@metasession.co/devaudit-cli 0.1.52 → 0.1.54

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.52",
+  "version": "0.1.54",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.52",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.54",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/scripts/upload-evidence.sh

@@ -133,6 +133,42 @@ fi
 # Strip any trailing slash so we don't double-up later.
 DEVAUDIT_BASE_URL="${DEVAUDIT_BASE_URL%/}"
 
+# --- Base-URL drift check (devaudit-installer#143) ---
+# When the portal moves host (e.g. devaudit.metasession.co → devaudit.ai)
+# Cloudflare / the origin replies 301/302 with a Location header pointing
+# at the new host. Every consumer's CI that still uses the old base URL
+# fails every upload until DEVAUDIT_BASE_URL is rotated. We don't want
+# the failure mode to be a silent "evidence didn't upload" — surface the
+# drift loudly at the top of the run so the operator knows to rotate the
+# secret. (We still upload via `curl -L` so the run itself succeeds; the
+# warning is the nudge to fix the secret, not a hard stop.)
+probe_base_url_drift() {
+  # `${var:-}` so `set -u` doesn't trip if curl isn't installed or the
+  # network is offline. Probe with -I (HEAD); fall back to GET if HEAD
+  # is rejected by the upstream proxy. 5s connect + 10s overall is
+  # plenty for a redirect-only probe — we never read a body.
+  local probe_url="${DEVAUDIT_BASE_URL}/api/health"
+  local resp
+  resp=$(curl -sI -o /dev/null --max-time 10 --connect-timeout 5 \
+    -w "%{http_code} %{redirect_url}" "$probe_url" 2>/dev/null || true)
+  local code="${resp%% *}"
+  local redirect_url="${resp#* }"
+  if [[ "$code" =~ ^30[1278]$ ]] && [ -n "$redirect_url" ] && [ "$redirect_url" != " " ]; then
+    local old_host new_host
+    old_host=$(printf '%s' "$DEVAUDIT_BASE_URL" | sed -E 's|^https?://([^/]+).*|\1|')
+    new_host=$(printf '%s' "$redirect_url"      | sed -E 's|^https?://([^/]+).*|\1|')
+    if [ -n "$new_host" ] && [ "$old_host" != "$new_host" ]; then
+      echo "WARNING: DEVAUDIT_BASE_URL host '${old_host}' redirects to '${new_host}'."
+      echo "         Rotate the DEVAUDIT_BASE_URL secret in your CI environment to"
+      echo "         the new host to avoid silent breakage. (Uploads will still"
+      echo "         succeed this run — curl follows the redirect — but the"
+      echo "         underlying secret should be updated.)"
+      echo "         Ref: https://github.com/metasession-dev/DevAudit-Installer/issues/143"
+    fi
+  fi
+}
+probe_base_url_drift
+
 # --- Build metadata JSON ---
 # Assemble entries first; only emit `{ ... }` if at least one field is
 # set. Each entry is a `"key":"value"` JSON pair with the value
@@ -213,8 +249,12 @@ for FILE in "${FILES[@]}"; do
   fi
   FILE_SIZE=$(stat -c%s "$FILE" 2>/dev/null || stat -f%z "$FILE")
   echo -n "Uploading ${FILENAME}... "
+  # `-L` follows 3xx redirects (devaudit-installer#143). The portal host
+  # has moved before (devaudit.metasession.co → devaudit.ai); without -L
+  # every consumer's CI silently fails on a stale base URL. `--max-redirs 3`
+  # bounds the follow so a misconfigured redirect loop can't hang CI.
   CURL_ARGS=(
-    -X POST "$UPLOAD_URL"
+    -X POST -L --max-redirs 3 "$UPLOAD_URL"
     -H "Authorization: Bearer ${DEVAUDIT_API_KEY}"
     -F "file=@${FILE}"
     -F "projectSlug=${PROJECT_SLUG}"

package/sdlc/files/_common/Test_Architecture.md

@@ -39,7 +39,7 @@ These standards apply to all Metasession products, client engagements, and inter
 ### Speed over Exhaustiveness
 - Fast feedback prioritized (unit tests < 30 seconds)
 - Parallelization and sharding for E2E suites
-- Strategic test selection based on code changes
+- Strategic test selection based on code changes — first concrete implementation is the three-tier E2E gating model (smoke / critical / regression), see Test_Strategy.md § *E2E gating model* (v0.1.53+)
 - Regression suites optimized for execution time
 
 ### Traceability

package/sdlc/files/_common/Test_Policy.md

@@ -150,6 +150,18 @@ Testing effort is prioritized by risk level, determined at planning time:
 
 AI involvement in Medium or High categories raises risk by one level. The Test Strategy defines specific testing depth requirements per level.
 
