@metasession.co/devaudit-cli 0.1.55 → 0.1.57

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.55",
+  "version": "0.1.57",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,8 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.55",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.57",
+    "ajv": "^8.20.0",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/README_TEMPLATE.md

@@ -332,7 +332,7 @@ upload-evidence:
   needs: [e2e-tests]
   if: github.event_name == 'pull_request'
   steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
 
     # Upload test artifacts
     - name: Upload E2E evidence
@@ -367,7 +367,7 @@ sync-compliance-docs:
   runs-on: ubuntu-latest
   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
   steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Upload compliance documents
       run: |
         for doc in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md compliance/test-summary-report.md; do

package/sdlc/files/_common/skills/e2e-test-engineer/references/bootstrap.md

@@ -209,13 +209,13 @@ jobs:
   e2e:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with: { node-version: 'lts/*' }
       - run: npm ci
       - run: npx playwright install --with-deps
       - run: npm run test:e2e
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: playwright-report

package/sdlc/files/_common/skills/e2e-test-engineer/references/e2e-regression-3-tier.yml

@@ -46,11 +46,11 @@ jobs:
     name: E2E Regression Tests
     runs-on: ubuntu-latest # adapt to your runner; e.g. self-hosted, ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0 # for E2E_NEW_SPECS computation
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: '22' # match your project
           cache: 'npm'
@@ -111,7 +111,7 @@ jobs:
             npx playwright test --project="$PROJECT" --reporter=json,html
           fi
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         if: always()
         with:
           name: e2e-regression-report

package/sdlc/files/ci/check-release-approval.yml.template

@@ -33,7 +33,7 @@ jobs:
       PROJECT_SLUG: {{PROJECT_SLUG}}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           # The default `pull_request` checkout is a synthetic merge commit
           # with an empty body, so `derive-release-version.sh` can't see the

package/sdlc/files/ci/ci.yml.template

@@ -41,7 +41,7 @@ jobs:
 {{APP_ENV}}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           # Full history so the "new specs on this branch" calculation
           # (E2E_NEW_SPECS, below) can do a real diff against the merge
@@ -51,7 +51,7 @@ jobs:
 
       # ── Cached installs (skip if already present on self-hosted runner) ──
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: {{NODE_VERSION}}
 
@@ -209,7 +209,7 @@ jobs:
 
       # ── Upload artifacts ──
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         if: always()
         continue-on-error: true
         with:
@@ -232,22 +232,41 @@ jobs:
   register-release:
     name: Register Release
     runs-on: {{RUNNER}}
-    if: ${{ vars.DEVAUDIT_BASE_URL != '' }}
     outputs:
       version: ${{ steps.version.outputs.version }}
     env:
-      DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
+      DEVAUDIT_BASE_URL_VAR: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - name: Validate DevAudit env
+      - name: Resolve DevAudit base URL
         run: |
-          if [ -z "${DEVAUDIT_BASE_URL}" ] || [ -z "${DEVAUDIT_API_KEY}" ]; then
-            echo "::error::DEVAUDIT_BASE_URL (variable) and DEVAUDIT_API_KEY (secret) must both be set."
+          # Prefer sdlc-config.json devaudit.base_url (PR-visible) over the
+          # deprecated repo Variable — matching compliance-evidence.yml and
+          # check-release-approval.yml. DevAudit-Installer#156: gating this job
+          # on `vars.DEVAUDIT_BASE_URL` silently skipped release registration +
+          # evidence upload for consumers that moved base_url into
+          # sdlc-config.json (the v1.23.0 direction).
+          BASE=""
+          if [ -f sdlc-config.json ]; then
+            CONFIG_URL=$(jq -r '.devaudit.base_url // empty' sdlc-config.json 2>/dev/null || true)
+            [ -n "$CONFIG_URL" ] && BASE="$CONFIG_URL"
+          fi
+          if [ -n "$BASE" ]; then
+            echo "Using devaudit.base_url from sdlc-config.json: $BASE"
+          elif [ -n "$DEVAUDIT_BASE_URL_VAR" ]; then
+            BASE="$DEVAUDIT_BASE_URL_VAR"
+            echo "::warning::Using repo Variable DEVAUDIT_BASE_URL (deprecated in v1.23.0). Move base_url to sdlc-config.json devaudit.base_url for PR-visible config."
+          else
+            echo "::warning::No DevAudit base URL configured — skipping release registration. Set devaudit.base_url in sdlc-config.json."
+          fi
+          if [ -n "$BASE" ] && [ -z "${DEVAUDIT_API_KEY}" ]; then
+            echo "::error::DEVAUDIT_API_KEY (secret) must be set when a DevAudit base URL is configured."
             exit 1
           fi
-          echo "BASE=${DEVAUDIT_BASE_URL%/}" >> "$GITHUB_ENV"
+          echo "BASE=${BASE%/}" >> "$GITHUB_ENV"
+          echo "DEVAUDIT_BASE_URL=${BASE%/}" >> "$GITHUB_ENV"
 
