@ivorycanvas/qamap 0.3.3 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/CHANGELOG.md +54 -0
  2. package/README.md +44 -578
  3. package/dist/agent-init.d.ts +16 -0
  4. package/dist/agent-init.js +110 -0
  5. package/dist/agent-init.js.map +1 -0
  6. package/dist/cli.js +17 -1
  7. package/dist/cli.js.map +1 -1
  8. package/dist/context.d.ts +1 -0
  9. package/dist/context.js +4 -0
  10. package/dist/context.js.map +1 -1
  11. package/dist/domain-language.js +48 -5
  12. package/dist/domain-language.js.map +1 -1
  13. package/dist/e2e.d.ts +4 -0
  14. package/dist/e2e.js +385 -74
  15. package/dist/e2e.js.map +1 -1
  16. package/dist/fixture-insight.d.ts +8 -0
  17. package/dist/fixture-insight.js +193 -0
  18. package/dist/fixture-insight.js.map +1 -0
  19. package/dist/fs.js +11 -0
  20. package/dist/fs.js.map +1 -1
  21. package/dist/index.d.ts +2 -1
  22. package/dist/index.js +2 -1
  23. package/dist/index.js.map +1 -1
  24. package/dist/manifest.d.ts +5 -0
  25. package/dist/manifest.js +615 -57
  26. package/dist/manifest.js.map +1 -1
  27. package/dist/qa.d.ts +4 -0
  28. package/dist/qa.js +125 -18
  29. package/dist/qa.js.map +1 -1
  30. package/dist/terminal.d.ts +2 -0
  31. package/dist/terminal.js +51 -0
  32. package/dist/terminal.js.map +1 -0
  33. package/dist/test-plan.js +56 -6
  34. package/dist/test-plan.js.map +1 -1
  35. package/dist/version.d.ts +1 -1
  36. package/dist/version.js +1 -1
  37. package/docs/adoption.md +62 -0
  38. package/docs/agent-format.md +52 -0
  39. package/docs/agent-skill.md +17 -1
  40. package/docs/benchmarking.md +65 -20
  41. package/docs/commands.md +242 -0
  42. package/docs/configuration.md +11 -0
  43. package/docs/e2e-output-examples.md +8 -4
  44. package/docs/guardrails.md +64 -0
  45. package/docs/manifest.md +7 -3
  46. package/docs/quickstart-demo.md +1 -1
  47. package/docs/release-validation.md +35 -34
  48. package/docs/releasing.md +13 -10
  49. package/docs/roadmap.md +9 -14
  50. package/package.json +4 -3
  51. package/schema/qamap-agent.schema.json +171 -0
  52. package/skills/qamap-pr-qa/SKILL.md +1 -0
@@ -0,0 +1,64 @@
1
+ # Repository Guardrails
2
+
3
+ The QA draft loop is QAMap's core product. This optional second layer statically scans a repository for the settings that make AI-assisted work risky.
4
+
5
+ ## Running the scanner
6
+
7
+ The scanner checks agent instructions, MCP configs, committed env files, risky package scripts, workflow permissions, and validation signals before agent work becomes review churn.
8
+
9
+ For a repository baseline before broad agent use, run:
10
+
11
+ ```sh
12
+ qamap scan .
13
+ ```
14
+
15
+ ```txt
16
+ Findings: 6 (high: 3, medium: 2, low: 1, info: 0)
17
+
18
+ HIGH
19
+ - QM003 Suspicious agent instruction text (AGENTS.md)
20
+ Fix: Remove untrusted instruction text or move examples into clearly fenced documentation.
21
+ ```
22
+
23
+ See the rule table below and [docs/rules.md](rules.md) for what the scanner checks.
24
+
25
+ When developing QAMap from source:
26
+
27
+ ```sh
28
+ git clone https://github.com/IvoryCanvas/qamap.git
29
+ cd qamap
30
+ pnpm install
31
+ pnpm build
32
+ node dist/cli.js scan /path/to/repo
33
+ ```
34
+
35
+ QAMap is a local-first PR verification planner with a repository-level verification manifest loop, not a finished automatic QA bot. A good result is a clear answer to "what should this branch prove before merge?", plus manifest-backed E2E, fixture, selector, and validation work that a developer can turn into real regression coverage. Many first drafts will correctly report `review-only` or `near-runnable` until the project adds runner config, stable selectors, deterministic fixtures, or team-owned manifest entries.
36
+
37
+
38
+ ## What It Checks
39
+
40
+ The first release focuses on high-signal checks that are useful across many repositories.
41
+
42
+ | Rule | Severity | What it catches |
43
+ | --- | --- | --- |
44
+ | `QM001` | medium | Missing agent instruction files. |
45
+ | `QM002` | medium | Conflicting agent guidance. |
46
+ | `QM003` | high | Suspicious instruction text that can misdirect agents. |
47
+ | `QM004` | medium/high | Risky MCP command configuration. |
48
+ | `QM005` | high | Secret-like values embedded in MCP config. |
49
+ | `QM006` | medium | Missing or placeholder test scripts. |
50
+ | `QM007` | low | Missing GitHub Actions workflows. |
51
+ | `QM008` | high | Committed local environment files. |
52
+ | `QM009` | high | Package scripts that can publish, push, merge, or run unsafe shell pipelines. |
53
+ | `QM010` | medium | Broad workflow permissions or risky workflow triggers. |
54
+ | `QM011` | low | Missing community health files. |
55
+ | `QM012` | medium/high | Risky committed agent settings, hooks, or broad shell permissions. |
56
+ | `QM013` | low | API endpoints documented only in prose without a contract source. |
57
+
58
+ See [docs/rules.md](rules.md) for the rule catalog.
59
+ See [docs/ecosystem.md](ecosystem.md) for the agent ecosystem surfaces QAMap tracks.
60
+ See [docs/api-contracts.md](api-contracts.md) for the API contract source-of-truth check.
61
+ See [docs/verify.md](verify.md) for the combined PR verification report.
62
+ See [docs/eval.md](eval.md) for the change readiness evaluation.
63
+ See [docs/releasing.md](releasing.md) for the npm release runbook.
64
+
package/docs/manifest.md CHANGED
@@ -32,7 +32,7 @@ qamap e2e draft . --manifest /tmp/qamap-manifest.yaml --base origin/main --head
32
32
 
