npm - @metasession.co/devaudit-cli - Versions diffs - 0.1.19 → 0.1.21 - Mend

@metasession.co/devaudit-cli 0.1.19 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.js +3 -1
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/scripts/upload-evidence.sh +18 -0
package/sdlc/files/_common/4-submit-for-review.md +2 -0
package/sdlc/files/_common/skills/sdlc-implementer/SKILL.md +20 -5
package/sdlc/files/ci/ci.yml.template +70 -11
package/sdlc/files/ci/compliance-evidence.yml.template +47 -9
package/sdlc/files/ci/python/ci.yml.template +52 -11
package/sdlc/files/sdlc-config.example.json +4 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.19",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.21",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh CHANGED Viewed

@@ -17,6 +17,15 @@
 #   --category <cat>            Evidence category: ci_pipeline, local_dev,
 #                               planning, test_report, security_scan,
 #                               release_artifact
+#   --release-title <text>      Human title for the release row (e.g. the
+#                               release-ticket H1). Forwarded as
+#                               `releaseTitle`; the portal no-clobbers
+#                               existing non-null values.
+#   --change-type <type>        Conventional-commit prefix (feat / fix /
+#                               refactor / perf / chore / docs / ci /
+#                               build / test / compliance / revert) for
+#                               the release row. Unknown values are
+#                               silently dropped server-side.
 #
 # Required environment variables:
 #   DEVAUDIT_BASE_URL  e.g. https://meta-comply-production.up.railway.app
@@ -54,6 +63,8 @@ RELEASE_VERSION=""
 CREATE_RELEASE_IF_MISSING=false
 ENVIRONMENT=""
 EVIDENCE_CATEGORY=""
+RELEASE_TITLE=""
+CHANGE_TYPE=""
 while [ "$#" -gt 0 ]; do
   case "$1" in
@@ -64,6 +75,11 @@ while [ "$#" -gt 0 ]; do
     --create-release-if-missing) CREATE_RELEASE_IF_MISSING=true; shift ;;
     --environment) ENVIRONMENT="$2"; shift 2 ;;
     --category) EVIDENCE_CATEGORY="$2"; shift 2 ;;
+    # Descriptive title + conventional-commit change type passed through to
+    # the portal's findOrCreateRelease no-clobber backfill. Both optional;
+    # unknown change-type values are dropped server-side, not 400'd.
+    --release-title) RELEASE_TITLE="$2"; shift 2 ;;
+    --change-type) CHANGE_TYPE="$2"; shift 2 ;;
     *) echo "Unknown option: $1"; exit 1 ;;
   esac
 done
@@ -163,6 +179,8 @@ for FILE in "${FILES[@]}"; do
   [ -n "$BRANCH" ] && CURL_ARGS+=(-F "releaseBranch=${BRANCH}")
   [ -n "$ENVIRONMENT" ] && CURL_ARGS+=(-F "environment=${ENVIRONMENT}")
   [ -n "$EVIDENCE_CATEGORY" ] && CURL_ARGS+=(-F "evidenceCategory=${EVIDENCE_CATEGORY}")
+  [ -n "$RELEASE_TITLE" ] && CURL_ARGS+=(-F "releaseTitle=${RELEASE_TITLE}")
+  [ -n "$CHANGE_TYPE" ] && CURL_ARGS+=(-F "changeType=${CHANGE_TYPE}")
   ATTEMPT=1
   BACKOFF=$INITIAL_BACKOFF_SECONDS

package/sdlc/files/_common/4-submit-for-review.md CHANGED Viewed

@@ -93,6 +93,8 @@ git diff origin/main..develop -- package.json | grep '^\+'
 ### Step 3: Create the PR
+> The `--base main --head develop` below is the develop-first default. The branches are project-configured in `sdlc-config.json` — `release_branch` (default `main`) and `integration_branch` (default `develop`); a trunk-only project sets both to `main` and opens the feature branch directly against `main`.