       - name: Determine release version
         id: version
@@ -263,6 +282,7 @@ jobs:
           echo "Release version: ${VERSION}"
 
       - name: Ensure release exists
+        if: env.DEVAUDIT_BASE_URL != ''
         run: |
           chmod +x scripts/upload-evidence.sh 2>/dev/null || true
           # Create the release in DevAudit (no evidence yet — just registration)
@@ -273,6 +293,7 @@ jobs:
             --git-sha ${{ github.sha }} --branch ${{ github.ref_name }} || true
 
       - name: Sync known requirements from RTM
+        if: env.DEVAUDIT_BASE_URL != ''
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
@@ -343,15 +364,35 @@ jobs:
     # evidence — `status=failed` is itself the audit trail. `!cancelled()`
     # still guards against partial state on operator-cancel.
     # DevAudit-Installer#96.
-    if: ${{ always() && !cancelled() && vars.DEVAUDIT_BASE_URL != '' && needs.register-release.result == 'success' }}
+    if: ${{ always() && !cancelled() && needs.register-release.result == 'success' }}
     env:
-      DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
+      DEVAUDIT_BASE_URL_VAR: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+
+      - name: Resolve DevAudit base URL
+        run: |
+          # Prefer sdlc-config.json devaudit.base_url over the deprecated repo
+          # Variable (DevAudit-Installer#156). When neither is set the upload
+          # step below no-ops via `if: env.DEVAUDIT_BASE_URL != ''`.
+          BASE=""
+          if [ -f sdlc-config.json ]; then
+            CONFIG_URL=$(jq -r '.devaudit.base_url // empty' sdlc-config.json 2>/dev/null || true)
+            [ -n "$CONFIG_URL" ] && BASE="$CONFIG_URL"
+          fi
+          if [ -n "$BASE" ]; then
+            echo "Using devaudit.base_url from sdlc-config.json: $BASE"
+          elif [ -n "$DEVAUDIT_BASE_URL_VAR" ]; then
+            BASE="$DEVAUDIT_BASE_URL_VAR"
+            echo "::warning::Using repo Variable DEVAUDIT_BASE_URL (deprecated in v1.23.0). Move base_url to sdlc-config.json devaudit.base_url for PR-visible config."
+          else
+            echo "::warning::No DevAudit base URL configured — skipping evidence upload. Set devaudit.base_url in sdlc-config.json."
+          fi
+          echo "DEVAUDIT_BASE_URL=${BASE%/}" >> "$GITHUB_ENV"
 
       - name: Download CI gate artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         continue-on-error: true
         with:
           name: ci-results

package/sdlc/files/ci/close-out-release.yml.template

@@ -40,7 +40,7 @@ jobs:
       GH_TOKEN: ${{ github.token }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: develop
           fetch-depth: 0

package/sdlc/files/ci/compliance-evidence.yml.template

@@ -69,7 +69,7 @@ jobs:
       DEVAUDIT_BASE_URL_VAR: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           # Full history so `req_meta_args` can `git log --grep "[REQ-XXX]|Ref: REQ-XXX"`
           # against the implementation commits (the merge commit alone never
@@ -512,7 +512,7 @@ jobs:
     name: Upload E2E Regression Evidence
     if: github.event_name == 'workflow_run'
     runs-on: {{RUNNER}}
-    # actions: read is required so `actions/download-artifact@v4` with
+    # actions: read is required so `actions/download-artifact@v8` with
     # `run-id` can read another workflow's artifacts. Without it the
     # download step fails with a 404 even when the artifact exists.
     permissions:
@@ -522,7 +522,7 @@ jobs:
       DEVAUDIT_BASE_URL_VAR: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           # Check out the SHA the E2E Regression ran against — that
           # determines the release version + the in-scope REQs via the
@@ -557,7 +557,7 @@ jobs:
 
