@eduardbar/drift 1.2.0 → 1.4.0

package/.gga

@@ -0,0 +1,50 @@
+# Gentleman Guardian Angel Configuration
+# https://github.com/your-org/gga
+
+# AI Provider (required)
+# Options: claude, gemini, codex, opencode, ollama:<model>, lmstudio[:model], github:<model>
+# Examples:
+#   PROVIDER="claude"
+#   PROVIDER="gemini"
+#   PROVIDER="codex"
+#   PROVIDER="opencode"
+#   PROVIDER="opencode:anthropic/claude-opus-4-5"
+#   PROVIDER="ollama:llama3.2"
+#   PROVIDER="ollama:codellama"
+#   PROVIDER="lmstudio"
+#   PROVIDER="lmstudio:qwen2.5-coder-7b-instruct"
+#   PROVIDER="github:gpt-4o"
+#   PROVIDER="github:deepseek-r1"
+PROVIDER="claude"
+
+# File patterns to include in review (comma-separated)
+# Default: * (all files)
+# Examples:
+#   FILE_PATTERNS="*.ts,*.tsx"
+#   FILE_PATTERNS="*.py"
+#   FILE_PATTERNS="*.go,*.mod"
+FILE_PATTERNS="*.ts,*.tsx,*.js,*.jsx"
+
+# File patterns to exclude from review (comma-separated)
+# Default: none
+# Examples:
+#   EXCLUDE_PATTERNS="*.test.ts,*.spec.ts"
+#   EXCLUDE_PATTERNS="*_test.go,*.mock.ts"
+EXCLUDE_PATTERNS="*.test.ts,*.spec.ts,*.test.tsx,*.spec.tsx,*.d.ts"
+
+# File containing code review rules
+# Default: AGENTS.md
+RULES_FILE="AGENTS.md"
+
+# Strict mode: fail if AI response is ambiguous
+# Default: true
+STRICT_MODE="true"
+
+# Timeout in seconds for AI provider response
+# Default: 300 (5 minutes)
+# Increase for large changesets or slow connections
+TIMEOUT="300"
+
+# Base branch for --pr-mode (auto-detects main/master/develop if empty)
+# Default: auto-detect
+# PR_BASE_BRANCH="main"

package/.github/actions/drift-review/README.md

@@ -0,0 +1,60 @@
+# drift-review Action
+
+Composite action for PR workflows that wraps `drift trust`, optional `drift review`, and `drift trust-gate`.
+
+The action runs drift via `npm exec` with an isolated prefix under `$RUNNER_TEMP/drift-cli` to avoid local bin resolution conflicts when workflows execute inside the `@eduardbar/drift` repository.
+
+## Why this action exists
+
+The repository workflow (`.github/workflows/review-pr.yml`) uses trust as the merge gate and review markdown as complementary context. This action packages that flow as a reusable contract:
+
+1. Generate trust markdown + JSON
+2. Optionally generate review markdown
+3. Extract stable trust outputs for downstream jobs/comments
+4. Enforce trust gate when configured
+
+## Usage
+
+```yaml
+- name: Drift trust/review
+  id: drift_review
+  uses: ./.github/actions/drift-review
+  with:
+    path: .
+    base-ref: origin/${{ github.base_ref }}
+    version: 1.3.0
+    min-trust: 40
+    max-risk: HIGH
+    fail-on-gate: true
+    include-review: true
+```
+
+## Inputs
+
+| Input | Description | Default |
+|-------|-------------|---------|
+| `path` | Path to analyze | `.` |
+| `base-ref` | Base git ref for diff-aware trust/review | `origin/main` |
+| `version` | drift version for `npm exec` execution | `1.3.0` |
+| `min-trust` | Failing threshold for trust score | `45` |
+| `max-risk` | Failing threshold for merge risk | `HIGH` |
+| `fail-on-gate` | Enforce trust gate failure | `true` |
+| `include-review` | Generate review markdown file | `true` |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `trust-score` | `trust_score` from trust JSON |
+| `merge-risk` | `merge_risk` from trust JSON |
+| `new-issues` | New issue count from `diff_context` or `n/a` |
+| `resolved-issues` | Resolved issue count from `diff_context` or `n/a` |
+| `trust-json` | Trust JSON file path |
+| `trust-markdown` | Trust markdown file path |
+| `review-markdown` | Review markdown file path |
+
+## Failure behavior
+
+- Parsing failures on trust JSON fail the step.
+- Gate violations fail when `fail-on-gate=true`.
+- No `|| true` paths are used for critical scan/trust/gate commands.

