@metasession.co/devaudit-cli 0.1.37 → 0.1.39

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.37",
+  "version": "0.1.39",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.37",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.39",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/SKILLS.md

@@ -93,10 +93,11 @@ node scripts/validate-adapter.cjs sdlc/files/_common/skills/<name>/SKILL.md
 
 ## Skills currently shipped
 
-| Skill               | Location          | Triggers (paraphrased)                                                                                                       | Additional emissions                             |
-| ------------------- | ----------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| `e2e-test-engineer` | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues" | `e2e/helpers/evidence.ts` (node-stack consumers) |
-| `sdlc-implementer`  | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX" | — (orchestrator; invokes `e2e-test-engineer`)    |
+| Skill                   | Location          | Triggers (paraphrased)                                                                                                                                                                                  | Additional emissions                                                              |
+| ----------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
+| `e2e-test-engineer`     | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues"                                                                            | `e2e/helpers/evidence.ts` + `evidence-shot-core.ts` (node-stack consumers)        |
+| `sdlc-implementer`      | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX"                                                                            | — (orchestrator; invokes `e2e-test-engineer` + `governance-doc-author`)           |
+| `governance-doc-author` | `_common/skills/` | "create / refresh the RoPA", "write a DPIA", "update the AI disclosure", "set up the periodic review schedule", "GDPR.Art-30 is MISSING on the matrix" (v0.1.37+)                                       | `references/incident-classification.md` (shared with `e2e-test-engineer`)         |
 
 `sdlc-implementer` is the **default entry point for a tracked change** — an **orchestration skill** that drives Claude Code's native tools (`gh`, shell, `devaudit` CLI, portal API) through the full 5-stage flow against a single GitHub issue, pausing only at the UAT-review gate (and at the plan checkpoint for HIGH/CRITICAL risk). It is synced into every consumer (`.claude/skills/sdlc-implementer/`) by `devaudit update`. It replaces an earlier roadmap of five atomic skills (`risk-classifier`, `commit-message-author`, `compliance-evidence-author`, `sast-triager`, `release-ticket-author`) that were deprioritised — Claude Code's innate capabilities already cover what those atomic skills wrapped; the value-add is end-to-end orchestration with framework-compliant pauses, not five discoverable helpers a human still has to compose.
 

package/sdlc/ai-rules/INSTRUCTIONS-SDLC.md

@@ -58,7 +58,7 @@ Read `SDLC/1-plan-requirement.md` for full details. Summary:
 2. Get next REQ ID: `grep -oP 'REQ-\d+' compliance/RTM.md | sort -t- -k2 -n | tail -1`
 3. Classify risk (use issue labels as input): LOW (internal, no auth) / MEDIUM (PII, user-facing, APIs) / HIGH (security, payments, RBAC). AI involvement raises risk by one level.
 4. Add to `compliance/RTM.md` Part B: `| REQ-XXX | #NNN | [RISK] | compliance/evidence/REQ-XXX/ | DRAFT | -- | -- |`
-5. **MEDIUM/HIGH risk:** Create `compliance/evidence/REQ-XXX/implementation-plan.md` — document approach, files, architecture decisions. **WAIT CHECKPOINT:** Present the plan to the developer. Do NOT proceed until approved.
+5. **MEDIUM/HIGH risk:** Create `compliance/evidence/REQ-XXX/implementation-plan.md` from `SDLC/Implementation_Plan_TEMPLATE.md` (synced from the framework in v0.1.37+). The template's shape is load-bearing — it carries the `## Framework attribution` section that closes **ISO 29119 §3.4** (test plan), **ISO 27001 A.8.25** (secure SDLC), **GDPR Art. 25** (data protection by design), and **EU AI Act Art. 11** (technical documentation). Don't delete sections — mark with `N/A — <reason>` if a clause genuinely doesn't apply. **WAIT CHECKPOINT:** Present the plan to the developer. Do NOT proceed until approved.
 6. Create `compliance/evidence/REQ-XXX/test-scope.md` with acceptance criteria (derived from the implementation plan for MEDIUM/HIGH).
 7. **WAIT CHECKPOINT:** Present the test scope to the developer. Do NOT proceed until confirmed.
 8. Create `compliance/evidence/REQ-XXX/test-plan.md` — map acceptance criteria to specific tests, list tests to add/update/remove. Distinguish unit tests (TDD, before implementation) from E2E tests (after implementation).

