@metasession.co/devaudit-cli 0.1.29 → 0.1.31

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.29",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.31",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/governance/ai-disclosure.md.template

@@ -0,0 +1,91 @@
+---
+title: "AI Use Disclosure (deployer-facing)"
+provider: "REPLACE — legal name of the AI system provider"
+intended_purpose: "REPLACE — one-line description of intended use"
+last_reviewed_at: "REPLACE — YYYY-MM-DD"
+review_cadence_days: 180
+risk_class: "REPLACE — minimal | limited | high | unacceptable"
+---
+
+> ⚠️ **STARTER TEMPLATE — REPLACE BEFORE GOING TO PRODUCTION.**
+> This file was auto-installed by `devaudit install` as a starting point.
+> It does **not** describe your project's actual AI use. Edit and commit.
+> Auditors will reject unedited stubs. See `docs/governance-templates.md` for guidance.
+
+# AI Use Disclosure — Provision of information to deployers
+
+**Framework coverage:** `EUAIA.Art-13` (Transparency and provision of information to deployers)
+
+**Evidence type:** `ai_disclosure` · **Cadence:** refresh every 180 days, or whenever an AI tool / model / prompt-class is added or substantively changed.
+
+> The EU AI Act requires providers to give deployers (the people who put the AI system into use in their professional activity) **clear, comprehensive, accurate and unambiguous** information about the system's capabilities, limitations, and intended use. This file is that disclosure for our project — both for AI we develop and for third-party AI we incorporate.
+
+## 1. Intended purpose
+
+- **What the AI system does:** REPLACE
+- **Intended use cases:** REPLACE
+- **Foreseeable misuse / out-of-scope use cases:** REPLACE
+
+## 2. Risk classification
+
+- **Annex III high-risk category match:** REPLACE — none / list applicable categories
+- **Final risk class (per Title III):** REPLACE — minimal / limited / high / unacceptable
+- **Reasoning:** REPLACE
+
+## 3. AI tools and models in use
+
+Add one row per AI tool / model / API. Delete this template row before your first audit.
+
+| Tool / model | Vendor | Use case | Inputs (data classes) | Outputs | Risk class | Provider docs |
+|---|---|---|---|---|---|---|
+| REPLACE — e.g. GPT-4o | OpenAI | Code suggestion in IDE | Source code, no PII | Code suggestions | Limited | https://… |
+| REPLACE | | | | | | |
+
+## 4. Human oversight (Art. 14)
+
+- **Where humans intervene in the AI loop:** REPLACE — e.g. "Every AI-suggested change goes through a four-eyes code review before merge"
+- **Authority of the human reviewer:** REPLACE — can they reject / override / stop the system? Document the path
+- **Cross-reference to four-eyes release approval:** all releases require an approved-by audit event in the portal (closes `EUAIA.Art-14`)
+
+## 5. Capabilities and limitations
+
+- **Known limitations:** REPLACE — failure modes, training data cut-off, hallucination risk
+- **Accuracy / robustness metrics:** REPLACE — link to test reports / benchmark results
+- **Conditions under which performance degrades:** REPLACE
+
+## 6. Data, training, validation
+
+- **Training data provenance (if we train):** REPLACE — sources, licensing, consent
+- **Fine-tuning, RAG, prompt engineering used:** REPLACE
+- **Data flowing to third-party AI providers:** REPLACE — list each provider + what's sent + DPA / SCC reference (cross-link to ROPA)
+
+## 7. Logging and traceability (Art. 12)
+
+- **What we log:** REPLACE — prompts, completions, user/agent identity, timestamp
+- **Where logs live:** REPLACE — link to portal `audit_log` evidence pipeline
+- **Retention:** REPLACE
+- **Closes `EUAIA.Art-12` via the `audit_log` snapshot uploaded each release.**
+
+## 8. Deployer obligations
+
+- **What deployers must do to use the system safely:** REPLACE — link to operator runbook
+- **Notification of substantial modifications:** REPLACE — process
+
+## 9. Sign-off
+
+| Role | Name | Date |
+|---|---|---|
+| Provider responsible | REPLACE | REPLACE |
+| AI compliance reviewer | REPLACE | REPLACE |
+
+## Sources
+
+- [EU AI Act (Regulation 2024/1689)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj) — especially Art. 9–15 (high-risk requirements) and Title IV (transparency)
+- [NIST AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework)
+- [Anthropic Responsible Scaling Policy](https://www.anthropic.com/news/anthropics-responsible-scaling-policy) (example provider disclosure)
+
+## Review log
+
+| Date | Reviewer | Changes |
+|---|---|---|
+| REPLACE — YYYY-MM-DD | REPLACE | Initial AI disclosure authored from starter template |

package/sdlc/files/_common/governance/dpia.md.template

@@ -0,0 +1,78 @@
+---
+title: "Data Protection Impact Assessment (DPIA)"
+processing_activity: "REPLACE — short name of the activity assessed"
+controller: "REPLACE — legal name of the controller"
+last_reviewed_at: "REPLACE — YYYY-MM-DD"
+review_cadence_days: 365
+risk_level: "REPLACE — low | medium | high"
+---
+
+> ⚠️ **STARTER TEMPLATE — REPLACE BEFORE GOING TO PRODUCTION.**
+> This file was auto-installed by `devaudit install` as a starting point.
