@metasession.co/devaudit-cli 0.1.44 → 0.1.47

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.44",
+  "version": "0.1.47",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.44",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.47",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh

@@ -184,13 +184,33 @@ fi
 # Issue: devaudit#263.
 SUCCEEDED=0
 FAILED=0
+# devaudit#133 — central stub guard. Any file still carrying the
+# DevAudit starter banner ("STARTER TEMPLATE — REPLACE BEFORE
+# COMMITTING" / "...BEFORE GOING TO PRODUCTION" — both phrasings)
+# is skipped before the upload attempt so unedited placeholders
+# can't flip a clause to COVERED off a stub. The check is binary-
+# safe (-a) so it doesn't choke on PNGs or other non-text files.
+SKIPPED=0
 TOTAL_SIZE=0
 UPLOAD_URL="${DEVAUDIT_BASE_URL}/api/evidence/upload"
 MAX_ATTEMPTS=${UPLOAD_MAX_ATTEMPTS:-5}
 INITIAL_BACKOFF_SECONDS=${UPLOAD_INITIAL_BACKOFF_SECONDS:-1}
 
+is_unedited_starter_stub() {
+  # Match BOTH banner phrasings the SDLC has shipped (v0.1.36 changed
+  # the wording from "...GOING TO PRODUCTION" to "...COMMITTING").
+  # -a forces binary→text so we don't error on PNGs/PDFs; the regex
+  # won't match either of those formats by accident.
+  grep -aqE 'STARTER TEMPLATE.+REPLACE BEFORE' "$1"
+}
+
 for FILE in "${FILES[@]}"; do
   FILENAME=$(basename "$FILE")
+  if is_unedited_starter_stub "$FILE"; then
+    echo "SKIPPED ${FILENAME} — unedited starter stub (replace the STARTER TEMPLATE banner to upload)"
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
   FILE_SIZE=$(stat -c%s "$FILE" 2>/dev/null || stat -f%z "$FILE")
   echo -n "Uploading ${FILENAME}... "
   CURL_ARGS=(
@@ -267,8 +287,10 @@ done
 # --- Summary ---
 echo ""
 echo "=== Upload Summary ==="
-echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed (${#FILES[@]} total)"
+echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed, ${SKIPPED} skipped (${#FILES[@]} total)"
 echo "Total size: $((TOTAL_SIZE / 1024)) KB"
+# Skipped stubs are intentional (devaudit#133) — they don't fail the
+# run. Only true upload failures bump the exit code.
 if [ "$FAILED" -gt 0 ]; then
   exit 1
 fi

package/sdlc/SKILLS.md

@@ -93,18 +93,39 @@ node scripts/validate-adapter.cjs sdlc/files/_common/skills/<name>/SKILL.md
 
