@codyswann/lisa 1.14.0 → 1.16.0

package/expo/copy-overwrite/scripts/zap-baseline.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# OWASP ZAP Baseline Scan — Expo Web Export
+# Builds the Expo web export, serves it locally, and runs a ZAP baseline scan via Docker.
+# Outputs an HTML report to zap-report.html in the project root.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+TARGET_URL="${ZAP_TARGET_URL:-http://host.docker.internal:3000}"
+ZAP_RULES_FILE="${ZAP_RULES_FILE:-.zap/baseline.conf}"
+REPORT_FILE="zap-report.html"
+
+cd "$PROJECT_ROOT"
+
+# Verify Docker is available
+if ! command -v docker &> /dev/null; then
+  echo "Error: Docker is required but not installed."
+  echo "Install Docker from https://docs.docker.com/get-docker/"
+  exit 1
+fi
+
+if ! docker info &> /dev/null 2>&1; then
+  echo "Error: Docker daemon is not running."
+  exit 1
+fi
+
+# Detect package manager
+if [ -f "bun.lockb" ]; then
+  PKG_MGR="bun"
+elif [ -f "yarn.lock" ]; then
+  PKG_MGR="yarn"
+elif [ -f "pnpm-lock.yaml" ]; then
+  PKG_MGR="pnpm"
+else
+  PKG_MGR="npm"
+fi
+
+echo "==> Building Expo web export..."
+npx expo export --platform web
+
+echo "==> Starting static server on port 3000..."
+npx serve dist -l 3000 &
+SERVER_PID=$!
+
+cleanup() {
+  echo "==> Cleaning up..."
+  if [ -n "${SERVER_PID:-}" ]; then
+    kill "$SERVER_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+sleep 3
+if ! curl -sf http://localhost:3000 > /dev/null 2>&1; then
+  echo "Error: Static server failed to start"
+  exit 1
+fi
+
+echo "==> Running OWASP ZAP baseline scan..."
+ZAP_ARGS="-t $TARGET_URL"
+
+if [ -f "$ZAP_RULES_FILE" ]; then
+  echo "    Using rules file: $ZAP_RULES_FILE"
+  ZAP_ARGS="$ZAP_ARGS -c /zap/wrk/$(basename "$ZAP_RULES_FILE")"
+  MOUNT_RULES="-v $(dirname "$(realpath "$ZAP_RULES_FILE")"):/zap/wrk:ro"
+else
+  MOUNT_RULES=""
+fi
+
+docker run --rm \
+  --add-host=host.docker.internal:host-gateway \
+  -v "$(pwd)":/zap/wrk/:rw \
+  $MOUNT_RULES \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap-baseline.py $ZAP_ARGS \
+  -r "$REPORT_FILE" \
+  -J zap-report.json \
+  -w zap-report.md \
+  -l WARN || ZAP_EXIT=$?
+
+echo ""
+if [ -f "$REPORT_FILE" ]; then
+  echo "ZAP report saved to: $REPORT_FILE"
+fi
+
+if [ "${ZAP_EXIT:-0}" -ne 0 ]; then
+  echo "ZAP found medium+ severity findings (exit code: $ZAP_EXIT)"
+  echo "Review $REPORT_FILE for details."
+  exit "$ZAP_EXIT"
+else
+  echo "ZAP baseline scan passed — no medium+ severity findings."
+fi

package/expo/copy-overwrite/tsconfig.eslint.json

@@ -2,7 +2,8 @@
   "extends": "./tsconfig.json",
   "compilerOptions": {
     "rootDir": ".",
-    "noEmit": true
+    "noEmit": true,
+    "allowImportingTsExtensions": true
   },
   "include": [
     "app/**/*",

