From 19e4ffdbe2e2e98f02a4bfc80c58433a75e3033d Mon Sep 17 00:00:00 2001
From: nvphungdev <283886185+nvphungdev@users.noreply.github.com>
Date: Sun, 17 May 2026 09:11:54 +0700
Subject: [PATCH] fix(cli): align fail-on defaults

Signed-off-by: nvphungdev <283886185+nvphungdev@users.noreply.github.com>
---
 README.md                |  2 +-
 cmd/optiqor/main.go      |  2 +-
 cmd/optiqor/main_test.go | 14 ++++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 463654f..b9605d0 100644
--- a/README.md
+++ b/README.md
@@ -195,7 +195,7 @@ The pipeline is deterministic. The same input always produces the same output. T
 | `--no-color` / `NO_COLOR=1` | Disable ANSI output; auto-detected when piped |
 | `--severity low\|med\|high` | Drop findings below the threshold (analyze) |
 | `--detector <id>` | Repeatable allow-list, e.g. `--detector cpu-overprovisioned --detector image-pinned-latest` |
-| `--fail-on low\|med\|high` | Exit code 1 if any finding meets/exceeds the severity (analyze, audit) |
+| `--fail-on low\|med\|high` | Exit code 1 if any finding meets/exceeds the severity (analyze, audit; unset by default) |
 | `--config <path>` | Load `.optiqor.yaml` from a custom path (default `./.optiqor.yaml` or `$OPTIQOR_CONFIG`) |
 
 ### Exit codes
diff --git a/cmd/optiqor/main.go b/cmd/optiqor/main.go
index 2503180..b491c41 100644
--- a/cmd/optiqor/main.go
+++ b/cmd/optiqor/main.go
@@ -569,7 +569,7 @@ func newAuditCmd() *cobra.Command {
 		},
 	}
 	cmd.Flags().BoolVar(&jsonOut, "json", false, "emit machine-readable JSON")
-	cmd.Flags().StringVar(&failOn, "fail-on", "high", "exit code 1 when any finding is at this severity or higher (low|med|high)")
+	cmd.Flags().StringVar(&failOn, "fail-on", "", "exit code 1 when any finding is at this severity or higher (low|med|high)")
 	cmd.Flags().StringVarP(&outputPath, "output", "o", "", "write the rendered output to a file instead of stdout")
 	return cmd
 }
diff --git a/cmd/optiqor/main_test.go b/cmd/optiqor/main_test.go
index 772db2f..34be2df 100644
--- a/cmd/optiqor/main_test.go
+++ b/cmd/optiqor/main_test.go
@@ -138,6 +138,20 @@ func TestAnalyze_JSONShape(t *testing.T) {
 	}
 }
 
+func TestAudit_DefaultFailOnIsOptIn(t *testing.T) {
+	cmd := newRootCmd()
+	var buf bytes.Buffer
+	cmd.SetOut(&buf)
+	cmd.SetErr(&buf)
+	cmd.SetArgs([]string{"--no-color", "audit", "../../testdata/fixtures/basic-chart/values.yaml"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("audit without --fail-on should not fail by default: %v\n%s", err, buf.String())
+	}
+	if !strings.Contains(buf.String(), "HIGH") {
+		t.Fatalf("audit fixture should still report high severity findings:\n%s", buf.String())
+	}
+}
+
 func TestResolveColor_NoColorFlag(t *testing.T) {
 	cmd := newRootCmd()
 	if got := resolveColor(cmd, true); got {