fix(review): enforce surface lane gate verdicts

[JSONbored]

Motivation

• The deterministic content/registry surface lane computed an authoritative GateCheckEvaluation but the published GitHub Gate check was being recomputed from advisory + policy, which could drop the surface-lane override and display a green Gate despite a surface failure/action_required verdict.
• applySurfaceGate treated a generic evaluation with an empty blockers array as permissive, which could convert deliberate generic neutral/hold states (e.g. first-time-contributor grace) into success when a surface lane returned merge.

Description

• Allow createOrUpdateGateCheckRun to accept an optional gateEvaluation and prefer it over recomputing the gate from advisory/policy so the finalized surface-lane verdict is published intact (src/github/app.ts).
• Thread the finalized gateEvaluation from the processor into the Gate completion call so the published check run matches the already-overridden evaluation (src/queue/processors.ts).
• Adjust applySurfaceGate so generic neutral/action_required holds are preserved when the surface lane returns success, while still preserving generic hard blockers and allowing surface failure to enforce a blocking conclusion (src/review/content-lane-wire.ts).
• Add unit tests that assert (1) a supplied gateEvaluation is published instead of being recomputed and (2) a generic neutral hold is preserved over a surface merge, and that surface rejections still override neutral holds (test/unit/github-app.test.ts, test/unit/content-lane-wire.test.ts).
• Add the required type import and small test/fixture adjustments to cover the new paths.

Testing

• Ran targeted unit tests: npx vitest run test/unit/content-lane-wire.test.ts test/unit/github-app.test.ts, all tests in those files passed.
• Type-check succeeded with tsc --noEmit.
• Attempted full CI/local coverage with npm run test:coverage / npm run test:ci, but coverage finalization in this environment failed due to an unrelated tooling/runtime issue (TypeError: jsTokens is not a function) during coverage remapping; this is an environment/tooling failure and not a regression in the changes here.
• npm audit --audit-level=moderate could not complete in this environment due to the registry audit endpoint returning 403 Forbidden (external to the code changes).

---

Codex Task

[superagent-security]

Superagent didn't find any vulnerabilities or security issues in this PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.33%. Comparing base (6138b9e) to head (bed232c).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1398   +/-   ##
=======================================
  Coverage   95.33%   95.33%           
=======================================
  Files         192      192           
  Lines       20750    20751    +1     
  Branches     7500     7502    +2     
=======================================
+ Hits        19783    19784    +1     
  Misses        383      383           
  Partials      584      584           

Files with missing lines	Coverage Δ
src/github/app.ts	97.11% <100.00%> (ø)
src/queue/processors.ts	87.61% <ø> (ø)
src/review/content-lane-wire.ts	97.56% <100.00%> (+0.06%)	⬆️

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	gittensory-ui	bed232c	Commit Preview URL Branch Preview URL	Jun 25 2026, 11:03 PM