package/expo/copy-overwrite/tsconfig.expo.json

@@ -4,6 +4,13 @@
     "strict": true,
     "jsx": "react-native",
     "baseUrl": "./",
+    "noEmit": true,
+    "declaration": false,
+    "allowImportingTsExtensions": true,
+    "paths": {
+      "@/graphql/*": ["./generated/*"],
+      "@/*": ["./*"]
+    },
     "moduleSuffixes": [".ios", ".android", ".native", ".web", ""]
   }
 }

package/expo/copy-overwrite/tsconfig.json

@@ -1,3 +1,5 @@
 {
-  "extends": ["./tsconfig.expo.json", "./tsconfig.local.json"]
+  "extends": ["./tsconfig.expo.json", "./tsconfig.local.json"],
+  "include": ["**/*.ts", "**/*.tsx", "nativewind-env.d.ts"],
+  "exclude": ["node_modules", "dist", "web-build"]
 }

package/expo/create-only/.github/workflows/ci.yml

@@ -25,6 +25,14 @@ jobs:
       node_version: '22.21.1'
       package_manager: 'bun'
 
+  zap:
+    name: 🕷️ ZAP Baseline Scan
+    needs: [quality]
+    uses: ./.github/workflows/zap-baseline.yml
+    with:
+      node_version: '22.21.1'
+      package_manager: 'bun'
+
   create_issue_on_failure:
     name: 📌 Create Issue on Failure
     needs: [quality]

package/expo/create-only/babel.config.js

@@ -0,0 +1,27 @@
+/**
+ * Babel Configuration
+ *
+ * Configures Babel for Expo with NativeWind JSX transform support.
+ * This file is create-only — Lisa will create it but never overwrite
+ * your customizations.
+ *
+ * @remarks Required by the `jest.expo.ts` babel-jest transform which
+ * uses a metro caller config. Without this file, babel-jest cannot
+ * resolve the correct presets for React Native compilation.
+ * @see https://docs.expo.dev/versions/latest/config/babel/
+ * @module babel.config
+ */
+module.exports = function (api) {
+  api.cache(true);
+  return {
+    presets: [
+      [
+        "babel-preset-expo",
+        {
+          jsxImportSource: "nativewind",
+        },
+      ],
+      "nativewind/babel",
+    ],
+  };
+};

package/expo/create-only/jest.config.local.ts

@@ -0,0 +1,34 @@
+/**
+ * Jest Configuration - Project-Local Customizations
+ *
+ * Add project-specific Jest settings here. This file is create-only,
+ * meaning Lisa will create it but never overwrite your customizations.
+ *
+ * The Expo stack's `jest.expo.ts` provides haste, resolver, transform,
+ * and base coverage settings. This file should only contain settings
+ * that are project-specific or need to override the base config.
+ *
+ * @remarks `setupFiles` must define `__DEV__` and other React Native
+ * globals before any RN modules load — `jest.setup.pre.js` handles this.
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config.local
+ */
+import type { Config } from "jest";
+
+const config: Config = {
+  setupFiles: ["<rootDir>/jest.setup.pre.js"],
+  setupFilesAfterEnv: ["<rootDir>/jest.setup.ts"],
+
+  // Path aliases matching tsconfig.expo.json paths
+  moduleNameMapper: {
+    "^@/(.*)$": "<rootDir>/$1",
+  },
+
+  coveragePathIgnorePatterns: [
+    "/node_modules/",
+    "/generated/",
+    "\\.mock\\.(ts|tsx|js|jsx)$",
+  ],
+};
+
+export default config;

