From dc6dd1d30c638a442fa6fdc43c5803585c274e35 Mon Sep 17 00:00:00 2001
From: root <root@island37.com>
Date: Mon, 27 Apr 2026 07:24:23 -0500
Subject: [PATCH] =?UTF-8?q?auditor:=20per-PR=20audit=20cap=20(default=203)?=
 =?UTF-8?q?=20=E2=80=94=20daemon=20halts=20further=20audits=20until=20rese?=
 =?UTF-8?q?t?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds MAX_AUDITS_PER_PR (env LH_AUDITOR_MAX_AUDITS_PER_PR, default 3).
The poller increments a per-PR counter on each successful audit; when
the counter reaches the cap it skips that PR with a "capped" log line
until the operator manually clears state.audit_count_per_pr[<PR#>].

Why:
"I don't want it to continuously loop even if it finds a problem.
We need a maximum until we can come back."

Without this, the daemon polls every 90s and audits every new head
SHA. If each fix-commit surfaces new findings (which is what
kimi_architect is designed to do), the audit loop runs unbounded
while the operator is away. At ~$0.30/audit on Opus and 5-10 pushes
a day, that's $1-3/day idle burn — fine for a couple days, painful
for weeks.

Cap mechanics:
- Counter starts at 0 per PR (or whatever exists in state.json)
- Increments only on successful audit (failures don't count)
- Comparison is >= so cap=3 means audits 1, 2, 3 run; 4+ skip
- Skip is logged: "capped at N/M audits — clear state.json
  audit_count_per_pr.<N> to resume"
- New `cycles_skipped_capped` counter on State for observability

Reset:
  jq '.audit_count_per_pr = (.audit_count_per_pr - {"11": 4})' \
    /home/profit/lakehouse/data/_auditor/state.json > /tmp/s.json && \
    mv /tmp/s.json /home/profit/lakehouse/data/_auditor/state.json
- Daemon picks up the change on the next cycle (no restart needed —
  state is reloaded each cycle)
- Or set the entry to 0 if you want to keep the key

Disable cap: LH_AUDITOR_MAX_AUDITS_PER_PR=0
Reduce cap: LH_AUDITOR_MAX_AUDITS_PER_PR=1   (one audit per PR head, then pause)

Pre-existing PR audits today (4 on PR #11) are NOT seeded into the
counter by this commit — operator decides post-deploy whether to set
state.audit_count_per_pr.11 to today's actual count or leave at 0.
Setting to 4 (or 3) immediately halts further audits on PR #11.

Verification:
  bun build auditor/index.ts   compiles
  systemctl restart lakehouse-auditor   active

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 auditor/index.ts | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/auditor/index.ts b/auditor/index.ts
index cd64144..c56f301 100644
--- a/auditor/index.ts
+++ b/auditor/index.ts
@@ -24,14 +24,30 @@ const POLL_INTERVAL_MS = 90_000; // 90s — enough budget for audit runs to comp
 const PAUSE_FILE = "/home/profit/lakehouse/auditor.paused";
 const STATE_FILE = "/home/profit/lakehouse/data/_auditor/state.json";
 
