@metasession.co/devaudit-cli 0.1.38 → 0.1.40

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.38",
+  "version": "0.1.40",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.38",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.40",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/SKILLS.md

@@ -93,10 +93,11 @@ node scripts/validate-adapter.cjs sdlc/files/_common/skills/<name>/SKILL.md
 
 ## Skills currently shipped
 
-| Skill               | Location          | Triggers (paraphrased)                                                                                                       | Additional emissions                             |
-| ------------------- | ----------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| `e2e-test-engineer` | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues" | `e2e/helpers/evidence.ts` (node-stack consumers) |
-| `sdlc-implementer`  | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX" | — (orchestrator; invokes `e2e-test-engineer`)    |
+| Skill                   | Location          | Triggers (paraphrased)                                                                                                                                                                                  | Additional emissions                                                              |
+| ----------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
+| `e2e-test-engineer`     | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues"                                                                            | `e2e/helpers/evidence.ts` + `evidence-shot-core.ts` (node-stack consumers)        |
+| `sdlc-implementer`      | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX"                                                                            | — (orchestrator; invokes `e2e-test-engineer` + `governance-doc-author`)           |
+| `governance-doc-author` | `_common/skills/` | "create / refresh the RoPA", "write a DPIA", "update the AI disclosure", "set up the periodic review schedule", "GDPR.Art-30 is MISSING on the matrix" (v0.1.37+)                                       | `references/incident-classification.md` (shared with `e2e-test-engineer`)         |
 
 `sdlc-implementer` is the **default entry point for a tracked change** — an **orchestration skill** that drives Claude Code's native tools (`gh`, shell, `devaudit` CLI, portal API) through the full 5-stage flow against a single GitHub issue, pausing only at the UAT-review gate (and at the plan checkpoint for HIGH/CRITICAL risk). It is synced into every consumer (`.claude/skills/sdlc-implementer/`) by `devaudit update`. It replaces an earlier roadmap of five atomic skills (`risk-classifier`, `commit-message-author`, `compliance-evidence-author`, `sast-triager`, `release-ticket-author`) that were deprioritised — Claude Code's innate capabilities already cover what those atomic skills wrapped; the value-add is end-to-end orchestration with framework-compliant pauses, not five discoverable helpers a human still has to compose.
 

package/sdlc/ai-rules/INSTRUCTIONS-SDLC.md

@@ -58,7 +58,7 @@ Read `SDLC/1-plan-requirement.md` for full details. Summary:
 2. Get next REQ ID: `grep -oP 'REQ-\d+' compliance/RTM.md | sort -t- -k2 -n | tail -1`
 3. Classify risk (use issue labels as input): LOW (internal, no auth) / MEDIUM (PII, user-facing, APIs) / HIGH (security, payments, RBAC). AI involvement raises risk by one level.
 4. Add to `compliance/RTM.md` Part B: `| REQ-XXX | #NNN | [RISK] | compliance/evidence/REQ-XXX/ | DRAFT | -- | -- |`
-5. **MEDIUM/HIGH risk:** Create `compliance/evidence/REQ-XXX/implementation-plan.md` — document approach, files, architecture decisions. **WAIT CHECKPOINT:** Present the plan to the developer. Do NOT proceed until approved.
+5. **MEDIUM/HIGH risk:** Create `compliance/evidence/REQ-XXX/implementation-plan.md` from `SDLC/Implementation_Plan_TEMPLATE.md` (synced from the framework in v0.1.37+). The template's shape is load-bearing — it carries the `## Framework attribution` section that closes **ISO 29119 §3.4** (test plan), **ISO 27001 A.8.25** (secure SDLC), **GDPR Art. 25** (data protection by design), and **EU AI Act Art. 11** (technical documentation). Don't delete sections — mark with `N/A — <reason>` if a clause genuinely doesn't apply. **WAIT CHECKPOINT:** Present the plan to the developer. Do NOT proceed until approved.
 6. Create `compliance/evidence/REQ-XXX/test-scope.md` with acceptance criteria (derived from the implementation plan for MEDIUM/HIGH).
 7. **WAIT CHECKPOINT:** Present the test scope to the developer. Do NOT proceed until confirmed.
 8. Create `compliance/evidence/REQ-XXX/test-plan.md` — map acceptance criteria to specific tests, list tests to add/update/remove. Distinguish unit tests (TDD, before implementation) from E2E tests (after implementation).

