@mifort-solutions/qmetrix 1.0.0

package/src/dashboard/collectors/entities.mjs

@@ -0,0 +1,147 @@
+/** 5d. Data model — tables/columns/buckets parsed from supabase/migrations/*.sql. */
+import { existsSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { ROOT } from '../config.mjs';
+import { walk } from '../utils/fs.mjs';
+
+/** Split a CREATE TABLE body on top-level commas (ignoring nested parens). */
+function splitTopLevel(body) {
+  const parts = [];
+  let depth = 0;
+  let cur = '';
+  for (const ch of body) {
+    if (ch === '(') {
+      depth++;
+    } else if (ch === ')') {
+      depth--;
+    }
+    if (ch === ',' && depth === 0) {
+      parts.push(cur);
+      cur = '';
+    } else {
+      cur += ch;
+    }
+  }
+  if (cur.trim()) {
+    parts.push(cur);
+  }
+  return parts;
+}
+
+function parseColumns(body) {
+  const cols = [];
+  for (const raw of splitTopLevel(body)) {
+    const line = raw.trim().replace(/\s+/g, ' ');
+    if (!line) {
+      continue;
+    }
+    if (/^(PRIMARY|FOREIGN|CONSTRAINT|UNIQUE|CHECK)\b/i.test(line)) {
+      continue;
+    } // table-level
+    const m = /^"?([a-zA-Z0-9_]+)"?\s+(.+)$/.exec(line);
+    if (!m) {
+      continue;
+    }
+    const name = m[1];
+    const rest = m[2];
+    const typeM = /^([a-zA-Z0-9_]+(?:\s*\([^)]*\))?(?:\s*\[])?)/.exec(rest);
+    const type = (typeM ? typeM[1] : rest.split(' ')[0]).replace(/\s+/g, '');
+    const pk = /\bPRIMARY\s+KEY\b/i.test(rest);
+    const fkM = /\bREFERENCES\s+"?([a-zA-Z0-9_.]+)"?\s*(?:\(\s*"?([a-zA-Z0-9_]+)"?\s*\))?/i.exec(
+      rest,
+    );
+    cols.push({
+      name,
+      type,
+      pk,
+      notnull: pk || /\bNOT\s+NULL\b/i.test(rest),
+      fk: fkM ? { table: fkM[1].replace(/"/g, ''), col: fkM[2] || '' } : null,
+    });
+  }
+  return cols;
+}
+
+/** Parse CREATE TABLE / ALTER TABLE / indexes / storage buckets from migrations. */
+export function collectEntities() {
+  const dir = path.join(ROOT, 'supabase', 'migrations');
+  if (!existsSync(dir)) {
+    return { available: false, tables: [], buckets: [] };
+  }
+  const files = walk(dir)
+    .filter((f) => f.toLowerCase().endsWith('.sql'))
+    .sort();
+  if (!files.length) {
+    return { available: false, tables: [], buckets: [] };
+  }
+
+  const tables = new Map();
+  const buckets = [];
+  const ensure = (name) =>
+    tables.get(name) || tables.set(name, { name, columns: [], rls: false, indexes: [] }).get(name);
+
+  for (const f of files) {
+    let sql;
+    try {
+      sql = readFileSync(f, 'utf8');
+    } catch {
+      continue;
+    }
+    const clean = sql.replace(/\/\*[\s\S]*?\*\//g, '').replace(/--[^\n]*/g, '');
+    let m;
+
+    const ctRe =
+      /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"?([a-zA-Z0-9_.]+)"?\s*\(([\s\S]*?)\)\s*;/gi;
+    while ((m = ctRe.exec(clean))) {
+      const t = ensure(m[1].replace(/"/g, ''));
+      for (const c of parseColumns(m[2])) {
+        if (!t.columns.find((x) => x.name === c.name)) {
+          t.columns.push(c);
+        }
+      }
+    }
+
+    const acRe =
+      /ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?"?([a-zA-Z0-9_.]+)"?\s+ADD\s+COLUMN\s+(?:IF\s+NOT\s+EXISTS\s+)?"?([a-zA-Z0-9_]+)"?\s+([a-zA-Z0-9_]+(?:\s*\([^)]*\))?(?:\s*\[])?)/gi;
+    while ((m = acRe.exec(clean))) {
+      const t = ensure(m[1].replace(/"/g, ''));
+      if (!t.columns.find((x) => x.name === m[2])) {
+        t.columns.push({
+          name: m[2],
+          type: m[3].replace(/\s+/g, ''),
+          pk: false,
+          notnull: false,
+          fk: null,
+        });
+      }
+    }
+
+    const rlsRe =
+      /ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?"?([a-zA-Z0-9_.]+)"?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
+    while ((m = rlsRe.exec(clean))) {
+      const t = tables.get(m[1].replace(/"/g, ''));
+      if (t) {
+        t.rls = true;
+      }
+    }
+
+    const idxRe =
+      /CREATE\s+(?:UNIQUE\s+)?INDEX\s+(?:IF\s+NOT\s+EXISTS\s+)?"?([a-zA-Z0-9_]+)"?\s+ON\s+"?([a-zA-Z0-9_.]+)"?\s*\(([^)]*)\)/gi;
+    while ((m = idxRe.exec(clean))) {
+      const t = tables.get(m[2].replace(/"/g, ''));
+      if (t) {
+        t.indexes.push({ name: m[1], cols: m[3].trim().replace(/\s+/g, ' ') });
+      }
+    }
+
+    const bkRe =
+      /INSERT\s+INTO\s+storage\.buckets[\s\S]*?VALUES\s*\(\s*'([^']+)'\s*,\s*'([^']+)'\s*,\s*(true|false)/gi;
+    while ((m = bkRe.exec(clean))) {
+      if (!buckets.find((b) => b.id === m[1])) {
+        buckets.push({ id: m[1], name: m[2], public: m[3] === 'true' });
+      }
+    }
+  }
+
+  return { available: true, tables: [...tables.values()], buckets };
+}

