@ivorycanvas/qamap 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (98) hide show
  1. package/CHANGELOG.md +93 -0
  2. package/LICENSE +21 -0
  3. package/README.md +636 -0
  4. package/dist/cli.d.ts +2 -0
  5. package/dist/cli.js +879 -0
  6. package/dist/cli.js.map +1 -0
  7. package/dist/config.d.ts +5 -0
  8. package/dist/config.js +114 -0
  9. package/dist/config.js.map +1 -0
  10. package/dist/context.d.ts +1 -0
  11. package/dist/context.js +126 -0
  12. package/dist/context.js.map +1 -0
  13. package/dist/doctor.d.ts +32 -0
  14. package/dist/doctor.js +200 -0
  15. package/dist/doctor.js.map +1 -0
  16. package/dist/domain-language.d.ts +25 -0
  17. package/dist/domain-language.js +655 -0
  18. package/dist/domain-language.js.map +1 -0
  19. package/dist/domains.d.ts +33 -0
  20. package/dist/domains.js +258 -0
  21. package/dist/domains.js.map +1 -0
  22. package/dist/e2e.d.ts +326 -0
  23. package/dist/e2e.js +6869 -0
  24. package/dist/e2e.js.map +1 -0
  25. package/dist/eval.d.ts +40 -0
  26. package/dist/eval.js +374 -0
  27. package/dist/eval.js.map +1 -0
  28. package/dist/flows.d.ts +32 -0
  29. package/dist/flows.js +246 -0
  30. package/dist/flows.js.map +1 -0
  31. package/dist/fs.d.ts +7 -0
  32. package/dist/fs.js +132 -0
  33. package/dist/fs.js.map +1 -0
  34. package/dist/github.d.ts +34 -0
  35. package/dist/github.js +183 -0
  36. package/dist/github.js.map +1 -0
  37. package/dist/history.d.ts +173 -0
  38. package/dist/history.js +247 -0
  39. package/dist/history.js.map +1 -0
  40. package/dist/index.d.ts +35 -0
  41. package/dist/index.js +20 -0
  42. package/dist/index.js.map +1 -0
  43. package/dist/manifest-suggestions.d.ts +67 -0
  44. package/dist/manifest-suggestions.js +673 -0
  45. package/dist/manifest-suggestions.js.map +1 -0
  46. package/dist/manifest.d.ts +212 -0
  47. package/dist/manifest.js +1607 -0
  48. package/dist/manifest.js.map +1 -0
  49. package/dist/qa.d.ts +53 -0
  50. package/dist/qa.js +361 -0
  51. package/dist/qa.js.map +1 -0
  52. package/dist/report.d.ts +5 -0
  53. package/dist/report.js +164 -0
  54. package/dist/report.js.map +1 -0
  55. package/dist/review.d.ts +31 -0
  56. package/dist/review.js +383 -0
  57. package/dist/review.js.map +1 -0
  58. package/dist/scanner.d.ts +3 -0
  59. package/dist/scanner.js +797 -0
  60. package/dist/scanner.js.map +1 -0
  61. package/dist/severity.d.ts +3 -0
  62. package/dist/severity.js +9 -0
  63. package/dist/severity.js.map +1 -0
  64. package/dist/test-evidence.d.ts +39 -0
  65. package/dist/test-evidence.js +303 -0
  66. package/dist/test-evidence.js.map +1 -0
  67. package/dist/test-plan.d.ts +35 -0
  68. package/dist/test-plan.js +573 -0
  69. package/dist/test-plan.js.map +1 -0
  70. package/dist/types.d.ts +60 -0
  71. package/dist/types.js +2 -0
  72. package/dist/types.js.map +1 -0
  73. package/dist/verify.d.ts +27 -0
  74. package/dist/verify.js +244 -0
  75. package/dist/verify.js.map +1 -0
  76. package/dist/version.d.ts +2 -0
  77. package/dist/version.js +3 -0
  78. package/dist/version.js.map +1 -0
  79. package/docs/adoption.md +166 -0
  80. package/docs/agent-skill.md +94 -0
  81. package/docs/api-contracts.md +30 -0
  82. package/docs/assets/qamap-30s-demo.gif +0 -0
  83. package/docs/configuration.md +277 -0
  84. package/docs/e2e-output-examples.md +464 -0
  85. package/docs/ecosystem.md +41 -0
  86. package/docs/eval.md +52 -0
  87. package/docs/github-action.md +89 -0
  88. package/docs/manifest.md +350 -0
  89. package/docs/quickstart-demo.md +268 -0
  90. package/docs/release-validation.md +247 -0
  91. package/docs/releasing.md +112 -0
  92. package/docs/roadmap.md +67 -0
  93. package/docs/rules.md +28 -0
  94. package/docs/verify.md +44 -0
  95. package/package.json +80 -0
  96. package/schema/qamap-manifest.schema.json +323 -0
  97. package/schema/qamap.schema.json +58 -0
  98. package/skills/qamap-pr-qa/SKILL.md +81 -0
@@ -0,0 +1,247 @@
1
+ # 0.2.1 Patch Release Validation
2
+
3
+ QAMap should not publish a patch or minor version only because the CLI commands work in fixtures. The `0.2.1` release should prove that the manifest-backed QA skill flow is useful across representative repositories without requiring an LLM call.
