Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- **`release/1.1.x` maintenance branch + `:1.1-dev` Docker tag rule** (#331) - mirrors `artifact-keeper#890`; pushes to `release/1.1.x` now publish `ghcr.io/artifact-keeper/artifact-keeper-web:1.1-dev` so the v1.1.x release-gate can test a true v1.1.x web/backend pair.

### Changed
- **Type-safe API layer — extend #206 hardening to security** (#359 batch 8) - replaced all 25 `as never` casts in `src/lib/api/security.ts` with adapter functions and `assertData` guards. 9 read adapters (Dashboard / Score / Scan / ScanList / Finding / FindingList / Policy / ScanConfig / RepoSecurity / TriggerScanResponse) and 4 write adapters (TriggerRequest / CreatePolicyRequest / UpdatePolicyRequest / UpsertScanConfigRequest). The Score adapter synthesizes `total_findings` from severity counts since the SDK ScoreResponse doesn't expose it directly. SDK PolicyResponse has additional fields the local ScanPolicy doesn't model (`max_artifact_age_days`, `min_staging_hours`, `require_signature`) which the adapter intentionally drops — those are consumed by the lifecycle module, not security.
- **Type-safe API layer — extend #206 hardening to promotion** (#359 batch 7) - replaced 9 of 10 `as never` casts in `src/lib/api/promotion.ts` with adapter functions, `assertData` guards, and `narrowEnum` for `severity` (`critical`/`high`/`medium`/`low`/`info`) and `PromotionHistoryStatus` (`promoted`/`rejected`/`pending_approval`). One `as unknown as` retained inline for `policy_result` (the SDK exposes the field as an opaque key/value bag, the local type declares a typed `PolicyEvaluationResult` that consumers only access lazily — bridge documented). Also exports `adaptArtifact` / `adaptArtifactList` from `artifacts.ts` and `adaptRepository` / `adaptRepositoryList` from `repositories.ts` so promotion can reuse them rather than re-implementing.
- **Type-safe API layer — extend #206 hardening to dependency-track** (#359 batch 6) - replaced all 12 `as never` casts in `src/lib/api/dependency-track.ts` with adapter functions and `assertData` guards. The SDK declares every metric counter on `DtProjectMetrics` / `DtPortfolioMetrics` as optional; the local types declare them as required `: number`. Adapters coerce undefined → 0 so an empty backend response renders numeric zeros in the metrics card instead of "undefined". Nested adapters for `DtFinding` (component / vulnerability / analysis / attribution / cwe / license) preserve existing render behavior.
- **Type-safe API layer — extend #206 hardening to sbom** (#359 batch 5) - replaced all 21 `as never` casts in `src/lib/api/sbom.ts` with adapter functions, `assertData` guards, and exported `narrowCveStatus` / `narrowPolicyAction` helpers for callers that want a typed status. Multiple SDK shape mismatches are now explicit and documented: `LicenseCheckResult` is synthesized (SDK returns `violations: string[]` with no `action`; adapter coerces to `{license, reason}` rows and derives `action: "block"|"allow"` from `compliant`); `getByArtifact` no longer accepts a `format` query param (the SDK has no query and the backend ignored it pre-#359). No app consumer surfaces these endpoints today, so the synthesis is best-effort and documented inline. Other endpoints (generate/list/get/getComponents/convert/getCveHistory/updateCveStatus/getCveTrends/list-get-upsert-deletePolicy) round-trip pages unchanged.
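Review bot: In the security entry (#359 batch 8), the parenthetical after "9 read adapters" lists ten names (Dashboard through TriggerScanResponse), so either the count or the list is off; please reconcile it against `src/lib/api/security.ts`. The same entry says the policy adapter drops `max_artifact_age_days`, `min_staging_hours` and `require_signature` from the SDK PolicyResponse, and it also lists an UpdatePolicyRequest write adapter. The entry does not say whether an update built from the local ScanPolicy leaves those three fields untouched on the backend. A sentence confirming that would help, since `require_signature` is a control readers will not want reset by a round-trip through the security UI.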