npm - @dujaunpaul/qass - Versions diffs - 0.1.0 - Mend

@dujaunpaul/qass 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/LICENSE +40 -0
package/README.md +146 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +117 -0
package/dist/cli.js.map +1 -0
package/dist/core/config.d.ts +4 -0
package/dist/core/config.d.ts.map +1 -0
package/dist/core/config.js +128 -0
package/dist/core/config.js.map +1 -0
package/dist/core/diff-analyzer.d.ts +3 -0
package/dist/core/diff-analyzer.d.ts.map +1 -0
package/dist/core/diff-analyzer.js +194 -0
package/dist/core/diff-analyzer.js.map +1 -0
package/dist/core/discover.d.ts +3 -0
package/dist/core/discover.d.ts.map +1 -0
package/dist/core/discover.js +51 -0
package/dist/core/discover.js.map +1 -0
package/dist/core/license.d.ts +13 -0
package/dist/core/license.d.ts.map +1 -0
package/dist/core/license.js +132 -0
package/dist/core/license.js.map +1 -0
package/dist/core/report.d.ts +4 -0
package/dist/core/report.d.ts.map +1 -0
package/dist/core/report.js +95 -0
package/dist/core/report.js.map +1 -0
package/dist/core/runner.d.ts +3 -0
package/dist/core/runner.d.ts.map +1 -0
package/dist/core/runner.js +136 -0
package/dist/core/runner.js.map +1 -0
package/dist/core/test-planner.d.ts +3 -0
package/dist/core/test-planner.d.ts.map +1 -0
package/dist/core/test-planner.js +107 -0
package/dist/core/test-planner.js.map +1 -0
package/dist/integrations/cursor-rule.d.ts +2 -0
package/dist/integrations/cursor-rule.d.ts.map +1 -0
package/dist/integrations/cursor-rule.js +46 -0
package/dist/integrations/cursor-rule.js.map +1 -0
package/dist/integrations/mcp-server.d.ts +67 -0
package/dist/integrations/mcp-server.d.ts.map +1 -0
package/dist/integrations/mcp-server.js +61 -0
package/dist/integrations/mcp-server.js.map +1 -0
package/dist/runners/api/api-runner.d.ts +3 -0
package/dist/runners/api/api-runner.d.ts.map +1 -0
package/dist/runners/api/api-runner.js +258 -0
package/dist/runners/api/api-runner.js.map +1 -0
package/dist/runners/api/endpoint-discovery.d.ts +3 -0
package/dist/runners/api/endpoint-discovery.d.ts.map +1 -0
package/dist/runners/api/endpoint-discovery.js +106 -0
package/dist/runners/api/endpoint-discovery.js.map +1 -0
package/dist/runners/e2e/playwright-runner.d.ts +3 -0
package/dist/runners/e2e/playwright-runner.d.ts.map +1 -0
package/dist/runners/e2e/playwright-runner.js +309 -0
package/dist/runners/e2e/playwright-runner.js.map +1 -0
package/dist/runners/security/dynamic-checker.d.ts +3 -0
package/dist/runners/security/dynamic-checker.d.ts.map +1 -0
package/dist/runners/security/dynamic-checker.js +136 -0
package/dist/runners/security/dynamic-checker.js.map +1 -0
package/dist/runners/security/rules/auth-middleware.d.ts +13 -0
package/dist/runners/security/rules/auth-middleware.d.ts.map +1 -0
package/dist/runners/security/rules/auth-middleware.js +94 -0
package/dist/runners/security/rules/auth-middleware.js.map +1 -0
package/dist/runners/security/rules/config-audit.d.ts +14 -0
package/dist/runners/security/rules/config-audit.d.ts.map +1 -0
package/dist/runners/security/rules/config-audit.js +91 -0
package/dist/runners/security/rules/config-audit.js.map +1 -0
package/dist/runners/security/rules/dep-audit.d.ts +7 -0
package/dist/runners/security/rules/dep-audit.d.ts.map +1 -0
package/dist/runners/security/rules/dep-audit.js +82 -0
package/dist/runners/security/rules/dep-audit.js.map +1 -0
package/dist/runners/security/rules/input-sanitization.d.ts +12 -0
package/dist/runners/security/rules/input-sanitization.d.ts.map +1 -0
package/dist/runners/security/rules/input-sanitization.js +64 -0
package/dist/runners/security/rules/input-sanitization.js.map +1 -0