package/.github/actions/drift-review/action.yml

@@ -0,0 +1,131 @@
+name: 'Drift — Trust + Review for PRs'
+description: 'Generate trust/review artifacts and enforce trust gate for pull requests'
+author: 'eduardbar'
+
+branding:
+  icon: 'shield'
+  color: 'blue'
+
+inputs:
+  path:
+    description: 'Path to analyze'
+    required: false
+    default: '.'
+  base-ref:
+    description: 'Git base ref used by trust/review diff context'
+    required: false
+    default: 'origin/main'
+  version:
+    description: 'Version of @eduardbar/drift to use'
+    required: false
+    default: '1.3.0'
+  min-trust:
+    description: 'Fail gate if trust score is below this threshold'
+    required: false
+    default: '45'
+  max-risk:
+    description: 'Fail gate if merge risk exceeds this level (LOW|MEDIUM|HIGH|CRITICAL)'
+    required: false
+    default: 'HIGH'
+  fail-on-gate:
+    description: 'Whether to enforce trust-gate failure'
+    required: false
+    default: 'true'
+  include-review:
+    description: 'Whether to generate drift review markdown'
+    required: false
+    default: 'true'
+
+outputs:
+  trust-score:
+    description: 'Trust score from drift trust JSON'
+    value: ${{ steps.extract.outputs.trust_score }}
+  merge-risk:
+    description: 'Merge risk from drift trust JSON'
+    value: ${{ steps.extract.outputs.merge_risk }}
+  new-issues:
+    description: 'New issues compared to base ref when available'
+    value: ${{ steps.extract.outputs.new_issues }}
+  resolved-issues:
+    description: 'Resolved issues compared to base ref when available'
+    value: ${{ steps.extract.outputs.resolved_issues }}
+  trust-json:
+    description: 'Generated trust JSON file path'
+    value: ${{ steps.files.outputs.trust_json }}
+  trust-markdown:
+    description: 'Generated trust markdown file path'
+    value: ${{ steps.files.outputs.trust_md }}
+  review-markdown:
+    description: 'Generated review markdown file path (if include-review=true)'
+    value: ${{ steps.files.outputs.review_md }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Prepare artifact file paths
+      id: files
+      shell: bash
+      run: |
+        set -euo pipefail
+        trust_json="$RUNNER_TEMP/drift-trust.json"
+        trust_md="$RUNNER_TEMP/drift-trust.md"
+        review_md="$RUNNER_TEMP/drift-review.md"
+        echo "trust_json=$trust_json" >> "$GITHUB_OUTPUT"
+        echo "trust_md=$trust_md" >> "$GITHUB_OUTPUT"
+        echo "review_md=$review_md" >> "$GITHUB_OUTPUT"
+
+    - name: Generate trust artifacts
+      shell: bash
+      run: |
+        set -euo pipefail
+        EXEC_PREFIX="$RUNNER_TEMP/drift-cli"
+        mkdir -p "$EXEC_PREFIX"
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift --version
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift trust "${{ inputs.path }}" --base "${{ inputs.base-ref }}" --markdown --json-output "${{ steps.files.outputs.trust_json }}" > "${{ steps.files.outputs.trust_md }}"
+
+    - name: Generate review markdown
+      if: inputs.include-review == 'true'
+      shell: bash
+      run: |
+        set -euo pipefail
+        EXEC_PREFIX="$RUNNER_TEMP/drift-cli"
+        mkdir -p "$EXEC_PREFIX"
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift review --base "${{ inputs.base-ref }}" --comment > "${{ steps.files.outputs.review_md }}"
+
+    - name: Extract trust outputs
+      id: extract
+      shell: bash
+      run: |
+        set -euo pipefail
+        TRUST_JSON_PATH="${{ steps.files.outputs.trust_json }}" GITHUB_OUTPUT_PATH="$GITHUB_OUTPUT" node --input-type=module <<'NODE'
+        import fs from 'node:fs'
+
+        const payload = JSON.parse(fs.readFileSync(process.env.TRUST_JSON_PATH, 'utf8'))
+        const trust = payload.trust_score
+        const risk = payload.merge_risk
+        const diff = payload.diff_context ?? {}
+
+        if (typeof trust !== 'number') {
+          throw new Error('drift trust JSON missing numeric trust_score')
+        }
+        if (typeof risk !== 'string') {
+          throw new Error('drift trust JSON missing merge_risk')
+        }
+
+        const lines = [
+          `trust_score=${trust}`,
+          `merge_risk=${risk}`,
+          `new_issues=${diff.newIssues ?? 'n/a'}`,
+          `resolved_issues=${diff.resolvedIssues ?? 'n/a'}`,
+        ]
+        fs.appendFileSync(process.env.GITHUB_OUTPUT_PATH, lines.join('\n') + '\n')
+        NODE
+
+    - name: Enforce trust gate
+      if: inputs.fail-on-gate == 'true'
+      shell: bash
+      run: |
+        set -euo pipefail
+        EXEC_PREFIX="$RUNNER_TEMP/drift-cli"
+        mkdir -p "$EXEC_PREFIX"
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift trust-gate "${{ steps.files.outputs.trust_json }}" --min-trust "${{ inputs.min-trust }}" --max-risk "${{ inputs.max-risk }}"