4
+
5
+ ## Release Bar
6
+
7
+ QAMap is ready for `0.2.1` when the commands below produce useful, reviewable output for each representative repository type:
8
+
9
+ - manifest-free `qamap qa` output that works as a PR comment/checklist draft
10
+ - packaged `skills/qamap-pr-qa/SKILL.md` template included in the npm tarball
11
+ - repository baseline generation with `.qamap/manifest.yaml`
12
+ - manifest validation that catches stale or ambiguous team verification policy
13
+ - branch-level manifest explanation with clear update paths
14
+ - manifest-driven E2E drafts that use declared routes and checks before heuristic candidates
15
+ - web app with Playwright-compatible routes and components
16
+ - mobile or Expo/React Native app with Maestro-compatible screens
17
+ - API or backend service repo with contract-oriented checklist output
18
+ - CLI package with command-oriented checklist output
19
+ - monorepo package scanned with `--workspace-root`
20
+ - monorepo root that points reviewers to changed app/package targets
21
+ - test-light project with little or no existing E2E coverage
22
+ - API-dependent UI flow that needs deterministic mock or fixture data
23
+ - evidence-only branches where only tests, docs, or generated output changed
24
+
25
+ For each target, record:
26
+
27
+ - command used
28
+ - base/head refs or working-tree mode
29
+ - recommended runner
30
+ - generated flow language brief quality
31
+ - draft readiness summary
32
+ - draft self-check status and blockers
33
+ - required and recommended draft action items
34
+ - previewed or generated file paths
35
+ - manual notes about false positives, missing context, or weak selectors
36
+
37
+ ## Required Commands
38
+
39
+ Run these from a clean checkout of QAMap before any release candidate:
40
+
41
+ ```sh
42
+ pnpm run release:check
43
+ ```
44
+
45
+ `release:check` expands to the required local suite: `pnpm test`, `pnpm scan`, `git diff --check`, coverage thresholds, and `pnpm pack --dry-run`. If a release candidate fails, run the individual command directly to inspect the failure.
46
+
47
+ Run the npm publish preview after the local release gate passes:
48
+
49
+ ```sh
50
+ npm publish --dry-run --access public
51
+ ```
52
+
53
+ Run these against every representative target repository:
54
+
55
+ ```sh
56
+ node dist/cli.js e2e plan <target> --base <base> --head <head> --format markdown
57
+ node dist/cli.js e2e plan <target> --base <base> --head <head> --format json
58
+ node dist/cli.js qa <target> --base <base> --head <head> --format markdown
59
+ node dist/cli.js qa <target> --base <base> --head <head> --format json
60
+ node dist/cli.js e2e draft <target> --base <base> --head <head> --output <tmp-output-dir> --dry-run
61
+ node dist/cli.js qa <target> --manifest <tmp-manifest-file> --base <base> --head <head> --format markdown
62
+ node dist/cli.js e2e draft <target> --manifest <tmp-manifest-file> --base <base> --head <head> --dry-run
63
+ node dist/cli.js e2e draft <target> --base <base> --head <head> --output <tmp-output-dir>
64
+ node dist/cli.js e2e draft <target> --base <base> --head <head> --output <tmp-output-dir> --force --json
65
+ node dist/cli.js manifest init <target> --write <tmp-manifest-file> --force --format json
66
+ node dist/cli.js manifest validate <target> --manifest <tmp-manifest-file> --format markdown
67
+ node dist/cli.js manifest validate <target> --format markdown
68
+ node dist/cli.js manifest context <target> --format markdown
69
+ node dist/cli.js manifest explain <target> --manifest <tmp-manifest-file> --base <base> --head <head> --format markdown
70
+ node dist/cli.js manifest explain <target> --base <base> --head <head> --format markdown
71
+ ```
72
+
73
+ For monorepos, include:
74
+
75
+ ```sh
76
+ node dist/cli.js e2e plan <package> --workspace-root <repo-root> --base <base> --head <head> --format markdown
77
+ node dist/cli.js qa <package> --workspace-root <repo-root> --base <base> --head <head> --format markdown
78
+ node dist/cli.js e2e draft <package> --workspace-root <repo-root> --base <base> --head <head> --output <tmp-output-dir> --dry-run
79
+ node dist/cli.js e2e draft <package> --workspace-root <repo-root> --base <base> --head <head> --output <tmp-output-dir>
80
+ ```
81
+
82
+ ## Expected Evidence
83
+
84
+ The E2E plan should show:
85
+
86
+ - runner recommendation with clear evidence
87
+ - execution profile with start command, test command, base URL or app id when discoverable, confidence, and blockers
88
+ - runner setup proposal with install commands, explicit `qamap e2e setup` acceptance command, files to create/update, and next commands when the repo lacks an E2E runner
89
+ - setup output that reports the first generated changed-flow draft file after the accepted runner setup is applied
90
+ - bootstrap steps when the project lacks E2E setup
91
+ - domain language and candidate user scenarios
92
+ - matched `.qamap/domains.yml` or `.qamap/flows.yml` entries when present
93
+ - validation matrix rows for fixture, coverage, setup, and testability gaps
94
+
95
+ The E2E draft should show:
96
+
97
+ - `verification-manifest` as the draft source when a matched manifest flow is strong enough
98
+ - manifest evidence comments inside generated drafts
99
+ - external `--manifest <file>` previews that let teams test generated manifest quality without writing `.qamap/manifest.yaml` into target repos
100
+ - manifest checks converted into draft steps or coverage notes
101
+ - previewed or generated Maestro, Playwright, or manual draft files
102
+ - `dryRun` mode and `preview` file status when `--dry-run` is used
103
+ - `languageBrief` for each draft file
104
+ - `promotionStatus` for each draft file
105
+ - `runnableStatus` and execution blockers for each draft file
106
+ - `selfCheck` status, summary, command, warnings, and blockers for each generated draft file
107
+ - `actionItems` grouped by assertion, fixture, selector, runner, validation, or manifest
108
+ - `actionSummary` with required and recommended action counts
109
+ - `readinessSummary` with score, level, self-check counts, TODO counts, execution blocker counts, and top blockers
110
+ - Playwright `test.step()` names that read like the product journey
111
+
112
+ The QA draft should show:
113
+
114
+ - no-write PR comment/checklist output from `qamap qa`
115
+ - no cloud and no LLM token positioning in the output
116
+ - affected flow language with changed files and reviewer question
117
+ - suggested E2E or manual checklist path
118
+ - runner recommendation inherited from the E2E planner
119
+ - missing fixture, selector, assertion, runner, validation, or manifest evidence
120
+ - PR checklist items that can be pasted into a pull request
121
+ - optional manifest repair path when a manifest-backed recommendation is wrong
122
+
123
+ The packaged skill template should show:
124
+
125
+ - a concise `SKILL.md` with valid frontmatter
126
+ - a default `qamap qa` command for PR finalization
127
+ - monorepo scoped command guidance
128
+ - clear warning that QAMap output is QA planning evidence, not proof that QA passed
129
+ - manifest repair guidance for wrong or broad recommendations
130
+
131
+ The manifest commands should show:
132
+
133
+ - generated `$schema` pointing at `schema/qamap-manifest.schema.json`
134
+ - domains with narrow enough path patterns to explain matches
135
+ - flows with anchors and checks that can shape generated drafts
136
+ - `manifest validate` status, issue counts, and concrete recommendations
137
+ - `manifest explain` matches with confidence, entry route, required checks, evidence path, and update path
138
+
139
+ ## Golden Demo Acceptance Bar
140
+
141
+ The public demo must prove the product shape, not only command execution. Before promoting a release, run or update a small demo where a realistic PR diff produces a concrete E2E starting point:
142
+
143
+ - The output names the affected product feature and user flow in domain language.
