pumuki 6.3.26 → 6.3.28

package/integrations/gate/waivers.ts

@@ -0,0 +1,209 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { isAbsolute, resolve } from 'node:path';
+import { z } from 'zod';
+import type { AiGateStage, AiGateViolation } from './evaluateAiGate';
+
+const DEFAULT_AI_GATE_WAIVER_PATH = '.pumuki/waivers/ai-gate.json';
+
+const stageSchema = z.enum(['PRE_WRITE', 'PRE_COMMIT', 'PRE_PUSH', 'CI']);
+
+const waiverEntrySchema = z.object({
+  id: z.string().min(1),
+  code: z.string().min(1),
+  owner: z.string().min(1),
+  reason: z.string().min(1),
+  created_at: z.string().datetime({ offset: true }),
+  expires_at: z.string().datetime({ offset: true }),
+  stage: z.union([stageSchema, z.array(stageSchema).min(1)]).optional(),
+  branch: z.string().min(1).optional(),
+});
+
+const waiverFileSchema = z.object({
+  version: z.literal('1'),
+  waivers: z.array(waiverEntrySchema),
+});
+
+type AiGateWaiverEntry = z.infer<typeof waiverEntrySchema>;
+
+export type AppliedAiGateWaiver = {
+  id: string;
+  code: string;
+  owner: string;
+  reason: string;
+  expires_at: string;
+  ttl_seconds: number;
+  branch?: string;
+};
+
+export type AiGateWaiverApplyResult = {
+  path: string;
+  status: 'none' | 'applied' | 'invalid';
+  invalid_reason: string | null;
+  violations: ReadonlyArray<AiGateViolation>;
+  applied: ReadonlyArray<AppliedAiGateWaiver>;
+};
+
+const parseDate = (value: string): Date | null => {
+  const parsed = Date.parse(value);
+  if (!Number.isFinite(parsed)) {
+    return null;
+  }
+  return new Date(parsed);
+};
+
+const toTtlSeconds = (expiresAt: Date, now: Date): number =>
+  Math.max(0, Math.floor((expiresAt.getTime() - now.getTime()) / 1000));
+
+const matchesStage = (
+  waiver: AiGateWaiverEntry,
+  stage: AiGateStage
+): boolean => {
+  if (!waiver.stage) {
+    return true;
+  }
+  if (Array.isArray(waiver.stage)) {
+    return waiver.stage.includes(stage);
+  }
+  return waiver.stage === stage;
+};
+
+const matchesBranch = (
+  waiver: AiGateWaiverEntry,
+  branch: string | null
+): boolean => {
+  if (!waiver.branch) {
+    return true;
+  }
+  if (!branch) {
+    return false;
+  }
+  return waiver.branch === branch;
+};
+
+const matchesViolationCode = (
+  waiver: AiGateWaiverEntry,
+  violationCode: string
+): boolean =>
+  waiver.code === '*' || waiver.code === violationCode;
+
+export const resolveAiGateWaiverPath = (repoRoot: string): string => {
+  const candidate = process.env.PUMUKI_AI_GATE_WAIVER_PATH?.trim();
+  if (!candidate) {
+    return resolve(repoRoot, DEFAULT_AI_GATE_WAIVER_PATH);
+  }
+  if (isAbsolute(candidate)) {
+    return candidate;
+  }
+  return resolve(repoRoot, candidate);
+};
+
+const toAppliedWaiver = (
+  waiver: AiGateWaiverEntry,
+  now: Date
