@metasession.co/devaudit-cli 0.1.34 → 0.1.36

package/dist/index.js

@@ -55,7 +55,7 @@ function emitJsonResult(payload) {
 
 // package.json
 var package_default = {
-  version: "0.1.34"};
+  version: "0.1.36"};
 
 // src/lib/version.ts
 var CLI_VERSION = package_default.version;
@@ -1047,7 +1047,7 @@ async function runAuthProbe(ctx) {
   const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
   try {
     await client.listProjects();
-    return { step: "1/12 Authenticate", status: "ok", message: `PAT accepted at ${ctx.baseUrl}` };
+    return { step: "1/11 Authenticate", status: "ok", message: `PAT accepted at ${ctx.baseUrl}` };
   } catch (err) {
     if (err instanceof DevAuditApiError && (err.status === 401 || err.status === 403)) {
       throw new Error(
@@ -1102,7 +1102,7 @@ async function detectStack(ctx) {
 }
 function ok(stack, wd) {
   return {
-    step: "2/12 Detect stack",
+    step: "2/11 Detect stack",
     status: "ok",
     message: `stack=${stack} working_directory=${wd} host=railway`,
     data: { stack, workingDirectory: wd, host: "railway" }
@@ -1209,7 +1209,7 @@ var PYTHON_PATHS_IGNORE = [
 async function writeSdlcConfig(ctx, plan) {
   if (ctx.installMode === "developer") {
     return {
-      step: "4/12 Write sdlc-config.json",
+      step: "4/11 Write sdlc-config.json",
       status: "skipped",
       message: "developer mode \u2014 leaving sdlc-config.json untouched (the team config is already on disk from the project operator). Use --force-team-config if you need to refresh wizard-owned fields."
     };
@@ -1263,20 +1263,20 @@ async function writeSdlcConfig(ctx, plan) {
   if (ctx.dryRun) {
     const preserved = existing ? `preserves existing customizations (${Object.keys(existing).filter((k) => !(k in wizardOwned)).length} non-wizard fields)` : "fresh config";
     return {
-      step: "4/12 Write sdlc-config.json",
+      step: "4/11 Write sdlc-config.json",
       status: "planned",
       message: `would write ${outPath} (stack=${plan.stack}, slug=${plan.projectSlug}) \u2014 ${preserved}`
     };
   }
   await promises.writeFile(outPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
-  return { step: "4/12 Write sdlc-config.json", status: "ok", message: `wrote ${outPath}` };
+  return { step: "4/11 Write sdlc-config.json", status: "ok", message: `wrote ${outPath}` };
 }
 
