@metasession.co/devaudit-cli 0.1.28 → 0.1.29

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.28",
+  "version": "0.1.29",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.28",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.29",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh

@@ -26,6 +26,12 @@
 #                               build / test / compliance / revert) for
 #                               the release row. Unknown values are
 #                               silently dropped server-side.
+#   --gate-status <status>      `passed` / `failed` / `skipped`. Lets the
+#                               portal distinguish a gate that ran-and-
+#                               failed from one that never ran. Forwarded
+#                               as `gateStatus`; unknown values are
+#                               silently dropped server-side.
+#                               DevAudit-Installer#96.
 #
 # Required environment variables:
 #   DEVAUDIT_BASE_URL  e.g. https://meta-comply-production.up.railway.app
@@ -65,6 +71,7 @@ ENVIRONMENT=""
 EVIDENCE_CATEGORY=""
 RELEASE_TITLE=""
 CHANGE_TYPE=""
+GATE_STATUS=""
 
 while [ "$#" -gt 0 ]; do
   case "$1" in
@@ -80,6 +87,10 @@ while [ "$#" -gt 0 ]; do
     # unknown change-type values are dropped server-side, not 400'd.
     --release-title) RELEASE_TITLE="$2"; shift 2 ;;
     --change-type) CHANGE_TYPE="$2"; shift 2 ;;
+    # passed/failed/skipped — surfaces failed gates on the portal so
+    # ran-and-failed != never-ran. Unknown values dropped server-side.
+    # DevAudit-Installer#96.
+    --gate-status) GATE_STATUS="$2"; shift 2 ;;
     *) echo "Unknown option: $1"; exit 1 ;;
   esac
 done
@@ -181,6 +192,7 @@ for FILE in "${FILES[@]}"; do
   [ -n "$EVIDENCE_CATEGORY" ] && CURL_ARGS+=(-F "evidenceCategory=${EVIDENCE_CATEGORY}")
   [ -n "$RELEASE_TITLE" ] && CURL_ARGS+=(-F "releaseTitle=${RELEASE_TITLE}")
   [ -n "$CHANGE_TYPE" ] && CURL_ARGS+=(-F "changeType=${CHANGE_TYPE}")
+  [ -n "$GATE_STATUS" ] && CURL_ARGS+=(-F "gateStatus=${GATE_STATUS}")
 
   ATTEMPT=1
   BACKOFF=$INITIAL_BACKOFF_SECONDS

package/sdlc/files/_common/scripts/derive-release-version.sh

@@ -13,6 +13,9 @@
 #   4. Pending release ticket on disk: exactly one
 #                                      compliance/pending-releases/RELEASE-TICKET-REQ-XXX.md
 #                                                                    -> REQ-XXX
+#   4-bis. RTM.md IN PROGRESS row:    exactly one tracked REQ marked
+#                                      IN PROGRESS in compliance/RTM.md
+#                                                                    -> REQ-XXX
 #   5. Fallback:                      bare date                      -> v2026.05.17
 #
 # Step 4 (DevAudit-Installer#92) handles `chore:` / `docs:` / `ci:`
@@ -23,6 +26,12 @@
 # bare date — when exactly one ticket is open, attribute to it.
 # Multiple open tickets stays ambiguous → bare-date fallback.
 #
+# Step 4-bis (DevAudit-Installer#95) is the zero-ceremony equivalent:
+# RTM.md is the file the operator already maintains as the source of
+# truth for release state. When step 4 finds no ticket and exactly one
+# RTM row is IN PROGRESS, attribute to it. RTM_PATH defaults to
+# compliance/RTM.md and is overridable via env.
+#
 # The id is taken from a bracketed [REQ-XXX] tag (subject or body) or the
 # `Ref:` line — NOT from unbracketed prose (e.g. "target close: REQ-002" must
 # not win over "Ref: REQ-001"). Step 3 exists because a "Merge pull request"
@@ -83,5 +92,32 @@ if [ -d compliance/pending-releases ]; then
   fi
 fi
 