       - name: Download E2E Regression artifact
         if: steps.resolve.outputs.skip != 'true'
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: e2e-regression-report
           path: e2e-artifacts/

package/sdlc/files/ci/compliance-validation.yml.template

@@ -23,7 +23,7 @@ jobs:
     name: Compliance Validation
     runs-on: {{RUNNER}}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

package/sdlc/files/ci/incident-export.yml.template

@@ -38,7 +38,7 @@ jobs:
     # skips this job entirely on unlabelled issue closes.
     if: contains(github.event.issue.labels.*.name, 'incident')
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.DEVAUDIT_USER_TOKEN || github.token }}

package/sdlc/files/ci/periodic-review.yml.template

@@ -34,7 +34,7 @@ jobs:
     name: Generate quarterly periodic-review.md
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           # Need write access for the chore branch.

package/sdlc/files/ci/post-deploy-prod.yml.template

@@ -44,7 +44,7 @@ jobs:
       RELEASE_INPUT: ${{ github.event.inputs.release }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0   # full history so merged commits' REQ tags are readable
 

package/sdlc/files/ci/python/ci.yml.template

@@ -45,9 +45,9 @@ jobs:
 {{APP_ENV}}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '{{PYTHON_VERSION}}'
           cache: pip
@@ -164,11 +164,11 @@ jobs:
 
       # ── Upload artifacts ──
 
-      # actions/upload-artifact@v4 doesn't honour the job's `working-directory`;
+      # actions/upload-artifact@v7 doesn't honour the job's `working-directory`;
       # paths are workspace-relative. Prefix with WORKING_DIR_PREFIX so artifacts
       # uploaded from a subdir project (e.g. mission-control-api/) include the
       # subdir in their stored path, matching where the gate steps wrote them.
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         if: always()
         continue-on-error: true
         with:
@@ -191,7 +191,7 @@ jobs:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Validate DevAudit env
         run: |
@@ -293,7 +293,7 @@ jobs:
       DEVAUDIT_BASE_URL: ${{ vars.DEVAUDIT_BASE_URL }}
       DEVAUDIT_API_KEY: ${{ secrets.DEVAUDIT_API_KEY }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       # Download to workspace root: upload-artifact@v4 preserves the file's
       # workspace-relative path (e.g. mission-control-api/ci-evidence/sast.json
@@ -301,7 +301,7 @@ jobs:
       # those exact paths so the upload-evidence.sh references below resolve
       # without nesting.
       - name: Download CI gate artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         continue-on-error: true
         with:
           name: ci-results
@@ -352,15 +352,19 @@ jobs:
 
           mkdir -p {{WORKING_DIR_PREFIX}}ci-evidence
 
+          # Precise evidence_type=sast_report (matches the node template; the
+          # imprecise audit_log used pre-devaudit#370 made the portal's SAST and
+          # dependency panels show identical content — DevAudit-Installer#157).
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json ]; then
             upload sast-results.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json \
+              {{PROJECT_SLUG}} _compliance-docs sast_report {{WORKING_DIR_PREFIX}}ci-evidence/sast-results.json \
               --category security_scan --gate-status "$STATUS_SAST" ${FLAGS}
           fi
 
+          # Precise evidence_type=dependency_audit (matches the node template).
           if [ -f {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json ]; then
             upload dependency-audit.json \
-              {{PROJECT_SLUG}} _compliance-docs audit_log {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json \
+              {{PROJECT_SLUG}} _compliance-docs dependency_audit {{WORKING_DIR_PREFIX}}ci-evidence/dependency-audit.json \
               --category security_scan --gate-status "$STATUS_DEPAUDIT" ${FLAGS}
           fi
 

package/sdlc/files/stacks/_schema/adapter.schema.json

@@ -123,7 +123,7 @@
         "action": {
           "type": "string",
           "pattern": "^[^@]+@v[0-9]+$",
-          "description": "GitHub Actions reference — e.g. actions/setup-node@v4, actions/setup-python@v5."
+          "description": "GitHub Actions reference — e.g. actions/setup-node@v6, actions/setup-python@v6."
         },
         "with": {
           "type": "object",

package/sdlc/files/stacks/node/adapter.json

@@ -30,7 +30,7 @@
     "test": "ci-evidence/e2e-results.json"
   },
   "runtime_setup": {
-    "action": "actions/setup-node@v4",
+    "action": "actions/setup-node@v6",
     "with": { "node-version": "{{NODE_VERSION}}", "cache": "npm" }
   },
   "config_keys": {

package/sdlc/files/stacks/python/adapter.json

@@ -21,7 +21,7 @@
     "test": "ci-evidence/junit.xml"
   },
   "runtime_setup": {
-    "action": "actions/setup-python@v5",
+    "action": "actions/setup-python@v6",
     "with": { "python-version": "{{PYTHON_VERSION}}", "cache": "pip" }
   },
   "config_keys": {