package/src/dashboard/collectors/graph.mjs

@@ -0,0 +1,105 @@
+/** 5. File relationship graph — internal import edges + fan-in/out. */
+import { readFileSync, statSync } from 'node:fs';
+import path from 'node:path';
+
+import { SRC } from '../config.mjs';
+import { rel, walk } from '../utils/fs.mjs';
+
+export function stripComments(code) {
+  return code.replace(/\/\*[\s\S]*?\*\//g, '').replace(/(^|[^:])\/\/.*$/gm, '$1');
+}
+
+export function resolveImport(spec, fromFile) {
+  let base;
+  if (spec.startsWith('@/')) {
+    base = path.join(SRC, spec.slice(2));
+  } else if (spec.startsWith('.')) {
+    base = path.resolve(path.dirname(fromFile), spec);
+  } else {
+    return null;
+  } // external package
+  const tries = [
+    base,
+    base + '.ts',
+    base + '.tsx',
+    base + '.js',
+    base + '.jsx',
+    path.join(base, 'index.ts'),
+    path.join(base, 'index.tsx'),
+    path.join(base, 'index.js'),
+    path.join(base, 'index.jsx'),
+  ];
+  for (const t of tries) {
+    try {
+      if (statSync(t).isFile()) {
+        return t;
+      }
+    } catch {}
+  }
+  return null;
+}
+
+export function externalName(spec) {
+  if (spec.startsWith('@/') || spec.startsWith('.')) {
+    return null;
+  }
+  if (spec.startsWith('@')) {
+    return spec.split('/').slice(0, 2).join('/');
+  }
+  return spec.split('/')[0];
+}
+
+export function collectGraph() {
+  const files = walk(SRC).filter((f) => /\.(ts|tsx|js|jsx)$/.test(f) && !f.endsWith('.d.ts'));
+  const set = new Set(files);
+  const idOf = new Map(files.map((f, i) => [f, i]));
+  const importRe =
+    /(?:\bimport\b[\s\S]*?\bfrom\s*|\bexport\b[\s\S]*?\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
+
+  const nodes = files.map((f) => ({
+    id: idOf.get(f),
+    label: rel(f).replace(/^src\//, ''),
+    group: rel(f).split('/')[1] || 'root',
+    fanIn: 0,
+    fanOut: 0,
+  }));
+  const edges = [];
+  const externals = new Map();
+
+  for (const f of files) {
+    let code;
+    try {
+      code = stripComments(readFileSync(f, 'utf8'));
+    } catch {
+      continue;
+    }
+    const seen = new Set();
+    let m;
+    while ((m = importRe.exec(code))) {
+      const spec = m[1];
+      if (seen.has(spec)) {
+        continue;
+      }
+      seen.add(spec);
+      const ext = externalName(spec);
+      if (ext) {
+        externals.set(ext, (externals.get(ext) || 0) + 1);
+        continue;
+      }
+      const target = resolveImport(spec, f);
+      if (target && set.has(target) && target !== f) {
+        edges.push({ source: idOf.get(f), target: idOf.get(target) });
+        nodes[idOf.get(f)].fanOut++;
+        nodes[idOf.get(target)].fanIn++;
+      }
+    }
+  }
+
+  return {
+    nodeCount: nodes.length,
+    edgeCount: edges.length,
+    externalCount: externals.size,
+    importedExternals: new Set(externals.keys()),
+    graph: { nodes, edges },
+  };
+}

