npm - @metasession.co/devaudit-cli - Versions diffs - 0.1.3 → 0.1.5 - Mend

@metasession.co/devaudit-cli 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.3",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.5",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/scripts/derive-release-version.sh CHANGED Viewed

@@ -10,7 +10,9 @@
 #   2. Ref in commit body:        "Ref: REQ-037"                 -> REQ-037
 #   3. Fallback:                  bare date                      -> v2026.05.17
 #
-# Multi-REQ commits: first match wins; subject takes priority over body.
+# The id is taken from the bracketed subject tag or the `Ref:` line only —
+# NOT from arbitrary REQ mentions in prose (e.g. a body line "target close:
+# REQ-002" must not win over "Ref: REQ-001"). Subject takes priority over body.
 # Output: single line on stdout. Exit 0 in all normal cases.
 #
 # This ties a release record (project_id, version) to the feature the
@@ -24,15 +26,17 @@ set -euo pipefail
 SUBJECT=$(git log -1 --format='%s' 2>/dev/null || echo '')
 BODY=$(git log -1 --format='%b' 2>/dev/null || echo '')
-# 1. Subject: [REQ-XXX]
+# 1. Subject: [REQ-XXX] — the bracketed tag only, not other REQ mentions.
 if echo "$SUBJECT" | grep -qE '\[REQ-[0-9]+\]'; then
-  echo "$SUBJECT" | grep -oE 'REQ-[0-9]+' | head -1
+  echo "$SUBJECT" | grep -oE '\[REQ-[0-9]+\]' | head -1 | grep -oE 'REQ-[0-9]+'
   exit 0
 fi
-# 2. Body: Ref: REQ-XXX (case-insensitive on "Ref" and "REQ")
+# 2. Body: the id on the `Ref:` line only (case-insensitive on "Ref"/"REQ").
+# Scoping to the Ref: line prevents a prose mention earlier in the body
+# (e.g. "target close: REQ-002") from being picked over the real ref.
 if echo "$BODY" | grep -qiE 'Ref:[[:space:]]*REQ-[0-9]+'; then
-  echo "$BODY" | grep -ioE 'REQ-[0-9]+' | head -1 | tr '[:lower:]' '[:upper:]'
+  echo "$BODY" | grep -ioE 'Ref:[[:space:]]*REQ-[0-9]+' | head -1 | grep -oiE 'REQ-[0-9]+' | tr '[:lower:]' '[:upper:]'
   exit 0
 fi

package/sdlc/files/_common/scripts/derive-release-version.test.sh CHANGED Viewed

@@ -90,6 +90,17 @@ assert_eq "subject overrides body conflict -> REQ-037" "REQ-037" "$(run_helper)"
 make_fixture "$WORK/c6" "chore: bump deps"
 assert_eq "no tag -> bare date $TODAY" "$TODAY" "$(run_helper)"
+# Case 7: a prose REQ mention earlier in the body must NOT beat the Ref:
+# line. Regression for the META-JOBS misattribution where "target close:
+# REQ-002" caused gate evidence to land on a REQ-002 release instead of
+# the real Ref: REQ-001.
+make_fixture "$WORK/c7" "chore(sdlc): accept dep advisories
+Dependency advisories accepted under R-001; target close: REQ-002.
+Ref: REQ-001"
+assert_eq "prose REQ-002 before Ref: REQ-001 -> REQ-001" "REQ-001" "$(run_helper)"
 echo ""
 echo "=== Summary: $PASS pass / $FAIL fail ==="

package/sdlc/files/_common/scripts/validate-compliance-artifacts.sh CHANGED Viewed