package/sdlc/files/_common/governance/ai-disclosure.md.template

@@ -22,10 +22,10 @@ risk_class: "REPLACE — minimal | limited | high | unacceptable"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/ai-disclosure.md`
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `ai_disclosure` evidence.
-- **Verify after merge:** open `/projects/<slug>/compliance`. The **EU AI Act Art. 13** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** every 180 days, or whenever an AI tool / model / prompt-class is added or materially changed. Source data: git `Co-Authored-By: Claude` trailers + CI usage logs + per-REQ implementation-plan §5.
+- **File path:** `compliance/governance/ai-disclosure.md` (kept in-repo for review; CI does NOT upload it).
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `ai_disclosure`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `EUAIA.Art-13` renders an `Upload ai-disclosure.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance`. The **EU AI Act Art. 13** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** every 180 days, or whenever an AI tool / model / prompt-class is added or materially changed. The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale). Source data for each refresh: git `Co-Authored-By: Claude` trailers + CI usage logs + per-REQ implementation-plan §5.
 
 ## Framework checklist — EU AI Act Art. 13
 

package/sdlc/files/_common/governance/dpia.md.template

@@ -22,10 +22,10 @@ risk_level: "REPLACE — low | medium | high"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/dpia.md` (or `dpia-<reqid>.md` for a per-REQ DPIA tied to a HIGH-risk requirement)
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `dpia` evidence.
-- **Verify after merge:** open `/projects/<slug>/compliance`. The **GDPR Art. 35** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** annually (365 days), or sooner whenever the assessed processing materially changes (new data category, new recipient, new automated-decision path).
+- **File path:** `compliance/governance/dpia.md` (or `dpia-<reqid>.md` for a per-REQ DPIA tied to a HIGH-risk requirement). Kept in-repo for review; CI does NOT upload it.
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `dpia`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `GDPR.Art-35` renders an `Upload dpia.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance`. The **GDPR Art. 35** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** annually (365 days), or sooner whenever the assessed processing materially changes (new data category, new recipient, new automated-decision path). The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale).
 
 ## Framework checklist — GDPR Art. 35
 

package/sdlc/files/_common/governance/ropa.md.template

@@ -20,10 +20,10 @@ processing_activities: []
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/ropa.md`
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, the `compliance-evidence.yml` workflow uploads this file as `ropa` evidence via the `upload_governance` helper.
-- **Verify after merge:** open `/projects/<slug>/compliance` on the DevAudit portal. The **GDPR Art. 30** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** annually (365 days). The portal flags the clause as `expired` once the most-recent ropa upload is older than that window.
+- **File path:** `compliance/governance/ropa.md` (kept in-repo for review; CI does NOT upload it).
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `ropa`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `GDPR.Art-30` renders an `Upload ropa.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance` on the DevAudit portal. The **GDPR Art. 30** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** annually (365 days). The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale).
 
 ## Framework checklist — GDPR Art. 30
 

package/sdlc/files/_common/skills/governance-doc-author/SKILL.md

@@ -7,13 +7,13 @@ description: Author or refresh one of the project's governance documents — RoP
 
 Author or refresh a single governance document so it correctly closes the framework clauses it's meant to satisfy. Five document classes covered:
 
-| Document | File | Closes |
-|---|---|---|
-| **RoPA** | `compliance/governance/ropa.md` | `GDPR.Art-30` |
-| **DPIA** | `compliance/governance/dpia.md` (or `dpia-<reqid>.md`) | `GDPR.Art-35` |
-| **AI Use Disclosure** | `compliance/governance/ai-disclosure.md` | `EUAIA.Art-13` |
-| **Periodic Security Review Schedule** | `SDLC/Periodic_Security_Review_Schedule.md` *(Tier 2, uploaded as `compliance_document` via the portal Upload form)* | `ISO27001.A.12.1` (the schedule itself; the quarterly runs close `ISO27001.A.12.1` + `SOC2.CC4.1` via `periodic_review` evidence — see Phase 6) |
-| **Incident Report (project-level template)** | `compliance/governance/incident-report.md` | `ISO29119.3.5.4` baseline; conditionals via [[incident-classification]] |
+| Document | Tier | File | Upload path | Closes |
+|---|---|---|---|---|
+| **RoPA** | 2 | `compliance/governance/ropa.md` | **Portal Upload form** (type `ropa`) — CI does NOT auto-upload since v0.1.39 | `GDPR.Art-30` |
+| **DPIA** | 2 | `compliance/governance/dpia.md` (or `dpia-<reqid>.md`) | **Portal Upload form** (type `dpia`) — CI does NOT auto-upload since v0.1.39 | `GDPR.Art-35` |
+| **AI Use Disclosure** | 2 | `compliance/governance/ai-disclosure.md` | **Portal Upload form** (type `ai_disclosure`) — CI does NOT auto-upload since v0.1.39 | `EUAIA.Art-13` |
+| **Periodic Security Review Schedule** | 2 | `SDLC/Periodic_Security_Review_Schedule.md` | **Portal Upload form** (type `compliance_document`) | `ISO27001.A.12.1` schedule expectation (quarterly runs close it via `periodic_review` evidence — see Phase 6) |
+| **Incident Report (project-level template)** | 3 | `compliance/governance/incident-report.md` | **CI auto-upload** via `compliance-evidence.yml` | `ISO29119.3.5.4` baseline; conditionals via [[incident-classification]] |
 