package/src/dashboard/collectors/lint.mjs

@@ -0,0 +1,117 @@
+/** 3. Linter + typecheck — collect-only.
+ *
+ * Reads artifacts produced elsewhere (the dashboard never runs eslint/tsc itself):
+ *   - ESLint JSON  → dist/reports/eslint.json
+ *       generate with: npm run lint -- -f json -o dist/reports/eslint.json
+ *   - tsc --noEmit → dist/reports/tsc.log
+ *       generate with: npm run typecheck > dist/reports/tsc.log 2>&1
+ * When an artifact is absent the section is marked missing with the command above.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { ROOT } from '../config.mjs';
+import { rel } from '../utils/fs.mjs';
+
+const ESLINT_ARTIFACT = path.join(ROOT, 'dist', 'reports', 'eslint.json');
+const TSC_ARTIFACT = path.join(ROOT, 'dist', 'reports', 'tsc.log');
+
+const ESLINT_HINT = 'npm run lint -- -f json -o dist/reports/eslint.json';
+const TSC_HINT = 'npm run typecheck > dist/reports/tsc.log 2>&1';
+
+/** Parse an ESLint JSON-formatter array into the shape the renderer expects. */
+function parseEslint(json) {
+  let errors = 0,
+    warnings = 0;
+  const byRule = {};
+  const fileList = [];
+  const problems = [];
+  for (const f of json) {
+    if (!f.errorCount && !f.warningCount) {
+      continue;
+    }
+    errors += f.errorCount || 0;
+    warnings += f.warningCount || 0;
+    fileList.push({
+      file: rel(f.filePath),
+      errors: f.errorCount || 0,
+      warnings: f.warningCount || 0,
+    });
+    for (const m of f.messages || []) {
+      const id = m.ruleId || '(syntax)';
+      const b = (byRule[id] ||= { rule: id, errors: 0, warnings: 0 });
+      if (m.severity === 2) {
+        b.errors++;
+      } else {
+        b.warnings++;
+      }
+      problems.push({
+        file: rel(f.filePath),
+        line: m.line ?? 0,
+        column: m.column ?? 0,
+        rule: id,
+        severity: m.severity === 2 ? 'error' : 'warning',
+        message: m.message || '',
+      });
+    }
+  }
+  // errors first, then by file/line — this is the "where & what" detail list.
+  problems.sort(
+    (a, b) =>
+      (a.severity === b.severity ? 0 : a.severity === 'error' ? -1 : 1) ||
+      a.file.localeCompare(b.file) ||
+      a.line - b.line,
+  );
+  return {
+    available: true,
+    errors,
+    warnings,
+    rules: Object.values(byRule).sort((a, b) => b.errors - a.errors || b.warnings - a.warnings),
+    files: fileList.sort((a, b) => b.errors - a.errors || b.warnings - a.warnings).slice(0, 40),
+    problems,
+    problemsShown: Math.min(problems.length, 200),
+  };
+}
+
+export function collectLint() {
+  const out = { eslint: null, tsc: null };
+
+  // ── ESLint ──
+  if (existsSync(ESLINT_ARTIFACT)) {
+    let json;
+    try {
+      json = JSON.parse(readFileSync(ESLINT_ARTIFACT, 'utf8'));
+    } catch {
+      json = null;
+    }
+    out.eslint = Array.isArray(json)
+      ? parseEslint(json)
+      : {
+          available: false,
+          note: `dist/reports/eslint.json is not valid JSON. Regenerate: ${ESLINT_HINT}`,
+        };
+  } else {
+    out.eslint = { available: false, note: `Not generated. Run: ${ESLINT_HINT}` };
+  }
+
+  // ── tsc --noEmit ──
+  if (existsSync(TSC_ARTIFACT)) {
+    let txt;
+    try {
+      txt = readFileSync(TSC_ARTIFACT, 'utf8');
+    } catch {
+      txt = '';
+    }
+    const tsErrors = txt.split(/\r?\n/).filter((l) => /error TS\d+:/.test(l));
+    out.tsc = {
+      available: true,
+      ok: tsErrors.length === 0,
+      errors: tsErrors.length,
+      sample: tsErrors.slice(0, 30),
+    };
+  } else {
+    out.tsc = { available: false, note: `Not generated. Run: ${TSC_HINT}` };
+  }
+
+  return out;
+}