package/sdlc/files/_common/governance/ai-disclosure.md.template

@@ -22,10 +22,10 @@ risk_class: "REPLACE — minimal | limited | high | unacceptable"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/ai-disclosure.md`
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `ai_disclosure` evidence.
-- **Verify after merge:** open `/projects/<slug>/compliance`. The **EU AI Act Art. 13** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** every 180 days, or whenever an AI tool / model / prompt-class is added or materially changed. Source data: git `Co-Authored-By: Claude` trailers + CI usage logs + per-REQ implementation-plan §5.
+- **File path:** `compliance/governance/ai-disclosure.md` (kept in-repo for review; CI does NOT upload it).
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `ai_disclosure`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `EUAIA.Art-13` renders an `Upload ai-disclosure.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance`. The **EU AI Act Art. 13** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** every 180 days, or whenever an AI tool / model / prompt-class is added or materially changed. The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale). Source data for each refresh: git `Co-Authored-By: Claude` trailers + CI usage logs + per-REQ implementation-plan §5.
 
 ## Framework checklist — EU AI Act Art. 13
 

package/sdlc/files/_common/governance/dpia.md.template

@@ -22,10 +22,10 @@ risk_level: "REPLACE — low | medium | high"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/dpia.md` (or `dpia-<reqid>.md` for a per-REQ DPIA tied to a HIGH-risk requirement)
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `dpia` evidence.
-- **Verify after merge:** open `/projects/<slug>/compliance`. The **GDPR Art. 35** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** annually (365 days), or sooner whenever the assessed processing materially changes (new data category, new recipient, new automated-decision path).
+- **File path:** `compliance/governance/dpia.md` (or `dpia-<reqid>.md` for a per-REQ DPIA tied to a HIGH-risk requirement). Kept in-repo for review; CI does NOT upload it.
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `dpia`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `GDPR.Art-35` renders an `Upload dpia.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance`. The **GDPR Art. 35** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** annually (365 days), or sooner whenever the assessed processing materially changes (new data category, new recipient, new automated-decision path). The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale).
 
 ## Framework checklist — GDPR Art. 35
 

package/sdlc/files/_common/governance/ropa.md.template

@@ -20,10 +20,10 @@ processing_activities: []
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/ropa.md`
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, the `compliance-evidence.yml` workflow uploads this file as `ropa` evidence via the `upload_governance` helper.
-- **Verify after merge:** open `/projects/<slug>/compliance` on the DevAudit portal. The **GDPR Art. 30** clause should flip MISSING → COVERED within ~2 minutes.
-- **Refresh cadence:** annually (365 days). The portal flags the clause as `expired` once the most-recent ropa upload is older than that window.
+- **File path:** `compliance/governance/ropa.md` (kept in-repo for review; CI does NOT upload it).
+- **Upload trigger:** manual via the portal Upload Evidence form at `/projects/<slug>/upload` — select evidence type `ropa`. Tier-2 governance docs are operator-uploaded only since DevAudit-Installer v0.1.39 — the previous CI auto-upload was treating placeholder content as canonical evidence. The matrix MISSING row for `GDPR.Art-30` renders an `Upload ropa.md →` deep-link that pre-fills the form for you.
+- **Verify after upload:** open `/projects/<slug>/compliance` on the DevAudit portal. The **GDPR Art. 30** clause should flip MISSING → COVERED immediately.
+- **Refresh cadence:** annually (365 days). The portal renders an inline `Expires YYYY-MM-DD` on the clause (amber within 30 days, red once stale).
 
