@metasession.co/devaudit-cli 0.1.45 → 0.1.49

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.45",
+  "version": "0.1.49",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.45",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.49",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh

@@ -184,13 +184,33 @@ fi
 # Issue: devaudit#263.
 SUCCEEDED=0
 FAILED=0
+# devaudit#133 — central stub guard. Any file still carrying the
+# DevAudit starter banner ("STARTER TEMPLATE — REPLACE BEFORE
+# COMMITTING" / "...BEFORE GOING TO PRODUCTION" — both phrasings)
+# is skipped before the upload attempt so unedited placeholders
+# can't flip a clause to COVERED off a stub. The check is binary-
+# safe (-a) so it doesn't choke on PNGs or other non-text files.
+SKIPPED=0
 TOTAL_SIZE=0
 UPLOAD_URL="${DEVAUDIT_BASE_URL}/api/evidence/upload"
 MAX_ATTEMPTS=${UPLOAD_MAX_ATTEMPTS:-5}
 INITIAL_BACKOFF_SECONDS=${UPLOAD_INITIAL_BACKOFF_SECONDS:-1}
 
+is_unedited_starter_stub() {
+  # Match BOTH banner phrasings the SDLC has shipped (v0.1.36 changed
+  # the wording from "...GOING TO PRODUCTION" to "...COMMITTING").
+  # -a forces binary→text so we don't error on PNGs/PDFs; the regex
+  # won't match either of those formats by accident.
+  grep -aqE 'STARTER TEMPLATE.+REPLACE BEFORE' "$1"
+}
+
 for FILE in "${FILES[@]}"; do
   FILENAME=$(basename "$FILE")
+  if is_unedited_starter_stub "$FILE"; then
+    echo "SKIPPED ${FILENAME} — unedited starter stub (replace the STARTER TEMPLATE banner to upload)"
+    SKIPPED=$((SKIPPED + 1))
+    continue
+  fi
   FILE_SIZE=$(stat -c%s "$FILE" 2>/dev/null || stat -f%z "$FILE")
   echo -n "Uploading ${FILENAME}... "
   CURL_ARGS=(
@@ -267,8 +287,10 @@ done
 # --- Summary ---
 echo ""
 echo "=== Upload Summary ==="
-echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed (${#FILES[@]} total)"
+echo "Files: ${SUCCEEDED} succeeded, ${FAILED} failed, ${SKIPPED} skipped (${#FILES[@]} total)"
 echo "Total size: $((TOTAL_SIZE / 1024)) KB"
+# Skipped stubs are intentional (devaudit#133) — they don't fail the
+# run. Only true upload failures bump the exit code.
 if [ "$FAILED" -gt 0 ]; then
   exit 1
 fi

package/sdlc/files/_common/governance/incident-report.md.template

@@ -29,9 +29,9 @@ last_reviewed_at: "REPLACE — YYYY-MM-DD"
 
 ## Uploading this artefact
 
-- **File path:** `compliance/governance/incident-report.md` (the template) or `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`)
-- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` uploads this file as `incident_report` evidence via the `upload_governance` helper.
-- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` always flips to COVERED (baseline). `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
+- **File path:** `compliance/governance/incident-report-<id>.md` (per-incident — recommended; the `incident-export.yml` workflow auto-produces these from closed GitHub issues labelled `incident`). The bare `incident-report.md` is the unedited starter — kept on disk as a reference but **skipped by the uploader** until you replace the STARTER TEMPLATE banner.
+- **Upload trigger:** automatic — on every push to `develop` that touches `compliance/**`, `compliance-evidence.yml` globs `incident-report*.md` under both layouts and uploads each non-stub file as `incident_report` evidence via the `upload_governance` helper. The starter stub is filtered out centrally by `upload-evidence.sh` (devaudit#133).
+- **Verify after merge:** open `/projects/<slug>/compliance`. `ISO29119.3.5.4` flips to COVERED only when a non-stub `incident-report*.md` lands. `SOC2.CC7.2`, `GDPR.Art-33`, `GDPR.Art-34` flip only when the relevant attribution sections below are non-stub.
 - **Refresh cadence:** none — incidents are point-in-time. Authoring is event-driven.
 