 **For tracked requirements:**
 ```bash

package/sdlc/files/_common/skills/sdlc-implementer/SKILL.md CHANGED Viewed

@@ -47,6 +47,15 @@ Unit-test and integration-test work stays with this skill until a counterpart un
 A triage step (Phase 0) routes the issue, then up to five phases for tracked work. Phase 0 plus Phases 1–4 run in one Claude Code session; Phase 5 is invoked separately by the user after UAT. The off-ramps from Phase 0 (housekeeping / trivial / doc-only) don't enter Phase 1 — they run the **Lightweight path** (below), which the skill drives to merge.
+**Branch targets are project-configured — never hardcode `main` / `develop`.** Read them once from `sdlc-config.json` and use them throughout:
+```bash
+INTEGRATION_BRANCH=$(jq -r '.integration_branch // "develop"' sdlc-config.json)  # where work lands + ci.yml uploads gate evidence
+RELEASE_BRANCH=$(jq -r '.release_branch // "main"' sdlc-config.json)             # the protected production branch
+```
+For a **develop-first** repo these are `develop` and `main`: implementation lands on `$INTEGRATION_BRANCH`, and the UAT-approved release PR is `$INTEGRATION_BRANCH → $RELEASE_BRANCH`. A **trunk-only** repo sets both to `main`, collapsing the two hops into a single `feature → main` PR. Where the two branches differ, the release PR's head is `$INTEGRATION_BRANCH`; where they're equal, it's the feature branch.
 ### Phase 0 — Workflow triage (classify → announce → confirm → route)
 Runs **first**, before any `REQ-XXX` is assigned. It decides which of the six change-types in [`change-workflows.md`](https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/change-workflows.md) applies and what will — and won't — run. This is what stops every issue defaulting to maximum ceremony.
@@ -86,11 +95,11 @@ Only the **tracked** route continues into Phase 1; the others run the Lightweigh
 Reached from Phase 0 for non-tracked change-types. The skill drives this end-to-end; the only difference from the tracked cycle is the absence of *ceremony*, not the absence of *guidance*. It pauses only where a human is genuinely required (PR review, merge).
-1. **Branch off `develop`** with a housekeeping prefix — `chore/…`, `docs/…`, `ci/…`, `build/…`, `test/…`, or `compliance/…` for a doc-only change against an existing REQ.
+1. **Branch off `$INTEGRATION_BRANCH`** with a housekeeping prefix — `chore/…`, `docs/…`, `ci/…`, `build/…`, `test/…`, or `compliance/…` for a doc-only change against an existing REQ.
 2. **Make the change**, single-purpose. If it turns out to touch runtime behaviour in `app/` / `lib/`, stop and reclassify as tracked — the commit-type rule is the backstop.
 3. **Run all gates locally** (`npm run lint`, `npx tsc --noEmit`, the test suite, `semgrep`, `npm audit` — or the stack-adapter equivalents). Trivial ≠ unverified; never `--no-verify`.
 4. **Commit** with a housekeeping type and **no** `REQ-XXX` — `docs:` / `chore:` / `ci:` / `build:` / `test:` / `revert:` are exempt from the `[REQ-XXX]` rule; a `compliance:` doc-only change references the existing REQ. `Co-Authored-By: Claude` if AI-assisted.
-5. **Push and open the PR.** CI runs the same quality gates; `compliance-validation.yml` finds no `REQ-XXX` and skips artifact validation.
+5. **Push and open the PR** into `$INTEGRATION_BRANCH` (`gh pr create --base "$INTEGRATION_BRANCH" --head <branch>`). CI runs the same quality gates; `compliance-validation.yml` finds no `REQ-XXX` and skips artifact validation.
 6. **Report honest status** — wait for CI, name any failing check, fix and re-push. Never announce "ready" while a required check is red.
 7. **Guide review → merge.** A human still reviews the PR (separation of duties). There is **no** portal release approval, no UAT four-eyes, no Production gate, and no close-out. Merge once CI is green and the reviewer approves.
 8. **Done.** A housekeeping push produces at most a bare-date release (`vYYYY.MM.DD`) with no approval gate; a doc-only push attaches its docs to the existing `REQ-XXX` release. No further action required — report completion and stop.
