@qatonic_innovations/qaios 0.2.0 → 0.3.1

package/README.md

@@ -35,18 +35,20 @@ The published package is `@qatonic_innovations/qaios`; the installed **command i
 
 ### Requirements
 
-- **Node.js 20 LTS recommended.** QAIOS bundles a native SQLite module
-  (better-sqlite3) for its local audit log; Node 20 LTS has the widest
-  prebuilt-binary coverage. Newer Node usually works but may need to compile
-  the binary (build tools + network access).
-- An **Anthropic API key** — get one at
-  [console.anthropic.com](https://console.anthropic.com/settings/keys), then
-  put it in your environment:
+- **Node.js 22 LTS or newer.** QAIOS uses Node's **built-in** SQLite
+  (`node:sqlite`, stable in Node 22) for its local audit log — **no native
+  module to compile**, so `npm install` is just a download. (On Node < 22 the
+  built-in isn't available; upgrade Node.)
+- An **LLM provider API key.** QAIOS uses **Anthropic** by default — get a key
+  at [console.anthropic.com](https://console.anthropic.com/settings/keys) and
+  export it:
   ```bash
   export ANTHROPIC_API_KEY=sk-ant-...      # macOS/Linux
   setx ANTHROPIC_API_KEY "sk-ant-..."      # Windows (open a NEW shell after)
   ```
-  The key is read from the environment and **never written to disk** by QAIOS.
+  Prefer **OpenAI**? Set `llm.provider: openai` and export `OPENAI_API_KEY`
+  instead — see [Choose your LLM provider](#choose-your-llm-provider) below.
+  Keys are read from the environment and **never written to disk** by QAIOS.
 - **Playwright** in your project, for `qaios run` / `snapshot` / `explore` / `a11y`:
   ```bash
   npm i -D @playwright/test && npx playwright install
@@ -57,14 +59,9 @@ The published package is `@qatonic_innovations/qaios`; the installed **command i
 
 ### Install troubleshooting
 
-If `qaios init` fails with a SQLite/native-binding error
-(`Could not load the native SQLite module`):
-
-- Confirm your Node version: `node -v` (prefer 20 LTS).
-- Rebuild the binary: `npm rebuild better-sqlite3` — or reinstall qaios.
-- Behind a proxy/firewall? The prebuilt binary is fetched from GitHub
-  release assets; allow that host, or install C/C++ build tools so it can
-  compile locally.
+QAIOS has **no native dependencies** — it uses Node's built-in SQLite — so
+install is friction-free. If `qaios init` reports a SQLite/`node:sqlite` error,
+your Node is too old: run `node -v` and upgrade to **Node 22 LTS or newer**.
 
 `qaios doctor` will tell you exactly which check failed and what to run.
 
@@ -126,7 +123,7 @@ Run `qaios <command> --help` for the full option list of any command.
 
 ```bash
 # Generate API tests from an OpenAPI spec
-qaios test --type api --spec ./openapi.yaml "exercise the /orders endpoints"
+qaios test --type api --api-spec ./openapi.yaml "exercise the /orders endpoints"
 
 # Run a suite; QAIOS classifies failures and self-heals locator drift
 qaios run
@@ -204,6 +201,39 @@ provider's native guaranteed-schema mode (Anthropic forced tool-use / OpenAI
 strict function calling), so generated artifacts stay schema-valid. You can
 override the key's env-var name with `llm.apiKeyEnv` if needed.
 
+#### Picking a model
+
+`llm.model` is a free-form string passed straight to the provider — **any model
+that provider's API accepts works**, not just the defaults. When `llm.model` is
+omitted, QAIOS uses a sensible default per provider:
+
+| Provider    | Default             | Other examples you can set                        |
+| ----------- | ------------------- | ------------------------------------------------- |
+| `anthropic` | `claude-sonnet-4-6` | `claude-opus-4-7`, `claude-haiku-4-5-20251001`, … |
+| `openai`    | `gpt-4o`            | `gpt-4o-mini` (cheaper), `gpt-4.1`, …             |
+
+```yaml
+llm:
+  provider: openai
+  model: gpt-4o-mini # any OpenAI model id
+```
+
+Two things to know about non-default models:
+
+- **Cost tracking.** QAIOS knows exact pricing for a built-in set of models
+  (Sonnet/Opus/Haiku and gpt-4o/4o-mini/4.1/4.1-mini). A model **outside** that
+  set still runs fine, but the USD figure in the audit log is approximate — it
+  bills at a default rate and prints a one-time `no pricing for model …`
+  warning. The per-workflow call/cost **cap still applies** regardless.
+- **Structured output.** QAIOS relies on the provider's strict tool/function
+  calling. The defaults are chosen for strong schema adherence; a much older or
+  unusual model may fail validation more often (the built-in retry loop
+  recovers from occasional misses).
+
+The defaults are the **live-validated** starting points — every skill is
+exercised end-to-end against them. Other models share the same code path but
+aren't individually certified.
+
 ### Operating modes
 
