@qatonic_innovations/qaios 0.3.0 → 0.3.2

package/README.md

@@ -48,7 +48,9 @@ The published package is `@qatonic_innovations/qaios`; the installed **command i
   ```
   Prefer **OpenAI**? Set `llm.provider: openai` and export `OPENAI_API_KEY`
   instead — see [Choose your LLM provider](#choose-your-llm-provider) below.
-  Keys are read from the environment and **never written to disk** by QAIOS.
+  Keys are read from the **environment** (`process.env`) and **never written to
+  disk** by QAIOS. QAIOS does not auto-load a `.env` file — export the key in
+  your shell (or use a `.env` runner like `dotenv-cli`) before running.
 - **Playwright** in your project, for `qaios run` / `snapshot` / `explore` / `a11y`:
   ```bash
   npm i -D @playwright/test && npx playwright install
@@ -123,7 +125,7 @@ Run `qaios <command> --help` for the full option list of any command.
 
 ```bash
 # Generate API tests from an OpenAPI spec
-qaios test --type api --spec ./openapi.yaml "exercise the /orders endpoints"
+qaios test --type api --api-spec ./openapi.yaml "exercise the /orders endpoints"
 
 # Run a suite; QAIOS classifies failures and self-heals locator drift
 qaios run

package/dist/index.js

@@ -843,6 +843,14 @@ var McpServerConfig = z.object({
 var QaiosConfig = z.object({
   version: z.literal(1),
   mode: Mode.default("LITE"),
+  // The application under test. `baseUrl` is read by run / snapshot / fix /
+  // test (CLI `--base-url` overrides it per run). OPTIONAL, not defaulted — a
+  // `.default({})` would make `qaios init` serialize an empty `app: {}` stub
+  // into every config, and a user later hand-adding an `app:` block would then
+  // hit a duplicate-key YAML error. Callers use `config?.app?.baseUrl`.
+  app: z.object({
+    baseUrl: z.string().url().optional()
+  }).optional(),
   llm: z.object({
     // Which LLM provider backs every skill. Default stays anthropic so
     // existing projects are unchanged. Set `openai` to use OpenAI instead;
@@ -2673,6 +2681,20 @@ function tempForTier(tier) {
       return 0.1;
   }
 }
+var DEFAULT_LLM_TIMEOUT_MS = 12e4;
+function llmTimeoutMs() {
+  const raw = process.env["QAIOS_LLM_TIMEOUT_MS"];
+  if (raw === void 0) return DEFAULT_LLM_TIMEOUT_MS;
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n >= 0 ? n : DEFAULT_LLM_TIMEOUT_MS;
+}
+function buildCallSignal(cancelSignal) {
+  const ms = llmTimeoutMs();
+  if (ms <= 0) return cancelSignal;
+  const timeout = AbortSignal.timeout(ms);
+  if (cancelSignal === void 0) return timeout;
+  return AbortSignal.any([timeout, cancelSignal]);
+}
 function schemaToJsonSchema(schema) {
   const probe = schema;
   if (typeof probe.toJSONSchema === "function") {
@@ -2742,7 +2764,8 @@ var SkillRunner = class {
           maxTokens: 16384,
           temperature: tempForTier(skill.modelTier)
         };
-        if (ctx.cancelSignal !== void 0) callOpts.signal = ctx.cancelSignal;
+        const signal = buildCallSignal(ctx.cancelSignal);
+        if (signal !== void 0) callOpts.signal = signal;
         response = await ctx.llm.call(callOpts);
       } catch (err) {
         ctx.auditLogger.append({
@@ -2978,13 +3001,19 @@ var CostTracker = class {
     const row = this.db.prepare(
       `SELECT
            COUNT(*) AS calls,
-           COALESCE(SUM(CAST(json_extract(model_call_json, '$.costUsdCents') AS INTEGER)), 0) AS cents
+           COALESCE(SUM(CAST(json_extract(model_call_json, '$.costUsdCents') AS INTEGER)), 0) AS cents,
+           COALESCE(SUM(
+             COALESCE(CAST(json_extract(model_call_json, '$.inputTokens') AS INTEGER), 0) +
+             COALESCE(CAST(json_extract(model_call_json, '$.outputTokens') AS INTEGER), 0) +
+             COALESCE(CAST(json_extract(model_call_json, '$.cacheReadTokens') AS INTEGER), 0) +
+             COALESCE(CAST(json_extract(model_call_json, '$.cacheWriteTokens') AS INTEGER), 0)
+           ), 0) AS tokens
          FROM audit_log
          WHERE workflow_id = ?
