AuraOne Open / CI and pull-request review

Put evaluation evidence on the commit that must clear it.

Create one lifecycle-aware AuraOne evaluation Check Run and one update-in-place pull-request evidence summary with explicit decisions, thresholds, template results, and remediation.

For repository owners who need evaluation gates to behave like native engineering checks instead of appended status noise.

License
MIT; verify the license file and deployed application owner before installation.
Data boundary
The app reads configured repository and pull-request context, sends the requested evaluation to AuraOne, and writes Checks plus an optional bot-owned summary comment.
License
MIT; verify the license file and deployed application owner before installation.
Runtime boundary
The app reads configured repository and pull-request context, sends the requested evaluation to AuraOne, and writes Checks plus an optional bot-owned summary comment.

Product surface

The job, runtime boundary, and resulting artifact stay visible.

Inspect locally

Start from the source, then follow the reviewed README.

npm package 0.2.0 and the matching v0.2.0 source tag were observed on July 13, 2026. This adds the self-hosted Node.js package; it does not install a hosted GitHub App. Create and permission your own app, then validate it against a non-production repository.

npm add --save-exact @auraone/github-app@0.2.0

Track the full check lifecycle

Move one AuraOne evaluation Check Run through queued, in-progress, and completed states with explicit success, failure, neutral, action-required, or error conclusions.

Keep PR evidence idempotent

Update one marker-owned bot comment rather than appending duplicates, while never overwriting user-authored comments.

Expose remediation

Show score, threshold, evaluated commit, configuration path, template evidence, details URL, and concrete next actions.

AuraOne GitHub App evaluation path

Source inspection, runtime testing, and release verification are separate checkpoints.

  1. 01

    Inspect permissions

    Review Checks, Contents, Pull requests, Issues, webhook events, secrets, and outbound API destinations.

    GitHub App permission manifest

  2. 02

    Load configuration

    Read the repository evaluation configuration and validate thresholds and template references.

    Configuration path and validation

  3. 03

    Run the evaluation

    Create or rerun an idempotent Check Run tied to the exact commit and webhook delivery.

    Check Run output

  4. 04

    Publish the summary

    Update the bot-owned PR evidence summary when enabled without changing the Check Run result on optional comment failure.

    Pull-request comment record

  5. 05

    Verify deployment

    Match the deployed app owner, permissions, webhook delivery, package and source versions, health evidence, and rollback target. Treat npm provenance as unverified until an attestation is recorded.

    Deployment and release packet

Evidence packet preview

AuraOne GitHub App evidence packet

The current release is trusted only when the source, artifact, runtime, and support records agree.

Evidence attached
Identity
@auraone/github-app package, source revision, deployed app owner, and versionRepository, npm, and GitHub App settings
Permissions
Checks write, Contents read, Pull requests read, Issues write, and Check run webhookInstalled app permission record
Decision
Conclusion, score, threshold, commit, configuration, template evidence, and remediationGitHub Check Run
Publication
npm 0.2.0 registry record, matching source tag, tarball comparison, and clean package load; hosted deployment and provenance require separate proofnpm registry, v0.2.0 source tag, and release verification record

Release evidence

Availability follows the evidence record.

Source access, package publication, binary integrity, and product captures are reported separately. Missing proof is shown as blocked, not inferred.

Blocked

AuraOne GitHub App release decision

npm serves the self-hosted 0.2.0 package, and its five packaged files match the v0.2.0 source tag. A public hosted GitHub App deployment is not claimed because deployed-owner, permission, webhook-health, rollback, and npm provenance-attestation evidence are not recorded.

@auraone/github-app

npm self-hosted Node.js package / 0.2.0

The registry package loads after a clean no-script install, and its packaged files match the v0.2.0 source tag. This does not verify npm provenance or any hosted GitHub App deployment.

Verified