Install gate, Phase 3 (lane 2): --json machine output #114
Open
juangaitanv wants to merge 3 commits into
juangaitanv added a commit that referenced this pull request on Jun 12, 2026:

…t refusals

Addresses Cursor review on #114.
- the wrapper's --json is now forwarded to the package manager on passthrough (non-install subcommands, bare exec): `corgea npm --json view x` reaches npm's --json again instead of the wrapper silently swallowing it. A non-install passthrough produces no Corgea report, so the flag is the manager's.
- the pre-report refusals that previously bypassed the JSON error helper (unparsable npm ci / uv sync lockfile, bare-npm root redirect, npm ci root redirect) now route through refuse_guard, so `--json` emits a parseable {"error": …} document instead of bare stderr. Machine consumers can parse every blocking path uniformly.
Harvested from the install-vuln-gate spike (dfac68e).
- --json prints the report as one pretty-printed JSON document on stdout: summary counts, verdict_mode ("public" / "recency-only"), per-result verdict objects (vulnerable verdicts carry matches and a remediation field — the safe version covering every advisory, null when any advisory lacks a fix), and the tree object (mode full/named-only, resolved_count, transitive[] with origin labels)
- stdout purity: the wrapped package manager's stdout moves to stderr so stdout stays parseable; guard refusals (pip add, uv install, wrong manager, parse errors) emit an {"error": …} document
- VulnMatch is now Serialize for the JSON matches array
…ion holes
The --json contract is 'every exit path yields exactly one parseable
document on stdout'. Three paths broke it and two were inconsistent:
- --force over an unparsable lockfile now emits a {warning, proceeded}
document before exec (stdout was empty).
- uv passthrough (and the no-files 'uv pip sync' branch) routes through
passthrough_exec, so the wrapper's consumed --json is re-forwarded to
uv ('corgea uv --json tree' reaches uv's own --json again).
- Bare yarn/pnpm installs under --json emit an empty report document
(null tree, zero results) with the honesty note on stderr.
- Binary-not-found under --json emits an {error} document before exit
127.
- refuse_guard pretty-prints, matching the main report's formatting;
SKILL.md documents verdict_mode 'recency-only' as library-only.
- New position-sensitivity test pins that post-verb --json belongs to
the manager ('corgea npm install --json x' forwards it; gate stays
text).
Phase 3, lane 2 of the install-gate restart

Stacked on #113 (Phase 3 lane 1). Base: install-gate-phase-3-uv. Machine-readable output for the gate.

Scope (per the PRD)
- --json prints the report as one pretty-printed JSON document on stdout: summary counts, verdict_mode ("public" / "recency-only"), per-result verdict objects, and the tree object (mode full/named-only, resolved_count, transitive[] with origin labels).
- remediation field on vulnerable verdicts — the safe version covering every advisory, null when any advisory lacks a fix.
- add, uv install, wrong manager, parse errors) emit an {"error": …} document.
- VulnMatch gains Serialize for the JSON matches array.

Out of scope: auth/fail-closed (lane 3).

Exit criteria — met

Covered by --json tests across cli_install.rs, cli_verdict.rs, cli_remediation.rs, cli_tree.rs, cli_bare_install.rs, cli_provenance.rs; confirmed live against staging (the workflow's exact corgea npm --threshold 0s --json install … invocation parses clean). ./harness check green.

🤖 Generated with Claude Code
--jsontests acrosscli_install.rs,cli_verdict.rs,cli_remediation.rs,cli_tree.rs,cli_bare_install.rs,cli_provenance.rs; confirmed live against staging (the workflow's exactcorgea npm --threshold 0s --json install …invocation parses clean)../harness checkgreen.🤖 Generated with Claude Code