@metasession.co/devaudit-cli 0.1.59 → 0.1.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@metasession.co/devaudit-cli",
3
- "version": "0.1.59",
3
+ "version": "0.1.60",
4
4
  "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -33,7 +33,7 @@
33
33
  },
34
34
  "dependencies": {
35
35
  "@clack/prompts": "^0.8.2",
36
- "@metasession.co/devaudit-plugin-sdk": "^0.1.59",
36
+ "@metasession.co/devaudit-plugin-sdk": "^0.1.60",
37
37
  "ajv": "^8.20.0",
38
38
  "commander": "^12.1.0",
39
39
  "consola": "^3.2.3",
@@ -133,7 +133,7 @@ This is the **independent verification gate**. Tests run locally during developm
133
133
  | CI | Push to `develop` | TypeScript + SAST + dependency audit + E2E + build | Quality gates + independent verification |
134
134
  | Deploy | Merge to `main` | Auto-deploy to hosting platform | Production release |
135
135
 
136
- PRs to `main` do not trigger a separate CI run. Branch protection required status checks ensure the commit already passed Quality Gates on the develop push. This avoids duplicate CI runs.
136
+ PRs to the integration branch run `Quality Gates` before merge. PRs to `main` do not trigger a duplicate quality-gates run; branch protection required status checks ensure the commit already passed Quality Gates on the integration branch.
137
137
 
138
138
  ### GitHub Actions Workflow File
139
139
 
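Review bot: the table row kept as context above this change still lists the CI trigger as "Push to `develop`" only, while the new paragraph says PRs to the integration branch now run `Quality Gates` before merge. Update the trigger cell of the `| CI |` row to name both events (PR to `develop` and push to `develop`) so the table and the paragraph under it describe the same pipeline; as written, a reader who stops at the table will still believe there are no PR-time checks.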
@@ -218,7 +218,7 @@ _Workflow tweak (CI artifact upload, gate timeout bump, etc.)_
218
218
 
219
219
  Reached from Phase 0 for non-tracked change-types. The skill drives this end-to-end; the only difference from the tracked cycle is the absence of _ceremony_, not the absence of _guidance_. It pauses only where a human is genuinely required (PR review, merge).
220
220
 
221
- **CI trigger shape — read once before step 7.** The DevAudit-Installer-generated `ci.yml.template` defaults to **post-merge-only** triggers (`push: branches: [<integration>]`, no `pull_request:` trigger). On these projects there will be **no PR-time checks** to wait for review + merge is the gate, and the post-merge CI run on the integration branch is the actual quality gate. A consumer who has explicitly added a `pull_request:` trigger has PR-time CI in addition. The skill must adapt step 7's wording to whichever shape the project uses; never poll a PR for checks that the template doesn't trigger.
221
+ **CI trigger shape — read once before step 7.** DevAudit-Installer-generated `ci.yml.template` runs `Quality Gates` on PRs to the integration branch and on pushes to the integration branch. Older consumers may still have post-merge-only CI (`push: branches: [<integration>]`, no `pull_request:` trigger) until they re-run `devaudit update`. The skill must adapt step 7's wording to whichever shape the project uses; never poll a PR for checks that won't arrive on that consumer yet.
222
222
 
223
223
  1. **Branch off `$INTEGRATION_BRANCH`** with a housekeeping prefix — `chore/…`, `docs/…`, `ci/…`, `build/…`, `test/…`, or `compliance/…` for a doc-only change against an existing REQ.
224
224
  2. **Make the change**, single-purpose. If it turns out to touch runtime behaviour in `app/` / `lib/`, stop and reclassify as tracked — the commit-type rule is the backstop.
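Review bot: the new paragraph describes two trigger shapes (PR-time plus post-merge for current templates, post-merge-only for older consumers) but does not say how the skill tells them apart, even though it is labelled "read once before step 7". Step 7 later checks `.github/workflows/ci.yml` for a `pull_request:` trigger; state that detection rule here in one sentence so the paragraph is self-contained and the reader does not have to find the rule further down.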
@@ -227,8 +227,8 @@ Reached from Phase 0 for non-tracked change-types. The skill drives this end-to-
227
227
  5. **Push and open the PR** into `$INTEGRATION_BRANCH` (`gh pr create --base "$INTEGRATION_BRANCH" --head <branch>`). CI runs the same quality gates; `compliance-validation.yml` finds no `REQ-XXX` and skips artifact validation.
228
228
  6. **For `ci:` changes, verify-via-dispatch before merging.** `gh workflow run <workflow.yml> --ref <branch>` fires the modified workflow against the PR branch. If the change broke a step, the dispatch run fails loudly and you fix-forward _before_ the merge ships the broken gate to `$INTEGRATION_BRANCH`. This is the cheapest insurance against silent CI regressions — a `ci:` change that breaks a gate is most damaging _after_ it lands.
229
229
  7. **Report honest status — adapt to the project's CI trigger shape (devaudit-installer#145).** Check whether `.github/workflows/ci.yml` has a `pull_request:` trigger.
230
- - **PR-time CI present** — wait for CI to settle, name any failing check, fix and re-push. Never announce "ready" while a required check is red.
231
- - **Post-merge-only CI (the DevAudit-Installer default — `push: branches: [<integration>]` with no `pull_request:` trigger)** — say so explicitly in the LAST/NEXT sticky: _"no PR-time checks will fire; review + merge is the gate; CI runs post-merge on `$INTEGRATION_BRANCH`."_ Don't poll the PR for checks that won't arrive. The post-merge run (CI Pipeline + Compliance Evidence Upload on the integration branch) is the actual gate; address it via fix-forward if it fails.
230
+ - **PR-time CI present (current DevAudit default)** — wait for `gh pr checks <PR>` to report `Quality Gates`, name any failing check, fix and re-push. Never announce "ready" while a required check is red. Release registration and evidence upload still happen on the post-merge push to `$INTEGRATION_BRANCH`.
231
+ - **Post-merge-only CI (older generated workflows — `push: branches: [<integration>]` with no `pull_request:` trigger)** — say so explicitly in the LAST/NEXT sticky: _"no PR-time checks will fire; review + merge is the gate; CI runs post-merge on `$INTEGRATION_BRANCH`."_ Don't poll the PR for checks that won't arrive. The post-merge run (CI Pipeline + Compliance Evidence Upload on the integration branch) is the actual gate; address it via fix-forward if it fails.
232
232
 
233
233
  Either way, never bypass a gate (no `--no-verify`, no `--admin` merge of a red required check); the only difference is **where** you wait for the gate to fire — before merge vs. after merge.
234
234
  8. **Guide review → merge.** A human still reviews the PR (separation of duties). There is **no** portal release approval, no UAT four-eyes, no Production gate, and no close-out. Merge once CI is green and the reviewer approves.
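Review bot: the PR-time bullet tells the skill to wait for `gh pr checks <PR>` to report `Quality Gates`, but it gives no exit condition for the case where that check never appears, for example when the consumer's required-check name in branch protection differs from the job name, or when the PR only touches paths the workflow filters out. Suggest adding a sentence on what to do when the expected check is absent (re-verify the trigger shape and the required-check name rather than keep polling) and using `gh pr checks <PR> --watch`, which blocks until checks settle, instead of leaving the waiting strategy implicit.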
@@ -1,4 +1,4 @@
1
- # CI Pipeline — all gates on every code push to develop
1
+ # CI Pipeline — all gates on PRs to develop and code pushes to develop
2
2
  #
3
3
  # Generated by `devaudit install` / `devaudit update` from sdlc-config.json.
4
4
  # Do not edit manually — re-run the CLI (`devaudit update`) to regenerate.
@@ -6,13 +6,16 @@
6
6
  # Single consolidated job — on a self-hosted runner, parallel jobs run
7
7
  # sequentially anyway. One checkout + one cached npm ci = fast.
8
8
  #
9
- # PRs to main inherit commit status via branch protection.
9
+ # PRs to develop run Quality Gates before integration. PRs to main inherit
10
+ # commit status via branch protection.
10
11
  # Compliance validation runs separately on PRs (compliance-validation.yml).
11
12
 
12
13
  name: CI Pipeline
13
14
 
14
15
  on:
15
16
  workflow_dispatch:
17
+ pull_request:
18
+ branches: [develop]
16
19
  push:
17
20
  branches: [develop]
18
21
  paths-ignore:
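Review bot: the new `pull_request:` trigger carries only `branches: [develop]`, while the `push:` trigger directly below it keeps a `paths-ignore:` filter. The two events therefore disagree on which changes run Quality Gates: a PR touching only ignored paths runs the full pipeline at PR time, yet the merge push that the comment calls the real gate is skipped. Either mirror `paths-ignore:` under `pull_request:` or add a header comment stating that the asymmetry is intended. It is also worth noting in the header that `pull_request` runs from forks receive a read-only `GITHUB_TOKEN` and no repository secrets, so Quality Gates steps that rely on secrets must tolerate their absence on that event.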
@@ -232,6 +235,10 @@ jobs:
232
235
  register-release:
233
236
  name: Register Release
234
237
  runs-on: {{RUNNER}}
238
+ # PRs to develop should report Quality Gates without mutating DevAudit
239
+ # releases or evidence. Release registration remains a develop-push /
240
+ # manual-dispatch side effect.
241
+ if: ${{ github.event_name != 'pull_request' }}
235
242
  outputs:
236
243
  version: ${{ steps.version.outputs.version }}
237
244
  env:
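Review bot: gating `register-release` on `github.event_name != 'pull_request'` is the right call, but the downstream jobs need the same review. This job publishes `outputs.version`, so other jobs presumably declare `needs: register-release`; in GitHub Actions a job whose dependency was skipped is itself skipped unless its own `if:` uses `always()` or `!cancelled()`, and a job that reads `needs.register-release.outputs.version` unconditionally will see an empty value. Confirm that every consumer of this output is either meant to skip on PRs or guards the empty case. The comment should also say that `workflow_dispatch` still registers a release, since the `if:` deliberately lets it through.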
@@ -1,17 +1,20 @@
1
- # CI Pipeline — all gates on every code push to develop (Python stack)
1
+ # CI Pipeline — all gates on PRs to develop and code pushes to develop (Python stack)
2
2
  #
3
3
  # Generated by `devaudit install` / `devaudit update` from sdlc-config.json + stacks/python/adapter.json.
4
4
  # Do not edit manually — re-run the CLI (`devaudit update`) to regenerate.
5
5
  #
6
6
  # Single consolidated job. Order: install → ruff → mypy → semgrep → pip-audit → pytest → build.
7
7
  #
8
- # PRs to main inherit commit status via branch protection.
8
+ # PRs to develop run Quality Gates before integration. PRs to main inherit
9
+ # commit status via branch protection.
9
10
  # Compliance validation runs separately on PRs (compliance-validation.yml).
10
11
 
11
12
  name: CI Pipeline
12
13
 
13
14
  on:
14
15
  workflow_dispatch:
16
+ pull_request:
17
+ branches: [develop]
15
18
  push:
16
19
  branches: [develop]
17
20
  paths-ignore:
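Review bot: same trigger asymmetry as in the Node template: `pull_request:` gets `branches: [develop]` only while `push:` keeps `paths-ignore:`, so a PR that touches only ignored paths runs the whole Python gate set (install, ruff, mypy, semgrep, pip-audit, pytest, build) at PR time while the post-merge push is skipped. Mirror the filter or document the intent in the header comment, and make the same decision in both templates so they do not drift.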
@@ -184,7 +187,10 @@ jobs:
184
187
  register-release:
185
188
  name: Register Release
186
189
  runs-on: {{RUNNER}}
187
- if: ${{ vars.DEVAUDIT_BASE_URL != '' }}
190
+ # PRs to develop should report Quality Gates without mutating DevAudit
191
+ # releases or evidence. Release registration remains a develop-push /
192
+ # manual-dispatch side effect.
193
+ if: ${{ github.event_name != 'pull_request' && vars.DEVAUDIT_BASE_URL != '' }}
188
194
  outputs:
189
195
  version: ${{ steps.version.outputs.version }}
190
196
  env:
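Review bot: the combined `if:` here keeps the existing `vars.DEVAUDIT_BASE_URL != ''` guard, whereas the equivalent hunk in the Node template adds only `github.event_name != 'pull_request'` because that job never had a base-URL guard. The two `register-release` jobs now behave differently when `DEVAUDIT_BASE_URL` is unset: the Python job skips cleanly, the Node job runs and can only fail once it tries to reach the DevAudit API. Align them by adding the variable guard to the Node template (or explain in the comment why it is Python-only), so a consumer switching stacks gets the same post-merge behaviour.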