+### E2E gate enforcement (v0.1.53+)
+
+The MoSCoW prioritisation of acceptance criteria maps onto three E2E gates, each enforced at a different point in the workflow:
+
+- **Must-tier ACs in the smoke subset** must pass on every push to the integration branch. Blocking — a red smoke gate stops the integration hop.
+- **Must-tier ACs in the critical subset** must pass on every PR to the release branch. Blocking — a red critical gate stops the release.
+- **Should/Could-tier ACs (full regression)** must pass on the next post-merge run to the release branch OR a hotfix issue is auto-filed. Not pre-merge blocking — the safety net is post-hoc triage by the operator within working hours.
+
+Operator override on a hotfix issue (accept-with-rationale) is logged on the issue itself + carried in the next release's `test-execution-summary.md` design record (devaudit#50). The framework does not permit silently shipping a failing test — every red regression spec ends as either fixed, reverted, or accepted-with-recorded-rationale.
+
+See Test_Strategy.md § *System Testing (E2E)* — *E2E gating model* for the tier definitions + cost philosophy.
+
 ---
 
 ## Roles & Responsibilities

package/sdlc/files/_common/Test_Strategy.md

@@ -38,6 +38,24 @@ Validates interactions between system components — API contracts, service inte
 
 End-to-end validation of complete user workflows from UI to database. Primary responsibility of the QA team. Automated using BDD frameworks that map acceptance criteria to executable specifications. Covers 100% of critical user paths.
 
+#### E2E gating model — three tiers (devaudit#152 follow-up, v0.1.53)
+
+Full E2E regression on every PR is expensive — a 30+ minute wait per release-PR blocks velocity for diminishing marginal safety once smoke covers the headline flows. The framework's gating model maps the existing MoSCoW prioritisation onto three tiers, each gated at a different point in the workflow:
+
+| Tier | Location | When it runs | Wall-clock target | Audit role |
+|---|---|---|---|---|
+| **smoke** | `e2e/smoke/*.spec.ts` | every push to `$INTEGRATION_BRANCH` (via `ci.yml`) | ~3–5 min | fast feedback on every change |
+| **critical** | `e2e/smoke/` + `e2e/critical/*.spec.ts` | PR-to-`$RELEASE_BRANCH` (via `e2e-regression.yml`) | ~10–15 min | release-readiness Must gate |
+| **regression** | all `e2e/**/*.spec.ts` | nightly + push-to-`$RELEASE_BRANCH` + `workflow_dispatch` | ~35 min (or your project's full pack) | full audit trail + drift catch |
+
+The mapping to MoSCoW: **Must-priority SRS items live in `e2e/smoke/` (fast feedback) and `e2e/critical/` (release gate); Should/Could items live in `e2e/` and are covered by the regression tier.** The classifier is the developer authoring the spec — see `skills/e2e-test-engineer/SKILL.md` Phase 3 for the decision tree.
+
+**Cost philosophy.** Smoke protects every push from breaking the headline flow. Critical protects every release from a Must-tier regression. Full regression protects the audit trail + catches drift overnight. We accept that a Should/Could-tier regression *can* slip past the PR gate; we catch it on the next post-merge run + auto-file a hotfix issue. The framework prefers this over a 35-min wait on every release because operator velocity matters and the safety net stays intact.
+
+**Post-merge safety net.** Every push to `$RELEASE_BRANCH` re-runs the full regression. On failure, `e2e-regression.yml` auto-files a `bug, priority:high` issue tagging the merge commit + the failing specs. The operator triages within working hours — hotfix forward, revert the commit, or accept-with-rationale if the failure is environmental. No automated revert (false positives + flakes + UAT-data drift are real classes; an operator triages each individually).
+
+**Reference workflow.** A copy-pasteable `e2e-regression.yml` shape lives at `skills/e2e-test-engineer/references/e2e-regression-3-tier.yml`. Adoption is opt-in per consumer (the framework doesn't currently sync this workflow; consumers own their own `e2e-regression.yml`).
+
 ### Acceptance Testing
 
