@metasession.co/devaudit-cli 0.1.15 → 0.1.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.15",
+  "version": "0.1.17",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.15",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.17",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/skills/e2e-test-engineer/SKILL.md

@@ -85,7 +85,7 @@ The bootstrap workflow:
 
 9. **Wire up runner scripts** — at minimum `test:e2e` (headless), `test:e2e:ui` or `:headed` (interactive), `test:e2e:debug`, and `test:e2e:update-snapshots` if visual regression is in.
 
-10. **Offer a CI job** — write the YAML (or equivalent) for the project's CI system, but **do not commit it without confirmation**. Show it inline first.
+10. **Offer a CI job** — write the YAML (or equivalent) for the project's CI system, but **do not commit it without confirmation**. Show it inline first. On a **DevAudit** project, `.github/workflows/ci.yml` is generated and marked do-not-edit-manually — don't hand-edit it; instead drive the E2E gate from `sdlc-config.json`. If the suite must run against a **disposable local database** (the rule on any project with no separate test instance — never test against prod), set `e2e_setup_command` (e.g. `supabase start` + load schema + seed) and `e2e_env` (e.g. `E2E_LOCAL=1`, local coords, a dummy email key) so the gate severs production. See [Local-database E2E in CI](https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/e2e-local-db-ci.md), then `devaudit update` to regenerate.
 
 11. **Write a short README** in the test directory explaining structure, how to run, how to add new tests, and how to update visual baselines. Future contributors (and the skill itself, on next invocation) will thank you.
 

package/sdlc/files/ci/ci.yml.template

@@ -130,26 +130,16 @@ jobs:
       # ── Gate 4: E2E Tests (Playwright) ──
 
 {{DATABASE_URI_STEP}}
-
+{{E2E_SETUP_STEP}}
       - name: Kill stale dev server
         run: lsof -ti:3000 | xargs kill -9 2>/dev/null || true
 
-      - name: Start dev server
-        run: {{E2E_START_COMMAND}} &
+{{E2E_DEV_SERVER_STEP}}
 
       - name: Wait for dev server
         run: npx wait-on http://localhost:3000 --timeout 120000
 
-      - name: E2E Tests
-        env:
-          # PLAYWRIGHT_JSON_OUTPUT_NAME makes the json reporter write straight
-          # to the file. Capturing stdout (`> e2e-results.json`) instead mixed
-          # the html reporter's "To open report" line in after the JSON blob
-          # and produced an unparseable file (DevAudit #48). html report still
-          # lands in playwright-report/.
-          PLAYWRIGHT_HTML_REPORTER_OPEN: never
-          PLAYWRIGHT_JSON_OUTPUT_NAME: e2e-results.json
-        run: npx playwright test --project={{E2E_PROJECT}} --reporter=json,html
+{{E2E_TEST_STEP}}
 {{E2E_AUTHENTICATED_STEP}}
       # ── Gate 5: Build ──
 
@@ -172,6 +162,7 @@ jobs:
             e2e-auth-results.json
             playwright-report/
             coverage/coverage-summary.json
+            compliance/evidence/*/screenshots/*.png
           retention-days: 90
 
   # ──────────────────────────────────────────────
@@ -339,6 +330,44 @@ jobs:
               --category test_report ${FLAGS}
           fi
 