 ## Framework attribution — which clauses THIS incident closes

package/sdlc/files/_common/scripts/update-sdlc-status.sh

@@ -0,0 +1,144 @@
+#!/usr/bin/env bash
+# update-sdlc-status.sh — Post or update the canonical SDLC status
+# sticky comment on a REQ tracking issue (devaudit#131).
+#
+# Purpose: long-running SDLC issues accumulate dozens of comments.
+# The operator scrolling the thread can't find "where are we right
+# now" without re-reading. This helper writes a marker-tagged comment
+# at a predictable shape; subsequent calls find + edit the existing
+# comment instead of stacking new ones, so the latest status always
+# lives in exactly one place on the issue.
+#
+# Idempotent — find-or-create. The marker is HTML-commented so it
+# doesn't show up in the rendered issue UI but is greppable via the
+# API. Subsequent invocations on the same issue replace the body
+# without dropping the marker.
+#
+# Usage:
+#   ./scripts/update-sdlc-status.sh <issue-number> "<last-step>" "<next-step>" [--repo owner/name] [--dry-run]
+#
+# Examples:
+#   ./scripts/update-sdlc-status.sh 322 \
+#     "Phase 2 complete — feat branch landed on develop" \
+#     "Phase 3 — sdlc-implementer auto-continuing"
+#
+#   ./scripts/update-sdlc-status.sh 322 \
+#     "Phase 4 — release PR #455 opened" \
+#     "Operator action — review + merge develop→main when ready" \
+#     --repo metasession-dev/wawagardenbar-app
+#
+# Required:
+#   - `gh` CLI authenticated (uses GITHUB_TOKEN or the current `gh auth` session)
+#   - The issue must exist
+#
+# Optional flags:
+#   --repo owner/name   Override repo (defaults to the cwd's git remote)
+#   --dry-run           Print the body + the gh command that would run,
+#                       without making any API calls. Used by the test
+#                       suite + safe for operator inspection.
+
+set -euo pipefail
+
+if [ "$#" -lt 3 ]; then
+  cat <<'USAGE' >&2
+Usage: update-sdlc-status.sh <issue-number> "<last-step>" "<next-step>" [--repo owner/name] [--dry-run]
+USAGE
+  exit 1
+fi
+
+ISSUE_NUM="$1"
+LAST_STEP="$2"
+NEXT_STEP="$3"
+shift 3
+
+REPO=""
+DRY_RUN=false
+while [ "$#" -gt 0 ]; do
+  case "$1" in
+    --repo)
+      REPO="$2"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=true
+      shift
+      ;;
+    *)
+      echo "Unknown flag: $1" >&2
+      exit 1
+      ;;
+  esac
+done
+
+# Validate issue number is numeric early so we don't make bogus API