package/dist/runners/security/rules/rate-limit-audit.d.ts +11 -0
package/dist/runners/security/rules/rate-limit-audit.d.ts.map +1 -0
package/dist/runners/security/rules/rate-limit-audit.js +51 -0
package/dist/runners/security/rules/rate-limit-audit.js.map +1 -0
package/dist/runners/security/rules/secrets-scan.d.ts +4 -0
package/dist/runners/security/rules/secrets-scan.d.ts.map +1 -0
package/dist/runners/security/rules/secrets-scan.js +129 -0
package/dist/runners/security/rules/secrets-scan.js.map +1 -0
package/dist/runners/security/rules/xss-vectors.d.ts +13 -0
package/dist/runners/security/rules/xss-vectors.d.ts.map +1 -0
package/dist/runners/security/rules/xss-vectors.js +76 -0
package/dist/runners/security/rules/xss-vectors.js.map +1 -0
package/dist/runners/security/static-analyzer.d.ts +7 -0
package/dist/runners/security/static-analyzer.d.ts.map +1 -0
package/dist/runners/security/static-analyzer.js +87 -0
package/dist/runners/security/static-analyzer.js.map +1 -0
package/dist/runners/unit/unit-runner.d.ts +3 -0
package/dist/runners/unit/unit-runner.d.ts.map +1 -0
package/dist/runners/unit/unit-runner.js +157 -0
package/dist/runners/unit/unit-runner.js.map +1 -0
package/dist/types.d.ts +153 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/dist/util/glob.d.ts +2 -0
package/dist/util/glob.d.ts.map +1 -0
package/dist/util/glob.js +32 -0
package/dist/util/glob.js.map +1 -0
package/package.json +68 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,40 @@
+QASS — Proprietary Software License
+Copyright (c) 2026 Dujaun Paul. All rights reserved.
+This software and its source code are the proprietary property of Dujaun Paul
+("Licensor"). By installing, downloading, or using this software ("QASS"), you
+agree to the following terms:
+1. GRANT OF USE
+   You are granted a non-exclusive, non-transferable, revocable license to use
+   QASS in accordance with the plan you have purchased (Free, Pro, or Team).
+2. RESTRICTIONS
+   You may NOT:
+   - Copy, modify, merge, or create derivative works of this software
+   - Distribute, sublicense, sell, or make this software available to third
+     parties
+   - Reverse engineer, decompile, or disassemble this software
+   - Remove or alter any proprietary notices or labels
+3. FREE TIER
+   The Free tier grants usage of the core security scanner and basic smoke
+   testing features at no cost, subject to these license terms. Free tier
+   usage does not grant any rights to the source code.
+4. PAID TIERS
+   Pro and Team features require a valid license key. Usage without a valid
+   license key constitutes a violation of this agreement.
+5. NO WARRANTY
+   THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED. THE LICENSOR SHALL NOT BE LIABLE FOR ANY CLAIMS, DAMAGES, OR OTHER
+   LIABILITY ARISING FROM THE USE OF THIS SOFTWARE.
+6. TERMINATION
+   This license is effective until terminated. It terminates automatically if
+   you fail to comply with any term. Upon termination, you must destroy all
+   copies of this software in your possession.
+For licensing inquiries: dujaun@qass.dev

package/README.md ADDED Viewed

@@ -0,0 +1,146 @@
+# QASS
+**QA + Security Scanner for vibe-coded apps.**
+Your AI writes code. QASS catches the security holes, broken flows, and silent failures it left behind — before your users do. Works with Cursor, Windsurf, Copilot, and any AI editor.
+## Install
+```bash
+npm install -g qass
+```
+Or run without installing:
+```bash
+npx qass scan --project .
+```
+## Quick Start
+```bash
+# Initialize config in your project
+qass init --project .