package/expo/create-only/jest.config.react-native-mock.js

@@ -0,0 +1,88 @@
+/**
+ * React Native TurboModule Mock Configuration
+ *
+ * Provides mock implementations for React Native's TurboModule native
+ * modules used in the test environment. These mocks are loaded by
+ * `jest.setup.pre.js` via `__turboModuleProxy`.
+ *
+ * @remarks Projects should add additional module mocks as needed.
+ * Only the baseline modules required by React Native core are included
+ * here — project-specific native modules (e.g., camera, maps) should
+ * be added to the project's copy of this file.
+ * @see https://reactnative.dev/docs/the-new-architecture/pillars-turbomodules
+ * @module jest.config.react-native-mock
+ */
+
+// Dynamically read React Native version from package.json
+const fs = require("fs");
+const path = require("path");
+
+/**
+ * Parses React Native version from package.json for PlatformConstants mock
+ * @returns The React Native version object with major, minor, and patch numbers
+ * @remarks Falls back to 0.81.4 if parsing fails — update the fallback
+ * when upgrading React Native
+ */
+const getReactNativeVersion = () => {
+  try {
+    const packageJson = JSON.parse(
+      fs.readFileSync(path.join(__dirname, "package.json"), "utf8")
+    );
+    const version = packageJson.dependencies["react-native"];
+    // Handle version formats: "0.81.4", "^0.81.4", "~0.81.4"
+    const versionMatch = version.match(/(\d+)\.(\d+)\.(\d+)/);
+    if (versionMatch) {
+      return {
+        major: parseInt(versionMatch[1], 10),
+        minor: parseInt(versionMatch[2], 10),
+        patch: parseInt(versionMatch[3], 10),
+      };
+    }
+  } catch (error) {
+    // Fallback to a default version if parsing fails
+    console.warn(
+      "Failed to parse React Native version from package.json:",
+      error
+    );
+  }
+  // Fallback version
+  return { major: 0, minor: 81, patch: 4 };
+};
+
+module.exports = {
+  PlatformConstants: {
+    getConstants: () => ({
+      reactNativeVersion: getReactNativeVersion(),
+      forceTouchAvailable: false,
+      osVersion: "14.4",
+      systemName: "iOS",
+      interfaceIdiom: "phone",
+    }),
+  },
+  AppState: {
+    getConstants: () => ({ initialAppState: "active" }),
+    getCurrentAppState: () => Promise.resolve({ app_state: "active" }),
+    addListener: () => {},
+    addEventListener: () => {},
+    removeListeners: () => {},
+    removeEventListener: () => {},
+    currentState: "active",
+  },
+  Appearance: {
+    getConstants: () => ({ initialColorScheme: "light" }),
+    getColorScheme: () => "light",
+    setColorScheme: () => {},
+    addChangeListener: () => ({ remove: () => {} }),
+    removeChangeListener: () => {},
+    addListener: () => ({ remove: () => {} }),
+    removeListeners: () => {},
+  },
+  DeviceInfo: {
+    getConstants: () => ({
+      Dimensions: {
+        window: { width: 375, height: 667, scale: 2, fontScale: 1 },
+        screen: { width: 375, height: 667, scale: 2, fontScale: 1 },
+      },
+    }),
+  },
+};