@@ -110,7 +119,7 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
 ### Phase 2 — Implement and test (SDLC stage 2)
-1. **Branch off `develop`.** `git checkout -b feat/REQ-XXX-<slug>`. The slug is a kebab-case fragment of the issue title (max 6 words).
+1. **Branch off `$INTEGRATION_BRANCH`.** `git checkout "$INTEGRATION_BRANCH" && git pull && git checkout -b feat/REQ-XXX-<slug>`. The slug is a kebab-case fragment of the issue title (max 6 words).
 2. **Write failing tests first** per [`Test_Architecture.md`](../../Test_Architecture.md). Depth scales with risk class:
    - LOW — unit tests on the changed function(s); no e2e required unless the change touches a user-facing flow.
    - MEDIUM — unit + integration; e2e for any UI-facing change.
@@ -127,7 +136,9 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
    - `npm audit --audit-level=high` (or stack-adapter equivalent)
 6. **On gate failure**, iterate up to N=3 attempts. Each iteration: read the failure output, propose a fix, apply, re-run. On exhausted attempts, halt with the full failure output and surface to the human — never use `--no-verify`, `eslint-disable`, `@ts-expect-error`, `xfail`, or any other bypass.
 7. **Commit** using Conventional Commits with `Ref: REQ-XXX` trailer and `Co-Authored-By: Claude` trailer. One commit per logical step; never amend a commit that's already been pushed.
-8. **Push** to the feature branch. No PR yet — that happens in Phase 4.
+8. **Land the work on `$INTEGRATION_BRANCH`.** Push the feature branch, then:
+   - **If `$INTEGRATION_BRANCH` ≠ `$RELEASE_BRANCH`** (develop-first): open a PR `feat/REQ-XXX-<slug> → $INTEGRATION_BRANCH` and merge it once CI is green. This is the **integration hop** — there is no UAT four-eyes gate here (that's the release PR in Phase 4); for MEDIUM+ risk get a peer review on this PR per the project's norms. The push to `$INTEGRATION_BRANCH` is what triggers `ci.yml` to register the release and upload gate evidence.
+   - **If `$INTEGRATION_BRANCH` = `$RELEASE_BRANCH`** (trunk-only): do **not** merge to the protected branch here — leave the work on the feature branch; it becomes the release PR's head in Phase 4.
 ### Phase 3 — Compile evidence (SDLC stage 3)
@@ -156,7 +167,11 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
 ### Phase 4 — Submit for UAT review (SDLC stage 4)
-1. **Open the PR.** `gh pr create --base main --head <branch>`. PR body per the SDLC PR template (see [`.github/pull_request_template.md`](../../../../../.github/pull_request_template.md)):
+1. **Open the release PR** — the PR that carries the UAT four-eyes approval gate (`check-release-approval.yml`), always into `$RELEASE_BRANCH`:
+   - develop-first (`$INTEGRATION_BRANCH` ≠ `$RELEASE_BRANCH`): `gh pr create --base "$RELEASE_BRANCH" --head "$INTEGRATION_BRANCH"` (e.g. `develop → main`). The implementation already landed on `$INTEGRATION_BRANCH` in Phase 2; this promotes it. (Note: if other work is also waiting on `$INTEGRATION_BRANCH`, this is a bundled release — every in-scope REQ keeps its own release record and Production approval.)
+   - trunk-only (`$INTEGRATION_BRANCH` = `$RELEASE_BRANCH`): `gh pr create --base "$RELEASE_BRANCH" --head feat/REQ-XXX-<slug>` (the feature branch from Phase 2).