33
33
  `manifest init` reads the current checkout on disk. It does not silently switch to the default branch, because changing a developer's branch or working tree would be surprising and unsafe. If the team wants the manifest to represent the default product baseline, run it from the default branch after pulling the latest changes.
34
34
 
35
- `manifest context` is the read-only preview step. It shows which repo-local documents QAMap sees, how each source is classified, which validation commands and safety rules were extracted, and which manifest path should be reviewed if the context is missing or stale. Use it before `manifest init` when you want to understand the bootstrap input without writing `.qamap/manifest.yaml`.
35
+ `manifest context` is the read-only preview step. It shows which repo-local documents QAMap sees, how each source is classified, which validation commands were collected (from project configuration such as `package.json` scripts and pytest setup, plus instruction docs), which safety rules were extracted, and which manifest path should be reviewed if the context is missing or stale. Use it before `manifest init` when you want to understand the bootstrap input without writing `.qamap/manifest.yaml`.
36
36
 
37
37
  During baseline generation, QAMap also looks for repo-local context documents that often contain verification knowledge not visible in source files:
38
38
 
@@ -56,6 +56,10 @@ QAMap cannot know every team's product priorities from file paths alone. The man
56
56
 
57
57
  When a recommendation is wrong, edit the manifest path shown in QAMap output. The next branch should get better recommendations without another explanation.
58
58
 
59
+ For server projects, the generated baseline can include manual API contract flows inferred from common route, controller, handler, and framework-backed service modules. These flows use file anchors and start with success-contract and invalid-request checks; maintainers should still review names, criticality, and project-specific failure behavior before committing them as team policy.
60
+
61
+ A domain match is useful even when no declared flow anchor matches. In that case QAMap keeps the existing code-derived flow, steps, selectors, and entrypoint, and adds the manifest domain as provenance. It does not fabricate flow-level checks. Add or correct a flow anchor when the team wants the manifest to supply durable checks and runner details on later PRs.
62
+
59
63
  ## Concrete Bootstrap Example
60
64
 
61
65
  A first baseline can be useful before a human writes YAML by hand. Suppose the default branch has:
@@ -196,7 +200,7 @@ The report includes:
196
200
 
197
201
  - role summary by source file, such as `verification-rubric`, `test-runner`, `agent-skill`, or `harness-config`
198
202
  - captured context sources with kind, confidence, roles, and signals
199
- - validation commands and safety rules extracted from local docs
203
+ - validation commands (project configuration first, then local docs) and safety rules extracted from prose
200
204
  - diagnostics that point to the manifest path to edit when context is missing, stale, too broad, or not connected to checks
201
205
 