 ## Framework checklist — GDPR Art. 30
 

package/sdlc/files/_common/skills/e2e-test-engineer/SKILL.md

@@ -327,7 +327,7 @@ test('AC1: edit dialog opens with fields pre-filled', async ({ page }) => {
 - Call `evidenceShot` **immediately after** the AC-proving assertion, before navigating, closing dialogs, or any further interaction.
 - AC number is a separate argument (`ac: number`) — the helper composes the filename `REQ-XXX-AC<n>-<slug>.png`. The slug describes what the screenshot proves (`edit-dialog-prefilled`), NOT the AC number.
 - Slug is kebab-case lowercase (`[a-z0-9-]+`). Capitalised slugs, underscores, or spaces throw.
-- One screenshot per AC, not per test.
+- One **canonical** screenshot per AC; additional stage screenshots are tier-gated — see *Screenshot density per spec role* below.
 - Failure forensics stays untouched (`screenshot: 'only-on-failure'` + `trace: 'on-first-retry'`).
 
 The helper is shipped automatically into `e2e/helpers/evidence.ts` by the SDLC sync (node-stack consumers). Output lands at `compliance/evidence/<REQ-ID>/screenshots/REQ-XXX-AC<n>-<slug>.png` — commit these PNGs as part of the evidence pack so reviewers can corroborate the test-plan AC mapping.
@@ -336,6 +336,43 @@ The helper also writes a sidecar `<filename>.meta.json` containing the AC mappin
 
 The canonical helper source lives at `references/evidence.ts` in this skill.
 
+### Screenshot density per spec role
+
+The number of `evidenceShot` calls per spec should scale to the spec's role:
+
+- **While the spec is a feature artefact** (newly authored on the branch, before merge to develop): capture multiple stages — every meaningful transition or state the AC documents. The dense evidence is what reviewers use to verify the AC was met end-to-end during the feature cycle.
+- **Once the spec joins the regression pack** (post-merge, `git diff --diff-filter=A` no longer matches it): capture only the canonical "this still works" anchor per AC. Re-running the dense journey on every regression cycle is noise and inflates CI artefact storage with little signal.
+
+The `EvidenceShotOrigin` signal (`'feature' | 'regression'`) auto-detects from `E2E_NEW_SPECS`. Mark stage screenshots with `{ tier: 'feature' }`; the helper auto-suppresses them on regression runs. The canonical anchor uses the default tier (`'always'`).
+
+```ts
+test('AC7: stock dial completes the transition', async ({ page }) => {
+  // Stage screenshots — fire while the spec is a feature artefact;
+  // auto-suppress once it graduates into the regression pack.
+  await openStockDial(page, item.id);
+  await evidenceShot(page, 'REQ-066', 7, 'dial-open',  { tier: 'feature' });
+  await advanceDial(page);
+  await evidenceShot(page, 'REQ-066', 7, 'in-progress', { tier: 'feature' });
+
+  // Canonical anchor — always fires (default tier: 'always').
+  // This is the artefact every future regression run re-captures as
+  // proof the AC still holds.
+  await expect(dial.getByRole('status')).toHaveText('Completed');
+  await evidenceShot(page, 'REQ-066', 7, 'completed');
+});
+```
+
+A reasonable default per AC:
+
+- 1× canonical "completed / final state" shot (tier `'always'`).
+- 1–3× stage shots covering the meaningful intermediate transitions (tier `'feature'`).
+
+When to deviate:
+
+- **Single-shot ACs** (one assertion that's its own proof — e.g. *"the form submits and returns to the list"*) need only the canonical anchor. Don't manufacture stages just to hit the 1–3 band.
+- **Long flows** (>3 meaningful transitions) keep all stages tier `'feature'`. The post-merge regression run still has the canonical anchor to corroborate the AC; the dense journey is on the feature PR for reviewers and in the audit-pack download for that release forever.
+- **Reviewer pushback that evidence feels thin** (single-shot per AC across a HIGH-risk REQ) almost always means tier `'feature'` stages are missing — add them on the feature branch where they actually fire, not after.
+
 ---
 
 ## Principles

package/sdlc/files/_common/skills/e2e-test-engineer/references/evidence-shot-core.ts

@@ -7,6 +7,23 @@
 
 export type EvidenceShotOrigin = 'feature' | 'regression';
 