+   PR body per the SDLC PR template (see [`.github/pull_request_template.md`](../../../../../.github/pull_request_template.md)):
    - Closes #N
    - REQ-XXX
    - Risk: <class>

package/sdlc/files/ci/ci.yml.template CHANGED Viewed

@@ -212,20 +212,64 @@ jobs:
             --git-sha ${{ github.sha }} --branch ${{ github.ref_name }} || true
       - name: Sync known requirements from RTM
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          if [ -f "compliance/RTM.md" ]; then
-            REQS=$(grep -oP 'REQ-\d+' compliance/RTM.md | sort -t- -k2 -n -u)
-            if [ -n "$REQS" ]; then
-              JSON_ARRAY=$(echo "$REQS" | jq -R -s -c 'split("\n") | map(select(length > 0))')
-              HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-                -X PATCH "${BASE}/api/ci/projects/{{PROJECT_SLUG}}/known-requirements" \
-                -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
-                -H "Content-Type: application/json" \
-                -d "{\"requirements\": ${JSON_ARRAY}}")
-              echo "known_requirements sync: HTTP ${HTTP_CODE}"
-              echo "Synced $(echo "$REQS" | wc -w) requirements from RTM.md"
+          if [ ! -f "compliance/RTM.md" ]; then exit 0; fi
+          # Per REQ row in RTM we look up: title (release-ticket H1, else the
+          # linked issue's title via `gh`), and risk_class (the first LOW /
+          # MEDIUM / HIGH / CRITICAL token in the row). Both are optional —
+          # the portal renders gracefully with nulls. The portal endpoint
+          # accepts either a bare string[] (legacy) or rich rows.
+          REQS_JSON='[]'
+          while IFS= read -r REQ; do
+            [ -z "$REQ" ] && continue
+            ROW=$(grep -m1 -E "^\| ${REQ} " compliance/RTM.md || true)
+            TITLE=""
+            # Title: release-ticket H1 first (pending then approved)
+            for FILE in "compliance/pending-releases/RELEASE-TICKET-${REQ}.md" \
+                        "compliance/approved-releases/RELEASE-TICKET-${REQ}.md"; do
+              if [ -f "$FILE" ]; then
+                TITLE=$(grep -m1 '^# ' "$FILE" \
+                  | sed -E 's/^# *(REQ-[0-9]+)?[[:space:]]*[—:-]?[[:space:]]*//')
+                break
+              fi
+            done
+            # Title fallback: first issue # found anywhere in the row
+            if [ -z "$TITLE" ] && [ -n "$ROW" ]; then
+              ISSUE_NUM=$(echo "$ROW" | grep -oE '#[0-9]+' | head -1 | tr -d '#')
+              if [ -n "$ISSUE_NUM" ]; then
+                TITLE=$(gh issue view "$ISSUE_NUM" --json title --jq .title 2>/dev/null || true)
+              fi
+            fi
+            # Risk: first LOW/MEDIUM/HIGH/CRITICAL token in the row
+            RISK=""
+            if [ -n "$ROW" ]; then
+              RISK=$(echo "$ROW" | grep -ioE '\b(LOW|MEDIUM|HIGH|CRITICAL)\b' | head -1 \
+                | tr 'a-z' 'A-Z')
             fi
+            REQS_JSON=$(echo "$REQS_JSON" | jq \
+              --arg id "$REQ" --arg title "$TITLE" --arg risk "$RISK" \
+              '. + [{
+                id: $id,
+                title: (if $title == "" then null else $title end),
+                riskClass: (if $risk == "" then null else $risk end)
+              }]')
+          done < <(grep -oE 'REQ-[0-9]+' compliance/RTM.md | sort -t- -k2 -n -u)
+          COUNT=$(echo "$REQS_JSON" | jq length)
+          if [ "$COUNT" = "0" ]; then
+            echo "No REQ-XXX rows in RTM.md — skipping sync"
+            exit 0
           fi
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+            -X PATCH "${BASE}/api/ci/projects/{{PROJECT_SLUG}}/known-requirements" \
+            -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
+            -H "Content-Type: application/json" \
+            -d "{\"requirements\": ${REQS_JSON}}")
+          echo "known_requirements sync: HTTP ${HTTP_CODE}"
+          echo "Synced ${COUNT} requirements from RTM.md (titles + risk_class)"
   # ──────────────────────────────────────────────
   # Upload Evidence to DevAudit (after gates pass)
@@ -357,6 +401,20 @@ jobs:
             echo "Uploading ${#SHOTS[@]} evidence screenshot(s) for: ${SHOT_REQS[*]}"
             SHOT_TMP="$(mktemp -d)"
             for REQ in "${SHOT_REQS[@]}"; do
+              # Per-REQ release metadata for the portal (no-clobbered on existing rows):
+              # release title from the pending ticket's H1; change type from the
+              # latest commit that references the REQ.