 - **LITE** (default) — HIGH/CRITICAL risk pauses for review; routine work flows through.

package/dist/index.js

@@ -6,8 +6,8 @@ import { realpathSync, readFileSync, existsSync, rmSync, mkdirSync, writeFileSyn
 import path12 from 'path';
 import { fileURLToPath } from 'url';
 import { Command, InvalidArgumentError } from 'commander';
-import Database from 'better-sqlite3';
 import { createHash } from 'crypto';
+import { createRequire } from 'module';
 import { z, ZodError } from 'zod';
 import { monotonicFactory } from 'ulid';
 import Anthropic from '@anthropic-ai/sdk';
@@ -843,6 +843,14 @@ var McpServerConfig = z.object({
 var QaiosConfig = z.object({
   version: z.literal(1),
   mode: Mode.default("LITE"),
+  // The application under test. `baseUrl` is read by run / snapshot / fix /
+  // test (CLI `--base-url` overrides it per run). OPTIONAL, not defaulted — a
+  // `.default({})` would make `qaios init` serialize an empty `app: {}` stub
+  // into every config, and a user later hand-adding an `app:` block would then
+  // hit a duplicate-key YAML error. Callers use `config?.app?.baseUrl`.
+  app: z.object({
+    baseUrl: z.string().url().optional()
+  }).optional(),
   llm: z.object({
     // Which LLM provider backs every skill. Default stays anthropic so
     // existing projects are unchanged. Set `openai` to use OpenAI instead;
@@ -1134,6 +1142,92 @@ function ensureDirExists(dir) {
     throw err;
   }
 }
+var nodeRequire = createRequire(import.meta.url);
+var { DatabaseSync } = nodeRequire("node:sqlite");
+var StatementAdapter = class {
+  constructor(stmt) {
+    this.stmt = stmt;
+  }
+  stmt;
+  run(...params) {
+    return this.stmt.run(...params);
+  }
+  get(...params) {
+    return this.stmt.get(...params);
+  }
+  all(...params) {
+    return this.stmt.all(...params);
+  }
+};
+var SqliteDb = class {
+  db;
+  /** Current nesting depth of `transaction()` — drives BEGIN vs SAVEPOINT. */
+  txDepth = 0;
+  constructor(location) {
+    this.db = new DatabaseSync(location);
+  }
+  prepare(sql) {
+    return new StatementAdapter(this.db.prepare(sql));
+  }
+  exec(sql) {
+    this.db.exec(sql);
+  }
+  /**
+   * better-sqlite3-compatible `pragma()`. Two call shapes are used in the repo:
+   *   - a SET:  `pragma('journal_mode = WAL')` / `pragma('foreign_keys = ON')`
+   *   - a READ: `pragma('journal_mode', { simple: true })` → the scalar value
+   * node:sqlite has no pragma helper, so route through exec/prepare. A statement
+   * containing `=` is a set (no useful result); otherwise it's a read.
+   */
+  pragma(source, opts = {}) {
+    const isSet = source.includes("=");
+    if (isSet) {
+      this.db.exec(`PRAGMA ${source}`);
+      return void 0;
+    }
+    const rows = this.db.prepare(`PRAGMA ${source}`).all();
+    if (opts.simple === true) {
+      const first = rows[0];
+      if (first === void 0) return void 0;
+      const keys = Object.keys(first);
+      return keys.length > 0 ? first[keys[0]] : void 0;
+    }
+    return rows;
+  }
+  /**
+   * better-sqlite3-compatible `transaction(fn)`: returns a callable that runs