202
206
  This command is useful when an E2E recommendation feels too vague. Instead of asking an LLM to re-read the repository, inspect the report, correct the repo-local context or `.qamap/manifest.yaml`, then rerun `qamap e2e draft`.
@@ -268,7 +272,7 @@ flows:
268
272
  | `flows[].checks[].steps` | Optional concrete steps for this check. These are used before the title parser. |
269
273
  | `context.instructionFiles` | Advisory repo-local context sources used while bootstrapping the manifest. |
270
274
  | `context.instructionFiles[].roles` | Advisory role classification for a context source, such as `verification-rubric`, `workflow-lifecycle`, `agent-skill`, or `harness-config`. |
271
- | `context.validationCommands` | Validation commands inferred from context documents. |
275
+ | `context.validationCommands` | Validation commands from project configuration (verification-shaped `package.json` scripts, detected pytest setup) and context documents, ground truth first. |
272
276
  | `context.safetyRules` | Workflow or safety rules inferred from context documents, with token-like values redacted. |
273
277
  | `source.kind` | `inferred` for QAMap-generated entries or `declared` after human review. |
274
278
  | `source.confidence` | `low`, `medium`, or `high` confidence in the entry. |
@@ -168,7 +168,7 @@ Summary
168
168
  - Project: Web
169
169
  - Recommended runner: Playwright
170
170
  - Manifest: .qamap/manifest.yaml
171
- - Readiness: near-runnable
171
+ - Stage: almost runnable (3 of 4)
172
172
 
173
173
  PR Comment Draft
174
174
  - Affected flow: Checkout purchase
@@ -1,5 +1,33 @@
1
1
  # Release Validation
2
2
 
3
+ ## 0.3.5 - 2026-07-11
4
+
5
+ Validated as a manifest-feedback reliability patch:
6
+
7
+ | Gate | Current result |
8
+ | --- | --- |
9
+ | `pnpm test` | 127/127 passing |
10
+ | `pnpm bench:ci` | Eight public PR fixtures pass; API and reverse-import fixtures also generate an external base manifest and require a manifest-backed head flow |
11
+ | Coverage | Lines 86.09%, branches 83.18%, functions 94.66% |
12
+ | `npm publish --dry-run --access public` | Passed for `@ivorycanvas/qamap@0.3.5`; 115 files, 772.8 kB packed |
13
+ | API manifest baseline | Common server modules produce manual contract flows with API anchors and success/failure checks |
14
+ | Domain fallback | Domain-only matches preserve manifest provenance without claiming unrelated files or inventing manifest checks |
15
+ | Privacy | Public changes use synthetic fixtures; private smoke output remains outside the repository |
16
+
17
+ ## 0.3.4 - 2026-07-10
18
+
19
+ Validated before publishing `0.3.4` with a committed, CI-enforced recommendation contract instead of relying only on private smoke repositories:
20
+
21
+ | Gate | Current result |
22
+ | --- | --- |
23
+ | `pnpm test` | 124/124 passing |
24
+ | `pnpm bench:ci` | Eight public PR fixtures pass runner, flow naming, file reach, selector/evidence, command, generic-title, blank-action, and agent payload requirements |
25
+ | Coverage | Lines 86.19%, branches 83.37%, functions 94.87% |
26
+ | Reverse import fixture | Shared component change reaches and names the consuming checkout page |
27
+ | API service fixture | Backend route changes produce an API contract, not a browser UI journey |
28
+ | Agent contract | Real output validates against `schema/qamap-agent.schema.json` and stays below the 4KB fixture limit |
29
+ | Verification-only regressions | Native config changes use existing build commands without fabricated journeys; changed Maestro files are returned as existing evidence without duplicate drafts or selector/fixture noise |
30
+
3
31
  ## 0.3.3 - 2026-07-05
4
32
 
5
33
  Validated before publishing `0.3.3` (at-a-glance qa verdict, diff-anchored action naming incl. button/link text and logic-only fallbacks, observed-response assertions with diff-derived status bounds, Vue bound-attribute/i18n selector fixes):
@@ -22,7 +50,7 @@ Validated before publishing `0.3.2` (reverse import graph, diff-anchored steps a
22
50
  | `pnpm test` | 100/100 passing |
23
51
  | `pnpm scan` (self-scan) | 0 findings |
24
52
  | Coverage thresholds (lines/branches/functions >= 80) | Passing |
25
- | `pnpm bench` against four pinned local benchmark targets (web monorepo, Python API server, Expo app, legacy Vue app) | Runner choice 4/4, labeled must-reach recall 9/9, blank actions 0, no metric regressions vs the previous baseline |
53
+ | `pnpm bench` against four pinned local benchmark repositories covering common stack shapes (monorepo, API server, mobile, legacy web) | Runner choice 4/4, labeled must-reach recall 9/9, blank actions 0, no metric regressions vs the previous baseline |
26
54
  | README demo | Real recorded run; the generated starter spec passes against the demo app |
27
55
 