+              REQ_TITLE=""
+              if [ -f "compliance/pending-releases/RELEASE-TICKET-${REQ}.md" ]; then
+                REQ_TITLE=$(grep -m1 '^# ' "compliance/pending-releases/RELEASE-TICKET-${REQ}.md" \
+                  | sed -E 's/^# *(REQ-[0-9]+)?[[:space:]]*[—:-]?[[:space:]]*//')
+              fi
+              REQ_CT=$(git log --grep "\[${REQ}\]\|Ref: ${REQ}" --pretty=%s -1 2>/dev/null \
+                | grep -oE '^(feat|fix|refactor|perf|chore|docs|ci|build|test|compliance|revert)' \
+                | head -1 || true)
+              REQ_META=()
+              [ -n "$REQ_TITLE" ] && REQ_META+=(--release-title "$REQ_TITLE")
+              [ -n "$REQ_CT" ] && REQ_META+=(--change-type "$REQ_CT")
               for PNG in "${SHOTS[@]}"; do
                 # The folder is the (SRS) requirement id, the basename is the AC
                 # slug (ACn-…). Upload as <srs-req>-<slug>.png so the reviewer can
@@ -367,6 +425,7 @@ jobs:
                 bash scripts/upload-evidence.sh \
                   {{PROJECT_SLUG}} "$REQ" screenshot "$NAMED" \
                   --category test_report ${FLAGS} --release "$REQ" \
+                  "${REQ_META[@]}" \
                   || echo "::warning::evidence screenshot upload failed: ${PNG} -> ${REQ}"
               done
             done

package/sdlc/files/ci/compliance-evidence.yml.template CHANGED Viewed

@@ -110,16 +110,47 @@ jobs:
           FLAGS="${FLAGS} --create-release-if-missing --environment uat"
           DERIVED_RELEASE="${{ steps.version.outputs.version }}"
+          # Derive change_type for the bare-date (housekeeping) DERIVED_RELEASE:
+          # the prefix of the most recent commit's subject. No-op for tracked
+          # releases — they get per-REQ derivation in the loop below.
+          DERIVED_CT=$(git log -1 --pretty=%s 2>/dev/null \
+            | grep -oE '^(feat|fix|refactor|perf|chore|docs|ci|build|test|compliance|revert)' \
+            | head -1 || true)
+          DERIVED_META=()
+          [ -n "$DERIVED_CT" ] && DERIVED_META+=(--change-type "$DERIVED_CT")
           # Upload compliance docs (planning category)
           for DOC in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md compliance/test-summary-report.md; do
             if [ -f "$DOC" ]; then
               echo "Uploading: $(basename "$DOC")"
               bash scripts/upload-evidence.sh \
                 {{PROJECT_SLUG}} _compliance-docs compliance_document "$DOC" \
-                --category planning ${FLAGS} --release "${DERIVED_RELEASE}" || echo "Warning: Failed to upload $(basename "$DOC")"
+                --category planning ${FLAGS} --release "${DERIVED_RELEASE}" \
+                "${DERIVED_META[@]}" \
+                || echo "Warning: Failed to upload $(basename "$DOC")"
             fi
           done
+          # Helper: emit a `--release-title …` `--change-type …` pair for a given
+          # REQ, derived from its pending release-ticket H1 and the most recent
+          # commit attributed to that REQ. Empty pair when neither is available.
