merge: resolve conflicts with main

Author: dangrondahl

.github/workflows/docker.yml

@@ -7,13 +7,21 @@ on:
             - '.github/workflows/install-script-tests.yml'
             - 'bin/test_install_script.sh'
             - 'bin/test_install_script_over_homebrew.sh'
+            - 'npm/**'
+            - '.goreleaser.yml'
+            - 'scripts/npm-publish.sh'
     pull_request:
         paths:
             - 'install-cli.sh'
             - '.github/workflows/install-script-tests.yml'
             - 'bin/test_install_script.sh'
             - 'bin/test_install_script_over_homebrew.sh'
+            - 'npm/**'
+            - '.goreleaser.yml'
+            - 'scripts/npm-publish.sh'
     workflow_dispatch:
+    release:
+        types: [published]
 
 jobs:
     test-script:
@@ -63,4 +71,34 @@ jobs:
           shell: bash
           run: |
             chmod +x install-cli.sh
-            bash bin/test_install_script_over_homebrew.sh --token ${{ secrets.GITHUB_TOKEN }}
+            bash bin/test_install_script_over_homebrew.sh --token ${{ secrets.GITHUB_TOKEN }}
+
+    # Note: this job installs from the public npm registry, so on push/PR
+    # it tests the currently published version — not the code being changed.
+    # That still catches regressions. The release trigger is what tests new releases.
+    test-npm:
+        name: Test npm install on ${{ matrix.os }}
+        runs-on: ${{ matrix.os }}
+        strategy:
+            matrix:
+                os:
+                    - ubuntu-latest        # linux/x64
+                    - ubuntu-24.04-arm     # linux/arm64
+                    - macos-latest         # darwin/arm64
+                    - windows-latest       # win32/x64
+                    - windows-11-arm       # win32/arm64
+
+        steps:
+        - name: Install @kosli/cli via npm
+          shell: bash
+          run: |
+            TAG="${{ github.event.release.tag_name }}"
+            if [[ "${{ github.event_name }}" == "release" && "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              npm install -g @kosli/cli@latest
+            else
+              npm install -g @kosli/cli@snapshot
+            fi
+
+        - name: Verify kosli binary works
+          shell: bash
+          run: kosli version

.github/workflows/install-script-tests.yml

@@ -109,7 +109,7 @@ jobs:
     uses: ./.github/workflows/docker.yml
     with:
       tag: ${{ needs.pre-build.outputs.tag }}
-      platforms: linux/amd64
+      platforms: linux/amd64,linux/arm64
       flow_name: cli
       trail_name: ${{ needs.pre-build.outputs.trail_name }}
       kosli_org: kosli-public
@@ -144,4 +144,4 @@ jobs:
         uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
         with:
           slack_url: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -149,11 +149,17 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v7
         with:
+          distribution: goreleaser-pro
           version: '~> v2' # latest
           args: release --clean ${{ steps.get-tag-notes.outputs.args }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GORELEASER_KEY: ${{ secrets.KOSLI_GORELEASERPRO }}
+
+      - name: Copy npm packages into dist for provenance
+        run: find npm -name "*.tgz" -exec cp {} dist/ \;
 
       - uses: actions/upload-artifact@v7
         with:
@@ -164,7 +170,7 @@ jobs:
       - name: Prepare artifacts list
         id: prepare-artifacts-list
         run: |
-          ARTIFACTS=$(jq '[reduce .[] as $item (
+          GORELEASER_ARTIFACTS=$(jq '[reduce .[] as $item (
             [];
             if ($item.type == "Archive") then
                 . + [{ template_name: ($item.goos + "-" + $item.goarch), path: $item.path }]
@@ -175,6 +181,18 @@ jobs:
             end
            )][]' dist/artifacts.json)
 
+          NPM_ARTIFACTS=$(find dist -maxdepth 1 -name "*.tgz" -printf '%f\n' \
+            | jq -R '{
+                template_name: ("npm-" + sub("-[0-9]+\\.[0-9]+\\.[0-9]+.*\\.tgz$"; "")),
+                path: ("dist/" + .)
+              }' \
+            | jq -s '.')
+
+          ARTIFACTS=$(jq -n \
+            --argjson g "$GORELEASER_ARTIFACTS" \
+            --argjson n "$NPM_ARTIFACTS" \
+            '$g + $n')
+
           echo "artifacts<<nEOFn" >> $GITHUB_OUTPUT
           echo "${ARTIFACTS}" >> $GITHUB_OUTPUT
           echo "nEOFn" >> $GITHUB_OUTPUT

