@metasession.co/devaudit-cli 0.1.28 → 0.1.30

package/sdlc/files/ci/ci.yml.template

@@ -76,11 +76,13 @@ jobs:
       # ── Gate 1: TypeScript ──
 
       - name: TypeScript Check
+        id: typescript
         run: npx tsc --noEmit
 
       # ── Gate 2: SAST (Semgrep) ──
 
       - name: SAST Scan
+        id: sast
         run: |
           # --output writes the JSON report to the file directly; stderr
           # (progress/metrics/version notices) goes to /dev/null. Using
@@ -106,6 +108,7 @@ jobs:
       # ── Gate 3: Dependency Audit ──
 
       - name: Dependency Audit
+        id: dep-audit
         run: |
           # stderr → /dev/null so warnings can't corrupt the JSON (DevAudit #48)
           npm audit --json > dependency-audit.json 2>/dev/null || true
@@ -144,10 +147,34 @@ jobs:
       # ── Gate 5: Build ──
 
       - name: Build Check
+        id: build
         run: npm run build
         env:
 {{BUILD_ENV}}
 
+      # ── Summarise per-gate outcomes ──
+      #
+      # Runs unconditionally so a failed earlier gate doesn't strand the
+      # outcome of the gates that did run. Step outcomes are one of
+      # `success` / `failure` / `skipped` / `cancelled`. The upload-evidence
+      # job maps these to `passed` / `failed` / `skipped` and sends the
+      # result as `gateStatus=` on each per-gate upload, so the portal can
+      # render a failed gate as failed (with the run artefact) rather than
+      # showing it as missing. DevAudit-Installer#96.
+
+      - name: Summarise gate outcomes
+        if: always()
+        run: |
+          cat > gate-outcomes.json <<EOF
+          {
+            "typescript": "${{ steps.typescript.outcome }}",
+            "sast": "${{ steps.sast.outcome }}",
+            "dependency_audit": "${{ steps.dep-audit.outcome }}",
+            "build": "${{ steps.build.outcome }}"
+          }
+          EOF
+          cat gate-outcomes.json
+
       # ── Upload artifacts ──
 
       - uses: actions/upload-artifact@v4
@@ -162,6 +189,7 @@ jobs:
             e2e-auth-results.json
             playwright-report/
             coverage/coverage-summary.json
+            gate-outcomes.json
             compliance/evidence/*/screenshots/*.png
           retention-days: 90
 
@@ -278,7 +306,11 @@ jobs:
     name: Upload Evidence
     runs-on: {{RUNNER}}
     needs: [quality-gates, register-release]
-    if: ${{ !failure() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' }}
+    # `always()` instead of `!failure()` so failed gates still upload their
+    # evidence — `status=failed` is itself the audit trail. `!cancelled()`
+    # still guards against partial state on operator-cancel.
+    # DevAudit-Installer#96.
+    if: ${{ always() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' && needs.register-release.result == 'success' }}
     env:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
@@ -315,6 +347,32 @@ jobs:
             fi
           }
 
+          # Map step outcomes from gate-outcomes.json (written by the
+          # `Summarise gate outcomes` step) to gateStatus values the
+          # uploader forwards to the portal. Failed gates upload as
+          # gateStatus=failed so the portal can distinguish a gate that
+          # ran-and-failed from one that never ran. DevAudit-Installer#96.
+          gate_status() {
+            case "$1" in
+              success) echo passed ;;
+              failure) echo failed ;;
+              *) echo skipped ;;
+            esac
+          }
+          STATUS_TYPESCRIPT=skipped
+          STATUS_SAST=skipped
+          STATUS_DEPAUDIT=skipped
+          STATUS_BUILD=skipped
+          if [ -f ci-evidence/gate-outcomes.json ]; then
+            STATUS_TYPESCRIPT=$(gate_status "$(jq -r '.typescript // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_SAST=$(gate_status "$(jq -r '.sast // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_DEPAUDIT=$(gate_status "$(jq -r '.dependency_audit // "skipped"' ci-evidence/gate-outcomes.json)")
+            STATUS_BUILD=$(gate_status "$(jq -r '.build // "skipped"' ci-evidence/gate-outcomes.json)")
+            upload gate-outcomes.json \
+              {{PROJECT_SLUG}} _compliance-docs compliance_document ci-evidence/gate-outcomes.json \
+              --category ci_pipeline ${FLAGS}
+          fi
+
           # Re-generate gate evidence as fallback if artifact download failed
           mkdir -p ci-evidence
           if [ ! -f ci-evidence/sast-results.json ]; then
@@ -337,7 +395,7 @@ jobs:
           if [ -f ci-evidence/sast-results.json ]; then
             upload sast-results.json \
               {{PROJECT_SLUG}} _compliance-docs sast_report ci-evidence/sast-results.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_SAST" ${FLAGS}
           fi
 
           # Upload dependency audit — precise evidence_type=dependency_audit
@@ -345,7 +403,7 @@ jobs:
           if [ -f ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
               {{PROJECT_SLUG}} _compliance-docs dependency_audit ci-evidence/dependency-audit.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_DEPAUDIT" ${FLAGS}
           fi
 
           # Upload E2E test results (ci_pipeline category)

package/sdlc/files/ci/python/ci.yml.template

@@ -61,19 +61,23 @@ jobs:
       # ── Gate 1: Lint + format (ruff) ──
 
       - name: Ruff lint
+        id: ruff-lint
         run: ruff check {{SOURCE_DIRS}}
 