 Validates that requirements and acceptance criteria are met from a business perspective. Conducted in staging environments mirroring production. Requires sign-off from Product Managers. May include formal UAT with stakeholders for regulated features.

package/sdlc/files/_common/skills/adr-author/SKILL.md

@@ -206,7 +206,7 @@ I have reviewed the ADR-worthiness verdict above and confirm:
 
 **Step 2 — Tag for upload.** The CI's `compliance-evidence.yml` uploads this file as `evidence_type=architecture_decision` (added to META-COMPLY's `EVIDENCE_TYPE_REGISTRY` in the paired sub-PR). The framework-coverage matrix maps this to clauses per `framework-registry-auditor`'s review — see the META-COMPLY-side PR for the final clause attributions (v1 may ship orphan-by-design if the auditor rejects proposed mappings; see [`requirements-aligner`](../requirements-aligner/SKILL.md) for the precedent).
 
-**Step 3 — Hand-off back to `sdlc-implementer`.** The skill's job ends at the artefact + the operator sign-off. The parent orchestrator continues with the rest of Stage 3.
+**Step 3 — Return to the running `sdlc-implementer` context.** The skill's job ends at the artefact + the operator sign-off. The orchestrator immediately continues with the rest of Stage 3 inline — no pause, no operator nudge needed. (Skills run in the same invocation context; control returns synchronously when this skill exits. See `sdlc-implementer/SKILL.md` § *Sub-skill return semantics*.)
 
 ### Phase 3 — Per-REQ ad-hoc audit
 

package/sdlc/files/_common/skills/e2e-test-engineer/SKILL.md

@@ -131,6 +131,26 @@ Resist padding. A new endpoint doesn't need a test that re-verifies login if log
 
 For each scenario, write a one-line description. Present the full grouped list to the user before writing any code: *"Here's the coverage I'd propose — anything to add or drop?"*
 
+#### Classify each spec into a tier (devaudit#152 follow-up, v0.1.53)
+
+When designing each scenario, also pick the tier it'll live in. Three tiers map to MoSCoW priority + gating point (see `Test_Strategy.md` § *E2E gating model*):
+
+| Tier | File location | Picks this when… |
+|---|---|---|
+| **smoke** | `e2e/smoke/*.spec.ts` | Cross-cutting sanity that proves the app is up: login, basic nav, one canonical CRUD per main domain. Runs on every push to the integration branch. Keep small — total smoke wall-clock target is ~3–5 min. |
+| **critical** | `e2e/critical/*.spec.ts` | Must-priority SRS item that breaks a headline flow if it regresses. Examples: payment authorisation, order completion, admin permission editing, RBAC enforcement on financial surfaces. Runs on PR-to-release-branch. Total critical wall-clock target ~10–15 min (includes smoke). |
+| **regression** | `e2e/<area>/*.spec.ts` | Should/Could-priority SRS item, edge cases, less-load-bearing flows. Runs nightly + post-merge + dispatch. Total full pack can be 30+ min; that's the point of the tier. |
+
+Decision tree, applied per scenario:
+
+1. **Does the spec prove a Must-priority SRS AC (or a baseline "app is up" sanity check)?** → smoke or critical.
+2. **Within Must: would a regression here break a headline business flow visible to a paying customer or stop a release from shipping?** → critical. Otherwise → smoke.
+3. **Should/Could priority, edge case, advanced flow?** → regression (file under `e2e/<area>/`, not under `e2e/smoke/` or `e2e/critical/`).
+
+When you can't decide between critical and regression, default to **regression** — promoting a spec from regression → critical later is cheap (move the file); demoting in the other direction is rarely needed but equally cheap. The cost of putting a Should spec in critical is everyone waiting longer on every PR-to-main for a low-value signal.
+
+Record the tier choice in the eventual `test-execution-summary.md` § *Test design* (devaudit#50) — Layers covered should name which tier each new spec landed in. Reviewers verify the tier choice is defensible during the WAIT CHECKPOINT.
+
 ### Phase 4 — Reconcile with existing tests
 