.github/workflows/release.yml

@@ -163,7 +163,6 @@ jobs:
         INTEGRATION_TEST_AZURE_CLIENT_SECRET: ${{ secrets.azure_client_secret }}
         INTEGRATION_TEST_AZURE_CLIENT_ID: ${{ secrets.azure_client_id }}
         KOSLI_SONAR_API_TOKEN: ${{ secrets.sonarqube_token }}
-        DOCKER_API_VERSION: "1.45"
         KOSLI_API_TOKEN_PROD: ${{ secrets.kosli_querying_api_token }}
       run: |
         # some tests use git operations, therefore the git author on the CI VM needs to be set
@@ -273,4 +272,3 @@ jobs:
            --trail ${{ inputs.TRAIL_NAME }}
            --scan-results  snyk-dependency.json
            --org ${{ inputs.KOSLI_ORG }}
-

.github/workflows/test.yml

@@ -17,6 +17,8 @@ docs.kosli.com/resources/_gen/*
 docs.kosli.com/content/client_reference/kosli*
 docs.kosli.com/public/
 docs.kosli.com/.netlify
+npm/cli*/bin/*
+npm/*/kosli*.tgz
 *.tar.gz
 *~
 /.idea

.gitignore

@@ -3,6 +3,8 @@ project_name: kosli
 before:
   hooks:
   - go mod tidy
+  - rm -rf npm/cli-*/bin
+  - find npm -name "*.tgz" -delete
 builds:
   - id: kosli
     binary: kosli
@@ -27,6 +29,19 @@ builds:
       - goos: windows
         goarch: arm
     main: ./cmd/kosli/
+    hooks:
+      post:
+        - cmd: >-
+            bash -c '
+            OS="{{ .Os }}";
+            ARCH="{{ .Arch }}";
+            [ "$OS" = "windows" ] && OS="win32";
+            [ "$ARCH" = "amd64" ] && ARCH="x64";
+            EXT="";
+            [ "{{ .Os }}" = "windows" ] && EXT=".exe";
+            mkdir -p npm/cli-${OS}-${ARCH}/bin &&
+            cp "{{ .Path }}" npm/cli-${OS}-${ARCH}/bin/kosli${EXT} &&
+            chmod +x npm/cli-${OS}-${ARCH}/bin/kosli${EXT}'
 
 archives:
   -
@@ -37,11 +52,9 @@ archives:
       - goos: windows
         formats: [zip]
 
-
 # docs for nfpm can be found here:  https://goreleaser.com/customization/nfpm/
 nfpms:
   - id: kosli
-
     # You can change the file name of the package.
     #
     # Default:`{{ .PackageName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}`
@@ -83,6 +96,12 @@ nfpms:
       - src: dist/{{ .ProjectName }}_{{ .Os }}_{{ if .Amd64 }}{{ .Arch }}_v1{{ else if .Arm }}{{ .Arch }}_6{{ else if eq .Arch "arm64" }}{{ .Arch }}_v8.0{{ else }}{{ .Arch }}{{ end }}/kosli
         dst: /usr/local/bin/kosli
 
+after:
+  hooks:
+    - cmd: bash scripts/npm-publish.sh "{{ .Version }}"{{ if or .IsSnapshot (not .IsRelease) }} --dry-run{{ end }}
+      # after hooks suppresses output by default. You need to add output: true to the hook to see the script's messages.
+      output: true
+
 publishers:
   - name: fury.io
     # by specifying `packages` id here goreleaser will only use this publisher

.goreleaser.yml

@@ -121,7 +121,7 @@ setup_test_to_use_staging_server_image:
 
 test_integration: deps vet ensure_network test_setup ## Run tests except the too slow ones
 	@[ -e ~/.kosli.yml ] && mv ~/.kosli.yml ~/.kosli-renamed.yml || true
-	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) -- --short -p=6 -coverprofile=cover.out ./...
+	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) -- --short -p=8 -coverprofile=cover.out ./...
 	@go tool cover -func=cover.out | grep total:
 	@go tool cover -html=cover.out
 	@[ -e ~/.kosli-renamed.yml ] && mv ~/.kosli-renamed.yml ~/.kosli.yml || true
@@ -130,14 +130,14 @@ test_integration: deps vet ensure_network test_setup ## Run tests except the too
 test_integration_full: deps vet ensure_network test_setup ## Run all tests
 	@[ -e ~/.kosli.yml ] && mv ~/.kosli.yml ~/.kosli-renamed.yml || true
 	@mkdir -p junit-test-results
-	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) --junitfile junit-test-results/junit.xml -- -p=6 -coverprofile=cover.out ./...
+	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) --junitfile junit-test-results/junit.xml -- -p=8 -coverprofile=cover.out ./...
 	@go tool cover -func=cover.out
 	@[ -e ~/.kosli-renamed.yml ] && mv ~/.kosli-renamed.yml ~/.kosli.yml || true
 
