From 06d901d2a8c07a1cd09202823eb4a49477d37b8b Mon Sep 17 00:00:00 2001
From: Ugur Cekmez
Date: Sun, 21 Jun 2026 19:11:18 +0300
Subject: [PATCH] ci(audit): scope blocking npm-audit gate to published packages

The dependency-policy gate audited examples and the test harness in the same blocking loop as the published packages, so a high-severity advisory in a demo's transitive dependency failed CI for every PR. A hono advisory in examples/node-gate-publisher recently blocked main and 8 open PRs this way, even though nothing consumers install was affected. Published @eep-dev/* packages still gate the build (a vulnerability there ships to consumers). Examples and the test harness move to a separate, non-blocking advisory step that surfaces high-severity advisories as CI warnings without failing the run.

Signed-off-by: Ugur Cekmez
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/test.yml | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e552fac..0f97626 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,18 +22,22 @@ jobs: npm ci npm run build - - name: npm high-severity audit gate + - name: npm high-severity audit gate (published packages — blocking) run: | set -euo pipefail + # Only packages we publish to npm gate the build: a high-severity + # advisory in one of these ships to consumers. Examples and the test + # harness are audited in a separate, non-blocking step below — a vuln + # in a demo's transitive dependency must not block every contributor + # PR (it previously blocked main and 8 PRs over a hono advisory in + # examples/node-gate-publisher). for dir in \ "packages/@eep-dev/gates" \ "packages/@eep-dev/signer" \ "packages/@eep-dev/validator" \ "packages/@eep-dev/compliance-cli" \ "packages/@eep-dev/setup-cli" \ - "packages/@eep-dev/middleware" \ - "tests" \ - "examples/node-gate-publisher" + "packages/@eep-dev/middleware" do echo "Auditing $dir" (cd "$dir" && npm ci && npm audit --omit=dev --audit-level=high) @@ -43,6 +47,24 @@ jobs: echo "Auditing packages/@eep-dev/mcp-bridge" (cd "packages/@eep-dev/mcp-bridge" && npm install && npm audit --omit=dev --audit-level=high) + - name: npm audit (examples + test harness — advisory, non-blocking) + continue-on-error: true + run: | + # These are not published to npm. High-severity transitive advisories + # here are surfaced as warnings but do NOT fail CI. + for dir in \ + "tests" \ + "examples/node-gate-publisher" + do + echo "::group::Advisory audit $dir" + if (cd "$dir" && npm ci && npm audit --omit=dev --audit-level=high); then + echo "$dir: no high-severity advisories" + else + echo "::warning title=Advisory audit::$dir has high-severity advisories (non-blocking: not a published package)" + fi + echo "::endgroup::" + done + - uses: actions/setup-python@v6 with: python-version: '3.12'
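Review bot: The six-line comment added above `for dir in` in the blocking step folds incident history (main and 8 PRs blocked by a hono advisory in examples/node-gate-publisher) into the workflow script, where it will go stale and cannot be checked against anything in the file; the commit message already records that incident. I would keep the comment to the standing policy, e.g. `# Only published @eep-dev/* packages gate the build; examples and the test harness are audited in the non-blocking step below.`, and let the commit carry the history. The `for` loop this hunk edits continues past the end of the hunk (its `done` is not shown).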
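Review bot: In the added advisory step, an install failure and an audit failure are indistinguishable: `if (cd "$dir" && npm ci && npm audit --omit=dev --audit-level=high)` reports any failure as "$dir has high-severity advisories", so a stale lockfile or a network error in a demo is mislabelled as a vulnerability, and conversely when `npm ci` fails the audit never runs and the advisory picture for that directory is simply unknown rather than clean. Splitting the two commands, with a distinct `::warning` for "npm ci failed, audit not run", keeps the annotation honest. `continue-on-error: true` is also redundant as written, since every failing command sits inside the `if` and the script never exits non-zero; the flag therefore only hides unexpected failures of the step itself, and dropping it (relying on the `if`) would be clearer. Because `npm audit` works from the lockfile, it is worth checking whether `npm ci` is needed in this step at all, and if it is, running it with `--ignore-scripts` so that auditing a directory where a high-severity advisory is tolerated does not also execute its dependencies' install scripts on the runner.
```yaml
      - name: npm audit (examples + test harness — advisory, non-blocking)
        run: |
          # … unchanged: comment …
          for dir in \
            "tests" \
            "examples/node-gate-publisher"
          do
            echo "::group::Advisory audit $dir"
            if ! (cd "$dir" && npm ci --ignore-scripts); then
              echo "::warning title=Advisory audit::$dir: npm ci failed, audit not run (non-blocking: not a published package)"
            elif (cd "$dir" && npm audit --omit=dev --audit-level=high); then
              echo "$dir: no high-severity advisories"
            else
              echo "::warning title=Advisory audit::$dir has high-severity advisories (non-blocking: not a published package)"
            fi
            echo "::endgroup::"
          done
```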