+   * `fn` atomically, rolling back on throw. node:sqlite has no transaction
+   * helper, so wrap explicitly — and like better-sqlite3, be **savepoint-aware**
+   * so NESTED `transaction()` calls don't error with "cannot start a transaction
+   * within a transaction". The outermost call uses BEGIN/COMMIT/ROLLBACK; a
+   * nested call uses a uniquely-named SAVEPOINT / RELEASE / ROLLBACK TO.
+   */
+  transaction(fn) {
+    return (...args) => {
+      const nested = this.txDepth > 0;
+      const savepoint = `qaios_sp_${this.txDepth}`;
+      this.db.exec(nested ? `SAVEPOINT ${savepoint}` : "BEGIN");
+      this.txDepth += 1;
+      try {
+        const result = fn(...args);
+        this.db.exec(nested ? `RELEASE ${savepoint}` : "COMMIT");
+        this.txDepth -= 1;
+        return result;
+      } catch (err) {
+        this.txDepth -= 1;
+        try {
+          this.db.exec(nested ? `ROLLBACK TO ${savepoint}` : "ROLLBACK");
+          if (nested) this.db.exec(`RELEASE ${savepoint}`);
+        } catch {
+        }
+        throw err;
+      }
+    };
+  }
+  close() {
+    this.db.close();
+  }
+};
 var __dirname$1 = path12.dirname(fileURLToPath(import.meta.url));
 var DEFAULT_MIGRATIONS_DIR = path12.resolve(__dirname$1, "migrations");
 var Storage = class _Storage {
@@ -1150,7 +1244,7 @@ var Storage = class _Storage {
    * (recommended for tests).
    */
   static open(dbPath, opts = {}) {
-    const db = new Database(dbPath);
+    const db = new SqliteDb(dbPath);
     try {
       if (!opts.disableWal && dbPath !== ":memory:") {
         db.pragma("journal_mode = WAL");
@@ -2083,6 +2177,12 @@ var PRICING = {
     cacheReadPerMTok: 0.3,
     cacheWritePerMTok: 3.75
   },
+  "claude-opus-4-8": {
+    inputPerMTok: 15,
+    outputPerMTok: 75,
+    cacheReadPerMTok: 1.5,
+    cacheWritePerMTok: 18.75
+  },
   "claude-opus-4-7": {
     inputPerMTok: 15,
     outputPerMTok: 75,
@@ -2581,6 +2681,20 @@ function tempForTier(tier) {
       return 0.1;
   }
 }
+var DEFAULT_LLM_TIMEOUT_MS = 12e4;
+function llmTimeoutMs() {
+  const raw = process.env["QAIOS_LLM_TIMEOUT_MS"];
+  if (raw === void 0) return DEFAULT_LLM_TIMEOUT_MS;
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n >= 0 ? n : DEFAULT_LLM_TIMEOUT_MS;
+}
+function buildCallSignal(cancelSignal) {
+  const ms = llmTimeoutMs();
+  if (ms <= 0) return cancelSignal;
+  const timeout = AbortSignal.timeout(ms);
+  if (cancelSignal === void 0) return timeout;
+  return AbortSignal.any([timeout, cancelSignal]);
+}
 function schemaToJsonSchema(schema) {
   const probe = schema;
   if (typeof probe.toJSONSchema === "function") {
@@ -2650,7 +2764,8 @@ var SkillRunner = class {
           maxTokens: 16384,
           temperature: tempForTier(skill.modelTier)
         };
-        if (ctx.cancelSignal !== void 0) callOpts.signal = ctx.cancelSignal;
+        const signal = buildCallSignal(ctx.cancelSignal);
+        if (signal !== void 0) callOpts.signal = signal;
         response = await ctx.llm.call(callOpts);
       } catch (err) {
         ctx.auditLogger.append({
@@ -6802,7 +6917,7 @@ function directoryIsEmpty(projectRoot) {
 }
 