 // src/install/project.ts
 async function findOrCreateProject(ctx, plan) {
   if (ctx.dryRun) {
     return {
-      step: "5/12 Find or create DevAudit project",
+      step: "5/11 Find or create DevAudit project",
       status: "planned",
       message: `would create or find project slug='${plan.projectSlug}' on ${ctx.baseUrl}`
     };
@@ -1286,7 +1286,7 @@ async function findOrCreateProject(ctx, plan) {
   if (existing) {
     plan.projectId = existing.id;
     return {
-      step: "5/12 Find or create DevAudit project",
+      step: "5/11 Find or create DevAudit project",
       status: "ok",
       message: `project '${plan.projectSlug}' already exists (id ${existing.id.slice(0, 8)}\u2026) \u2014 skipping creation`,
       data: { projectId: existing.id, created: false }
@@ -1295,7 +1295,7 @@ async function findOrCreateProject(ctx, plan) {
   const created = await client.createProject(plan.projectSlug, plan.projectSlug);
   plan.projectId = created.id;
   return {
-    step: "5/12 Find or create DevAudit project",
+    step: "5/11 Find or create DevAudit project",
     status: "ok",
     message: `project '${plan.projectSlug}' created (id ${created.id.slice(0, 8)}\u2026)`,
     data: { projectId: created.id, created: true }
@@ -1307,14 +1307,14 @@ var KEY_NAME = "Onboarding-issued";
 async function issueApiKey(ctx, plan) {
   if (ctx.installMode === "developer") {
     return {
-      step: "6/12 Issue project API key",
+      step: "6/11 Issue project API key",
       status: "skipped",
       message: "developer mode \u2014 leaving the project's 'Onboarding-issued' API key untouched (the team key is already configured by the project operator)."
     };
   }
   if (ctx.dryRun) {
     return {
-      step: "6/12 Issue project API key",
+      step: "6/11 Issue project API key",
       status: "planned",
       message: `would issue API key named '${KEY_NAME}' on project '${plan.projectSlug}' (if not already present)`
     };
@@ -1327,7 +1327,7 @@ async function issueApiKey(ctx, plan) {
   const live = existing.find((k) => k.name === KEY_NAME && k.revoked_at === null);
   if (live) {
     return {
-      step: "6/12 Issue project API key",
+      step: "6/11 Issue project API key",
       status: "warn",
       message: `'${KEY_NAME}' API key already exists \u2014 revoke it in the portal and re-run, or set DEVAUDIT_API_KEY manually`
     };
@@ -1335,7 +1335,7 @@ async function issueApiKey(ctx, plan) {
   const issued = await client.issueApiKey(plan.projectId, KEY_NAME);
   plan.apiKey = issued.plainTextKey;
   return {
-    step: "6/12 Issue project API key",
+    step: "6/11 Issue project API key",
     status: "ok",
     message: `issued (will be stored as repo secret DEVAUDIT_API_KEY)`
   };
@@ -1361,7 +1361,7 @@ function buildSkipped(plan) {
 async function setGithubSecrets(ctx, plan, provider) {
   if (ctx.installMode === "developer") {
     return {
-      step: "7/12 Set GitHub secrets and variables",
+      step: "7/11 Set GitHub secrets and variables",
       status: "skipped",
       message: "developer mode \u2014 leaving DEVAUDIT_USER_TOKEN, DEVAUDIT_API_KEY, DEVAUDIT_BASE_URL, and the production-URL secret unchanged. Use --force-team-config to rotate them as the project operator."
     };
@@ -1370,7 +1370,7 @@ async function setGithubSecrets(ctx, plan, provider) {
   if (ctx.dryRun) {
     const summary = operations.map((op) => `${op.kind}:${op.name}`).join(", ");
     return {
-      step: "7/12 Set GitHub secrets and variables",
+      step: "7/11 Set GitHub secrets and variables",
       status: "planned",
       message: `would set ${summary} via ${provider.name} provider`
     };
@@ -1384,7 +1384,7 @@ async function setGithubSecrets(ctx, plan, provider) {
   }
   const skipped = buildSkipped(plan);
   const detail = `${operations.length} item(s) set${skipped.length > 0 ? ` (skipped: ${skipped.join("; ")})` : ""}`;
-  return { step: "7/12 Set GitHub secrets and variables", status: "ok", message: detail };
+  return { step: "7/11 Set GitHub secrets and variables", status: "ok", message: detail };
 }
 async function commandExists(cmd) {
   try {
@@ -1406,7 +1406,7 @@ async function bootstrapHooks(ctx, plan) {
   if (ctx.dryRun) {
     const action = plan.stack === "python" ? "pre-commit install" : "npx husky init";
     return {
-      step: "8/12 Bootstrap hook framework",
+      step: "8/11 Bootstrap hook framework",
       status: "planned",
       message: `would run \`${action}\` in ${ctx.projectPath}`
     };
@@ -1417,29 +1417,29 @@ async function bootstrapHooks(ctx, plan) {
 async function bootstrapPython(ctx) {
   if (!await commandExists("pre-commit")) {
     return {
-      step: "8/12 Bootstrap hook framework",
+      step: "8/11 Bootstrap hook framework",
       status: "warn",
       message: "pre-commit not on PATH \u2014 run `pip install pre-commit && pre-commit install` manually"
     };
   }
   await execa("pre-commit", ["install"], { cwd: ctx.projectPath, stdio: "inherit" });
   await execa("pre-commit", ["install", "--hook-type", "commit-msg"], { cwd: ctx.projectPath, stdio: "inherit" });
-  return { step: "8/12 Bootstrap hook framework", status: "ok", message: "pre-commit hooks installed" };
+  return { step: "8/11 Bootstrap hook framework", status: "ok", message: "pre-commit hooks installed" };
 }
 async function bootstrapNode(ctx) {
   const huskyDir = join(ctx.projectPath, ".husky");
   if (await dirExists(huskyDir)) {
-    return { step: "8/12 Bootstrap hook framework", status: "ok", message: ".husky/ already exists" };
+    return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ already exists" };
   }
   if (!await commandExists("npx")) {
     return {
-      step: "8/12 Bootstrap hook framework",
+      step: "8/11 Bootstrap hook framework",
       status: "warn",
       message: "npx not on PATH \u2014 run `npx husky init` manually"
     };
   }
   await execa("npx", ["husky", "init"], { cwd: ctx.projectPath, stdio: "inherit" });
-  return { step: "8/12 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
+  return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
 }
 
