Install gate, Phase 3 (lane 2): --json machine output#114
Open
juangaitanv wants to merge 3 commits into
Open
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
c39ab0f to
d9af832
Compare
juangaitanv
added a commit
that referenced
this pull request
Jun 12, 2026
…t refusals Addresses Cursor review on #114. - the wrapper's --json is now forwarded to the package manager on passthrough (non-install subcommands, bare exec): `corgea npm --json view x` reaches npm's --json again instead of the wrapper silently swallowing it. A non-install passthrough produces no Corgea report, so the flag is the manager's. - the pre-report refusals that previously bypassed the JSON error helper (unparsable npm ci / uv sync lockfile, bare-npm root redirect, npm ci root redirect) now route through refuse_guard, so `--json` emits a parseable {"error": …} document instead of bare stderr. Machine consumers can parse every blocking path uniformly.
juangaitanv
force-pushed
the
install-gate-phase-3-json
branch
from
0e07df6 to
c5715f9
Compare
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
d9af832 to
36350f3
Compare
juangaitanv
added a commit
that referenced
this pull request
Jun 12, 2026
…t refusals Addresses Cursor review on #114. - the wrapper's --json is now forwarded to the package manager on passthrough (non-install subcommands, bare exec): `corgea npm --json view x` reaches npm's --json again instead of the wrapper silently swallowing it. A non-install passthrough produces no Corgea report, so the flag is the manager's. - the pre-report refusals that previously bypassed the JSON error helper (unparsable npm ci / uv sync lockfile, bare-npm root redirect, npm ci root redirect) now route through refuse_guard, so `--json` emits a parseable {"error": …} document instead of bare stderr. Machine consumers can parse every blocking path uniformly.
juangaitanv
force-pushed
the
install-gate-phase-3-json
branch
from
c5715f9 to
c79d501
Compare
Harvested from the install-vuln-gate spike (dfac68e). - --json prints the report as one pretty-printed JSON document on stdout: summary counts, verdict_mode ("public" / "recency-only"), per-result verdict objects (vulnerable verdicts carry matches and a remediation field — the safe version covering every advisory, null when any advisory lacks a fix), and the tree object (mode full/named-only, resolved_count, transitive[] with origin labels) - stdout purity: the wrapped package manager's stdout moves to stderr so stdout stays parseable; guard refusals (pip add, uv install, wrong manager, parse errors) emit an {"error": …} document - VulnMatch is now Serialize for the JSON matches array
…t refusals Addresses Cursor review on #114. - the wrapper's --json is now forwarded to the package manager on passthrough (non-install subcommands, bare exec): `corgea npm --json view x` reaches npm's --json again instead of the wrapper silently swallowing it. A non-install passthrough produces no Corgea report, so the flag is the manager's. - the pre-report refusals that previously bypassed the JSON error helper (unparsable npm ci / uv sync lockfile, bare-npm root redirect, npm ci root redirect) now route through refuse_guard, so `--json` emits a parseable {"error": …} document instead of bare stderr. Machine consumers can parse every blocking path uniformly.
…ion holes
The --json contract is 'every exit path yields exactly one parseable
document on stdout'. Three paths broke it and two were inconsistent:
- --force over an unparsable lockfile now emits a {warning, proceeded}
document before exec (stdout was empty).
- uv passthrough (and the no-files 'uv pip sync' branch) routes through
passthrough_exec, so the wrapper's consumed --json is re-forwarded to
uv ('corgea uv --json tree' reaches uv's own --json again).
- Bare yarn/pnpm installs under --json emit an empty report document
(null tree, zero results) with the honesty note on stderr.
- Binary-not-found under --json emits an {error} document before exit
127.
- refuse_guard pretty-prints, matching the main report's formatting;
SKILL.md documents verdict_mode 'recency-only' as library-only.
- New position-sensitivity test pins that post-verb --json belongs to
the manager ('corgea npm install --json x' forwards it; gate stays
text).
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
36350f3 to
f8426b6
Compare
juangaitanv
force-pushed
the
install-gate-phase-3-json
branch
from
c79d501 to
07bb21d
Compare
leenk7991
reviewed
Jun 15, 2026
| "subcommand": report.subcommand, | ||
| "args": report.original_args, | ||
| "threshold_seconds": report.threshold.as_secs(), | ||
| "summary": { |
There was a problem hiding this comment.
json summary counts mix scopes inconsistently. vulnerable/unverifiable use verdicts (includes tree), but ok/recent/skipped/errors are named only.
for all tree reports (npm ci/uv sync) this gives ok: 0 even with dozens of clean locked packages, and there's no clean count (TreeOutcome has no age, so recency is inherently named only)
can we split summary into scope matched named and tree sub-objects so each reconciles with its own array, adding a clean count.
for example:
"summary": {
"named": { "ok", "recent", "vulnerable", "unverifiable", "clean", "skipped", "errors" },
"tree": { "resolved_count", "vulnerable", "unverifiable", "clean", "not_checked" }
}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR is Phase 3, lane 2 of the install-gate feature for the Corgea CLI.
Lane 2 adds machine-readable output.
--jsonmakes install-gate reports parseable by agents, scripts, and CI while preserving package-manager passthrough behavior when Corgea is not producing a gate report.This lane does not add auth or fail-closed enforcement.
Stacked on #113. Base branch:
install-gate-phase-3-uv. Review this PR's diff in isolation; it contains the Phase 3 lane 2 slice.What Phase 3 Lane 2 Includes
--jsonreport output as one pretty-printed JSON document on stdout.verdict_mode.matchesand aremediationfield.remediationis the safe version covering every advisory, ornullwhen any advisory lacks a fix.mode(fullornamed-only),resolved_count, andtransitive[]entries with origin labels.--forcewarnings over unparsable locks.--jsonflag is forwarded instead of swallowed.--jsoncontrols Corgea output, while post-verb manager-level--jsonremains the package manager's flag.VulnMatchserialization so vuln-api matches appear in JSON verdicts.Deliberately Out Of Scope
The next lane adds:
Exit Criteria - Met
Covered by
--jsontests acrosstests/cli_install.rs,tests/cli_verdict.rs,tests/cli_remediation.rs,tests/cli_tree.rs,tests/cli_bare_install.rs,tests/cli_provenance.rs,tests/cli_npm_ci.rs, andtests/cli_uv_sync.rs. Confirmed live against staging with the workflow'scorgea npm --threshold 0s --json install ...invocation parsing cleanly../harness checkpasses.