package/src/dashboard/collectors/routing.mjs

@@ -0,0 +1,82 @@
+/** 5b. Routing — Next.js App Router tree with resolved URLs. */
+import { existsSync, readdirSync } from 'node:fs';
+import path from 'node:path';
+
+import { SRC } from '../config.mjs';
+import { IGNORE_DIRS } from '../utils/fs.mjs';
+
+const ROUTE_FILE_KINDS = new Set([
+  'page',
+  'layout',
+  'route',
+  'loading',
+  'error',
+  'global-error',
+  'not-found',
+  'template',
+  'default',
+]);
+
+function routeFileKind(name) {
+  const base = name.replace(/\.(tsx|ts|jsx|js)$/, '');
+  return ROUTE_FILE_KINDS.has(base) ? base : null;
+}
+
+/** Walk src/app and build an expandable route tree with URL paths. */
+export function collectRouting() {
+  const appDir = path.join(SRC, 'app');
+  if (!existsSync(appDir)) {
+    return { available: false };
+  }
+
+  const build = (dir, seg) => {
+    let entries = [];
+    try {
+      entries = readdirSync(dir, { withFileTypes: true });
+    } catch {}
+    const node = {
+      seg,
+      dynamic: /^\[.+]$/.test(seg),
+      group: /^\(.+\)$/.test(seg),
+      kinds: [],
+      children: [],
+    };
+    for (const e of entries) {
+      if (e.isFile()) {
+        const k = routeFileKind(e.name);
+        if (k && !node.kinds.includes(k)) {
+          node.kinds.push(k);
+        }
+      }
+    }
+    for (const e of entries) {
+      if (e.isDirectory() && !IGNORE_DIRS.has(e.name)) {
+        node.children.push(build(path.join(dir, e.name), e.name));
+      }
+    }
+    node.kinds.sort();
+    node.children.sort((a, b) => a.seg.localeCompare(b.seg));
+    return node;
+  };
+
+  const root = build(appDir, '');
+  let pageCount = 0;
+  let routeCount = 0;
+  // Compute the URL each segment maps to (route groups don't appear in the URL).
+  const urlize = (node, parts) => {
+    const next = node.seg && !node.group ? [...parts, node.seg] : parts;
+    node.url = '/' + next.filter(Boolean).join('/');
+    if (node.kinds.includes('page')) {
+      pageCount++;
+    }
+    if (node.kinds.includes('route')) {
+      routeCount++;
+    }
+    for (const c of node.children) {
+      urlize(c, next);
+    }
+  };
+  urlize(root, []);
+
+  return { available: true, root, pageCount, routeCount };
+}

