green: Layer 2 exit code confidence — wantExitCode in cmdTestCase + scenario tests

- ExitCodeFor now recognises Cobra's built-in usage error patterns
  (unknown flag, required flag not set, wrong arg count) so tests that
  use executeCommandC get the same exit code as the real binary
- Add wantExitCode int to cmdTestCase; runTestCmd asserts ExitCodeFor(err)
  when the field is non-zero
- New TestExitCodeScenarios covers codes 0–4 end-to-end using httptest
  (no local server required): version (0), deny-all policy (1),
  5xx / unreachable (2), 401/403 (3), unknown flag / cobra required flag /
  wrong arg count (4)
- Add wantExitCode: 4 to all arg/flag usage error cases in evaluateTrail
  and wantExitCode: 1 to all deny-all policy cases
- Add wantExitCode annotations to assertSnapshot tests 01 (exit 4) and
  04 (exit 1)
- Extend TestExitCodeFor with four Cobra error pattern cases

Author: dangrondahl

cmd/kosli/assertSnapshot_test.go

@@ -64,10 +64,11 @@ func (suite *AssertSnapshotCommandTestSuite) SetupTest() {
 func (suite *AssertSnapshotCommandTestSuite) TestAssertSnapshotCmd() {
 	tests := []cmdTestCase{
 		{
-			wantError: true,
-			name:      "01 missing --org fails",
-			cmd:       fmt.Sprintf(`assert snapshot %s --api-token secret`, suite.nonCompliantEnvName),
-			golden:    "Error: --org is not set\nUsage: kosli assert snapshot ENVIRONMENT-NAME-OR-EXPRESSION [flags]\n",
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "01 missing --org fails",
+			cmd:          fmt.Sprintf(`assert snapshot %s --api-token secret`, suite.nonCompliantEnvName),
+			golden:       "Error: --org is not set\nUsage: kosli assert snapshot ENVIRONMENT-NAME-OR-EXPRESSION [flags]\n",
 		},
 		{
 			wantError: true,
@@ -82,9 +83,10 @@ func (suite *AssertSnapshotCommandTestSuite) TestAssertSnapshotCmd() {
 			golden:    "Error: Environment named 'non-existing' does not exist for organization 'docs-cmd-test-user'\n",
 		},
 		{
-			wantError: true,
-			name:      "04 asserting a non compliant env results in INCOMPLIANT and non-zero exit",
-			cmd:       fmt.Sprintf(`assert snapshot %s %s`, suite.nonCompliantEnvName, suite.defaultKosliArguments),
+			wantError:    true,
+			wantExitCode: 1,
+			name:         "04 asserting a non compliant env results in INCOMPLIANT and non-zero exit",
+			cmd:          fmt.Sprintf(`assert snapshot %s %s`, suite.nonCompliantEnvName, suite.defaultKosliArguments),
 			additionalConfig: assertSnapshotTestConfig{
 				reportToEnv: true,
 				envName:     suite.nonCompliantEnvName,