package/.github/actions/drift-scan/README.md

@@ -1,15 +1,26 @@
-# drift-scan Action
+# drift-scan Action (v2 contract)
 
-Scan your TypeScript project for AI-generated technical debt in CI.
+Composite action to run `drift scan` in CI without global installs.
+
+## Contract highlights
+
+- Runtime strategy: `npm exec --yes --prefix "$RUNNER_TEMP/drift-cli" --package=@eduardbar/drift@<version> -- drift ...` (no `npm install -g`)
+- Uses isolated `--prefix` under `$RUNNER_TEMP` to avoid bin resolution conflicts in self-hosting repository workflows
+- Default drift version is pinned (`1.3.0`) for deterministic runs
+- Uses `drift scan --json` and extracts typed outputs
+- Critical command/parse failures are not silenced (step fails immediately)
 
 ## Usage
 
 ```yaml
 - name: Check drift score
-  uses: eduardbar/drift@v1
+  id: drift_scan
+  uses: ./.github/actions/drift-scan
   with:
     path: ./src
     min-score: 60
+    fail-on-threshold: true
+    version: 1.3.0
 ```
 
 ## Inputs
@@ -19,7 +30,7 @@ Scan your TypeScript project for AI-generated technical debt in CI.
 | `path` | Path to scan | `.` |
 | `min-score` | Fail if score exceeds this | `80` |
 | `fail-on-threshold` | Whether to fail on threshold | `true` |
-| `version` | drift version to use | `latest` |
+| `version` | drift version for `npm exec` execution | `1.3.0` |
 
 ## Outputs
 
@@ -27,35 +38,20 @@ Scan your TypeScript project for AI-generated technical debt in CI.
 |--------|-------------|
 | `score` | Project drift score (0-100) |
 | `grade` | Grade: CLEAN / LOW / MODERATE / HIGH / CRITICAL |
+| `errors` | Error-level issue count |
+| `warnings` | Warning-level issue count |
+| `infos` | Info-level issue count |
+| `total-issues` | Total issue count |
+| `files-affected` | Files with at least one issue |
+| `top-rules` | Top 3 rules as `rule:count` CSV |
 
