@codyswann/lisa 1.13.0 → 1.15.0

package/typescript/copy-overwrite/.github/workflows/quality.yml

@@ -18,6 +18,7 @@
 #   - Snyk dependency vulnerability scanning
 #   - GitGuardian secret detection
 #   - FOSSA license compliance checking
+#   - OWASP ZAP DAST baseline scanning
 # - E2E testing:
 #   - Playwright web E2E tests (auto-detects playwright.config.ts)
 #   - Maestro Cloud mobile E2E tests (requires MAESTRO_API_KEY, project ID, and app binary)
@@ -54,10 +55,20 @@ on:
         default: 'npm'
         type: string
       skip_jobs:
-        description: 'Jobs to skip (comma-separated: lint,lint_slow,typecheck,test,test:unit,test:integration,test:e2e,maestro_e2e,playwright_e2e,format,build,dead_code,sg_scan,npm_security_scan,github_issue)'
+        description: 'Jobs to skip (comma-separated: lint,lint_slow,typecheck,test,test:unit,test:integration,test:e2e,maestro_e2e,playwright_e2e,format,build,dead_code,sg_scan,npm_security_scan,zap_baseline,github_issue)'
         required: false
         default: ''
         type: string
+      zap_target_url:
+        description: 'Target URL for OWASP ZAP baseline scan (leave empty to skip ZAP)'
+        required: false
+        default: ''
+        type: string
+      zap_rules_file:
+        description: 'Path to ZAP rules configuration file'
+        required: false
+        default: '.zap/baseline.conf'
+        type: string
       working_directory:
         description: 'Directory to run commands in (if not root)'
         required: false
@@ -1242,12 +1253,74 @@ jobs:
           echo "::warning::FOSSA license compliance check skipped - FOSSA_API_KEY not configured"
           echo "To enable license compliance checking, add FOSSA_API_KEY to your repository secrets"
 
+  zap_baseline:
+    name: 🕷️ OWASP ZAP Baseline
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    if: ${{ !contains(inputs.skip_jobs, 'zap_baseline') && inputs.zap_target_url != '' }}
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v4
+
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+
+      - name: 🍞 Setup Bun
+        if: inputs.package_manager == 'bun'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: 📦 Install dependencies
+        run: |
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            npm ci
+          elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
+            yarn install --frozen-lockfile
+          elif [ "${{ inputs.package_manager }}" = "bun" ]; then
+            bun install --frozen-lockfile
+          fi
+        working-directory: ${{ inputs.working_directory || '.' }}
+
+      - name: 🔍 Check for ZAP rules file
+        id: check_rules
+        run: |
+          if [ -f "${{ inputs.zap_rules_file }}" ]; then
+            echo "has_rules=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_rules=false" >> $GITHUB_OUTPUT
+          fi
+        working-directory: ${{ inputs.working_directory || '.' }}
+
+      - name: 🕷️ Run ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ inputs.zap_target_url }}
+          rules_file_name: ${{ steps.check_rules.outputs.has_rules == 'true' && inputs.zap_rules_file || '' }}
+          fail_action: true
+          allow_issue_writing: false
+          artifact_name: 'zap-report'
+
+      - name: 📤 Upload ZAP report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report-${{ github.run_id }}
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          retention-days: 14
+
   # Enterprise security tools summary
   security_tools_summary:
     name: 🔒 Security Tools Summary
     runs-on: ubuntu-latest
-    if: always() && (needs.sonarcloud.result != 'skipped' || needs.snyk.result != 'skipped' || needs.secret_scanning.result != 'skipped' || needs.license_compliance.result != 'skipped')
-    needs: [sonarcloud, snyk, secret_scanning, license_compliance]
+    if: always() && (needs.sonarcloud.result != 'skipped' || needs.snyk.result != 'skipped' || needs.secret_scanning.result != 'skipped' || needs.license_compliance.result != 'skipped' || needs.zap_baseline.result != 'skipped')
+    needs: [sonarcloud, snyk, secret_scanning, license_compliance, zap_baseline]
     steps:
       - name: 📝 Generate security tools summary
         run: |
@@ -1292,6 +1365,15 @@ jobs:
             echo "- 📜 **FOSSA License Compliance**: ❌ Failed" >> $GITHUB_STEP_SUMMARY
           fi
 
