From c8308efcf00816407b917d60abd2be2563d1cd5f Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Sat, 25 Apr 2026 16:30:08 -0700
Subject: [PATCH] feat(ci): warn on fixture audit findings
---
 scripts/check-ci-policy.mjs | 8 ++++++++
 test/ci-policy.test.mjs | 26 ++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/scripts/check-ci-policy.mjs b/scripts/check-ci-policy.mjs
index 1bfde66..572abe0 100644
--- a/scripts/check-ci-policy.mjs
+++ b/scripts/check-ci-policy.mjs
@@ -202,6 +202,14 @@ function executionChecks(executionResults, policy, options) {
 message: `${executionResults.summary.failCount} failed synthetic probes`,
 evidence: failedExecutionEvidence(executionResults),
 },
+ {
+ id: "execution-results.audit-findings",
+ action: executionResults.summary.auditFindingCount > 0 ? "warn" : "pass",
+ message: `${executionResults.summary.auditFindingCount ?? 0} package audit findings`,
+ evidence: executionResults.artifacts
+ .filter((artifact) => artifact.kind === "audit" && artifact.findingCount > 0)
+ .map((artifact) => `${artifact.fixture}:${artifact.findingCount}`),
+ },
 ];
 const blocked = executionResults.artifacts.flatMap((artifact) =>
diff --git a/test/ci-policy.test.mjs b/test/ci-policy.test.mjs
index e9f676e..745ae8a 100644
--- a/test/ci-policy.test.mjs
+++ b/test/ci-policy.test.mjs
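Review bot: A results file whose `summary` lacks `auditFindingCount` is reported as a clean audit by the added `execution-results.audit-findings` entry: `undefined > 0` is false, so `action` is "pass", while the `?? 0` in `message` prints "0 package audit findings". For a dependency-audit check that fails open, since an audit step that did not run or an older results producer would look the same as zero findings. I would treat only a real zero as a pass, `action: executionResults.summary.auditFindingCount === 0 ? "pass" : "warn",`, and have the message say when the count is absent. The summary count and the artifact-derived `evidence` are also computed independently, so a count of 0 with non-empty evidence still passes; deriving both from the filtered audit artifacts would remove that gap. The body of `executionChecks` starts and ends outside the hunk.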
@@ -79,6 +79,31 @@ test("ci policy fails ref diff hard regressions", async () => {
 assert.ok(validateCiPolicyReport(report).some((error) => error.includes("hookNames.removed-used")));
 });
+test("ci policy reports package audit findings as warnings", async () => {
+ const report = await buildCiPolicyReport({
+ policy,
+ compatibilityReport: compatibilityReport(),
+ executionResults: {
+ summary: {
+ failCount: 0,
+ auditFindingCount: 2,
+ },
+ artifacts: [
+ {
+ fixture: "fixture",
+ kind: "audit",
+ findingCount: 2,
+ failures: [],
+ blocked: [],
+ },
+ ],
+ },
+ });
+
+ assert.equal(report.status, "pass");
+ assert.ok(report.checks.some((check) => check.action === "warn" && check.id === "execution-results.audit-findings"));
+});
+
 function compatibilityReport() {
 return {
 summary: {
@@ -100,6 +125,7 @@ function executionResults(blocked) {
 return {
 summary: {
 failCount: 0,
+ auditFindingCount: 0,
 },
 artifacts: [
 {
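Review bot: The added test "ci policy reports package audit findings as warnings" pins only the `action` and `id` of the audit check, so the `evidence` mapping and the message text are unverified, and no case covers a `summary` without `auditFindingCount`. Assuming the report keeps each check's `evidence` field, I would look the check up once, `const audit = report.checks.find((check) => check.id === "execution-results.audit-findings");`, and add `assert.deepEqual(audit.evidence, ["fixture:2"]);`. A second case that omits `auditFindingCount` from `summary` would record whether a missing count is meant to pass or warn. The later hunk only adds `auditFindingCount: 0` to the shared `executionResults` fixture and needs no change.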