 For the area touched by the change, look at what's already there.

package/sdlc/files/_common/skills/e2e-test-engineer/references/e2e-regression-3-tier.yml

@@ -0,0 +1,178 @@
+# Reference: three-tier E2E gating workflow (devaudit#152 follow-up, v0.1.53)
+#
+# Copy this into your consumer-owned .github/workflows/e2e-regression.yml
+# to adopt the 3-tier model: smoke (every develop push, fast) / critical
+# (PR-to-main, ~10-15 min target) / regression (nightly + push-to-main +
+# dispatch, full audit trail with auto-issue on failure).
+#
+# The framework does NOT sync this file automatically — your consumer
+# owns its e2e-regression.yml. Apply the patterns below to your own
+# file; keep any consumer-specific env / matrix / runner customisations.
+#
+# Tier definitions:
+#   - smoke   — runs on develop push via ci.yml (no change here)
+#   - critical — Playwright project that selects e2e/smoke/ + e2e/critical/
+#   - regression — Playwright project that selects all e2e/**/*.spec.ts
+#
+# playwright.config.ts must define the `critical` project for this to
+# fire; if it doesn't, the gate falls back to the existing `smoke`
+# project so PR-to-main stays green during migration.
+
+name: E2E Regression
+
+on:
+  pull_request:
+    branches: [main] # critical-tier gate before merge
+  push:
+    branches: [main] # full regression after merge; auto-issues on failure
+  schedule:
+    - cron: '0 2 * * *' # nightly full regression
+  workflow_dispatch:
+    inputs:
+      specs:
+        description: 'Optional: space-separated spec paths or --grep pattern for a scoped run. Empty = full regression.'
+        required: false
+
+permissions:
+  contents: read
+  issues: write # post-merge auto-issue on regression failure
+
+concurrency:
+  group: e2e-regression-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  e2e:
+    name: E2E Regression Tests
+    runs-on: ubuntu-latest # adapt to your runner; e.g. self-hosted, ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # for E2E_NEW_SPECS computation
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22' # match your project
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci --legacy-peer-deps
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
+
+      # Decide which Playwright project to run based on the trigger.
+      # PR-to-main uses critical with smoke fall-back; push-to-main and
+      # schedule run the full regression project; workflow_dispatch
+      # accepts an optional spec filter.
+      - name: Determine E2E project + spec selector
+        id: select
+        run: |
+          set -euo pipefail
+          EVENT="${{ github.event_name }}"
+          case "$EVENT" in
+            pull_request)
+              if grep -qE "name:\s*['\"]critical['\"]" playwright.config.ts 2>/dev/null; then
+                echo "project=critical" >> "$GITHUB_OUTPUT"
+                echo "Using critical-tier project (smoke + e2e/critical/)"
+              else
+                echo "project=smoke" >> "$GITHUB_OUTPUT"
+                echo "::warning::No 'critical' Playwright project defined; falling back to smoke. See e2e-test-engineer/references/e2e-regression-3-tier.yml + the Phase 3 tier-classification guide."
+              fi
+              echo "specs=" >> "$GITHUB_OUTPUT"
+              ;;
+            push|schedule)
+              echo "project=regression" >> "$GITHUB_OUTPUT"
+              echo "specs=" >> "$GITHUB_OUTPUT"
+              echo "Running full regression project"
+              ;;
+            workflow_dispatch)
+              echo "project=regression" >> "$GITHUB_OUTPUT"
+              echo "specs=${{ github.event.inputs.specs }}" >> "$GITHUB_OUTPUT"