cmd/kosli/evaluateTrail_test.go

@@ -37,33 +37,38 @@ func (suite *EvaluateTrailCommandTestSuite) SetupTest() {
 func (suite *EvaluateTrailCommandTestSuite) TestEvaluateTrailCmd() {
 	tests := []cmdTestCase{
 		{
-			wantError: true,
-			name:      "missing trail name argument fails",
-			cmd:       fmt.Sprintf(`evaluate trail --flow %s %s`, suite.flowName, suite.defaultKosliArguments),
-			golden:    "Error: accepts 1 arg(s), received 0\n",
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "missing trail name argument fails",
+			cmd:          fmt.Sprintf(`evaluate trail --flow %s %s`, suite.flowName, suite.defaultKosliArguments),
+			golden:       "Error: accepts 1 arg(s), received 0\n",
 		},
 		{
-			wantError: true,
-			name:      "providing more than one argument fails",
-			cmd:       fmt.Sprintf(`evaluate trail %s xxx --flow %s %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
-			golden:    "Error: accepts 1 arg(s), received 2\n",
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "providing more than one argument fails",
+			cmd:          fmt.Sprintf(`evaluate trail %s xxx --flow %s %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			golden:       "Error: accepts 1 arg(s), received 2\n",
 		},
 		{
-			wantError: true,
-			name:      "missing --flow flag fails",
-			cmd:       fmt.Sprintf(`evaluate trail %s %s`, suite.trailName, suite.defaultKosliArguments),
-			golden:    "Error: required flag(s) \"flow\", \"policy\" not set\n",
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "missing --flow flag fails",
+			cmd:          fmt.Sprintf(`evaluate trail %s %s`, suite.trailName, suite.defaultKosliArguments),
+			golden:       "Error: required flag(s) \"flow\", \"policy\" not set\n",
 		},
 		{
-			wantError: true,
-			name:      "missing --policy flag fails",
-			cmd:       fmt.Sprintf(`evaluate trail %s --flow %s %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
-			golden:    "Error: required flag(s) \"policy\" not set\n",
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "missing --policy flag fails",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			golden:       "Error: required flag(s) \"policy\" not set\n",
 		},
 		{
-			wantError: true,
-			name:      "missing --api-token fails",
-			cmd:       fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/allow-all.rego --org orgX`, suite.trailName, suite.flowName),
+			wantError:    true,
+			wantExitCode: 4,
+			name:         "missing --api-token fails",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/allow-all.rego --org orgX`, suite.trailName, suite.flowName),
 		},
 		{
 			wantError: true,
@@ -76,9 +81,10 @@ func (suite *EvaluateTrailCommandTestSuite) TestEvaluateTrailCmd() {
 			cmd:  fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/allow-all.rego %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
 		},
 		{
-			wantError: true,
-			name:      "with --policy deny-all exits 1",
-			cmd:       fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			wantError:    true,
+			wantExitCode: 1,
+			name:         "with --policy deny-all exits 1",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
 		},
 		{
 			wantError: true,
@@ -96,21 +102,23 @@ func (suite *EvaluateTrailCommandTestSuite) TestEvaluateTrailCmd() {
 			goldenJson: []jsonCheck{{"allow", true}},
 		},
 		{
-			wantError:   true,
-			name:        "with --policy deny-all --output json prints JSON with allow false and violations",
-			cmd:         fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output json %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
-			goldenRegex: `(?s)"allow":\s*false.*"violations":\s*\[.*"always denied"`,
+			wantError:    true,
+			wantExitCode: 1,
+			name:         "with --policy deny-all --output json prints JSON with allow false and violations",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output json %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			goldenRegex:  `(?s)"allow":\s*false.*"violations":\s*\[.*"always denied"`,
 		},
 		{
 			name:        "with --policy allow-all --output table prints allowed text",
 			cmd:         fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/allow-all.rego --output table %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
 			goldenRegex: `RESULT:\s+ALLOWED`,
 		},
 		{
-			wantError:   true,
-			name:        "with --policy deny-all --output table prints denied text with violations",
-			cmd:         fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output table %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
-			goldenRegex: `RESULT:\s+DENIED\nVIOLATIONS:\s+always denied`,
+			wantError:    true,
+			wantExitCode: 1,
+			name:         "with --policy deny-all --output table prints denied text with violations",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output table %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			goldenRegex:  `RESULT:\s+DENIED\nVIOLATIONS:\s+always denied`,
 		},
 		{
 			name:        "with --policy allow-all and no --output defaults to table output",
@@ -129,10 +137,11 @@ func (suite *EvaluateTrailCommandTestSuite) TestEvaluateTrailCmd() {
 			goldenJson: []jsonCheck{{"allow", true}, {"input.trail.name", suite.trailName}},
 		},
 		{
-			wantError:   true,
-			name:        "with --policy deny-all --output json --show-input includes input alongside allow and violations",
-			cmd:         fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output json --show-input %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
-			goldenRegex: `(?s)"allow":\s*false.*"input":\s*\{.*"trail".*"violations":\s*\[.*"always denied"`,
+			wantError:    true,
+			wantExitCode: 1,
+			name:         "with --policy deny-all --output json --show-input includes input alongside allow and violations",
+			cmd:          fmt.Sprintf(`evaluate trail %s --flow %s --policy testdata/policies/deny-all.rego --output json --show-input %s`, suite.trailName, suite.flowName, suite.defaultKosliArguments),
+			goldenRegex:  `(?s)"allow":\s*false.*"input":\s*\{.*"trail".*"violations":\s*\[.*"always denied"`,
 		},
 		{
 			name:        "with --policy allow-all --output table --show-input ignores show-input",

