@metasession.co/devaudit-cli 0.1.31 → 0.1.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.31",
+  "version": "0.1.33",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.31",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.33",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/3-compile-evidence.md

@@ -29,7 +29,7 @@ description: Compile test, security, and AI evidence, update RTM, create release
 | `compliance/evidence/REQ-XXX/test-scope.md` | Git | Planning artifact, reviewed in PRs |
 | `compliance/evidence/REQ-XXX/implementation-plan.md` | Git | Design decisions artifact (MEDIUM/HIGH risk), reviewed in PRs |
 | `compliance/evidence/REQ-XXX/test-plan.md` | Git | Test strategy — tests to add/update/remove, mapped to criteria |
-| `compliance/evidence/REQ-XXX/test-execution-summary.md` | Git | Gate results, test changes, coverage against test plan |
+| `compliance/evidence/REQ-XXX/test-execution-summary.md` | Git | Gate results, test changes, coverage against test plan. **ISO 29119-3 §3.5.6 Test Completion Report for THIS release** — uploaded as `evidence_type=test_report` since v0.1.32, satisfying the portal's Test Reports gate with fresh per-release evidence. |
 | `compliance/evidence/REQ-XXX/ai-use-note.md` | Git | Small markdown, needs PR review |
 | `compliance/evidence/REQ-XXX/ai-prompts.md` | Git | Small markdown, needs PR review |
 | `compliance/evidence/REQ-XXX/security-summary.md` | Git | Small markdown, needs PR review |

package/sdlc/files/ci/ci.yml.template

@@ -430,17 +430,18 @@ jobs:
               --category test_report ${FLAGS}
           fi
 
-          # Upload test summary report — precise evidence_type=test_report
-          # (was compliance_document). The portal's Compliance Gates panel
-          # filters by evidence_type, so the markdown summary belongs in the
-          # Test Reports gate alongside playwright-report.zip + coverage
-          # summary. Markdown renders inline (MarkdownRenderer); auditor
-          # reads pass/fail counts + narrative without downloading the zip.
-          # devaudit#370 follow-up.
+          # Upload project-level Test Summary Report as a baseline
+          # `compliance_document`. As of v0.1.32 this is NOT a per-release
+          # gate artefact — the Test Reports gate is satisfied by the
+          # per-REQ `test-execution-summary.md` uploaded by
+          # compliance-evidence.yml (carries fresh release-specific data).
+          # The project-level TSR remains useful as Documents-tab baseline
+          # describing the project's testing posture but no longer poses
+          # as per-release test evidence. See DevAudit-Installer#101.
           if [ -f "compliance/test-summary-report.md" ]; then
             upload test-summary-report.md \
-              {{PROJECT_SLUG}} _compliance-docs test_report compliance/test-summary-report.md \
-              --category test_report ${FLAGS}
+              {{PROJECT_SLUG}} _compliance-docs compliance_document compliance/test-summary-report.md \
+              --category planning ${FLAGS}
           fi
 
           # Upload per-AC e2e evidence screenshots, scoped to each in-scope

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -138,15 +138,20 @@ jobs:
             fi
           done
 
-          # Test summary report — precise evidence_type=test_report so it
-          # lands in the portal's Test Reports gate (rendered inline by the
-          # MarkdownRenderer). devaudit#370 follow-up; same change applied
-          # in ci.yml's gate-evidence upload step.
+          # Project-level Test Summary Report — a hand-authored baseline
+          # describing the project's testing posture. As of v0.1.32 this is
+          # uploaded as `compliance_document` (NOT `test_report`) — the
+          # per-release Test Reports gate is now satisfied by the per-REQ
+          # `test-execution-summary.md` uploaded in the in-scope-requirements
+          # loop below, which carries fresh release-specific data. The
+          # project-level TSR continues to ship as a Documents-tab baseline
+          # but no longer poses as per-release test evidence.
+          # See DevAudit-Installer#101.
           if [ -f "compliance/test-summary-report.md" ]; then
-            echo "Uploading: test-summary-report.md (test_report type)"
+            echo "Uploading: test-summary-report.md (compliance_document — baseline)"
             bash scripts/upload-evidence.sh \
-              {{PROJECT_SLUG}} _compliance-docs test_report compliance/test-summary-report.md \
-              --category test_report ${FLAGS} --release "${DERIVED_RELEASE}" \
+              {{PROJECT_SLUG}} _compliance-docs compliance_document compliance/test-summary-report.md \
+              --category planning ${FLAGS} --release "${DERIVED_RELEASE}" \
               "${DERIVED_META[@]}" \
               || echo "Warning: Failed to upload test-summary-report.md"
           fi
@@ -181,6 +186,38 @@ jobs:
           upload_governance compliance/incident-report.md             incident_report
           upload_governance compliance/governance/incident-report.md  incident_report
 