+          # OWASP ZAP Baseline status
+          if [ "${{ needs.zap_baseline.result }}" == "skipped" ]; then
+            echo "- 🕷️ **OWASP ZAP Baseline**: ⏭️ Skipped (no target URL)" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ needs.zap_baseline.result }}" == "success" ]; then
+            echo "- 🕷️ **OWASP ZAP Baseline**: ✅ Passed" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- 🕷️ **OWASP ZAP Baseline**: ❌ Failed" >> $GITHUB_STEP_SUMMARY
+          fi
+
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 📊 Security Posture" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -1328,7 +1410,14 @@ jobs:
             fi
           fi
 
-          echo "- **Active Security Tools**: $ACTIVE_TOOLS / 4" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ needs.zap_baseline.result }}" != "skipped" ]; then
+            ACTIVE_TOOLS=$((ACTIVE_TOOLS + 1))
+            if [ "${{ needs.zap_baseline.result }}" == "success" ]; then
+              PASSED_TOOLS=$((PASSED_TOOLS + 1))
+            fi
+          fi
+
+          echo "- **Active Security Tools**: $ACTIVE_TOOLS / 5" >> $GITHUB_STEP_SUMMARY
           echo "- **Passed Checks**: $PASSED_TOOLS / $ACTIVE_TOOLS" >> $GITHUB_STEP_SUMMARY
 
           if [ $ACTIVE_TOOLS -gt 0 ]; then
@@ -1382,6 +1471,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
       ]
     steps:
       - name: 📋 Validate compliance framework
@@ -1594,6 +1684,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
         compliance_validation,
       ]
     steps:
@@ -1648,7 +1739,8 @@ jobs:
                   sonarcloud: '${{ needs.sonarcloud.result }}',
                   snyk: '${{ needs.snyk.result }}',
                   secret_scan: '${{ needs.secret_scanning.result }}',
-                  license_check: '${{ needs.license_compliance.result }}'
+                  license_check: '${{ needs.license_compliance.result }}',
+                  zap_baseline: '${{ needs.zap_baseline.result }}'
                 },
                 compliance: '${{ needs.compliance_validation.result }}'
               },
@@ -1806,6 +1898,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
       ]
     steps:
       - name: 📊 Generate performance report
@@ -1856,6 +1949,7 @@ jobs:
           echo "| Snyk | ${{ needs.snyk.result }} | Security |" >> $GITHUB_STEP_SUMMARY
           echo "| Secret Scan | ${{ needs.secret_scanning.result }} | Security |" >> $GITHUB_STEP_SUMMARY
           echo "| License Check | ${{ needs.license_compliance.result }} | Security |" >> $GITHUB_STEP_SUMMARY
+          echo "| ZAP Baseline | ${{ needs.zap_baseline.result }} | Security |" >> $GITHUB_STEP_SUMMARY
 
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 💡 Performance Tips" >> $GITHUB_STEP_SUMMARY
@@ -1885,6 +1979,7 @@ jobs:
           [ "${{ needs.snyk.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
           [ "${{ needs.secret_scanning.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
           [ "${{ needs.license_compliance.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
+          [ "${{ needs.zap_baseline.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
 
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 🚀 Optimization Metrics" >> $GITHUB_STEP_SUMMARY