+# calls when the caller fat-fingers the arg order.
+if ! [[ "$ISSUE_NUM" =~ ^[1-9][0-9]*$ ]]; then
+  echo "Error: issue number must be a positive integer, got: $ISSUE_NUM" >&2
+  exit 1
+fi
+
+MARKER='<!-- sdlc-implementer:status -->'
+
+# Body shape — keep this compact and load-bearing. The marker MUST be
+# the first line so the find-existing pass can use startswith() in
+# the gh JSON filter without false positives.
+BODY=$(cat <<EOF
+$MARKER
+
+**🟢 LAST STEP** — $LAST_STEP
+
+**🔵 NEXT STEP** — $NEXT_STEP
+
+---
+
+_Updated by \`sdlc-implementer\` on every stage transition. The full SDLC trail lives in the comments below; this comment is the always-current pointer._
+EOF
+)
+
+REPO_FLAG=""
+if [ -n "$REPO" ]; then
+  REPO_FLAG="--repo $REPO"
+fi
+
+if [ "$DRY_RUN" = "true" ]; then
+  echo "[dry-run] would update sticky on issue #$ISSUE_NUM${REPO:+ in $REPO}"
+  echo "----- body -----"
+  echo "$BODY"
+  echo "----- end body -----"
+  exit 0
+fi
+
+# Find an existing status sticky on this issue. We grep through the
+# comments looking for the canonical marker; if found, edit it; if
+# not, create a fresh one.
+#
+# gh's --jq filter handles the lookup server-side so we don't drag
+# every comment back to local. `startswith` is the right matcher
+# because the marker is always the first line.
+EXISTING_ID=""
+# Build the api endpoint. Without --repo, gh resolves from the current
+# git remote — same as `gh issue …` does elsewhere in the framework.
+if [ -n "$REPO" ]; then
+  EXISTING_ID=$(gh api "repos/$REPO/issues/$ISSUE_NUM/comments" --paginate \
+    --jq '.[] | select(.body | startswith("'"$MARKER"'")) | .id' | head -1)
+else
+  EXISTING_ID=$(gh api "repos/{owner}/{repo}/issues/$ISSUE_NUM/comments" --paginate \
+    --jq '.[] | select(.body | startswith("'"$MARKER"'")) | .id' | head -1)
+fi
+
+if [ -n "$EXISTING_ID" ]; then
+  echo "Updating existing SDLC status sticky (comment id: $EXISTING_ID)"
+  if [ -n "$REPO" ]; then
+    gh api "repos/$REPO/issues/comments/$EXISTING_ID" -X PATCH \
+      --field "body=$BODY" >/dev/null
+  else
+    gh api "repos/{owner}/{repo}/issues/comments/$EXISTING_ID" -X PATCH \
+      --field "body=$BODY" >/dev/null
+  fi
+else
+  echo "Posting new SDLC status sticky on issue #$ISSUE_NUM"
+  # shellcheck disable=SC2086  # REPO_FLAG must split on space
+  gh issue comment "$ISSUE_NUM" $REPO_FLAG --body "$BODY" >/dev/null
+fi
+
+echo "SDLC status updated."