+          # ── Audit-log export (DevAudit-Installer#98 WS2) ──────────────
+          # Snapshot the portal's audit log for the rolling 90-day window
+          # and upload as `evidence_type=audit_log`. Closes three
+          # framework-coverage clauses on every release:
+          #   - ISO27001.A.8.16 — Monitoring activities
+          #   - EUAIA.Art-12   — Record-keeping (automatic logging)
+          #   - GDPR.Art-32    — Security of processing (audit-log half)
+          #
+          # The portal endpoint defaults to the last 90 days when no
+          # `since`/`until` query params are passed; omit them so the
+          # consumer side stays zero-config. Endpoint shipped in
+          # META-COMPLY PR #413; project-scoped API key (uploader role)
+          # already has read access via `resolveCiUploadAuth`.
+          AUDIT_LOG_FILE="$(mktemp -t audit-log-XXXXXX.json)"
+          if curl -sSf -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
+            "${DEVAUDIT_BASE_URL%/}/api/ci/projects/{{PROJECT_SLUG}}/audit-log/export" \
+            -o "$AUDIT_LOG_FILE"; then
+            echo "Uploading: audit-log.json (audit_log — 90-day window)"
+            bash scripts/upload-evidence.sh \
+              {{PROJECT_SLUG}} _compliance-docs audit_log "$AUDIT_LOG_FILE" \
+              --category compliance_document ${FLAGS} --release "${DERIVED_RELEASE}" \
+              "${DERIVED_META[@]}" \
+              || echo "Warning: Failed to upload audit-log.json"
+          else
+            # Soft-fail: an export hiccup shouldn't break the rest of the
+            # evidence pipeline. Surfaces as a warning in the workflow log;
+            # the framework-coverage panel will show MISSING for the three
+            # clauses above until the next successful upload.
+            echo "::warning::Audit-log export failed — endpoint unreachable or 4xx/5xx. Three framework-coverage clauses (ISO27001.A.8.16, EUAIA.Art-12, GDPR.Art-32 audit-log half) will stay MISSING until the next run."
+          fi
+          rm -f "$AUDIT_LOG_FILE"
+
           # Helper: emit a `--release-title …` `--change-type …` pair for a given
           # REQ, derived from its pending release-ticket H1 and the most recent
           # commit attributed to that REQ. Empty pair when neither is available.
@@ -257,12 +294,28 @@ jobs:
               REQ_META_ARGS=$(req_meta_args "$REQ_ID")
               for ARTIFACT in "$REQ_DIR"*.md; do
                 [ -f "$ARTIFACT" ] || continue
-                echo "Uploading: ${REQ_ID}/$(basename "$ARTIFACT")"
+                # Per-REQ test-execution-summary.md is the ISO 29119-3 §3.5.6
+                # Test Completion Report for THIS release cycle (populated by
+                # the e2e-test-engineer skill in Stage 3 — scope, results, AC
+                # mapping, defects). Upload as `test_report` so it satisfies
+                # the portal's Test Reports gate with per-release evidence
+                # instead of the project-level evergreen TSR (which from
+                # v0.1.32 downgrades to `compliance_document`). See
+                # DevAudit-Installer#101.
+                BASENAME=$(basename "$ARTIFACT")
+                if [ "$BASENAME" = "test-execution-summary.md" ] || [ "$BASENAME" = "test-summary-report.md" ]; then
+                  EVTYPE=test_report
+                  EVCAT=test_report
+                else
+                  EVTYPE=compliance_document
+                  EVCAT=planning
+                fi
+                echo "Uploading: ${REQ_ID}/${BASENAME} (${EVTYPE})"
                 eval "bash scripts/upload-evidence.sh \
-                  {{PROJECT_SLUG}} \"${REQ_ID}\" compliance_document \"$ARTIFACT\" \
-                  --category planning ${FLAGS} --release \"${REQ_ID}\" \
+                  {{PROJECT_SLUG}} \"${REQ_ID}\" ${EVTYPE} \"$ARTIFACT\" \
+                  --category ${EVCAT} ${FLAGS} --release \"${REQ_ID}\" \
                   ${REQ_META_ARGS}" \
-                  || echo "Warning: Failed to upload $(basename "$ARTIFACT")"
+                  || echo "Warning: Failed to upload ${BASENAME}"
               done
             done
           fi