cmd/kosli/exitcodes_test.go

@@ -0,0 +1,119 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	kosliErrors "github.com/kosli-dev/cli/internal/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestExitCodeScenarios verifies that each documented exit code is produced
+// by the right class of error. Uses executeCommandC so no binary build is needed.
+//
+// Codes covered:
+//
+//	0 — success
+//	1 — compliance/policy violation
+//	2 — server unreachable or 5xx
+//	3 — invalid API token (401/403)
+//	4 — CLI usage error (missing flags, unknown flag, wrong arg count)
+func TestExitCodeScenarios(t *testing.T) {
+	assertCode := func(t *testing.T, cmd string, want int) {
+		t.Helper()
+		_, _, err := executeCommandC(cmd)
+		got := kosliErrors.ExitCodeFor(err)
+		assert.Equal(t, want, got, "command: %s\nerror: %v", cmd, err)
+	}
+
+	// ── exit 0: success ───────────────────────────────────────────────────────
+
+	t.Run("exit 0: kosli version succeeds", func(t *testing.T) {
+		assertCode(t, "version", kosliErrors.ExitOK)
+	})
+
+	// ── exit 1: compliance / policy violation ─────────────────────────────────
+
+	t.Run("exit 1: evaluate trail with deny-all policy", func(t *testing.T) {
+		srv := newStaticJSONServer(t, http.StatusOK, `{"name":"my-trail","compliance_status":{}}`)
+		cmd := fmt.Sprintf(
+			"evaluate trail my-trail --flow my-flow --policy testdata/policies/deny-all.rego --host %s --org test-org --api-token secret",
+			srv.URL,
+		)
+		assertCode(t, cmd, kosliErrors.ExitCompliance)
+	})
+
+	// ── exit 2: server unreachable / 5xx ──────────────────────────────────────
+
+	t.Run("exit 2: server returns 500", func(t *testing.T) {
+		srv := newStaticJSONServer(t, http.StatusInternalServerError, `{"message":"internal error"}`)
+		cmd := fmt.Sprintf(
+			"list environments --host %s --org test-org --api-token secret --max-api-retries 0",
+			srv.URL,
+		)
+		assertCode(t, cmd, kosliErrors.ExitServer)
+	})
+
+	t.Run("exit 2: server unreachable (bad host)", func(t *testing.T) {
+		assertCode(t,
+			"list environments --host http://localhost:19999 --org test-org --api-token secret --max-api-retries 0",
+			kosliErrors.ExitServer,
+		)
+	})
+
+	// ── exit 3: invalid API token ─────────────────────────────────────────────
+
+	t.Run("exit 3: server returns 401", func(t *testing.T) {
+		srv := newStaticJSONServer(t, http.StatusUnauthorized, `{"message":"unauthorized"}`)
+		cmd := fmt.Sprintf(
+			"list environments --host %s --org test-org --api-token bad-token",
+			srv.URL,
+		)
+		assertCode(t, cmd, kosliErrors.ExitConfig)
+	})
+
+	t.Run("exit 3: server returns 403", func(t *testing.T) {
+		srv := newStaticJSONServer(t, http.StatusForbidden, `{"message":"forbidden"}`)
+		cmd := fmt.Sprintf(
+			"list environments --host %s --org test-org --api-token bad-token",
+			srv.URL,
+		)
+		assertCode(t, cmd, kosliErrors.ExitConfig)
+	})
+
+	// ── exit 4: CLI usage errors ──────────────────────────────────────────────
+
+	t.Run("exit 4: unknown flag", func(t *testing.T) {
+		assertCode(t, "version --no-such-flag", kosliErrors.ExitUsage)
+	})
+
+	t.Run("exit 4: cobra required flag not set (--flow, --policy)", func(t *testing.T) {
+		assertCode(t,
+			"evaluate trail my-trail --host http://localhost:8001 --org test-org --api-token secret",
+			kosliErrors.ExitUsage,
+		)
+	})
+
+	t.Run("exit 4: wrong number of arguments", func(t *testing.T) {
+		// evaluate trail requires exactly 1 positional argument
+		assertCode(t,
+			"evaluate trail --host http://localhost:8001 --org test-org --api-token secret",
+			kosliErrors.ExitUsage,
+		)
+	})
+}
+
+// newStaticJSONServer starts a test HTTP server that always responds with the
+// given status code and JSON body, and closes itself when the test ends.
+func newStaticJSONServer(t *testing.T, status int, body string) *httptest.Server {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(status)
+		_, _ = fmt.Fprint(w, body)
+	}))
+	t.Cleanup(srv.Close)
+	return srv
+}

cmd/kosli/testHelpers.go

@@ -12,6 +12,7 @@ import (
 	"testing"
 