package/sdlc/files/_common/scripts/update-sdlc-status.test.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+# update-sdlc-status.test.sh — Tests for the SDLC status sticky helper
+# (devaudit#131). Exercises --dry-run so no real API call is needed.
+#
+# Usage:
+#   ./scripts/update-sdlc-status.test.sh
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+HELPER="$SCRIPT_DIR/update-sdlc-status.sh"
+[ -x "$HELPER" ] || chmod +x "$HELPER"
+
+PASS=0
+FAIL=0
+ok() { echo "  ✓ $1"; PASS=$((PASS + 1)); }
+no() { echo "  ✗ $1"; FAIL=$((FAIL + 1)); }
+
+case_missing_args() {
+  echo "case: missing args exits non-zero with a usage line"
+  local out exit_code
+  out=$("$HELPER" 2>&1) && exit_code=0 || exit_code=$?
+  if [ "$exit_code" -ne 0 ]; then
+    ok "exit code non-zero ($exit_code)"
+  else
+    no "expected non-zero exit on missing args"
+  fi
+  if printf '%s\n' "$out" | grep -q "Usage:"; then
+    ok "stderr includes Usage line"
+  else
+    no "stderr missing Usage; got:\n$out"
+  fi
+}
+
+case_non_numeric_issue() {
+  echo "case: non-numeric issue number fails fast"
+  local out exit_code
+  out=$("$HELPER" "abc" "last" "next" --dry-run 2>&1) && exit_code=0 || exit_code=$?
+  if [ "$exit_code" -ne 0 ]; then
+    ok "exit code non-zero"
+  else
+    no "expected failure on non-numeric issue number"
+  fi
+  if printf '%s\n' "$out" | grep -q "must be a positive integer"; then
+    ok "error message names the problem"
+  else
+    no "wrong error message:\n$out"
+  fi
+}
+
+case_dry_run_emits_body() {
+  echo "case: --dry-run prints the body without invoking gh"
+  local out exit_code
+  out=$("$HELPER" 42 "Phase 1 complete — plan written" "Phase 2 — implement" --dry-run 2>&1) && exit_code=0 || exit_code=$?
+  if [ "$exit_code" -eq 0 ]; then
+    ok "exit code 0"
+  else
+    no "expected exit 0, got $exit_code"
+    return
+  fi
+  if printf '%s\n' "$out" | grep -q '<!-- sdlc-implementer:status -->'; then
+    ok "body includes marker comment"
+  else
+    no "body missing marker; got:\n$out"
+  fi
+  if printf '%s\n' "$out" | grep -qE '\*\*🟢 LAST STEP\*\* — Phase 1 complete'; then
+    ok "body includes LAST STEP line"
+  else
+    no "LAST STEP line missing or wrong format; got:\n$out"
+  fi
+  if printf '%s\n' "$out" | grep -qE '\*\*🔵 NEXT STEP\*\* — Phase 2 — implement'; then
+    ok "body includes NEXT STEP line"
+  else
+    no "NEXT STEP line missing or wrong format; got:\n$out"
+  fi
+  if printf '%s\n' "$out" | grep -q 'would update sticky on issue #42'; then
+    ok "dry-run header names the issue"
+  else
+    no "dry-run header missing issue number; got:\n$out"
+  fi
+}
+
+case_dry_run_repo_flag() {
+  echo "case: --repo flag is reflected in the dry-run header"
+  local out
+  out=$("$HELPER" 5 "a" "b" --repo metasession-dev/example --dry-run 2>&1)
+  if printf '%s\n' "$out" | grep -q 'in metasession-dev/example'; then
+    ok "dry-run header includes repo"
+  else
+    no "dry-run header missing repo; got:\n$out"
+  fi
+}
+
+case_unknown_flag_rejected() {
+  echo "case: unknown flag rejected"
+  local out exit_code
+  out=$("$HELPER" 1 "a" "b" --bogus 2>&1) && exit_code=0 || exit_code=$?
+  if [ "$exit_code" -ne 0 ] && printf '%s\n' "$out" | grep -q 'Unknown flag'; then
+    ok "unknown flag rejected with message"
+  else
+    no "expected unknown-flag rejection; got exit $exit_code, output:\n$out"
+  fi
+}
+
+case_marker_is_first_line() {
+  echo "case: marker is the FIRST line of the body (find-existing relies on startswith)"
+  local out
+  out=$("$HELPER" 1 "a" "b" --dry-run 2>&1)
+  # Extract just the body between the markers we print
+  local body
+  body=$(printf '%s\n' "$out" | awk '/^----- body -----$/,/^----- end body -----$/')
+  local first
+  first=$(printf '%s\n' "$body" | sed -n '2p') # line 1 is the "----- body -----" header; line 2 is the body's first line
+  if printf '%s\n' "$first" | grep -q '<!-- sdlc-implementer:status -->'; then
+    ok "marker is the body's first line"
+  else
+    no "marker not on first line; first line was: '$first'"
+  fi
+}
+
+case_missing_args
+case_non_numeric_issue
+case_dry_run_emits_body
+case_dry_run_repo_flag
+case_unknown_flag_rejected
+case_marker_is_first_line
+
+echo ""
+echo "=== update-sdlc-status.test.sh ==="
+echo "PASS: $PASS  FAIL: $FAIL"
+[ "$FAIL" -eq 0 ]

