@metasession.co/devaudit-cli 0.1.24 → 0.1.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.24",
+  "version": "0.1.26",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.24",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.26",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/scripts/close-out-release.sh

@@ -117,11 +117,31 @@ echo "Ticket Status -> RELEASED."
 
 # ── Flip the RTM row -> RELEASED (preserve any parenthetical note) ───────────
 if [ -f "$RTM" ] && grep -qE "^\| ${REQ_ID} " "$RTM"; then
+  # Table-aware Status column resolution (#72): the previous version locked
+  # `statuscol` on the FIRST header that contained "Status", which mangled the
+  # wrong column when the RTM has a small legend table above the main matrix
+  # (e.g. a 2-column legend with `Status | Description` columns → statuscol=2,
+  # then the awk overwrote col-1 REQ-ID for every row).
+  #
+  # Fix: re-evaluate `statuscol` on EVERY header-shaped row (a row whose cells
+  # carry the literal header text "Status" + an ID-like column header). The
+  # legend has "Status" but no ID-like column → not locked; the main RTM has
+  # both → locks correctly. Data rows don't carry the literal "Status" header
+  # text in any cell, so they don't re-trigger the lock. Separator rows
+  # (`|---|---|…`) are left intact and don't affect `statuscol`.
   awk -v req="$REQ_ID" '
     BEGIN { FS="|"; OFS="|"; statuscol=0 }
-    # Locate the "Status" column from the first header row that has one.
-    statuscol==0 {
-      for (i=1; i<=NF; i++) { c=$i; gsub(/^[[:space:]]+|[[:space:]]+$/, "", c); if (c=="Status") statuscol=i }
+    # Header detection: scan every row; require both a "Status" header cell
+    # AND an ID-like header cell in the same row before locking statuscol to
+    # this row''s column index.
+    {
+      cand=0; idseen=0
+      for (i=1; i<=NF; i++) {
+        c=$i; gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
+        if (c=="Status") cand=i
+        if (c=="ID" || c=="REQ-ID" || c=="REQ ID" || c ~ /^Requirement/) idseen=1
+      }
+      if (cand>0 && idseen) statuscol=cand
     }
     $0 ~ ("^\\| " req " ") && statuscol>0 {
       cell=$statuscol

