Shared memory and context tools for agentic work.
Code Rooms
{
"schema": "m1nd-bug-hunt-audit-result-v0",
"round_id": "bughunt-p-limit-confirm-20260514T204651Z",
"lane_id": "audit-02",
"instruction_mode": "m1nd-temponizer-compact",
"repo": "p-limit",
"model": "Codex GPT-5",
"started_at": "2026-05-15T10:18:23Z",
"finished_at": "2026-05-15T10:20:48Z",
"findings": [
"title": "Options object enables rejectOnClear by default despite documented default false",
"severity": "high",
"file": "index.js",
"symbol": "pLimit",
"cause": "When the first argument is an object, destructuring uses `rejectOnClear = true`, so `pLimit({concurrency: 1})` rejects pending tasks on `clearQueue()` even though README and type docs state the option defaults to false.",
"impact": "Consumers following the documented options-object form can get unexpected AbortError rejections from pending tasks when clearing the queue. This can turn ordinary teardown or queue discard code into Promise.all failures.",
"evidence": "index.js:6-8 destructures `({concurrency, rejectOnClear = true} = concurrency)`. README lines 46-52 and index.d.ts lines 99-105 document `rejectOnClear` defaulting to false. The existing `accepts options object` test at test.js:257-273 does not exercise `clearQueue()`.",
"reproduction_or_test": "node --input-type=module -e \"import {setTimeout as delay} from 'node:timers/promises'; import pLimit from './index.js'; const limit = pLimit({concurrency: 1}); const running = limit(() => delay(20)); const pending = limit(() => delay(20)); await Promise.resolve(); limit.clearQueue(); let outcome = 'still-pending'; try { await Promise.race([pending.then(() => 'resolved'), delay(20).then(() => 'still-pending')]); } catch (error) { outcome = error.name; } await running; console.log(JSON.stringify({pendingOutcome: outcome, rejectOnClearDefaultExpected: false}));\" => {\"pendingOutcome\":\"AbortError\",\"rejectOnClearDefaultExpected\":false}",
"confidence": "high"
},
"title": "limitFunction drops all call arguments",
"symbol": "limitFunction",
"cause": "The wrapper returned by `limitFunction` is declared and documented as accepting the original function arguments, but the implementation returns `() => limit(() => function_())`, which ignores arguments supplied by callers.",
"impact": "Any limited function that depends on parameters receives undefined values. This silently corrupts results for common wrapper use cases such as `limitedFetch(url)` or `limitedTransform(input)`.",
"evidence": "index.js:121-125 returns a zero-argument wrapper. index.d.ts:133-136 declares `(...arguments_: Arguments) => Promise<ReturnType>`. README lines 111-117 describe returning a function with limited concurrency, and tests at test.js:343-356 cover only zero-argument calls.",
"reproduction_or_test": "node --input-type=module -e \"import {limitFunction} from './index.js'; const limited = limitFunction(async value => value * 2, {concurrency: 1}); console.log(JSON.stringify({result: await limited(21)}));\" => {\"result\":null} because the actual result is NaN after the argument is dropped.",
"title": "limit.map omits mapper index for non-array iterables",
"severity": "medium",
"symbol": "generator.map",
"cause": "`limit.map` conditionally passes the index only when `Array.isArray(iterable)` is true, so Set, generator, and iterator inputs receive `undefined` for the mapper index.",
"impact": "The public contract says the mapper receives the item value and its index for any iterable. Batch processing over Sets or generators that relies on the index will produce wrong results while the current tests only verify values.",
"evidence": "index.js:108-112 passes `iterableIsArray ? index : undefined`. README lines 78-85 and index.d.ts lines 30-43 state that the mapper receives the item value and index, equivalent to `Array.from(iterable, (item, index) => limit(mapperFunction, item, index))`. Tests at test.js:239-255 cover Set and array iterator values but not indexes.",