 // src/install/branch-protection.ts
@@ -1451,7 +1451,7 @@ var REQUIRED_CHECKS = [
 async function configureBranchProtection(ctx, provider) {
   if (ctx.installMode === "developer") {
     return {
-      step: "9/12 Configure branch protection",
+      step: "9/11 Configure branch protection",
       status: "skipped",
       message: "developer mode \u2014 leaving branch protection unchanged. Use --force-team-config to re-apply as the project operator."
     };
@@ -1461,7 +1461,7 @@ async function configureBranchProtection(ctx, provider) {
     meta = await provider.getRepoMeta(ctx.projectPath);
   } catch (err) {
     return {
-      step: "9/12 Configure branch protection",
+      step: "9/11 Configure branch protection",
       status: "warn",
       message: `could not resolve git repo (${err.message}) \u2014 configure manually`
     };
@@ -1469,7 +1469,7 @@ async function configureBranchProtection(ctx, provider) {
   const repo = `${meta.owner}/${meta.name}`;
   if (ctx.dryRun) {
     return {
-      step: "9/12 Configure branch protection",
+      step: "9/11 Configure branch protection",
       status: "planned",
       message: `would apply branch protection on ${repo}:${meta.defaultBranch} with checks=${JSON.stringify(REQUIRED_CHECKS)}`
     };
@@ -1477,13 +1477,13 @@ async function configureBranchProtection(ctx, provider) {
   const result = await provider.applyBranchProtection(ctx.projectPath, meta.defaultBranch, REQUIRED_CHECKS);
   if (result.applied) {
     return {
-      step: "9/12 Configure branch protection",
+      step: "9/11 Configure branch protection",
       status: "ok",
       message: `required checks on ${meta.defaultBranch}: ${REQUIRED_CHECKS.join(", ")}`
     };
   }
   return {
-    step: "9/12 Configure branch protection",
+    step: "9/11 Configure branch protection",
     status: "warn",
     message: `${result.message ?? "branch-protection apply failed"} \u2014 configure manually`
   };
@@ -1787,26 +1787,37 @@ async function syncSkills(ctx) {
   }
   return { name: "Claude Code skills", filesSynced: count, message: `${count} synced to .claude/skills/` };
 }
+var HELPER_FILES = ["evidence.ts", "evidence-shot-core.ts"];
 async function syncEvidenceHelper(ctx) {
   if (ctx.stack !== "node") {
     return { name: "E2E evidence helper", filesSynced: 0, skipped: true };
   }
-  const src = join(
+  const srcDir = join(
     ctx.installerRoot,
     "sdlc",
     "files",
     "_common",
     "skills",
     "e2e-test-engineer",
-    "references",
-    "evidence.ts"
+    "references"
   );
-  if (!await exists(src)) {
-    return { name: "E2E evidence helper", filesSynced: 0, skipped: true, message: "source not found" };
+  let copied = 0;
+  const missing = [];
+  for (const fname of HELPER_FILES) {
+    const src = join(srcDir, fname);
+    if (!await exists(src)) {
+      missing.push(fname);
+      continue;
+    }
+    const dst = join(ctx.projectPath, "e2e", "helpers", fname);
+    await copyFile(src, dst);
+    copied += 1;
   }
-  const dst = join(ctx.projectPath, "e2e", "helpers", "evidence.ts");
-  await copyFile(src, dst);
-  return { name: "E2E evidence helper", filesSynced: 1, message: "synced to e2e/helpers/evidence.ts" };
+  if (copied === 0) {
+    return { name: "E2E evidence helper", filesSynced: 0, skipped: true, message: "no sources found" };
+  }
+  const message = missing.length > 0 ? `synced ${copied} to e2e/helpers/ (missing: ${missing.join(", ")})` : `synced to e2e/helpers/ (${HELPER_FILES.join(" + ")})`;
+  return { name: "E2E evidence helper", filesSynced: copied, message };
 }
 