            AND event = 'model.called'
            AND model_call_json IS NOT NULL`
     ).get(workflowId);
-    return { calls: row.calls, usdCents: row.cents };
+    return { calls: row.calls, usdCents: row.cents, tokens: row.tokens };
   }
   /**
    * Remaining budget for the workflow. Returns negative numbers when
@@ -5143,6 +5172,7 @@ var Orchestrator = class {
     if (to === "completed" || to === "failed" || to === "cancelled") {
       const snap = this.costTracker.current(workflowId);
       updates.costUsdCents = snap.usdCents;
+      updates.costTokens = snap.tokens;
     }
     this.workflowsRepo.update(workflowId, updates);
     const phase = phaseForState(to);
@@ -9708,7 +9738,8 @@ async function runFix(opts) {
     const runResult = await adapter.run({
       cwd,
       workflowId,
-      pattern: resolvedTestFile
+      pattern: resolvedTestFile,
+      extraArgs: ["--retries=2"]
     });
     const passed = runResult.runRow.failedCount === 0 && runResult.runRow.status !== "errored";
     let rolledBack = false;
@@ -10514,6 +10545,13 @@ async function runMcp(opts) {
     if (ownsStorage) storage.close();
   }
 }
+function withTimeout(promise, ms, message) {
+  let timer;
+  const timeout = new Promise((_resolve, reject) => {
+    timer = setTimeout(() => reject(new McpError("qaios.mcp.test_timeout", message)), ms);
+  });
+  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
+}
 function listServers(repo, opts, writeOut) {
   const servers = repo.list();
   if (opts.json === true) {
@@ -10653,8 +10691,13 @@ async function testServer(repo, opts, writeOut) {
     servers: [{ ...config, enabled: true }]
   });
   const ownsClient = opts.mcpClient === void 0;
+  const MCP_TEST_TIMEOUT_MS = 15e3;
   try {
-    const tools = await client.listTools(opts.name);
+    const tools = await withTimeout(
+      client.listTools(opts.name),
+      MCP_TEST_TIMEOUT_MS,
+      `MCP server "${opts.name}" did not respond within ${MCP_TEST_TIMEOUT_MS / 1e3}s \u2014 is it a valid MCP server?`
+    );
     writeOut(`\u2713 Connected to "${opts.name}". Tools (${tools.length}):`);
     for (const t of tools) {
       writeOut(`  - ${t.name}${t.description !== void 0 ? ` \u2014 ${t.description}` : ""}`);
@@ -10766,7 +10809,8 @@ async function runReview(opts) {
         resumedWorkflows: []
       };
     }
-    if (opts.nonInteractive === true && opts.decideForTests === void 0) {
+    const decide = opts.autoApprove === true ? () => "approve" : opts.decideForTests;
+    if (opts.nonInteractive === true && decide === void 0) {
       return {
         exitCode: ExitCode.USER_ERROR,
         decisions: [],
@@ -10774,7 +10818,7 @@ async function runReview(opts) {
         resumedWorkflows: [],
         error: {
           code: "qaios.review.requires_tty",
-          message: "qaios review needs an interactive terminal \u2014 pass --auto-approve or run without --non-interactive."
+          message: "qaios review needs an interactive terminal \u2014 pass --auto-approve to approve all pending gates non-interactively, or run without --non-interactive."
         }
       };
     }
@@ -10808,9 +10852,9 @@ async function runReview(opts) {
         );
       }
     };
-    if (opts.decideForTests !== void 0) {
+    if (decide !== void 0) {
       for (const gate of pending) {
-        await onDecide(gate, opts.decideForTests(gate));
+        await onDecide(gate, decide(gate));
       }
       return {
         exitCode: ExitCode.SUCCESS,
@@ -10819,15 +10863,15 @@ async function runReview(opts) {
         resumedWorkflows: Array.from(resumedSet)
       };
     }
-    const [{ render }, { GateReview: GateReview2 }] = await Promise.all([
+    const [React3, { render }, { GateReview: GateReview2 }] = await Promise.all([
+      import('react'),
       import('ink'),
       Promise.resolve().then(() => (init_GateReview(), GateReview_exports))
     ]);
     await new Promise((resolve) => {
       let chain = Promise.resolve();
       const instance = render(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        GateReview2({
+        React3.createElement(GateReview2, {
           gates: pending,
           onDecide: (gate, action) => {
             chain = chain.then(() => onDecide(gate, action));
@@ -11084,9 +11128,32 @@ var GLYPH5 = {
   warn: "\u26A0",
   blocked: "\u23F8"
 };
+var SnapshotSpecError = class extends Error {
+  constructor(userMessage) {
+    super(userMessage);
+    this.userMessage = userMessage;
+  }
+  userMessage;
+};
 function loadSnapshotSpec(specPath) {
-  const raw = JSON.parse(readFileSync(specPath, "utf-8"));
-  const snapshots = Array.isArray(raw["snapshots"]) ? raw["snapshots"] : Array.isArray(raw["designSpec"]?.["snapshots"]) ? raw["designSpec"]["snapshots"] : [];
+  let raw;
+  try {
+    raw = JSON.parse(readFileSync(specPath, "utf-8"));
+  } catch (err) {
+    throw new SnapshotSpecError(`could not read/parse ${specPath}: ${err.message}`);
+  }
+  const rawSnapshots = Array.isArray(raw["snapshots"]) ? raw["snapshots"] : Array.isArray(raw["designSpec"]?.["snapshots"]) ? raw["designSpec"]["snapshots"] : [];