+): AppliedAiGateWaiver | null => {
+  const expiresAt = parseDate(waiver.expires_at);
+  if (!expiresAt) {
+    return null;
+  }
+  const ttlSeconds = toTtlSeconds(expiresAt, now);
+  if (ttlSeconds <= 0) {
+    return null;
+  }
+  return {
+    id: waiver.id,
+    code: waiver.code,
+    owner: waiver.owner,
+    reason: waiver.reason,
+    expires_at: waiver.expires_at,
+    ttl_seconds: ttlSeconds,
+    branch: waiver.branch,
+  };
+};
+
+export const applyAiGateWaivers = (params: {
+  repoRoot: string;
+  stage: AiGateStage;
+  branch: string | null;
+  violations: ReadonlyArray<AiGateViolation>;
+  now?: Date;
+}): AiGateWaiverApplyResult => {
+  const path = resolveAiGateWaiverPath(params.repoRoot);
+  if (!existsSync(path)) {
+    return {
+      path,
+      status: 'none',
+      invalid_reason: null,
+      violations: params.violations,
+      applied: [],
+    };
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(readFileSync(path, 'utf8'));
+  } catch (error) {
+    return {
+      path,
+      status: 'invalid',
+      invalid_reason: error instanceof Error ? error.message : String(error),
+      violations: params.violations,
+      applied: [],
+    };
+  }
+
+  const validation = waiverFileSchema.safeParse(parsed);
+  if (!validation.success) {
+    return {
+      path,
+      status: 'invalid',
+      invalid_reason: validation.error.issues[0]?.message ?? 'invalid_schema',
+      violations: params.violations,
+      applied: [],
+    };
+  }
+
+  const now = params.now ?? new Date();
+  const activeWaivers = validation.data.waivers
+    .filter((waiver) => matchesStage(waiver, params.stage))
+    .filter((waiver) => matchesBranch(waiver, params.branch))
+    .map((waiver) => ({
+      raw: waiver,
+      normalized: toAppliedWaiver(waiver, now),
+    }))
+    .filter((entry): entry is { raw: AiGateWaiverEntry; normalized: AppliedAiGateWaiver } =>
+      entry.normalized !== null
+    );
+
+  if (activeWaivers.length === 0) {
+    return {
+      path,
+      status: 'none',
+      invalid_reason: null,
+      violations: params.violations,
+      applied: [],
+    };
+  }
+
+  const remaining: AiGateViolation[] = [];
+  const applied = new Map<string, AppliedAiGateWaiver>();
+  for (const violation of params.violations) {
+    const match = activeWaivers.find((entry) =>
+      matchesViolationCode(entry.raw, violation.code)
+    );
+    if (!match) {
+      remaining.push(violation);
+      continue;
+    }
+    applied.set(match.normalized.id, match.normalized);
+  }
+
+  return {
+    path,
+    status: applied.size > 0 ? 'applied' : 'none',
+    invalid_reason: null,
+    violations: remaining,
+    applied: [...applied.values()].sort((left, right) =>
+      left.id.localeCompare(right.id)
+    ),
+  };
+};