package/sdlc/files/_common/skills/sdlc-implementer/SKILL.md

@@ -41,8 +41,80 @@ The orchestrator MUST invoke `e2e-test-engineer` for end-to-end and visual-regre
 - Never transcribe `e2e-test-engineer`'s six-phase workflow into this skill's body.
 - Call via the standard Claude Code Skill mechanism (`Skill(name: "e2e-test-engineer", …)`).
 
+**Structural enforcement (devaudit#132):** the contract is backed by two gates inside Phase 2 — a literal pre-test-work declaration before any `e2e/**/*.spec.ts` edit (step 3) and a mandatory self-audit before Phase 3 (step 9). Both are scripts the orchestrator follows, not prose it can rationalise around. If you find yourself about to skip either, that's the inertia trap the gates exist to interrupt — STOP, run the gate, and you'll usually find the delegation path is obvious from there.
+
 Unit-test and integration-test work stays with this skill until a counterpart unit-test skill ships. The full sub-skill call graph lives at [`references/call-graph.md`](./references/call-graph.md).
 
+## SDLC navigability — LAST/NEXT status sticky (devaudit#131)
+
+Long-running SDLC issues accumulate dozens of comments across multiple Claude Code sessions. The operator returning to the thread should be able to answer two questions in under five seconds:
+
+1. **What just happened?** — the most recent stage completion
+2. **What is the immediate next step?** — the single action the operator (or this skill on resume) should take next
+
+Two surfaces, one convention. Both are mandatory:
+
+### 1. Sticky comment on the REQ issue
+
+At **every stage transition** AND **every operator-action handoff** (waiting for review, waiting for merge, waiting for prod apply), invoke the helper:
+
+```bash
+bash scripts/update-sdlc-status.sh "$ISSUE_NUM" \
+  "<one sentence describing the step just completed>" \
+  "<one sentence describing the immediate next step + actor>"
+```
+
+The helper is idempotent — finds the marker-tagged comment and edits it, or creates one if none exists. So calling it on every transition keeps the same comment current; it never spawns duplicates.
+
+LAST sentence rules:
+
+- One sentence. Name the phase / artefact / outcome.
+- Include load-bearing identifiers — PR numbers, file paths, gate names — so the operator can act without re-scrolling.
+- Past tense.
+
+NEXT sentence rules:
+
+- One sentence. **Always name the actor** (operator action / `sdlc-implementer` auto-continues / waiting for CI / waiting for review).
+- Include the artefact to act on — issue number, PR number, migration path, command to run.
+- If the next step is operator-only and we're paused: say so explicitly. "Operator action — apply Prisma migration 13 to prod, then merge develop→main PR #458."
+
+Examples:
+
+```
+LAST: Phase 1 complete — implementation plan written to compliance/plans/REQ-074/implementation-plan.md (risk class MEDIUM)
+NEXT: Phase 2 — sdlc-implementer auto-continuing
+```
+
+```
+LAST: Phase 4 — release PR #455 opened against develop, CI running
+NEXT: Operator action — review PR #455 + merge when CI green; sdlc-implementer halts here until you ping resume REQ-074
+```
+
+```
+LAST: Phase 5 complete — release v1.2.0 marked Released; post-deploy smoke evidence uploaded
+NEXT: Done — close issue + retire feature branch (sdlc-implementer halts)
+```
+
+### 2. In-chat LAST/NEXT line (Claude Code surface)
+
+Lead every substantive turn with the same two-line shape so the operator can `Ctrl-F NEXT:` in the chat transcript to find the current pointer without re-reading:
+
+```
+**LAST:** <one sentence>
+**NEXT:** <one sentence with actor>
+```
+
+Skip it for trivial turns (acknowledging a "merged" / one-line confirmations / chitchat). It's for SDLC work, not every message. The two surfaces (sticky comment + chat line) should always agree — if they diverge, the comment is canonical (it's what the operator scrolling the issue sees).
+
+### When to update
+
+- After every Phase transition (Phase 0 → 1, 1 → 2, …, 5 → done)
+- On every operator-action handoff (paused for review, paused for merge, paused for prod apply, paused for migration)
+- On the change-request loop (Phase 5 rejection → re-enter Phase 2)
+- On error halt (gate failure exhausted retries, operator-only decision needed)
+
+Do **not** update on every internal step within a phase — that just spams the sticky. The transition + handoff cadence is the right frequency.
+
 ## The workflow
 
 A triage step (Phase 0) routes the issue, then up to five phases for tracked work. Phase 0 plus Phases 1–4 run in one Claude Code session; Phase 5 is invoked separately by the user after UAT. The off-ramps from Phase 0 (housekeeping / trivial / doc-only) don't enter Phase 1 — they run the **Lightweight path** (below), which the skill drives to merge.
@@ -146,6 +218,7 @@ Reached from Phase 0 for non-tracked change-types. The skill drives this end-to-
 
 Reached only on the **tracked** route from Phase 0 (the issue is already fetched and classified).
 