+              if [ -n "${{ github.event.inputs.specs }}" ]; then
+                echo "Scoped dispatch: ${{ github.event.inputs.specs }}"
+              fi
+              ;;
+          esac
+
+      - name: Run E2E suite
+        id: run
+        env:
+          PLAYWRIGHT_HTML_REPORTER_OPEN: never
+          PLAYWRIGHT_JSON_OUTPUT_NAME: e2e-regression-results.json
+          # Add your e2e_env values here as needed (DEVAUDIT_BASE_URL etc.)
+        run: |
+          set -euo pipefail
+          PROJECT="${{ steps.select.outputs.project }}"
+          SPECS="${{ steps.select.outputs.specs }}"
+          if [ -n "$SPECS" ]; then
+            npx playwright test --project="$PROJECT" --reporter=json,html $SPECS
+          else
+            npx playwright test --project="$PROJECT" --reporter=json,html
+          fi
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-regression-report
+          path: |
+            e2e-regression-results.json
+            playwright-report/
+            test-results/
+
+      # ─────────────────────────────────────────────────────────────
+      # Post-merge auto-issue on regression failure (push:branches:[main])
+      #
+      # Catches regressions that slipped past the critical-tier PR gate.
+      # Opens a high-priority issue tagging the merge commit + the
+      # failing specs so the operator can triage within working hours.
+      # No auto-revert — that's intentionally an operator decision.
+      # ─────────────────────────────────────────────────────────────
+      - name: Open hotfix issue on post-merge regression
+        if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          MERGE_SHA="${{ github.sha }}"
+          MERGE_SHA_SHORT=$(echo "$MERGE_SHA" | cut -c1-7)
+          RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
+          # Extract failing spec names from the JSON reporter output if available.
+          FAILING=""
+          if [ -f e2e-regression-results.json ]; then
+            FAILING=$(jq -r '
+              [.. | objects | select(.status == "failed" or .status == "timedOut") | .title // empty]
+              | unique | .[]
+            ' e2e-regression-results.json 2>/dev/null | head -20 || true)
+          fi
+          if [ -z "$FAILING" ]; then
+            FAILING="(see the failing run logs — could not parse spec titles from reporter output)"
+          fi
+
+          BODY=$(cat <<EOF
+          ## Post-merge regression caught on \`main\`
+
+          The full regression suite failed on the post-merge run for commit \`${MERGE_SHA_SHORT}\`. The critical-tier PR gate let this slip through.
+
+          **Failing specs (best-effort extracted from the JSON reporter):**
+
+          \`\`\`
+          ${FAILING}
+          \`\`\`
+
+          **Triage actions:**
+
+          - [ ] Read the run log: ${RUN_URL}
+          - [ ] Pull \`e2e-regression-report\` artifact from the run; inspect \`test-results/<spec>/error-context.md\` for page state at failure
+          - [ ] Decide: hotfix on \`main\`, revert \`${MERGE_SHA_SHORT}\`, or accept-with-rationale if the failure is environmental
+          - [ ] If the failing spec is a Must-tier candidate that should have caught this pre-merge, move it from \`e2e/\` to \`e2e/critical/\` so the next PR-to-main runs it
+
+          **Auto-filed by:** \`e2e-regression.yml\` (devaudit#152 3-tier gating, v0.1.53+)
+          EOF
+          )
+
+          gh issue create \
+            --title "[hotfix] Post-merge regression on \`${MERGE_SHA_SHORT}\` — full E2E failed" \
+            --body "$BODY" \
+            --label "bug,priority:high"