+# 4-bis. RTM.md IN PROGRESS row: when exactly one REQ row in
+# compliance/RTM.md (or $RTM_PATH) is marked IN PROGRESS, attribute the
+# in-flight release to it. Reads the file the operator already
+# maintains so chore/docs/ci sync commits don't need a manually-dropped
+# pending-tickets file. Same exactly-one guard as step 4 — zero or
+# multiple IN PROGRESS rows → ambiguous, fall through.
+# DevAudit-Installer#95.
+RTM_PATH="${RTM_PATH:-compliance/RTM.md}"
+if [ -f "$RTM_PATH" ]; then
+  # Match REQ rows whose status column starts with `IN PROGRESS`.
+  # `\|[[:space:]]+IN PROGRESS` requires a pipe followed by whitespace,
+  # so legend rows (`| \`IN PROGRESS\``) and prose mentions don't match.
+  # Variable padding between REQ-ID and Status (Issue/Risk/Evidence
+  # columns) is fine — only the leading REQ-XXX and the status-cell
+  # marker matter.
+  IN_PROGRESS_REQS=$(grep -E '\|[[:space:]]+IN PROGRESS' "$RTM_PATH" 2>/dev/null \
+    | grep -oE '^\|[[:space:]]*REQ-[0-9]+' \
+    | grep -oE 'REQ-[0-9]+' | sort -u || true)
+  if [ -n "$IN_PROGRESS_REQS" ]; then
+    IN_PROGRESS_COUNT=$(echo "$IN_PROGRESS_REQS" | grep -c .)
+    if [ "$IN_PROGRESS_COUNT" = "1" ]; then
+      echo "$IN_PROGRESS_REQS"
+      exit 0
+    fi
+  fi
+fi
+
 # 5. Fallback: bare date in UTC
 echo "v$(date -u +%Y.%m.%d)"

package/sdlc/files/_common/scripts/derive-release-version.test.sh

@@ -154,6 +154,89 @@ cat > compliance/pending-releases/RELEASE-TICKET-REQ-051.md <<'TICKET'
 TICKET
 assert_eq "subject [REQ-099] beats pending REQ-051 -> REQ-099" "REQ-099" "$(run_helper)"
 
+# Case 13 (DevAudit-Installer#95): step-4-bis. No subject/body tag,
+# no pending ticket, but RTM.md has exactly one IN PROGRESS row.
+# Attribute to that REQ. Tests the zero-ceremony fallback that
+# survives chore/docs/ci sync commits when no operator state file
+# has been dropped.
+make_fixture "$WORK/c13" "chore: devaudit update to 0.1.29"
+mkdir -p compliance
+cat > compliance/RTM.md <<'RTM'
+# RTM
+| REQ-ID  | Issue | Risk | Evidence                     | Status              | Approver | Date       |
+| ------- | ----- | ---- | ---------------------------- | ------------------- | -------- | ---------- |
+| REQ-100 | #10   | LOW  | compliance/evidence/REQ-100/ | APPROVED - DEPLOYED | dev      | 2026-05-30 |
+| REQ-101 | #11   | MED  | compliance/evidence/REQ-101/ | IN PROGRESS         | dev      | 2026-06-01 |
+RTM
+assert_eq "RTM single IN PROGRESS row -> REQ-101" "REQ-101" "$(run_helper)"
+
+# Case 14: step-4-bis ambiguity guard. Two IN PROGRESS rows → falls
+# through to the bare date rather than guessing.
+make_fixture "$WORK/c14" "chore: devaudit update to 0.1.29"
+mkdir -p compliance
+cat > compliance/RTM.md <<'RTM'
+| REQ-ID  | Status         |
+| ------- | -------------- |
+| REQ-101 | IN PROGRESS    |
+| REQ-102 | IN PROGRESS    |
+RTM
+assert_eq "RTM two IN PROGRESS rows -> bare date $TODAY" "$TODAY" "$(run_helper)"
+
+# Case 15: step-4-bis must ignore legend rows that mention IN PROGRESS
+# inside backticks (the wawagardenbar-app RTM convention) and prose
+# mentions in description columns.
+make_fixture "$WORK/c15" "chore: devaudit update to 0.1.29"
+mkdir -p compliance
+cat > compliance/RTM.md <<'RTM'
+# RTM
+## Conventions
+| Value              | Meaning                       |
+| ------------------ | ----------------------------- |
+| `IN PROGRESS`      | Active development underway   |
+
+| REQ-ID  | Status                                                            |
+| ------- | ----------------------------------------------------------------- |
+| REQ-200 | RELEASED (was IN PROGRESS during Q3, then deployed)               |
+RTM
+assert_eq "RTM legend + prose mentions -> bare date $TODAY" "$TODAY" "$(run_helper)"
+
+# Case 16: step-4-bis with the real META-JOBS-shaped RTM row (long
+# parenthetical commentary in the status cell). The status cell still
+# starts with `IN PROGRESS` after the pipe.
+make_fixture "$WORK/c16" "chore: devaudit update to 0.1.29"
+mkdir -p compliance
+cat > compliance/RTM.md <<'RTM'
+| REQ-ID  | Issue | Risk        | Evidence                     | Status                                                                | Approver   | Date       |
+| ------- | ----- | ----------- | ---------------------------- | --------------------------------------------------------------------- | ---------- | ---------- |
+| REQ-056 | #117  | MEDIUM-HIGH | compliance/evidence/REQ-056/ | IN PROGRESS (WhatsApp inbound-message router; many details follow...) | ostendo-io | 2026-06-01 |
+RTM
+assert_eq "RTM long parenthetical status -> REQ-056" "REQ-056" "$(run_helper)"
+
+# Case 17: step-4-bis must NOT win over a pending ticket on disk.
+# Step 4 returns first.
+make_fixture "$WORK/c17" "chore: devaudit update to 0.1.29"
+mkdir -p compliance/pending-releases compliance
+cat > compliance/pending-releases/RELEASE-TICKET-REQ-301.md <<'TICKET'
+# Release Ticket: REQ-301
+TICKET
+cat > compliance/RTM.md <<'RTM'
+| REQ-ID  | Status      |
+| ------- | ----------- |
+| REQ-302 | IN PROGRESS |
+RTM
+assert_eq "pending ticket REQ-301 beats RTM IN PROGRESS REQ-302" "REQ-301" "$(run_helper)"
+
+# Case 18: step-4-bis respects RTM_PATH env override.
+make_fixture "$WORK/c18" "chore: devaudit update to 0.1.29"
+mkdir -p docs
+cat > docs/custom-RTM.md <<'RTM'
+| REQ-ID  | Status      |
+| ------- | ----------- |
+| REQ-400 | IN PROGRESS |
+RTM
+GOT=$(RTM_PATH=docs/custom-RTM.md run_helper)
+assert_eq "RTM_PATH=docs/custom-RTM.md -> REQ-400" "REQ-400" "$GOT"
+
 echo ""
 echo "=== Summary: $PASS pass / $FAIL fail ==="
 