+          # Upload per-AC e2e evidence screenshots, scoped to each in-scope
+          # requirement so they render under "Evidence by requirement" in the
+          # portal. These are the per-assertion `evidenceShot(page, REQ, 'ACn-…')`
+          # captures (compliance/evidence/<reqId>/screenshots/*.png) — taken at the
+          # moment each acceptance criterion is demonstrated, NOT the Playwright
+          # report's trailing/failure capture. evidenceType `screenshot` →
+          # image/png renders inline. Only when a pending release ticket defines
+          # the in-scope REQ(s); skipped on ordinary dev pushes. Best-effort: a
+          # screenshot upload failure warns but never blocks the gate.
+          SHOT_REQS=()
+          if [ -d compliance/pending-releases ]; then
+            for TICKET in compliance/pending-releases/RELEASE-TICKET-REQ-*.md; do
+              [ -f "$TICKET" ] || continue
+              SHOT_REQS+=("$(basename "$TICKET" .md | sed 's/^RELEASE-TICKET-//')")
+            done
+          fi
+          shopt -s nullglob
+          SHOTS=(ci-evidence/compliance/evidence/*/screenshots/*.png compliance/evidence/*/screenshots/*.png)
+          if [ "${#SHOT_REQS[@]}" -gt 0 ] && [ "${#SHOTS[@]}" -gt 0 ]; then
+            echo "Uploading ${#SHOTS[@]} evidence screenshot(s) for: ${SHOT_REQS[*]}"
+            SHOT_TMP="$(mktemp -d)"
+            for REQ in "${SHOT_REQS[@]}"; do
+              for PNG in "${SHOTS[@]}"; do
+                # The folder is the (SRS) requirement id, the basename is the AC
+                # slug (ACn-…). Upload as <srs-req>-<slug>.png so the reviewer can
+                # see which requirement/AC each image proves and names don't collide.
+                SRS_REQ="$(basename "$(dirname "$(dirname "$PNG")")")"
+                NAMED="${SHOT_TMP}/${SRS_REQ}-$(basename "$PNG")"
+                cp "$PNG" "$NAMED" 2>/dev/null || continue
+                bash scripts/upload-evidence.sh \
+                  {{PROJECT_SLUG}} "$REQ" screenshot "$NAMED" \
+                  --category test_report ${FLAGS} --release "$REQ" \
+                  || echo "::warning::evidence screenshot upload failed: ${PNG} -> ${REQ}"
+              done
+            done
+          fi
+          shopt -u nullglob
+
           # NOTE: committed compliance docs (planning category: RTM/test-plan/
           # test-cases, release tickets, and per-requirement
           # compliance/evidence/REQ-*/ folders) are intentionally NOT uploaded

package/sdlc/files/sdlc-config.example.json

@@ -32,9 +32,14 @@
   "e2e_project": "chromium",
   "e2e_start_command": "npm run dev",
 
-  "_comment_e2e_authenticated": "Optional report-only authenticated e2e gate (continue-on-error, never blocks the merge). e2e_projects = Playwright project names that need a logged-in session (auth-setup runs automatically as their dependency); e2e_seed_command seeds admins/fixtures before the run; e2e_env maps repo secrets onto the seed + e2e steps. Author these specs with the e2e-test-engineer skill (evidenceShot per AC). Leave empty to run only the blocking smoke project above.",
+  "_comment_e2e_setup": "Optional foreground command run before the dev server starts — use it to stand up a DISPOSABLE LOCAL database so the E2E gate never touches production. The consumer owns the command (the framework stays stack-agnostic). For a Supabase project: install the CLI, `supabase start`, load the local schema + seed, e.g. \"supabase start && psql \\\"$DATABASE_URL\\\" -f supabase/schema-local.sql\". Pair with e2e_env below to point the dev server + tests at the local stack. Leave empty for projects whose dev server already targets a safe test DB.",
+  "e2e_setup_command": "",
+
+  "_comment_e2e_authenticated": "Optional report-only authenticated e2e gate (continue-on-error, never blocks the merge). e2e_projects = Playwright project names that need a logged-in session (auth-setup runs automatically as their dependency); e2e_seed_command seeds admins/fixtures before the run. Author these specs with the e2e-test-engineer skill (evidenceShot per AC). Leave empty to run only the blocking smoke project above.",
   "e2e_seed_command": "",
   "e2e_projects": [],
+
+  "_comment_e2e_env": "Env applied to the E2E setup, (blocking) dev-server, and E2E test steps. To run E2E against a local stack, override EVERY remote/prod key here so production is fully severed — e.g. { \"E2E_LOCAL\": \"1\", \"NEXT_PUBLIC_SUPABASE_URL\": \"http://127.0.0.1:54321\", \"SUPABASE_SERVICE_ROLE_KEY\": \"<local-service-key>\", \"RESEND_API_KEY\": \"re_e2e_local_dummy_key\" }. Step-level env wins over the job-level secrets. Values may reference repo secrets, e.g. \"${{ secrets.E2E_ADMIN_USERNAME }}\".",
   "e2e_env": {},
 
   "paths_ignore": [