feat: display control identifier in assert artifact output for for_control policy failures (#926)

* feat: display control identifier in assert artifact output for for_control policy failures

When a policy rule has for_control set, the resolution context now includes
the control identifier (server PR #5814). The CLI now surfaces it in failure
messages so CI pipelines can identify which specific control is unsatisfied.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: pbeckham

cmd/kosli/assertArtifact.go

@@ -221,13 +221,23 @@ func printAssertAsTable(raw string, out io.Writer, page int) error {
 							ruleDefinition := rule["definition"].(map[string]interface{})
 							attestationName := ruleDefinition["name"]
 							attestationType := ruleDefinition["type"]
+							context, _ := resolution["context"].(map[string]interface{})
+							forControl, _ := context["for_control"].(string)
 							switch resolutionType {
 							case "legacy_flow":
 								failures = append(failures, "artifact comes from a legacy flow and does not have the new attestations")
 							case "missing_attestation":
-								failures = append(failures, fmt.Sprintf("artifact is missing required '%v' (type: %v) attestation in trail", attestationName, attestationType))
+								if forControl != "" {
+									failures = append(failures, fmt.Sprintf("artifact is missing required %v for control '%v'", attestationType, forControl))
+								} else {
+									failures = append(failures, fmt.Sprintf("artifact is missing required '%v' (type: %v) attestation in trail", attestationName, attestationType))
+								}
 							case "non_compliant_attestation":
-								failures = append(failures, fmt.Sprintf("attestation '%v' is non-compliant in trail", attestationName))
+								if forControl != "" {
+									failures = append(failures, fmt.Sprintf("decision for control '%v' is non-compliant in trail", forControl))
+								} else {
+									failures = append(failures, fmt.Sprintf("attestation '%v' is non-compliant in trail", attestationName))
+								}
 							case "non_compliant_in_trail":
 								failures = append(failures, "artifact is not compliant in trail")
 							}

cmd/kosli/assertArtifact_test.go

@@ -30,6 +30,17 @@ type AssertArtifactCommandTestSuite struct {
 	artifactName3         string
 	artifact3Path         string
 	fingerprint3          string
+	// for_control test fixtures
+	controlIdentifier    string
+	controlPolicyName    string
+	controlEnvName       string
+	flowNameForControl   string
+	trailNameNoDecision  string
+	artifact4Path        string
+	fingerprint4         string
+	trailNameBadDecision string
+	artifact5Path        string
+	fingerprint5         string
 }
 
 func (suite *AssertArtifactCommandTestSuite) SetupTest() {
@@ -78,6 +89,34 @@ func (suite *AssertArtifactCommandTestSuite) SetupTest() {
 	require.NoError(suite.T(), err)
 	CreateGenericArtifactAttestation(suite.flowName3, suite.trailName, suite.fingerprint3, "failing-attestation", false, suite.T())
 	require.NoError(suite.T(), err)
+
+	// Setup for for_control policy evaluation tests
+	suite.controlIdentifier = "assert-artifact-ctl"
+	suite.controlPolicyName = "assert-artifact-control-pol"
+	suite.controlEnvName = "assert-artifact-control-env"
+	suite.flowNameForControl = "assert-artifact-control-flow"
+	suite.trailNameNoDecision = "assert-artifact-no-decision-trail"
+	suite.trailNameBadDecision = "assert-artifact-bad-decision-trail"
+	suite.artifact4Path = "testdata/artifacts/AssertArtifactCommandTestSuiteArtifact4.txt"
+	suite.artifact5Path = "testdata/artifacts/AssertArtifactCommandTestSuiteArtifact5.txt"
+
+	CreateControl(global.Org, suite.controlIdentifier, "Test Control For Assert", suite.T())
+	CreatePolicyWithFile(global.Org, suite.controlPolicyName, "testdata/policy-files/test-policy-for-control.yml", suite.T())
+	CreateEnv(global.Org, suite.controlEnvName, "server", suite.T())
+	AttachPolicy([]string{suite.controlEnvName}, suite.controlPolicyName, suite.T())
+
+	CreateFlow(suite.flowNameForControl, suite.T())
+
+	BeginTrail(suite.trailNameNoDecision, suite.flowNameForControl, "", suite.T())
+	suite.fingerprint4, err = GetSha256Digest(suite.artifact4Path, fingerprintOptions, logger)
+	require.NoError(suite.T(), err)
+	CreateArtifactOnTrail(suite.flowNameForControl, suite.trailNameNoDecision, "cli", suite.fingerprint4, "arti-no-decision", suite.T())
+
+	BeginTrail(suite.trailNameBadDecision, suite.flowNameForControl, "", suite.T())
+	suite.fingerprint5, err = GetSha256Digest(suite.artifact5Path, fingerprintOptions, logger)
+	require.NoError(suite.T(), err)
+	CreateArtifactOnTrail(suite.flowNameForControl, suite.trailNameBadDecision, "cli", suite.fingerprint5, "arti-bad-decision", suite.T())
+	CreateDecisionAttestation(suite.flowNameForControl, suite.trailNameBadDecision, suite.controlIdentifier, "decision", false, suite.T())
 }
 