-## Example: PR gate
+## Example: consume outputs
 
 ```yaml
-name: Drift Check
-on: [pull_request]
-
-jobs:
-  drift:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: eduardbar/drift@v1
-        with:
-          path: ./src
-          min-score: 60
-          fail-on-threshold: true
-```
-
-## Example: capture outputs
-
-```yaml
-- name: Scan drift
-  id: drift
-  uses: eduardbar/drift@v1
-  with:
-    path: ./src
-    fail-on-threshold: false
-
-- name: Print results
-  run: echo "Score ${{ steps.drift.outputs.score }}/100 — ${{ steps.drift.outputs.grade }}"
+- name: Print drift outputs
+  run: |
+    echo "Score: ${{ steps.drift_scan.outputs.score }}"
+    echo "Grade: ${{ steps.drift_scan.outputs.grade }}"
+    echo "Errors/Warnings/Infos: ${{ steps.drift_scan.outputs.errors }}/${{ steps.drift_scan.outputs.warnings }}/${{ steps.drift_scan.outputs.infos }}"
+    echo "Top rules: ${{ steps.drift_scan.outputs.top-rules }}"
 ```

package/.github/actions/drift-scan/action.yml

@@ -22,7 +22,7 @@ inputs:
   version:
     description: 'Version of @eduardbar/drift to use'
     required: false
-    default: 'latest'
+    default: '1.3.0'
 
 outputs:
   score:
@@ -31,33 +31,97 @@ outputs:
   grade:
     description: 'The drift grade (CLEAN / LOW / MODERATE / HIGH / CRITICAL)'
     value: ${{ steps.scan.outputs.grade }}
+  errors:
+    description: 'Total error-level issues in the scan'
+    value: ${{ steps.scan.outputs.errors }}
+  warnings:
+    description: 'Total warning-level issues in the scan'
+    value: ${{ steps.scan.outputs.warnings }}
+  infos:
+    description: 'Total info-level issues in the scan'
+    value: ${{ steps.scan.outputs.infos }}
+  total-issues:
+    description: 'Total number of issues in the scan'
+    value: ${{ steps.scan.outputs.total_issues }}
+  files-affected:
+    description: 'Number of files that contain at least one issue'
+    value: ${{ steps.scan.outputs.files_affected }}
+  top-rules:
+    description: 'Top 3 rules as comma-separated pairs rule:count'
+    value: ${{ steps.scan.outputs.top_rules }}
 
 runs:
   using: 'composite'
   steps:
-    - name: Install drift
-      shell: bash
-      run: npm install -g @eduardbar/drift@${{ inputs.version }}
-
     - name: Run drift scan
       id: scan
       shell: bash
       run: |
+        set -euo pipefail
         TMPFILE=$(mktemp)
+        EXEC_PREFIX="$RUNNER_TEMP/drift-cli"
+        mkdir -p "$EXEC_PREFIX"
 
-        # Run scan — write JSON to tmp, progress to stderr (already separate)
-        drift scan ${{ inputs.path }} --ai > "$TMPFILE" 2>/dev/null || true
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift --version
+        npm exec --yes --prefix "$EXEC_PREFIX" --package=@eduardbar/drift@${{ inputs.version }} -- drift scan "${{ inputs.path }}" --json > "$TMPFILE"
 
-        # Extract score and grade from AIOutput JSON
-        SCORE=$(node -e "const d=JSON.parse(require('fs').readFileSync('$TMPFILE','utf8')); console.log(d.summary.score)")
-        GRADE=$(node -e "const d=JSON.parse(require('fs').readFileSync('$TMPFILE','utf8')); console.log(d.summary.grade)")
+        TMPFILE_PATH="$TMPFILE" GITHUB_OUTPUT_PATH="$GITHUB_OUTPUT" node --input-type=module -e "
+          import fs from 'node:fs'
 
-        rm "$TMPFILE"
+          const payload = JSON.parse(fs.readFileSync(process.env.TMPFILE_PATH, 'utf8'))
+          const score = payload.totalScore
+          if (typeof score !== 'number') {
+            throw new Error('drift scan JSON did not include numeric totalScore')
+          }
+
+          const grade = score === 0
+            ? 'CLEAN'
+            : score <= 19
+              ? 'LOW'
+              : score <= 44
+                ? 'MODERATE'
+                : score <= 69
+                  ? 'HIGH'
+                  : 'CRITICAL'
+
+          const summary = payload.summary ?? {}
+          const errors = Number(summary.errors ?? 0)
+          const warnings = Number(summary.warnings ?? 0)
+          const infos = Number(summary.infos ?? 0)
+          const totalIssues = Number(payload.totalIssues ?? 0)
+          const filesAffected = Array.isArray(payload.files) ? payload.files.length : 0
 