+> It does **not** describe your project's actual data protection risks. Edit and commit.
+> Auditors will reject unedited stubs. See `docs/governance-templates.md` for guidance.
+
+# Data Protection Impact Assessment
+
+**Framework coverage:** `GDPR.Art-35` (Data protection impact assessment)
+
+**Evidence type:** `dpia` · **Cadence:** refresh every 365 days, or whenever the processing materially changes.
+
+> A DPIA is **mandatory** for processing likely to result in high risk to data subjects: large-scale special-category data, systematic monitoring, automated decision-making with legal effect, etc. See Art. 35(3) and your supervisory authority's "blacklist" guidance.
+
+## 1. Description of the processing
+
+- **Activity name:** REPLACE
+- **Nature, scope, context, purposes:** REPLACE — what data is processed, how, why, for whom, at what scale
+- **Data flow diagram or reference:** REPLACE — link to architecture doc / threat model
+- **Cross-reference to ROPA:** `compliance/governance/ropa.md` activity REPLACE
+
+## 2. Necessity and proportionality
+
+- **Lawful basis (Art. 6):** REPLACE
+- **Special-category basis (Art. 9), if applicable:** REPLACE
+- **Less-intrusive alternatives considered:** REPLACE
+- **Data minimisation:** REPLACE — what's not collected and why
+- **Retention justification:** REPLACE
+- **Data subject rights — how exercised:** REPLACE — link to SAR procedure, rectification, erasure, portability
+
+## 3. Risks to rights and freedoms
+
+For each risk, populate one row. Add or remove rows to fit your assessment.
+
+| # | Risk | Likelihood (1–3) | Severity (1–3) | Inherent risk | Existing controls | Residual risk | Acceptable? |
+|---|---|---|---|---|---|---|---|
+| 1 | REPLACE — e.g. unauthorised access to user accounts | REPLACE | REPLACE | REPLACE | REPLACE — MFA, RBAC, encryption-at-rest | REPLACE | REPLACE Y/N |
+| 2 | REPLACE | | | | | | |
+
+## 4. Measures to address the risks
+
+- **Technical measures:** REPLACE — encryption, pseudonymisation, access controls, logging
+- **Organisational measures:** REPLACE — training, policies, contractual safeguards
+- **Residual high risk?** REPLACE — if YES, you must consult the supervisory authority (Art. 36) **before** processing begins. Document the consultation outcome.
+
+## 5. Consultation
+
+- **DPO opinion:** REPLACE — name, date, conclusion
+- **Data subjects / representatives consulted:** REPLACE — describe or document why not
+- **Supervisory authority prior consultation:** REPLACE — required only when residual high risk remains
+
+## 6. Sign-off
+
+| Role | Name | Date | Decision |
+|---|---|---|---|
+| Controller | REPLACE | REPLACE | REPLACE — approved / rejected / conditional |
+| DPO | REPLACE | REPLACE | REPLACE |
+| Technical lead | REPLACE | REPLACE | REPLACE |
+
+## Sources
+
+- [EDPB DPIA guidelines (WP248 rev.01)](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/)
+- [ICO DPIA template](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/)
+- [CNIL PIA software](https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assessment)
+
+## Review log
+
+| Date | Reviewer | Changes |
+|---|---|---|
+| REPLACE — YYYY-MM-DD | REPLACE | Initial DPIA authored from starter template |

package/sdlc/files/_common/governance/incident-report.md.template

@@ -0,0 +1,111 @@
+---
+title: "Incident Report"
+incident_id: "REPLACE — e.g. INC-2026-001"
+severity: "REPLACE — low | medium | high | critical"
+detected_at: "REPLACE — ISO-8601 with timezone"
+resolved_at: "REPLACE — ISO-8601 or 'ongoing'"
+involves_personal_data: "REPLACE — true | false"
+reported_to_supervisory_authority: "REPLACE — true | false | n/a"
+notification_window_72h: "REPLACE — within | outside | n/a"
+last_reviewed_at: "REPLACE — YYYY-MM-DD"
+---
+
+> ⚠️ **STARTER TEMPLATE — REPLACE BEFORE GOING TO PRODUCTION.**
+> This file was auto-installed by `devaudit install` as a starting point.