package/integrations/git/findingTraceability.ts

@@ -1,9 +1,12 @@
 import type { Fact } from '../../core/facts/Fact';
 import type { Finding } from '../../core/gate/Finding';
+import { matchesScope } from '../../core/gate/scopeMatcher';
 import type { Condition } from '../../core/rules/Condition';
 import type { RuleDefinition } from '../../core/rules/RuleDefinition';
 import type { RuleSet } from '../../core/rules/RuleSet';
 
+type RuleScope = RuleDefinition['scope'];
+
 type Trace = {
   matched: boolean;
   filePath?: string;
@@ -12,29 +15,6 @@ type Trace = {
   source?: string;
 };
 
-type RuleScope = RuleDefinition['scope'];
-
-const extractPrefix = (pattern: string): string => {
-  const wildcardIndex = pattern.indexOf('*');
-  return wildcardIndex === -1 ? pattern : pattern.slice(0, wildcardIndex);
-};
-
-const matchesAnyPrefix = (path: string, patterns: ReadonlyArray<string>): boolean => {
-  return patterns.some((pattern) => path.startsWith(extractPrefix(pattern)));
-};
-
-const matchesScope = (path: string, scope?: RuleScope): boolean => {
-  const include = scope?.include;
-  const exclude = scope?.exclude;
-  if (exclude && exclude.length > 0 && matchesAnyPrefix(path, exclude)) {
-    return false;
-  }
-  if (!include || include.length === 0) {
-    return true;
-  }
-  return matchesAnyPrefix(path, include);
-};
-
 const normalizePath = (path: string): string => path.replace(/\\/g, '/');
 
 const sortedUniqueLines = (lines: ReadonlyArray<number>): readonly number[] | undefined => {

package/integrations/git/index.js

@@ -0,0 +1,5 @@
+'use strict';
+
+require('tsx/cjs');
+
+module.exports = require('./index.ts');

package/integrations/git/runCliCommand.ts

@@ -1,4 +1,10 @@
 export const runCliCommand = (runner: () => Promise<number>): void => {
+  const hasQuietFlag = process.argv.slice(2).includes('--quiet');
+  const previousQuietMode = process.env.PUMUKI_HOOK_SUMMARY_QUIET;
+  if (hasQuietFlag) {
+    process.env.PUMUKI_HOOK_SUMMARY_QUIET = '1';
+  }
+
   void runner()
     .then((code) => {
       process.exitCode = code;
@@ -7,5 +13,15 @@ export const runCliCommand = (runner: () => Promise<number>): void => {
       const message = error instanceof Error ? error.message : 'Unexpected CLI runner error.';
       process.stderr.write(`${message}\n`);
       process.exitCode = 1;
+    })
+    .finally(() => {
+      if (!hasQuietFlag) {
+        return;
+      }
+      if (typeof previousQuietMode === 'undefined') {
+        delete process.env.PUMUKI_HOOK_SUMMARY_QUIET;
+      } else {
+        process.env.PUMUKI_HOOK_SUMMARY_QUIET = previousQuietMode;
+      }
     });
 };

package/integrations/git/runPlatformGate.ts

@@ -188,6 +188,41 @@ const toSkillsUnsupportedAutoRulesBlockingFinding = (params: {
   };
 };
 