+# Run a full security scan
+qass scan --project . --full
+# Run tests based on your latest git changes
+qass test --project . --diff HEAD
+```
+## What It Catches
+### Free
+- **7 static security rules** — missing auth middleware, SQL/NoSQL injection, hardcoded secrets, XSS vectors, CORS misconfiguration, rate limiting gaps, dependency CVEs
+- **Basic smoke crawl** — page load verification, console error detection
+- **Endpoint discovery** — auto-detects Express routes
+- **Git diff analysis** — only scans what changed
+- **AI-readable reports** — structured for your AI editor to read and fix
+### Pro
+- **Full smoke crawl** — clicks every button, fills every form, catches silent failures
+- **Visual regression** — pixel-diff screenshots against baselines
+- **Flow testing** — multi-step user journeys defined in YAML
+- **API testing** — auth, plan gating, response validation with Supabase support
+- **Dynamic security probing** — tests live endpoints for error disclosure, missing headers
+## How It Works With AI Editors
+QASS generates a rule file that tells your AI editor to run tests after every code change:
+```bash
+# Generate a Cursor Rule
+qass cursor-rule --project .
+# Creates .cursor/rules/qass.mdc
+```
+The rule instructs your AI to:
+1. Run `qass test` after making changes
+2. Read the report at `.qass/results/latest.md`
+3. Fix every finding (each has exact file, line, and fix instructions)
+4. Re-run until clean
+5. Only then tell you it's done
+This works with any AI editor that can run terminal commands — Cursor, Windsurf, Copilot, Bolt, Lovable.
+## Configuration
+QASS uses a `.qass/config.yaml` file in your project root:
+```yaml
+project:
+  name: my-app
+services:
+  api:
+    framework: express
+    entry: src/server.ts
+    port: 3001
+  frontend:
+    framework: nextjs
+    port: 3000
+security:
+  static_rules:
+    - auth-middleware
+    - input-sanitization
+    - secrets-scan
+    - xss-vectors
+    - config-audit
+    - rate-limit-audit
+    - dep-audit
+  severity_threshold: LOW
+paths:
+  api_routes: "src/**/*.routes.ts"
+  middleware: "src/middleware/**"
+  frontend_pages: "app/**/page.tsx"
+  components: "components/**/*.tsx"
+```
+Run `qass init` to generate a default config.
+## CLI Commands
+| Command | Description |
+|---------|-------------|
+| `qass init` | Initialize `.qass/config.yaml` in your project |
+| `qass scan` | Run security scan only |
+| `qass test` | Run full test suite (security + API + E2E + unit) |
+| `qass discover` | List discovered endpoints, pages, and accounts |
+| `qass cursor-rule` | Generate AI editor rule file |
+| `qass activate <key>` | Activate a Pro/Team license |
+| `qass status` | Show current license and plan info |
+## Reports
+QASS generates reports in two formats:
+- **`.qass/results/latest.json`** — machine-readable, for programmatic use
+- **`.qass/results/latest.md`** — human/AI-readable, with fix instructions
+Each finding includes:
+```markdown
+#### MEDIUM: input-sanitization — routes/contacts.ts:6
+**Issue**: Unsanitized user input passed to .filter()
+**Fix**: Use a sanitization function: const q = sanitize(req.query.q);
+```
+## Requirements
+- Node.js >= 20.11.0
+- Git (for diff analysis)
+- Playwright (optional, for E2E testing): `npm i -D playwright`
+- Vitest (optional, for unit test generation): `npm i -D vitest`
+## License
+Proprietary. See [LICENSE](./LICENSE) for details.
+Free tier available. Pro and Team require a license key — see [qass.dev](https://qass.dev) for pricing.

package/dist/cli.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,117 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import chalk from "chalk";
+import { loadConfig, initConfig } from "./core/config.js";
+const program = new Command();
+program
+    .name("qass")
+    .description("QA + Security Scanner for vibe-coded apps. Ship fast. Ship safe.")
+    .version("0.1.0");
+program
+    .command("init")
+    .description("Initialize QASS config in a project")
+    .option("-p, --project <path>", "Project root path", ".")
+    .action(async (opts) => {
+    try {
+        const configPath = await initConfig(opts.project);
+        console.log(chalk.green("✓") + ` Config created at ${configPath}`);
+        console.log(chalk.dim("  Edit .qass/config.yaml to configure your project."));
+    }
+    catch (e) {
+        console.error(chalk.red("✗"), e instanceof Error ? e.message : "Failed to initialize");
+        process.exit(1);
+    }
+});
+program
+    .command("test")
+    .description("Run tests based on git diff")
+    .option("-p, --project <path>", "Project root path", ".")