144
+ - The output names the draft file that would be created or previewed.
145
+ - The draft includes route or screen entry, realistic actions, and at least one meaningful assertion.
146
+ - The report explains why the test was recommended from changed files and manifest evidence.
147
+ - The report names the manifest path to update if the recommendation is wrong.
148
+ - Remaining gaps are specific, such as auth fixture, API mock, stable selector, runner config, or validation command.
149
+ - The demo makes clear when output is `--dry-run`, `review-only`, `near-runnable`, or `runnable-candidate`.
150
+
151
+ Avoid demos that only say broad phrases such as "fixture needed", "selector missing", or "Offer flow recommended" without showing why those gaps matter for the changed behavior.
152
+
153
+ ## Current Fixture Evidence Matrix
154
+
155
+ The matrix below is public, fixture-backed evidence from the repository test suite. It is not a substitute for final manual validation against real projects, but it proves the release bar with reproducible scenarios that can run in CI without an LLM call.
156
+
157
+ | Target | Fixture-backed coverage | Expected output |
158
+ | --- | --- | --- |
159
+ | Manifest-free QA skill entrypoint | `qa command emits a PR comment draft without requiring a manifest` | `qamap qa` works without `.qamap/manifest.yaml`, emits a local-first PR QA draft, names affected flow, changed files, suggested E2E/checklist path, missing evidence, PR checklist, agent handoff, and says manifest is optional upgrade rather than a first-use gate. |
160
+ | Packaged PR QA skill template | `package metadata includes the portable PR QA skill template` | npm package metadata includes `skills`, and `skills/qamap-pr-qa/SKILL.md` contains the local PR QA workflow, `qamap qa` command, and manifest repair guidance. |
161
+ | Verification manifest loop | `manifest init creates a baseline verification manifest`; `manifest init keeps Expo app file domains specific`; `manifest init captures advisory instruction context`; `manifest bootstrap produces concrete PR E2E draft from repo QA memory`; `e2e draft can use an external verification manifest for read-only adoption preview`; `manifest matches explain e2e and verify recommendations`; `manifest validate reports missing and stale manifest policy` | Generated `.qamap/manifest.yaml` includes `$schema`, domains, flows, anchors, checks, runner, source, and confidence; context preview reports repo-local instruction sources, role summaries, validation commands, safety rules, and diagnostics; validator reports missing/stale/duplicate policy; explain output maps branch changes to manifest domains/flows/checks; E2E drafts prefer `verification-manifest` sources with manifest evidence, route entry, detected input/action selectors, required checks, and manifest repair paths; external manifests can be passed with `--manifest` for read-only adoption smoke tests. |
162
+ | Web app with Playwright routes | `generateE2ePlan matches committed core flow definitions`; `generateE2eDraft uses web selectors in Playwright specs`; `generateE2eDraft dry run previews files without writing drafts`; `generateE2eDraft asserts changed HTML success copy in Playwright specs`; `generateE2ePlan captures Playwright execution profile and self-check blockers`; `generateE2ePlan infers Playwright base URLs from dev scripts`; `generateE2eDraft supports Next app router route groups and concrete route hints`; `generateE2ePlan reads React Router object route paths`; `generateE2eDraft fills dynamic route params from concrete route hints`; `generateE2eDraft emits runnable Playwright role and input actions` | `Web` project profile, `playwright` runner, core-flow names such as `Checkout purchase`, route-aware Playwright drafts, dry-run preview status without filesystem writes, stable selector hints, changed HTML success copy assertions, execution profile, dev-script base URL hints, opt-in Playwright setup proposal, Next App Router route groups, React Router object paths, dynamic route params, draft self-check status, action items, and validation gaps. |
163
+ | Expo / React Native mobile app | `generateE2ePlan recommends mobile flows for Expo changes`; `generateE2ePlan detects Maestro app ids from app config files`; `generateE2eDraft scopes entrypoint hints to each domain scenario`; `generateE2eDraft names changed component actions before generic primary journeys` | `Expo / React Native` project profile, `maestro` runner, app id and launch command hints from `app.json` or `app.config.*`, Maestro YAML drafts, `testID`/`accessibilityLabel` selector hints, action-specific scenario names such as `Offer Content URL Submit`, and mobile setup actions. |
164
+ | API or backend service | `generateE2ePlan detects API service projects and suggests contract checklists`; `generateE2ePlan detects Django service apps from a workspace root`; `generateE2ePlan names versioned API service paths with domain language`; `generateE2ePlan uses matched core flow names for API service contracts` | `API / service` project profile, manual contract checklist, Django/FastAPI-style service signals when present, domain-aware titles such as `Offer API contract`, API consumer actor, endpoint/handler/service-path trigger, service start/test command hints, and contract failure coverage. |
165
