Summary
assertMitigated in validate-audit.js couples a pure policy decision (determining whether unexpected advisories exist) to infrastructure I/O (reportUnexpectedAdvisories side effects), violating domain-adapter boundaries already established by the policyIo pattern in audit-exception-policy.js.
Problem
Calling reportUnexpectedAdvisories directly inside assertMitigated means:
- The domain function cannot be tested without either suppressing or capturing
console.error output.
- The reporting transport is baked into domain logic rather than injected at the call site.
- The pattern is inconsistent with
assertNoExpired, which accepts a policyIo adapter.
Acceptance criteria
- Extract the
reportUnexpectedAdvisories call out of assertMitigated.
assertMitigated should return (or expose) the partition result rather than performing I/O.validate-audit.js invokes reportUnexpectedAdvisories after assertMitigated completes, passing an injected reportingIo adapter if testability is required.- Update tests to exercise
assertMitigated independently of I/O, and to exercise the reporting step separately.
Context
Raised during review of PR #354 by @leynos.
Summary
assertMitigatedinvalidate-audit.jscouples a pure policy decision (determining whether unexpected advisories exist) to infrastructure I/O (reportUnexpectedAdvisoriesside effects), violating domain-adapter boundaries already established by thepolicyIopattern inaudit-exception-policy.js.Problem
Calling
reportUnexpectedAdvisoriesdirectly insideassertMitigatedmeans:console.erroroutput.assertNoExpired, which accepts apolicyIoadapter.Acceptance criteria
reportUnexpectedAdvisoriescall out ofassertMitigated.assertMitigatedshould return (or expose) the partition result rather than performing I/O.validate-audit.jsinvokesreportUnexpectedAdvisoriesafterassertMitigatedcompletes, passing an injectedreportingIoadapter if testability is required.assertMitigatedindependently of I/O, and to exercise the reporting step separately.Context
Raised during review of PR #354 by @leynos.