+const toSkillsComplianceBlockingFinding = (params: {
+  stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+  skillsCompliance?: {
+    missing_rule_ids: string[];
+    by_file: Array<{
+      file_path: string;
+      missing_rule_ids: string[];
+    }>;
+  };
+}): Finding | undefined => {
+  const missingRuleIds = params.skillsCompliance?.missing_rule_ids ?? [];
+  if (missingRuleIds.length === 0) {
+    return undefined;
+  }
+
+  const filesWithMissing = (params.skillsCompliance?.by_file ?? [])
+    .filter((entry) => entry.missing_rule_ids.length > 0)
+    .map((entry) => entry.file_path)
+    .sort((left, right) => left.localeCompare(right))
+    .join(', ');
+
+  return {
+    ruleId: 'governance.skills.compliance.incomplete',
+    severity: 'ERROR',
+    code: 'SKILLS_COMPLIANCE_INCOMPLETE_HIGH',
+    message:
+      `Skills compliance incomplete at ${params.stage}: ` +
+      `missing_rule_ids=[${[...missingRuleIds].sort().join(', ')}]. ` +
+      `affected_files=[${filesWithMissing}].`,
+    filePath: '.ai_evidence.json',
+    matchedBy: 'SkillsComplianceGuard',
+    source: 'skills-compliance',
+  };
+};
+
 export async function runPlatformGate(params: {
   policy: GatePolicy;
   auditMode?: 'gate' | 'engine';
@@ -307,6 +342,15 @@ export async function runPlatformGate(params: {
         unsupportedAutoRuleIds: skillsRuleSet.unsupportedAutoRuleIds ?? [],
       })
       : undefined;
+  const skillsComplianceBlockingFinding =
+    params.policy.stage === 'PRE_COMMIT' ||
+    params.policy.stage === 'PRE_PUSH' ||
+    params.policy.stage === 'CI'
+      ? toSkillsComplianceBlockingFinding({
+        stage: params.policy.stage,
+        skillsCompliance: coverage?.skillsCompliance,
+      })
+      : undefined;
   const rulesCoverage = coverage
     ? {
       stage: params.policy.stage,
@@ -334,6 +378,11 @@ export async function runPlatformGate(params: {
         coverage.activeRuleIds.length === 0
           ? 1
           : Number((coverage.evaluatedRuleIds.length / coverage.activeRuleIds.length).toFixed(6)),
+      ...(coverage.skillsCompliance
+        ? {
+          skills_compliance: coverage.skillsCompliance,
+        }
+        : {}),
     }
     : createEmptySnapshotRulesCoverage(params.policy.stage);
   const currentBranch = resolveCurrentBranch(git, repoRoot);
@@ -352,13 +401,15 @@ export async function runPlatformGate(params: {
     ? [
       sddBlockingFinding,
       ...(unsupportedSkillsMappingFinding ? [unsupportedSkillsMappingFinding] : []),
+      ...(skillsComplianceBlockingFinding ? [skillsComplianceBlockingFinding] : []),
       ...(coverageBlockingFinding ? [coverageBlockingFinding] : []),
       ...tddBddEvaluation.findings,
       ...findings,
     ]
-    : unsupportedSkillsMappingFinding || coverageBlockingFinding || tddBddEvaluation.findings.length > 0
+    : unsupportedSkillsMappingFinding || skillsComplianceBlockingFinding || coverageBlockingFinding || tddBddEvaluation.findings.length > 0
       ? [
         ...(unsupportedSkillsMappingFinding ? [unsupportedSkillsMappingFinding] : []),
+        ...(skillsComplianceBlockingFinding ? [skillsComplianceBlockingFinding] : []),
         ...(coverageBlockingFinding ? [coverageBlockingFinding] : []),
         ...tddBddEvaluation.findings,
         ...findings,
@@ -368,6 +419,7 @@ export async function runPlatformGate(params: {
   const gateOutcome =
     sddBlockingFinding ||
     unsupportedSkillsMappingFinding ||
+    skillsComplianceBlockingFinding ||
     coverageBlockingFinding ||
     hasTddBddBlockingFinding
       ? 'BLOCK'

package/integrations/git/runPlatformGateEvaluation.ts

@@ -12,6 +12,10 @@ import {
   loadSkillsRuleSetForStage,
   type SkillsRuleSetLoadResult,
 } from '../config/skillsRuleSet';
+import {
+  evaluateSkillsCompliance,
+  type SkillsComplianceSnapshot,
+} from '../config/skillsCompliance';
 import { applyHeuristicSeverityForStage } from '../gate/stagePolicies';
 import {
   detectPlatformsFromFacts,
@@ -45,6 +49,7 @@ type PlatformGateEvaluationResult = {
     matchedRuleIds: ReadonlyArray<string>;
     unmatchedRuleIds: ReadonlyArray<string>;
     unevaluatedRuleIds: ReadonlyArray<string>;
+    skillsCompliance?: SkillsComplianceSnapshot;
   };
   findings: ReadonlyArray<Finding>;
 };
@@ -218,6 +223,13 @@ export const evaluatePlatformGateFindings = (
   const unevaluatedRuleIds = activeRuleIds.filter(
     (ruleId) => !evaluatedRuleIdsSet.has(ruleId)
   );
+  const skillsCompliance = evaluateSkillsCompliance({
+    skillsRuleSet,
+    observedFilePaths,
+    activeRuleIds,
+    evaluatedRuleIds,
+    matchedRuleIds,
+  });
 
   return {
     detectedPlatforms,
@@ -243,6 +255,7 @@ export const evaluatePlatformGateFindings = (
       matchedRuleIds,
       unmatchedRuleIds,
       unevaluatedRuleIds,
+      ...(skillsCompliance ? { skillsCompliance } : {}),
     },
     findings,
   };