package/sdlc/files/_common/skills/requirements-aligner/SKILL.md

@@ -132,7 +132,7 @@ I have reviewed the AC-to-SRS-item traces above and confirm:
 
 **Step 2 — Tag for upload.** The CI's `compliance-evidence.yml` uploads this file as `evidence_type=srs_alignment` (added to META-COMPLY's `EVIDENCE_TYPE_REGISTRY` in the paired sub-PR). The framework-coverage matrix then closes `ISO29119.3.4` (Test Plan — requirements traceability) and `SOC2.CC2.1` (Communication of policies — when paired with INSTRUCTIONS.md) for this REQ.
 
-**Step 3 — Hand-off back to `sdlc-implementer`.** The skill's job ends at the artefact + the operator sign-off. The parent orchestrator continues with the rest of Stage 3 (security summary, evidence upload, release ticket).
+**Step 3 — Return to the running `sdlc-implementer` context.** The skill's job ends at the artefact + the operator sign-off. The orchestrator immediately continues with the rest of Stage 3 (security summary, evidence upload, release ticket) inline — no pause, no operator nudge needed. (Skills run in the same invocation context; control returns synchronously when this skill exits. See `sdlc-implementer/SKILL.md` § *Sub-skill return semantics*.)
 
 ### Phase 3 — Per-REQ ad-hoc audit
 

package/sdlc/files/_common/skills/risk-register-keeper/SKILL.md

@@ -163,7 +163,7 @@ I have reviewed the risk register entries above and confirm:
 
 **Step 2 — Tag for upload.** The CI's `compliance-evidence.yml` uploads this file as `evidence_type=risk_assessment` (added to META-COMPLY's `EVIDENCE_TYPE_REGISTRY` in the paired sub-PR). The framework-coverage matrix attribution depends on `framework-registry-auditor`'s review — see the META-COMPLY-side PR for final clause closures.
 
-**Step 3 — Hand-off back to `sdlc-implementer`.** The skill's job ends at the artefact + operator sign-off.
+**Step 3 — Return to the running `sdlc-implementer` context.** The skill's job ends at the artefact + the operator sign-off. The orchestrator immediately continues with the rest of Stage 3 inline — no pause, no operator nudge needed. (Skills run in the same invocation context; control returns synchronously when this skill exits. See `sdlc-implementer/SKILL.md` § *Sub-skill return semantics*.)
 
 ### Phase 4 — `solo_with_gap` approval check
 

package/sdlc/files/_common/skills/sdlc-implementer/SKILL.md

@@ -45,6 +45,20 @@ The orchestrator MUST invoke `e2e-test-engineer` for end-to-end and visual-regre
 
 Unit-test and integration-test work stays with this skill until a counterpart unit-test skill ships. The full sub-skill call graph lives at [`references/call-graph.md`](./references/call-graph.md).
 
+## Sub-skill return semantics (devaudit-installer#144)
+
+**Sub-skills return findings synchronously; do not wait for operator confirmation between sub-skill returns.** Invoking a Skill loads its instructions into this same invocation context — there is no separate agent, no separate process. When a sub-skill emits its final summary and stops, this orchestrator's next step runs immediately, in the same turn if possible.
+
+The literal phrasing _"Returns to the running `sdlc-implementer` context"_ at the tail of each sub-skill (`requirements-aligner`, `adr-author`, `risk-register-keeper`, and any future siblings) does **not** mean "pause and wait for the operator to nudge you" — it means "you have control again; keep going with the parent workflow." A chain of three sub-skill calls in Phase 1 (steps 6 → 7 → 8) or Phase 3 (steps 1 → 2 → 3) is a single flowing sequence; do not stop between them.
+
+The only pauses in the whole workflow are the explicitly-named checkpoints:
+
+- **Phase 1 step 11** — pause for human approval **iff** risk class is HIGH or CRITICAL (or `--require-plan-approval` is set).
+- **Phase 4 step 5** — hard stop, release PR opened, awaiting UAT review on the portal.
+- **Phase 5** — invoked separately by the user (`resume REQ-XXX`).
+
+Everything else is silent continuation. The rule is **opt-in-to-pause, not opt-out-of-pause**. If you find yourself stopping after a sub-skill's "Return to the running `sdlc-implementer` context" line and waiting for the operator to ask _"is anything happening?"_ — that is the bug this section exists to prevent. Keep going.
+
 ## SDLC navigability — LAST/NEXT status sticky (devaudit#131)
 
 Long-running SDLC issues accumulate dozens of comments across multiple Claude Code sessions. The operator returning to the thread should be able to answer two questions in under five seconds:
@@ -204,13 +218,19 @@ _Workflow tweak (CI artifact upload, gate timeout bump, etc.)_
 
 Reached from Phase 0 for non-tracked change-types. The skill drives this end-to-end; the only difference from the tracked cycle is the absence of _ceremony_, not the absence of _guidance_. It pauses only where a human is genuinely required (PR review, merge).
 