+          req_meta_args() {
+            local REQ="$1"; local TITLE=""; local CT=""
+            for FILE in "compliance/pending-releases/RELEASE-TICKET-${REQ}.md" \
+                        "compliance/approved-releases/RELEASE-TICKET-${REQ}.md"; do
+              if [ -f "$FILE" ]; then
+                TITLE=$(grep -m1 '^# ' "$FILE" \
+                  | sed -E 's/^# *(REQ-[0-9]+)?[[:space:]]*[—:-]?[[:space:]]*//')
+                break
+              fi
+            done
+            CT=$(git log --grep "\[${REQ}\]\|Ref: ${REQ}" --pretty=%s -1 2>/dev/null \
+              | grep -oE '^(feat|fix|refactor|perf|chore|docs|ci|build|test|compliance|revert)' \
+              | head -1 || true)
+            [ -n "$TITLE" ] && printf -- '--release-title %q ' "$TITLE"
+            [ -n "$CT" ] && printf -- '--change-type %q ' "$CT"
+          }
           # Upload release tickets (pending only)
           if [ -d "compliance/pending-releases" ]; then
             for TICKET in compliance/pending-releases/*.md; do
@@ -130,14 +161,18 @@ jobs:
               case "$TICKET_BASE" in
                 RELEASE-TICKET-REQ-*)
                   TICKET_REQ="${TICKET_BASE#RELEASE-TICKET-}"
-                  TICKET_OWNER="$TICKET_REQ"; TICKET_RELEASE="$TICKET_REQ" ;;
+                  TICKET_OWNER="$TICKET_REQ"; TICKET_RELEASE="$TICKET_REQ"
+                  TICKET_META_ARGS=$(req_meta_args "$TICKET_REQ") ;;
                 *)
-                  TICKET_OWNER="_compliance-docs"; TICKET_RELEASE="$DERIVED_RELEASE" ;;
+                  TICKET_OWNER="_compliance-docs"; TICKET_RELEASE="$DERIVED_RELEASE"
+                  TICKET_META_ARGS="" ;;
               esac
               echo "Uploading: $(basename "$TICKET") -> release ${TICKET_RELEASE}"
-              bash scripts/upload-evidence.sh \
-                {{PROJECT_SLUG}} "${TICKET_OWNER}" compliance_document "$TICKET" \
-                --category release_artifact ${FLAGS} --release "${TICKET_RELEASE}" || echo "Warning: Failed to upload $(basename "$TICKET")"
+              eval "bash scripts/upload-evidence.sh \
+                {{PROJECT_SLUG}} \"${TICKET_OWNER}\" compliance_document \"$TICKET\" \
+                --category release_artifact ${FLAGS} --release \"${TICKET_RELEASE}\" \
+                ${TICKET_META_ARGS}" \
+                || echo "Warning: Failed to upload $(basename "$TICKET")"
             done
           fi
@@ -165,12 +200,15 @@ jobs:
                 echo "Warning: pending ticket for ${REQ_ID} but no ${REQ_DIR} on disk"
                 continue
               fi
+              REQ_META_ARGS=$(req_meta_args "$REQ_ID")
               for ARTIFACT in "$REQ_DIR"*.md; do
                 [ -f "$ARTIFACT" ] || continue
                 echo "Uploading: ${REQ_ID}/$(basename "$ARTIFACT")"
-                bash scripts/upload-evidence.sh \
-                  {{PROJECT_SLUG}} "${REQ_ID}" compliance_document "$ARTIFACT" \
-                  --category planning ${FLAGS} --release "${REQ_ID}" || echo "Warning: Failed to upload $(basename "$ARTIFACT")"
+                eval "bash scripts/upload-evidence.sh \
+                  {{PROJECT_SLUG}} \"${REQ_ID}\" compliance_document \"$ARTIFACT\" \
+                  --category planning ${FLAGS} --release \"${REQ_ID}\" \
+                  ${REQ_META_ARGS}" \
+                  || echo "Warning: Failed to upload $(basename "$ARTIFACT")"
               done
             done
           fi

package/sdlc/files/ci/python/ci.yml.template CHANGED Viewed

@@ -196,20 +196,61 @@ jobs:
             --git-sha ${{ github.sha }} --branch ${{ github.ref_name }} || true
       - name: Sync known requirements from RTM
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
-          if [ -f "compliance/RTM.md" ]; then
-            REQS=$(grep -oP 'REQ-\d+' compliance/RTM.md | sort -t- -k2 -n -u)
-            if [ -n "$REQS" ]; then
-              JSON_ARRAY=$(echo "$REQS" | jq -R -s -c 'split("\n") | map(select(length > 0))')
-              HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-                -X PATCH "${BASE}/api/ci/projects/{{PROJECT_SLUG}}/known-requirements" \
-                -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
-                -H "Content-Type: application/json" \
-                -d "{\"requirements\": ${JSON_ARRAY}}")
-              echo "known_requirements sync: HTTP ${HTTP_CODE}"
-              echo "Synced $(echo "$REQS" | wc -w) requirements from RTM.md"
+          if [ ! -f "compliance/RTM.md" ]; then exit 0; fi
+          # Per REQ row in RTM we look up: title (release-ticket H1, else the
+          # linked issue's title via `gh`), and risk_class (the first LOW /
+          # MEDIUM / HIGH / CRITICAL token in the row). Both are optional —
+          # the portal renders gracefully with nulls. The portal endpoint
+          # accepts either a bare string[] (legacy) or rich rows.
