@metasession.co/devaudit-cli 0.1.7 → 0.1.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.7",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.9",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/_common/scripts/derive-release-version.sh

@@ -6,14 +6,18 @@
 #   VERSION=$(./scripts/derive-release-version.sh)
 #
 # Priority:
-#   1. REQ tag in commit subject: "[REQ-037] feat(kitchen): ..." -> REQ-037
-#   2. Ref in commit body:        "Ref: REQ-037"                 -> REQ-037
-#   3. Fallback:                  bare date                      -> v2026.05.17
+#   1. REQ tag in commit subject:   "[REQ-037] feat(kitchen): ..." -> REQ-037
+#   2. Ref in commit body:          "Ref: REQ-037"                 -> REQ-037
+#   3. Bracketed tag in commit body: merge commit whose body is the PR title
+#                                    "... [REQ-037] ..."           -> REQ-037
+#   4. Fallback:                    bare date                      -> v2026.05.17
 #
-# The id is taken from the bracketed subject tag or the `Ref:` line only —
-# NOT from arbitrary REQ mentions in prose (e.g. a body line "target close:
-# REQ-002" must not win over "Ref: REQ-001"). Subject takes priority over body.
-# Output: single line on stdout. Exit 0 in all normal cases.
+# The id is taken from a bracketed [REQ-XXX] tag (subject or body) or the
+# `Ref:` line — NOT from unbracketed prose (e.g. "target close: REQ-002" must
+# not win over "Ref: REQ-001"). Step 3 exists because a "Merge pull request"
+# commit carries the PR title (with its [REQ-XXX] tag) in the body, not the
+# subject — without it, PR-merged work falls through to the date fallback and
+# fragments onto a phantom date release. Output: single line on stdout.
 #
 # This ties a release record (project_id, version) to the feature the
 # commits belong to, so all CI uploads for one REQ converge on one
@@ -40,5 +44,14 @@ if echo "$BODY" | grep -qiE 'Ref:[[:space:]]*REQ-[0-9]+'; then
   exit 0
 fi
 
-# 3. Fallback: bare date in UTC
+# 3. Body: a bracketed [REQ-XXX] anywhere in the body. Catches a merge commit
+# whose body is the PR title — e.g. subject "Merge pull request #7 from …",
+# body "chore(deps): [REQ-002] …". Bracketed-only, so an unbracketed prose
+# mention ("target close: REQ-002") still cannot win over a real Ref: above.
+if echo "$BODY" | grep -qE '\[REQ-[0-9]+\]'; then
+  echo "$BODY" | grep -oE '\[REQ-[0-9]+\]' | head -1 | grep -oE 'REQ-[0-9]+'
+  exit 0
+fi
+
+# 4. Fallback: bare date in UTC
 echo "v$(date -u +%Y.%m.%d)"

package/sdlc/files/_common/scripts/derive-release-version.test.sh

@@ -101,6 +101,16 @@ Dependency advisories accepted under R-001; target close: REQ-002.
 Ref: REQ-001"
 assert_eq "prose REQ-002 before Ref: REQ-001 -> REQ-001" "REQ-001" "$(run_helper)"
 
+# Case 8: a "Merge pull request" commit carries the PR title (with its
+# bracketed [REQ-XXX] tag) in the BODY, not the subject, and no Ref: line.
+# Must resolve from the body bracket, not fall through to the date.
+# Regression for REQ-002 landing on a phantom v<date> release after a
+# feature->develop PR merge.
+make_fixture "$WORK/c8" "Merge pull request #7 from metasession-dev/feat/req-002
+
+chore(deps): [REQ-002] dependency hardening — close R-001"
+assert_eq "merge-commit body [REQ-002] -> REQ-002" "REQ-002" "$(run_helper)"
+
 echo ""
 echo "=== Summary: $PASS pass / $FAIL fail ==="
 

package/sdlc/files/ci/ci.yml.template

@@ -327,59 +327,18 @@ jobs:
               --category test_report ${FLAGS}
           fi
 
-          # Upload compliance docs (planning category)
-          for DOC in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md; do
-            if [ -f "$DOC" ]; then
-              upload "$(basename "$DOC")" \
-                {{PROJECT_SLUG}} _compliance-docs compliance_document "$DOC" \
-                --category planning ${FLAGS}
-            fi
-          done
-
-          # Upload release tickets (pending only — approved releases are historical)
-          for DIR in compliance/pending-releases; do
-            if [ -d "$DIR" ]; then
-              for TICKET in "$DIR"/*.md; do
-                [ -f "$TICKET" ] || continue
-                upload "$(basename "$TICKET")" \
-                  {{PROJECT_SLUG}} _compliance-docs compliance_document "$TICKET" \
-                  --category release_artifact ${FLAGS}
-              done
-            fi
-          done
-
-          # Upload per-requirement evidence — scoped to requirements with a
-          # pending release ticket. Without this scoping every historical
-          # compliance/evidence/REQ-*/ folder would be re-uploaded on every
-          # run, re-populating the release-requirement matrix with the full
-          # project catalogue (DevAudit #133).
-          IN_SCOPE_REQS=()
-          if [ -d compliance/pending-releases ]; then
-            for TICKET in compliance/pending-releases/RELEASE-TICKET-REQ-*.md; do
-              [ -f "$TICKET" ] || continue
-              REQ_ID=$(basename "$TICKET" .md | sed 's/^RELEASE-TICKET-//')
-              IN_SCOPE_REQS+=("$REQ_ID")
-            done
-          fi
-
-          if [ ${#IN_SCOPE_REQS[@]} -eq 0 ]; then
-            echo "No pending release tickets found — skipping per-requirement evidence upload"
-          else
-            echo "In-scope requirements for this release: ${IN_SCOPE_REQS[*]}"
-            for REQ_ID in "${IN_SCOPE_REQS[@]}"; do
-              REQ_DIR="compliance/evidence/${REQ_ID}/"
-              if [ ! -d "$REQ_DIR" ]; then
-                echo "Warning: pending ticket for ${REQ_ID} but no ${REQ_DIR} on disk"
-                continue
-              fi
-              for ARTIFACT in "$REQ_DIR"*.md; do
-                [ -f "$ARTIFACT" ] || continue
-                upload "${REQ_ID}/$(basename "$ARTIFACT")" \
-                  {{PROJECT_SLUG}} "${REQ_ID}" compliance_document "$ARTIFACT" \
-                  --category planning ${FLAGS}
-              done
-            done
-          fi
+          # NOTE: committed compliance docs (planning category: RTM/test-plan/
+          # test-cases, release tickets, and per-requirement
+          # compliance/evidence/REQ-*/ folders) are intentionally NOT uploaded
+          # here. compliance-evidence.yml is the single owner of those — it
+          # fires on every compliance/** push and uploads them to the same
+          # release (both workflows resolve the same version via
+          # derive-release-version.sh). Uploading them here too meant any push
+          # touching both code and compliance/ ran both workflows and inserted
+          # a duplicate row for every doc (evidence is append-only, no upsert),
+          # and re-populated the release matrix with the full catalogue. This
+          # job now uploads ONLY run-generated gate evidence (security_scan /
+          # ci_pipeline / test_report) above. See issue #45.
 
           if [ "$UPLOAD_FAILURES" -gt 0 ]; then
             echo "::error::${UPLOAD_FAILURES} evidence upload(s) failed — release is missing gate evidence and cannot pass UAT review"