-        echo "score=$SCORE" >> "$GITHUB_OUTPUT"
-        echo "grade=$GRADE" >> "$GITHUB_OUTPUT"
+          const byRule = summary.byRule && typeof summary.byRule === 'object' ? summary.byRule : {}
+          const topRules = Object.entries(byRule)
+            .sort((a, b) => Number(b[1]) - Number(a[1]))
+            .slice(0, 3)
+            .map(([rule, count]) => `${rule}:${count}`)
+            .join(',')
 
-        echo "Drift Score: $SCORE/100 ($GRADE)"
+          const lines = [
+            `score=${score}`,
+            `grade=${grade}`,
+            `errors=${errors}`,
+            `warnings=${warnings}`,
+            `infos=${infos}`,
+            `total_issues=${totalIssues}`,
+            `files_affected=${filesAffected}`,
+            `top_rules=${topRules}`,
+          ]
+
+          fs.appendFileSync(process.env.GITHUB_OUTPUT_PATH, lines.join('\\n') + '\\n')
+          console.log(`Drift Score: ${score}/100 (${grade})`)
+          console.log(`Issue summary: errors=${errors} warnings=${warnings} infos=${infos} total=${totalIssues}`)
+          console.log(`Top rules: ${topRules || 'n/a'}`)
+        "
+
+        SCORE=$(TMPFILE_PATH="$TMPFILE" node --input-type=module -e "
+          import fs from 'node:fs'
+          const payload = JSON.parse(fs.readFileSync(process.env.TMPFILE_PATH, 'utf8'))
+          process.stdout.write(String(payload.totalScore))
+        ")
+
+        rm "$TMPFILE"
 
         if [ "${{ inputs.fail-on-threshold }}" = "true" ] && [ "$SCORE" -gt "${{ inputs.min-score }}" ]; then
           echo "::error::Drift score $SCORE/100 exceeds threshold of ${{ inputs.min-score }}"

package/.github/workflows/publish-vscode.yml

@@ -24,14 +24,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event_name == 'release' && github.ref || github.event.repository.default_branch }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
           cache-dependency-path: packages/vscode-drift/package-lock.json
 

package/.github/workflows/publish.yml

@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
           cache: 'npm'
 

package/.github/workflows/review-pr.yml

@@ -7,27 +7,104 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  security-events: write
 
 jobs:
   drift-review:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: Install dependencies
         run: npm ci
 