package/sdlc/files/_common/scripts/validate-commits.sh

@@ -22,7 +22,10 @@ echo "Comparing: $BASE_BRANCH...HEAD"
 echo ""
 
 # Conventional Commit regex: type(optional-scope): description
-CC_REGEX='^(feat|fix|docs|test|refactor|chore|compliance|security|perf|ci|build|revert)(\([a-zA-Z0-9_-]+\))?!?: .+'
+# Scope accepts anything except `)` so multi-scope subjects like
+# `feat(auth,profile):` and `fix(rewards/expiry):` validate. The closing-paren
+# guard prevents pathological inputs. DevAudit-Installer#93.
+CC_REGEX='^(feat|fix|docs|test|refactor|chore|compliance|security|perf|ci|build|revert)(\([^)]+\))?!?: .+'
 
 COMMITS=$(git log "$BASE_BRANCH"..HEAD --format='%H' || true)
 

package/sdlc/files/ci/ci.yml.template

@@ -76,11 +76,13 @@ jobs:
       # ── Gate 1: TypeScript ──
 
       - name: TypeScript Check
+        id: typescript
         run: npx tsc --noEmit
 
       # ── Gate 2: SAST (Semgrep) ──
 
       - name: SAST Scan
+        id: sast
         run: |
           # --output writes the JSON report to the file directly; stderr
           # (progress/metrics/version notices) goes to /dev/null. Using
@@ -106,6 +108,7 @@ jobs:
       # ── Gate 3: Dependency Audit ──
 
       - name: Dependency Audit
+        id: dep-audit
         run: |
           # stderr → /dev/null so warnings can't corrupt the JSON (DevAudit #48)
           npm audit --json > dependency-audit.json 2>/dev/null || true
@@ -144,10 +147,34 @@ jobs:
       # ── Gate 5: Build ──
 
       - name: Build Check
+        id: build
         run: npm run build
         env:
 {{BUILD_ENV}}
 
+      # ── Summarise per-gate outcomes ──
+      #
+      # Runs unconditionally so a failed earlier gate doesn't strand the
+      # outcome of the gates that did run. Step outcomes are one of
+      # `success` / `failure` / `skipped` / `cancelled`. The upload-evidence
+      # job maps these to `passed` / `failed` / `skipped` and sends the
+      # result as `gateStatus=` on each per-gate upload, so the portal can
+      # render a failed gate as failed (with the run artefact) rather than
+      # showing it as missing. DevAudit-Installer#96.
+
+      - name: Summarise gate outcomes
+        if: always()
+        run: |
+          cat > gate-outcomes.json <<EOF
+          {
+            "typescript": "${{ steps.typescript.outcome }}",
+            "sast": "${{ steps.sast.outcome }}",
+            "dependency_audit": "${{ steps.dep-audit.outcome }}",
+            "build": "${{ steps.build.outcome }}"
+          }
+          EOF
+          cat gate-outcomes.json
+
       # ── Upload artifacts ──
 
