@metasession.co/devaudit-cli 0.1.45 → 0.1.47

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.45",
+  "version": "0.1.47",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.45",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.47",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh

@@ -184,13 +184,33 @@ fi
 # Issue: devaudit#263.
 SUCCEEDED=0
 FAILED=0
+# devaudit#133 — central stub guard. Any file still carrying the
+# DevAudit starter banner ("STARTER TEMPLATE — REPLACE BEFORE
+# COMMITTING" / "...BEFORE GOING TO PRODUCTION" — both phrasings)
+# is skipped before the upload attempt so unedited placeholders
+# can't flip a clause to COVERED off a stub. The check is binary-
+# safe (-a) so it doesn't choke on PNGs or other non-text files.
+SKIPPED=0
 TOTAL_SIZE=0
 UPLOAD_URL="${DEVAUDIT_BASE_URL}/api/evidence/upload"
 MAX_ATTEMPTS=${UPLOAD_MAX_ATTEMPTS:-5}
 INITIAL_BACKOFF_SECONDS=${UPLOAD_INITIAL_BACKOFF_SECONDS:-1}
 
+is_unedited_starter_stub() {
+  # Match BOTH banner phrasings the SDLC has shipped (v0.1.36 changed
+  # the wording from "...GOING TO PRODUCTION" to "...COMMITTING").
+  # -a forces binary→text so we don't error on PNGs/PDFs; the regex
+  # won't match either of those formats by accident.
+  grep -aqE 'STARTER TEMPLATE.+REPLACE BEFORE' "$1"
+}
+
 for FILE in "${FILES[@]}"; do
   FILENAME=$(basename "$FILE")
+  if is_unedited_starter_stub "$FILE"; then
+    echo "SKIPPED ${FILENAME} — unedited starter stub (replace the STARTER TEMPLATE banner to upload)"
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
   FILE_SIZE=$(stat -c%s "$FILE" 2>/dev/null || stat -f%z "$FILE")
   echo -n "Uploading ${FILENAME}... "
   CURL_ARGS=(
@@ -267,8 +287,10 @@ done
 # --- Summary ---
 echo ""
 echo "=== Upload Summary ==="
-echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed (${#FILES[@]} total)"
+echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed, ${SKIPPED} skipped (${#FILES[@]} total)"
 echo "Total size: $((TOTAL_SIZE / 1024)) KB"
+# Skipped stubs are intentional (devaudit#133) — they don't fail the
+# run. Only true upload failures bump the exit code.
 if [ "$FAILED" -gt 0 ]; then
   exit 1
 fi

package/sdlc/files/_common/governance/incident-report.md.template

@@ -29,9 +29,9 @@ last_reviewed_at: "REPLACE — YYYY-MM-DD"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/incident-report.md` (the template) or `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`)
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `incident_report` evidence via the `upload_governance` helper.
-- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` always flips to COVERED (baseline). `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
+- **File path:** `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`). The bare `incident-report.md` is the unedited starter — kept on disk as a reference but **skipped by the uploader** until you replace the STARTER TEMPLATE banner.
+- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` globs `incident-report*.md` under both layouts and uploads each non-stub file as `incident_report` evidence via the `upload_governance` helper. The starter stub is filtered out centrally by `upload-evidence.sh` (devaudit#133).
+- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` flips to COVERED only when a non-stub `incident-report*.md` lands. `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
 - **Refresh cadence:** none — incidents are point-in-time. Authoring is event-driven.
 
 ## Framework attribution — which clauses THIS incident closes

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -290,8 +290,19 @@ jobs:
           # (operator's choice — both layouts are common).
           upload_governance compliance/periodic-review.md             periodic_review
           upload_governance compliance/governance/periodic-review.md  periodic_review
-          upload_governance compliance/incident-report.md             incident_report
-          upload_governance compliance/governance/incident-report.md  incident_report
+          # Incident reports: glob `incident-report*.md` so per-incident
+          # files (e.g. `incident-report-2026-001.md`, written by
+          # incident-export.yml from labelled GitHub issues) all
+          # upload as real evidence. The unedited starter
+          # `incident-report.md` matches the glob too but is skipped
+          # by upload-evidence.sh's central stub guard — so the stub
+          # can never flip ISO29119.3.5.4 to COVERED on its own
+          # (devaudit#133). `*.md` does not match `*.md.template`.
+          shopt -s nullglob
+          for f in compliance/incident-report*.md compliance/governance/incident-report*.md; do
+            upload_governance "$f" incident_report
+          done
+          shopt -u nullglob
 
           # ── Audit-log export (DevAudit-Installer#98 WS2) ──────────────
           # Snapshot the portal's audit log for the rolling 90-day window