feat: full audit fixes batch - 8 commits closing 20 issues #8
Merged
George-iam merged 9 commits into main from Apr 6, 2026
…cleanup CLI

- checkGit protectedBranch: token-level matching instead of substring (git push origin main-file-feat was falsely blocked)
- Remove turns counter: bumpTurn/incrementTurns removed from SessionMeta, server.ts, session-cleanup — counter was 0 in 96% of sessions, misleading
- safety.ts: use os.homedir() instead of process.env.HOME for ~ expansion (fixes undefined on Windows/containers where HOME is unset)
- pending-audits rmdir: use rmSync instead of unlinkSync (EISDIR fix)
- New CLI command: axme-code cleanup legacy-artifacts [--dry-run] removes pre-PR#7 sessions (no origin), audit logs (no resume), legacy dirs with backup to .axme-code/backups/

Closes: B1, G6, L1, L2, L3, E1, E3, N2 from full audit plan.

recordAuditFailure now distinguishes retryable errors (429, rate limit, ETIMEDOUT, ECONNRESET, etc.) from deterministic failures (prompt too long, parser errors). Retryable errors leave session in stale-pending state so orphan scan retries on next MCP startup. RETRYABLE_MAX_ATTEMPTS=5 caps infinite retries. Non-retryable errors immediately mark session as failed. This fixes the issue where 3 sessions today needed manual auditAttempts reset after transient Anthropic 429 errors.

Closes: G3 from full audit plan.

- hasActivity now includes filesChanged.length > 0 as a trigger (fixes N1: audit was skipped when transcript empty but files changed)
- parseTranscriptFromOffset collects raw bash commands in bashCommands[]
- New extractBashWritePaths utility parses redirects, sed -i, cp, mv, rm, touch, tee, curl -o, wget -O from shell commands
- session-cleanup supplements filesChanged from bash commands before audit
- parseAndRenderTranscripts aggregates allBashCommands across refs

Closes: G2, N1 from full audit plan.

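File writes made through shell commands never pass through an edit tool, which is why the commit above supplements filesChanged from bash commands. A compact sketch of that extraction, as an added example that is not the project's implementation: only the name extractBashWritePaths and the command list come from the commit message; the tokenisation, the GNU sed assumption and the helper names are assumptions.

```typescript
// Added example, not axme-code source. Parsing rules below are assumptions.
const OPERATORS = ["&&", "||", ";", "|"];
const ALL_OPERANDS_WRITTEN = ["rm", "touch", "tee", "mv"]; // every operand is modified

const unquote = (t: string): string => t.replace(/^(["'])(.*)\1$/, "$2");

// Paths written by one simple command (argv already unquoted).
function writesOfSimpleCommand(argv: string[]): string[] {
  const prog = argv[0] ?? "";
  const operands = argv.slice(1).filter((a) => !a.startsWith("-"));
  if (prog === "sed" && argv.some((a) => /^(-i|--in-place)/.test(a))) {
    return operands.slice(1); // GNU sed: first operand is the script, the rest are files
  }
  if (prog === "cp") return operands.length > 1 ? operands.slice(-1) : [];
  if (ALL_OPERANDS_WRITTEN.includes(prog)) return operands;
  if (prog === "curl" || prog === "wget") {
    const i = argv.indexOf(prog === "curl" ? "-o" : "-O");
    return i > 0 && i + 1 < argv.length ? [argv[i + 1]] : [];
  }
  return [];
}

function extractBashWritePaths(command: string): string[] {
  // Raw tokens keep their quotes so a quoted ">" or "|" is not read as an operator.
  const raw: string[] = command.match(/"[^"]*"|'[^']*'|&&|\|\||[;|]|[^\s;|]+/g) ?? [];
  const found: string[] = [];
  let argv: string[] = [];
  for (let i = 0; i < raw.length; i++) {
    const redirect = /^\d*>>?(.*)$/.exec(raw[i]);
    if (OPERATORS.includes(raw[i])) {
      found.push(...writesOfSimpleCommand(argv));
      argv = [];
    } else if (redirect) {
      // ">file" carries its target; a bare ">" takes the next token.
      const target = redirect[1] !== "" ? redirect[1] : (raw[++i] ?? "");
      if (target !== "" && !target.startsWith("&")) found.push(unquote(target)); // skip 2>&1
    } else {
      argv.push(unquote(raw[i]));
    }
  }
  found.push(...writesOfSimpleCommand(argv));
  return Array.from(new Set(found)); // dedupe, keep first-seen order
}

// Constructed sample command.
console.log(extractBashWritePaths("sed -i 's/a|b/c/' src/a.ts && cp src/a.ts dist/a.js"));
```

Variable expansion, subshells, here-documents and `&&` written without surrounding spaces are not handled, so the result is a supplement to tracked edits rather than a complete list.
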
- Deterministic pre-check: if filesChanged contains structural manifests (package.json, pyproject.toml, go.mod, CLAUDE.md, etc.) oracle rescan fires automatically without waiting for LLM verdict
- AUDIT_PROMPT updated with explicit ORACLE_CHANGES instructions: lists what counts as YES (new dependencies, version upgrades, new dirs, CLAUDE.md changes) vs NO (regular edits, bug fixes, refactoring)
- Both triggers feed into existing runOracleScan code path

Closes: G1 from full audit plan.

- logSessionStart called in ensureAxmeSessionForClaude on fresh session creation (fires once per AXME session on first hook call)
- logCheckResult called after audit in session-cleanup (PASS/FAIL with extraction counts: "3 mem, 5 dec, 1 safety")
- Both were dead exports in worklog.ts, now active

Closes: G4, G5 from full audit plan.

Decision lifecycle: active -> superseded/deprecated/revoked.

- Decision type: +status, +supersededBy, +supersedes, +revokedAt, +revokedReason
- listDecisions() defaults to active-only (undefined = active for backward compat)
- supersedeDecision(path, oldId, newInput): marks old as superseded, creates new
- revokeDecision(path, id, reason): marks as revoked with timestamp
- formatDecisionFile/parseDecisionFile: handle all new fields in frontmatter
- decisionsContext: includes (date) per decision + "newer wins" rule header
- MCP server instructions: DECISION CONFLICT RULE added
- CLI: axme-code cleanup decisions-normalize [--dry-run] adds status:active to all 2444 existing decisions across 57 workspace locations

Closes: A1 from full audit plan.

- Ghost sessions (<2s lifetime, 0 files) auto-marked as done without LLM audit (saves cost on Bug F artifacts and race condition empties)
- trackFileChanged normalizes paths via path.resolve before dedup (fixes /home/user/./x.ts vs /home/user/x.ts producing duplicates)
- audit-spawner guards against undefined process.argv[1]

Closes: A4, E6, N20 from full audit plan.

src/storage/report.ts had 5 exports (appendReport, readReport, saveArtifact, formatAgentHeader, formatTokens) with zero imports anywhere in the codebase. Removing to reduce maintenance surface.

Closes: N3 from full audit plan.

Denied prefix `git push origin main` was incorrectly blocking `git push origin main-file-feat` via simple string startsWith. Added isPrefixBoundaryMatch: when prefix ends with alphanumeric, next char must be a word boundary (space, end, etc.), not a continuation like hyphen. Path prefixes like `rm -rf /` still match `rm -rf /etc` correctly since `/` is non-alphanumeric. 12/12 test cases pass (7 blocked, 5 allowed).
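
The boundary rule from the commit message above, as an added example that is not code from this PR: only the name isPrefixBoundaryMatch comes from the page, while the signature, the continuation character set, the whitespace normalisation and isDenied are assumptions. Any character outside the continuation set is treated as a boundary, so forms such as `main:main` or `main;ls` stay blocked.

```typescript
// Added example, not code from this PR. Only the name isPrefixBoundaryMatch is from
// the commit message; the signature, CONTINUATION set and isDenied() are assumptions.

// Characters that can extend a word such as a branch name. Anything else
// (space, ":", ";", "&", "|", ...) counts as a boundary, so the check fails closed.
const CONTINUATION = /[A-Za-z0-9_.\/-]/;
const ALNUM = /[A-Za-z0-9]/;

// Pre-fix behaviour: plain startsWith, which also hits longer branch names.
function naivePrefixMatch(command: string, prefix: string): boolean {
  return command.startsWith(prefix);
}

function isPrefixBoundaryMatch(command: string, prefix: string): boolean {
  if (!command.startsWith(prefix)) return false;
  // A prefix ending in punctuation ("rm -rf /") denies everything beneath it.
  if (!ALNUM.test(prefix.charAt(prefix.length - 1))) return true;
  const next = command.charAt(prefix.length); // "" when the command ends here
  return next === "" || !CONTINUATION.test(next);
}

const DENIED_PREFIXES: string[] = ["git push origin main", "rm -rf /"];

function isDenied(command: string): boolean {
  // Collapse whitespace runs so extra spaces cannot step around a prefix (assumption).
  const normalized = command.trim().replace(/\s+/g, " ");
  return DENIED_PREFIXES.some((p) => isPrefixBoundaryMatch(normalized, p));
}

// Constructed sample commands and the expected verdicts.
const SAMPLES: Array<[string, boolean]> = [
  ["git push origin main", true],
  ["git push origin main --force", true],
  ["git push origin main:main", true],
  ["git  push origin main;ls", true],
  ["rm -rf /etc", true],
  ["git push origin main-file-feat", false],
  ["git push origin maintenance", false],
];
for (const [cmd, expected] of SAMPLES) {
  console.log(isDenied(cmd) === expected ? "ok  " : "FAIL", cmd);
}
```
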
Summary
Comprehensive batch of fixes and improvements from the full axme-code audit conducted on 2026-04-05/06. Addresses 20 issues found during 120-assertion E2E audit + full code review.
8 commits, each self-contained with regression verification:
Issues closed
New CLI commands
- axme-code cleanup legacy-artifacts [--dry-run] - removes pre-PR#7 sessions/logs with backup
- axme-code cleanup decisions-normalize [--dry-run] - adds status:active to all 2444 decisions
New capabilities
Test plan