Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- **`release/1.1.x` maintenance branch + `:1.1-dev` Docker tag rule** (#331) - mirrors `artifact-keeper#890`; pushes to `release/1.1.x` now publish `ghcr.io/artifact-keeper/artifact-keeper-web:1.1-dev` so the v1.1.x release-gate can test a true v1.1.x web/backend pair.

### Changed
- **Type-safe API layer — extend #206 hardening to sso (final batch)** (#359 batch 9) - replaced all 30 `as never` casts in `src/lib/api/sso.ts` with adapter functions and `assertData` guards. 7 read adapters (SsoProvider / OidcConfig / LdapConfig / SamlConfig / LdapTestResult / TokenPair) and 6 write adapters covering the OIDC/LDAP/SAML create+update request shapes. Provider type narrowed via `narrowEnum` to the local `oidc | ldap | saml` union. The SDK declares attribute_mapping values as `unknown` while the local types declare them as string; the adapter coerces non-strings defensively. `ldapLogin` runtime-narrows the SDK's `unknown` 200 response to extract the access/refresh token pair. Closes #359 in full.
- **Type-safe API layer — extend #206 hardening to security** (#359 batch 8) - replaced all 25 `as never` casts in `src/lib/api/security.ts` with adapter functions and `assertData` guards. 9 read adapters (Dashboard / Score / Scan / ScanList / Finding / FindingList / Policy / ScanConfig / RepoSecurity / TriggerScanResponse) and 4 write adapters (TriggerRequest / CreatePolicyRequest / UpdatePolicyRequest / UpsertScanConfigRequest). The Score adapter synthesizes `total_findings` from severity counts since the SDK ScoreResponse doesn't expose it directly. SDK PolicyResponse has additional fields the local ScanPolicy doesn't model (`max_artifact_age_days`, `min_staging_hours`, `require_signature`) which the adapter intentionally drops — those are consumed by the lifecycle module, not security.
- **Type-safe API layer — extend #206 hardening to promotion** (#359 batch 7) - replaced 9 of 10 `as never` casts in `src/lib/api/promotion.ts` with adapter functions, `assertData` guards, and `narrowEnum` for `severity` (`critical`/`high`/`medium`/`low`/`info`) and `PromotionHistoryStatus` (`promoted`/`rejected`/`pending_approval`). One `as unknown as` retained inline for `policy_result` (the SDK exposes the field as an opaque key/value bag, the local type declares a typed `PolicyEvaluationResult` that consumers only access lazily — bridge documented). Also exports `adaptArtifact` / `adaptArtifactList` from `artifacts.ts` and `adaptRepository` / `adaptRepositoryList` from `repositories.ts` so promotion can reuse them rather than re-implementing.
- **Type-safe API layer — extend #206 hardening to dependency-track** (#359 batch 6) - replaced all 12 `as never` casts in `src/lib/api/dependency-track.ts` with adapter functions and `assertData` guards. The SDK declares every metric counter on `DtProjectMetrics` / `DtPortfolioMetrics` as optional; the local types declare them as required `: number`. Adapters coerce undefined → 0 so an empty backend response renders numeric zeros in the metrics card instead of "undefined". Nested adapters for `DtFinding` (component / vulnerability / analysis / attribution / cwe / license) preserve existing render behavior.
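Review bot: In the sso entry (#359 batch 9) the count and the list disagree: it says "7 read adapters" but names six (SsoProvider / OidcConfig / LdapConfig / SamlConfig / LdapTestResult / TokenPair), so either name the missing adapter or correct the count. The same entry says the adapter "coerces non-strings defensively" for attribute_mapping and that `ldapLogin` runtime-narrows the SDK's `unknown` 200 response, but it does not say what a non-string mapping value becomes (stringified or dropped) or what happens when the response does not contain the access/refresh pair. Both sit on the login path, so one clause stating the failure behaviour would make the entry reviewable. The security entry below it (#359 batch 8) has the same kind of mismatch: "9 read adapters" followed by ten names.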