package/integrations/git/stageRunners.ts

@@ -1,8 +1,11 @@
 import { resolvePolicyForStage } from '../gate/stagePolicies';
+import type { ResolvedStagePolicy } from '../gate/stagePolicies';
 import { resolveCiBaseRef, resolveUpstreamRef } from './resolveGitRefs';
 import { runPlatformGate } from './runPlatformGate';
 import { GitService } from './GitService';
 import { emitAuditSummaryNotificationFromEvidence } from '../notifications/emitAuditSummaryNotification';
+import { readEvidenceResult, type EvidenceReadResult } from '../evidence/readEvidence';
+import { emitStructuredTelemetry } from '../telemetry/structuredTelemetry';
 
 const PRE_PUSH_UPSTREAM_REQUIRED_MESSAGE =
   'pumuki pre-push blocked: branch has no upstream tracking reference. Configure upstream first (for example: git push --set-upstream origin <branch>) and retry.';
@@ -13,10 +16,14 @@ type StageRunnerDependencies = {
   resolveCiBaseRef: typeof resolveCiBaseRef;
   runPlatformGate: typeof runPlatformGate;
   resolveRepoRoot: () => string;
+  readEvidenceResult: (repoRoot: string) => EvidenceReadResult;
+  env: NodeJS.ProcessEnv;
+  writeStdout: (message: string) => void;
   notifyAuditSummaryFromEvidence: (params: {
     repoRoot: string;
     stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
   }) => void;
+  emitStructuredTelemetry: typeof emitStructuredTelemetry;
 };
 
 const defaultDependencies: StageRunnerDependencies = {
@@ -25,12 +32,18 @@ const defaultDependencies: StageRunnerDependencies = {
   resolveCiBaseRef,
   runPlatformGate,
   resolveRepoRoot: () => new GitService().resolveRepoRoot(),
+  readEvidenceResult,
+  env: process.env,
+  writeStdout: (message: string) => {
+    process.stdout.write(`${message}\n`);
+  },
   notifyAuditSummaryFromEvidence: ({ repoRoot, stage }) => {
     emitAuditSummaryNotificationFromEvidence({
       repoRoot,
       stage,
     });
   },
+  emitStructuredTelemetry,
 };
 
 const getDependencies = (
@@ -42,18 +55,138 @@ const getDependencies = (
 
 const notifyAuditSummaryForStage = (
   dependencies: StageRunnerDependencies,
+  repoRoot: string,
   stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI'
 ): void => {
   dependencies.notifyAuditSummaryFromEvidence({
-    repoRoot: dependencies.resolveRepoRoot(),
+    repoRoot,
     stage,
   });
 };
 