package/typescript/copy-overwrite/jest.base.ts

@@ -0,0 +1,112 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Shared Base
+ *
+ * Exports shared configuration pieces that can be imported by
+ * project-specific jest.config.ts files. Reduces duplication between
+ * typescript, expo, nestjs, and other project type configurations.
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.base
+ */
+import type { Config } from "jest";
+
+/**
+ * Default coverage thresholds used when not specified in project config.
+ * Projects can override via jest.thresholds.json.
+ */
+export const defaultThresholds: Config["coverageThreshold"] = {
+  global: {
+    statements: 70,
+    branches: 70,
+    functions: 70,
+    lines: 70,
+  },
+};
+
+/**
+ * Default patterns to exclude from coverage collection.
+ * Common across all stacks — stack-specific configs extend this list.
+ */
+export const defaultCoverageExclusions: readonly string[] = [
+  "!**/*.d.ts",
+  "!**/index.ts",
+  "!**/node_modules/**",
+  "!**/dist/**",
+  "!**/*.test.ts",
+  "!**/*.spec.ts",
+  "!**/*.mock.ts",
+  "!**/test/**",
+  "!**/tests/**",
+  "!**/__tests__/**",
+  "!**/__mocks__/**",
+];
+
+/**
+ * Merges project-specific threshold overrides into default thresholds.
+ * Allows projects to selectively raise or lower coverage requirements
+ * via jest.thresholds.json without replacing the entire threshold object.
+ *
+ * Spreads all top-level keys from both defaults and overrides (including
+ * per-path/per-file patterns like `"./src/api/": { branches: 80 }`).
+ * The `global` key receives special treatment: its properties are
+ * shallow-merged so individual metrics can be overridden without
+ * replacing the entire global object.
+ *
+ * @param defaults - Base thresholds from the stack config
+ * @param overrides - Project-specific overrides from jest.thresholds.json
+ * @returns Merged thresholds with overrides taking precedence
+ */
+export const mergeThresholds = (
+  defaults: Config["coverageThreshold"],
+  overrides: Config["coverageThreshold"]
+): Config["coverageThreshold"] => ({
+  ...defaults,
+  ...overrides,
+  global: {
+    ...(defaults?.global as Record<string, number>),
+    ...(overrides?.global as Record<string, number>),
+  },
+});
+
+/**
+ * Merges multiple Jest configs together with array concatenation and
+ * shallow object merging. Later configs take precedence for scalar values.
+ * Arrays are concatenated and deduplicated to allow additive composition.
+ *
+ * @param configs - Jest config objects to merge in order of precedence
+ * @returns Single merged Jest config
+ * @remarks Used by entry-point jest.config.ts files to combine stack config
+ * with project-local overrides without losing array values like testMatch
+ * or collectCoverageFrom.
+ */
+export const mergeConfigs = (...configs: Config[]): Config =>
+  configs.reduce(
+    (acc, config) =>
+      (Object.keys(config) as (keyof Config)[]).reduce((merged, key) => {
+        const accVal = acc[key];
+        const configVal = config[key];
+
+        const mergedValue =
+          Array.isArray(accVal) && Array.isArray(configVal)
+            ? [...new Set([...accVal, ...configVal])]
+            : typeof accVal === "object" &&
+                accVal !== null &&
+                !Array.isArray(accVal) &&
+                typeof configVal === "object" &&
+                configVal !== null &&
+                !Array.isArray(configVal)
+              ? {
+                  ...(accVal as Record<string, unknown>),
+                  ...(configVal as Record<string, unknown>),
+                }
+              : configVal;
+
+        return { ...merged, [key]: mergedValue };
+      }, acc),
+    {} as Config
+  );

package/typescript/copy-overwrite/jest.config.ts

@@ -0,0 +1,34 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Main Entry Point (TypeScript)
+ *
+ * Imports the TypeScript-specific configuration and project-local customizations.
+ * Do not modify this file directly - use jest.config.local.ts for project-specific settings.
+ *
+ * Inheritance chain:
+ *   jest.config.ts (this file)
+ *   └── jest.typescript.ts
+ *       └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config
+ */
+import { mergeConfigs, mergeThresholds } from "./jest.base.ts";
+import {
+  defaultThresholds,
+  getTypescriptJestConfig,
+} from "./jest.typescript.ts";
+
+import localConfig from "./jest.config.local.ts";
+import thresholdsOverrides from "./jest.thresholds.json" with { type: "json" };
+
+const thresholds = mergeThresholds(defaultThresholds, thresholdsOverrides);
+
+export default mergeConfigs(
+  getTypescriptJestConfig({ thresholds }),
+  localConfig
+);