+> If you reach for this file it's because something **happened** — replace this banner
+> with the actual incident details. One incident per file (rename to
+> `incident-report-<id>.md` if you keep multiple). Auditors will reject unedited stubs.
+
+# Incident Report
+
+**Framework coverage:**
+
+- `ISO29119.3.5.4` (Test incident report)
+- `SOC2.CC7.2` (System monitoring and incident response)
+- `GDPR.Art-33` (Notification of a personal data breach to the supervisory authority — 72h)
+- `GDPR.Art-34` (Communication of a personal data breach to the data subject)
+
+**Evidence type:** `incident_report` · One artefact can satisfy multiple clauses depending on its scope (test defect, ops incident, personal-data breach).
+
+## 1. Summary
+
+- **Incident ID:** REPLACE
+- **Severity:** REPLACE — low / medium / high / critical
+- **One-line description:** REPLACE
+- **Detected at:** REPLACE — when was it first noticed
+- **Resolved at:** REPLACE — or "ongoing"
+- **Duration:** REPLACE
+
+## 2. Personal data scope (GDPR triage)
+
+| Question | Answer |
+|---|---|
+| Did the incident involve personal data? | REPLACE — Y / N |
+| If Y: estimated number of data subjects affected | REPLACE |
+| If Y: categories of personal data involved | REPLACE |
+| If Y: likely consequences for data subjects | REPLACE |
+| **Notify supervisory authority (Art. 33)?** | REPLACE — required if Y and risk to rights/freedoms |
+| **Notify data subjects (Art. 34)?** | REPLACE — required if high risk to rights/freedoms |
+| 72-hour notification window: | REPLACE — within / outside / n/a; if outside, explain delay |
+
+## 3. Timeline
+
+| Time (UTC) | Event |
+|---|---|
+| REPLACE — ISO-8601 | REPLACE — first signal observed |
+| REPLACE | REPLACE — detection escalated to on-call |
+| REPLACE | REPLACE — incident channel opened, IC assigned |
+| REPLACE | REPLACE — mitigation deployed |
+| REPLACE | REPLACE — incident declared resolved |
+| REPLACE | REPLACE — supervisory authority notified (if applicable) |
+| REPLACE | REPLACE — data subjects notified (if applicable) |
+
+## 4. Root cause
+
+- **What happened:** REPLACE — technical narrative
+- **Why it happened:** REPLACE — 5-whys or equivalent
+- **Why it wasn't caught earlier:** REPLACE — gap in monitoring / testing / review
+
+## 5. Impact
+
+- **Users affected:** REPLACE — count + segment
+- **Data confidentiality / integrity / availability impact:** REPLACE
+- **Financial / reputational:** REPLACE
+- **Regulatory:** REPLACE
+
+## 6. Containment, mitigation, and recovery
+
+- **Containment actions:** REPLACE
+- **Mitigation deployed (link PRs):** REPLACE
+- **Recovery actions:** REPLACE
+- **Verification that the incident is resolved:** REPLACE
+
+## 7. Communications
+
+- **Internal:** REPLACE — who was notified, when
+- **Customer / data subjects:** REPLACE — channel, content (attach), timing
+- **Supervisory authority:** REPLACE — body, reference number, content (attach)
+- **Public statement:** REPLACE — link if any
+
+## 8. Lessons learned and follow-ups
+
+- **What worked well:** REPLACE
+- **What didn't:** REPLACE
+- **Follow-up actions (issue links, owners, due dates):** REPLACE — file GitHub issues; one row per action
+  - [ ] REPLACE — owner @REPLACE — due REPLACE
+  - [ ] REPLACE — owner @REPLACE — due REPLACE
+
+## 9. Sign-off
+
+| Role | Name | Date |
+|---|---|---|
+| Incident Commander | REPLACE | REPLACE |
+| Engineering lead | REPLACE | REPLACE |
+| DPO (if personal data involved) | REPLACE | REPLACE |
+| Security lead | REPLACE | REPLACE |
+
+## Sources
+
+- [ICO breach reporting guidance](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/) (UK)
+- [EDPB Guidelines 9/2022 on personal data breach notification](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/)
+- [SOC 2 Trust Services Criteria — CC7 (System Operations)](https://www.aicpa-cima.com/topic/audit-assurance/trust-services-criteria)

package/sdlc/files/_common/governance/periodic-review.md.template

@@ -0,0 +1,109 @@
+---
+title: "Periodic Review of Internal Controls"
+period_start: "REPLACE — YYYY-MM-DD"
+period_end: "REPLACE — YYYY-MM-DD"
+reviewer: "REPLACE — name + role"
+last_reviewed_at: "REPLACE — YYYY-MM-DD"
+review_cadence_days: 90
+---
+
+> ⚠️ **STARTER TEMPLATE — REPLACE BEFORE GOING TO PRODUCTION.**
+> This file was auto-installed by `devaudit install` as a starting point.