+    .option("-d, --diff <ref>", "Git diff reference", "HEAD")
+    .option("-t, --type <type>", "Test type: api, e2e, unit, security, smoke, all", "all")
+    .action(async (opts) => {
+    try {
+        const config = await loadConfig(opts.project);
+        console.log(chalk.blue("QASS") +
+            chalk.dim(` testing ${config.project.name}...`));
+        const { runTests } = await import("./core/runner.js");
+        await runTests(config, opts.project, opts.diff, opts.type);
+    }
+    catch (e) {
+        console.error(chalk.red("✗"), e instanceof Error ? e.message : "Test run failed");
+        process.exit(1);
+    }
+});
+program
+    .command("scan")
+    .description("Run security scan only")
+    .option("-p, --project <path>", "Project root path", ".")
+    .option("-d, --diff <ref>", "Git diff reference", "HEAD")
+    .option("--full", "Scan all files, not just changed ones", false)
+    .action(async (opts) => {
+    try {
+        const config = await loadConfig(opts.project);
+        console.log(chalk.blue("QASS") +
+            chalk.dim(` scanning ${config.project.name}...`));
+        const { runTests } = await import("./core/runner.js");
+        await runTests(config, opts.project, opts.diff, "security", opts.full);
+    }
+    catch (e) {
+        console.error(chalk.red("✗"), e instanceof Error ? e.message : "Scan failed");
+        process.exit(1);
+    }
+});
+program
+    .command("discover")
+    .description("List discovered endpoints and pages")
+    .option("-p, --project <path>", "Project root path", ".")
+    .action(async (opts) => {
+    try {
+        const config = await loadConfig(opts.project);
+        const { discover } = await import("./core/discover.js");
+        await discover(config, opts.project);
+    }
+    catch (e) {
+        console.error(chalk.red("✗"), e instanceof Error ? e.message : "Discovery failed");
+        process.exit(1);
+    }
+});
+program
+    .command("cursor-rule")
+    .description("Generate Cursor Rule for this project")
+    .option("-p, --project <path>", "Project root path", ".")
+    .action(async (opts) => {
+    try {
+        const { generateCursorRule } = await import("./integrations/cursor-rule.js");
+        const rulePath = await generateCursorRule(opts.project);
+        console.log(chalk.green("✓") + ` Cursor rule created at ${rulePath}`);
+    }
+    catch (e) {
+        console.error(chalk.red("✗"), e instanceof Error ? e.message : "Failed to generate rule");
+        process.exit(1);
+    }
+});
+program
+    .command("activate <key>")
+    .description("Activate a Pro or Team license key")
+    .action(async (key) => {
+    const { activateLicense } = await import("./core/license.js");
+    const ok = await activateLicense(key);
+    if (!ok)
+        process.exit(1);
+});
+program
+    .command("deactivate")
+    .description("Remove license from this machine")
+    .action(async () => {
+    const { deactivateLicense } = await import("./core/license.js");
+    await deactivateLicense();
+});
+program
+    .command("status")
+    .description("Show current license and plan info")
+    .action(async () => {
+    const { showStatus } = await import("./core/license.js");
+    await showStatus();
+});
+program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE1D,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,MAAM,CAAC;KACZ,WAAW,CAAC,kEAAkE,CAAC;KAC/E,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,qCAAqC,CAAC;KAClD,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACxD,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,sBAAsB,UAAU,EAAE,CAAC,CAAC;QACnE,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CAAC,qDAAqD,CAAC,CACjE,CAAC;IACJ,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EACd,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,CACxD,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,6BAA6B,CAAC;KAC1C,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACxD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,CAAC;KACxD,MAAM,CACL,mBAAmB,EACnB,iDAAiD,EACjD,KAAK,CACN;KACA,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CAClD,CAAC;QAEF,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACtD,MAAM,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EACd,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,CACnD,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACxD,MAAM,CAAC,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,CAAC;KACxD,MAAM,CAAC,QAAQ,EAAE,uCAAuC,EAAE,KAAK,CAAC;KAChE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;YAChB,KAAK,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,CACnD,CAAC;QAEF,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACtD,MAAM,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACzE,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