+0. **Initialise SDLC status sticky** on the issue: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 0 complete — classified as tracked SDLC work" "Phase 1 — sdlc-implementer authoring implementation plan"`. From now until the issue closes, the sticky is the always-current pointer to "what's next" — the operator scans it on every return to the issue.
 1. **Confirm the issue scope.** Re-read the `gh issue view <N>` output from Phase 0 — title, body, all comments — with implementation in mind.
 2. **Classify risk** per `Test_Policy.md` §Risk-Based Testing. Emit a one-paragraph rationale citing the signals you used (auth surface, financial calc, data egress, RBAC, AI decisioning, etc.).
 3. **Assign REQ-XXX.** Inspect `compliance/RTM.md` for existing entries; take the next free number. If the issue references an existing REQ, use that instead.
@@ -169,6 +242,7 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
 9. **Update `compliance/RTM.md`** with the new entry: REQ-XXX, title, risk class, linked issue, linked test cases (placeholder).
 10. **Post plan summary as an issue comment.** Format: TL;DR; Risk class + signals; Acceptance criteria (with SRS-IDs); Architectural decisions (ADR-NNN reference or no-ADR rationale); Risk register entries (RISK-NNN list); Technical approach (one paragraph); Dependencies; Test scope.
 11. **Checkpoint** — pause for human approval **iff** risk class is HIGH or CRITICAL. LOW and MEDIUM pass through to Phase 2 automatically. The checkpoint can be forced on for all classes via the `--require-plan-approval` flag (or `DEVAUDIT_REQUIRE_PLAN_APPROVAL=1` env var) for orgs that want it always-on.
+12. **Update SDLC status sticky** before exiting Phase 1: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 1 complete — plan written to compliance/plans/REQ-XXX/implementation-plan.md (risk class <CLASS>)" "Phase 2 — sdlc-implementer auto-continuing"` (or "Operator action — review plan + ping resume" if the HIGH/CRITICAL checkpoint paused).
 
 ### Phase 2 — Implement and test (SDLC stage 2)
 
@@ -178,7 +252,13 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
    - MEDIUM — unit + integration; e2e for any UI-facing change.
    - HIGH — unit + integration + e2e for every user-visible path + at least one negative/abuse test.
    - CRITICAL — HIGH plus targeted security tests (authz bypass attempts, input fuzzing where applicable).
-3. **For any e2e or visual-regression test work in this step, invoke `e2e-test-engineer`** — do not author e2e tests directly. The orchestrator passes the implementation plan + the diff so far to the e2e-test-engineer skill, which derives scenarios, reconciles with the existing pack, and runs the suite.
+3. **E2E delegation gate — pre-test-work declaration (devaudit#132).** Before creating or editing **any** `e2e/**/*.spec.ts` file in this phase, follow these three steps in order. The literal script exists because the "MUST invoke" prose alone has been bypassed by inertia in past runs; the declaration is the structural defence.
+
+   a. Output the single literal line, verbatim: `Delegating e2e test work to e2e-test-engineer.`
+   b. Immediately invoke `Skill(name: "e2e-test-engineer", args: "<the change summary + plan pointer>")`. The change summary is one sentence; the plan pointer is `compliance/plans/REQ-XXX/implementation-plan.md`.
+   c. **Do not author or edit any `e2e/**/*.spec.ts` file in this skill's own tool calls.** The e2e-test-engineer skill owns spec authoring end-to-end — including the "this AC needs no e2e" decision. If you feel the urge to write a spec inline, that's the inertia trap — STOP and re-invoke the skill.
+
+   When in doubt about whether work qualifies: visual-regression tests, screenshot diffs, browser-driven flows, any file ending in `.spec.ts` under `e2e/`, and any `playwright.config.ts`/`evidence/`/`baselines/` directory all qualify. Unit/integration tests under `tests/unit/`, `tests/integration/`, or stack-equivalent paths stay with this orchestrator.
 4. **Implement against the plan.** Reference `compliance/plans/REQ-XXX/implementation-plan.md` as you go. Any deviation from the plan must be noted in the plan itself under a `## Plan deviation` section — never silently diverge.
 5. **Run gates locally, cheap-first.** The gates are not equivalent-cost — `npm run lint` is seconds, `npx playwright test` is 30–60 minutes. Iterate on the fast gates; spend the e2e cost once.
 