+ | CLI package | `generateE2ePlan detects CLI packages and suggests command verification checklists` | `CLI` project profile from `package.json` bin entries, manual command verification checklist, CLI user or maintainer actor language, command invocation trigger, stdout/stderr/generated-file/exit-code success signal, valid and invalid argument coverage, and no required API fixture action unless the changed command path explicitly exposes network or fixture evidence. |
166
+ | Design tokens and data catalogs | `generateE2ePlan detects design token packages and suggests artifact validation`; `generateE2ePlan detects data catalog repositories and suggests catalog verification` | `Design tokens` and `Data catalog` project profiles, manual artifact/catalog checklist, token or catalog actor language, schema/generated output/consumer fixture coverage, fixture readiness marked not needed for API mocks, and validation matrix rows that do not require browser/device selectors. |
167
+ | Monorepo root and package targeting | `generateE2ePlan surfaces package-scoped targets for monorepo root changes`; `generateE2ePlan matches workspace core flows for package scans`; `generateTestPlan scopes monorepo changes to the requested package` | Root plans list changed app/package targets with package names, project type, runner, and scoped commands; package scans keep package-local changed files, workspace-level `.qamap/flows.yml` matches, package-local generated drafts, and no leaked workspace path prefixes in package drafts. |
168
+ | Release and package metadata | `generateE2ePlan avoids turning release metadata into domain journeys`; `generateE2ePlan keeps package release metadata out of product workflows`; `generateE2ePlan treats agent and repo metadata as configuration, not product journeys` | Changelog, changeset, release manifest, package version, and repo metadata changes produce maintainer/release-operator configuration verification flows instead of product journeys or user-facing E2E drafts. |
169
+ | Test-light project | `generateE2ePlan builds a bootstrap plan for projects without tests`; `generateE2ePlan infers Playwright base URLs from dev scripts`; `generateE2eDraft creates a fallback smoke draft without changed files` | Required bootstrap steps for runner setup, opt-in `qamap e2e setup`, generated setup output that includes the first changed-flow draft file, fixture/mock data, testability, and validation evidence before generated drafts are treated as regression coverage. |
170
+ | API-dependent UI flow | `generateE2ePlan flags missing mock fixtures for API-dependent UI flows` | Playwright-compatible UI flow plus fixture/mock readiness actions, inferred endpoint hints, and route-fulfillment scaffold slots for success, empty, unauthorized, timeout, and server-error responses. |
171
+ | Existing test evidence | `generateE2ePlan evaluates existing test suite coverage evidence`; `generateE2ePlan keeps generic test filenames from overmatching unrelated services` | Coverage evidence rows that distinguish covered, partial, and missing targets without matching unrelated generic test filenames. |
172
+ | Evidence-only changes | `generateE2ePlan treats test-only changes as evidence verification, not product journeys`; `generateE2ePlan treats docs-only changes as documentation verification`; `generateE2ePlan treats generated-only changes as generated artifact verification` | Test-only, docs-only, and generated-output-only branches produce maintainer-oriented evidence checklists instead of product journeys inferred from filenames such as `admin-primary-journey.spec.ts` or generated API clients. |
173
+
174
+ See [E2E output examples](e2e-output-examples.md) for the kind of plan and draft snippets users should see from the `0.2.1` release.
175
+
176
+ ## Latest PR Validation Snapshot
177
+
178
+ Last verified on 2026-07-03 on PR #71 after adding the manifest-free `qamap qa` PR QA skill entrypoint, the packaged `qamap-pr-qa` skill template, README repositioning, agent handoff docs, repo-context manifest PoC path, ADR-derived flow naming, and manifest-backed selector/action draft shaping:
179
+
180
+ | Check | Result |
181
+ | --- | --- |
182
+ | `pnpm test` | 90 tests passed. |
183
+ | `pnpm scan` | 0 findings. |
184
+ | `git diff --check` | Passed. |
185
+ | `pnpm pack --dry-run` | Passed; tarball includes `dist`, `docs`, `docs/assets/qamap-30s-demo.gif`, `schema`, `skills/qamap-pr-qa/SKILL.md`, `README.md`, `CHANGELOG.md`, `LICENSE`, and `package.json`. |
186
+ | Coverage threshold | Passed the 80% line, branch, and function gates; latest run reported 85.27% line, 81.59% branch, and 94.26% function coverage. |
187
+ | `pnpm run release:check` | Passed as the single local release gate for this PR state, including `qamap qa` coverage, the packaged PR QA skill template, and `dist/qa.*` pack output. |
188
+ | `npm publish --dry-run --access public` | Passed for `@ivorycanvas/qamap@0.3.0`; tarball includes 98 files, `schema/qamap-manifest.schema.json`, `docs/manifest.md`, `docs/quickstart-demo.md`, `skills/qamap-pr-qa/SKILL.md`, and the demo GIF. |
189
+
190
+ ## Real Repository Smoke Snapshot
191
+
192
+ The latest smoke run used private representative repositories and wrote draft output only under `/tmp/qamap-preview-*`. The smoke commands did not run `e2e setup` or write generated files into the target repositories. The table records public-safe target shapes rather than private repository names.