+/**
+ * Capture density tier. Lets spec authors mark intermediate-state
+ * screenshots that only matter while the spec is being authored on a
+ * feature branch — once the spec joins the regression pack, those
+ * become noise and inflate CI artefact storage.
+ *
+ * - `'always'` (default) — capture on every run. Use for the canonical
+ *   "this still works" anchor per AC; the artefact reviewers rely on
+ *   to corroborate the test-plan mapping across every release.
+ * - `'feature'` — capture only when the spec's origin is `feature`
+ *   (i.e. the spec was added on the current branch per
+ *   `E2E_NEW_SPECS`). Auto-suppressed once the spec graduates into
+ *   the regression pack. Use for stage screenshots covering meaningful
+ *   intermediate transitions reviewers want during the feature cycle.
+ */
+export type EvidenceShotTier = 'always' | 'feature';
+
 export interface EvidenceShotSidecar {
   readonly origin: EvidenceShotOrigin;
   readonly reqId: string;
@@ -16,6 +33,20 @@ export interface EvidenceShotSidecar {
   readonly capturedAt: string;
 }
 
+/**
+ * Pure decision: should the capture be suppressed?
+ *
+ * The only suppression case is `tier='feature'` × `origin='regression'`
+ * — a stage screenshot whose spec has graduated into the regression
+ * pack. Every other (tier, origin) combination captures.
+ */
+export function shouldSuppressEvidenceShot(
+  tier: EvidenceShotTier,
+  origin: EvidenceShotOrigin,
+): boolean {
+  return tier === 'feature' && origin === 'regression';
+}
+
 const REQ_ID_RE = /^REQ-[A-Z0-9-]+$/;
 const SLUG_RE = /^[a-z0-9-]+$/;
 

package/sdlc/files/_common/skills/e2e-test-engineer/references/evidence.ts

@@ -4,12 +4,14 @@ import { test, type Page } from '@playwright/test';
 import {
   autoDetectEvidenceShotOrigin,
   composeScreenshotFilename,
+  shouldSuppressEvidenceShot,
   validateEvidenceShotInputs,
   type EvidenceShotOrigin,
   type EvidenceShotSidecar,
+  type EvidenceShotTier,
 } from './evidence-shot-core';
 
-export type { EvidenceShotOrigin };
+export type { EvidenceShotOrigin, EvidenceShotTier };
 
 export interface EvidenceShotOptions {
   /** Capture the full page rather than the viewport. Default: true. */
@@ -21,6 +23,14 @@ export interface EvidenceShotOptions {
    * the calling spec's file appears in that list, else `regression`.
    */
   readonly origin?: EvidenceShotOrigin;
+  /**
+   * Capture density tier. Default: `'always'`. Set to `'feature'` for
+   * intermediate-state screenshots that should only fire while the
+   * spec is on a feature branch — they auto-suppress once the spec
+   * graduates into the regression pack. See the SKILL.md "Screenshot
+   * density per spec role" section for the density policy.
+   */
+  readonly tier?: EvidenceShotTier;
 }
 
 /**
@@ -59,15 +69,15 @@ export async function evidenceShot(
   opts: EvidenceShotOptions = {},
 ): Promise<void> {
   validateEvidenceShotInputs(reqId, ac, slug);
+  const tier: EvidenceShotTier = opts.tier ?? 'always';
+  const specFile = resolveSpecFile();
+  const origin = opts.origin ?? autoDetectEvidenceShotOrigin(specFile, process.env.E2E_NEW_SPECS);
+  if (shouldSuppressEvidenceShot(tier, origin)) return;
   const fileName = composeScreenshotFilename(reqId, ac, slug);
   const dir = path.join(process.cwd(), 'compliance/evidence', reqId, 'screenshots');
   const pngPath = path.join(dir, fileName);
   const sidecarPath = `${pngPath}.meta.json`;
-
   await page.screenshot({ path: pngPath, fullPage: opts.fullPage ?? true });
-
-  const specFile = resolveSpecFile();
-  const origin = opts.origin ?? autoDetectEvidenceShotOrigin(specFile, process.env.E2E_NEW_SPECS);
   const sidecar: EvidenceShotSidecar = {
     origin,
     reqId,

package/sdlc/files/_common/skills/governance-doc-author/SKILL.md

@@ -7,13 +7,13 @@ description: Author or refresh one of the project's governance documents — RoP
 