28
56
  Historical validation notes for earlier releases follow below.
@@ -33,7 +61,7 @@ QAMap should not publish a patch or minor version only because the CLI commands
33
61
 
34
62
  ## Release Bar
35
63
 
36
- QAMap is ready for `0.2.1` when the commands below produce useful, reviewable output for each representative repository type:
64
+ QAMap is ready for the next public release when the commands below produce useful, reviewable output for each representative repository type:
37
65
 
38
66
  - manifest-free `qamap qa` output that works as a PR comment/checklist draft
39
67
  - packaged `skills/qamap-pr-qa/SKILL.md` template included in the npm tarball
@@ -71,7 +99,7 @@ Run these from a clean checkout of QAMap before any release candidate:
71
99
  pnpm run release:check
72
100
  ```
73
101
 
74
- `release:check` expands to the required local suite: `pnpm test`, `pnpm scan`, `git diff --check`, coverage thresholds, and `pnpm pack --dry-run`. If a release candidate fails, run the individual command directly to inspect the failure.
102
+ `release:check` expands to the required local suite: `pnpm test`, `pnpm scan`, `pnpm bench:ci`, `git diff --check`, coverage thresholds, and `pnpm pack --dry-run`. If a release candidate fails, run the individual command directly to inspect the failure.
75
103
 
76
104
  Run the npm publish preview after the local release gate passes:
77
105
 
@@ -202,40 +230,13 @@ The matrix below is public, fixture-backed evidence from the repository test sui
202
230
 
203
231
  See [E2E output examples](e2e-output-examples.md) for the kind of plan and draft snippets users should see from the current release.
204
232
 
205
- ## Latest PR Validation Snapshot
206
-
207
- Last verified on 2026-07-03 for the 0.3.1 README demo patch after removing the stale animated GIF from the README and npm tarball:
208
-
209
- | Check | Result |
210
- | --- | --- |
211
- | `pnpm test` | 95 tests passed. |
212
- | `git diff --check` | Passed. |
213
- | `pnpm pack --dry-run` | Passed; tarball includes 97 files and no committed demo GIF. |
214
- | `npm publish --dry-run --access public` | Passed for `@ivorycanvas/qamap@0.3.1`; package size is 289.1 kB and includes the manifest schema, quick-start docs, release docs, and `skills/qamap-pr-qa/SKILL.md`. |
215
-
216
- ## Real Repository Smoke Snapshot
217
-
218
- The latest smoke run used private representative repositories and wrote draft output only under `/tmp/qamap-preview-*`. The smoke commands did not run `e2e setup` or write generated files into the target repositories. The table records public-safe target shapes rather than private repository names.
219
-
220
- 2026-07-02 follow-up smoke on PR #71 ran `manifest context`, `manifest init --write /tmp/...`, `e2e plan`, and `e2e draft --dry-run` across 14 local Git repositories plus package-scoped scans for a large frontend monorepo. All commands completed without changing target repository status. The run exposed one important adoption need: users should be able to generate a manifest outside the target repo and pass it back into PR commands. PR #71 now supports that read-only preview through `--manifest <file>`.
221
-
222
- The same follow-up also showed the next quality gap. External manifest previews work, but many real branch changes did not match route/page-only manifest anchors, so generated drafts often stayed `domain-language`, `review-only`, or `near-runnable` instead of `verification-manifest`. The next release bar should improve component, function, API client, query, schema, and test anchors so manifest matches cover more than route files.
223
-
224
- | Target shape | Base/head mode | Result | Follow-up signal |
225
- | --- | --- | --- | --- |
226
- | Expo / React Native manifest baseline | `manifest init` wrote only to `/tmp/qamap-journal-note-manifest.yaml` | Generated 9 domains, 8 flows, 8 anchors, and 16 checks without changing the target repo. Direct `app/*.tsx` screens now produce specific paths such as `app/SentimentChatPage.tsx`; `+not-found.tsx` is not promoted as a product domain. | Good 0.2.x signal for baseline quality. Remaining work is richer screen/route semantics and selector-specific checks. |
227
- | Web monorepo package | Package scan with `--workspace-root`, feature branch compared with `main`, working tree included | Detected `web`, recommended Playwright, inferred a concrete route, produced changed-flow specs, and correctly blocked promotion because Playwright config, deterministic fixture/mock data, selector evidence, and validation evidence were missing. | Flow naming improved, but docs/design-only files can still create low-signal drafts that should be filtered or demoted. |