+> The Periodic Review workflow (`.github/workflows/periodic-review.yml`, shipped in
+> v0.1.31) auto-regenerates this file quarterly with locally-derived metrics and
+> opens a PR. The human attestation sections (Review notes, control-effectiveness
+> judgement, dual-actor sign-off) still need to be filled in before each PR can
+> merge — the auto-generator can't produce defensible attestation on its own.
+> Auditors will reject unedited stubs. See `docs/governance-templates.md` for guidance.
+
+# Periodic Review of Internal Controls
+
+**Framework coverage:**
+
+- `SOC2.CC4.1` (Monitoring of internal controls)
+- `ISO27001.A.12.1` (Operational procedures and responsibilities)
+
+**Evidence type:** `periodic_review` · **Cadence:** every 90 days (quarterly). The portal flags this evidence as `expired` after 365 days — but a 90-day cadence is the practical minimum.
+
+## 1. Review period
+
+- **From:** REPLACE — YYYY-MM-DD
+- **To:** REPLACE — YYYY-MM-DD
+- **Reviewer:** REPLACE — name + role
+- **Approver (different person, if dual-actor required):** REPLACE
+
+## 2. Activity summary (CI-derived, auto-fill when WS3 lands)
+
+| Metric | Value | Notes |
+|---|---|---|
+| Releases shipped this period | REPLACE | Tracked + housekeeping combined |
+| Tracked releases (REQ-XXX) | REPLACE | |
+| Quality-gate pass rate | REPLACE — % | % of CI runs where every gate passed |
+| SAST findings net change | REPLACE | +/- vs. previous period |
+| Dependency-audit unaccepted high/critical | REPLACE | Current count |
+| Audit-log entries | REPLACE | Total in period |
+| Open SDLC issues at period end | REPLACE | From `gh issue list --label requirement --state open` |
+
+## 3. Control-effectiveness review
+
+For each control area, document evidence + reviewer judgement.