package/expo/create-only/jest.setup.pre.js

@@ -0,0 +1,106 @@
+/**
+ * Jest Pre-Setup File
+ *
+ * Runs before Jest loads any other modules to set up global flags needed
+ * by React Native. This file must be JavaScript (not TypeScript) and must
+ * not import any modules that depend on the global flags being set.
+ *
+ * @remarks
+ * - Listed in `setupFiles` (runs before test framework loads)
+ * - Sets `__DEV__`, `IS_REACT_ACT_ENVIRONMENT`, and other RN globals
+ * - Stubs `__turboModuleProxy` so native module requires don't throw
+ * - React 19 throws null on cleanup — the unhandledRejection handler
+ *   suppresses those while still surfacing real errors
+ * @see https://github.com/expo/expo/issues/38046 React 19 cleanup issue
+ * @see https://github.com/expo/expo/issues/40184 Jest 30 + expo-router
+ * @module jest.setup.pre
+ */
+
+// Polyfill structuredClone for jsdom environment
+// structuredClone is available in Node.js 17+ but jsdom doesn't expose it
+if (typeof global.structuredClone === "undefined") {
+  global.structuredClone = val => JSON.parse(JSON.stringify(val));
+}
+
+// Handle unhandled promise rejections BEFORE any other code runs
+// This must be set up first to catch React 19 "thrown: null" issues
+// Store the handler so it can be removed after tests complete (in jest.setup.ts)
+global.__unhandledRejectionHandler = (reason, _promise) => {
+  // Silently ignore null rejections from React 19 cleanup
+  if (reason === null) {
+    return;
+  }
+  // Re-throw other unhandled rejections so tests still fail for real issues
+  throw reason;
+};
+process.on("unhandledRejection", global.__unhandledRejectionHandler);
+
+// Disable RTLRN's auto cleanup to avoid "thrown: null" errors from React 19
+// We handle cleanup manually in jest.setup.ts
+process.env.RNTL_SKIP_AUTO_CLEANUP = "true";
+
+// Set React Native test environment flags BEFORE any modules are loaded
+global.__DEV__ = true;
+global.IS_REACT_ACT_ENVIRONMENT = true;
+global.IS_REACT_NATIVE_TEST_ENVIRONMENT = true;
+
+// Mock React Native bridge for testing
+global.__fbBatchedBridgeConfig = {
+  remoteModuleConfig: [],
+  localModulesConfig: [],
+};
+
+// Mock TurboModuleRegistry using external mock configuration
+const mockModules = require("./jest.config.react-native-mock");
+
+global.__turboModuleProxy = function (moduleName) {
+  return mockModules[moduleName] || null;
+};
+
+// Ensure global timers are available (required by @testing-library/react-native)
+// Jest's environment should have these, but we ensure they're set
+if (typeof global.setTimeout === "undefined") {
+  global.setTimeout = globalThis.setTimeout;
+}
+if (typeof global.clearTimeout === "undefined") {
+  global.clearTimeout = globalThis.clearTimeout;
+}
+if (typeof global.setInterval === "undefined") {
+  global.setInterval = globalThis.setInterval;
+}
+if (typeof global.clearInterval === "undefined") {
+  global.clearInterval = globalThis.clearInterval;
+}
+
+// Mock window object for web-specific code in platform-agnostic tests
+// This allows tests that check Platform.OS === 'web' branches to work
+// Important: Include timer functions because RTLRN checks typeof window !== 'undefined'
+global.window = {
+  // Timer functions (required by RTLRN)
+  setTimeout: global.setTimeout,
+  clearTimeout: global.clearTimeout,
+  setInterval: global.setInterval,
+  clearInterval: global.clearInterval,
+  setImmediate: global.setImmediate,
+  // Web-specific mocks
+  confirm: jest.fn(() => true),
+  alert: jest.fn(),
+  open: jest.fn(),
+  location: {
+    href: "",
+    origin: "http://localhost",
+    pathname: "/",
+    search: "",
+    hash: "",
+  },
+  addEventListener: jest.fn(),
+  removeEventListener: jest.fn(),
+  navigator: {
+    userAgent: "jest-test",
+  },
+  matchMedia: jest.fn(() => ({
+    matches: false,
+    addListener: jest.fn(),
+    removeListener: jest.fn(),
+  })),
+};