 // src/lib/templates.ts
@@ -1820,14 +1831,20 @@ function substituteTokens(content, tokens) {
 }
 function substituteBlocks(content, blocks) {
   if (Object.keys(blocks).length === 0) return content;
-  Object.keys(blocks).map((k) => `{{${k}}}`);
-  return content.split("\n").map((line) => {
+  const out = [];
+  for (const line of content.split("\n")) {
+    let matched = false;
     for (const [key, replacement] of Object.entries(blocks)) {
       const needle = `{{${key}}}`;
-      if (line.includes(needle)) return replacement;
+      if (line.includes(needle)) {
+        matched = true;
+        if (replacement.length > 0) out.push(replacement);
+        break;
+      }
     }
-    return line;
-  }).join("\n");
+    if (!matched) out.push(line);
+  }
+  return out.join("\n");
 }
 function stripServicesBlock(content) {
   const lines = content.split("\n");
@@ -2128,68 +2145,19 @@ async function syncAll(projectPaths) {
 async function syncTemplates(ctx) {
   if (ctx.dryRun) {
     return {
-      step: "10/12 Sync SDLC templates",
+      step: "10/11 Sync SDLC templates",
       status: "planned",
       message: `would run native syncProject() against ${ctx.projectPath}`
     };
   }
   const report = await syncProject(ctx.projectPath);
   return {
-    step: "10/12 Sync SDLC templates",
+    step: "10/11 Sync SDLC templates",
     status: "ok",
     message: `synced ${report.totalFilesSynced} files across ${report.sections.length} sections`,
     data: { totalFilesSynced: report.totalFilesSynced }
   };
 }
-var STEP = "11/12 Bootstrap governance docs";
-var SOURCE_REL = "sdlc/files/_common/governance";
-var TARGET_REL = "compliance/governance";
-async function bootstrapGovernanceDocs(ctx) {
-  const sourceDir = resolve(ctx.installerRoot, SOURCE_REL);
-  const targetDir = resolve(ctx.projectPath, TARGET_REL);
-  let templates = [];
-  try {
-    templates = (await readdir(sourceDir)).filter((name) => name.endsWith(".md.template")).sort();
-  } catch (err) {
-    return {
-      step: STEP,
-      status: "warn",
-      message: `source directory not found: ${sourceDir} (${err.message})`
-    };
-  }
-  if (templates.length === 0) {
-    return { step: STEP, status: "warn", message: `no .md.template files in ${sourceDir}` };
-  }
-  if (ctx.dryRun) {
-    return {
-      step: STEP,
-      status: "planned",
-      message: `would copy ${templates.length} starter(s) to ${TARGET_REL}/ (skip-if-exists)`,
-      data: { templates: [...templates] }
-    };
-  }
-  await ensureDir(targetDir);
-  const copied = [];
-  const skipped = [];
-  for (const template of templates) {
-    const targetName = template.replace(/\.template$/, "");
-    const targetPath = join(targetDir, targetName);
-    if (await isFile(targetPath)) {
-      skipped.push(targetName);
-      continue;
-    }
-    const body = await readFile(join(sourceDir, template), "utf8");
-    await writeFile(targetPath, body, "utf8");
-    copied.push(targetName);
-  }
-  const detail = skipped.length === 0 ? `${copied.length} starter(s) copied to ${TARGET_REL}/` : `${copied.length} copied, ${skipped.length} kept (already on disk)`;
-  return {
-    step: STEP,
-    status: "ok",
-    message: `${detail} \u2014 STARTERS, edit before production (see docs/governance-templates.md)`,
-    data: { copied, skipped, targetDir: TARGET_REL }
-  };
-}
 