+
+### 3a. Access control (ISO 27001 A.5.15)
+
+- **Active access grants reviewed:** REPLACE — list or attach export
+- **Grants revoked this period:** REPLACE — count + reason
+- **Anomalies:** REPLACE — or "none"
+- **Effective?** REPLACE — Y / N (if N, follow-up action below)
+
+### 3b. Change management (ISO 27001 A.8.32 / SOC 2 CC8.1)
+
+- **Releases approved via four-eyes flow:** REPLACE — N of M
+- **Self-approval blocked on MEDIUM/HIGH risk?** REPLACE — confirm enforcement
+- **Effective?** REPLACE
+
+### 3c. Security testing (ISO 27001 A.8.29)
+
+- **SAST gate pass rate:** REPLACE
+- **Dependency-audit gate pass rate:** REPLACE
+- **E2E gate pass rate:** REPLACE
+- **Effective?** REPLACE
+
+### 3d. Logging and monitoring (ISO 27001 A.8.16 / EUAIA Art. 12)
+
+- **Audit-log entries reviewed:** REPLACE — sample size + method
+- **Anomalies escalated:** REPLACE — count
+- **Effective?** REPLACE
+
+### 3e. Operational procedures (ISO 27001 A.12.1)
+
+- **Procedures reviewed this period:** REPLACE — list (link `Periodic_Security_Review_Schedule.md` items completed)
+- **Stale / out-of-date docs:** REPLACE
+- **Effective?** REPLACE
+
+## 4. Incidents this period
+
+- **Total incidents:** REPLACE — link each `compliance/governance/incident-report-*.md`
+- **Personal-data breaches:** REPLACE — count
+- **Mean time to detection (MTTD):** REPLACE
+- **Mean time to resolution (MTTR):** REPLACE
+
+## 5. Findings and follow-up actions
+
+| # | Finding | Severity | Owner | Due | Issue link |
+|---|---|---|---|---|---|
+| 1 | REPLACE | REPLACE | REPLACE | REPLACE | REPLACE |
+| 2 | REPLACE | | | | |
+
+## 6. Sign-off
+
+| Role | Name | Date |
+|---|---|---|
+| Reviewer | REPLACE | REPLACE |
+| Approver (dual-actor) | REPLACE | REPLACE |
+| Decision | REPLACE — controls effective / partially effective / not effective |
+
+## Sources
+
+- [SOC 2 Trust Services Criteria — CC4 (Monitoring)](https://www.aicpa-cima.com/topic/audit-assurance/trust-services-criteria)
+- [ISO/IEC 27001:2022 Annex A.12 — Operational security](https://www.iso.org/standard/82875.html)
+- Your project's `Periodic_Security_Review_Schedule.md`

package/sdlc/files/_common/governance/ropa.md.template

@@ -0,0 +1,59 @@
+---
+title: "Records of Processing Activities (ROPA)"
+controller: "REPLACE — legal name of the controller"
+controller_contact: "REPLACE — DPO email or controller contact"
+last_reviewed_at: "REPLACE — YYYY-MM-DD"
+review_cadence_days: 365
+processing_activities: []
+---
+
+> ⚠️ **STARTER TEMPLATE — REPLACE BEFORE GOING TO PRODUCTION.**
+> This file was auto-installed by `devaudit install` as a starting point.
+> It does **not** describe your project's actual processing activities. Edit and commit.
+> Auditors will reject unedited stubs. See `docs/governance-templates.md` for guidance.
+
+# Records of Processing Activities
+
+**Framework coverage:** `GDPR.Art-30` (Records of processing activities)
+
+**Evidence type:** `ropa` · **Cadence:** refresh every 365 days (portal flags as `expired` after)
+
+## Controller
+
+- **Legal name:** REPLACE
+- **Address:** REPLACE
+- **Contact / DPO:** REPLACE
+- **Joint controllers / representatives:** REPLACE (or "none")
+
+## Processing activities
+
+For each distinct processing activity your project performs, add one section below. Delete this template row before your first audit.
+
+### Activity 1 — REPLACE (e.g. "User authentication and session management")
+
+| Field | Value |
+|---|---|
+| **Purpose(s) of processing** | REPLACE — why you process this data; lawful basis (Art. 6) |
+| **Categories of data subjects** | REPLACE — e.g. customers, employees, prospects |
+| **Categories of personal data** | REPLACE — e.g. name, email, IP address, hashed password |
+| **Special categories (Art. 9)** | REPLACE — none / specify (health, biometric, etc.) |
+| **Recipients / categories of recipients** | REPLACE — internal teams + named processors |
+| **Third-country transfers** | REPLACE — none / list countries + safeguard (SCCs, adequacy) |
+| **Retention period** | REPLACE — e.g. "duration of customer relationship + 7 years" |
+| **Technical and organisational security measures** | REPLACE — link to ISO 27001 controls / Test_Policy.md / encryption details |
+
+### Activity 2 — REPLACE
+
+(repeat the table above)
+
+## Sources
+
+- [ICO ROPA template (UK)](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/records-of-processing/)
+- [EDPB Guidelines on Article 30](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/)
+- Your privacy policy + DPIA (`compliance/governance/dpia.md`) should describe the same activities.
+
+## Review log
+
+| Date | Reviewer | Changes |
+|---|---|---|
+| REPLACE — YYYY-MM-DD | REPLACE | Initial ROPA authored from starter template |

package/sdlc/files/ci/incident-export.yml.template

@@ -0,0 +1,173 @@
+# Incident Export — auto-export a closed `label:incident` issue to compliance/governance/incident-report-<n>.md
+#
+# Generated by `devaudit install` / `devaudit update` from sdlc-config.json.
