@metasession.co/devaudit-cli 0.1.25 → 0.1.26
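--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@metasession.co/devaudit-cli",
-"version": "0.1.
+"version": "0.1.26",
 "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
 "type": "module",
 "bin": {
@@ -33,7 +33,7 @@
 },
 "dependencies": {
 "@clack/prompts": "^0.8.2",
-"@metasession.co/devaudit-plugin-sdk": "^0.1.
+"@metasession.co/devaudit-plugin-sdk": "^0.1.26",
 "commander": "^12.1.0",
 "consola": "^3.2.3",
 "env-paths": "^3.0.0",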
@@ -329,17 +329,22 @@ jobs:
|
|
|
329
329
|
npm audit --json > ci-evidence/dependency-audit.json 2>/dev/null || echo '{"vulnerabilities":{}}' > ci-evidence/dependency-audit.json
|
|
330
330
|
fi
|
|
331
331
|
|
|
332
|
-
# Upload SAST results (
|
|
332
|
+
# Upload SAST results — precise evidence_type=sast_report (Phase 3a /
|
|
333
|
+
# devaudit#370). Pre-3a uploads used `audit_log` + category alone,
|
|
334
|
+
# which made the portal's SAST and Dependency Audit gates show
|
|
335
|
+
# identical content (devaudit#387). Tagging the precise type keeps
|
|
336
|
+
# the two panels distinct + matches the ISO 27001 A.8.28 clause.
|
|
333
337
|
if [ -f ci-evidence/sast-results.json ]; then
|
|
334
338
|
upload sast-results.json \
|
|
335
|
-
{{PROJECT_SLUG}} _compliance-docs
|
|
339
|
+
{{PROJECT_SLUG}} _compliance-docs sast_report ci-evidence/sast-results.json \
|
|
336
340
|
--category security_scan ${FLAGS}
|
|
337
341
|
fi
|
|
338
342
|
|
|
339
|
-
# Upload dependency audit
|
|
343
|
+
# Upload dependency audit — precise evidence_type=dependency_audit
|
|
344
|
+
# (same rationale as SAST above).
|
|
340
345
|
if [ -f ci-evidence/dependency-audit.json ]; then
|
|
341
346
|
upload dependency-audit.json \
|
|
342
|
-
{{PROJECT_SLUG}} _compliance-docs
|
|
347
|
+
{{PROJECT_SLUG}} _compliance-docs dependency_audit ci-evidence/dependency-audit.json \
|
|
343
348
|
--category security_scan ${FLAGS}
|
|
344
349
|
fi
|
|
345
350
|
|
|
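Review bot: The new `dependency_audit` upload at line 347 presents ci-evidence/dependency-audit.json as the portal's Dependency Audit gate evidence, but the context line at 329 that produces the file replaces it with `{"vulnerabilities":{}}` whenever `npm audit` exits non-zero — and npm audit exits non-zero precisely when it finds vulnerabilities at or above its audit level, so a project with findings ends up uploading a clean-looking empty report. Decouple the stub from the exit status, e.g. `npm audit --json > ci-evidence/dependency-audit.json 2>/dev/null || true` followed by `[ -s ci-evidence/dependency-audit.json ] || echo '{"vulnerabilities":{}}' > ci-evidence/dependency-audit.json`, so the placeholder is written only when no report was produced at all. It would also help to mark the placeholder in some way, since as written it is indistinguishable from a genuinely clean audit. The `upload` helper and `FLAGS` are defined outside this hunk, and the enclosing step starts before line 329.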
@@ -137,6 +137,36 @@ jobs:
|
|
|
137
137
|
fi
|
|
138
138
|
done
|
|
139
139
|
|
|
140
|
+
# Project-level governance docs (devaudit#370 Phase 3a). When the
|
|
141
|
+
# operator commits any of these markdown files, upload with the
|
|
142
|
+
# precise evidence_type so the portal's framework-coverage matrix
|
|
143
|
+
# auto-closes the matching clauses (GDPR.Art-30 for ropa, GDPR.Art-35
|
|
144
|
+
# for dpia, EUAIA.Art-13 for ai_disclosure, SOC2.CC4.1 + ISO27001.A.12.1
|
|
145
|
+
# for periodic_review, etc.). Each path is optional — skipped silently
|
|
146
|
+
# when the file is absent.
|
|
147
|
+
upload_governance() {
|
|
148
|
+
local FILE="$1" TYPE="$2"
|
|
149
|
+
if [ ! -f "$FILE" ]; then return 0; fi
|
|
150
|
+
echo "Uploading governance: $(basename "$FILE") (type=${TYPE})"
|
|
151
|
+
bash scripts/upload-evidence.sh \
|
|
152
|
+
{{PROJECT_SLUG}} _compliance-docs "$TYPE" "$FILE" \
|
|
153
|
+
--category planning ${FLAGS} --release "${DERIVED_RELEASE}" \
|
|
154
|
+
"${DERIVED_META[@]}" \
|
|
155
|
+
|| echo "Warning: Failed to upload $(basename "$FILE")"
|
|
156
|
+
}
|
|
157
|
+
# Recognise governance docs at top-level OR under compliance/governance/
|
|
158
|
+
# (operator's choice — both layouts are common).
|
|
159
|
+
upload_governance compliance/ropa.md ropa
|
|
160
|
+
upload_governance compliance/governance/ropa.md ropa
|
|
161
|
+
upload_governance compliance/dpia.md dpia
|
|
162
|
+
upload_governance compliance/governance/dpia.md dpia
|
|
163
|
+
upload_governance compliance/ai-disclosure.md ai_disclosure
|
|
164
|
+
upload_governance compliance/governance/ai-disclosure.md ai_disclosure
|
|
165
|
+
upload_governance compliance/periodic-review.md periodic_review
|
|
166
|
+
upload_governance compliance/governance/periodic-review.md periodic_review
|
|
167
|
+
upload_governance compliance/incident-report.md incident_report
|
|
168
|
+
upload_governance compliance/governance/incident-report.md incident_report
|
|
169
|
+
|
|
140
170
|
# Helper: emit a `--release-title …` `--change-type …` pair for a given
|
|
141
171
|
# REQ, derived from its pending release-ticket H1 and the most recent
|
|
142
172
|
# commit attributed to that REQ. Empty pair when neither is available.
|
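Review bot: In `upload_governance` the `|| echo "Warning: Failed to upload …"` on line 155 discards the upload's exit status and prints the warning to stdout, so the step stays green and the log reads normally even when every governance doc fails to reach the portal (a bad `FLAGS` or `DERIVED_RELEASE` would leave the framework-coverage matrix silently stale). Send the warning to stderr and record the failure, e.g. `|| { echo "Warning: Failed to upload $(basename "$FILE")" >&2; GOVERNANCE_UPLOAD_FAILED=1; }`, then after the last `upload_governance` call either fail the step or emit a summary such as `[ -z "${GOVERNANCE_UPLOAD_FAILED:-}" ] || echo "Warning: one or more governance docs were not uploaded" >&2`. Separately, when both `compliance/ropa.md` and `compliance/governance/ropa.md` exist, each pair of calls uploads two documents under the same evidence type, which the "operator's choice" comment on line 157 does not appear to intend — uploading only the first path that exists would avoid duplicate evidence. If this step runs under `set -u`, `"${DERIVED_META[@]}"` errors on an empty array in bash older than 4.4; `${DERIVED_META[@]+"${DERIVED_META[@]}"}` is the portable form. The enclosing run step starts before line 137.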