+  const snapshots = [];
+  rawSnapshots.forEach((s, i) => {
+    const parsed = VisualSnapshot.safeParse(s);
+    if (!parsed.success) {
+      const issues = parsed.error.issues.map((iss) => `${iss.path.join(".") || "(root)"}: ${iss.message}`).join("; ");
+      throw new SnapshotSpecError(
+        `spec ${specPath}: snapshots[${i}] is invalid \u2014 ${issues}. Each snapshot needs: id, name, route, setupSteps[], viewports[], priority (P0\u2013P3).`
+      );
+    }
+    snapshots.push(parsed.data);
+  });
   return {
     snapshots,
     ...typeof raw["featureName"] === "string" ? { featureName: raw["featureName"] } : {}
@@ -11134,7 +11201,18 @@ async function runSnapshotCapture(opts) {
       }
     };
   }
-  const { snapshots: allSnapshots } = loadSnapshotSpec(specAbs);
+  let allSnapshots;
+  try {
+    allSnapshots = loadSnapshotSpec(specAbs).snapshots;
+  } catch (err) {
+    if (err instanceof SnapshotSpecError) {
+      return {
+        exitCode: ExitCode.USER_ERROR,
+        error: { code: "qaios.snapshot_capture.invalid_spec", message: err.userMessage }
+      };
+    }
+    throw err;
+  }
   if (allSnapshots.length === 0) {
     return {
       exitCode: ExitCode.USER_ERROR,
@@ -11584,14 +11662,14 @@ async function runSnapshotReview(opts) {
         }
       };
     }
-    const [{ render }, { SnapshotReview: SnapshotReview2 }] = await Promise.all([
+    const [React3, { render }, { SnapshotReview: SnapshotReview2 }] = await Promise.all([
+      import('react'),
       import('ink'),
       Promise.resolve().then(() => (init_SnapshotReview(), SnapshotReview_exports))
     ]);
     await new Promise((resolve) => {
       const instance = render(
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        SnapshotReview2({
+        React3.createElement(SnapshotReview2, {
           items,
           onDecide,
           onExit: () => {
@@ -12278,7 +12356,11 @@ function buildProgram() {
     }
     process.exit(result.exitCode);
   });
-  program.command("explore <url>").description("Run an exploratory testing session against a URL").option("--duration <seconds>", "time budget in seconds (default 600)", (v) => parseInt(v, 10)).option("--focus <text>", "optional natural-language focus hint").option("--charter-only", "generate charter and stop; no findings, no defects").option("--no-defects", "skip defect.create + filing for findings").option("--defect-target <target>", "where to file defects: stdout | github | jira").option("--defect-repo <repo>", "github repo (owner/repo) when --defect-target=github").option("--defect-project <project>", "jira project key when --defect-target=jira").action(async (url, cmdOpts, command) => {
+  program.command("explore <url>").description("Run an exploratory testing session against a URL").option(
+    "--duration <seconds>",
+    "time budget in seconds (min 60, default 600)",
+    (v) => parseInt(v, 10)
+  ).option("--focus <text>", "optional natural-language focus hint").option("--charter-only", "generate charter and stop; no findings, no defects").option("--no-defects", "skip defect.create + filing for findings").option("--defect-target <target>", "where to file defects: stdout | github | jira").option("--defect-repo <repo>", "github repo (owner/repo) when --defect-target=github").option("--defect-project <project>", "jira project key when --defect-target=jira").action(async (url, cmdOpts, command) => {
     const globalOpts = command.parent?.opts() ?? {};
     const opts = {
       url,
@@ -12427,11 +12509,12 @@ function buildProgram() {
   configGroup.command("show").description("Print resolved config (defaults applied)").action((cmdOpts, command) => {
     void runConfigVerb("show", cmdOpts, command, {});
   });
-  program.command("review").description("Walk pending gates and approve/reject (interactive Ink TUI; W9-T2)").option("--workflow <id>", "restrict to one workflow id").action(async (cmdOpts, command) => {
+  program.command("review").description("Walk pending gates and approve/reject (interactive Ink TUI; W9-T2)").option("--workflow <id>", "restrict to one workflow id").option("--auto-approve", "approve all pending gates without prompting (CI-friendly)").action(async (cmdOpts, command) => {
     const globalOpts = command.parent?.opts() ?? {};
     const workflowFlag = typeof cmdOpts["workflow"] === "string" ? cmdOpts["workflow"] : typeof globalOpts["workflow"] === "string" ? globalOpts["workflow"] : void 0;
     const opts = {
       nonInteractive: Boolean(globalOpts["nonInteractive"]),
+      autoApprove: Boolean(cmdOpts["autoApprove"]),
       json: Boolean(globalOpts["json"]),
       quiet: Boolean(globalOpts["quiet"])
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qatonic_innovations/qaios",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "type": "module",
   "description": "AI QA engineer in your terminal — designs, writes, runs, heals, and explores tests for web UI and APIs with audit-grade traceability.",
   "license": "MIT",