package/src/dashboard/collectors/security.mjs

@@ -0,0 +1,182 @@
+/** 6–9. Security scanners — local SARIF/JSON artifacts (Snyk, CodeQL, Checkmarx). */
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { ROOT } from '../config.mjs';
+import { rel, walk } from '../utils/fs.mjs';
+
+function findSarifFiles() {
+  const found = [];
+  // Primary location: dist/reports (where dev/scripts/security-scan.mjs writes). walk()
+  // skips dist/, so scan it explicitly.
+  const reportsDir = path.join(ROOT, 'dist', 'reports');
+  if (existsSync(reportsDir)) {
+    for (const name of readdirSync(reportsDir)) {
+      if (name.toLowerCase().endsWith('.sarif')) {
+        found.push(path.join(reportsDir, name));
+      }
+    }
+  }
+  // Back-compat: any *.sarif left elsewhere in the tree (e.g. downloaded from CI to root).
+  found.push(...walk(ROOT).filter((f) => f.toLowerCase().endsWith('.sarif')));
+  return found;
+}
+
+function parseSarif(file) {
+  let doc;
+  try {
+    doc = JSON.parse(readFileSync(file, 'utf8'));
+  } catch {
+    return null;
+  }
+  const sev = { critical: 0, high: 0, medium: 0, low: 0, note: 0 };
+  let driver = '';
+  const rules = {};
+  const findings = [];
+  for (const run of doc.runs || []) {
+    driver = run.tool?.driver?.name || driver;
+    // CodeQL (and others) attach `security-severity` / level + a human-readable
+    // title (shortDescription / help) to the rule, not the result.
+    const ruleMeta = {};
+    for (const r of run.tool?.driver?.rules || []) {
+      ruleMeta[r.id] = {
+        score: parseFloat(r.properties?.['security-severity']),
+        level: (r.defaultConfiguration?.level || '').toString().toLowerCase(),
+        title: (r.shortDescription?.text || r.name || '').trim(),
+      };
+    }
+    for (const res of run.results || []) {
+      const meta = ruleMeta[res.ruleId] || {};
+      const resScore = parseFloat(res.properties?.['security-severity']);
+      const score = Number.isNaN(resScore) ? meta.score : resScore;
+      const level = (res.level || meta.level || '').toString().toLowerCase();
+      let bucket = 'note';
+      if (!Number.isNaN(score)) {
+        bucket = score >= 9 ? 'critical' : score >= 7 ? 'high' : score >= 4 ? 'medium' : 'low';
+      } else if (level === 'error') {
+        bucket = 'high';
+      } else if (level === 'warning') {
+        bucket = 'medium';
+      } else if (level === 'note') {
+        bucket = 'low';
+      }
+      sev[bucket]++;
+      const rid = res.ruleId || 'rule';
+      rules[rid] = (rules[rid] || 0) + 1;
+
+      // "Why this is flagged" — the rule title is the headline reason, the result
+      // message is the specifics; keep both (deduped) plus the offending location.
+      const loc = res.locations?.[0]?.physicalLocation;
+      const uri = loc?.artifactLocation?.uri || '';
+      const line = loc?.region?.startLine || null;
+      const msg = (res.message?.text || '').trim();
+      const reason = meta.title && meta.title !== msg ? meta.title : msg || meta.title;
+      findings.push({
+        rule: rid,
+        severity: bucket,
+        reason,
+        detail: msg && msg !== reason ? msg : '',
+        where: uri ? `${uri}${line ? `:${line}` : ''}` : '',
+      });
+    }
+  }
+  const total = Object.values(sev).reduce((a, b) => a + b, 0);
+  // Most severe first, then by rule frequency, so the rendered list leads with what matters.
+  const rank = { critical: 0, high: 1, medium: 2, low: 3, note: 4 };
+  findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
+  return {
+    driver,
+    sev,
+    total,
+    findings,
+    topRules: Object.entries(rules)
+      .sort((a, b) => b[1] - a[1])
+      .slice(0, 5),
+  };
+}
+
+export function collectSecurity(repo) {
+  const sarifFiles = findSarifFiles();
+  const parsed = sarifFiles
+    .map((f) => ({ file: rel(f), ...parseSarif(f) }))
+    .filter((p) => p && p.driver != null);
+
+  const matchByName = (...needles) =>
+    parsed.filter((p) =>
+      needles.some(
+        (n) => p.file.toLowerCase().includes(n) || (p.driver || '').toLowerCase().includes(n),
+      ),
+    );
+
+  const ghSecurity = repo
+    ? `https://github.com/${repo.owner}/${repo.name}/security/code-scanning`
+    : null;
+  const ciLink = (tool) =>
+    ghSecurity ? `${ghSecurity}?query=tool%3A${encodeURIComponent(tool)}` : null;
+
+  // ── Snyk ──
+  const snykReports = [...matchByName('snyk')];
+  // snyk test --json (non-SARIF) fallback — check dist/reports first, then repo root.
+  for (const name of ['snyk.json', 'snyk-deps.json', 'snyk-code.json']) {
+    const p = [path.join(ROOT, 'dist', 'reports', name), path.join(ROOT, name)].find((c) =>
+      existsSync(c),
+    );
+    if (p) {
+      try {
+        const j = JSON.parse(readFileSync(p, 'utf8'));
+        const arr = Array.isArray(j) ? j : j.vulnerabilities || [];
+        const sev = { critical: 0, high: 0, medium: 0, low: 0, note: 0 };
+        const findings = [];
+        for (const v of arr) {
+          const s = (v.severity || 'low').toLowerCase();
+          sev[s] = (sev[s] || 0) + 1;
+          findings.push({
+            rule: v.id || v.packageName || 'vuln',
+            severity: s,
+            reason: (v.title || v.id || '').trim(),
+            detail: v.packageName ? `${v.packageName}${v.version ? `@${v.version}` : ''}` : '',
+            where: '',
+          });
+        }
+        snykReports.push({
+          file: name,
+          driver: 'Snyk',
+          sev,
+          total: arr.length,
+          findings,
+          topRules: [],
+        });
+      } catch {}
+    }
+  }
+  const snyk = {
+    name: 'Snyk',
+    tool: 'Open Source + Code (SAST/SCA)',
+    workflow: existsSync(path.join(ROOT, '.github/workflows/snyk.yml')),
+    reports: snykReports,
+    dashboard: 'https://app.snyk.io',
+    ci: ciLink('snyk'),
+  };
+
+  // ── CodeQL ──
+  const codeql = {
+    name: 'CodeQL',
+    tool: 'GitHub semantic SAST (javascript-typescript)',
+    workflow: existsSync(path.join(ROOT, '.github/workflows/codeql.yml')),
+    reports: matchByName('codeql'),
+    ci: ciLink('CodeQL'),
+    dashboard: ghSecurity,
+  };
+
+  // ── Checkmarx ──
+  const checkmarx = {
+    name: 'Checkmarx One',
+    tool: 'SAST · SCA · secret detection',
+    workflow: existsSync(path.join(ROOT, '.github/workflows/checkmarx.yml')),
+    reports: matchByName('cx-results', 'checkmarx'),
+    ci: ciLink('Checkmarx'),
+    dashboard: 'https://ast.checkmarx.net',
+  };
+
+  return { snyk, codeql, checkmarx, ghSecurity, anySarif: parsed.length };
+}