+# Do not edit manually — re-run the CLI (`devaudit update`) to regenerate.
+#
+# Why this exists:
+# - ISO 29119 3.5.4 (Test incident report), SOC 2 CC7.2 (System monitoring
+#   and incident response), and GDPR Art. 33 + 34 (breach notification)
+#   all want incident records as portal-resident evidence — not lost in
+#   GitHub issue threads.
+# - When an issue labelled `incident` is closed, this workflow exports its
+#   title + body + comments + timeline into a structured markdown report,
+#   opens a PR adding it to compliance/governance/, and lets the next
+#   push to develop pick it up via compliance-evidence.yml's
+#   upload_governance helper (uploads as `incident_report`).
+#
+# Operator setup (one-time):
+#   gh label create incident --color 'B60205' --description 'Operational or test incident; close to auto-archive as portal evidence'
+#
+# DevAudit-Installer#98 WS4.
+
+name: Incident Export
+
+on:
+  issues:
+    types: [closed]
+
+permissions:
+  contents: write
+  issues: read
+  pull-requests: write
+
+jobs:
+  export:
+    name: Export closed incident issue to compliance/governance/
+    runs-on: ubuntu-latest
+    # Only fire when the issue carries the `incident` label. Cheap predicate;
+    # skips this job entirely on unlabelled issue closes.
+    if: contains(github.event.issue.labels.*.name, 'incident')
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.DEVAUDIT_USER_TOKEN || github.token }}
+
+      - name: Compute paths
+        id: paths
+        env:
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          OUT="compliance/governance/incident-report-${ISSUE_NUMBER}.md"
+          BRANCH="chore/incident-export-${ISSUE_NUMBER}"
+          echo "out=${OUT}" >> "$GITHUB_OUTPUT"
+          echo "branch=${BRANCH}" >> "$GITHUB_OUTPUT"
+
+      - name: Export issue to markdown
+        env:
+          GH_TOKEN: ${{ github.token }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          OUT: ${{ steps.paths.outputs.out }}
+        run: |
+          mkdir -p compliance/governance
+          ISSUE_JSON=$(gh issue view "$ISSUE_NUMBER" \
+            --json title,body,labels,author,createdAt,closedAt,comments,url,assignees,number,state)
+          {
+            echo "$ISSUE_JSON" | jq -r '
+              "---",
+              ("title: " + (.title | @json)),
+              ("incident_id: \"INC-" + (.createdAt[:10] | gsub("-";"")) + "-" + (.number|tostring) + "\""),
+              ("severity: \"REPLACE — low | medium | high | critical\""),
+              ("detected_at: " + (.createdAt | @json)),
+              ("resolved_at: " + (.closedAt | @json)),
+              ("involves_personal_data: \"REPLACE — true | false\""),
+              ("reported_to_supervisory_authority: \"REPLACE — true | false | n/a\""),
+              ("notification_window_72h: \"REPLACE — within | outside | n/a\""),
+              ("last_reviewed_at: " + (.closedAt[:10] | @json)),
+              ("source_issue: " + (.url | @json)),
+              ("source_issue_number: " + (.number|tostring)),
+              "---",
+              "",
+              "> ℹ️ Auto-exported by Incident Export workflow on issue close.",
+              "> The narrative below is the original issue body + comments.",
+              "> **Operator must replace the REPLACE markers in the frontmatter and",
+              "> in the GDPR triage / sign-off sections before this PR merges** —",
+              "> a personal-data triage decision is load-bearing; an auto-generated",
+              "> answer is not defensible. Auditors will reject auto-generated",
+              "> stubs without human attestation.",
+              "",
+              "# Incident Report — " + .title,
+              "",
+              "**Framework coverage:**",
+              "",
+              "- `ISO29119.3.5.4` (Test incident report)",
+              "- `SOC2.CC7.2` (System monitoring and incident response)",
+              "- `GDPR.Art-33` (Notification of a personal data breach to the supervisory authority — 72h)",
+              "- `GDPR.Art-34` (Communication of a personal data breach to the data subject)",
+              "",
+              "**Source:** [#" + (.number|tostring) + "](" + .url + ")  ",
+              "**Detected:** " + .createdAt + "  ",
+              "**Closed:** " + .closedAt + "  ",
+              "**Reporter:** @" + .author.login + "  ",
+              "**Assignees:** " + (if .assignees == [] then "_unassigned_" else (.assignees | map("@" + .login) | join(", ")) end) + "  ",
+              "**Labels:** " + (.labels | map("`" + .name + "`") | join(", ")),
+              "",
+              "## 1. Personal data scope (GDPR triage) — REPLACE",
+              "",
+              "| Question | Answer |",
+              "| --- | --- |",
+              "| Did the incident involve personal data? | REPLACE — Y / N |",
+              "| If Y: estimated number of data subjects affected | REPLACE |",
+              "| If Y: categories of personal data involved | REPLACE |",
+              "| If Y: likely consequences for data subjects | REPLACE |",
+              "| Notify supervisory authority (Art. 33)? | REPLACE — required if Y and risk to rights/freedoms |",
+              "| Notify data subjects (Art. 34)? | REPLACE — required if high risk to rights/freedoms |",
+              "| 72-hour notification window | REPLACE — within / outside / n/a |",
+              "",
+              "## 2. Narrative (from the GitHub issue)",
+              "",
+              .body,
+              "",
+              "## 3. Timeline (from issue comments)"
+            '
+            echo ""
+            # Comments — one section each, ordered by createdAt.
