green: evaluate trail/trails policy denial exits with code 1 (ErrCompliance)

dangrondahl · dangrondahl · commit efcf32526099 · 2026-03-19T00:23:39.000+01:00
- printEvaluateResultAsJson and printEvaluateResultAsTable now return
  ErrCompliance on policy denial so the process exits with code 1
- Add exitCodesEvaluate set (code 1: "Policy denied.") and register
  kosli evaluate trail and kosli evaluate trails in commandExitCodes
- Add TestPolicyDenialIsErrCompliance covering both formatters for
  allow and deny cases
diff --git a/cmd/kosli/docs.go b/cmd/kosli/docs.go
@@ -47,6 +47,15 @@ var (
 		{Code: 2, Meaning: "Kosli server is unreachable or down."},
 	}
 
+	// exitCodesEvaluate applies to evaluate commands that run a policy and can signal policy denial.
+	exitCodesEvaluate = []docgen.ExitCodeEntry{
+		{Code: 0, Meaning: "No error (policy allowed)."},
+		{Code: 1, Meaning: "Policy denied."},
+		{Code: 2, Meaning: "Kosli server is unreachable or returned a server error."},
+		{Code: 3, Meaning: "Invalid API token or unauthorized access."},
+		{Code: 4, Meaning: "CLI usage error (e.g. missing or invalid flags)."},
+	}
+
 	// exitCodesNoAPI applies to commands that do not call the Kosli API (version, completion, docs).
 	exitCodesNoAPI = []docgen.ExitCodeEntry{
 		{Code: 0, Meaning: "No error."},
@@ -72,6 +81,9 @@ var commandExitCodes = map[string][]docgen.ExitCodeEntry{
 	"kosli attest pullrequest azure":     exitCodesAttest,
 	"kosli attest pullrequest bitbucket": exitCodesAttest,
 	"kosli attest jira":                  exitCodesAttest,
+	// evaluate commands — policy denial exits with code 1
+	"kosli evaluate trail":              exitCodesEvaluate,
+	"kosli evaluate trails":             exitCodesEvaluate,
 	// non-API commands
 	"kosli version":                     exitCodesNoAPI,
 	"kosli completion":                  exitCodesNoAPI,
diff --git a/cmd/kosli/evaluateHelpers.go b/cmd/kosli/evaluateHelpers.go
@@ -9,6 +9,7 @@ import (
 	"os"
 
 	"github.com/kosli-dev/cli/internal/evaluate"
+	kosliErrors "github.com/kosli-dev/cli/internal/errors"
 	"github.com/kosli-dev/cli/internal/output"
 	"github.com/kosli-dev/cli/internal/requests"
 	"github.com/spf13/cobra"
@@ -136,7 +137,7 @@ func printEvaluateResultAsJson(raw string, out io.Writer, _ int) error {
 		return err
 	}
 	if allow, ok := result["allow"].(bool); ok && !allow {
-		return fmt.Errorf("policy denied")
+		return kosliErrors.NewErrCompliance("policy denied")
 	}
 	return nil
 }
@@ -167,8 +168,8 @@ func printEvaluateResultAsTable(raw string, out io.Writer, _ int) error {
 			}
 		}
 		tabFormattedPrint(out, []string{}, rows)
-		return fmt.Errorf("policy denied: %v", violations)
+		return kosliErrors.NewErrCompliance(fmt.Sprintf("policy denied: %v", violations))
 	}
 	tabFormattedPrint(out, []string{}, rows)
-	return fmt.Errorf("policy denied")
+	return kosliErrors.NewErrCompliance("policy denied")
 }
diff --git a/cmd/kosli/evaluateHelpers_test.go b/cmd/kosli/evaluateHelpers_test.go
@@ -0,0 +1,36 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"testing"
+
+	kosliErrors "github.com/kosli-dev/cli/internal/errors"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPolicyDenialIsErrCompliance(t *testing.T) {
+	deniedJSON := `{"allow":false,"violations":["missing approval"]}`
+
+	t.Run("printEvaluateResultAsJson returns ErrCompliance on policy denial", func(t *testing.T) {
+		err := printEvaluateResultAsJson(deniedJSON, &bytes.Buffer{}, 0)
+		var ec *kosliErrors.ErrCompliance
+		assert.True(t, errors.As(err, &ec), "expected ErrCompliance, got %T: %v", err, err)
+	})
+
+	t.Run("printEvaluateResultAsTable returns ErrCompliance on policy denial", func(t *testing.T) {
+		err := printEvaluateResultAsTable(deniedJSON, &bytes.Buffer{}, 0)
+		var ec *kosliErrors.ErrCompliance
+		assert.True(t, errors.As(err, &ec), "expected ErrCompliance, got %T: %v", err, err)
+	})
+
+	t.Run("printEvaluateResultAsJson returns nil on policy allow", func(t *testing.T) {
+		err := printEvaluateResultAsJson(`{"allow":true,"violations":[]}`, &bytes.Buffer{}, 0)
+		assert.NoError(t, err)
+	})
+
+	t.Run("printEvaluateResultAsTable returns nil on policy allow", func(t *testing.T) {
+		err := printEvaluateResultAsTable(`{"allow":true,"violations":[]}`, &bytes.Buffer{}, 0)
+		assert.NoError(t, err)
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`	`"os"`
`10`	`10`
`11`	`11`	`"github.com/kosli-dev/cli/internal/evaluate"`
	`12`	`+ kosliErrors "github.com/kosli-dev/cli/internal/errors"`
`12`	`13`	`"github.com/kosli-dev/cli/internal/output"`
`13`	`14`	`"github.com/kosli-dev/cli/internal/requests"`
`14`	`15`	`"github.com/spf13/cobra"`
`@@ -136,7 +137,7 @@ func printEvaluateResultAsJson(raw string, out io.Writer, _ int) error {`
`136`	`137`	`return err`
`137`	`138`	`}`
`138`	`139`	`if allow, ok := result["allow"].(bool); ok && !allow {`
`139`		`- return fmt.Errorf("policy denied")`
	`140`	`+ return kosliErrors.NewErrCompliance("policy denied")`
`140`	`141`	`}`
`141`	`142`	`return nil`
`142`	`143`	`}`
`@@ -167,8 +168,8 @@ func printEvaluateResultAsTable(raw string, out io.Writer, _ int) error {`
`167`	`168`	`}`
`168`	`169`	`}`
`169`	`170`	`tabFormattedPrint(out, []string{}, rows)`
`170`		`- return fmt.Errorf("policy denied: %v", violations)`
	`171`	`+ return kosliErrors.NewErrCompliance(fmt.Sprintf("policy denied: %v", violations))`
`171`	`172`	`}`
`172`	`173`	`tabFormattedPrint(out, []string{}, rows)`
`173`		`- return fmt.Errorf("policy denied")`
	`174`	`+ return kosliErrors.NewErrCompliance("policy denied")`
`174`	`175`	`}`