       - uses: actions/upload-artifact@v4
@@ -162,6 +189,7 @@ jobs:
             e2e-auth-results.json
             playwright-report/
             coverage/coverage-summary.json
+            gate-outcomes.json
             compliance/evidence/*/screenshots/*.png
           retention-days: 90
 
@@ -278,7 +306,11 @@ jobs:
     name: Upload Evidence
     runs-on: {{RUNNER}}
     needs: [quality-gates, register-release]
-    if: ${{ !failure() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' }}
+    # `always()` instead of `!failure()` so failed gates still upload their
+    # evidence — `status=failed` is itself the audit trail. `!cancelled()`
+    # still guards against partial state on operator-cancel.
+    # DevAudit-Installer#96.
+    if: ${{ always() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' && needs.register-release.result == 'success' }}
     env:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
@@ -315,6 +347,32 @@ jobs:
             fi
           }
 
+          # Map step outcomes from gate-outcomes.json (written by the
+          # `Summarise gate outcomes` step) to gateStatus values the
+          # uploader forwards to the portal. Failed gates upload as
+          # gateStatus=failed so the portal can distinguish a gate that
+          # ran-and-failed from one that never ran. DevAudit-Installer#96.
+          gate_status() {
+            case "$1" in
+              success) echo passed ;;
+              failure) echo failed ;;
+              *) echo skipped ;;
+            esac
+          }
+          STATUS_TYPESCRIPT=skipped
+          STATUS_SAST=skipped
+          STATUS_DEPAUDIT=skipped
+          STATUS_BUILD=skipped
+          if [ -f ci-evidence/gate-outcomes.json ]; then
+            STATUS_TYPESCRIPT=$(gate_status "$(jq -r '.typescript // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_SAST=$(gate_status "$(jq -r '.sast // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_DEPAUDIT=$(gate_status "$(jq -r '.dependency_audit // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_BUILD=$(gate_status "$(jq -r '.build // "skipped"' ci-evidence/gate-outcomes.json)")
+            upload gate-outcomes.json \
+              {{PROJECT_SLUG}} _compliance-docs compliance_document ci-evidence/gate-outcomes.json \
+              --category ci_pipeline ${FLAGS}
+          fi
+
           # Re-generate gate evidence as fallback if artifact download failed
           mkdir -p ci-evidence
           if [ ! -f ci-evidence/sast-results.json ]; then
@@ -337,7 +395,7 @@ jobs:
           if [ -f ci-evidence/sast-results.json ]; then
             upload sast-results.json \
               {{PROJECT_SLUG}} _compliance-docs sast_report ci-evidence/sast-results.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_SAST" ${FLAGS}
           fi
 
           # Upload dependency audit — precise evidence_type=dependency_audit
@@ -345,7 +403,7 @@ jobs:
           if [ -f ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
               {{PROJECT_SLUG}} _compliance-docs dependency_audit ci-evidence/dependency-audit.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_DEPAUDIT" ${FLAGS}
           fi
 
           # Upload E2E test results (ci_pipeline category)

package/sdlc/files/ci/python/ci.yml.template

@@ -61,19 +61,23 @@ jobs:
       # ── Gate 1: Lint + format (ruff) ──
 
       - name: Ruff lint
+        id: ruff-lint
         run: ruff check {{SOURCE_DIRS}}
 
       - name: Ruff format check
+        id: ruff-format
         run: ruff format --check {{SOURCE_DIRS}}
 
       # ── Gate 2: Type check (mypy --strict) ──
 
       - name: Type Check (mypy)
+        id: mypy
         run: mypy {{SOURCE_DIRS}}
 
       # ── Gate 3: SAST (Semgrep) ──
 
       - name: SAST Scan
+        id: sast
         run: |
           mkdir -p ci-evidence
           semgrep scan --config auto {{SOURCE_DIRS}} \
@@ -95,6 +99,7 @@ jobs:
       # ── Gate 4: Dependency Audit (pip-audit) ──
 
       - name: Dependency Audit
+        id: dep-audit
         run: |
           mkdir -p ci-evidence
           pip-audit --format=json > ci-evidence/dependency-audit.json 2>&1 || true
@@ -124,6 +129,7 @@ jobs:
 {{DATABASE_URI_STEP}}
 