 ## Skills currently shipped
 
-| Skill                   | Location          | Triggers (paraphrased)                                                                                                                                                                                  | Additional emissions                                                              |
-| ----------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
-| `e2e-test-engineer`     | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues"                                                                            | `e2e/helpers/evidence.ts` + `evidence-shot-core.ts` (node-stack consumers)        |
-| `sdlc-implementer`      | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX"                                                                            | — (orchestrator; invokes `e2e-test-engineer` + `governance-doc-author`)           |
-| `governance-doc-author` | `_common/skills/` | "create / refresh the RoPA", "write a DPIA", "update the AI disclosure", "set up the periodic review schedule", "GDPR.Art-30 is MISSING on the matrix" (v0.1.37+)                                       | `references/incident-classification.md` (shared with `e2e-test-engineer`)         |
+| Skill                   | Location          | Triggers (paraphrased)                                                                                                                                                                                                                                                                             | Additional emissions                                                                                                                                                       |
+| ----------------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `e2e-test-engineer`     | `_common/skills/` | "add e2e tests", "bootstrap an e2e suite", "update the test pack", "are any tests obsolete", "run e2e tests and file issues"                                                                                                                                                                       | `e2e/helpers/evidence.ts` + `evidence-shot-core.ts` (node-stack consumers)                                                                                                 |
+| `sdlc-implementer`      | `_common/skills/` | "implement issue #N under the SDLC", "run the SDLC for issue #N", "automate REQ-XXX from issue to release", "resume REQ-XXX"                                                                                                                                                                       | — (orchestrator; invokes `e2e-test-engineer`, `governance-doc-author`, and the three SoT-alignment skills)                                                                 |
+| `governance-doc-author` | `_common/skills/` | "create / refresh the RoPA", "write a DPIA", "update the AI disclosure", "set up the periodic review schedule", "GDPR.Art-30 is MISSING on the matrix" (v0.1.37+)                                                                                                                                  | `references/incident-classification.md` (shared with `e2e-test-engineer`)                                                                                                  |
+| `requirements-aligner`  | `_common/skills/` | "align SRS for REQ-XXX", "what SRS items did this REQ need?", "is the SRS in sync with this branch?" (v0.1.42+). Auto-invoked by `sdlc-implementer` at Stage 1 plan-APPROVAL + Stage 3 evidence-pack.                                                                                              | Maintains `docs/SRS.md`; drops `compliance/evidence/REQ-XXX/srs-alignment.md` per cycle.                                                                                   |
+| `adr-author`            | `_common/skills/` | "draft an ADR for REQ-XXX", "does this REQ need an ADR?", "is the architectural decision documented?" (v0.1.43+). Auto-invoked by `sdlc-implementer` at Stage 1 + Stage 3.                                                                                                                         | Maintains `docs/ADR/ADR-NNN-<slug>.md`; drops `compliance/evidence/REQ-XXX/architecture-decision.md` per cycle. Closes `ISO27001.A.8.25`.                                  |
+| `risk-register-keeper`  | `_common/skills/` | "draft a risk-register entry for REQ-XXX", "is the risk register up to date for this branch?", "incident-report-N just exported, draft the residual-risk entry" (v0.1.44+). Auto-invoked by `sdlc-implementer` at Stage 1 (MEDIUM/HIGH) + Stage 3, and by `incident-export.yml` at incident close. | Maintains `compliance/risk-register.md` + the `governance/risk-register.md.template` starter; drops `compliance/evidence/REQ-XXX/risk-assessment.md`. Closes `SOC2.CC3.2`. |
 
 `sdlc-implementer` is the **default entry point for a tracked change** — an **orchestration skill** that drives Claude Code's native tools (`gh`, shell, `devaudit` CLI, portal API) through the full 5-stage flow against a single GitHub issue, pausing only at the UAT-review gate (and at the plan checkpoint for HIGH/CRITICAL risk). It is synced into every consumer (`.claude/skills/sdlc-implementer/`) by `devaudit update`. It replaces an earlier roadmap of five atomic skills (`risk-classifier`, `commit-message-author`, `compliance-evidence-author`, `sast-triager`, `release-ticket-author`) that were deprioritised — Claude Code's innate capabilities already cover what those atomic skills wrapped; the value-add is end-to-end orchestration with framework-compliant pauses, not five discoverable helpers a human still has to compose.
 
