@metasession.co/devaudit-cli 0.1.3 → 0.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.3",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.4",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/scripts/validate-compliance-artifacts.sh

@@ -19,14 +19,25 @@ echo "=== Compliance Artifact Validation ==="
 echo "Comparing: $BASE_BRANCH...HEAD"
 echo ""
 
-# Extract REQ-XXX references from commits in this PR.
+# Extract the requirement(s) THIS PR implements — from the commit subject
+# tag `[REQ-XXX]` and the `Ref: REQ-XXX` trailer only, NOT from arbitrary
+# prose in commit bodies. A mention like "target close: REQ-002" or
+# "prereq for REQ-034" is a forward-reference, not a requirement under
+# change; scraping the whole body (%B) made CI demand evidence dirs for
+# work that hasn't started (DevAudit: META-JOBS tracker, REQ-002 false
+# positive). The RTM-row guard below is a secondary safety net.
 #
-# Requires ≥3 digits so placeholder patterns like `REQ-0XX` (used in
-# commit-body templates referring to a batch of sub-REQs) don't create
-# phantom IDs that block CI — the loose `\d+` would match `REQ-0` from
-# `REQ-0XX` and then ERROR on a missing evidence dir for the phantom
-# `REQ-0`. The project's stable id format is REQ-001 onwards (#232).
-REQUIREMENTS=$(git log "$BASE_BRANCH"..HEAD --format='%B' | grep -oP 'REQ-\d{3,}' | sort -u || true)
+# Requires ≥3 digits so placeholder patterns like `REQ-0XX` don't create
+# phantom IDs. The project's stable id format is REQ-001 onwards (#232).
+PR_MSGS=$(git log "$BASE_BRANCH"..HEAD --format='%B' || true)
+REQUIREMENTS=$(
+  {
+    # Subject/anywhere tag, e.g. `feat: [REQ-001] …`
+    printf '%s\n' "$PR_MSGS" | grep -oP '\[\KREQ-\d{3,}(?=\])' || true
+    # `Ref:` line (may list several, e.g. `Ref: REQ-001, REQ-003`)
+    printf '%s\n' "$PR_MSGS" | grep -iP '^\s*Ref:' | grep -oP 'REQ-\d{3,}' || true
+  } | sort -u
+)
 
 if [ -z "$REQUIREMENTS" ]; then
   echo "No REQ-XXX references found in PR commits — skipping artifact validation."

package/sdlc/files/_common/scripts/validate-compliance-artifacts.test.sh

@@ -195,6 +195,33 @@ assert_grep "no missing-test ERROR" 'ERROR: Test file referenced in test-plan.md
 assert_exit "validator exits 0 with depth-2 bare-filename reference" 0
 cd "$WORKDIR"
 
+# --- case 6: a future REQ mentioned only in commit prose is ignored ---
+# Regression for the META-JOBS REQ-002 false positive: scraping the whole
+# commit body pulled in `REQ-002` from "target close: REQ-002" and then
+# ERRORed on its missing evidence dir even though REQ-002 hadn't started.
+# Only `[REQ-XXX]` subject tags and `Ref:` lines count as under-change.
+echo "Case 6: future REQ mentioned only in prose is not validated"
+make_fixture "$WORKDIR/case6" "Implements the access-control boundary.
+
+Dependency advisories accepted under R-001; target close: REQ-002.
+
+Ref: REQ-001"
+# REQ-002 HAS an RTM row (the trap) but no evidence dir; REQ-001 is the real
+# Ref but has no RTM row, so it INFO-skips. Old code would ERROR on REQ-002.
+{
+  echo '# RTM'
+  echo
+  echo '| ID | Description | Status |'
+  echo '| --- | --- | --- |'
+  echo '| REQ-002 | Dependency hardening (not started) | PLANNED |'
+} > compliance/RTM.md
+git add . && git commit -q -m "chore: seed RTM with future REQ-002 row"
+run_validator
+assert_grep "REQ-002 not pulled in from prose" 'Requirements found in PR commits:.*REQ-002' 0
+assert_grep "no evidence-dir ERROR for prose-only REQ-002" 'ERROR: Evidence directory missing.*REQ-002' 0
+assert_exit "validator exits 0 when future REQ is only prose-mentioned" 0
+cd "$WORKDIR"
+
 # --- summary ---
 
 echo