npm - @metasession.co/devaudit-cli - Versions diffs - 0.1.8 → 0.1.10 - Mend

@metasession.co/devaudit-cli 0.1.8 → 0.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/sdlc/files/ci/ci.yml.template +29 -59

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@metasession.co/devaudit-cli",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
   "type": "module",
   "bin": {
@@ -33,7 +33,7 @@
   },
   "dependencies": {
     "@clack/prompts": "^0.8.2",
-    "@metasession.co/devaudit-plugin-sdk": "^0.1.8",
+    "@metasession.co/devaudit-plugin-sdk": "^0.1.10",
     "commander": "^12.1.0",
     "consola": "^3.2.3",
     "env-paths": "^3.0.0",

package/sdlc/files/ci/ci.yml.template CHANGED Viewed

@@ -82,9 +82,13 @@ jobs:
       - name: SAST Scan
         run: |
+          # --output writes the JSON report to the file directly; stderr
+          # (progress/metrics/version notices) goes to /dev/null. Using
+          # `> file 2>&1` instead merged semgrep's stderr into the JSON and
+          # produced an unparseable file (DevAudit #48).
           semgrep scan --config auto {{SOURCE_DIRS}} \
             --severity ERROR --severity WARNING \
-            --json > sast-results.json 2>&1 || true
+            --json --output sast-results.json 2>/dev/null || true
           FINDINGS=$(python3 -c "
           import json
           with open('sast-results.json') as f:
@@ -103,7 +107,8 @@ jobs:
       - name: Dependency Audit
         run: |
-          npm audit --json > dependency-audit.json 2>&1 || true
+          # stderr → /dev/null so warnings can't corrupt the JSON (DevAudit #48)
+          npm audit --json > dependency-audit.json 2>/dev/null || true
           ACCEPTED="{{ACCEPTED_DEP_RISKS}}"
           UNACCEPTED=$(python3 -c "
           import json
@@ -136,9 +141,15 @@ jobs:
         run: npx wait-on http://localhost:3000 --timeout 120000
       - name: E2E Tests
-        run: |
-          PLAYWRIGHT_HTML_REPORTER_OPEN=never npx playwright test --project={{E2E_PROJECT}} --reporter=json,html > e2e-results.json 2>/dev/null \
-            || PLAYWRIGHT_HTML_REPORTER_OPEN=never npx playwright test --project={{E2E_PROJECT}} --reporter=html
+        env:
+          # PLAYWRIGHT_JSON_OUTPUT_NAME makes the json reporter write straight
+          # to the file. Capturing stdout (`> e2e-results.json`) instead mixed
+          # the html reporter's "To open report" line in after the JSON blob
+          # and produced an unparseable file (DevAudit #48). html report still
+          # lands in playwright-report/.
+          PLAYWRIGHT_HTML_REPORTER_OPEN: never
+          PLAYWRIGHT_JSON_OUTPUT_NAME: e2e-results.json
+        run: npx playwright test --project={{E2E_PROJECT}} --reporter=json,html
       # ── Gate 5: Build ──
@@ -273,7 +284,7 @@ jobs:
           if [ ! -f ci-evidence/sast-results.json ]; then
             VENV="$HOME/.semgrep-venv"
             if [ -x "$VENV/bin/semgrep" ]; then
-              "$VENV/bin/semgrep" scan --config auto {{SOURCE_DIRS}} --json > ci-evidence/sast-results.json 2>/dev/null || echo '{"results":[]}' > ci-evidence/sast-results.json
+              "$VENV/bin/semgrep" scan --config auto {{SOURCE_DIRS}} --json --output ci-evidence/sast-results.json 2>/dev/null || echo '{"results":[]}' > ci-evidence/sast-results.json
             else
               echo '{"results":[]}' > ci-evidence/sast-results.json
             fi
@@ -327,59 +338,18 @@ jobs:
               --category test_report ${FLAGS}
           fi
-          # Upload compliance docs (planning category)
-          for DOC in compliance/RTM.md compliance/test-plan.md compliance/test-cases.md; do
-            if [ -f "$DOC" ]; then
-              upload "$(basename "$DOC")" \
-                {{PROJECT_SLUG}} _compliance-docs compliance_document "$DOC" \
-                --category planning ${FLAGS}
-            fi
-          done
-          # Upload release tickets (pending only — approved releases are historical)
-          for DIR in compliance/pending-releases; do
-            if [ -d "$DIR" ]; then
-              for TICKET in "$DIR"/*.md; do
-                [ -f "$TICKET" ] || continue
-                upload "$(basename "$TICKET")" \
-                  {{PROJECT_SLUG}} _compliance-docs compliance_document "$TICKET" \
-                  --category release_artifact ${FLAGS}
-              done
-            fi
-          done
-          # Upload per-requirement evidence — scoped to requirements with a
-          # pending release ticket. Without this scoping every historical
-          # compliance/evidence/REQ-*/ folder would be re-uploaded on every
-          # run, re-populating the release-requirement matrix with the full
-          # project catalogue (DevAudit #133).
-          IN_SCOPE_REQS=()
-          if [ -d compliance/pending-releases ]; then
-            for TICKET in compliance/pending-releases/RELEASE-TICKET-REQ-*.md; do
-              [ -f "$TICKET" ] || continue
-              REQ_ID=$(basename "$TICKET" .md | sed 's/^RELEASE-TICKET-//')
-              IN_SCOPE_REQS+=("$REQ_ID")
-            done
-          fi
-          if [ ${#IN_SCOPE_REQS[@]} -eq 0 ]; then
-            echo "No pending release tickets found — skipping per-requirement evidence upload"
-          else
-            echo "In-scope requirements for this release: ${IN_SCOPE_REQS[*]}"
-            for REQ_ID in "${IN_SCOPE_REQS[@]}"; do
-              REQ_DIR="compliance/evidence/${REQ_ID}/"
-              if [ ! -d "$REQ_DIR" ]; then
-                echo "Warning: pending ticket for ${REQ_ID} but no ${REQ_DIR} on disk"
-                continue
-              fi
-              for ARTIFACT in "$REQ_DIR"*.md; do
-                [ -f "$ARTIFACT" ] || continue
-                upload "${REQ_ID}/$(basename "$ARTIFACT")" \
-                  {{PROJECT_SLUG}} "${REQ_ID}" compliance_document "$ARTIFACT" \
-                  --category planning ${FLAGS}
-              done
-            done
-          fi
+          # NOTE: committed compliance docs (planning category: RTM/test-plan/
+          # test-cases, release tickets, and per-requirement
+          # compliance/evidence/REQ-*/ folders) are intentionally NOT uploaded
+          # here. compliance-evidence.yml is the single owner of those — it
+          # fires on every compliance/** push and uploads them to the same
+          # release (both workflows resolve the same version via
+          # derive-release-version.sh). Uploading them here too meant any push
+          # touching both code and compliance/ ran both workflows and inserted
+          # a duplicate row for every doc (evidence is append-only, no upsert),
+          # and re-populated the release matrix with the full catalogue. This
+          # job now uploads ONLY run-generated gate evidence (security_scan /
+          # ci_pipeline / test_report) above. See issue #45.
           if [ "$UPLOAD_FAILURES" -gt 0 ]; then
             echo "::error::${UPLOAD_FAILURES} evidence upload(s) failed — release is missing gate evidence and cannot pass UAT review"