package/src/dashboard/collectors/storybook.mjs

@@ -0,0 +1,33 @@
+/**
+ * Storybook — collect-only.
+ *
+ * Counts the story files in the source tree and checks whether a static Storybook has
+ * been built next to the dashboard (dist/site/storybook). It never builds Storybook
+ * itself; `npm run quality:dashboard` builds it first (or run `npm run build-storybook`).
+ */
+import { existsSync } from 'node:fs';
+import path from 'node:path';
+
+import { SRC } from '../config.mjs';
+import { walk } from '../utils/fs.mjs';
+
+const STORY_RE = /\.stories\.(tsx|jsx|ts|js|mdx)$/;
+
+/**
+ * @param {string} outDir directory the dashboard html is written to (its `storybook/`
+ *                        subfolder is where a built static Storybook is expected).
+ */
+export function collectStorybook(outDir) {
+  const storyCount = walk(SRC).filter((f) => STORY_RE.test(f)).length;
+  const builtIndex = path.join(outDir, 'storybook', 'index.html');
+  const built = existsSync(builtIndex);
+  return {
+    available: true,
+    storyCount,
+    built,
+    href: './storybook/',
+    note: built
+      ? null
+      : 'Static Storybook not built next to the dashboard. Run `npm run quality:dashboard` (or `npm run build-storybook`).',
+  };
+}

package/src/dashboard/config.mjs

@@ -0,0 +1,15 @@
+/**
+ * Shared paths for the quality-dashboard modules.
+ *
+ * These were previously a global closure inside quality-dashboard.mjs. Exporting
+ * them from one place keeps the collectors/utils free of `import.meta.url` math
+ * and gives every layer a single source of truth for where the project lives.
+ */
+import path from 'node:path';
+
+/** Repository root — the consuming repo's cwd (every QMetriX verb runs from the app root). */
+export const ROOT = process.cwd();
+/** Application source root. */
+export const SRC = path.join(ROOT, 'src');
+/** Optional curated dependency-notes.json location (app-side; absent → notes default to {}). */
+export const SCRIPTS_DIR = path.join(ROOT, 'dev', 'scripts');