npm - @metasession.co/devaudit-cli - Versions diffs - 0.1.25 → 0.1.27 - Mend

@metasession.co/devaudit-cli 0.1.25 → 0.1.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/sdlc/files/ci/ci.yml.template +17 -6
package/sdlc/files/ci/compliance-evidence.yml.template +46 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.25",
+  "version": "0.1.27",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.25",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.27",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/ci/ci.yml.template CHANGED Viewed

@@ -329,17 +329,22 @@ jobs:
             npm audit --json > ci-evidence/dependency-audit.json 2>/dev/null || echo '{"vulnerabilities":{}}' > ci-evidence/dependency-audit.json
           fi
-          # Upload SAST results (security_scan category)
+          # Upload SAST results — precise evidence_type=sast_report (Phase 3a /
+          # devaudit#370). Pre-3a uploads used `audit_log` + category alone,
+          # which made the portal's SAST and Dependency Audit gates show
+          # identical content (devaudit#387). Tagging the precise type keeps
+          # the two panels distinct + matches the ISO 27001 A.8.28 clause.
           if [ -f ci-evidence/sast-results.json ]; then
             upload sast-results.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log ci-evidence/sast-results.json \
+              {{PROJECT_SLUG}} _compliance-docs sast_report ci-evidence/sast-results.json \
               --category security_scan ${FLAGS}
           fi
-          # Upload dependency audit (security_scan category)
+          # Upload dependency audit — precise evidence_type=dependency_audit
+          # (same rationale as SAST above).
           if [ -f ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log ci-evidence/dependency-audit.json \
+              {{PROJECT_SLUG}} _compliance-docs dependency_audit ci-evidence/dependency-audit.json \
               --category security_scan ${FLAGS}
           fi
@@ -367,10 +372,16 @@ jobs:
               --category test_report ${FLAGS}
           fi
-          # Upload test summary report (test_report category)
+          # Upload test summary report — precise evidence_type=test_report
+          # (was compliance_document). The portal's Compliance Gates panel
+          # filters by evidence_type, so the markdown summary belongs in the
+          # Test Reports gate alongside playwright-report.zip + coverage
+          # summary. Markdown renders inline (MarkdownRenderer); auditor
+          # reads pass/fail counts + narrative without downloading the zip.
+          # devaudit#370 follow-up.
           if [ -f "compliance/test-summary-report.md" ]; then
             upload test-summary-report.md \
-              {{PROJECT_SLUG}} _compliance-docs compliance_document compliance/test-summary-report.md \
+              {{PROJECT_SLUG}} _compliance-docs test_report compliance/test-summary-report.md \
               --category test_report ${FLAGS}
           fi

package/sdlc/files/ci/compliance-evidence.yml.template CHANGED Viewed

@@ -125,8 +125,9 @@ jobs:
           DERIVED_META=()
           [ -n "$DERIVED_CT" ] && DERIVED_META+=(--change-type "$DERIVED_CT")
-          # Upload compliance docs (planning category)
-          for DOC in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md compliance/test-summary-report.md; do
+          # Upload planning docs (RTM / Test Plan / Test Cases) as
+          # compliance_document — they surface under the Documents tab.
+          for DOC in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md; do
             if [ -f "$DOC" ]; then
               echo "Uploading: $(basename "$DOC")"
               bash scripts/upload-evidence.sh \
@@ -137,6 +138,49 @@ jobs:
             fi
           done
+          # Test summary report — precise evidence_type=test_report so it
+          # lands in the portal's Test Reports gate (rendered inline by the
+          # MarkdownRenderer). devaudit#370 follow-up; same change applied
+          # in ci.yml's gate-evidence upload step.
+          if [ -f "compliance/test-summary-report.md" ]; then
+            echo "Uploading: test-summary-report.md (test_report type)"
+            bash scripts/upload-evidence.sh \
+              {{PROJECT_SLUG}} _compliance-docs test_report compliance/test-summary-report.md \
+              --category test_report ${FLAGS} --release "${DERIVED_RELEASE}" \
+              "${DERIVED_META[@]}" \
+              || echo "Warning: Failed to upload test-summary-report.md"
+          fi
+          # Project-level governance docs (devaudit#370 Phase 3a). When the
+          # operator commits any of these markdown files, upload with the
+          # precise evidence_type so the portal's framework-coverage matrix
+          # auto-closes the matching clauses (GDPR.Art-30 for ropa, GDPR.Art-35
+          # for dpia, EUAIA.Art-13 for ai_disclosure, SOC2.CC4.1 + ISO27001.A.12.1
+          # for periodic_review, etc.). Each path is optional — skipped silently
+          # when the file is absent.
+          upload_governance() {
+            local FILE="$1" TYPE="$2"
+            if [ ! -f "$FILE" ]; then return 0; fi
+            echo "Uploading governance: $(basename "$FILE") (type=${TYPE})"
+            bash scripts/upload-evidence.sh \
+              {{PROJECT_SLUG}} _compliance-docs "$TYPE" "$FILE" \
+              --category planning ${FLAGS} --release "${DERIVED_RELEASE}" \
+              "${DERIVED_META[@]}" \
+              || echo "Warning: Failed to upload $(basename "$FILE")"
+          }
+          # Recognise governance docs at top-level OR under compliance/governance/
+          # (operator's choice — both layouts are common).
+          upload_governance compliance/ropa.md             ropa
+          upload_governance compliance/governance/ropa.md  ropa
+          upload_governance compliance/dpia.md             dpia
+          upload_governance compliance/governance/dpia.md  dpia
+          upload_governance compliance/ai-disclosure.md             ai_disclosure
+          upload_governance compliance/governance/ai-disclosure.md  ai_disclosure
+          upload_governance compliance/periodic-review.md             periodic_review
+          upload_governance compliance/governance/periodic-review.md  periodic_review
+          upload_governance compliance/incident-report.md             incident_report
+          upload_governance compliance/governance/incident-report.md  incident_report
           # Helper: emit a `--release-title …` `--change-type …` pair for a given
           # REQ, derived from its pending release-ticket H1 and the most recent
           # commit attributed to that REQ. Empty pair when neither is available.