+**CI trigger shape — read once before step 7.** The DevAudit-Installer-generated `ci.yml.template` defaults to **post-merge-only** triggers (`push: branches: [<integration>]`, no `pull_request:` trigger). On these projects there will be **no PR-time checks** to wait for — review + merge is the gate, and the post-merge CI run on the integration branch is the actual quality gate. A consumer who has explicitly added a `pull_request:` trigger has PR-time CI in addition. The skill must adapt step 7's wording to whichever shape the project uses; never poll a PR for checks that the template doesn't trigger.
+
 1. **Branch off `$INTEGRATION_BRANCH`** with a housekeeping prefix — `chore/…`, `docs/…`, `ci/…`, `build/…`, `test/…`, or `compliance/…` for a doc-only change against an existing REQ.
 2. **Make the change**, single-purpose. If it turns out to touch runtime behaviour in `app/` / `lib/`, stop and reclassify as tracked — the commit-type rule is the backstop.
 3. **Run all gates locally** (`npm run lint`, `npx tsc --noEmit`, the test suite, `semgrep`, `npm audit` — or the stack-adapter equivalents). Trivial ≠ unverified; never `--no-verify`.
 4. **Commit** with a housekeeping type and **no** `REQ-XXX` — `docs:` / `chore:` / `ci:` / `build:` / `test:` / `revert:` are exempt from the `[REQ-XXX]` rule; a `compliance:` doc-only change references the existing REQ. `Co-Authored-By: Claude` if AI-assisted.
 5. **Push and open the PR** into `$INTEGRATION_BRANCH` (`gh pr create --base "$INTEGRATION_BRANCH" --head <branch>`). CI runs the same quality gates; `compliance-validation.yml` finds no `REQ-XXX` and skips artifact validation.
 6. **For `ci:` changes, verify-via-dispatch before merging.** `gh workflow run <workflow.yml> --ref <branch>` fires the modified workflow against the PR branch. If the change broke a step, the dispatch run fails loudly and you fix-forward _before_ the merge ships the broken gate to `$INTEGRATION_BRANCH`. This is the cheapest insurance against silent CI regressions — a `ci:` change that breaks a gate is most damaging _after_ it lands.
-7. **Report honest status** — wait for CI, name any failing check, fix and re-push. Never announce "ready" while a required check is red.
+7. **Report honest status — adapt to the project's CI trigger shape (devaudit-installer#145).** Check whether `.github/workflows/ci.yml` has a `pull_request:` trigger.
+   - **PR-time CI present** — wait for CI to settle, name any failing check, fix and re-push. Never announce "ready" while a required check is red.
+   - **Post-merge-only CI (the DevAudit-Installer default — `push: branches: [<integration>]` with no `pull_request:` trigger)** — say so explicitly in the LAST/NEXT sticky: _"no PR-time checks will fire; review + merge is the gate; CI runs post-merge on `$INTEGRATION_BRANCH`."_ Don't poll the PR for checks that won't arrive. The post-merge run (CI Pipeline + Compliance Evidence Upload on the integration branch) is the actual gate; address it via fix-forward if it fails.
+
+   Either way, never bypass a gate (no `--no-verify`, no `--admin` merge of a red required check); the only difference is **where** you wait for the gate to fire — before merge vs. after merge.
 8. **Guide review → merge.** A human still reviews the PR (separation of duties). There is **no** portal release approval, no UAT four-eyes, no Production gate, and no close-out. Merge once CI is green and the reviewer approves.
 9. **Done.** A housekeeping push produces at most a bare-date release (`vYYYY.MM.DD`) with no approval gate; a doc-only push attaches its docs to the existing `REQ-XXX` release. No further action required — report completion and stop.
 