+const isQuietHookSummaryEnabled = (env: NodeJS.ProcessEnv): boolean => {
+  const value = env.PUMUKI_HOOK_SUMMARY_QUIET?.trim().toLowerCase();
+  return value === '1' || value === 'true' || value === 'yes';
+};
+
+const resolveEvidenceAgeSeconds = (timestamp: string): string => {
+  const generatedAtMillis = Date.parse(timestamp);
+  if (!Number.isFinite(generatedAtMillis)) {
+    return 'n/a';
+  }
+  return String(Math.max(0, Math.floor((Date.now() - generatedAtMillis) / 1000)));
+};
+
+const resolveEvidenceIntegrityStatus = (evidenceResult: EvidenceReadResult): string => {
+  if (evidenceResult.kind !== 'valid') {
+    return 'n/a';
+  }
+  return evidenceResult.evidence.integrity ? 'valid' : 'missing';
+};
+
+const resolveEvidenceChainHash = (evidenceResult: EvidenceReadResult): string => {
+  if (evidenceResult.kind !== 'valid') {
+    return 'n/a';
+  }
+  return evidenceResult.evidence.integrity?.chain_hash ?? 'n/a';
+};
+
+const resolvePolicyBundle = (trace?: ResolvedStagePolicy['trace']): string =>
+  trace?.bundle ?? 'n/a';
+
+const resolvePolicyHash = (trace?: ResolvedStagePolicy['trace']): string =>
+  trace?.hash ?? 'n/a';
+
+const resolvePolicyVersion = (trace?: ResolvedStagePolicy['trace']): string =>
+  trace?.version ?? 'n/a';
+
+const resolvePolicySignature = (trace?: ResolvedStagePolicy['trace']): string =>
+  trace?.signature ?? 'n/a';
+
+const emitHookGateSummary = (params: {
+  dependencies: StageRunnerDependencies;
+  repoRoot: string;
+  stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+  policyTrace?: ResolvedStagePolicy['trace'];
+  exitCode: number;
+  printSummary?: boolean;
+}): void => {
+  const evidenceResult = params.dependencies.readEvidenceResult(params.repoRoot);
+  const decision = params.exitCode === 0 ? 'ALLOW' : 'BLOCK';
+  const status = params.exitCode === 0 ? 'ALLOWED' : 'BLOCKED';
+  const outcome =
+    evidenceResult.kind === 'valid' ? evidenceResult.evidence.snapshot.outcome : 'n/a';
+  const evidenceAgeSeconds =
+    evidenceResult.kind === 'valid'
+      ? resolveEvidenceAgeSeconds(evidenceResult.evidence.timestamp)
+      : 'n/a';
+  const policyTrace = params.policyTrace;
+  params.dependencies.emitStructuredTelemetry({
+    repoRoot: params.repoRoot,
+    env: params.dependencies.env,
+    event: {
+      schema_version: '1',
+      timestamp: new Date().toISOString(),
+      source: 'pumuki',
+      channel: 'hook_gate',
+      event: 'hook_gate.evaluated',
+      stage: params.stage,
+      repo_root: params.repoRoot,
+      status,
+      decision,
+      policy: {
+        source: policyTrace?.source ?? 'n/a',
+        bundle: resolvePolicyBundle(policyTrace),
+        hash: resolvePolicyHash(policyTrace),
+        version: resolvePolicyVersion(policyTrace),
+        signature: resolvePolicySignature(policyTrace),
+      },
+      evidence: {
+        kind: evidenceResult.kind,
+        age_seconds:
+          evidenceResult.kind === 'valid'
+            ? Number.parseInt(evidenceAgeSeconds, 10)
+            : null,
+        max_age_seconds: null,
+        source: 'local_file_ai_evidence',
+        path: `${params.repoRoot}/.ai_evidence.json`,
+        digest: null,
+        generated_at:
+          evidenceResult.kind === 'valid' ? evidenceResult.evidence.timestamp : null,
+        integrity_status: resolveEvidenceIntegrityStatus(evidenceResult),
+        chain_hash: resolveEvidenceChainHash(evidenceResult),
+      },
+      metrics: {
+        violations_total:
+          evidenceResult.kind === 'valid'
+            ? evidenceResult.evidence.severity_metrics.total_violations
+            : 0,
+        violations_error:
+          evidenceResult.kind === 'valid'
+            ? evidenceResult.evidence.severity_metrics.by_severity.ERROR
+            : 0,
+        violations_warn:
+          evidenceResult.kind === 'valid'
+            ? evidenceResult.evidence.severity_metrics.by_severity.WARN
+            : 0,
+      },
+    },
+  });
+
+  if ((params.printSummary ?? true) && isQuietHookSummaryEnabled(params.dependencies.env)) {
+    return;
+  }
+
+  params.dependencies.writeStdout(
+    `[pumuki][hook-gate] stage=${params.stage} policy_bundle=${resolvePolicyBundle(policyTrace)} policy_hash=${resolvePolicyHash(policyTrace)} policy_version=${resolvePolicyVersion(policyTrace)} policy_signature=${resolvePolicySignature(policyTrace)} decision=${decision} outcome=${outcome} evidence_kind=${evidenceResult.kind} evidence_age_seconds=${evidenceAgeSeconds} evidence_integrity=${resolveEvidenceIntegrityStatus(evidenceResult)} evidence_chain_hash=${resolveEvidenceChainHash(evidenceResult)}`
+  );
+};
+
 export async function runPreCommitStage(
   dependencies: Partial<StageRunnerDependencies> = {}
 ): Promise<number> {
   const activeDependencies = getDependencies(dependencies);
+  const repoRoot = activeDependencies.resolveRepoRoot();
   const resolved = activeDependencies.resolvePolicyForStage('PRE_COMMIT');
   const exitCode = await activeDependencies.runPlatformGate({
     policy: resolved.policy,
@@ -62,7 +195,14 @@ export async function runPreCommitStage(
       kind: 'staged',
     },
   });
-  notifyAuditSummaryForStage(activeDependencies, 'PRE_COMMIT');
+  emitHookGateSummary({
+    dependencies: activeDependencies,
+    repoRoot,
+    stage: 'PRE_COMMIT',
+    policyTrace: resolved.trace,
+    exitCode,
+  });
+  notifyAuditSummaryForStage(activeDependencies, repoRoot, 'PRE_COMMIT');
   return exitCode;
 }
 