 Each doc has a starter template under `sdlc/files/_common/governance/*.md.template` (installed on demand via `devaudit bootstrap-governance` since v0.1.36). This skill does NOT regenerate the template — it walks the operator through *filling it in* against the project's actual state.
 
@@ -23,7 +23,7 @@ Each doc has a starter template under `sdlc/files/_common/governance/*.md.templa
 - Authoring or refreshing one (or more) of the five governance docs above.
 - Gathering source data from the codebase / CI runs / git history.
 - Confirming framework attribution before commit.
-- Driving the commit + push → CI auto-upload → portal verification loop.
+- Driving the commit + push → portal upload (manual for Tier 1/2, CI auto for Tier 3) → portal verification loop.
 
 **Out of scope**
 - Incident response itself — that path is the `e2e-test-engineer` skill's defect-filing flow plus `incident-export.yml` on issue close.
@@ -104,10 +104,15 @@ If any required section is still stub, **do not commit**. Surface the gap in the
 
 ### Phase 5 — Commit + verify
 
+Tier 1/2 docs (RoPA, DPIA, AI Disclosure, Periodic Security Review Schedule) and Tier 3 per-event docs (Incident Report template) take different upload paths since DevAudit-Installer v0.1.39. The skill must drive the right one based on which doc Phase 0 routed to.
+
 1. Show the operator the diff. Confirm before committing (per the **Confirm before destructive or public actions** principle).
 2. Commit with a conventional-commit message: `compliance(governance): refresh <doc> for <reason>` — e.g. `compliance(governance): refresh ropa.md — annual review 2026-Q2`.
-3. Push to the current working branch. Surface the path: "next `git push` to `develop` → `compliance-evidence.yml` auto-uploads as `<evidence_type>`, closing `<framework_clause>` within ~2 minutes."
-4. Suggest the operator open `/projects/<slug>/compliance` on the portal post-merge to verify the clause flipped MISSING → COVERED.
+3. Push to the current working branch.
+4. Drive upload based on doc class:
+   - **Tier 1/2 (RoPA, DPIA, AI Disclosure, Periodic Security Review Schedule)** — CI does NOT upload these. Direct the operator to the portal Upload Evidence form at `/projects/<slug>/upload`. Surface the exact evidence type to select (`ropa` / `dpia` / `ai_disclosure` / `compliance_document` respectively) and remind them: "the matrix MISSING row for the corresponding clause renders an `Upload <filename> →` deep-link that pre-fills the form."
+   - **Tier 3 (Incident Report template, plus per-event `periodic-review.md` and `incident-report-<n>.md`)** — CI auto-uploads via `compliance-evidence.yml`. Surface: "next `git push` to `develop` → `compliance-evidence.yml` auto-uploads as `<evidence_type>`, closing `<framework_clause>` within ~2 minutes."
+5. Suggest the operator open `/projects/<slug>/compliance` on the portal post-upload to verify the clause flipped MISSING → COVERED. For docs with freshness windows (365d for RoPA / DPIA / Test_Policy / Test_Strategy / AGENT / INSTRUCTIONS; 180d for AI Disclosure) the matrix renders an inline `Expires YYYY-MM-DD` label — confirm it reads the expected date for the upload.
 
