feat: new exception approvals workflow (#22)

Author: julio-rocketchat

.changeset/curly-tables-stand.md

@@ -0,0 +1,5 @@
+---
+"layne": minor
+---
+
+Adds a new feature that allows exceptions to be approved by specific teams or people

CHANGELOG.md

@@ -1,5 +1,18 @@
 # layne
 
+## 1.2.0
+
+### Minor Changes
+
+- **Exception Approvals**: Configure specific users or teams who can approve PRs that would otherwise fail the security scan. When an authorized approver approves a PR, Layne automatically re-runs the scan and passes it with a clear audit trail. Features include:
+  - Automatic re-run on `pull_request_review` webhook when authorized approver approves
+  - Team membership resolution via GitHub API
+  - Approval validation against current commit SHA (new commits invalidate approvals)
+  - Configurable exception labels (`onException`)
+  - Always-on notifications for exception usage
+  - Full audit trail in check run summary and chat notifications
+  - See [Exception Approvals](./website/docs/exception-approvals.md) documentation
+
 ## 1.1.1
 
 ### Patch Changes

config/layne.json

@@ -10,7 +10,8 @@
       "onFailure":       ["needs-security-review"],
       "removeOnSuccess": ["needs-security-review"],
       "onSuccess":       [],
-      "removeOnFailure": []
+      "removeOnFailure": [],
+      "onException":     ["security-exception-used"]
     }
   },
   "acme/frontend": {
@@ -46,6 +47,10 @@
         "webhookUrl": "$PAYMENTS_ROCKETCHAT_WEBHOOK_URL",
         "template": ":rotating_light: *Payment system alert — {{repo}} PR #{{prNumber}}*\n{{total}} finding(s): {{critical}} critical, {{high}} high, {{medium}} medium, {{low}} low"
       }
+    },
+    "exceptionApprovers": {
+      "users": ["payments-security-lead"],
+      "teams": ["acme/payments-security"]
     }
   },
   "RocketChat/security": {

src/__tests__/config.test.js

@@ -299,4 +299,39 @@ describe('loadScanConfig()', () => {
     const config = await loadScanConfig({ owner: 'acme', repo: 'payments' });
     expect(config.comment.template).toBe('repo tpl');
   });
+
+  // --- exceptionApprovers ---
+
+  it('returns empty exceptionApprovers by default', async () => {
+    vi.mocked(readFile).mockResolvedValueOnce(JSON.stringify({}));
+    const config = await loadScanConfig({ owner: 'org', repo: 'repo' });
+    expect(config.exceptionApprovers).toEqual({ users: [], teams: [] });
+  });
+
+  it('inherits $global exceptionApprovers when the repo has no exceptionApprovers block', async () => {
+    vi.mocked(readFile).mockResolvedValueOnce(JSON.stringify({
+      '$global':       { exceptionApprovers: { users: ['admin'], teams: ['org/security'] } },
+      'acme/frontend': { semgrep: { extraArgs: ['--config', 'auto'] } },
+    }));
+    const config = await loadScanConfig({ owner: 'acme', repo: 'frontend' });
+    expect(config.exceptionApprovers).toEqual({ users: ['admin'], teams: ['org/security'] });
+  });
+
+  it('repo-level exceptionApprovers replaces $global', async () => {
+    vi.mocked(readFile).mockResolvedValueOnce(JSON.stringify({
+      '$global':       { exceptionApprovers: { users: ['admin'], teams: ['org/security'] } },
+      'acme/payments': { exceptionApprovers: { users: ['payments-lead'], teams: [] } },
+    }));
+    const config = await loadScanConfig({ owner: 'acme', repo: 'payments' });
+    expect(config.exceptionApprovers).toEqual({ users: ['payments-lead'], teams: [] });
+  });
+
+  it('repo can disable exceptionApprovals by setting empty arrays', async () => {
+    vi.mocked(readFile).mockResolvedValueOnce(JSON.stringify({
+      '$global':        { exceptionApprovers: { users: ['admin'], teams: ['org/security'] } },
+      'acme/internal': { exceptionApprovers: { users: [], teams: [] } },
+    }));
+    const config = await loadScanConfig({ owner: 'acme', repo: 'internal' });
+    expect(config.exceptionApprovers).toEqual({ users: [], teams: [] });
+  });
 });