193
+
194
+ 2026-07-02 follow-up smoke on PR #71 ran `manifest context`, `manifest init --write /tmp/...`, `e2e plan`, and `e2e draft --dry-run` across 14 local Git repositories plus package-scoped scans for a large frontend monorepo. All commands completed without changing target repository status. The run exposed one important adoption need: users should be able to generate a manifest outside the target repo and pass it back into PR commands. PR #71 now supports that read-only preview through `--manifest <file>`.
195
+
196
+ The same follow-up also showed the next quality gap. External manifest previews work, but many real branch changes did not match route/page-only manifest anchors, so generated drafts often stayed `domain-language`, `review-only`, or `near-runnable` instead of `verification-manifest`. The next release bar should improve component, function, API client, query, schema, and test anchors so manifest matches cover more than route files.
197
+
198
+ | Target shape | Base/head mode | Result | Follow-up signal |
199
+ | --- | --- | --- | --- |
200
+ | Expo / React Native manifest baseline | `manifest init` wrote only to `/tmp/qamap-mood-note-manifest.yaml` | Generated 9 domains, 8 flows, 8 anchors, and 16 checks without changing the target repo. Direct `app/*.tsx` screens now produce specific paths such as `app/EmotionChatPage.tsx`; `+not-found.tsx` is not promoted as a product domain. | Good 0.2.x signal for baseline quality. Remaining work is richer screen/route semantics and selector-specific checks. |
201
+ | Web monorepo package | Package scan with `--workspace-root`, feature branch compared with `main`, working tree included | Detected `web`, recommended Playwright, inferred a concrete route, produced changed-flow specs, and correctly blocked promotion because Playwright config, deterministic fixture/mock data, selector evidence, and validation evidence were missing. | Flow naming improved, but docs/design-only files can still create low-signal drafts that should be filtered or demoted. |
202
+ | Expo / React Native app | Feature branch compared with `develop`, working tree included | Detected `expo-react-native`, recommended Maestro, found an existing Jest suite, produced multiple near-runnable YAML drafts, and gave useful blockers for missing Maestro directory plus missing stable mobile selectors. | Strongest current real-repo result; remaining gap is selector and app-specific setup quality. |
203
+ | Nuxt / Vue web app with existing Playwright tests | `origin/develop` to `HEAD`, working tree included | Detected `web`, recommended Playwright, recognized existing test evidence, and blocked draft promotion because no Playwright config or runnable route/screen entrypoint was inferred. | Test-only or generated-test changes can still produce generic smoke draft names; QAMap should better distinguish changed tests from changed product behavior. |
204
+ | Django-style API service | `origin/develop` to `HEAD`, working tree included | Detected `api-service`, selected manual output, found a large pytest suite, generated API contract and configuration checklists with zero TODOs, and avoided browser/device runner assumptions. | Good service classification; fixture readiness should become more endpoint-specific. |
205
+ | Design token repository | `main` to `HEAD`, working tree included | Detected `design-tokens`, selected manual output, avoided browser/device selector requirements, and produced review-only artifact validation output. | Docs-only or style-only changes may still surface content/theme wording instead of token artifact language. |
206
+ | Taxonomy / data catalog repository | `main` to `HEAD`, working tree included | Detected `data-catalog`, selected manual output, avoided API mock requirements, and produced review-only checklist output with no TODOs. | Catalog-specific changes are handled, but docs/config-only changes should be labeled more explicitly as low-signal. |
207
+
208
+ Interpretation: the `0.2.1` release should be described as a planner that removes blank-page verification work by combining static analysis with repo-local manifest memory. The smoke results are useful, but they also show that many real repositories will start at `review-only` or `near-runnable` until teams add runner config, selectors, fixtures, validation evidence, and durable manifests.
209
+
210
+ ## Ongoing Validation Notes
211
+
212
+ The release candidate has passed the fixture-backed suite, package dry-run, npm publish dry-run, and representative private-repository smoke checks recorded above. For future patch releases, record only public-safe notes in this document or in release notes:
213
+
214
+ - whether the generated flow names match the team's domain language
215
+ - whether the recommended runner is plausible
216
+ - whether generated drafts identify the right actor, trigger, success signal, and edge cases
217
+ - whether action items are concrete enough for a developer to convert into runnable tests
218
+ - whether false positives are caused by missing manifests, weak selectors, or unsupported project structure
219
+ - whether test-only, docs-only, or generated-output-only changes are clearly demoted instead of being presented as product journeys
220
+
221
+ ## Stop Conditions
222
+
223
+ Do not publish `0.2.1` if any representative target shows one of these problems:
224
+
225
+ - generated flow names are dominated by generic folder names instead of product language
226
+ - test-only or docs-only changes are presented as confident product journeys without low-signal wording
227
+ - execution profiles hide missing start commands, base URLs, app ids, or runner config needed to run generated drafts
228
+ - draft self-checks fail to report unresolved placeholder locators, route params, missing runner structure, or TODO-heavy generated files
229
+ - monorepo package scans report workspace-root paths in generated package-local drafts
230
+ - Playwright drafts cannot express dynamic route parameters with fixture placeholders
231
+ - API-dependent flows fail to produce fixture or mock readiness actions or concrete endpoint-based mock scaffold slots
232
+ - manifest baselines are dominated by broad catch-all paths such as `app/**` when file-specific screen paths are available
233
+ - manifest recommendations do not show why they happened or which manifest path to update
234
+ - draft Markdown or JSON omits required action items for selector, fixture, setup, or validation gaps
235
+ - generated files overwrite existing files without `--force`
236
+ - `pnpm pack --dry-run` excludes required runtime files
237
+
238
+ ## Release Notes Checklist
239
+
240
+ For every publish candidate, update or confirm:
241
+
242
+ - `README.md` install section
243
+ - README and adoption docs for the working-base / verification-base positioning
244
+ - `CHANGELOG.md`
245
+ - [release runbook](releasing.md)
246
+ - GitHub Action release tag notes, if the action is versioned with the package
247
+ - package provenance or npm publishing notes
@@ -0,0 +1,112 @@
1
+ # Release Runbook
2
+
3
+ This runbook defines the release process for `qamap`. It is intentionally conservative: the package should be published only when the local release gate, documentation, and representative repository validation all agree.