+          REQS_JSON='[]'
+          while IFS= read -r REQ; do
+            [ -z "$REQ" ] && continue
+            ROW=$(grep -m1 -E "^\| ${REQ} " compliance/RTM.md || true)
+            TITLE=""
+            for FILE in "compliance/pending-releases/RELEASE-TICKET-${REQ}.md" \
+                        "compliance/approved-releases/RELEASE-TICKET-${REQ}.md"; do
+              if [ -f "$FILE" ]; then
+                TITLE=$(grep -m1 '^# ' "$FILE" \
+                  | sed -E 's/^# *(REQ-[0-9]+)?[[:space:]]*[—:-]?[[:space:]]*//')
+                break
+              fi
+            done
+            if [ -z "$TITLE" ] && [ -n "$ROW" ]; then
+              ISSUE_NUM=$(echo "$ROW" | grep -oE '#[0-9]+' | head -1 | tr -d '#')
+              if [ -n "$ISSUE_NUM" ]; then
+                TITLE=$(gh issue view "$ISSUE_NUM" --json title --jq .title 2>/dev/null || true)
+              fi
+            fi
+            RISK=""
+            if [ -n "$ROW" ]; then
+              RISK=$(echo "$ROW" | grep -ioE '\b(LOW|MEDIUM|HIGH|CRITICAL)\b' | head -1 \
+                | tr 'a-z' 'A-Z')
             fi
+            REQS_JSON=$(echo "$REQS_JSON" | jq \
+              --arg id "$REQ" --arg title "$TITLE" --arg risk "$RISK" \
+              '. + [{
+                id: $id,
+                title: (if $title == "" then null else $title end),
+                riskClass: (if $risk == "" then null else $risk end)
+              }]')
+          done < <(grep -oE 'REQ-[0-9]+' compliance/RTM.md | sort -t- -k2 -n -u)
+          COUNT=$(echo "$REQS_JSON" | jq length)
+          if [ "$COUNT" = "0" ]; then
+            echo "No REQ-XXX rows in RTM.md — skipping sync"
+            exit 0
           fi
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+            -X PATCH "${BASE}/api/ci/projects/{{PROJECT_SLUG}}/known-requirements" \
+            -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
+            -H "Content-Type: application/json" \
+            -d "{\"requirements\": ${REQS_JSON}}")
+          echo "known_requirements sync: HTTP ${HTTP_CODE}"
+          echo "Synced ${COUNT} requirements from RTM.md (titles + risk_class)"
   upload-evidence:
     name: Upload Evidence

package/sdlc/files/sdlc-config.example.json CHANGED Viewed

@@ -6,6 +6,10 @@
   "node_version": 20,
   "runner": "self-hosted",
+  "_comment_branches": "Branch model the sdlc-implementer skill follows. integration_branch = where implementation PRs land and ci.yml uploads gate evidence on push (develop-first default). release_branch = the protected production branch the integration branch is promoted to via the UAT-approved release PR. Trunk-only projects set both to \"main\".",
+  "integration_branch": "develop",
+  "release_branch": "main",
   "source_dirs": "app/ lib/ src/",
   "sast_baseline": 0,
   "accepted_dep_risks": "",