 // src/commands/doctor.ts
-var MIN_NODE_MAJOR = 20;
+var MIN_NODE_MAJOR = 22;
 function runDoctorEnv() {
   return { exitCode: ExitCode.SUCCESS, envSnapshot: snapshotEnv() };
 }
@@ -9992,18 +10107,14 @@ function runInit(opts = {}) {
     } catch {
     }
     const raw = err.message ?? String(err);
-    const isBindingError = /bindings file|was compiled against|NODE_MODULE_VERSION|\.node/i.test(
-      raw
-    );
-    const message = isBindingError ? `Could not load the native SQLite module (better-sqlite3). This usually means the prebuilt binary didn't download or doesn't match your Node version.
-  \u2022 Ensure you're on Node 20 LTS (run \`node -v\`).
-  \u2022 Reinstall to fetch/rebuild the binary: \`npm rebuild better-sqlite3\` (or reinstall qaios).
-  \u2022 Behind a proxy/firewall? The binary is fetched from GitHub releases \u2014 allow that, or install build tools so it can compile.
+    const isNodeTooOld = /node:sqlite|Cannot find module 'node:sqlite'|DatabaseSync/i.test(raw);
+    const message = isNodeTooOld ? `QAIOS needs Node's built-in SQLite (Node 22 LTS or newer).
+  \u2022 Check your version: \`node -v\` \u2014 upgrade to Node 22+ if it's older.
 Original error: ${raw}` : `Failed to initialise workflows.db: ${raw}`;
     return {
       exitCode: err instanceof StorageError ? ExitCode.INTERNAL : ExitCode.TOOL_ERROR,
       error: {
-        code: isBindingError ? "qaios.init.sqlite_binding_missing" : err instanceof StorageError ? err.code : "qaios.init.db_failed",
+        code: isNodeTooOld ? "qaios.init.node_too_old" : err instanceof StorageError ? err.code : "qaios.init.db_failed",
         message
       },
       detection
@@ -10426,6 +10537,13 @@ async function runMcp(opts) {
     if (ownsStorage) storage.close();
   }
 }
+function withTimeout(promise, ms, message) {
+  let timer;
+  const timeout = new Promise((_resolve, reject) => {
+    timer = setTimeout(() => reject(new McpError("qaios.mcp.test_timeout", message)), ms);
+  });
+  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
+}
 function listServers(repo, opts, writeOut) {
   const servers = repo.list();
   if (opts.json === true) {
@@ -10565,8 +10683,13 @@ async function testServer(repo, opts, writeOut) {
     servers: [{ ...config, enabled: true }]
   });
   const ownsClient = opts.mcpClient === void 0;
+  const MCP_TEST_TIMEOUT_MS = 15e3;
   try {
-    const tools = await client.listTools(opts.name);
+    const tools = await withTimeout(
+      client.listTools(opts.name),
+      MCP_TEST_TIMEOUT_MS,
+      `MCP server "${opts.name}" did not respond within ${MCP_TEST_TIMEOUT_MS / 1e3}s \u2014 is it a valid MCP server?`
+    );
     writeOut(`\u2713 Connected to "${opts.name}". Tools (${tools.length}):`);
     for (const t of tools) {
       writeOut(`  - ${t.name}${t.description !== void 0 ? ` \u2014 ${t.description}` : ""}`);
@@ -12190,7 +12313,11 @@ function buildProgram() {
     }
     process.exit(result.exitCode);
   });
-  program.command("explore <url>").description("Run an exploratory testing session against a URL").option("--duration <seconds>", "time budget in seconds (default 600)", (v) => parseInt(v, 10)).option("--focus <text>", "optional natural-language focus hint").option("--charter-only", "generate charter and stop; no findings, no defects").option("--no-defects", "skip defect.create + filing for findings").option("--defect-target <target>", "where to file defects: stdout | github | jira").option("--defect-repo <repo>", "github repo (owner/repo) when --defect-target=github").option("--defect-project <project>", "jira project key when --defect-target=jira").action(async (url, cmdOpts, command) => {
+  program.command("explore <url>").description("Run an exploratory testing session against a URL").option(
+    "--duration <seconds>",
+    "time budget in seconds (min 60, default 600)",
+    (v) => parseInt(v, 10)
+  ).option("--focus <text>", "optional natural-language focus hint").option("--charter-only", "generate charter and stop; no findings, no defects").option("--no-defects", "skip defect.create + filing for findings").option("--defect-target <target>", "where to file defects: stdout | github | jira").option("--defect-repo <repo>", "github repo (owner/repo) when --defect-target=github").option("--defect-project <project>", "jira project key when --defect-target=jira").action(async (url, cmdOpts, command) => {
     const globalOpts = command.parent?.opts() ?? {};
     const opts = {
       url,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qatonic_innovations/qaios",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "type": "module",
   "description": "AI QA engineer in your terminal — designs, writes, runs, heals, and explores tests for web UI and APIs with audit-grade traceability.",
   "license": "MIT",
@@ -29,7 +29,7 @@
     "self-healing"
   ],
   "engines": {
-    "node": ">=20.0.0"
+    "node": ">=22.0.0"
   },
   "publishConfig": {
     "access": "public"
@@ -46,7 +46,6 @@
   "dependencies": {
     "@anthropic-ai/sdk": "^0.40.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "better-sqlite3": "^11.7.0",
     "commander": "^12.1.0",
     "openai": "^4.77.0",
     "ink": "^5.2.1",
@@ -62,7 +61,6 @@
     "zod-to-json-schema": "^3.24.0"
   },
   "devDependencies": {
-    "@types/better-sqlite3": "^7.6.12",
     "@types/pixelmatch": "^5.2.6",
     "@types/pngjs": "^6.0.5",
     "@types/react": "^18.3.28",