4
+
5
+ ## Release Owner Checklist
6
+
7
+ Before publishing, confirm:
8
+
9
+ - `package.json` version matches the intended npm version.
10
+ - `CHANGELOG.md` has a dated section for the version being published.
11
+ - `README.md`, [adoption](adoption.md), [E2E examples](e2e-output-examples.md), and [release validation](release-validation.md) describe the current CLI behavior.
12
+ - `pnpm run release:check` passes from a clean checkout.
13
+ - Representative repository smoke notes in [release validation](release-validation.md) do not hit any stop condition.
14
+ - npm login is available for a maintainer with publish permission for the `@ivorycanvas/qamap` package.
15
+
16
+ ## Local Release Gate
17
+
18
+ Run the full local gate:
19
+
20
+ ```sh
21
+ pnpm install
22
+ pnpm run release:check
23
+ ```
24
+
25
+ The gate must pass:
26
+
27
+ - `pnpm test`
28
+ - `pnpm scan`
29
+ - `git diff --check`
30
+ - coverage thresholds for lines, branches, and functions
31
+ - `pnpm pack --dry-run`
32
+
33
+ If the gate fails, fix the product or documentation issue before publishing. Do not publish with a known failing gate.
34
+
35
+ ## Package Preview
36
+
37
+ Inspect the package contents before publishing:
38
+
39
+ ```sh
40
+ pnpm pack --dry-run
41
+ npm publish --dry-run --access public
42
+ ```
43
+
44
+ The tarball must include runtime output, public documentation, schemas, and package metadata:
45
+
46
+ - `dist`
47
+ - `docs`
48
+ - `schema`
49
+ - `README.md`
50
+ - `CHANGELOG.md`
51
+ - `LICENSE`
52
+ - `package.json`
53
+
54
+ The tarball should not include local run history, generated temporary output, private smoke artifacts, or dependency folders.
55
+
56
+ ## npm Publish
57
+
58
+ Publish only after the release gate passes and the maintainer confirms npm auth:
59
+
60
+ ```sh
61
+ npm whoami
62
+ npm publish --access public
63
+ ```
64
+
65
+ After publish, verify the public package can be executed without a source checkout:
66
+
67
+ ```sh
68
+ pnpm dlx @ivorycanvas/qamap@0.3.0 scan .
69
+ pnpm dlx @ivorycanvas/qamap@0.3.0 manifest validate .
70
+ pnpm dlx @ivorycanvas/qamap@0.3.0 e2e draft . --base origin/main --head HEAD --dry-run
71
+ ```
72
+
73
+ Use a fresh shell or temporary directory for the smoke check when possible.
74
+
75
+ ## GitHub Release
76
+
77
+ After npm publish succeeds:
78
+
79
+ ```sh
80
+ git tag v0.3.0
81
+ git push origin v0.3.0
82
+ ```
83
+
84
+ Create a GitHub Release for the tag with:
85
+
86
+ - a concise release summary
87
+ - the current `CHANGELOG.md` section
88
+ - the latest local release gate numbers
89
+ - a note that the GitHub Action can be pinned to the version tag
90
+
91
+ ## Post-Release Verification
92
+
93
+ After the tag and GitHub Release are visible, run:
94
+
95
+ ```sh
96
+ pnpm dlx @ivorycanvas/qamap@0.3.0 --version
97
+ pnpm dlx @ivorycanvas/qamap@0.3.0 scan .
98
+ pnpm dlx @ivorycanvas/qamap@0.3.0 manifest explain . --base origin/main --head HEAD
99
+ pnpm dlx @ivorycanvas/qamap@0.3.0 verify . --base origin/main --head HEAD
100
+ ```
101
+
102
+ Then update any public setup examples that should pin to `v0.3.0`.
103
+
104
+ ## Rollback Notes
105
+
106
+ If a broken package is published:
107
+
108
+ - publish a patch version with the fix as soon as possible
109
+ - mark the broken npm version deprecated with a short reason
110
+ - update the GitHub Release notes to point users to the fixed version
111
+
112
+ Do not delete public release history unless there is a legal, credential, or severe security reason.
@@ -0,0 +1,67 @@
1
+ # Roadmap
2
+
3
+ QAMap starts as a local CLI for repo-level AI agent readiness. The project can grow in layers without becoming heavy.
4
+
5
+ ## North Star
6
+
7
+ QAMap should become a local-first QA skill plus optional QA memory layer: it maps PR changes to affected flows, drafts the E2E/checklist work needed before merge, and improves over time through a repository-level verification manifest. The goal is not to replace reviewers or QA. The goal is to remove the repeated blank-page work that makes developers skip good verification.
8
+
9
+ The sharp product position is:
10
+
11
+ ```txt
12
+ Do not re-prompt AI for the same QA context.
13
+ Run a local PR QA draft first, then capture team QA memory in the repo when repeated corrections should improve future recommendations.
14
+ ```
15
+
16
+ This means QAMap should be judged less like a generic test recorder and more like a manifest-backed PR verification assistant. A recorder captures what a person just clicked. QAMap should explain what the PR changed, which durable flow/check knowledge applies, and what test artifact should now exist.