228
- | Expo / React Native app | Feature branch compared with `develop`, working tree included | Detected `expo-react-native`, recommended Maestro, found an existing Jest suite, produced multiple near-runnable YAML drafts, and gave useful blockers for missing Maestro directory plus missing stable mobile selectors. | Strongest current real-repo result; remaining gap is selector and app-specific setup quality. |
229
- | Nuxt / Vue web app with existing Playwright tests | `origin/develop` to `HEAD`, working tree included | Detected `web`, recommended Playwright, recognized existing test evidence, and blocked draft promotion because no Playwright config or runnable route/screen entrypoint was inferred. | Test-only or generated-test changes can still produce generic smoke draft names; QAMap should better distinguish changed tests from changed product behavior. |
230
- | Django-style API service | `origin/develop` to `HEAD`, working tree included | Detected `api-service`, selected manual output, found a large pytest suite, generated API contract and configuration checklists with zero TODOs, and avoided browser/device runner assumptions. | Good service classification; fixture readiness should become more endpoint-specific. |
231
- | Design token repository | `main` to `HEAD`, working tree included | Detected `design-tokens`, selected manual output, avoided browser/device selector requirements, and produced review-only artifact validation output. | Docs-only or style-only changes may still surface content/theme wording instead of token artifact language. |
232
- | Taxonomy / data catalog repository | `main` to `HEAD`, working tree included | Detected `data-catalog`, selected manual output, avoided API mock requirements, and produced review-only checklist output with no TODOs. | Catalog-specific changes are handled, but docs/config-only changes should be labeled more explicitly as low-signal. |
233
+ ## Private Smoke Protocol
233
234
 
234
- Interpretation: the `0.2.1` release should be described as a planner that removes blank-page verification work by combining static analysis with repo-local manifest memory. The smoke results are useful, but they also show that many real repositories will start at `review-only` or `near-runnable` until teams add runner config, selectors, fixtures, validation evidence, and durable manifests.
235
+ Private repositories may be used as local, read-only diagnostics, but their raw output is never release documentation or fixture input. Write manifests and drafts only to an operating-system temp directory, compare target `git status` before and after, and retain no repository names, paths, flow titles, source excerpts, or domain vocabulary in commits or pull requests. Reduce every confirmed defect to a minimal synthetic fixture before it enters the public suite.
235
236
 
236
237
  ## Ongoing Validation Notes
237
238
 
238
- The release candidate has passed the fixture-backed suite, package dry-run, npm publish dry-run, and representative private-repository smoke checks recorded above. For future patch releases, record only public-safe notes in this document or in release notes:
239
+ The release candidate must pass the fixture-backed suite, package dry-run, and read-only smoke protocol. Record only public synthetic evidence in this document or in release notes:
239
240
 
240
241
  - whether the generated flow names match the team's domain language
241
242
  - whether the recommended runner is plausible
@@ -246,7 +247,7 @@ The release candidate has passed the fixture-backed suite, package dry-run, npm
246
247
 
247
248
  ## Stop Conditions
248
249
 
249
- Do not publish `0.2.1` if any representative target shows one of these problems:
250
+ Do not publish the current candidate if any representative target shows one of these problems:
250
251
 
251
252
  - generated flow names are dominated by generic folder names instead of product language
252
253
  - test-only or docs-only changes are presented as confident product journeys without low-signal wording
package/docs/releasing.md CHANGED
@@ -26,6 +26,7 @@ The gate must pass:
26
26
 
27
27
  - `pnpm test`
28
28
  - `pnpm scan`
29
+ - `pnpm bench:ci`
29
30
  - `git diff --check`
30
31
  - coverage thresholds for lines, branches, and functions
31
32
  - `pnpm pack --dry-run`
@@ -45,6 +46,7 @@ The tarball must include runtime output, public documentation, schemas, and pack
45
46
 
46
47
  - `dist`
47
48
  - `docs`
49
+ - `skills`
48
50
  - `schema`
49
51
  - `README.md`
50
52
  - `CHANGELOG.md`
@@ -65,9 +67,10 @@ npm publish --access public
65
67
  After publish, verify the public package can be executed without a source checkout:
66
68
 
67
69
  ```sh
68
- pnpm dlx @ivorycanvas/qamap@0.3.1 scan .
69
- pnpm dlx @ivorycanvas/qamap@0.3.1 manifest validate .
70
- pnpm dlx @ivorycanvas/qamap@0.3.1 e2e draft . --base origin/main --head HEAD --dry-run
70
+ VERSION="$(node -p "require('./package.json').version")"
71
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" qa . --base origin/main --head HEAD
72
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" manifest validate .
73
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" e2e draft . --base origin/main --head HEAD --dry-run
71
74
  ```
72
75
 
73
76
  Use a fresh shell or temporary directory for the smoke check when possible.
@@ -77,8 +80,8 @@ Use a fresh shell or temporary directory for the smoke check when possible.
77
80
  After npm publish succeeds:
78
81
 
79
82
  ```sh
80
- git tag v0.3.1
81
- git push origin v0.3.1
83
+ git tag "v$VERSION"
84
+ git push origin "v$VERSION"
82
85
  ```
83
86
 
84
87
  Create a GitHub Release for the tag with:
@@ -93,13 +96,13 @@ Create a GitHub Release for the tag with:
93
96
  After the tag and GitHub Release are visible, run:
94
97
 
95
98
  ```sh
96
- pnpm dlx @ivorycanvas/qamap@0.3.1 --version
97
- pnpm dlx @ivorycanvas/qamap@0.3.1 scan .
98
- pnpm dlx @ivorycanvas/qamap@0.3.1 manifest explain . --base origin/main --head HEAD
99
- pnpm dlx @ivorycanvas/qamap@0.3.1 verify . --base origin/main --head HEAD
99
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" --version
100
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" qa . --base origin/main --head HEAD --format agent
101
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" manifest explain . --base origin/main --head HEAD
102
+ pnpm dlx "@ivorycanvas/qamap@$VERSION" verify . --base origin/main --head HEAD
100
103
  ```
101
104
 
102
- Then update any public setup examples that should pin to `v0.3.1`.
105
+ Then update any public setup examples that should pin to the new `v$VERSION` tag.
103
106
 
104
107
  ## Rollback Notes
105
108
 
package/docs/roadmap.md CHANGED
@@ -28,28 +28,23 @@ Before treating the next public release as ready, the golden demo must satisfy t
28
28
 
29
29
  ## Now
30
30
 
31
- - Keep the scanner fast, static, and easy to understand.
32
- - Keep the [release validation checklist](release-validation.md), [manifest guide](manifest.md), and public [E2E output examples](e2e-output-examples.md) aligned with the current release bar.
33
- - Keep the [release runbook](releasing.md) ready for npm publishing and versioned GitHub Action follow-up.
34
- - Improve adoption docs and sample output so new maintainers understand the QA manifest plus PR-to-E2E draft loop quickly.
31
+ - Treat the committed [benchmark contract](benchmarking.md) as the quality gate for recommendations, not only implementation correctness. Reduce real failures into public fixtures and require `pnpm bench:ci` on every PR.
32
+ - Make `qa` the primary product surface. Its first screen and `--format agent` payload should agree on affected behavior, reviewer question, repository evidence, draft path, and missing trust requirements.
33
+ - Improve changed-file impact mapping from shared symbols and components to consuming routes, screens, API contracts, and manifest flows.
34
+ - Keep the [release validation checklist](release-validation.md), [manifest guide](manifest.md), public [E2E output examples](e2e-output-examples.md), and README examples aligned with captured output from the public fixtures.
35
35
  - Stabilize the manifest feedback loop with `.qamap/manifest.yaml`, `manifest init`, `manifest validate`, `manifest explain`, JSON Schema, and manifest-driven E2E draft shaping.
36
36
  - Keep `manifest context` useful as a pre-init sanity check for repo-local QA memory, harness docs, agent instructions, and runbooks.
37
37
  - Improve generated drafts until the golden demo feels like a real starting point, not a generic checklist.
38
- - Make `qa` the best first-run experience for AI-assisted PRs; keep `verify`, `e2e`, and `manifest` as the deeper layers behind it.
39
- - Keep `eval` explainable enough that maintainers trust the score and know what to fix.
40
- - Keep expanding representative validation targets beyond JavaScript so planning advice works for Python, Go, Rust, and JVM repositories.
38
+ - Keep `verify`, `e2e`, and `manifest` as deeper layers behind `qa`; freeze new scanner, doctor, eval, domains, flows, and history features until the core QA contract is consistently useful.
41
39
 
42
40
  ## Next
43
41
 
44
- - Publish a versioned GitHub Action release tag after the first public package is ready.
45
