@metasession.co/devaudit-cli 0.1.4 → 0.1.6

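--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@metasession.co/devaudit-cli",
- "version": "0.1.4",
+ "version": "0.1.6",
  "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
  "type": "module",
  "bin": {
@@ -33,7 +33,7 @@
  },
  "dependencies": {
  "@clack/prompts": "^0.8.2",
- "@metasession.co/devaudit-plugin-sdk": "^0.1.4",
+ "@metasession.co/devaudit-plugin-sdk": "^0.1.6",
  "commander": "^12.1.0",
  "consola": "^3.2.3",
  "env-paths": "^3.0.0",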
@@ -10,7 +10,9 @@
10
10
  # 2. Ref in commit body: "Ref: REQ-037" -> REQ-037
11
11
  # 3. Fallback: bare date -> v2026.05.17
12
12
  #
13
- # Multi-REQ commits: first match wins; subject takes priority over body.
13
+ # The id is taken from the bracketed subject tag or the `Ref:` line only —
14
+ # NOT from arbitrary REQ mentions in prose (e.g. a body line "target close:
15
+ # REQ-002" must not win over "Ref: REQ-001"). Subject takes priority over body.
14
16
  # Output: single line on stdout. Exit 0 in all normal cases.
15
17
  #
16
18
  # This ties a release record (project_id, version) to the feature the
@@ -24,15 +26,17 @@ set -euo pipefail
24
26
  SUBJECT=$(git log -1 --format='%s' 2>/dev/null || echo '')
25
27
  BODY=$(git log -1 --format='%b' 2>/dev/null || echo '')
26
28
 
27
- # 1. Subject: [REQ-XXX]
29
+ # 1. Subject: [REQ-XXX] — the bracketed tag only, not other REQ mentions.
28
30
  if echo "$SUBJECT" | grep -qE '\[REQ-[0-9]+\]'; then
29
- echo "$SUBJECT" | grep -oE 'REQ-[0-9]+' | head -1
31
+ echo "$SUBJECT" | grep -oE '\[REQ-[0-9]+\]' | head -1 | grep -oE 'REQ-[0-9]+'
30
32
  exit 0
31
33
  fi
32
34
 
33
- # 2. Body: Ref: REQ-XXX (case-insensitive on "Ref" and "REQ")
35
+ # 2. Body: the id on the `Ref:` line only (case-insensitive on "Ref"/"REQ").
36
+ # Scoping to the Ref: line prevents a prose mention earlier in the body
37
+ # (e.g. "target close: REQ-002") from being picked over the real ref.
34
38
  if echo "$BODY" | grep -qiE 'Ref:[[:space:]]*REQ-[0-9]+'; then
35
- echo "$BODY" | grep -ioE 'REQ-[0-9]+' | head -1 | tr '[:lower:]' '[:upper:]'
39
+ echo "$BODY" | grep -ioE 'Ref:[[:space:]]*REQ-[0-9]+' | head -1 | grep -oiE 'REQ-[0-9]+' | tr '[:lower:]' '[:upper:]'
36
40
  exit 0
37
41
  fi
38
42
 
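Review bot: The new `Ref:` pattern in step 2 is not anchored to the start of a line, so `grep -ioE 'Ref:[[:space:]]*REQ-[0-9]+'` still matches the token inside prose or inside a longer word; a body line such as "xref: REQ-002" above the real trailer would win through `head -1`, which is the misattribution the new comment says is prevented. Anchoring both the `-q` test and the extraction, e.g. `grep -ioE '^[[:space:]]*Ref:[[:space:]]*REQ-[0-9]+'`, would make the code match the "Ref: line only" wording. The same unanchored alternation appears in the workflow's "Resolve current release" step. Since the result decides which release record receives gate evidence, the stricter match is worth having.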
@@ -90,6 +90,17 @@ assert_eq "subject overrides body conflict -> REQ-037" "REQ-037" "$(run_helper)"
90
90
  make_fixture "$WORK/c6" "chore: bump deps"
91
91
  assert_eq "no tag -> bare date $TODAY" "$TODAY" "$(run_helper)"
92
92
 
93
+ # Case 7: a prose REQ mention earlier in the body must NOT beat the Ref:
94
+ # line. Regression for the META-JOBS misattribution where "target close:
95
+ # REQ-002" caused gate evidence to land on a REQ-002 release instead of
96
+ # the real Ref: REQ-001.
97
+ make_fixture "$WORK/c7" "chore(sdlc): accept dep advisories
98
+
99
+ Dependency advisories accepted under R-001; target close: REQ-002.
100
+
101
+ Ref: REQ-001"
102
+ assert_eq "prose REQ-002 before Ref: REQ-001 -> REQ-001" "REQ-001" "$(run_helper)"
103
+
93
104
  echo ""
94
105
  echo "=== Summary: $PASS pass / $FAIL fail ==="
95
106
 
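Review bot: Case 7 covers only the body path; the subject extraction was also narrowed to the bracketed tag in this release, and no case visible in this hunk pins that. A fixture whose subject has a bare mention before the tag, e.g. `make_fixture "$WORK/c8" "fix: REQ-002 follow-up [REQ-001]"` followed by `assert_eq "bare REQ-002 before [REQ-001] -> REQ-001" "REQ-001" "$(run_helper)"`, would guard it. A body case where `Ref:` appears mid-line would likewise document how strict the match is meant to be.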
@@ -33,6 +33,8 @@ jobs:
33
33
 
34
34
  steps:
35
35
  - uses: actions/checkout@v4
36
+ with:
37
+ fetch-depth: 0 # full history so the merged commits' REQ tags are readable
36
38
 
37
39
  - name: Resolve DevAudit base URL and post-deploy terminal status
38
40
  run: |
@@ -76,12 +78,29 @@ jobs:
76
78
  - name: Resolve current release
77
79
  id: release
78
80
  run: |
79
- DATE_PREFIX="v$(date +%Y.%m.%d)"
81
+ # Resolve the release being PROMOTED — the same REQ the dev/UAT
82
+ # pipeline versioned (ci.yml / compliance-evidence.yml use
83
+ # derive-release-version.sh → REQ-XXX). The merge commit itself
84
+ # carries no REQ tag, so derive it from the commits merged into
85
+ # this push ([REQ-XXX] subject tags / Ref: lines), and only fall
86
+ # back to a bare date when the consumer uses date-versioned
87
+ # releases. Without this, a REQ-versioned release never converges:
88
+ # production evidence + the prod-review advance land on a phantom
89
+ # date release while the real REQ release stays uat_approved.
90
+ REQ=$(git log "${{ github.event.before }}..${{ github.sha }}" --format='%s%n%b' 2>/dev/null \
91
+ | grep -oiE '\[REQ-[0-9]+\]|Ref:[[:space:]]*REQ-[0-9]+' \
92
+ | grep -oiE 'REQ-[0-9]+' | head -1 | tr '[:lower:]' '[:upper:]' || true)
93
+ if [ -n "$REQ" ]; then
94
+ PREFIX="$REQ"
95
+ else
96
+ PREFIX="v$(date +%Y.%m.%d)"
97
+ fi
98
+ echo "Resolving release for version prefix: ${PREFIX}"
80
99
  RESP=$(curl -s -H "Authorization: Bearer ${DEVAUDIT_API_KEY}" \
81
- "${BASE}/api/ci/releases/resolve?projectSlug=${PROJECT_SLUG}&versionPrefix=${DATE_PREFIX}")
100
+ "${BASE}/api/ci/releases/resolve?projectSlug=${PROJECT_SLUG}&versionPrefix=${PREFIX}")
82
101
  VERSION=$(echo "$RESP" | jq -r '.latest.version // empty')
83
102
  if [ -z "$VERSION" ]; then
84
- VERSION="${DATE_PREFIX}"
103
+ VERSION="${PREFIX}"
85
104
  fi
86
105
  RELEASE_ID=$(echo "$RESP" | jq -r '.latest.id // empty')
87
106
  echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
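Review bot: In the "Resolve current release" step, `2>/dev/null` together with `|| true` makes a failed `git log` indistinguishable from "no REQ tag", so the step silently falls back to the date prefix. That can happen whenever `github.event.before` is not a usable commit (it is all zeros on a branch's first push and may be unreachable after a force-push; worth confirming for the triggers this workflow uses), and it recreates the phantom date release the comment describes. I would pass both SHAs through the step's `env:` rather than inline `${{ }}` and emit a visible annotation before falling back, e.g. `echo "::warning::push range unavailable; using date prefix ${PREFIX}"`. Note also that `head -1` picks a single REQ when one push merges commits for several. The run block appears to continue past the end of this hunk.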