17
+
18
+ ## Release Bar
19
+
20
+ Before treating the next public release as ready, the golden demo must satisfy these conditions:
21
+
22
+ - First-run output is concrete, not broad: it names the affected feature, flow, draft file, and checks.
23
+ - Manifest authoring burden stays low: `manifest context` and `manifest init` provide a useful baseline before a human edits YAML.
24
+ - Generated E2E draft is a usable starting point: it has route/screen entry, meaningful actions, assertions, and clear TODOs only where repo data is missing.
25
+ - Recommendation evidence is explainable: output shows the changed file, manifest flow/check, and manifest path to repair when wrong.
26
+ - README demo shows the full loop: manifest-free PR QA draft, optional repo context baseline, PR mapping, E2E draft, and remaining validation gaps.
27
+ - One manifest correction should improve future PR recommendations without another LLM prompt.
28
+
29
+ ## Now
30
+
31
+ - Keep the scanner fast, static, and easy to understand.
32
+ - Keep the [release validation checklist](release-validation.md), [manifest guide](manifest.md), and public [E2E output examples](e2e-output-examples.md) aligned with the current release bar.
33
+ - Keep the [release runbook](releasing.md) ready for npm publishing and versioned GitHub Action follow-up.
34
+ - Improve adoption docs and sample output so new maintainers understand the QA manifest plus PR-to-E2E draft loop quickly.
35
+ - Stabilize the manifest feedback loop with `.qamap/manifest.yaml`, `manifest init`, `manifest validate`, `manifest explain`, JSON Schema, and manifest-driven E2E draft shaping.
36
+ - Keep `manifest context` useful as a pre-init sanity check for repo-local QA memory, harness docs, agent instructions, and runbooks.
37
+ - Improve generated drafts until the golden demo feels like a real starting point, not a generic checklist.
38
+ - Make `qa` the best first-run experience for AI-assisted PRs; keep `verify`, `e2e`, and `manifest` as the deeper layers behind it.
39
+ - Keep `eval` explainable enough that maintainers trust the score and know what to fix.
40
+ - Keep expanding representative validation targets beyond JavaScript so planning advice works for Python, Go, Rust, and JVM repositories.
41
+
42
+ ## Next
43
+
44
+ - Publish a versioned GitHub Action release tag after the first public package is ready.
45
+ - Improve `doctor` output with clearer scoring and remediation grouping.
46
+ - Improve `review` output for changed-line locations.
47
+ - Expand manifest support with richer anchors, symbol-level matching, and configurable taste rubrics.
48
+ - Match changed files to flows through a reverse import graph, not only declared anchor paths, so shared component and hook changes map to the flows that depend on them.
49
+ - Map changed symbols to manifest anchors after the path/route baseline is stable.
50
+ - Keep the `--format agent` output a stable, versioned contract that skills and MCP wrappers can rely on.
51
+ - Add language-specific domain patterns for backend services, CLIs, libraries, mobile apps, and infrastructure repositories.
52
+ - Continue expanding agent surface detection across popular coding-agent tools without making the public workflow depend on a single vendor.
53
+ - Generate rule documentation from scanner metadata.
54
+
55
+ ## Later
56
+
57
+ - Policy packs for open source, startup teams, and security-sensitive repositories.
58
+ - A memory or lessons workflow that captures repeated review feedback into durable agent instructions.
59
+ - VS Code and Cursor extension surfaces.
60
+ - Maintainer dashboard for repeated AI-assisted PR risks.
61
+
62
+ ## Non-Goals
63
+
64
+ - QAMap will not execute untrusted project code.
65
+ - QAMap will not replace tests, review, branch protection, threat modeling, or security review.
66
+ - QAMap will not become a general-purpose code style linter.
67
+ - QAMap will not become a deep MCP server analysis engine.
package/docs/rules.md ADDED
@@ -0,0 +1,28 @@
1
+ # QAMap Rules
2
+
3
+ QAMap rules are intentionally small and repository-level. The goal is to catch risks that are cheap to fix before an AI coding agent or PR reviewer loses time.
4
+
5
+ Rule behavior can be tuned in `qamap.config.json`. See [configuration.md](configuration.md) for ignored rules, severity overrides, and CI failure thresholds.
6
+
7
+ | Rule | Severity | Description |
8
+ | --- | --- | --- |
9
+ | `QM001` | medium | No agent instruction file was found. |
10
+ | `QM002` | medium | Agent instruction files appear to contradict each other. |
11
+ | `QM003` | high | Agent instructions contain suspicious override or secret-exposure text. |
12
+ | `QM004` | medium/high | MCP config is unreadable or starts risky commands. |
13
+ | `QM005` | high | MCP config appears to contain committed secret-like values. |
14
+ | `QM006` | medium | `package.json` has no usable test script. |
15
+ | `QM007` | low | No GitHub Actions workflow was found. |
16
+ | `QM008` | high | A local environment file appears to be committed. |
17
+ | `QM009` | high | Package scripts can publish, push, merge, or run unsafe shell pipelines. |
18
+ | `QM010` | medium | GitHub Actions workflow grants broad permissions or uses risky triggers. |
19
+ | `QM011` | low | Community health files are missing. |
20
+ | `QM012` | medium/high | Committed agent settings define risky hooks or broad shell permissions. |
21
+ | `QM013` | low | API endpoints are documented only in prose without a machine-readable contract source. |
22
+
23
+ ## Rule Design
24
+
25
+ - Prefer high-signal checks over noisy style rules.
26
+ - Avoid printing secret values in evidence.
27
+ - Do not execute project code while scanning.