EACd,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAC/C,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,qCAAqC,CAAC;KAClD,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACxD,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACxD,MAAM,QAAQ,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EACd,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,CACpD,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,aAAa,CAAC;KACtB,WAAW,CAAC,uCAAuC,CAAC;KACpD,MAAM,CAAC,sBAAsB,EAAE,mBAAmB,EAAE,GAAG,CAAC;KACxD,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,IAAI,CAAC;QACH,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CACzC,+BAA+B,CAChC,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IACxE,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EACd,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,yBAAyB,CAC3D,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,gBAAgB,CAAC;KACzB,WAAW,CAAC,oCAAoC,CAAC;KACjD,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;IAC5B,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,YAAY,CAAC;KACrB,WAAW,CAAC,kCAAkC,CAAC;KAC/C,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAChE,MAAM,iBAAiB,EAAE,CAAC;AAC5B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,oCAAoC,CAAC;KACjD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACzD,MAAM,UAAU,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/core/config.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { QassConfig } from "../types.js";
+export declare function loadConfig(projectPath: string): Promise<QassConfig>;
+export declare function initConfig(projectPath: string): Promise<string>;
+//# sourceMappingURL=config.d.ts.map

package/dist/core/config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAK9C,wBAAsB,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAiBzE;AAiBD,wBAAsB,UAAU,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAmCrE"}

package/dist/core/config.js ADDED Viewed

@@ -0,0 +1,128 @@
+import { readFile, access, copyFile, mkdir } from "node:fs/promises";
+import { resolve, join } from "node:path";
+import { parse as parseYaml } from "yaml";
+const CONFIG_DIR = ".qass";
+const CONFIG_FILE = "config.yaml";
+export async function loadConfig(projectPath) {
+    const configPath = resolve(projectPath, CONFIG_DIR, CONFIG_FILE);
+    try {
+        await access(configPath);
+    }
+    catch {
+        throw new Error(`No QASS config found at ${configPath}\nRun 'qass init --project ${projectPath}' to create one.`);
+    }
+    const raw = await readFile(configPath, "utf-8");
+    const envResolved = resolveEnvVars(raw);
+    const config = parseYaml(envResolved);
+    validateConfig(config);
+    return config;
+}
+function resolveEnvVars(content) {
+    return content.replace(/\$\{(\w+)\}/g, (_, name) => {
+        return process.env[name] ?? "";
+    });
+}
+function validateConfig(config) {
+    if (!config.project?.name) {
+        throw new Error("Config missing required field: project.name");
+    }
+    if (!config.project?.root) {
+        throw new Error("Config missing required field: project.root");
+    }
+}
+export async function initConfig(projectPath) {
+    const targetDir = resolve(projectPath, CONFIG_DIR);
+    const targetFile = join(targetDir, CONFIG_FILE);
+    try {
+        await access(targetFile);
+        throw new Error(`Config already exists at ${targetFile}`);
+    }
+    catch (e) {
+        if (e instanceof Error && e.message.startsWith("Config already exists")) {
+            throw e;
+        }
+    }
+    await mkdir(targetDir, { recursive: true });
+    const templatePath = resolve(import.meta.dirname, "..", "templates", "config.example.yaml");
+    try {
+        await access(templatePath);
+        await copyFile(templatePath, targetFile);
+    }
+    catch {
+        const defaultConfig = generateDefaultConfig(projectPath);
+        const { writeFile } = await import("node:fs/promises");
+        await writeFile(targetFile, defaultConfig, "utf-8");
+    }
+    await mkdir(join(targetDir, "results"), { recursive: true });
+    await mkdir(join(targetDir, "baselines"), { recursive: true });
+    return targetFile;
+}
+function generateDefaultConfig(projectPath) {
+    const name = projectPath.split(/[\\/]/).pop() ?? "my-project";
+    return `project:
+  name: ${name}
+  root: .
+# services:
+#   api:
+#     start: "npm run dev"
+#     port: 3000
+#     health: "http://localhost:3000/health"
+#   frontend:
+#     start: "npm run dev"
+#     port: 3001
+#     url: "http://localhost:3001"
+# auth:
+#   provider: supabase
+#   supabase_url: \${NEXT_PUBLIC_SUPABASE_URL}
+#   supabase_anon_key: \${NEXT_PUBLIC_SUPABASE_ANON_KEY}
+# test_accounts:
+#   - email: test@example.com
+#     password: TestPass123!