@@ -70,10 +210,17 @@ export async function runPrePushStage(
   dependencies: Partial<StageRunnerDependencies> = {}
 ): Promise<number> {
   const activeDependencies = getDependencies(dependencies);
+  const repoRoot = activeDependencies.resolveRepoRoot();
   const upstreamRef = activeDependencies.resolveUpstreamRef();
   if (!upstreamRef) {
     process.stderr.write(`${PRE_PUSH_UPSTREAM_REQUIRED_MESSAGE}\n`);
-    notifyAuditSummaryForStage(activeDependencies, 'PRE_PUSH');
+    emitHookGateSummary({
+      dependencies: activeDependencies,
+      repoRoot,
+      stage: 'PRE_PUSH',
+      exitCode: 1,
+    });
+    notifyAuditSummaryForStage(activeDependencies, repoRoot, 'PRE_PUSH');
     return 1;
   }
 
@@ -87,7 +234,14 @@ export async function runPrePushStage(
       toRef: 'HEAD',
     },
   });
-  notifyAuditSummaryForStage(activeDependencies, 'PRE_PUSH');
+  emitHookGateSummary({
+    dependencies: activeDependencies,
+    repoRoot,
+    stage: 'PRE_PUSH',
+    policyTrace: resolved.trace,
+    exitCode,
+  });
+  notifyAuditSummaryForStage(activeDependencies, repoRoot, 'PRE_PUSH');
   return exitCode;
 }
 
@@ -95,6 +249,7 @@ export async function runCiStage(
   dependencies: Partial<StageRunnerDependencies> = {}
 ): Promise<number> {
   const activeDependencies = getDependencies(dependencies);
+  const repoRoot = activeDependencies.resolveRepoRoot();
   const resolved = activeDependencies.resolvePolicyForStage('CI');
   const exitCode = await activeDependencies.runPlatformGate({
     policy: resolved.policy,
@@ -105,6 +260,14 @@ export async function runCiStage(
       toRef: 'HEAD',
     },
   });
-  notifyAuditSummaryForStage(activeDependencies, 'CI');
+  emitHookGateSummary({
+    dependencies: activeDependencies,
+    repoRoot,
+    stage: 'CI',
+    policyTrace: resolved.trace,
+    exitCode,
+    printSummary: false,
+  });
+  notifyAuditSummaryForStage(activeDependencies, repoRoot, 'CI');
   return exitCode;
 }