From 0edff2413ed5477cef92a2922fa398401cba1996 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 3 Jun 2026 10:11:06 +0000
Subject: [PATCH] docs: add missing audit/ module to AGENTS.md architecture tree

The src/audit/ module (introduced with the ado-aw audit command) was never added to the architecture section of AGENTS.md. The command is referenced in the CLI docs and docs index, but agents reading the architecture tree had no visibility into the module structure.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 AGENTS.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index 12823ed9..fbfff894 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -87,6 +87,27 @@ Every compiled pipeline runs as three sequential jobs:
 │ ├── ado/ # Shared Azure DevOps REST helpers (auth, list/match/PATCH/POST)
 │ │ ├── mod.rs # Shared ADO REST helpers used by all lifecycle commands (`enable`, `disable`, `list`, `status`, `run`, `remove`, `secrets`)
 │ │ └── discovery.rs # Project-scope pipeline discovery (`--all-repos` / `--source` flags)
+│ ├── audit/ # `ado-aw audit` command — downloads pipeline artifacts and runs analyzers
+│ │ ├── mod.rs # Shared audit data types; AuditData report model
+│ │ ├── cli.rs # CLI entry point for the `audit` subcommand
+│ │ ├── model.rs # AuditData and supporting report structs
+│ │ ├── findings.rs # Finding severity levels and structured finding types
+│ │ ├── cache.rs # Artifact download cache (keyed on build-id)
+│ │ ├── url.rs # Build-reference parsing (bare ID, full ADO URL)
+│ │ ├── analyzers/ # Per-signal analyzers that populate AuditData sections
+│ │ │ ├── mod.rs
+│ │ │ ├── detection.rs # Detection-stage artifact analysis
+│ │ │ ├── firewall.rs # AWF network log analysis
+│ │ │ ├── jobs.rs # Build timeline / job-level analysis
+│ │ │ ├── mcp.rs # MCP tool-call analysis
+│ │ │ ├── missing.rs # Missing-tool / missing-data / noop safe-output analysis
+│ │ │ ├── otel.rs # OTel agent stats (token usage, duration, turns)
+│ │ │ ├── policy.rs # Policy-level findings (safe-output integrity, prompt injection signals)
+│ │ │ └── safe_outputs.rs # Safe-output NDJSON analysis
+│ │ └── render/ # Report renderers
+│ │ ├── mod.rs
+│ │ ├── console.rs # Human-readable console report
+│ │ └── json.rs # Machine-readable AuditData JSON
 │ ├── detect.rs # Agentic pipeline detection — discovers compiled pipelines; used by all lifecycle commands
 │ ├── update_check.rs # Version update check — queries GitHub Releases and prints advisory when newer version is available
 │ ├── ndjson.rs # NDJSON parsing utilities