package/typescript/copy-overwrite/jest.typescript.ts

@@ -0,0 +1,72 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - TypeScript Stack
+ *
+ * Provides TypeScript/Node-specific Jest configuration.
+ * Imports shared utilities from jest.base.ts.
+ * Stack-specific configs (expo, nestjs, cdk) should import and extend this.
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.typescript
+ */
+import type { Config } from "jest";
+
+import {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+} from "./jest.base.ts";
+
+// Re-export base utilities for stack-specific configs to use
+export {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+};
+
+/**
+ * Options for configuring the TypeScript Jest config factory.
+ */
+interface TypescriptJestOptions {
+  /** Coverage thresholds (merged defaults + project overrides) */
+  readonly thresholds?: Config["coverageThreshold"];
+}
+
+/**
+ * Creates a Jest configuration for TypeScript/Node projects using ts-jest.
+ *
+ * @param options - Configuration options for threshold overrides
+ * @param options.thresholds - Coverage thresholds (merged defaults + project overrides)
+ * @returns Jest config object with ts-jest transform, ESM support, and coverage settings
+ * @remarks Uses ts-jest ESM preset for projects with "type": "module" in package.json.
+ * Projects needing CommonJS should override the preset in jest.config.local.ts.
+ */
+export const getTypescriptJestConfig = ({
+  thresholds = defaultThresholds,
+}: TypescriptJestOptions = {}): Config => ({
+  preset: "ts-jest/presets/default-esm",
+  testEnvironment: "node",
+  testMatch: ["<rootDir>/tests/**/*.test.ts", "<rootDir>/src/**/*.test.ts"],
+  testPathIgnorePatterns: ["/node_modules/", "/dist/"],
+  moduleNameMapper: {
+    "^(\\.{1,2}/.*)\\.js$": "$1",
+  },
+  transform: {
+    "^.+\\.tsx?$": [
+      "ts-jest",
+      {
+        useESM: true,
+      },
+    ],
+  },
+  extensionsToTreatAsEsm: [".ts"],
+  collectCoverageFrom: ["src/**/*.ts", ...defaultCoverageExclusions],
+  coverageThreshold: thresholds,
+  testTimeout: 10000,
+});

package/typescript/copy-overwrite/tsconfig.base.json

@@ -0,0 +1,15 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "compilerOptions": {
+    "strict": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "esModuleInterop": true,
+    "resolveJsonModule": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "declaration": true,
+    "sourceMap": true,
+    "baseUrl": "./"
+  }
+}

package/typescript/copy-overwrite/tsconfig.eslint.json

@@ -2,8 +2,9 @@
   "extends": "./tsconfig.json",
   "compilerOptions": {
     "rootDir": ".",
-    "noEmit": true
+    "noEmit": true,
+    "allowImportingTsExtensions": true
   },
-  "include": ["src/**/*", "tests/**/*", "test/**/*", "*.config.ts", "eslint.*.ts"],
+  "include": ["src/**/*", "tests/**/*", "test/**/*", "*.config.ts", "eslint.*.ts", "jest.*.ts"],
   "exclude": ["node_modules", "dist", "build"]
 }

package/typescript/copy-overwrite/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": ["./tsconfig.typescript.json", "./tsconfig.local.json"],
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}

package/typescript/copy-overwrite/tsconfig.typescript.json

@@ -0,0 +1,11 @@
+{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "noUnusedLocals": true,
+    "noUnusedParameters": true
+  }
+}

package/typescript/create-only/jest.config.local.ts

@@ -0,0 +1,30 @@
+/**
+ * Jest Configuration - Project-Local Customizations
+ *
+ * Add project-specific Jest settings here. This file is create-only,
+ * meaning Lisa will create it but never overwrite your customizations.
+ *
+ * Example:
+ * ```ts
+ * import type { Config } from "jest";
+ *
+ * const config: Config = {
+ *   moduleNameMapper: {
+ *     "^@/(.*)$": "<rootDir>/src/$1",
+ *   },
+ *   setupFiles: ["<rootDir>/jest.setup.ts"],
+ * };
+ *
+ * export default config;
+ * ```
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config.local
+ */
+import type { Config } from "jest";
+
+const config: Config = {
+  // Add project-specific settings here
+};
+
+export default config;

package/typescript/create-only/jest.thresholds.json

@@ -0,0 +1,8 @@
+{
+  "global": {
+    "statements": 70,
+    "branches": 70,
+    "functions": 70,
+    "lines": 70
+  }
+}

package/typescript/create-only/tsconfig.local.json

@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  }
+}