+            echo "$ISSUE_JSON" | jq -r '
+              .comments | sort_by(.createdAt) | .[] |
+              "### " + .createdAt + " — @" + .author.login + "\n\n" + .body + "\n"
+            '
+            cat <<'TAIL'
+
+          ## 4. Sign-off — REPLACE
+
+          | Role                                | Name    | Date    |
+          | ----------------------------------- | ------- | ------- |
+          | Incident Commander                  | REPLACE | REPLACE |
+          | Engineering lead                    | REPLACE | REPLACE |
+          | DPO (if personal data involved)     | REPLACE | REPLACE |
+          | Security lead                       | REPLACE | REPLACE |
+
+          ---
+
+          _Source: auto-exported by `.github/workflows/incident-export.yml` when the originating issue was closed._
+          TAIL
+          } > "$OUT"
+          echo "Wrote $OUT"
+
+      - name: Open export PR
+        env:
+          GH_TOKEN: ${{ secrets.DEVAUDIT_USER_TOKEN || github.token }}
+          BRANCH: ${{ steps.paths.outputs.branch }}
+          OUT: ${{ steps.paths.outputs.out }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+        run: |
+          git config user.name 'devaudit-bot'
+          git config user.email 'devaudit-bot@users.noreply.github.com'
+          git fetch origin develop
+          git checkout -B "${BRANCH}" origin/develop
+          git add "$OUT"
+          if git diff --cached --quiet; then
+            echo "No change — already exported."
+            exit 0
+          fi
+          git commit -m "chore(compliance): export incident #${ISSUE_NUMBER}" -m "Auto-exported by Incident Export workflow." -m "" -m "Source: ${ISSUE_URL}" -m "" -m "REPLACE markers in the GDPR triage + Sign-off sections require human attestation before this PR can merge."
+          git push --force-with-lease origin "${BRANCH}"
+          EXISTING=$(gh pr list --head "${BRANCH}" --json number --jq '.[0].number' || true)
+          if [ -z "$EXISTING" ]; then
+            gh pr create --base develop --head "${BRANCH}" \
+              --title "chore(compliance): export incident #${ISSUE_NUMBER}" \
+              --body "Auto-exported by the \`Incident Export\` workflow when issue [#${ISSUE_NUMBER}](${ISSUE_URL}) was closed with label \`incident\`.\n\n**Required before merge:**\n- [ ] Replace \`REPLACE — …\` markers in the **GDPR triage** section (personal-data Y/N decision is load-bearing)\n- [ ] Fill in **severity** in the frontmatter\n- [ ] Add reviewer sign-off (IC, Eng lead, DPO if PII, Security lead)\n- [ ] If 72h window applies and we're outside it, document the delay explicitly\n\nSee [\`compliance/governance/incident-report.md\`](compliance/governance/incident-report.md) (the v0.1.30 starter) and [\`DevAudit-Installer/docs/governance-templates.md\`](https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/governance-templates.md#gdpr--eu-general-data-protection-regulation-2016679) for guidance.\n\nCloses (for this incident) \`ISO29119.3.5.4\` + \`SOC2.CC7.2\`; \`GDPR.Art-33\` + \`Art-34\` close once the triage section is filled in."
+          else
+            echo "PR #${EXISTING} already open for this incident — branch updated in place."
+          fi