       - name: Ruff format check
+        id: ruff-format
         run: ruff format --check {{SOURCE_DIRS}}
 
       # ── Gate 2: Type check (mypy --strict) ──
 
       - name: Type Check (mypy)
+        id: mypy
         run: mypy {{SOURCE_DIRS}}
 
       # ── Gate 3: SAST (Semgrep) ──
 
       - name: SAST Scan
+        id: sast
         run: |
           mkdir -p ci-evidence
           semgrep scan --config auto {{SOURCE_DIRS}} \
@@ -95,6 +99,7 @@ jobs:
       # ── Gate 4: Dependency Audit (pip-audit) ──
 
       - name: Dependency Audit
+        id: dep-audit
         run: |
           mkdir -p ci-evidence
           pip-audit --format=json > ci-evidence/dependency-audit.json 2>&1 || true
@@ -124,6 +129,7 @@ jobs:
 {{DATABASE_URI_STEP}}
 
       - name: Tests
+        id: tests
         run: |
           mkdir -p ci-evidence
           pytest --junit-xml=ci-evidence/junit.xml --tb=short
@@ -131,10 +137,31 @@ jobs:
       # ── Gate 6: Build ──
 
       - name: Build Check
+        id: build
         run: python -m build --sdist --wheel
         env:
 {{BUILD_ENV}}
 
+      # ── Summarise per-gate outcomes ──
+      # Runs unconditionally so a failed earlier gate doesn't strand the
+      # outcome of the gates that did run. DevAudit-Installer#96.
+      - name: Summarise gate outcomes
+        if: always()
+        run: |
+          mkdir -p ci-evidence
+          cat > ci-evidence/gate-outcomes.json <<EOF
+          {
+            "ruff_lint": "${{ steps.ruff-lint.outcome }}",
+            "ruff_format": "${{ steps.ruff-format.outcome }}",
+            "mypy": "${{ steps.mypy.outcome }}",
+            "sast": "${{ steps.sast.outcome }}",
+            "dependency_audit": "${{ steps.dep-audit.outcome }}",
+            "tests": "${{ steps.tests.outcome }}",
+            "build": "${{ steps.build.outcome }}"
+          }
+          EOF
+          cat ci-evidence/gate-outcomes.json
+
       # ── Upload artifacts ──
 
       # actions/upload-artifact@v4 doesn't honour the job's `working-directory`;
@@ -150,6 +177,7 @@ jobs:
             {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json
             {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json
             {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml
+            {{WORKING_DIR_PREFIX}}ci-evidence/gate-outcomes.json
             {{WORKING_DIR_PREFIX}}dist/
           retention-days: 90
 
@@ -256,7 +284,11 @@ jobs:
     name: Upload Evidence
     runs-on: {{RUNNER}}
     needs: [quality-gates, register-release]
-    if: ${{ !failure() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' }}
+    # `always()` instead of `!failure()` so failed gates still upload their
+    # evidence — `status=failed` is itself the audit trail. `!cancelled()`
+    # still guards against partial state on operator-cancel.
+    # DevAudit-Installer#96.
+    if: ${{ always() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' && needs.register-release.result == 'success' }}
     env:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
@@ -293,25 +325,50 @@ jobs:
             fi
           }
 
+          # Map step outcomes from gate-outcomes.json (written by the
+          # `Summarise gate outcomes` step) to gateStatus values the
+          # uploader forwards to the portal. Failed gates upload as
+          # gateStatus=failed so the portal can distinguish a gate that
+          # ran-and-failed from one that never ran. DevAudit-Installer#96.
+          gate_status() {
+            case "$1" in
+              success) echo passed ;;
+              failure) echo failed ;;
+              *) echo skipped ;;
+            esac
+          }
+          STATUS_SAST=skipped
+          STATUS_DEPAUDIT=skipped
+          STATUS_TESTS=skipped
+          OUTCOMES_FILE="{{WORKING_DIR_PREFIX}}ci-evidence/gate-outcomes.json"
+          if [ -f "$OUTCOMES_FILE" ]; then
+            STATUS_SAST=$(gate_status "$(jq -r '.sast // "skipped"' "$OUTCOMES_FILE")")
+            STATUS_DEPAUDIT=$(gate_status "$(jq -r '.dependency_audit // "skipped"' "$OUTCOMES_FILE")")
+            STATUS_TESTS=$(gate_status "$(jq -r '.tests // "skipped"' "$OUTCOMES_FILE")")
+            upload gate-outcomes.json \
+              {{PROJECT_SLUG}} _compliance-docs compliance_document "$OUTCOMES_FILE" \
+              --category ci_pipeline ${FLAGS}
+          fi
+
           mkdir -p {{WORKING_DIR_PREFIX}}ci-evidence
 
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json ]; then
             upload sast-results.json \
               {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_SAST" ${FLAGS}
           fi
 
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
               {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json \
-              --category security_scan ${FLAGS}
+              --category security_scan --gate-status "$STATUS_DEPAUDIT" ${FLAGS}
           fi
 
           # pytest junit.xml is the Python equivalent of e2e-results.json — same `e2e_result` evidence type
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml ]; then
             upload junit.xml \
               {{PROJECT_SLUG}} _compliance-docs e2e_result {{WORKING_DIR_PREFIX}}ci-evidence/junit.xml \
-              --category ci_pipeline ${FLAGS}
+              --category ci_pipeline --gate-status "$STATUS_TESTS" ${FLAGS}
           fi
 
           if [ -f "compliance/test-summary-report.md" ]; then