+#     role: default
+paths:
+  api_routes: "src/**/*.routes.ts"
+  frontend_pages: "app/**/page.tsx"
+  components: "components/**/*.tsx"
+# route_mounting:
+#   example.routes.ts: /api/v1/example
+# feature_matrix:
+#   feature_name: [role1, role2]
+security:
+  enabled: true
+  severity_threshold: LOW
+  static_rules:
+    - auth-middleware
+    - input-sanitization
+    - secrets-scan
+    - xss-vectors
+    - config-audit
+    - rate-limit-audit
+    - dep-audit
+  dynamic_checks: true
+e2e:
+  viewports:
+    - { width: 1280, height: 720, name: desktop }
+    - { width: 375, height: 812, name: mobile }
+  smoke_crawl: true
+  visual_regression: true
+  visual_threshold: 0.01
+  stuck_timeout: 10000
+  slow_response: 3000
+# flows:
+#   example_flow:
+#     as: default
+#     steps:
+#       - goto: /
+#       - assert_visible: "h1"
+`;
+}
+//# sourceMappingURL=config.js.map

package/dist/core/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAG1C,MAAM,UAAU,GAAG,OAAO,CAAC;AAC3B,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,WAAmB;IAClD,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAEjE,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,2BAA2B,UAAU,8BAA8B,WAAW,kBAAkB,CACjG,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,CAAe,CAAC;IAEpD,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,OAAO,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE;QACjD,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,MAAkB;IACxC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,WAAmB;IAClD,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAEhD,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,4BAA4B,UAAU,EAAE,CAAC,CAAC;IAC5D,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACxE,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5C,MAAM,YAAY,GAAG,OAAO,CAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,EACnB,IAAI,EACJ,WAAW,EACX,qBAAqB,CACtB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3B,MAAM,QAAQ,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,aAAa,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACvD,MAAM,SAAS,CAAC,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7D,MAAM,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE/D,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,qBAAqB,CAAC,WAAmB;IAChD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,IAAI,YAAY,CAAC;IAC9D,OAAO;UACC,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+Db,CAAC;AACF,CAAC"}

package/dist/core/diff-analyzer.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { QassConfig, DiffAnalysis } from "../types.js";
+export declare function analyzeDiff(projectPath: string, diffRef: string, config: QassConfig): Promise<DiffAnalysis>;
+//# sourceMappingURL=diff-analyzer.d.ts.map

package/dist/core/diff-analyzer.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"diff-analyzer.d.ts","sourceRoot":"","sources":["../../src/core/diff-analyzer.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,UAAU,EACV,YAAY,EAGb,MAAM,aAAa,CAAC;AAsCrB,wBAAsB,WAAW,CAC/B,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CAevB"}

package/dist/core/diff-analyzer.js ADDED Viewed

@@ -0,0 +1,194 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { minimatch } from "minimatch";
+const exec = promisify(execFile);
+const FEATURE_KEYWORDS = {
+    logo_upload: ["logo", "logoUpload", "LogoUpload", "logo_upload"],
+    custom_branding: [
+        "branding",
+        "customBranding",
+        "brand_color",
+        "brandColor",
+        "display_name",
+    ],
+    route_optimization: [
+        "routeOptimiz",
+        "optimize-route",
+        "optimizeRoute",
+        "route_optimization",
+    ],
+    fleet_management: [
+        "fleet",
+        "Fleet",
+        "requireFleetOwner",
+        "fleetOperator",
+        "fleet_operators",
+    ],
+    analytics: ["analytics", "Analytics", "analyticsRoutes"],
+    api_access: ["apiAccess", "api_access"],
+    yaady_bot: ["yaady", "Yaady", "whatsapp", "WhatsApp", "yaadyBot"],
+    auth: ["auth", "signIn", "signUp", "requireCourier", "requireAdmin"],
+    plan_gating: [
+        "planGate",
+        "requireActiveCourierSubscription",
+        "SUBSCRIPTION_REQUIRED",
+        "PLAN_UPGRADE_REQUIRED",
+    ],
+};
+export async function analyzeDiff(projectPath, diffRef, config) {
+    const changedFiles = await getChangedFiles(projectPath, diffRef);
+    const categorized = categorizeFiles(changedFiles, config);
+    const affectedFeatures = detectAffectedFeatures(categorized, config);
+    const affectedRoles = detectAffectedRoles(affectedFeatures, config);
+    const changeCategories = [
+        ...new Set(categorized.map((f) => f.category)),
+    ];
+    return {
+        changedFiles: categorized,
+        affectedFeatures,
+        affectedRoles,