 ### Phase 6 — Special case: the Periodic Review Schedule vs the quarterly review itself
 

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -156,13 +156,17 @@ jobs:
               || echo "Warning: Failed to upload test-summary-report.md"
           fi
 
-          # Project-level governance docs (devaudit#370 Phase 3a). When the
-          # operator commits any of these markdown files, upload with the
-          # precise evidence_type so the portal's framework-coverage matrix
-          # auto-closes the matching clauses (GDPR.Art-30 for ropa, GDPR.Art-35
-          # for dpia, EUAIA.Art-13 for ai_disclosure, SOC2.CC4.1 + ISO27001.A.12.1
-          # for periodic_review, etc.). Each path is optional — skipped silently
-          # when the file is absent.
+          # Tier 3 per-event governance docs (devaudit#370 Phase 3a, narrowed
+          # in v0.1.39). Only periodic-review and incident-report are CI-uploaded
+          # — both are auto-generated by other workflows (periodic-review by the
+          # quarterly cron, incident-report by the incident-export workflow).
+          #
+          # Tier 1/2 governance docs (Test_Policy, AGENT, INSTRUCTIONS,
+          # Test_Strategy, Test_Architecture, Periodic_Security_Review_Schedule,
+          # ROPA, DPIA, AI Disclosure) are operator-uploaded via the portal
+          # Upload Evidence form. CI auto-upload was removed because placeholder
+          # starter content was landing as canonical evidence; the portal form
+          # ensures the operator reviews each refresh before it counts.
           upload_governance() {
             local FILE="$1" TYPE="$2"
             if [ ! -f "$FILE" ]; then return 0; fi
@@ -175,12 +179,6 @@ jobs:
           }
           # Recognise governance docs at top-level OR under compliance/governance/
           # (operator's choice — both layouts are common).
-          upload_governance compliance/ropa.md             ropa
-          upload_governance compliance/governance/ropa.md  ropa
-          upload_governance compliance/dpia.md             dpia
-          upload_governance compliance/governance/dpia.md  dpia
-          upload_governance compliance/ai-disclosure.md             ai_disclosure
-          upload_governance compliance/governance/ai-disclosure.md  ai_disclosure
           upload_governance compliance/periodic-review.md             periodic_review
           upload_governance compliance/governance/periodic-review.md  periodic_review
           upload_governance compliance/incident-report.md             incident_report