-**Sub-skill invocation requirement.** During its Phase 2 (Implement & test), the orchestrator **MUST** invoke `e2e-test-engineer` for any end-to-end or visual-regression test work — both scenario derivation from the implementation plan and execution of the resulting suite. The orchestrator does NOT author e2e tests directly. (Unit tests stay with the orchestrator until a unit-test counterpart skill ships.) The invocation pattern is documented in [docs/adding-a-skill.md §Orchestrator skills](../docs/adding-a-skill.md#orchestrator-skills-calling-other-skills); this is a hard contract — the orchestrator's SKILL.md fails review if it inlines `e2e-test-engineer`'s procedure.
+**Sub-skill invocation contract.** The orchestrator delegates at every phase rather than authoring inline:
+
+- **Phase 1 (Plan)** — invoke `requirements-aligner` to populate the AC table's SRS-ID column; invoke `adr-author` to decide ADR-worthiness + draft the ADR when warranted; invoke `risk-register-keeper` (MEDIUM/HIGH only by default) to draft RISK-NNN entries.
+- **Phase 2 (Implement & test)** — invoke `e2e-test-engineer` for ALL end-to-end or visual-regression test work. The orchestrator does NOT author e2e tests directly. (Unit tests stay with the orchestrator until a unit-test counterpart skill ships.)
+- **Phase 3 (Compile evidence)** — invoke each of `requirements-aligner`, `adr-author`, `risk-register-keeper` to drop their per-REQ Tier 3 traceability artefacts (`srs-alignment.md`, `architecture-decision.md`, `risk-assessment.md`).
+
+These delegations are hard contracts — the orchestrator's SKILL.md fails review if it inlines a specialist skill's procedure. The invocation pattern is documented in [docs/adding-a-skill.md §Orchestrator skills](../docs/adding-a-skill.md#orchestrator-skills-calling-other-skills).
 
 `sdlc-implementer` is **not** used for trivial / housekeeping changes (docs, formatting, dependency bumps, CI tweaks) — those skip the requirement and the ceremony. See [the change-type matrix](../docs/change-workflows.md) and the [trivial-change walkthrough](./files/_common/implementing-an-sdlc-issue.md#trivial-change-walkthrough).
 
+### The SoT-alignment skill family
+
+`requirements-aligner`, `adr-author`, and `risk-register-keeper` form the **SoT-alignment family** (v0.1.42 → v0.1.44). They share a uniform shape: each owns one persistent Tier 2 source-of-truth document, fires at Stage 1 plan-APPROVAL (advisory by default, configurable to block) and Stage 3 evidence-pack (hard gate on the per-REQ Tier 3 artefact), and produces a per-REQ traceability evidence file the CI uploads to the portal. The family closes the silent-drift gap between shipped code and the project's three SoT documents at edit time.
+
+| Skill                  | Tier 2 SoT it maintains       | Tier 3 per-REQ artefact              | Closes framework clause                                             |
+| ---------------------- | ----------------------------- | ------------------------------------ | ------------------------------------------------------------------- |
+| `requirements-aligner` | `docs/SRS.md`                 | `srs-alignment.md` (per REQ)         | none in v1 (orphan-by-design per framework-registry-auditor review) |
+| `adr-author`           | `docs/ADR/ADR-NNN-<slug>.md`  | `architecture-decision.md` (per REQ) | `ISO27001.A.8.25` Secure development life cycle                     |
+| `risk-register-keeper` | `compliance/risk-register.md` | `risk-assessment.md` (per REQ)       | `SOC2.CC3.2` Risk identification and assessment                     |
+
+Each skill is **configurable per project** via `sdlc-config.json` (`requirements_aligner`, `adr_author`, `risk_register_keeper` blocks) — `block_on_stage_1: false` is the default in v1 so the skill advises but doesn't block plan APPROVAL; flip to `true` once calibrated.
+
 ## Skills on the roadmap
 
 No concrete candidates are queued. A `unit-test-engineer` counterpart to `e2e-test-engineer` is the most likely next skill, but it lands only when day-to-day work repeatedly surfaces the pain and the orchestrator demonstrably needs it as a separable component. Tracking: [`metasession-dev/DevAudit-Installer#29`](https://github.com/metasession-dev/DevAudit-Installer/issues/29).

package/sdlc/files/_common/governance/incident-report.md.template

@@ -29,9 +29,9 @@ last_reviewed_at: "REPLACE — YYYY-MM-DD"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/incident-report.md` (the template) or `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`)
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `incident_report` evidence via the `upload_governance` helper.
-- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` always flips to COVERED (baseline). `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
+- **File path:** `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`). The bare `incident-report.md` is the unedited starter — kept on disk as a reference but **skipped by the uploader** until you replace the STARTER TEMPLATE banner.
+- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` globs `incident-report*.md` under both layouts and uploads each non-stub file as `incident_report` evidence via the `upload_governance` helper. The starter stub is filtered out centrally by `upload-evidence.sh` (devaudit#133).
+- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` flips to COVERED only when a non-stub `incident-report*.md` lands. `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
 - **Refresh cadence:** none — incidents are point-in-time. Authoring is event-driven.
 