 	"github.com/kosli-dev/cli/internal/gitview"
+	kosliErrors "github.com/kosli-dev/cli/internal/errors"
 	shellwords "github.com/mattn/go-shellwords"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -32,6 +33,7 @@ type cmdTestCase struct {
 	goldenRegex      string
 	goldenJson       []jsonCheck // Use like this for array {"[0].compliant", false}
 	wantError        bool
+	wantExitCode     int // when non-zero, asserts ExitCodeFor(err) == wantExitCode
 	additionalConfig interface{}
 }
 
@@ -80,6 +82,11 @@ func runTestCmd(t *testing.T, tests []cmdTestCase) {
 			if (err != nil) != tt.wantError {
 				t.Errorf("error expectation not matched\n\n WANT error is: %t\n\n but GOT: '%v'", tt.wantError, err)
 			}
+			if tt.wantExitCode != 0 {
+				if got := kosliErrors.ExitCodeFor(err); got != tt.wantExitCode {
+					t.Errorf("exit code mismatch: want %d, got %d (error: %v)", tt.wantExitCode, got, err)
+				}
+			}
 			if tt.golden != "" {
 				if !bytes.Equal([]byte(tt.golden), []byte(out)) {
 					t.Errorf("does not match golden\n\nWANT:\n'%s'\n\nGOT:\n'%s'\n", tt.golden, out)

internal/errors/errors.go

@@ -1,6 +1,9 @@
 package errors
 
-import "errors"
+import (
+	"errors"
+	"strings"
+)
 
 // Exit codes
 const (
@@ -61,5 +64,23 @@ func ExitCodeFor(err error) int {
 	if errors.As(err, &eu) {
 		return ExitUsage
 	}
+	if isCobraUsageError(err) {
+		return ExitUsage
+	}
 	return ExitCompliance // default non-zero; use exit 1 for unclassified errors
 }
+
+// isCobraUsageError returns true for plain errors produced by Cobra's built-in
+// flag and argument validation that were not already wrapped as ErrUsage.
+// This covers cases where innerMain's wrapping is bypassed (e.g. in tests).
+func isCobraUsageError(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "unknown flag:") ||
+		strings.Contains(msg, "unknown shorthand flag:") ||
+		strings.Contains(msg, "required flag(s)") ||
+		strings.Contains(msg, "accepts") && strings.Contains(msg, "arg(s)") ||
+		strings.Contains(msg, "requires at least") && strings.Contains(msg, "arg(s)")
+}

internal/errors/errors_test.go

@@ -61,4 +61,25 @@ func TestExitCodeFor(t *testing.T) {
 		err := fmt.Errorf("some unexpected error")
 		assert.Equal(t, 1, kosliErrors.ExitCodeFor(err))
 	})
+
+	// Cobra built-in errors are classified as exit 4 without explicit wrapping.
+	t.Run("cobra unknown flag error returns 4", func(t *testing.T) {
+		err := fmt.Errorf("unknown flag: --foo")
+		assert.Equal(t, 4, kosliErrors.ExitCodeFor(err))
+	})
+
+	t.Run("cobra required flag not set returns 4", func(t *testing.T) {
+		err := fmt.Errorf(`required flag(s) "flow", "policy" not set`)
+		assert.Equal(t, 4, kosliErrors.ExitCodeFor(err))
+	})
+
+	t.Run("cobra ExactArgs error returns 4", func(t *testing.T) {
+		err := fmt.Errorf("accepts 1 arg(s), received 0")
+		assert.Equal(t, 4, kosliErrors.ExitCodeFor(err))
+	})
+
+	t.Run("cobra MinimumNArgs error returns 4", func(t *testing.T) {
+		err := fmt.Errorf("requires at least 1 arg(s), only received 0")
+		assert.Equal(t, 4, kosliErrors.ExitCodeFor(err))
+	})
 }