28
+ - Keep rules explainable enough that a maintainer can fix them without reading QAMap internals.
package/docs/verify.md ADDED
@@ -0,0 +1,44 @@
1
+ # QAMap Verify
2
+
3
+ `qamap verify` is the PR-facing entry point for QAMap.
4
+
5
+ It combines:
6
+
7
+ - `review`: new QAMap findings and changed risky files introduced by a branch
8
+ - `eval`: verification-readiness gates for intent, risk, tests, and review size
9
+ - `test-plan`: domain-oriented scenarios inferred from changed files
10
+ - verification manifest matches from `.qamap/manifest.yaml` when the repository has team-owned domains, flows, anchors, and checks
11
+
12
+ Suggested commands are discovered statically from common project files:
13
+
14
+ - JavaScript/TypeScript: usable `package.json` scripts for test, typecheck, lint, build, and e2e
15
+ - Python: pytest, tox, Ruff, and mypy signals from `pyproject.toml`, pytest config, `tox.ini`, `uv.lock`, or Poetry files
16
+ - Go: `go test`, `go vet`, and `golangci-lint` when `go.mod` or golangci config exists
17
+ - Rust: `cargo test`, `cargo clippy`, and `cargo build` when `Cargo.toml` exists
18
+ - JVM: Gradle wrapper, Gradle build files, or Maven `pom.xml`
19
+
20
+ For custom stacks or team-specific flows, add `validationCommands` to `qamap.config.json`. Configured commands are shown before automatically discovered commands.
21
+
22
+ ## Usage
23
+
24
+ ```sh
25
+ qamap verify . --base origin/main --head HEAD --format markdown
26
+ qamap verify . --base origin/main --head HEAD --pr-body-file pr-body.md
27
+ qamap verify services/offer --workspace-root . --base origin/main --head HEAD --include-working-tree
28
+ ```
29
+
30
+ Use `--fail-on high` or `--fail-on medium` to fail on QAMap review findings at or above a severity threshold. Readiness and manifest recommendations stay advisory until the team decides to make them required PR evidence.
31
+
32
+ ## Output
33
+
34
+ The report answers the questions reviewers usually ask after an AI-assisted PR appears:
35
+
36
+ - Did this branch introduce new repo-level AI risks?
37
+ - Did it touch files that already had risky findings?
38
+ - Does the PR explain its intent, risk, rollback, or validation evidence?
39
+ - Which domain scenarios should be tested?
40
+ - Which manifest flows or checks explain the recommended verification work?
41
+ - Which commands should the author or reviewer run?
42
+ - Is the diff small enough to review without excessive verification tax?
43
+
44
+ `verify` is intentionally static and no-token by default. It does not execute project code and does not send source code to an LLM service.
package/package.json ADDED
@@ -0,0 +1,80 @@
1
+ {
2
+ "name": "@ivorycanvas/qamap",
3
+ "version": "0.3.0",
4
+ "description": "Local-first QA skill that turns PR diffs into affected flows, missing evidence, and E2E drafts with no cloud or LLM token.",
5
+ "type": "module",
6
+ "packageManager": "pnpm@10.32.1",
7
+ "bin": {
8
+ "qamap": "dist/cli.js"
9
+ },
10
+ "files": [
11
+ "dist",
12
+ "docs",
13
+ "skills",
14
+ "schema",
15
+ "README.md",
16
+ "CHANGELOG.md",
17
+ "LICENSE"
18
+ ],
19
+ "scripts": {
20
+ "build": "tsc -p tsconfig.json",
21
+ "check": "tsc -p tsconfig.json --noEmit",
22
+ "prepack": "pnpm build",
23
+ "test": "pnpm build && node --test test/*.test.mjs",
24
+ "coverage": "pnpm build && node --test --experimental-test-coverage --test-coverage-include=\"dist/**/*.js\" --test-coverage-lines=80 --test-coverage-branches=80 --test-coverage-functions=80 test/*.test.mjs",
25
+ "scan": "pnpm build && node dist/cli.js scan .",
26
+ "report": "pnpm build && node dist/cli.js report . --output QAMAP_REPORT.md",
27
+ "release:check": "pnpm test && pnpm scan && git diff --check && pnpm run coverage && pnpm pack --dry-run"
28
+ },
29
+ "keywords": [
30
+ "ai",
31
+ "agents",
32
+ "coding-agents",
33
+ "agent-skill",
34
+ "agent-readiness",
35
+ "ai-security",
36
+ "local-first",
37
+ "mcp",
38
+ "preflight",
39
+ "pull-request",
40
+ "e2e",
41
+ "e2e-testing",
42
+ "qa",
43
+ "qa-automation",
44
+ "test-planning",
45
+ "test-generation",
46
+ "verification-manifest",
47
+ "verification-loop",
48
+ "test-manifest",
49
+ "playwright",
50
+ "maestro",
51
+ "repository-security",
52
+ "security",
53
+ "developer-tools",
54
+ "github-actions",
55
+ "guardrails"
56
+ ],
57
+ "author": "IvoryCanvas",
58
+ "license": "MIT",
59
+ "homepage": "https://github.com/IvoryCanvas/qamap#readme",
60
+ "repository": {
61
+ "type": "git",
62
+ "url": "git+https://github.com/IvoryCanvas/qamap.git"
63
+ },
64
+ "bugs": {
65
+ "url": "https://github.com/IvoryCanvas/qamap/issues"
66
+ },
67
+ "engines": {
68
+ "node": ">=20"
69
+ },
70
+ "publishConfig": {
71
+ "access": "public"
72
+ },
73
+ "devDependencies": {
74
+ "@types/node": "^24.0.0",
75
+ "typescript": "^5.8.0"
76
+ },
77
+ "dependencies": {
78
+ "yaml": "^2.9.0"
79
+ }
80
+ }