
feat: release forge-audit ai-governance category (v1.11.0)#130

Merged
LucasSantana-Dev merged 2 commits into main from feature/ai-governance-audit on Mar 13, 2026

Conversation

@LucasSantana-Dev (Member) commented Mar 13, 2026

Summary

  • align forge-audit CLI/test contract to 6 categories including ai-governance
  • fix release workflow output typo ($GITHUB_OUTPUT) in release detection path
  • bump package version to 1.11.0 and update README/CHANGELOG for the new audit contract

Validation

  • npm run build
  • npm test -- --runInBand patterns/idp/__tests__/migration-assessor.test.ts patterns/idp/__tests__/migration-cli.test.ts
  • npm run lint:check
  • npx tsc --noEmit
  • npm pack --dry-run
  • node dist/patterns/idp/migration/cli.js --help | rg "ai-governance"
  • node dist/patterns/idp/migration/cli.js --dir <tmp> --json (verified 6 categories + ai-governance)

Summary by CodeRabbit

  • New Features

    • Introduced ai-governance as a new audit category to forge-audit. The tool now evaluates 6 categories: dependencies, architecture, security, quality, migration-readiness, and ai-governance.
  • Bug Fixes

    • Fixed a typo in the release workflow that was preventing proper publish detection.
  • Documentation

    • Updated documentation to reflect the expanded audit categories.

@LucasSantana-Dev LucasSantana-Dev requested a review from a team as a code owner March 13, 2026 00:28
@coderabbitai coderabbitai bot commented Mar 13, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4274a5b-5f2e-4fc0-97ef-6d59f73b8569

📥 Commits

Reviewing files that changed from the base of the PR and between 4c9e6ed and 7f33ce3.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • .github/workflows/release.yml
  • CHANGELOG.md
  • README.md
  • package.json
  • patterns/idp/__tests__/migration-cli.test.ts
  • patterns/idp/migration/cli.ts

📝 Walkthrough

Walkthrough

These changes introduce "ai-governance" as a new assessment category to the forge-audit tool, bringing the total from 5 to 6 categories. The package version is bumped to 1.11.0, accompanied by documentation updates, test adjustments, CLI help text changes, and a typo fix in the release workflow file.

Changes

Cohort / File(s): Summary

Release & Workflow (.github/workflows/release.yml)
  Fixed typo in output variable: corrected $ITHUB_OUTPUT to $GITHUB_OUTPUT for proper publish-detection logic.

Documentation & Versioning (CHANGELOG.md, README.md, package.json)
  Added ai-governance category documentation to changelog and readme; bumped version from 1.10.1 to 1.11.0.

Code & Tests (patterns/idp/__tests__/migration-cli.test.ts, patterns/idp/migration/cli.ts)
  Updated test expectations to verify 6 categories instead of 5 and added ai-governance category assertion; added ai-governance to CLI help text and categories list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Six categories strong, the forge-audit hops along,
AI governance joins the throng, making audits twice as strong!
Version bumped with care, documentation declared fair,
The rabbit audits everywhere! 🌿✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: releasing a new ai-governance category for forge-audit with version 1.11.0, which aligns with the primary objective and substantial changes throughout the codebase.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.16.4)
package.json

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

✔ Opengrep OSS
✔ Basic security coverage for first-party code vulnerabilities.

Loading rules from local config...

patterns/idp/__tests__/migration-cli.test.ts

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

✔ Opengrep OSS
✔ Basic security coverage for first-party code vulnerabilities.

Loading rules from local config...

patterns/idp/migration/cli.ts

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

✔ Opengrep OSS
✔ Basic security coverage for first-party code vulnerabilities.

Loading rules from local config...



@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
patterns/idp/migration/collectors/ai-governance-assessor.ts (2)

208-231: Consider case-insensitive matching for CI tool detection.

The string checks are case-sensitive (e.g., 'semgrep'), which should work for most GitHub Actions since action names are typically lowercase. However, YAML comments or custom step names might use different casing.

♻️ Optional: case-insensitive matching
-  if (
-    !allContent.includes('secret-scan') &&
-    !allContent.includes('trufflehog') &&
-    !allContent.includes('gitguardian') &&
-    !allContent.includes('ggshield')
-  ) {
+  const lowerContent = allContent.toLowerCase();
+  if (
+    !lowerContent.includes('secret-scan') &&
+    !lowerContent.includes('trufflehog') &&
+    !lowerContent.includes('gitguardian') &&
+    !lowerContent.includes('ggshield')
+  ) {
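Review bot: normalizing `allContent` to lowercase once is the right fix, but the hunk only rewires the secret-scan block; the SAST block further down should reuse the same `lowerContent` rather than calling `toLowerCase()` again, and the four `!lowerContent.includes(...)` clauses would read more clearly as one marker array checked with `.some()`. Separately, because `allContent` is raw workflow text including YAML comments (as the comment above notes), a bare substring match is satisfied by a comment that merely mentions "trufflehog" or "semgrep" even if no such step ever runs, so the finding can be silently suppressed; either restrict matching to `uses:` / `run:` values or document that the check is a heuristic that can produce false negatives.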

Apply similarly for the SAST check below.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@patterns/idp/migration/collectors/ai-governance-assessor.ts` around lines 208
- 231, The current checks on allContent (used with variables allContent and
findings) are case-sensitive; normalize allContent to lowercase once (e.g.,
const normalized = allContent.toLowerCase()) and use normalized.includes(...)
for the secret-scan checks (secret-scan, trufflehog, gitguardian, ggshield) and
the SAST checks (semgrep, codeql, snyk) so matching becomes case-insensitive;
apply this change in the same blocks that push findings to ensure both high and
medium severity checks use the normalized string.

242-272: Extract scoring logic to a shared utility.

The scoreCategory function duplicates identical severity-penalty mapping and grade calculation across at least 5 assessors (security, readiness, ai-governance, quality, and architecture). Consider moving this logic to a shared helper in patterns/idp/migration/collectors/ to reduce duplication and prevent divergence when grading rules change.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@patterns/idp/migration/collectors/ai-governance-assessor.ts` around lines 242
- 272, The scoreCategory function duplicates severity-to-penalty mapping and
grade computation across multiple assessors; extract this logic into a shared
helper (e.g., create a new exported function like computeCategoryScore or
scoreFindings in patterns/idp/migration/collectors/score-utils.ts), move the
switch/penalty and grade logic there, export necessary types (CategoryScore,
Grade, AssessmentFinding or import them from a common types file), then replace
the local scoreCategory implementations in ai-governance-assessor.ts and the
other assessor files (security, readiness, quality, architecture) to import and
call the new helper so all assessors use the single canonical scoring function.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 01d3906c-32a6-4bfd-95f0-cf1eec406d45

📥 Commits

Reviewing files that changed from the base of the PR and between f442b48 and 4c9e6ed.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (11)
  • .github/workflows/release.yml
  • CHANGELOG.md
  • README.md
  • package.json
  • patterns/idp/__tests__/migration-assessor.test.ts
  • patterns/idp/__tests__/migration-cli.test.ts
  • patterns/idp/migration/assessor.ts
  • patterns/idp/migration/cli.ts
  • patterns/idp/migration/collectors/ai-governance-assessor.ts
  • patterns/idp/migration/index.ts
  • patterns/idp/migration/types.ts
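The two nitpicks above (case-insensitive detection of CI security tooling, and one shared scoring helper instead of a copy of `scoreCategory` per assessor) as a single added TypeScript example. This is not forge-audit's own code: the shapes of `AssessmentFinding`, `CategoryScore` and `Grade`, the penalty values and grade thresholds, the helper name `computeCategoryScore`, and the two workflow snippets are all assumptions constructed for illustration; the page names those types and the tool markers but does not define them.

```typescript
// Added example, not forge-audit project code. Types, penalties and thresholds are assumed.
type Severity = 'high' | 'medium' | 'low';
type Grade = 'A' | 'B' | 'C' | 'D' | 'F';

interface AssessmentFinding {
  id: string;
  severity: Severity;
  message: string;
}

interface CategoryScore {
  score: number;
  grade: Grade;
  findings: AssessmentFinding[];
}

// Tool markers from the review comment. Matching is done on a lowercased copy of the
// workflow text so "TruffleHog" in a step name is found as well as "trufflehog" in a uses: line.
const SECRET_SCAN_MARKERS = ['secret-scan', 'trufflehog', 'gitguardian', 'ggshield'];
const SAST_MARKERS = ['semgrep', 'codeql', 'snyk'];

function containsAny(lowerContent: string, markers: string[]): boolean {
  return markers.some((m) => lowerContent.includes(m));
}

// Scans the concatenated workflow files once, case-insensitively, and emits a finding
// for each class of security tooling that is absent.
function detectCiSecurityGaps(workflowContents: string[]): AssessmentFinding[] {
  const lowerContent = workflowContents.join('\n').toLowerCase(); // normalize exactly once
  const findings: AssessmentFinding[] = [];
  if (!containsAny(lowerContent, SECRET_SCAN_MARKERS)) {
    findings.push({ id: 'ci-no-secret-scanning', severity: 'high', message: 'No secret scanning step found in CI workflows' });
  }
  if (!containsAny(lowerContent, SAST_MARKERS)) {
    findings.push({ id: 'ci-no-sast', severity: 'medium', message: 'No SAST step found in CI workflows' });
  }
  return findings;
}

// Shared scoring helper: one severity-to-penalty table and one grade ladder, so every
// assessor grades the same way. Values are assumptions for this example.
const PENALTY: Record<Severity, number> = { high: 25, medium: 10, low: 5 };

function gradeFor(score: number): Grade {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 70) return 'C';
  if (score >= 60) return 'D';
  return 'F';
}

function computeCategoryScore(findings: AssessmentFinding[]): CategoryScore {
  const penalty = findings.reduce((sum, f) => sum + PENALTY[f.severity], 0);
  const score = Math.max(0, 100 - penalty);
  return { score, grade: gradeFor(score), findings };
}

// Constructed sample: every marker appears only in mixed case, so a case-sensitive
// includes() would miss all of them and report two false gaps.
const SAMPLE_WORKFLOW_MIXED_CASE = `name: CI
jobs:
  security:
    steps:
      - name: Secret-Scan with GitGuardian
        run: ./scripts/GGShield-check.sh
      - name: SemGrep SAST
        run: ./scripts/run-SemGrep.sh
`;

// Constructed sample with no security tooling at all.
const SAMPLE_WORKFLOW_NO_SECURITY = `name: CI
jobs:
  test:
    steps:
      - run: npm test
`;

// Stand-alone demonstration.
const gaps = detectCiSecurityGaps([SAMPLE_WORKFLOW_NO_SECURITY]);
console.log('mixed-case workflow gaps:', detectCiSecurityGaps([SAMPLE_WORKFLOW_MIXED_CASE]).length);
console.log('no-security workflow score:', computeCategoryScore(gaps));
```

Because `detectCiSecurityGaps` lowercases the joined text once and hands that copy to every check, the secret-scan and SAST branches cannot drift apart in how they match; and because both this assessor and any other would call `computeCategoryScore`, a change to the penalty table or grade thresholds lands everywhere at once, which is the divergence risk the second nitpick points at.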

@LucasSantana-Dev LucasSantana-Dev force-pushed the feature/ai-governance-audit branch from 4c9e6ed to 7f33ce3 on March 13, 2026 00:34
@github-actions

Project Scorecard


Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violations
  performance: 67/100 (D) — 1 violations
  compliance: 75/100 (C) — 1 violations
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance


@LucasSantana-Dev LucasSantana-Dev merged commit c785a8f into main Mar 13, 2026
25 of 26 checks passed
@LucasSantana-Dev LucasSantana-Dev deleted the feature/ai-governance-audit branch March 13, 2026 00:36