package/sdlc/files/ci/ci.yml.template

@@ -484,8 +484,21 @@ jobs:
           # moment each acceptance criterion is demonstrated, NOT the Playwright
           # report's trailing/failure capture. evidenceType `screenshot` →
           # image/png renders inline. Only when a pending release ticket defines
-          # the in-scope REQ(s); skipped on ordinary dev pushes. Best-effort: a
-          # screenshot upload failure warns but never blocks the gate.
+          # the in-scope REQ(s); skipped on ordinary dev pushes.
+          #
+          # devaudit-installer#147 — per-REQ glob scoping + UPLOAD_FAILURES
+          # accounting. Previously the SHOTS glob was project-wide
+          # (`ci-evidence/compliance/evidence/*/screenshots/*.png`) and the
+          # for-REQ loop uploaded that cross-product against every in-scope
+          # REQ. Out-of-scope REQs' legacy PNGs whose filenames don't match
+          # `REQ-XXX-AC<n>-<slug>.png` then 400'd at the portal — and the
+          # `|| echo "::warning::..."` swallowed the failure so the step
+          # reported SUCCESS while screenshots were quietly missing. Now each
+          # in-scope REQ globs its OWN screenshots/ directory; out-of-scope
+          # legacy folders are intentionally ignored. To re-upload an older
+          # REQ's screenshots, add its release ticket back under
+          # compliance/pending-releases/. Failures now bump UPLOAD_FAILURES
+          # so the step exits non-zero and the release PR turns red.
           SHOT_REQS=()
           if [ -d compliance/pending-releases ]; then
             for TICKET in compliance/pending-releases/RELEASE-TICKET-REQ-*.md; do
@@ -494,14 +507,8 @@ jobs:
             done
           fi
           shopt -s nullglob
-          # Only this run's freshly-generated screenshots (from the ci-results
-          # artifact). The full pack regenerates them every run, so the committed
-          # copies under compliance/evidence/ are redundant here — globbing both
-          # uploaded every image twice (deduped on display, but wasteful + rate-limit
-          # pressure) and swept in legacy screenshots from unrelated past releases.
-          SHOTS=(ci-evidence/compliance/evidence/*/screenshots/*.png)
-          if [ "${#SHOT_REQS[@]}" -gt 0 ] && [ "${#SHOTS[@]}" -gt 0 ]; then
-            echo "Uploading ${#SHOTS[@]} evidence screenshot(s) for: ${SHOT_REQS[*]}"
+          if [ "${#SHOT_REQS[@]}" -gt 0 ]; then
+            echo "Uploading per-AC evidence screenshots for: ${SHOT_REQS[*]}"
             SHOT_TMP="$(mktemp -d)"
             for REQ in "${SHOT_REQS[@]}"; do
               # Per-REQ release metadata for the portal (no-clobbered on existing rows):
@@ -518,7 +525,16 @@ jobs:
               REQ_META=()
               [ -n "$REQ_TITLE" ] && REQ_META+=(--release-title "$REQ_TITLE")
               [ -n "$REQ_CT" ] && REQ_META+=(--change-type "$REQ_CT")
-              for PNG in "${SHOTS[@]}"; do
+              # devaudit-installer#147 — per-REQ scoped glob. ONLY this REQ's
+              # own screenshots/ directory; legacy folders for REQs not in
+              # SHOT_REQS are intentionally ignored.
+              REQ_SHOTS=(ci-evidence/compliance/evidence/"$REQ"/screenshots/*.png)
+              if [ "${#REQ_SHOTS[@]}" -eq 0 ]; then
+                echo "No per-AC screenshots for ${REQ} (none captured by evidenceShot this run)"
+                continue
+              fi
+              echo "Uploading ${#REQ_SHOTS[@]} screenshot(s) for ${REQ}"
+              for PNG in "${REQ_SHOTS[@]}"; do
                 # The basename is the canonical evidenceShot filename
                 # `REQ-XXX-AC<n>-<slug>.png`. The portal validates this
                 # shape on upload — anything else is rejected with 400.
@@ -540,12 +556,22 @@ jobs:
                   fi
                 fi
 
-                bash scripts/upload-evidence.sh \
+                if bash scripts/upload-evidence.sh \
                   {{PROJECT_SLUG}} "$REQ" screenshot "$NAMED" \
                   --category test_report ${FLAGS} --release "$REQ" \
                   "${REQ_META[@]}" \
-                  "${ORIGIN_META[@]}" \
-                  || echo "::warning::evidence screenshot upload failed: ${PNG} -> ${REQ}"
+                  "${ORIGIN_META[@]}"
+                then
+                  :
+                else
+                  # devaudit-installer#147 — feed the same UPLOAD_FAILURES
+                  # counter that gate uploads use, so a screenshot
+                  # rejected by the portal's filename validator (or any
+                  # other failure mode) turns the step RED instead of
+                  # silently warning.
+                  echo "::warning::evidence screenshot upload failed: ${PNG} -> ${REQ}"
+                  UPLOAD_FAILURES=$((UPLOAD_FAILURES + 1))
+                fi
               done
             done
           fi