Track the full check lifecycle
Move one AuraOne evaluation Check Run through queued, in-progress, and completed states with explicit success, failure, neutral, action-required, or error conclusions.
AuraOne Open / CI and pull-request review
Create one lifecycle-aware AuraOne evaluation Check Run and one update-in-place pull-request evidence summary with explicit decisions, thresholds, template results, and remediation.
For repository owners who need evaluation gates to behave like native engineering checks instead of appended status noise.
Product surface
Inspect locally
npm package 0.2.0 and the matching v0.2.0 source tag were observed on July 13, 2026. This adds the self-hosted Node.js package; it does not install a hosted GitHub App. Create and permission your own app, then validate it against a non-production repository.
npm add --save-exact @auraone/github-app@0.2.0Move one AuraOne evaluation Check Run through queued, in-progress, and completed states with explicit success, failure, neutral, action-required, or error conclusions.
Update one marker-owned bot comment rather than appending duplicates, while never overwriting user-authored comments.
Show score, threshold, evaluated commit, configuration path, template evidence, details URL, and concrete next actions.
Source inspection, runtime testing, and release verification are separate checkpoints.
01
Review Checks, Contents, Pull requests, Issues, webhook events, secrets, and outbound API destinations.
GitHub App permission manifest
02
Read the repository evaluation configuration and validate thresholds and template references.
Configuration path and validation
03
Create or rerun an idempotent Check Run tied to the exact commit and webhook delivery.
Check Run output
04
Update the bot-owned PR evidence summary when enabled without changing the Check Run result on optional comment failure.
Pull-request comment record
05
Match the deployed app owner, permissions, webhook delivery, package and source versions, health evidence, and rollback target. Treat npm provenance as unverified until an attestation is recorded.
Deployment and release packet
Evidence packet preview
The current release is trusted only when the source, artifact, runtime, and support records agree.
Release evidence
Source access, package publication, binary integrity, and product captures are reported separately. Missing proof is shown as blocked, not inferred.
npm serves the self-hosted 0.2.0 package, and its five packaged files match the v0.2.0 source tag. A public hosted GitHub App deployment is not claimed because deployed-owner, permission, webhook-health, rollback, and npm provenance-attestation evidence are not recorded.
npm self-hosted Node.js package / 0.2.0
The registry package loads after a clean no-script install, and its packaged files match the v0.2.0 source tag. This does not verify npm provenance or any hosted GitHub App deployment.