 
 test_integration_restart_server: test_setup_restart_server
 	@[ -e ~/.kosli.yml ] && mv ~/.kosli.yml ~/.kosli-renamed.yml || true
-	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) -- --short -p=6 -coverprofile=cover.out ./...
+	@export KOSLI_TESTS=true $(FAKE_CI_ENV) && $(GOTESTSUM) -- --short -p=8 -coverprofile=cover.out ./...
 	@go tool cover -html=cover.out
 	@[ -e ~/.kosli-renamed.yml ] && mv ~/.kosli-renamed.yml ~/.kosli.yml || true
 

Makefile

@@ -44,3 +44,23 @@
 - [x] Slice 5: Expression builder wizard
 - [x] Slice 6: API lookups for flows and custom attestation types
 - [x] Slice 7: Preview screen + polish
+
+## kosli evaluate input
+
+- [x] Slice 1: `evaluate input --input-file` with a file path
+- [x] Slice 2: stdin support (omit --input-file to read stdin; `-` not supported by cobra)
+- [x] Slice 3: help text and examples
+- [x] Slice 4: PR review feedback
+  - [x] Remove "using OPA" from all evaluate command long descriptions
+  - [x] Add test cases for policy validation errors (missing package policy, missing allow rule, deny without violations)
+  - [x] Update help text examples with fixture-capture workflow
+  - [x] Refactor: use `cmd.InOrStdin()` for testable stdin
+  - [x] Refactor: embed `commonEvaluateOptions` to remove flag duplication
+- [x] Slice 5: Detect terminal stdin and error when no input is piped
+
+## Add `--params` flag to `kosli evaluate` commands
+
+- [x] Slice 1: `evaluate.Evaluate()` accepts params, passes via OPA data store
+- [x] Slice 2: Add `--params` flag across all three commands
+- [x] Slice 3: Show params in `--show-input` output
+- [x] Slice 4: Update help text and examples

TODO.md

@@ -6,16 +6,23 @@ import (
 	"github.com/spf13/cobra"
 )
 
-const evaluateShortDesc = `Evaluate Kosli trail data against OPA/Rego policies.`
+const evaluateShortDesc = `Evaluate data against Rego policies.`
 
 // Backtick breaks (`"` + "`x`" + `"`) are needed to embed markdown
 // inline code spans inside raw string literals.
 const evaluateLongDesc = evaluateShortDesc + `
-Fetch trail data from Kosli and evaluate it against custom policies written
-in Rego, the policy language used by Open Policy Agent (OPA).
+Evaluate trail data or local JSON input against custom Rego policies.
+
+Use ` + "`evaluate trail`" + ` or ` + "`evaluate trails`" + ` to fetch data from Kosli and evaluate it.
+Use ` + "`evaluate input`" + ` to evaluate a local JSON file or stdin without any API calls.
+
 The policy must use ` + "`package policy`" + ` and define an ` + "`allow`" + ` rule.
 An optional ` + "`violations`" + ` rule (a set of strings) can provide human-readable denial reasons.
-The command exits with code 0 when allowed and code 1 when denied.`
+The command exits with code 0 when allowed and code 1 when denied.
+
+Use ` + "`--params`" + ` to pass configuration data (thresholds, expected counts, etc.)
+to your policy. Params are available as ` + "`data.params`" + ` in Rego, keeping policy
+logic reusable across environments with different tolerances.`
 
 func newEvaluateCmd(out io.Writer) *cobra.Command {
 	cmd := &cobra.Command{
@@ -28,6 +35,7 @@ func newEvaluateCmd(out io.Writer) *cobra.Command {
 	cmd.AddCommand(
 		newEvaluateTrailCmd(out),
 		newEvaluateTrailsCmd(out),
+		newEvaluateInputCmd(out),
 	)
 
 	return cmd