@@ -19,14 +19,25 @@ echo "=== Compliance Artifact Validation ==="
 echo "Comparing: $BASE_BRANCH...HEAD"
 echo ""
-# Extract REQ-XXX references from commits in this PR.
+# Extract the requirement(s) THIS PR implements — from the commit subject
+# tag `[REQ-XXX]` and the `Ref: REQ-XXX` trailer only, NOT from arbitrary
+# prose in commit bodies. A mention like "target close: REQ-002" or
+# "prereq for REQ-034" is a forward-reference, not a requirement under
+# change; scraping the whole body (%B) made CI demand evidence dirs for
+# work that hasn't started (DevAudit: META-JOBS tracker, REQ-002 false
+# positive). The RTM-row guard below is a secondary safety net.
 #
-# Requires ≥3 digits so placeholder patterns like `REQ-0XX` (used in
-# commit-body templates referring to a batch of sub-REQs) don't create
-# phantom IDs that block CI — the loose `\d+` would match `REQ-0` from
-# `REQ-0XX` and then ERROR on a missing evidence dir for the phantom
-# `REQ-0`. The project's stable id format is REQ-001 onwards (#232).
-REQUIREMENTS=$(git log "$BASE_BRANCH"..HEAD --format='%B' | grep -oP 'REQ-\d{3,}' | sort -u || true)
+# Requires ≥3 digits so placeholder patterns like `REQ-0XX` don't create
+# phantom IDs. The project's stable id format is REQ-001 onwards (#232).
+PR_MSGS=$(git log "$BASE_BRANCH"..HEAD --format='%B' || true)
+REQUIREMENTS=$(
+  {
+    # Subject/anywhere tag, e.g. `feat: [REQ-001] …`
+    printf '%s\n' "$PR_MSGS" | grep -oP '\[\KREQ-\d{3,}(?=\])' || true
+    # `Ref:` line (may list several, e.g. `Ref: REQ-001, REQ-003`)
+    printf '%s\n' "$PR_MSGS" | grep -iP '^\s*Ref:' | grep -oP 'REQ-\d{3,}' || true
+  } | sort -u
+)
 if [ -z "$REQUIREMENTS" ]; then
   echo "No REQ-XXX references found in PR commits — skipping artifact validation."

package/sdlc/files/_common/scripts/validate-compliance-artifacts.test.sh CHANGED Viewed

@@ -195,6 +195,33 @@ assert_grep "no missing-test ERROR" 'ERROR: Test file referenced in test-plan.md
 assert_exit "validator exits 0 with depth-2 bare-filename reference" 0
 cd "$WORKDIR"
+# --- case 6: a future REQ mentioned only in commit prose is ignored ---
+# Regression for the META-JOBS REQ-002 false positive: scraping the whole
+# commit body pulled in `REQ-002` from "target close: REQ-002" and then
+# ERRORed on its missing evidence dir even though REQ-002 hadn't started.
+# Only `[REQ-XXX]` subject tags and `Ref:` lines count as under-change.
+echo "Case 6: future REQ mentioned only in prose is not validated"
+make_fixture "$WORKDIR/case6" "Implements the access-control boundary.
+Dependency advisories accepted under R-001; target close: REQ-002.
+Ref: REQ-001"
+# REQ-002 HAS an RTM row (the trap) but no evidence dir; REQ-001 is the real
+# Ref but has no RTM row, so it INFO-skips. Old code would ERROR on REQ-002.
+{
+  echo '# RTM'
+  echo
+  echo '| ID | Description | Status |'
+  echo '| --- | --- | --- |'
+  echo '| REQ-002 | Dependency hardening (not started) | PLANNED |'
+} > compliance/RTM.md
+git add . && git commit -q -m "chore: seed RTM with future REQ-002 row"
+run_validator
+assert_grep "REQ-002 not pulled in from prose" 'Requirements found in PR commits:.*REQ-002' 0
+assert_grep "no evidence-dir ERROR for prose-only REQ-002" 'ERROR: Evidence directory missing.*REQ-002' 0
+assert_exit "validator exits 0 when future REQ is only prose-mentioned" 0
+cd "$WORKDIR"
 # --- summary ---
 echo