package/expo/create-only/jest.setup.ts

@@ -0,0 +1,118 @@
+/**
+ * Jest Setup File
+ *
+ * Configures the testing environment after Jest loads modules.
+ * Sets up React Native Testing Library matchers, global mocks,
+ * and manual cleanup for React 19 compatibility.
+ *
+ * @remarks
+ * - Listed in `setupFilesAfterEnv` (runs after test framework loads)
+ * - Basic globals like `__DEV__` are set earlier in `jest.setup.pre.js`
+ * - Manual cleanup replaces RTLRN auto-cleanup to handle React 19's
+ *   null-throw behavior during component teardown
+ * @see https://github.com/expo/expo/issues/38046 React 19 cleanup issue
+ * @see https://github.com/expo/expo/issues/40184 Jest 30 + expo-router
+ * @see {@link https://callstack.github.io/react-native-testing-library/ | RTLRN Docs}
+ * @module jest.setup
+ */
+
+// Import from pure to avoid auto-cleanup (we set RNTL_SKIP_AUTO_CLEANUP in pre-setup)
+// Then extend Jest matchers with React Native Testing Library matchers
+import { cleanup } from "@testing-library/react-native/pure";
+import "@testing-library/react-native/build/matchers/extend-expect";
+
+// Mock environment variables module for type-safe env access in tests
+// Tests can override specific values via jest.spyOn or jest.doMock
+// Replace the mock below with your project's actual env module and values
+jest.mock("@/lib/env", () => ({
+  env: {
+    EXPO_PUBLIC_ENV: "dev",
+    // Add your project-specific environment variables here
+  },
+}));
+
+// Extend global type for the unhandledRejection handler set in jest.setup.pre.js
+declare global {
+  let __unhandledRejectionHandler:
+    | ((reason: unknown, promise: Promise<unknown>) => void)
+    | undefined;
+}
+
+// Manual cleanup after each test (replacing RTLRN's auto cleanup)
+// This handles React 19's cleanup which can throw null
+afterEach(async () => {
+  try {
+    await cleanup();
+  } catch (error) {
+    // Silently ignore null throws from React 19 cleanup
+    if (error !== null) {
+      throw error;
+    }
+  }
+});
+
+// Mock ResizeObserver for tests that use it
+// eslint-disable-next-line functional/no-classes -- Mock implementation required for testing
+global.ResizeObserver = class ResizeObserver {
+  /** Starts observing an element — no-op for tests */
+  observe(): void {}
+  /** Stops observing an element — no-op for tests */
+  unobserve(): void {}
+  /** Disconnects observer — no-op for tests */
+  disconnect(): void {}
+};
+
+// Mock expo-router for tests using navigation hooks
+jest.mock("expo-router", () => ({
+  useRouter: jest.fn(() => ({
+    push: jest.fn(),
+    replace: jest.fn(),
+    back: jest.fn(),
+    canGoBack: jest.fn(() => true),
+  })),
+  usePathname: jest.fn(() => "/"),
+  useLocalSearchParams: jest.fn(() => ({})),
+  useGlobalSearchParams: jest.fn(() => ({})),
+  useSegments: jest.fn(() => []),
+  useNavigation: jest.fn(() => ({
+    navigate: jest.fn(),
+    goBack: jest.fn(),
+    getParent: jest.fn(() => ({
+      setOptions: jest.fn(),
+    })),
+  })),
+  Link: ({ children }: { children: React.ReactNode }) => children,
+  Stack: {
+    Screen: () => null,
+  },
+  Tabs: {
+    Screen: () => null,
+  },
+}));
+
+// Mock @react-native-firebase/analytics
+jest.mock("@react-native-firebase/analytics", () => {
+  const logEvent = jest.fn();
+  const getAnalytics = jest.fn(() => ({}));
+  return { logEvent, getAnalytics };
+});
+
+// Mock firebase/analytics
+jest.mock("firebase/analytics", () => {
+  const logEvent = jest.fn();
+  const getAnalytics = jest.fn(() => ({}));
+  return { logEvent, getAnalytics };
+});
+
+// Clear mocks after each test
+afterEach(() => {
+  jest.clearAllMocks();
+});
+
+// Remove the unhandledRejection handler after all tests to allow Jest to exit cleanly
+// The handler is registered in jest.setup.pre.js and stored on global
+afterAll(() => {
+  if (__unhandledRejectionHandler) {
+    process.removeListener("unhandledRejection", __unhandledRejectionHandler);
+  }
+});

package/expo/create-only/tsconfig.local.json

@@ -1,9 +1,3 @@
 {
-  "compilerOptions": {
-    "paths": {
-      "@/*": ["./*"]
-    }
-  },
-  "include": ["**/*.ts", "**/*.tsx"],
-  "exclude": ["node_modules"]
+  "compilerOptions": {}
 }