@@ -198,6 +278,17 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
    - **If `$INTEGRATION_BRANCH` ≠ `$RELEASE_BRANCH`** (develop-first): open a PR `feat/REQ-XXX-<slug> → $INTEGRATION_BRANCH` and merge it once CI is green. This is the **integration hop** — there is no UAT four-eyes gate here (that's the release PR in Phase 4); for MEDIUM+ risk get a peer review on this PR per the project's norms. The push to `$INTEGRATION_BRANCH` is what triggers `ci.yml` to register the release and upload gate evidence.
    - **If `$INTEGRATION_BRANCH` = `$RELEASE_BRANCH`** (trunk-only): do **not** merge to the protected branch here — leave the work on the feature branch; it becomes the release PR's head in Phase 4.
 
+9. **E2E delegation self-audit — mandatory before Phase 3 (devaudit#132).** Run `git diff "$INTEGRATION_BRANCH"...HEAD --name-only` and walk the file list. For **every** entry matching `e2e/**/*.spec.ts`, state out loud one of:
+
+   - _"Authored via `e2e-test-engineer` skill invocation on turn N."_ — with the turn pointer the operator can verify from the chat transcript.
+   - _"Pre-existing file; only mechanical edits (path renames, import fixes, lint-only) applied directly. No scenario / assertion / selector changes."_ — applies only to non-substantive sweeps where the e2e-test-engineer skill would have nothing to contribute.
+
+   If you cannot place a spec file in either category — STOP. Do not proceed to Phase 3. Revert the direct edits (`git checkout "$INTEGRATION_BRANCH" -- <file>`) and re-do the work via `Skill(name: "e2e-test-engineer", …)`. The audit must be honest: omitting a file or fabricating a turn pointer is worse than the original delegation gap because it pollutes the audit trail with a false attribution.
+
+   This is the post-hoc check that catches anything step 3 missed. If both gates fire (declaration before the spec edit + audit before Phase 3) and you still see a direct authoring path, that's evidence the gates need to be stronger and worth a follow-up issue.
+
+10. **Update SDLC status sticky** before exiting Phase 2: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 2 complete — feat branch landed on $INTEGRATION_BRANCH; all gates green" "Phase 3 — sdlc-implementer auto-continuing (evidence compile)"`.
+
 ### Phase 3 — Compile evidence (SDLC stage 3)
 
 1. **Invoke `requirements-aligner` to drop the per-REQ SRS-alignment artefact.** The skill's Phase 2 produces `compliance/evidence/REQ-XXX/srs-alignment.md` — the per-REQ trace from each AC to its SRS item, with an operator sign-off block. The artefact uploads with `evidence_type=srs_alignment` (visible in Documents tab + audit-pack export; v1 orphan-by-design per META-COMPLY framework-registry-auditor). Call via the standard Skill mechanism; don't inline the alignment logic.
@@ -233,6 +324,7 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
    Evidence types: `screenshot`, `e2e_result`, `test_report`, `audit_log`, `compliance_document`, `manual_upload`, `srs_alignment` (from step 1), `architecture_decision` (from step 2), `risk_assessment` (from step 3).
 7. **Verify uploads landed.** `gh api` or `curl` against `https://devaudit.metasession.co/projects/<slug>/requirements/REQ-XXX/evidence` should show every artefact.
 8. **Update `compliance/RTM.md`** with portal links for each evidence row.
+9. **Update SDLC status sticky** before exiting Phase 3: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 3 complete — evidence uploaded; SRS-alignment + ADR + risk-assessment artefacts attached" "Phase 4 — sdlc-implementer auto-continuing (open release PR)"`.
 
 ### Phase 4 — Submit for UAT review (SDLC stage 4)
 
@@ -257,6 +349,7 @@ Reached only on the **tracked** route from Phase 0 (the issue is already fetched
 3. **Apply labels** — `awaiting-uat-review`, `risk:<class>`.
 4. **Comment on the issue**: "Implementation complete. PR #M opened. Evidence on portal: <link>. UAT review requested. Resume with `resume REQ-XXX` once UAT approval is granted on the portal."
 5. **Hard stop.** Phase 4 ends here. Do not proceed to merge; the human's next action is reviewing on the portal.
+6. **Update SDLC status sticky** before halting: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 4 — release PR #<N> opened against $RELEASE_BRANCH; CI running" "Operator action — review PR #<N> + approve UAT release on the portal; sdlc-implementer halts until you ping resume REQ-XXX"`. This is a critical handoff — the sticky must reflect that the agent has stopped + the operator is on the hook.
 