- - Improve `doctor` output with clearer scoring and remediation grouping.
46
- - Improve `review` output for changed-line locations.
47
- - Expand manifest support with richer anchors, symbol-level matching, and configurable taste rubrics.
48
- - Map changed symbols to manifest anchors after the path/route baseline is stable.
42
+ - Add symbol-level anchors for exported components, hooks, API clients, handlers, schemas, and queries after the public import-impact fixture stays stable.
43
+ - Add a manifest correction command that proposes the exact flow/anchor patch and applies it only after human approval, avoiding routine hand-edits to YAML.
44
+ - Add stronger deterministic draft adapters for Playwright and Maestro while keeping `manual` output for API, CLI, token, and catalog repositories.
45
+ - Expand the public benchmark corpus with package-scoped monorepos, auth/session changes, dynamic routes, API failure fixtures, and non-JavaScript services.
49
46
  - Keep the `--format agent` output a stable, versioned contract that skills and MCP wrappers can rely on.
50
- - Add language-specific domain patterns for backend services, CLIs, libraries, mobile apps, and infrastructure repositories.
51
47
  - Continue expanding agent surface detection across popular coding-agent tools without making the public workflow depend on a single vendor.
52
- - Generate rule documentation from scanner metadata.
53
48
 
54
49
  ## Later
55
50
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ivorycanvas/qamap",
3
- "version": "0.3.3",
3
+ "version": "0.3.5",
4
4
  "description": "Local-first QA skill that turns PR diffs into affected flows, missing evidence, and E2E drafts with no cloud or LLM token.",
5
5
  "type": "module",
6
6
  "packageManager": "pnpm@10.32.1",
@@ -24,8 +24,9 @@
24
24
  "coverage": "pnpm build && node --test --experimental-test-coverage --test-coverage-include=\"dist/**/*.js\" --test-coverage-lines=80 --test-coverage-branches=80 --test-coverage-functions=80 test/*.test.mjs",
25
25
  "scan": "pnpm build && node dist/cli.js scan .",
26
26
  "report": "pnpm build && node dist/cli.js report . --output QAMAP_REPORT.md",
27
- "release:check": "pnpm test && pnpm scan && git diff --check && pnpm run coverage && pnpm pack --dry-run",
28
- "bench": "pnpm build && node scripts/bench.mjs"
27
+ "release:check": "pnpm test && pnpm scan && pnpm bench:ci && git diff --check && pnpm run coverage && pnpm pack --dry-run",
28
+ "bench": "pnpm build && node scripts/bench.mjs",
29
+ "bench:ci": "pnpm build && node scripts/bench.mjs --config bench.config.json --assert"
29
30
  },
30
31
  "keywords": [
31
32
  "ai",
@@ -0,0 +1,171 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-07/schema#",
3
+ "$id": "https://raw.githubusercontent.com/IvoryCanvas/qamap/main/schema/qamap-agent.schema.json",
4
+ "title": "QAMap agent QA summary (qamap.qa v1)",
5
+ "description": "The single-line JSON object printed by `qamap qa --format agent`. Within schema version 1, fields are only ever added — existing fields are never removed or retyped. A breaking change bumps schema.version to 2.",
6
+ "type": "object",
7
+ "additionalProperties": true,
8
+ "required": [
9
+ "schema",
10
+ "base",
11
+ "head",
12
+ "project",
13
+ "runner",
14
+ "manifest",
15
+ "readiness",
16
+ "testSuite",
17
+ "flows",
18
+ "requiredEvidence",
19
+ "recommendedEvidenceCount",
20
+ "requiredBootstrap",
21
+ "prChecklist",
22
+ "commands"
23
+ ],
24
+ "properties": {
25
+ "schema": {
26
+ "type": "object",
27
+ "required": ["name", "version"],
28
+ "properties": {
29
+ "name": { "const": "qamap.qa" },
30
+ "version": { "const": 1 }
31
+ }
32
+ },
33
+ "base": {
34
+ "type": "string",
35
+ "description": "Git ref the diff was computed against."
36
+ },
37
+ "head": {
38
+ "type": "string",
39
+ "description": "Git ref of the change under review."
40
+ },
41
+ "project": {
42
+ "type": "string",
43
+ "description": "Detected project type, for example web, react-native, node, python, unknown."
44
+ },
45
+ "runner": {
46
+ "type": "string",
47
+ "enum": ["maestro", "playwright", "manual"],
48
+ "description": "Recommended E2E runner for this repository."
49
+ },
50
+ "manifest": {
51
+ "type": ["string", "null"],
52
+ "description": "Path of the verification manifest in use, or null when the run used repo signals and the PR diff only."
53
+ },
54
+ "readiness": {
55
+ "type": "object",
56
+ "required": ["score", "level"],
57
+ "properties": {
58
+ "score": { "type": "number", "minimum": 0, "maximum": 100 },
59
+ "level": {
60
+ "type": "string",
61
+ "enum": ["ready", "near-runnable", "needs-work", "blocked"],
62
+ "description": "Stable machine value; human reports render this as a stage on a four-step journey."