 Author or refresh a single governance document so it correctly closes the framework clauses it's meant to satisfy. Five document classes covered:
 
-| Document | File | Closes |
-|---|---|---|
-| **RoPA** | `compliance/governance/ropa.md` | `GDPR.Art-30` |
-| **DPIA** | `compliance/governance/dpia.md` (or `dpia-<reqid>.md`) | `GDPR.Art-35` |
-| **AI Use Disclosure** | `compliance/governance/ai-disclosure.md` | `EUAIA.Art-13` |
-| **Periodic Security Review Schedule** | `SDLC/Periodic_Security_Review_Schedule.md` *(Tier 2, uploaded as `compliance_document` via the portal Upload form)* | `ISO27001.A.12.1` (the schedule itself; the quarterly runs close `ISO27001.A.12.1` + `SOC2.CC4.1` via `periodic_review` evidence — see Phase 6) |
-| **Incident Report (project-level template)** | `compliance/governance/incident-report.md` | `ISO29119.3.5.4` baseline; conditionals via [[incident-classification]] |
+| Document | Tier | File | Upload path | Closes |
+|---|---|---|---|---|
+| **RoPA** | 2 | `compliance/governance/ropa.md` | **Portal Upload form** (type `ropa`) — CI does NOT auto-upload since v0.1.39 | `GDPR.Art-30` |
+| **DPIA** | 2 | `compliance/governance/dpia.md` (or `dpia-<reqid>.md`) | **Portal Upload form** (type `dpia`) — CI does NOT auto-upload since v0.1.39 | `GDPR.Art-35` |
+| **AI Use Disclosure** | 2 | `compliance/governance/ai-disclosure.md` | **Portal Upload form** (type `ai_disclosure`) — CI does NOT auto-upload since v0.1.39 | `EUAIA.Art-13` |
+| **Periodic Security Review Schedule** | 2 | `SDLC/Periodic_Security_Review_Schedule.md` | **Portal Upload form** (type `compliance_document`) | `ISO27001.A.12.1` schedule expectation (quarterly runs close it via `periodic_review` evidence — see Phase 6) |
+| **Incident Report (project-level template)** | 3 | `compliance/governance/incident-report.md` | **CI auto-upload** via `compliance-evidence.yml` | `ISO29119.3.5.4` baseline; conditionals via [[incident-classification]] |
 
 Each doc has a starter template under `sdlc/files/_common/governance/*.md.template` (installed on demand via `devaudit bootstrap-governance` since v0.1.36). This skill does NOT regenerate the template — it walks the operator through *filling it in* against the project's actual state.
 
@@ -23,7 +23,7 @@ Each doc has a starter template under `sdlc/files/_common/governance/*.md.templa
 - Authoring or refreshing one (or more) of the five governance docs above.
 - Gathering source data from the codebase / CI runs / git history.
 - Confirming framework attribution before commit.
-- Driving the commit + push → CI auto-upload → portal verification loop.
+- Driving the commit + push → portal upload (manual for Tier 1/2, CI auto for Tier 3) → portal verification loop.
 
 **Out of scope**
 - Incident response itself — that path is the `e2e-test-engineer` skill's defect-filing flow plus `incident-export.yml` on issue close.
@@ -104,10 +104,15 @@ If any required section is still stub, **do not commit**. Surface the gap in the
 