"reproduction_or_test": "node --input-type=module -e 'import pLimit from \"./index.js\"; const limit = pLimit(2); const result = await limit.map(new Set([\"a\", \"b\"]), (value, index) => value + \":\" + index); console.log(JSON.stringify(result));' => [\"a:undefined\",\"b:undefined\"]",
}
],
"commands_run": [
"sed -n '1,220p' lane-prompts/audit-02.md",
"python3 /Users/kle1nz/m1nd/skills/m1nd-operator/scripts/probe_m1nd.py --binary /usr/local/bin/m1nd-mcp --no-worktree-artifacts --workspace-root <lane-workspace> tools",
"m1nd trust_selftest/session_handshake/audit via probe_m1nd.py run",
"m1nd ingest/session_handshake/seek/search/activate via probe_m1nd.py run",
"nl -ba index.js/test.js/index.d.ts/readme.md/package.json",
"node --input-type=module probes for rejectOnClear default, limitFunction arguments, and limit.map indexes",
"m1nd ingest + impact(file::index.js) via probe_m1nd.py run"
"files_inspected": [
"/Users/kle1nz/m1nd/docs/benchmarks/bug-hunt-rounds/bughunt-p-limit-confirm-20260514T204651Z/lane-prompts/audit-02.md",
"/Users/kle1nz/m1nd/docs/benchmarks/bug-hunt-rounds/bughunt-p-limit-confirm-20260514T204651Z/lane-result-template.json",
"/Users/kle1nz/m1nd/.m1nd-field-workspaces/bughunt-p-limit-confirm-20260514T204651Z/audit-02/p-limit/index.js",
"/Users/kle1nz/m1nd/.m1nd-field-workspaces/bughunt-p-limit-confirm-20260514T204651Z/audit-02/p-limit/test.js",
"/Users/kle1nz/m1nd/.m1nd-field-workspaces/bughunt-p-limit-confirm-20260514T204651Z/audit-02/p-limit/index.d.ts",
"/Users/kle1nz/m1nd/.m1nd-field-workspaces/bughunt-p-limit-confirm-20260514T204651Z/audit-02/p-limit/readme.md",
"/Users/kle1nz/m1nd/.m1nd-field-workspaces/bughunt-p-limit-confirm-20260514T204651Z/audit-02/p-limit/package.json"
"m1nd_usage": [
"tool": "tools",
"result": "96 tools exposed by /usr/local/bin/m1nd-mcp"
"tool": "trust_selftest/session_handshake",
"result": "Initial isolated runtime was correctly workspace-bound but needed ingest; recovery playbook indicated call_ingest."
"tool": "ingest/session_handshake",
"result": "Ingested 10 files, 82 nodes, 94 edges; post-ingest trust_mode full_trust."
"tool": "seek/search/activate",
"result": "Focused discovery identified index.js enqueue/validateConcurrency/limitFunction plus docs/tests around clearQueue and map."
"tool": "impact",
"result": "file::index.js blast radius covered resumeNext, next, run, enqueue, generator, limitFunction, and validateConcurrency."
"tool": "recovery_note",
"result": "Standalone focused retrieval started a fresh isolated runtime and returned needs_ingest; recovered by bundling ingest and retrieval in the same probe_m1nd.py run."
"temponizer_usage": [
"phase": "IO",
"tc_estimate": "0.10 * 10m = 1m",
"te_measured": "about 2m from prompt read through trusted m1nd orientation",
"decision": "Use m1nd trust and audit first, then narrow to core public API files.",
"recalibration_note": "Tool latency and cold isolated graph ingest dominated more than human reading time."
"phase": "DBG",
"tc_estimate": "0.08 * 20m = 1.6m",
"te_measured": "about 2m for source reads plus three inline Node probes",
"decision": "Promote only runtime-reproduced contract mismatches to findings.",
"recalibration_note": "Inline probes were cheap; source verification was the main constraint."
"phase": "PAR",
"tc_estimate": "0.05 * 10m = 0.5m",
"te_measured": "under 1m to stop after three concrete findings",
"decision": "Stop after three independent, source-backed, repro-backed findings rather than speculative expansion.",
"recalibration_note": "Additional broad search had lower expected value than preserving concrete proof quality."
"agent_testimony": "I did not patch the audited repo or read operator-only artifacts. Findings are based on m1nd orientation, direct source reads, and focused inline Node reproductions.",
"notes": "The audited git tree was reported dirty by m1nd with an uncommitted file named ndex.js, but the inspected and executed public entrypoint was index.js from the lane workspace. No benchmark hypothesis or answer key was read.",
"non_claims": [
"auditor did not see the operator-only answer key",
"extra findings are unadjudicated until a judge validates them"
]