63
+ }
64
+ }
65
+ },
66
+ "testSuite": {
67
+ "type": "object",
68
+ "required": ["present", "files"],
69
+ "properties": {
70
+ "present": { "type": "boolean" },
71
+ "files": { "type": "number", "minimum": 0 }
72
+ }
73
+ },
74
+ "firstDraftCommand": {
75
+ "type": "string",
76
+ "description": "One command that creates the first E2E draft. Only present when the repository has no test suite and the diff reaches a product journey."
77
+ },
78
+ "flows": {
79
+ "type": "array",
80
+ "description": "Affected user flows derived from the diff, most relevant first (capped).",
81
+ "items": {
82
+ "type": "object",
83
+ "required": ["title", "source", "draft", "steps", "selectors"],
84
+ "properties": {
85
+ "title": { "type": "string" },
86
+ "source": {
87
+ "type": "string",
88
+ "description": "Where the flow came from, for example verification-manifest, core-flow, domain-language, heuristic."
89
+ },
90
+ "draft": { "type": "string", "description": "Path of the fallback draft artifact for this flow. When verificationMode is present, run existing repository evidence first instead of generating it by default." },
91
+ "verificationMode": {
92
+ "type": "string",
93
+ "enum": ["existing-test-evidence", "configuration", "documentation", "generated-artifact"],
94
+ "description": "Why this flow should validate existing evidence instead of generating a new product-journey E2E draft."
95
+ },
96
+ "runnable": {
97
+ "type": "string",
98
+ "enum": ["runnable-candidate", "near-runnable", "review-only"],
99
+ "description": "How trustworthy the generated draft is as an executable test. Absent when not evaluated."
100
+ },
101
+ "entry": { "type": "string", "description": "Best entrypoint hint (route or screen). Absent when unknown." },
102
+ "changedFiles": {
103
+ "type": "array",
104
+ "items": { "type": "string" },
105
+ "description": "Changed or import-reached files that support this flow mapping (capped)."
106
+ },
107
+ "reviewQuestion": {
108
+ "type": "string",
109
+ "description": "The concrete question a reviewer should answer before merge."
110
+ },
111
+ "successSignal": {
112
+ "type": "string",
113
+ "description": "The observable result that would prove the flow still works."
114
+ },
115
+ "steps": { "type": "array", "items": { "type": "string" } },
116
+ "selectors": { "type": "array", "items": { "type": "string" } },
117
+ "existingEvidence": {
118
+ "type": "array",
119
+ "items": { "type": "string" },
120
+ "description": "Changed test files to execute instead of generating another draft. Present for test-evidence-only changes."
121
+ },
122
+ "evidence": {
123
+ "type": "array",
124
+ "items": { "type": "string" },
125
+ "description": "Short reasons and repository facts behind the mapping (capped)."
126
+ }
127
+ }
128
+ }
129
+ },
130
+ "requiredEvidence": {
131
+ "type": "array",
132
+ "description": "QA evidence the change still needs before merge (required priority only, capped at 8).",
133
+ "items": {
134
+ "type": "object",
135
+ "required": ["flow", "kind", "title"],
136
+ "properties": {
137
+ "flow": { "type": "string" },
138
+ "kind": { "type": "string" },
139
+ "title": { "type": "string" }
140
+ }
141
+ }
142
+ },
143
+ "recommendedEvidenceCount": {
144
+ "type": "number",
145
+ "minimum": 0,
146
+ "description": "Count of recommended-priority evidence items not listed here; run without --format agent to see them."
147
+ },
148
+ "requiredBootstrap": {
149
+ "type": "array",
150
+ "description": "Setup steps that must happen before drafts can be treated as regression coverage (capped at 3).",
151
+ "items": {
152
+ "type": "object",
153
+ "required": ["title", "action"],
154
+ "properties": {
155
+ "title": { "type": "string" },
156
+ "action": { "type": "string" }
157
+ }
158
+ }
159
+ },
160
+ "prChecklist": {
161
+ "type": "array",
162
+ "items": { "type": "string" },
163
+ "description": "Ready-to-paste PR checklist lines (capped)."
164
+ },
165
+ "commands": {
166
+ "type": "array",
167
+ "items": { "type": "string" },
168
+ "description": "Suggested commands to run next, most useful first (capped at 4)."
169
+ }
170
+ }
171
+ }
@@ -25,6 +25,7 @@ Use QAMap as a final local QA pass before presenting a pull request for human re
25
25
  ```
26
26
 
27
27
  Drop `--format agent` when a human will read the output directly; the default markdown report is written for people.
28
+ The agent JSON is a versioned contract (`schema: qamap.qa` v1, additive-only): see docs/agent-format.md in the QAMap repository.
28
29
 
29
30
  3. If the repository is a monorepo and the changed files are clearly inside one package, run a scoped pass too:
30
31