refactor: split audit_report_render.go into domain-specific files #26304

Merged
pelikhan merged 2 commits into main from copilot/split-audit-report-by-domain on Apr 14, 2026

Copilot AI commented Apr 14, 2026

pkg/cli/audit_report_render.go was 1,139 lines — nearly 4× the documented 300-line hard limit — containing 10+ logically independent render domains in a single file.

Changes

  • Reduced audit_report_render.go from 1,139 → 287 lines; retains only the three entry points: renderJSON, renderConsole, renderAuditComparison
  • Created 6 domain-specific files, each ≤ 300 lines:

| File | Key functions |
| --- | --- |
| audit_report_render_overview.go | renderOverview, renderMetrics, renderTaskDomain, renderBehaviorFingerprint, renderAgenticAssessments, renderPerformanceMetrics, renderEngineConfig, renderPromptAnalysis, renderSessionAnalysis |
| audit_report_render_jobs.go | renderJobsTable |
| audit_report_render_tools.go | renderToolUsageTable, renderMCPToolUsageTable, renderMCPServerHealth |
| audit_report_render_firewall.go | renderFirewallAnalysis, renderRedactedDomainsAnalysis, renderPolicyAnalysis, formatUnixTimestamp |
| audit_report_render_guard.go | renderGuardPolicySummary |
| audit_report_render_findings.go | renderKeyFindings, renderRecommendations, renderCreatedItemsTable, renderSafeOutputSummary, renderTokenUsage, renderGitHubRateLimitUsage, renderErrorsAndWarnings |

  • Extracted the inline errors/warnings block from renderConsole into renderErrorsAndWarnings (moved to findings.go) to keep the original file under the limit
  • No logic changes; all symbols remain in the same package

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


Copilot AI linked an issue Apr 14, 2026 that may be closed by this pull request
6 tasks
…6221)

- Create audit_report_render_overview.go: renderOverview, renderMetrics,
  renderTaskDomain, renderBehaviorFingerprint, renderAgenticAssessments,
  renderPerformanceMetrics, renderEngineConfig, renderPromptAnalysis,
  renderSessionAnalysis
- Create audit_report_render_jobs.go: renderJobsTable
- Create audit_report_render_tools.go: renderToolUsageTable,
  renderMCPToolUsageTable, renderMCPServerHealth
- Create audit_report_render_firewall.go: renderFirewallAnalysis,
  renderRedactedDomainsAnalysis, renderPolicyAnalysis, formatUnixTimestamp
- Create audit_report_render_guard.go: renderGuardPolicySummary
- Create audit_report_render_findings.go: renderKeyFindings,
  renderRecommendations, renderCreatedItemsTable, renderSafeOutputSummary,
  renderTokenUsage, renderGitHubRateLimitUsage, renderErrorsAndWarnings
- Reduce audit_report_render.go from 1139 to 287 lines (entry points only)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2fa2290a-7c01-47b4-9834-ec7aecfcf8f8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Split audit_report_render.go by render domain" to "refactor: split audit_report_render.go into domain-specific files" on Apr 14, 2026
Copilot AI requested a review from pelikhan on April 14, 2026 22:20
pelikhan marked this pull request as ready for review on April 14, 2026 22:23
Copilot AI review requested due to automatic review settings on April 14, 2026 22:23
pelikhan merged commit a12b147 into main on Apr 14, 2026
67 checks passed
pelikhan deleted the copilot/split-audit-report-by-domain branch on April 14, 2026 22:23
github-actions Bot mentioned this pull request on Apr 14, 2026
Copilot AI left a comment

Pull request overview

This PR refactors the audit report console renderer by splitting the previously oversized pkg/cli/audit_report_render.go into several smaller, domain-focused files while keeping behavior and symbols in the same package.

Changes:

  • Reduced audit_report_render.go to the core entry points (renderJSON, renderConsole, renderAuditComparison).
  • Extracted rendering helpers into 6 new domain-specific files (overview, jobs, tools, firewall, guard, findings).
  • Moved the inline errors/warnings rendering block into renderErrorsAndWarnings in the new findings renderer.

Summary per file:

| File | Description |
| --- | --- |
| pkg/cli/audit_report_render.go | Keeps only the main rendering entry points; delegates domain-specific output to new helper files. |
| pkg/cli/audit_report_render_overview.go | Renders the overview + related “top-of-report” sections (task domain, fingerprint, assessments, performance, engine/prompt/session). |
| pkg/cli/audit_report_render_jobs.go | Renders the jobs table output. |
| pkg/cli/audit_report_render_tools.go | Renders tool usage, MCP tool usage, and MCP server health tables. |
| pkg/cli/audit_report_render_firewall.go | Renders firewall analysis, redacted domains, and policy analysis + timestamp formatting. |
| pkg/cli/audit_report_render_guard.go | Renders the guard policy enforcement summary details. |
| pkg/cli/audit_report_render_findings.go | Renders findings/recommendations plus created items, safe output summary, token usage, GitHub API usage, and errors/warnings. |

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 0

@github-actions
🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (914 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help document this decision:

📄 Draft ADR: docs/adr/26304-split-audit-report-render-by-domain.md

Note: This PR was already merged before the gate ran. The ADR commit could not be pushed to the PR branch. Please manually commit the file below to docs/adr/26304-split-audit-report-render-by-domain.md on main.

📋 Draft ADR Content — copy to docs/adr/26304-split-audit-report-render-by-domain.md
# ADR-26304: Split audit_report_render.go into Domain-Specific Files

**Date**: 2026-04-14
**Status**: Draft
**Deciders**: pelikhan, Copilot

---

## Part 1 — Narrative (Human-Friendly)

### Context

`pkg/cli/audit_report_render.go` had grown to 1,139 lines — nearly 4× the team's documented 300-line hard limit — containing 10+ logically independent render domains in a single file. These domains (overview metrics, job tables, tool usage, firewall analysis, guard policy, and key findings) share no state with one another; their co-location was purely incidental. Contributors working on, say, firewall rendering had to navigate past hundreds of unrelated lines to reach the relevant functions, making the file a navigation liability.

### Decision

We will split `pkg/cli/audit_report_render.go` into six domain-specific files within the same `cli` package, each owning one rendering domain. The root file is reduced to 287 lines and retains only the three top-level entry points (`renderJSON`, `renderConsole`, `renderAuditComparison`). All files remain in the same Go package (`package cli`), so no import paths or public APIs change. No logic is modified; this is a pure structural reorganization to enforce the 300-line file limit and improve file-level navigability.

### Alternatives Considered

#### Alternative 1: Keep Everything in a Single File

The file could remain as-is. This is the simplest option — no merge conflicts, no changes to navigation patterns. It was rejected because 1,139 lines with no shared state between sections makes file navigation genuinely painful. The team's documented 300-line hard limit exists precisely to prevent this anti-pattern, and this file was nearly 4× that limit.

#### Alternative 2: Extract into a Separate Sub-Package

The render domains could have been moved into a dedicated sub-package (e.g., `pkg/cli/auditrender/`). This would provide stronger compile-time boundaries and make the domain separation visible at the import level. It was not chosen because the render functions reference unexported types in `cli` and moving them would require exporting those types or significantly restructuring the package boundary — a change well beyond the scope of the navigability problem being solved.

#### Alternative 3: Split by Concern Type (Entry Points vs. Domain Renderers)

An alternative structure would retain all entry points and helper calls in one file and put all domain renderers in another large file. This was rejected because it would simply shift the navigability problem to the "domain renderers" file rather than eliminating it. Domain grouping keeps all logic for a single concern (e.g., firewall analysis rendering) collocated in one file.

### Consequences

#### Positive
- Each of the six new files is ≤ 300 lines, bringing the package back within the team's documented limit.
- Contributors working on one rendering domain (e.g., guard policy) can open a single focused file without scrolling past unrelated sections.
- The root `audit_report_render.go` is reduced from 1,139 to 287 lines, retaining only the three top-level orchestration entry points.
- No API surface changes — callers outside the package are unaffected because all symbols remain in `package cli`.

#### Negative
- The codebase now has more files, which adds a small overhead when searching for a function across the package for the first time.
- Cross-domain relationships (e.g., a helper in `audit_report_render_findings.go` used from the root file) are less immediately visible than when everything was in one file.

#### Neutral
- Go's intra-package visibility means all unexported identifiers remain accessible across the split files; no export changes are needed.
- IDE tooling and `go build` are unaffected by intra-package file splits.
- This split follows the same pattern established for `logs_report.go` in ADR-26278, creating consistency across the `pkg/cli` package.

---

## Part 2 — Normative Specification (RFC 2119)

> The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **MAY**, and **OPTIONAL** in this section are to be interpreted as described in [RFC 2119](www.rfceditor.org/redacted).

### File Organization

1. Implementations **MUST** keep all `audit_report_render_*.go` files in the same Go package (`package cli`).
2. Each domain-specific file **MUST** own all render functions for that domain, and **MUST NOT** contain render functions belonging to another domain.
3. Implementations **MUST NOT** introduce a new sub-package solely to house the split files; the existing `pkg/cli` package boundary **SHALL** be maintained.
4. Implementations **SHOULD** keep each `audit_report_render_*.go` file under 300 lines; if a file grows beyond this threshold, it **SHOULD** be further decomposed or the split reconsidered.

### Entry Points and Orchestration

1. The three top-level entry points `renderJSON`, `renderConsole`, and `renderAuditComparison` **MUST** remain in `audit_report_render.go`.
2. Implementations **MUST NOT** duplicate function or type definitions across split files; each symbol **SHALL** be defined in exactly one file.

### Domain-to-File Mapping

1. Overview, metrics, and session functions (`renderOverview`, `renderMetrics`, `renderTaskDomain`, `renderBehaviorFingerprint`, `renderAgenticAssessments`, `renderPerformanceMetrics`, `renderEngineConfig`, `renderPromptAnalysis`, `renderSessionAnalysis`) **MUST** reside in `audit_report_render_overview.go`.
2. The jobs table function (`renderJobsTable`) **MUST** reside in `audit_report_render_jobs.go`.
3. Tool usage functions (`renderToolUsageTable`, `renderMCPToolUsageTable`, `renderMCPServerHealth`) **MUST** reside in `audit_report_render_tools.go`.
4. Firewall and policy functions (`renderFirewallAnalysis`, `renderRedactedDomainsAnalysis`, `renderPolicyAnalysis`, `formatUnixTimestamp`) **MUST** reside in `audit_report_render_firewall.go`.
5. Guard policy functions (`renderGuardPolicySummary`) **MUST** reside in `audit_report_render_guard.go`.
6. Findings and output functions (`renderKeyFindings`, `renderRecommendations`, `renderCreatedItemsTable`, `renderSafeOutputSummary`, `renderTokenUsage`, `renderGitHubRateLimitUsage`, `renderErrorsAndWarnings`) **MUST** reside in `audit_report_render_findings.go`.

### Conformance

An implementation is considered conformant with this ADR if it satisfies all **MUST** and **MUST NOT** requirements above. The primary conformance checks are: (a) all split files are in `package cli`, (b) no new sub-package is created, (c) each domain's render functions are collocated in their designated file, and (d) the three entry points remain in `audit_report_render.go`.

---

*This is a DRAFT ADR generated by the [Design Decision Gate](https://github.com/github/gh-aw/actions/runs/24425903321) workflow. The PR author must review, complete, and finalize this document.*

Why ADRs Matter

This refactor follows the same domain-split pattern as ADR-26278 (logs_report.go). Documenting it in an ADR creates a searchable record of why the pkg/cli package enforces the 300-line file limit and how domain-based file organization is applied consistently across large report renderers.


🔒 Please commit the ADR file above to main to complete this record.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 139.3K ·
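
The draft ADR's conformance checks (a), (c) and (d) can be verified mechanically. The following is an added example, not code from this PR or the gh-aw repository: it parses Go sources with `go/parser` and reports files outside `package cli` and mapped functions that sit in the wrong file. `wantFile` holds only a subset of the ADR's mapping, and `checkConformance`, `wantFile` and the sample sources are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
)

// wantFile is a subset of the ADR's domain-to-file mapping (function -> file).
var wantFile = map[string]string{
	"renderConsole":            "audit_report_render.go",
	"renderJobsTable":          "audit_report_render_jobs.go",
	"renderGuardPolicySummary": "audit_report_render_guard.go",
}

// checkConformance parses each file (name -> source) and returns sorted violations.
func checkConformance(files map[string]string) []string {
	var out []string
	for name, src := range files {
		f, err := parser.ParseFile(token.NewFileSet(), name, src, 0)
		if err != nil {
			out = append(out, fmt.Sprintf("%s: parse error: %v", name, err))
			continue
		}
		if f.Name.Name != "cli" { // check (a): every split file stays in package cli
			out = append(out, fmt.Sprintf("%s: package %s, want cli", name, f.Name.Name))
		}
		for _, d := range f.Decls {
			fn, ok := d.(*ast.FuncDecl)
			if !ok || fn.Recv != nil {
				continue // only top-level functions appear in the mapping
			}
			if want := wantFile[fn.Name.Name]; want != "" && want != name { // checks (c), (d)
				out = append(out, fmt.Sprintf("%s: %s belongs in %s", name, fn.Name.Name, want))
			}
		}
	}
	sort.Strings(out)
	return out
}

// sampleFiles is constructed input: the guard renderer sits in the jobs file.
var sampleFiles = map[string]string{
	"audit_report_render.go":      "package cli\nfunc renderConsole() {}\n",
	"audit_report_render_jobs.go": "package cli\nfunc renderJobsTable() {}\nfunc renderGuardPolicySummary() {}\n",
}

func main() { fmt.Println(checkConformance(sampleFiles)) }
```

Run against the real tree, the same function would take the contents of each `audit_report_render*.go` file keyed by base name; check (b), no new sub-package, is a directory-level check and is not covered here.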

Development

Successfully merging this pull request may close these issues.

[plan] Split audit_report_render.go by render domain

3 participants