@metasession.co/devaudit-cli 0.1.32 → 0.1.33
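--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@metasession.co/devaudit-cli",
-"version": "0.1.
+"version": "0.1.33",
 "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
 "type": "module",
 "bin": {
@@ -33,7 +33,7 @@
 },
 "dependencies": {
 "@clack/prompts": "^0.8.2",
-"@metasession.co/devaudit-plugin-sdk": "^0.1.
+"@metasession.co/devaudit-plugin-sdk": "^0.1.33",
 "commander": "^12.1.0",
 "consola": "^3.2.3",
 "env-paths": "^3.0.0",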
@@ -186,6 +186,38 @@ jobs:
|
|
|
186
186
|
upload_governance compliance/incident-report.md incident_report
|
|
187
187
|
upload_governance compliance/governance/incident-report.md incident_report
|
|
188
188
|
|
|
189
|
+
# ── Audit-log export (DevAudit-Installer#98 WS2) ──────────────
|
|
190
|
+
# Snapshot the portal's audit log for the rolling 90-day window
|
|
191
|
+
# and upload as `evidence_type=audit_log`. Closes three
|
|
192
|
+
# framework-coverage clauses on every release:
|
|
193
|
+
# - ISO27001.A.8.16 — Monitoring activities
|
|
194
|
+
# - EUAIA.Art-12 — Record-keeping (automatic logging)
|
|
195
|
+
# - GDPR.Art-32 — Security of processing (audit-log half)
|
|
196
|
+
#
|
|
197
|
+
# The portal endpoint defaults to the last 90 days when no
|
|
198
|
+
# `since`/`until` query params are passed; omit them so the
|
|
199
|
+
# consumer side stays zero-config. Endpoint shipped in
|
|
200
|
+
# META-COMPLY PR #413; project-scoped API key (uploader role)
|
|
201
|
+
# already has read access via `resolveCiUploadAuth`.
|
|
202
|
+
AUDIT_LOG_FILE="$(mktemp -t audit-log-XXXXXX.json)"
|
|
203
|
+
if curl -sSf -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
|
|
204
|
+
"${DEVAUDIT_BASE_URL%/}/api/ci/projects/{{PROJECT_SLUG}}/audit-log/export" \
|
|
205
|
+
-o "$AUDIT_LOG_FILE"; then
|
|
206
|
+
echo "Uploading: audit-log.json (audit_log — 90-day window)"
|
|
207
|
+
bash scripts/upload-evidence.sh \
|
|
208
|
+
{{PROJECT_SLUG}} _compliance-docs audit_log "$AUDIT_LOG_FILE" \
|
|
209
|
+
--category compliance_document ${FLAGS} --release "${DERIVED_RELEASE}" \
|
|
210
|
+
"${DERIVED_META[@]}" \
|
|
211
|
+
|| echo "Warning: Failed to upload audit-log.json"
|
|
212
|
+
else
|
|
213
|
+
# Soft-fail: an export hiccup shouldn't break the rest of the
|
|
214
|
+
# evidence pipeline. Surfaces as a warning in the workflow log;
|
|
215
|
+
# the framework-coverage panel will show MISSING for the three
|
|
216
|
+
# clauses above until the next successful upload.
|
|
217
|
+
echo "::warning::Audit-log export failed — endpoint unreachable or 4xx/5xx. Three framework-coverage clauses (ISO27001.A.8.16, EUAIA.Art-12, GDPR.Art-32 audit-log half) will stay MISSING until the next run."
|
|
218
|
+
fi
|
|
219
|
+
rm -f "$AUDIT_LOG_FILE"
|
|
220
|
+
|
|
189
221
|
# Helper: emit a `--release-title …` `--change-type …` pair for a given
|
|
190
222
|
# REQ, derived from its pending release-ticket H1 and the most recent
|
|
191
223
|
# commit attributed to that REQ. Empty pair when neither is available.
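Review bot: The `if curl -sSf … -o "$AUDIT_LOG_FILE"; then` branch treats any 2xx response as a successful export, so an empty or non-JSON body is uploaded as `audit_log` evidence and, going by the comment above it, presumably clears the three coverage clauses with a blank file; gate the upload on the body as well, e.g. `-o "$AUDIT_LOG_FILE" && [ -s "$AUDIT_LOG_FILE" ]; then`. The bearer token is also passed on curl's command line, where it sits in the runner's process table for anything else on the host to read even if the workflow log masks it; `-H @hdrfile` or `--config` keeps it out of argv (the existing upload script may have the same trait, but it is not visible here). Without `--max-time` the export can stall the job indefinitely if the endpoint hangs, which the soft-fail comment does not cover. The enclosing `run:` step starts before this hunk, and its `jobs:` context suggests it belongs to a workflow template rather than the package.json header this page shows for it.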
|