package/sdlc/files/_common/scripts/close-out-release.test.sh

@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# close-out-release.test.sh — Tests for the RTM-flip awk in
+# close-out-release.sh, specifically that it locates the correct
+# Status column when the RTM has multiple markdown tables with
+# different shapes (#72 regression: the prior implementation locked
+# `statuscol` on the FIRST header containing "Status", mangling the
+# wrong column when a legend table appeared above the main RTM).
+#
+# Usage:
+#   ./scripts/close-out-release.test.sh
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+HELPER="$SCRIPT_DIR/close-out-release.sh"
+[ -x "$HELPER" ] || chmod +x "$HELPER"
+
+PASS=0
+FAIL=0
+
+assert_eq() {
+  local desc="$1" want="$2" got="$3"
+  if [ "$got" = "$want" ]; then
+    echo "  PASS: $desc"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL: $desc"
+    echo "        want: $want"
+    echo "        got:  $got"
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+# Build a self-contained fixture under $1 with:
+#   - compliance/RTM.md containing the legend table + the main RTM
+#   - compliance/pending-releases/RELEASE-TICKET-REQ-050.md (so the script
+#     can stage the move + flip; close-out aborts early without it)
+#   - a `.git` so the `git mv` step doesn't break
+make_fixture() {
+  local dir="$1"
+  rm -rf "$dir"
+  mkdir -p "$dir/compliance/pending-releases" "$dir/compliance/approved-releases"
+  cd "$dir"
+  git init -q --initial-branch=main
+  git config user.email "test@example.com"
+  git config user.name "test"
+
+  # Multi-table RTM: legend table first (Status | Description, 2 cols, the
+  # shape that mangled WGB on REQ-048/050), then the main RTM (REQ-ID, …,
+  # Status, …, 7 cols).
+  cat > compliance/RTM.md <<'EOF'
+# Requirements Traceability Matrix
+
+## Status Legend
+
+| Status                       | Description                                |
+| ---------------------------- | ------------------------------------------ |
+| DRAFT                        | Requirement captured, planning underway    |
+| TESTED - PENDING SIGN-OFF    | Implementation merged, awaiting close-out  |
+| RELEASED                     | Promoted to main + portal-released         |
+
+## Main RTM
+
+| REQ-ID  | Source | Risk   | Evidence                       | Status                    | Owner   | Date       |
+| ------- | ------ | ------ | ------------------------------ | ------------------------- | ------- | ---------- |
+| REQ-049 | #155   | LOW    | compliance/evidence/REQ-049/   | RELEASED                  | thomp@. | 2026-05-24 |
+| REQ-050 | #180   | HIGH   | compliance/evidence/REQ-050/   | TESTED - PENDING SIGN-OFF | thomp@. | 2026-05-28 |
+EOF
+
+  # A minimal release ticket — just enough for the script's pre-checks to pass.
+  cat > compliance/pending-releases/RELEASE-TICKET-REQ-050.md <<'EOF'
+# Release Ticket: REQ-050
+
+**Status:** TESTED - PENDING SIGN-OFF
+**DevAudit Release:** REQ-050
+EOF
+
+  git add -A
+  git commit -q -m "fixture: pre-close-out state"
+}
+
+# ── Case 1: multi-table RTM, status-column lock disambiguated by ID column ─
+{
+  dir="$(mktemp -d)/cli-close-out-fixture-1"
+  make_fixture "$dir"
+  # Skip the portal probe + the ticket-move so we isolate the RTM-flip path.
+  unset DEVAUDIT_API_KEY DEVAUDIT_BASE_URL || true
+  # Run the script; tolerate exit on the warnings — the RTM flip should still
+  # have happened before any non-fatal warning.
+  bash "$HELPER" REQ-050 >/dev/null 2>&1 || true
+  # Assert: col-1 stays REQ-050 (NOT overwritten with RELEASED); col-5 flips.
+  row=$(grep -m1 -E "^\| REQ-050 " compliance/RTM.md || true)
+  col1=$(echo "$row" | awk -F '|' '{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$2); print $2}')
+  col5=$(echo "$row" | awk -F '|' '{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$6); print $6}')
+  assert_eq "REQ-050 row: col-1 unchanged"   "REQ-050"  "$col1"
+  assert_eq "REQ-050 row: col-5 flipped"     "RELEASED" "$col5"
+  # And the unrelated REQ-049 row stays untouched (it was already RELEASED
+  # before this run; if the awk picked up the wrong table or column, col-1
+  # would say RELEASED instead of REQ-049).
+  row49=$(grep -m1 -E "^\| REQ-049 " compliance/RTM.md || true)
+  col1_49=$(echo "$row49" | awk -F '|' '{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$2); print $2}')
+  assert_eq "REQ-049 row: col-1 untouched"   "REQ-049"  "$col1_49"
+  rm -rf "$(dirname "$dir")"
+}
+
+# ── Case 2: single-table RTM (the simple shape) — behaviour unchanged ──────
+{
+  dir="$(mktemp -d)/cli-close-out-fixture-2"
+  mkdir -p "$dir/compliance/pending-releases" "$dir/compliance/approved-releases"
+  cd "$dir"
+  git init -q --initial-branch=main >/dev/null
+  git config user.email "test@example.com"
+  git config user.name "test"
+  cat > compliance/RTM.md <<'EOF'
+# Requirements Traceability Matrix
+
+| REQ-ID  | Source | Risk   | Evidence                       | Status                    | Owner   | Date       |
+| ------- | ------ | ------ | ------------------------------ | ------------------------- | ------- | ---------- |
+| REQ-050 | #180   | HIGH   | compliance/evidence/REQ-050/   | TESTED - PENDING SIGN-OFF | thomp@. | 2026-05-28 |
+EOF
+  cat > compliance/pending-releases/RELEASE-TICKET-REQ-050.md <<'EOF'
+# Release Ticket: REQ-050
+
+**Status:** TESTED - PENDING SIGN-OFF
+**DevAudit Release:** REQ-050
+EOF
+  git add -A
+  git commit -q -m "fixture: single-table"
+  unset DEVAUDIT_API_KEY DEVAUDIT_BASE_URL || true
+  bash "$HELPER" REQ-050 >/dev/null 2>&1 || true
+  row=$(grep -m1 -E "^\| REQ-050 " compliance/RTM.md || true)
+  col1=$(echo "$row" | awk -F '|' '{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$2); print $2}')
+  col5=$(echo "$row" | awk -F '|' '{gsub(/^[[:space:]]+|[[:space:]]+$/,"",$6); print $6}')
+  assert_eq "single-table: col-1 unchanged" "REQ-050"  "$col1"
+  assert_eq "single-table: col-5 flipped"   "RELEASED" "$col5"
+  rm -rf "$(dirname "$dir")"
+}
+
+echo
+echo "Result: $PASS passed, $FAIL failed"
+[ "$FAIL" = "0" ]