 func (suite *AssertArtifactCommandTestSuite) TestAssertArtifactCmd() {
@@ -199,6 +238,18 @@ func (suite *AssertArtifactCommandTestSuite) TestAssertArtifactCmd() {
 			cmd:         fmt.Sprintf(`assert artifact %s --artifact-type file %s`, suite.artifact3Path, suite.defaultKosliArguments),
 			goldenRegex: "^Error: NON-COMPLIANT\n",
 		},
+		{
+			wantError:   true,
+			name:        "18 asserting artifact against env policy with for_control reports control ID when decision is missing",
+			cmd:         fmt.Sprintf(`assert artifact --fingerprint %s --environment %s %s`, suite.fingerprint4, suite.controlEnvName, suite.defaultKosliArguments),
+			goldenRegex: fmt.Sprintf("(?s).*artifact is missing required decision for control '%v'.*", suite.controlIdentifier),
+		},
+		{
+			wantError:   true,
+			name:        "19 asserting artifact against env policy with for_control reports control ID when decision is non-compliant",
+			cmd:         fmt.Sprintf(`assert artifact --fingerprint %s --environment %s %s`, suite.fingerprint5, suite.controlEnvName, suite.defaultKosliArguments),
+			goldenRegex: fmt.Sprintf("(?s).*decision for control '%v' is non-compliant in trail.*", suite.controlIdentifier),
+		},
 	}
 
 	runTestCmd(suite.T(), tests)

cmd/kosli/testHelpers.go

@@ -538,6 +538,12 @@ func CreateControl(org, identifier, name string, t *testing.T) {
 
 // CreatePolicy creates a policy on the server
 func CreatePolicy(org, policyName string, t *testing.T) {
+	t.Helper()
+	CreatePolicyWithFile(org, policyName, "testdata/policy-files/test-policy.yml", t)
+}
+
+// CreatePolicyWithFile creates a policy on the server using the given policy file.
+func CreatePolicyWithFile(org, policyName, policyFilePath string, t *testing.T) {
 	t.Helper()
 	o := &createPolicyOptions{
 		payload: PolicyPayload{
@@ -547,10 +553,33 @@ func CreatePolicy(org, policyName string, t *testing.T) {
 		},
 	}
 
-	err := o.run([]string{policyName, "testdata/policy-files/test-policy.yml"})
+	err := o.run([]string{policyName, policyFilePath})
 	require.NoError(t, err, "policy should be created without error")
 }
 
+// CreateDecisionAttestation records a decision attestation against a trail.
+func CreateDecisionAttestation(flowName, trailName, controlID, attestationName string, compliant bool, t *testing.T) {
+	t.Helper()
+	o := &attestDecisionOptions{
+		CommonAttestationOptions: &CommonAttestationOptions{
+			flowName:                flowName,
+			trailName:               trailName,
+			fingerprintOptions:      &fingerprintOptions{},
+			attestationNameTemplate: attestationName,
+		},
+		payload: DecisionAttestationPayload{
+			CommonAttestationPayload: &CommonAttestationPayload{},
+			TypeName:                 "decision",
+			Control:                  controlID,
+			AttestationData: DecisionAttestationData{
+				Compliant: compliant,
+			},
+		},
+	}
+	err := o.run([]string{})
+	require.NoError(t, err, "decision attestation should be created without error")
+}
+
 func AttachPolicy(envNames []string, policyName string, t *testing.T) {
 	t.Helper()
 	o := &attachPolicyOptions{

cmd/kosli/testdata/artifacts/AssertArtifactCommandTestSuiteArtifact4.txt

@@ -0,0 +1 @@
+artifact for AssertArtifactCommandTestSuite missing-decision test

cmd/kosli/testdata/artifacts/AssertArtifactCommandTestSuiteArtifact5.txt

@@ -0,0 +1 @@
+artifact for AssertArtifactCommandTestSuite non-compliant-decision test

cmd/kosli/testdata/policy-files/test-policy-for-control.yml

@@ -0,0 +1,9 @@
+_schema: https://kosli.com/schemas/policy/environment/v1
+
+artifacts:
+  provenance:
+    required: true
+  attestations:
+    - name: decision
+      type: decision
+      for_control: assert-artifact-ctl