       - name: Tests
+        id: tests
         run: |
           mkdir -p ci-evidence
           pytest --junit-xml=ci-evidence/junit.xml --tb=short
@@ -131,10 +137,31 @@ jobs:
       # ── Gate 6: Build ──
 
       - name: Build Check
+        id: build
         run: python -m build --sdist --wheel
         env:
 {{BUILD_ENV}}
 
+      # ── Summarise per-gate outcomes ──
+      # Runs unconditionally so a failed earlier gate doesn't strand the
+      # outcome of the gates that did run. DevAudit-Installer#96.
+      - name: Summarise gate outcomes
+        if: always()
+        run: |
+          mkdir -p ci-evidence
+          cat > ci-evidence/gate-outcomes.json <<EOF
+          {
+            "ruff_lint": "${{ steps.ruff-lint.outcome }}",
+            "ruff_format": "${{ steps.ruff-format.outcome }}",
+            "mypy": "${{ steps.mypy.outcome }}",
+            "sast": "${{ steps.sast.outcome }}",
+            "dependency_audit": "${{ steps.dep-audit.outcome }}",
+            "tests": "${{ steps.tests.outcome }}",
+            "build": "${{ steps.build.outcome }}"
+          }
+          EOF
+          cat ci-evidence/gate-outcomes.json
+
       # ── Upload artifacts ──
 
       # actions/upload-artifact@v4 doesn't honour the job's `working-directory`;
@@ -150,6 +177,7 @@ jobs:
             {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json
             {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json
             {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml
+            {{WORKING_DIR_PREFIX}}ci-evidence/gate-outcomes.json
             {{WORKING_DIR_PREFIX}}dist/
           retention-days: 90
 
@@ -256,7 +284,11 @@ jobs:
     name: Upload Evidence
     runs-on: {{RUNNER}}
     needs: [quality-gates, register-release]
-    if: ${{ !failure() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' }}
+    # `always()` instead of `!failure()` so failed gates still upload their
+    # evidence — `status=failed` is itself the audit trail. `!cancelled()`
+    # still guards against partial state on operator-cancel.
+    # DevAudit-Installer#96.
+    if: ${{ always() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' && needs.register-release.result == 'success' }}
     env:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
@@ -293,25 +325,50 @@ jobs:
             fi
           }
 
+          # Map step outcomes from gate-outcomes.json (written by the
+          # `Summarise gate outcomes` step) to gateStatus values the
+          # uploader forwards to the portal. Failed gates upload as
+          # gateStatus=failed so the portal can distinguish a gate that
+          # ran-and-failed from one that never ran. DevAudit-Installer#96.
+          gate_status() {
+            case "$1" in
+              success) echo passed ;;
+              failure) echo failed ;;
+              *) echo skipped ;;
+            esac
+          }
+          STATUS_SAST=skipped
+          STATUS_DEPAUDIT=skipped
+          STATUS_TESTS=skipped
+          OUTCOMES_FILE="{{WORKING_DIR_PREFIX}}ci-evidence/gate-outcomes.json"
+          if [ -f "$OUTCOMES_FILE" ]; then
+            STATUS_SAST=$(gate_status "$(jq -r '.sast // "skipped"' "$OUTCOMES_FILE")")
+            STATUS_DEPAUDIT=$(gate_status "$(jq -r '.dependency_audit // "skipped"' "$OUTCOMES_FILE")")
+            STATUS_TESTS=$(gate_status "$(jq -r '.tests // "skipped"' "$OUTCOMES_FILE")")
+            upload gate-outcomes.json \
+              {{PROJECT_SLUG}} _compliance-docs compliance_document "$OUTCOMES_FILE" \
+              --category ci_pipeline ${FLAGS}
+          fi
+
           mkdir -p {{WORKING_DIR_PREFIX}}ci-evidence
 
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json ]; then
             upload sast-results.json \
               {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_SAST" ${FLAGS}
           fi
 
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
               {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_DEPAUDIT" ${FLAGS}
           fi
 
           # pytest junit.xml is the Python equivalent of e2e-results.json — same `e2e_result` evidence type
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml ]; then
             upload junit.xml \
               {{PROJECT_SLUG}} _compliance-docs e2e_result {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml \
-              --category ci_pipeline ${FLAGS}
+              --category ci_pipeline --gate-status "$STATUS_TESTS" ${FLAGS}
           fi
 
           if [ -f "compliance/test-summary-report.md" ]; then