+// Per-PR audit cap. Prevents the daemon from running away on a PR
+// when each push surfaces new findings — operator wants to review
+// in batch, not have the daemon burn budget while they're away.
+// Default 3 audits per PR. Override via LH_AUDITOR_MAX_AUDITS_PER_PR.
+// Set to 0 to disable the cap.
+//
+// Reset (after manual review): edit data/_auditor/state.json and
+// set audit_count_per_pr.<N> = 0 (or delete the key). Daemon picks
+// up the change on the next cycle without restart.
+const MAX_AUDITS_PER_PR = Number(process.env.LH_AUDITOR_MAX_AUDITS_PER_PR) || 3;
+
 interface State {
   // Map: PR number → last-audited head SHA. Lets us dedupe audits
   // across restarts (poller can crash/restart without re-auditing
   // all open PRs from scratch).
   last_audited: Record<string, string>;
+  // Map: PR number → number of audits run on that PR since last reset.
+  // Daemon halts auditing a PR once this hits MAX_AUDITS_PER_PR.
+  // Operator clears the entry to resume.
+  audit_count_per_pr: Record<string, number>;
   started_at: string;
   cycles_total: number;
   cycles_skipped_paused: number;
+  cycles_skipped_capped: number;
   audits_run: number;
   last_cycle_at?: string;
 }
@@ -47,17 +63,21 @@ async function loadState(): Promise<State> {
     return {
       last_audited: s.last_audited ?? {},
       started_at: s.started_at ?? new Date().toISOString(),
+      audit_count_per_pr: s.audit_count_per_pr ?? {},
       cycles_total: s.cycles_total ?? 0,
       cycles_skipped_paused: s.cycles_skipped_paused ?? 0,
+      cycles_skipped_capped: s.cycles_skipped_capped ?? 0,
       audits_run: s.audits_run ?? 0,
       last_cycle_at: s.last_cycle_at,
     };
   } catch {
     return {
       last_audited: {},
+      audit_count_per_pr: {},
       started_at: new Date().toISOString(),
       cycles_total: 0,
       cycles_skipped_paused: 0,
+      cycles_skipped_capped: 0,
       audits_run: 0,
     };
   }
@@ -89,12 +109,23 @@ async function runCycle(state: State): Promise<State> {
   console.log(`[auditor] cycle ${state.cycles_total}: ${prs.length} open PR(s)`);
 
   for (const pr of prs) {
-    const last = state.last_audited[String(pr.number)];
+    const prKey = String(pr.number);
+    const last = state.last_audited[prKey];
     if (last === pr.head_sha) {
       console.log(`[auditor]   skip PR #${pr.number} (SHA ${pr.head_sha.slice(0, 8)} already audited)`);
       continue;
     }
-    console.log(`[auditor]   audit PR #${pr.number} (${pr.head_sha.slice(0, 8)}) — ${pr.title.slice(0, 60)}`);
+    // Per-PR audit cap — once a PR has been audited MAX_AUDITS_PER_PR
+    // times, halt further audits until the operator manually clears
+    // audit_count_per_pr[<N>] in state.json. Prevents runaway burn
+    // when each fix surfaces new findings.
+    const auditedSoFar = state.audit_count_per_pr[prKey] ?? 0;
+    if (MAX_AUDITS_PER_PR > 0 && auditedSoFar >= MAX_AUDITS_PER_PR) {
+      console.log(`[auditor]   skip PR #${pr.number} (capped at ${auditedSoFar}/${MAX_AUDITS_PER_PR} audits — clear state.json audit_count_per_pr.${prKey} to resume)`);
+      state.cycles_skipped_capped += 1;
+      continue;
+    }
+    console.log(`[auditor]   audit PR #${pr.number} (${pr.head_sha.slice(0, 8)}) — ${pr.title.slice(0, 60)} [${auditedSoFar + 1}/${MAX_AUDITS_PER_PR}]`);
     try {
       // Skip dynamic by default: it mutates live playbook state and
       // re-runs on every PR update would pollute quickly. Operator
@@ -106,8 +137,12 @@ async function runCycle(state: State): Promise<State> {
         skip_inference: process.env.LH_AUDITOR_SKIP_INFERENCE === "1",
       });
       console.log(`[auditor]     verdict=${verdict.overall} findings=${verdict.metrics.findings_total} (block=${verdict.metrics.findings_block} warn=${verdict.metrics.findings_warn})`);
-      state.last_audited[String(pr.number)] = pr.head_sha;
+      state.last_audited[prKey] = pr.head_sha;
+      state.audit_count_per_pr[prKey] = auditedSoFar + 1;
       state.audits_run += 1;
+      if (state.audit_count_per_pr[prKey] >= MAX_AUDITS_PER_PR) {
+        console.log(`[auditor]     PR #${pr.number} reached cap (${MAX_AUDITS_PER_PR} audits) — daemon will skip further audits until reset`);
+      }
     } catch (e) {
       console.error(`[auditor]     audit failed: ${(e as Error).message}`);
     }