+        changeCategories,
+    };
+}
+async function getChangedFiles(projectPath, diffRef) {
+    const files = [];
+    try {
+        const { stdout: nameStatus } = await exec("git", ["diff", "--name-status", diffRef], { cwd: projectPath });
+        for (const line of nameStatus.trim().split("\n")) {
+            if (!line)
+                continue;
+            const [status, ...pathParts] = line.split("\t");
+            const filePath = pathParts.join("\t");
+            if (!filePath)
+                continue;
+            files.push({
+                path: filePath,
+                status: status.startsWith("R") ? "R" : status,
+            });
+        }
+    }
+    catch {
+        try {
+            const { stdout: nameStatus } = await exec("git", ["diff", "--name-status", "--staged"], { cwd: projectPath });
+            for (const line of nameStatus.trim().split("\n")) {
+                if (!line)
+                    continue;
+                const [status, ...pathParts] = line.split("\t");
+                const filePath = pathParts.join("\t");
+                if (!filePath)
+                    continue;
+                files.push({
+                    path: filePath,
+                    status: status.startsWith("R") ? "R" : status,
+                });
+            }
+        }
+        catch {
+            return [];
+        }
+    }
+    for (const file of files) {
+        if (file.status === "D")
+            continue;
+        try {
+            const { stdout: diff } = await exec("git", ["diff", diffRef, "--", file.path], { cwd: projectPath });
+            file.diff = diff;
+        }
+        catch {
+            // no diff available
+        }
+    }
+    return files;
+}
+function categorizeFiles(files, config) {
+    const paths = config.paths ?? {};
+    return files.map((file) => {
+        let category = "other";
+        for (const [key, pattern] of Object.entries(paths)) {
+            if (minimatch(file.path, pattern)) {
+                category = mapKeyToCategory(key);
+                break;
+            }
+        }
+        if (category === "other") {
+            category = inferCategory(file.path);
+        }
+        const statusMap = {
+            A: "added",
+            M: "modified",
+            D: "deleted",
+            R: "renamed",
+        };
+        return {
+            path: file.path,
+            status: statusMap[file.status] ?? "modified",
+            category,
+            diff: file.diff,
+        };
+    });
+}
+function mapKeyToCategory(key) {
+    const mapping = {
+        api_routes: "api_route",
+        api_app: "config",
+        frontend_pages: "frontend_page",
+        components: "component",
+        shared_lib: "shared_lib",
+        middleware: "middleware",
+    };
+    return mapping[key] ?? "other";
+}
+function inferCategory(filePath) {
+    if (/\.routes\.(ts|js)$/.test(filePath))
+        return "api_route";
+    if (/middleware/i.test(filePath))
+        return "middleware";
+    if (/page\.(tsx|jsx)$/.test(filePath))
+        return "frontend_page";
+    if (/components?\//i.test(filePath))
+        return "component";
+    if (/migrations?\//i.test(filePath))
+        return "migration";
+    if (/package\.json$|tsconfig|\.env|config\.(ts|js|yaml|yml)$/.test(filePath))
+        return "config";
+    if (/shared|packages\//i.test(filePath))
+        return "shared_lib";
+    return "other";
+}
+function detectAffectedFeatures(files, _config) {
+    const features = new Set();
+    const allDiffs = files.map((f) => f.diff ?? "").join("\n");
+    for (const [feature, keywords] of Object.entries(FEATURE_KEYWORDS)) {
+        if (keywords.some((kw) => allDiffs.includes(kw))) {
+            features.add(feature);
+        }
+    }
+    for (const file of files) {
+        if (file.path.includes("fleet"))
+            features.add("fleet_management");
+        if (file.path.includes("analytics"))
+            features.add("analytics");
+        if (file.path.includes("yaady"))
+            features.add("yaady_bot");
+        if (file.path.includes("auth"))
+            features.add("auth");
+        if (file.path.includes("subscription"))
+            features.add("plan_gating");
+    }
+    return [...features];
+}
+function detectAffectedRoles(features, config) {
+    const roles = new Set();
+    const matrix = config.feature_matrix ?? {};
+    for (const feature of features) {
+        const featureRoles = matrix[feature];
+        if (featureRoles) {
+            featureRoles.forEach((r) => roles.add(r));
+        }
+    }
+    if (roles.size === 0 && config.test_accounts) {
+        config.test_accounts.forEach((a) => roles.add(a.role));
+    }
+    return [...roles];
+}
+//# sourceMappingURL=diff-analyzer.js.map