package/sdlc/files/ci/check-release-approval.yml.template

@@ -34,6 +34,17 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          # The default `pull_request` checkout is a synthetic merge commit
+          # with an empty body, so `derive-release-version.sh` can't see the
+          # `[REQ-XXX]` tag on the integration-side commit. Pull the head
+          # commit directly + full history so the same derivation script the
+          # uploaders use (compliance-evidence.yml, ci.yml's register-release)
+          # produces the same release identity here (#81 — release-identity
+          # coherence; was hardcoded to `v$(date +%Y.%m.%d)` which never
+          # matched the `REQ-XXX` records the uploaders wrote).
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
 
       - name: Resolve DevAudit base URL
         run: |
@@ -138,8 +149,15 @@ jobs:
         id: release
         if: env.BOOTSTRAP_MODE != 'true'
         run: |
-          DATE_PREFIX="v$(date +%Y.%m.%d)"
-          RESOLVE_URL="${BASE}/api/ci/releases/resolve?projectSlug=${PROJECT_SLUG}&versionPrefix=${DATE_PREFIX}"
+          # Derive the same release prefix the uploaders write to. The script
+          # priority is: subject `[REQ-XXX]` → body `Ref: REQ-XXX` → body
+          # `[REQ-XXX]` (merge-commit case) → bare-date fallback. Reusing it
+          # here makes the gate and the uploaders agree on release identity
+          # (#81). The 8 scenarios are covered by derive-release-version.test.sh.
+          chmod +x scripts/derive-release-version.sh 2>/dev/null || true
+          LOOKUP_PREFIX=$(bash scripts/derive-release-version.sh)
+          echo "Resolving release for prefix: ${LOOKUP_PREFIX}"
+          RESOLVE_URL="${BASE}/api/ci/releases/resolve?projectSlug=${PROJECT_SLUG}&versionPrefix=${LOOKUP_PREFIX}"
           # Retry: register-release in ci.yml may still be racing with us.
           MAX_ATTEMPTS=6
           WAIT_SECONDS=10
@@ -151,13 +169,13 @@ jobs:
               break
             fi
             if [ "$ATTEMPT" -lt "$MAX_ATTEMPTS" ]; then
-              echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}: no release for ${DATE_PREFIX} yet — waiting ${WAIT_SECONDS}s..."
+              echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}: no release for ${LOOKUP_PREFIX} yet — waiting ${WAIT_SECONDS}s..."
               sleep $WAIT_SECONDS
             fi
           done
           VERSION=$(echo "$RESP" | jq -r '.latest.version // empty')
           if [ -z "$VERSION" ]; then
-            echo "::error::No release found for ${DATE_PREFIX} after ${MAX_ATTEMPTS} attempts. Push to develop first to create the release."
+            echo "::error::No release found for ${LOOKUP_PREFIX} after ${MAX_ATTEMPTS} attempts. Push to develop first to create the release."
             exit 1
           fi
           RELEASE_ID=$(echo "$RESP" | jq -r '.latest.id')