 ## Framework attribution — which clauses THIS incident closes

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -40,9 +40,13 @@ jobs:
     # doesn't yet have its stub release-ticket on disk. Without these
     # the github-actions[bot] token gets HTTP 403 on the push + on the PR
     # create, and the auto-housekeeping path silently leaves a red badge
-    # on every docs-only / chore push. DEVAUDIT_USER_TOKEN remains optional
-    # for orgs with restricted Actions permissions — but is no longer
-    # required for the default-config flow. See DevAudit-Installer#122.
+    # on every docs-only / chore push.
+    #
+    # `DEVAUDIT_USER_TOKEN` is no longer consulted by this workflow (the
+    # auto-stub step now uses `github.token` directly — see the env block
+    # on that step). The permissions below grant everything `gh pr create`
+    # needs; preferring a (potentially stale) PAT was the cause of the
+    # 2026-06-07 401 chain on this issue.
     permissions:
       contents: write       # push the auto-PR branch
       pull-requests: write  # gh pr create
@@ -129,7 +133,19 @@ jobs:
       - name: Auto-generate housekeeping stubs (if needed)
         if: steps.resolve.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.DEVAUDIT_USER_TOKEN || github.token }}
+          # Use the workflow's GITHUB_TOKEN directly. The `permissions:`
+          # block on the job grants `contents: write` + `pull-requests:
+          # write`, which is everything `gh pr create` + `git push` need
+          # here. The earlier `secrets.DEVAUDIT_USER_TOKEN || github.token`
+          # fallback became a foot-gun once that permissions block landed
+          # — when an operator had set `DEVAUDIT_USER_TOKEN` historically
+          # (to work around the missing permissions) and the PAT later
+          # expired, every `gh pr create` 401'd as the workflow preferred
+          # the stale PAT over the live bot token. See DevAudit-Installer#122
+          # 2026-06-07 escalation. Orgs with policy that blocks the bot
+          # token from creating PRs can override per-workflow on their
+          # own; the canonical default no longer prefers a PAT.
+          GH_TOKEN: ${{ github.token }}
           VERSION: ${{ steps.version.outputs.version }}
         run: |
           # Guard: only fire for bare-date (housekeeping) versions.
@@ -274,8 +290,19 @@ jobs:
           # (operator's choice — both layouts are common).
           upload_governance compliance/periodic-review.md             periodic_review
           upload_governance compliance/governance/periodic-review.md  periodic_review
-          upload_governance compliance/incident-report.md             incident_report
-          upload_governance compliance/governance/incident-report.md  incident_report
+          # Incident reports: glob `incident-report*.md` so per-incident
+          # files (e.g. `incident-report-2026-001.md`, written by
+          # incident-export.yml from labelled GitHub issues) all
+          # upload as real evidence. The unedited starter
+          # `incident-report.md` matches the glob too but is skipped
+          # by upload-evidence.sh's central stub guard — so the stub
+          # can never flip ISO29119.3.5.4 to COVERED on its own
+          # (devaudit#133). `*.md` does not match `*.md.template`.
+          shopt -s nullglob
+          for f in compliance/incident-report*.md compliance/governance/incident-report*.md; do
+            upload_governance "$f" incident_report
+          done
+          shopt -u nullglob
 
           # ── Audit-log export (DevAudit-Installer#98 WS2) ──────────────
           # Snapshot the portal's audit log for the rolling 90-day window