-      - name: Generate drift review markdown
-        run: npx @eduardbar/drift review --base "origin/${{ github.base_ref }}" --comment > drift-review.md
+      - name: Generate drift trust/review artifacts and gate
+        id: drift_review
+        uses: ./.github/actions/drift-review
+        with:
+          path: .
+          base-ref: origin/${{ github.base_ref }}
+          version: 1.3.0
+          min-trust: 45
+          max-risk: HIGH
+          fail-on-gate: true
+          include-review: true
+
+      - name: Generate drift SARIF
+        run: npx --no-install tsx ./src/cli.ts scan . --format sarif > drift.sarif
+
+      - name: Publish trust KPI step summary
+        run: |
+          {
+            echo "## drift trust KPI"
+            echo
+            echo "- Trust score: **${{ steps.drift_review.outputs.trust-score }}**"
+            echo "- Merge risk: **${{ steps.drift_review.outputs.merge-risk }}**"
+            echo "- New issues vs base: **${{ steps.drift_review.outputs.new-issues }}**"
+            echo "- Resolved issues vs base: **${{ steps.drift_review.outputs.resolved-issues }}**"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Aggregate trust KPI from trust JSON artifact
+        run: npx --no-install tsx ./src/cli.ts kpi "${{ steps.drift_review.outputs.trust-json }}" --no-summary > drift-trust-kpi.json
+
+      - name: Extract aggregated KPI values
+        id: trust_kpi_aggregate
+        run: |
+          node --input-type=module -e "
+            import fs from 'node:fs'
+            const payload = JSON.parse(fs.readFileSync('drift-trust-kpi.json', 'utf8'))
+            const files = payload.files ?? {}
+            const trustScore = payload.trustScore ?? {}
+            const highRiskRatio = payload.highRiskRatio
+            fs.appendFileSync(process.env.GITHUB_OUTPUT, [
+              'matched=' + (files.matched ?? 'n/a'),
+              'parsed=' + (files.parsed ?? 'n/a'),
+              'malformed=' + (files.malformed ?? 'n/a'),
+              'prs=' + (payload.prsEvaluated ?? 'n/a'),
+              'avg=' + (trustScore.average ?? 'n/a'),
+              'high_risk_ratio=' + (highRiskRatio == null ? 'n/a' : Number(highRiskRatio * 100).toFixed(2) + '%'),
+            ].join('\\n') + '\\n')
+          "
+
+      - name: Publish trust KPI aggregate summary
+        run: |
+          {
+            echo
+            echo "## drift trust KPI aggregate"
+            echo
+            echo "- Files matched/parsed/malformed: **${{ steps.trust_kpi_aggregate.outputs.matched }} / ${{ steps.trust_kpi_aggregate.outputs.parsed }} / ${{ steps.trust_kpi_aggregate.outputs.malformed }}**"
+            echo "- PR samples evaluated: **${{ steps.trust_kpi_aggregate.outputs.prs }}**"
+            echo "- Aggregate trust score avg: **${{ steps.trust_kpi_aggregate.outputs.avg }}**"
+            echo "- High-risk ratio (HIGH+CRITICAL): **${{ steps.trust_kpi_aggregate.outputs.high_risk_ratio }}**"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload drift trust JSON artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: drift-trust-json-pr-${{ github.event.pull_request.number }}-run-${{ github.run_attempt }}
+          path: |
+            ${{ steps.drift_review.outputs.trust-json }}
+            ${{ steps.drift_review.outputs.trust-markdown }}
+            ${{ steps.drift_review.outputs.review-markdown }}
+            drift-trust-kpi.json
+            drift.sarif
+          if-no-files-found: error
+          retention-days: 14
+
+      - name: Upload SARIF to GitHub Code Scanning (non-fork only)
+        if: github.event.pull_request.head.repo.fork == false
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: drift.sarif
 
       - name: Post or update PR comment (non-fork only)
         if: github.event.pull_request.head.repo.fork == false
@@ -38,7 +115,13 @@ jobs:
         run: |
           COMMENT_BODY="<!-- drift-review -->"
           COMMENT_BODY+=$'\n'
-          COMMENT_BODY+="$(cat drift-review.md)"
+          COMMENT_BODY+="## drift trust"$'\n\n'
+          COMMENT_BODY+="$(cat "${{ steps.drift_review.outputs.trust-markdown }}")"
+          COMMENT_BODY+=$'\n\n'
+          COMMENT_BODY+="## drift review"$'\n\n'
+          COMMENT_BODY+="$(cat "${{ steps.drift_review.outputs.review-markdown }}")"
+          COMMENT_BODY+=$'\n\n'
+          COMMENT_BODY+="<!-- drift-trust-kpi score=${{ steps.drift_review.outputs.trust-score }} risk=${{ steps.drift_review.outputs.merge-risk }} new=${{ steps.drift_review.outputs.new-issues }} resolved=${{ steps.drift_review.outputs.resolved-issues }} -->"
 
           EXISTING_ID=$(gh api "repos/$REPO/issues/$PR_NUMBER/comments" --jq '.[] | select(.user.login == "github-actions[bot]") | select(.body | contains("<!-- drift-review -->")) | .id' | sed -n '1p')
 
@@ -52,10 +135,12 @@ jobs:
         if: github.event.pull_request.head.repo.fork == true
         run: |
           {
+            echo "## drift trust"
+            echo
+            cat "${{ steps.drift_review.outputs.trust-markdown }}"
+            echo
             echo "## drift review"
             echo
-            cat drift-review.md
+            cat "${{ steps.drift_review.outputs.review-markdown }}"
           } >> "$GITHUB_STEP_SUMMARY"
 
-      - name: Enforce drift threshold
-        run: npx @eduardbar/drift review --base "origin/${{ github.base_ref }}" --fail-on 5 --comment > /dev/null