package/expo/package-lisa/package.lisa.json

@@ -18,7 +18,8 @@
       "fetch:graphql:schema:staging": "./scripts/fetch-graphql-schema.sh staging",
       "fetch:graphql:schema:production": "./scripts/fetch-graphql-schema.sh production",
       "export:web": "expo export --platform web --source-maps",
-      "pre-build:eas": "cat .gitignore > .easignore && cat .easignore.extra >> .easignore"
+      "pre-build:eas": "cat .gitignore > .easignore && cat .easignore.extra >> .easignore",
+      "security:zap": "bash scripts/zap-baseline.sh"
     },
     "dependencies": {
       "@apollo/client": "^3.10.8",
@@ -117,7 +118,8 @@
       "expo-atlas": "^0.4.0",
       "globals": "^16.0.0",
       "jest-environment-jsdom": "^30.2.0",
-      "jest-expo": "^54.0.12"
+      "jest-expo": "^54.0.12",
+      "serve": "^14.2.0"
     },
     "resolutions": {
       "eslint-plugin-react-hooks": "^7.0.0",

package/nestjs/copy-overwrite/.github/workflows/zap-baseline.yml

@@ -0,0 +1,123 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+
+name: ZAP Baseline Scan (NestJS)
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        description: 'Node.js version to use'
+        required: false
+        default: '22.21.1'
+        type: string
+      package_manager:
+        description: 'Package manager to use (npm, yarn, or bun)'
+        required: false
+        default: 'bun'
+        type: string
+      zap_target_url:
+        description: 'Override URL for ZAP to scan (default: http://localhost:3000/graphql)'
+        required: false
+        default: 'http://localhost:3000/graphql'
+        type: string
+      zap_rules_file:
+        description: 'Path to ZAP rules configuration file'
+        required: false
+        default: '.zap/baseline.conf'
+        type: string
+
+jobs:
+  zap_baseline:
+    name: ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+
+      - name: Setup Bun
+        if: inputs.package_manager == 'bun'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            npm ci
+          elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
+            yarn install --frozen-lockfile
+          elif [ "${{ inputs.package_manager }}" = "bun" ]; then
+            bun install --frozen-lockfile
+          fi
+
+      - name: Build project
+        run: ${{ inputs.package_manager }} run build
+
+      - name: Start NestJS server
+        run: |
+          ${{ inputs.package_manager }} run start &
+          SERVER_PID=$!
+          echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
+        env:
+          NODE_ENV: test
+          PORT: 3000
+
+      - name: Wait for server ready
+        run: |
+          echo "Waiting for NestJS server to be ready..."
+          RETRIES=30
+          until curl -sf http://localhost:3000/health > /dev/null 2>&1 || [ $RETRIES -eq 0 ]; do
+            echo "Waiting for server... ($RETRIES retries left)"
+            RETRIES=$((RETRIES - 1))
+            sleep 2
+          done
+          if [ $RETRIES -eq 0 ]; then
+            echo "Server failed to start within timeout"
+            exit 1
+          fi
+          echo "Server is ready"
+
+      - name: Check for ZAP rules file
+        id: check_rules
+        run: |
+          if [ -f "${{ inputs.zap_rules_file }}" ]; then
+            echo "has_rules=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_rules=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ inputs.zap_target_url }}
+          rules_file_name: ${{ steps.check_rules.outputs.has_rules == 'true' && inputs.zap_rules_file || '' }}
+          fail_action: true
+          allow_issue_writing: false
+          artifact_name: 'zap-report-nestjs'
+
+      - name: Stop NestJS server
+        if: always()
+        run: |
+          if [ -n "$SERVER_PID" ]; then
+            kill "$SERVER_PID" 2>/dev/null || true
+          fi
+
+      - name: Upload ZAP report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report-nestjs-${{ github.run_id }}
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          retention-days: 14