package/sdlc/files/ci/ci.yml.template

@@ -329,17 +329,22 @@ jobs:
             npm audit --json > ci-evidence/dependency-audit.json 2>/dev/null || echo '{"vulnerabilities":{}}' > ci-evidence/dependency-audit.json
           fi
 
-          # Upload SAST results (security_scan category)
+          # Upload SAST results — precise evidence_type=sast_report (Phase 3a /
+          # devaudit#370). Pre-3a uploads used `audit_log` + category alone,
+          # which made the portal's SAST and Dependency Audit gates show
+          # identical content (devaudit#387). Tagging the precise type keeps
+          # the two panels distinct + matches the ISO 27001 A.8.28 clause.
           if [ -f ci-evidence/sast-results.json ]; then
             upload sast-results.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log ci-evidence/sast-results.json \
+              {{PROJECT_SLUG}} _compliance-docs sast_report ci-evidence/sast-results.json \
               --category security_scan ${FLAGS}
           fi
 
-          # Upload dependency audit (security_scan category)
+          # Upload dependency audit — precise evidence_type=dependency_audit
+          # (same rationale as SAST above).
           if [ -f ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log ci-evidence/dependency-audit.json \
+              {{PROJECT_SLUG}} _compliance-docs dependency_audit ci-evidence/dependency-audit.json \
               --category security_scan ${FLAGS}
           fi
 

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -137,6 +137,36 @@ jobs:
             fi
           done
 
+          # Project-level governance docs (devaudit#370 Phase 3a). When the
+          # operator commits any of these markdown files, upload with the
+          # precise evidence_type so the portal's framework-coverage matrix
+          # auto-closes the matching clauses (GDPR.Art-30 for ropa, GDPR.Art-35
+          # for dpia, EUAIA.Art-13 for ai_disclosure, SOC2.CC4.1 + ISO27001.A.12.1
+          # for periodic_review, etc.). Each path is optional — skipped silently
+          # when the file is absent.
+          upload_governance() {
+            local FILE="$1" TYPE="$2"
+            if [ ! -f "$FILE" ]; then return 0; fi
+            echo "Uploading governance: $(basename "$FILE") (type=${TYPE})"
+            bash scripts/upload-evidence.sh \
+              {{PROJECT_SLUG}} _compliance-docs "$TYPE" "$FILE" \
+              --category planning ${FLAGS} --release "${DERIVED_RELEASE}" \
+              "${DERIVED_META[@]}" \
+              || echo "Warning: Failed to upload $(basename "$FILE")"
+          }
+          # Recognise governance docs at top-level OR under compliance/governance/
+          # (operator's choice — both layouts are common).
+          upload_governance compliance/ropa.md             ropa
+          upload_governance compliance/governance/ropa.md  ropa
+          upload_governance compliance/dpia.md             dpia
+          upload_governance compliance/governance/dpia.md  dpia
+          upload_governance compliance/ai-disclosure.md             ai_disclosure
+          upload_governance compliance/governance/ai-disclosure.md  ai_disclosure
+          upload_governance compliance/periodic-review.md             periodic_review
+          upload_governance compliance/governance/periodic-review.md  periodic_review
+          upload_governance compliance/incident-report.md             incident_report
+          upload_governance compliance/governance/incident-report.md  incident_report
+
           # Helper: emit a `--release-title …` `--change-type …` pair for a given
           # REQ, derived from its pending release-ticket H1 and the most recent
           # commit attributed to that REQ. Empty pair when neither is available.