package/sdlc/files/ci/periodic-review.yml.template

@@ -218,54 +218,62 @@ jobs:
             # consumer's portal base URL — fall back to the SDLC docs when
             # DEVAUDIT_BASE_URL isn't set in the workflow env.
             BASE="${DEVAUDIT_BASE_URL:-https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/governance-templates.md}"
-            PR_BODY=$(cat <<PRBODY
-Auto-generated quarterly periodic-review for **${REVIEW_ID}** by the \`Periodic Review\` workflow.
-
-## What auto-filled (~40%)
-
-- Review-period metrics: releases shipped, gate pass rate, SAST + dependency findings, audit-log volume, open issues
-- Frontmatter (\`review_id\`, period dates, generated_at)
-- Section 2 control-area headers wired to the right framework clauses
-
-## What still needs the operator (~60%)
-
-Each item below corresponds to a section of the doc. **Tick the box once the section is non-stub** — leaving REPLACE markers in place will fail audit review and the merge bar.
-
-### §3 Review notes
-- [ ] Qualitative observations on the review period (≥2 sentences; no \`REPLACE\` text remaining)
-- [ ] Cross-reference any incidents from this period (\`compliance/governance/incident-report-*.md\`)
-
-### §4 Control-effectiveness judgement
-*Closes \`SOC2.CC4.1\` + \`ISO27001.A.12.1\` only when ALL control areas have a non-stub judgement.*
-
-- [ ] Access control (ISO 27001 A.5.15) — effective / partially / not + 1-line evidence
-- [ ] Secure SDLC (ISO 27001 A.8.25) — judgement + evidence
-- [ ] Secure coding (ISO 27001 A.8.28) — judgement + evidence (SAST + dep-audit pass rate)
-- [ ] Security testing (ISO 27001 A.8.29) — judgement + evidence (E2E pass rate)
-- [ ] Change management (ISO 27001 A.8.32 + SOC 2 CC8.1) — judgement + evidence (four-eyes approvals count)
-- [ ] Monitoring activities (ISO 27001 A.8.16 + EU AI Act Art. 12) — judgement + evidence (audit-log volume / coverage)
-
-### §5 Follow-up actions
-- [ ] Each material finding → owner → due date (or "none for this period" stated explicitly)
-- [ ] Carry-over actions from last quarter's review → status updated
-
-### §6 Sign-off
-- [ ] Reviewer name + date (must be different from the actor who made code changes that the review is judging)
-- [ ] Approver name + date (when \`risk_tier\` is medium or higher — dual-actor required)
-
-## Closes once merged
-
-- \`SOC2.CC4.1\` (Monitoring of internal controls)
-- \`ISO27001.A.12.1\` (Operational procedures and responsibilities)
-
-Verify at \`${BASE}/projects/<slug>/compliance\` after the PR-merge push lands on develop — both clauses should flip MISSING → COVERED within ~2 minutes. Stays COVERED for 365 days (portal's \`freshnessDays\`), then flips to EXPIRED until the next quarterly review.
-
-See [\`docs/governance-templates.md\`](https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/governance-templates.md#soc-2--trust-services-criteria) for full guidance.
-PRBODY
-)
+            # Assemble the PR body via printf to a temp file. We avoided
+            # a heredoc here because <<PRBODY preserves leading whitespace
+            # literally — and any body line at YAML column 1 breaks the
+            # surrounding `run: |` block scalar (prettier-yaml fails with
+            # "collection cannot be both a mapping and a sequence").
+            # printf '%s\n' …list of lines… keeps every line inside the
+            # block scalar's indentation discipline.
+            PR_BODY_FILE=$(mktemp)
+            printf '%s\n' \
+              "Auto-generated quarterly periodic-review for **${REVIEW_ID}** by the \`Periodic Review\` workflow." \
+              "" \
+              "## What auto-filled (~40%)" \
+              "" \
+              "- Review-period metrics: releases shipped, gate pass rate, SAST + dependency findings, audit-log volume, open issues" \
+              "- Frontmatter (\`review_id\`, period dates, generated_at)" \
+              "- Section 2 control-area headers wired to the right framework clauses" \
+              "" \
+              "## What still needs the operator (~60%)" \
+              "" \
+              "Each item below corresponds to a section of the doc. **Tick the box once the section is non-stub** — leaving REPLACE markers in place will fail audit review and the merge bar." \
+              "" \
+              "### §3 Review notes" \
+              "- [ ] Qualitative observations on the review period (≥2 sentences; no \`REPLACE\` text remaining)" \
+              "- [ ] Cross-reference any incidents from this period (\`compliance/governance/incident-report-*.md\`)" \
+              "" \
+              "### §4 Control-effectiveness judgement" \
+              "*Closes \`SOC2.CC4.1\` + \`ISO27001.A.12.1\` only when ALL control areas have a non-stub judgement.*" \
+              "" \
+              "- [ ] Access control (ISO 27001 A.5.15) — effective / partially / not + 1-line evidence" \
+              "- [ ] Secure SDLC (ISO 27001 A.8.25) — judgement + evidence" \
+              "- [ ] Secure coding (ISO 27001 A.8.28) — judgement + evidence (SAST + dep-audit pass rate)" \
+              "- [ ] Security testing (ISO 27001 A.8.29) — judgement + evidence (E2E pass rate)" \
+              "- [ ] Change management (ISO 27001 A.8.32 + SOC 2 CC8.1) — judgement + evidence (four-eyes approvals count)" \
+              "- [ ] Monitoring activities (ISO 27001 A.8.16 + EU AI Act Art. 12) — judgement + evidence (audit-log volume / coverage)" \
+              "" \
+              "### §5 Follow-up actions" \
+              "- [ ] Each material finding → owner → due date (or \"none for this period\" stated explicitly)" \
+              "- [ ] Carry-over actions from last quarter's review → status updated" \
+              "" \
+              "### §6 Sign-off" \
+              "- [ ] Reviewer name + date (must be different from the actor who made code changes that the review is judging)" \
+              "- [ ] Approver name + date (when \`risk_tier\` is medium or higher — dual-actor required)" \
+              "" \
+              "## Closes once merged" \
+              "" \
+              "- \`SOC2.CC4.1\` (Monitoring of internal controls)" \
+              "- \`ISO27001.A.12.1\` (Operational procedures and responsibilities)" \
+              "" \
+              "Verify at \`${BASE}/projects/<slug>/compliance\` after the PR-merge push lands on develop — both clauses should flip MISSING → COVERED within ~2 minutes. Stays COVERED for 365 days (portal's \`freshnessDays\`), then flips to EXPIRED until the next quarterly review." \
+              "" \
+              "See [\`docs/governance-templates.md\`](https://github.com/metasession-dev/DevAudit-Installer/blob/main/docs/governance-templates.md#soc-2--trust-services-criteria) for full guidance." \
+              > "$PR_BODY_FILE"
             gh pr create --base develop --head "${BRANCH}" \
               --title "chore(compliance): periodic review ${REVIEW_ID}" \
-              --body "$PR_BODY"
+              --body-file "$PR_BODY_FILE"
+            rm -f "$PR_BODY_FILE"
           else
             echo "PR #${EXISTING} already open for this period — branch updated in place."
           fi