 // src/install/done-report.ts
 function doneReport(ctx, plan) {
@@ -2218,7 +2186,7 @@ function doneReport(ctx, plan) {
       ""
     ];
     return {
-      step: "12/12 Done (developer mode)",
+      step: "11/11 Done (developer mode)",
       status: "ok",
       message: lines2.join("\n"),
       data: { mode: "developer" }
@@ -2245,7 +2213,7 @@ function doneReport(ctx, plan) {
     ""
   ];
   return {
-    step: "12/12 Done",
+    step: "11/11 Done",
     status: "ok",
     message: lines.join("\n"),
     data: { nextBranch: branch, mode: "operator" }
@@ -2297,7 +2265,7 @@ async function runInstall(options) {
     steps.push(await record(log, setGithubSecrets(ctx, plan, providerResolution.provider)));
   } else {
     const skipped = {
-      step: "7/12 Set GitHub secrets and variables",
+      step: "7/11 Set GitHub secrets and variables",
       status: "skipped",
       message: providerResolution.reason ?? "no git provider available"
     };
@@ -2309,7 +2277,7 @@ async function runInstall(options) {
     steps.push(await record(log, configureBranchProtection(ctx, providerResolution.provider)));
   } else {
     const skipped = {
-      step: "9/12 Configure branch protection",
+      step: "9/11 Configure branch protection",
       status: "skipped",
       message: providerResolution.reason ?? "no git provider available"
     };
@@ -2317,7 +2285,6 @@ async function runInstall(options) {
     log.warn(`[${skipped.step}] SKIPPED ${skipped.message}`);
   }
   steps.push(await record(log, syncTemplates(ctx)));
-  steps.push(await record(log, bootstrapGovernanceDocs(ctx)));
   const done = doneReport(ctx, plan);
   steps.push(done);
   log.success(`[${done.step}]`);
@@ -2413,7 +2380,7 @@ async function record(log, p) {
 }
 function planSummary(plan) {
   return {
-    step: "3/12 Configure",
+    step: "3/11 Configure",
     status: "ok",
     message: `slug=${plan.projectSlug} runtime=${plan.runtimeVersion}`,
     data: { ...plan }
@@ -2505,6 +2472,80 @@ async function runUpdate(options) {
   log.log("");
   log.warn("Do NOT auto-commit \u2014 review the changes first.");
 }
+var STEP = "Bootstrap governance docs";
+var SOURCE_REL = "sdlc/files/_common/governance";
+var TARGET_REL = "compliance/governance";
+async function bootstrapGovernanceDocs(ctx) {
+  const sourceDir = resolve(ctx.installerRoot, SOURCE_REL);
+  const targetDir = resolve(ctx.projectPath, TARGET_REL);
+  let templates = [];
+  try {
+    templates = (await readdir(sourceDir)).filter((name) => name.endsWith(".md.template")).sort();
+  } catch (err) {
+    return {
+      step: STEP,
+      status: "warn",
+      message: `source directory not found: ${sourceDir} (${err.message})`
+    };
+  }
+  if (templates.length === 0) {
+    return { step: STEP, status: "warn", message: `no .md.template files in ${sourceDir}` };
+  }
+  if (ctx.dryRun) {
+    return {
+      step: STEP,
+      status: "planned",
+      message: `would copy ${templates.length} starter(s) to ${TARGET_REL}/ (skip-if-exists)`,
+      data: { templates: [...templates] }
+    };
+  }
+  await ensureDir(targetDir);
+  const copied = [];
+  const skipped = [];
+  for (const template of templates) {
+    const targetName = template.replace(/\.template$/, "");
+    const targetPath = join(targetDir, targetName);
+    if (await isFile(targetPath)) {
+      skipped.push(targetName);
+      continue;
+    }
+    const body = await readFile(join(sourceDir, template), "utf8");
+    await writeFile(targetPath, body, "utf8");
+    copied.push(targetName);
+  }
+  const detail = skipped.length === 0 ? `${copied.length} starter(s) copied to ${TARGET_REL}/` : `${copied.length} copied, ${skipped.length} kept (already on disk)`;
+  return {
+    step: STEP,
+    status: "ok",
+    message: `${detail} \u2014 STARTERS, edit before production (see docs/governance-templates.md)`,
+    data: { copied, skipped, targetDir: TARGET_REL }
+  };
+}
+
+// src/commands/bootstrap-governance.ts
+async function runBootstrapGovernance(opts) {
+  const projectPath = resolve(opts.path ?? process.cwd());
+  const installerRoot = await resolveInstallerRoot();
+  const log = logger();
+  const result = await bootstrapGovernanceDocs({
+    projectPath,
+    installerRoot,
+    dryRun: Boolean(opts.dryRun)
+  });
+  if (isJsonMode()) {
+    emitJsonResult(result);
+    return;
+  }
+  if (result.status === "ok") {
+    log.success(`[${result.step}] ${result.message ?? ""}`);
+  } else if (result.status === "warn") {
+    log.warn(`[${result.step}] ${result.message ?? ""}`);
+  } else if (result.status === "planned") {
+    log.info(`[${result.step}] (dry-run) ${result.message ?? ""}`);
+  } else {
+    log.log(`[${result.step}] ${result.message ?? ""}`);
+  }
+}
 
 // src/commands/stub.ts
 function makeStub(info) {
@@ -2764,6 +2805,12 @@ async function main(argv) {
       });
     }
   );
+  program.command("bootstrap-governance [path]").description(
+    "Copy governance starter templates (ropa, dpia, ai-disclosure, periodic-review, incident-report) into compliance/governance/. Opt-in since v0.1.36 \u2014 auto-seed during install was removed because the placeholders auto-uploaded as evidence on first CI push."
+  ).action(async (path, _opts, cmd) => {
+    const opts = cmd?.optsWithGlobals() ?? {};
+    await runBootstrapGovernance({ path, dryRun: opts.dryRun });
+  });
   program.command("doctor").description("Verify the local install: required tools on PATH, auth state, config validity").action(runDoctor);
   program.command("status [path]").description("Show the consumer project's framework state").action(async (path) => {
     await runStatus({ path });