 ### Phase 5 — Commit + verify
 
+Tier 1/2 docs (RoPA, DPIA, AI Disclosure, Periodic Security Review Schedule) and Tier 3 per-event docs (Incident Report template) take different upload paths since DevAudit-Installer v0.1.39. The skill must drive the right one based on which doc Phase 0 routed to.
+
 1. Show the operator the diff. Confirm before committing (per the **Confirm before destructive or public actions** principle).
 2. Commit with a conventional-commit message: `compliance(governance): refresh <doc> for <reason>` — e.g. `compliance(governance): refresh ropa.md — annual review 2026-Q2`.
-3. Push to the current working branch. Surface the path: "next `git push` to `develop` → `compliance-evidence.yml` auto-uploads as `<evidence_type>`, closing `<framework_clause>` within ~2 minutes."
-4. Suggest the operator open `/projects/<slug>/compliance` on the portal post-merge to verify the clause flipped MISSING → COVERED.
+3. Push to the current working branch.
+4. Drive upload based on doc class:
+   - **Tier 1/2 (RoPA, DPIA, AI Disclosure, Periodic Security Review Schedule)** — CI does NOT upload these. Direct the operator to the portal Upload Evidence form at `/projects/<slug>/upload`. Surface the exact evidence type to select (`ropa` / `dpia` / `ai_disclosure` / `compliance_document` respectively) and remind them: "the matrix MISSING row for the corresponding clause renders an `Upload <filename> →` deep-link that pre-fills the form."
+   - **Tier 3 (Incident Report template, plus per-event `periodic-review.md` and `incident-report-<n>.md`)** — CI auto-uploads via `compliance-evidence.yml`. Surface: "next `git push` to `develop` → `compliance-evidence.yml` auto-uploads as `<evidence_type>`, closing `<framework_clause>` within ~2 minutes."
+5. Suggest the operator open `/projects/<slug>/compliance` on the portal post-upload to verify the clause flipped MISSING → COVERED. For docs with freshness windows (365d for RoPA / DPIA / Test_Policy / Test_Strategy / AGENT / INSTRUCTIONS; 180d for AI Disclosure) the matrix renders an inline `Expires YYYY-MM-DD` label — confirm it reads the expected date for the upload.
 
 ### Phase 6 — Special case: the Periodic Review Schedule vs the quarterly review itself
 

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -156,13 +156,17 @@ jobs:
               || echo "Warning: Failed to upload test-summary-report.md"
           fi
 
-          # Project-level governance docs (devaudit#370 Phase 3a). When the
-          # operator commits any of these markdown files, upload with the
-          # precise evidence_type so the portal's framework-coverage matrix
-          # auto-closes the matching clauses (GDPR.Art-30 for ropa, GDPR.Art-35
-          # for dpia, EUAIA.Art-13 for ai_disclosure, SOC2.CC4.1 + ISO27001.A.12.1
-          # for periodic_review, etc.). Each path is optional — skipped silently
-          # when the file is absent.
+          # Tier 3 per-event governance docs (devaudit#370 Phase 3a, narrowed
+          # in v0.1.39). Only periodic-review and incident-report are CI-uploaded
+          # — both are auto-generated by other workflows (periodic-review by the
+          # quarterly cron, incident-report by the incident-export workflow).
+          #
+          # Tier 1/2 governance docs (Test_Policy, AGENT, INSTRUCTIONS,
+          # Test_Strategy, Test_Architecture, Periodic_Security_Review_Schedule,
+          # ROPA, DPIA, AI Disclosure) are operator-uploaded via the portal
+          # Upload Evidence form. CI auto-upload was removed because placeholder
+          # starter content was landing as canonical evidence; the portal form
+          # ensures the operator reviews each refresh before it counts.
           upload_governance() {
             local FILE="$1" TYPE="$2"
             if [ ! -f "$FILE" ]; then return 0; fi
@@ -175,12 +179,6 @@ jobs:
           }
           # Recognise governance docs at top-level OR under compliance/governance/
           # (operator's choice — both layouts are common).
-          upload_governance compliance/ropa.md             ropa
-          upload_governance compliance/governance/ropa.md  ropa
-          upload_governance compliance/dpia.md             dpia
-          upload_governance compliance/governance/dpia.md  dpia
-          upload_governance compliance/ai-disclosure.md             ai_disclosure
-          upload_governance compliance/governance/ai-disclosure.md  ai_disclosure
           upload_governance compliance/periodic-review.md             periodic_review
           upload_governance compliance/governance/periodic-review.md  periodic_review
           upload_governance compliance/incident-report.md             incident_report