 **When an external gate hangs or fails for unrelated reasons.** A required gate may fail for reasons outside the change's scope — flaky infra, an unrelated regression test that hangs at hour-plus runtime with no log activity, a known-failing suite. When this happens:
 
@@ -278,8 +371,9 @@ Invoked separately by the user after UAT activity on the portal. Trigger: "resum
      - Verify production smoke evidence uploaded (`--environment production`) at `https://devaudit.metasession.co/projects/<slug>/releases/<version>`.
      - Mark release as `Released` via portal API: `PATCH /releases/<version>` with `{"status": "released"}`.
      - Comment on the issue: "Released. Production smoke evidence: <link>."
+     - **Update SDLC status sticky** to the terminal state: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Phase 5 complete — release marked Released; production smoke evidence uploaded" "Done — close issue + retire feature branch (sdlc-implementer halts)"`.
      - Close the issue.
-     - If production smoke fails: do NOT mark as Released. File an `[INCIDENT]` defect issue, page the on-call per the project's incident playbook, follow the rollback plan from the implementation plan.
+     - If production smoke fails: do NOT mark as Released. File an `[INCIDENT]` defect issue, page the on-call per the project's incident playbook, follow the rollback plan from the implementation plan. **Update the sticky** to reflect the incident state: `… "Phase 5 BLOCKED — production smoke failed; INCIDENT issue #N filed" "Operator action — read INCIDENT #N + execute rollback per plan"`.
 
    - **Changes requested** → run change-request loop:
      - Fetch change-request comments from the PR (`gh pr view <M> --comments`) and from the portal release page.
@@ -289,6 +383,7 @@ Invoked separately by the user after UAT activity on the portal. Trigger: "resum
      - Push to the same branch (no force-push). The PR auto-updates.
      - Re-request UAT review on the portal: `POST /api/projects/<slug>/releases/<version>/approval-requests`.
      - Comment on the issue: "Change requests addressed in commits <SHAs>. UAT re-review requested."
+     - **Update SDLC status sticky** for the re-review handoff: `bash scripts/update-sdlc-status.sh "$ISSUE_NUM" "Change-request iteration N applied; PR pushed; re-review requested" "Operator action — re-review on portal; sdlc-implementer halts until you ping resume REQ-XXX"`.
      - Hard stop again. The portal's release-approval state has reset; UAT must explicitly re-approve.
 
    - **Still pending UAT (no approval, no change-request)** → report "UAT review still pending on the portal at <link>" and stop. Do not act.

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -290,8 +290,19 @@ jobs:
           # (operator's choice — both layouts are common).
           upload_governance compliance/periodic-review.md             periodic_review
           upload_governance compliance/governance/periodic-review.md  periodic_review
-          upload_governance compliance/incident-report.md             incident_report
-          upload_governance compliance/governance/incident-report.md  incident_report
+          # Incident reports: glob `incident-report*.md` so per-incident
+          # files (e.g. `incident-report-2026-001.md`, written by
+          # incident-export.yml from labelled GitHub issues) all
+          # upload as real evidence. The unedited starter
+          # `incident-report.md` matches the glob too but is skipped
+          # by upload-evidence.sh's central stub guard — so the stub
+          # can never flip ISO29119.3.5.4 to COVERED on its own
+          # (devaudit#133). `*.md` does not match `*.md.template`.
+          shopt -s nullglob
+          for f in compliance/incident-report*.md compliance/governance/incident-report*.md; do
+            upload_governance "$f" incident_report
+          done
+          shopt -u nullglob
 
           # ── Audit-log export (DevAudit-Installer#98 WS2) ──────────────
           # Snapshot the portal's audit log for the rolling 90-day window