@soulbatical/tetra-dev-toolkit 1.20.0 → 2.0.0

package/bin/tetra-setup.js

@@ -43,7 +43,7 @@ program
     console.log('')
 
     const components = component === 'all' || !component
-      ? ['hooks', 'ci', 'config', 'smoke']
+      ? ['hooks', 'ci', 'config']
       : [component]
 
     for (const comp of components) {
@@ -81,12 +81,9 @@ program
         case 'license-audit':
           await setupLicenseAudit(options)
           break
-        case 'smoke':
-          await setupSmoke(options)
-          break
         default:
           console.log(`Unknown component: ${comp}`)
-          console.log('Available: hooks, ci, config, smoke, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser, knip, license-audit')
+          console.log('Available: hooks, ci, config, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser, knip, license-audit')
       }
     }
 
@@ -870,171 +867,4 @@ async function setupLicenseAudit(options) {
   console.log('   📦 Run: npm install --save-dev license-checker')
 }
 
-// ─── Smoke Tests ─────────────────────────────────────────────
-
-async function setupSmoke(options) {
-  console.log('🔥 Setting up smoke tests...')
-
-  // Step 1: Detect project name from git remote or package.json
-  let projectName = null
-  try {
-    const remoteUrl = execSync('git remote get-url origin 2>/dev/null', { encoding: 'utf8' }).trim()
-    const match = remoteUrl.match(/\/([^/]+?)(?:\.git)?$/)
-    if (match) projectName = match[1]
-  } catch { /* no git remote */ }
-
-  if (!projectName) {
-    try {
-      const pkg = JSON.parse(readFileSync(join(projectRoot, 'package.json'), 'utf-8'))
-      projectName = pkg.name?.replace(/^@[^/]+\//, '') || null
-    } catch { /* no package.json */ }
-  }
-
-  if (!projectName) {
-    const { basename } = await import('path')
-    projectName = basename(projectRoot)
-  }
-
-  console.log(`   Project: ${projectName}`)
-
-  // Step 2: Get deploy config from ralph-manager
-  let backendUrl = null
-  let frontendUrl = null
-
-  const ralphUrl = process.env.RALPH_MANAGER_API || 'http://localhost:3005'
-  try {
-    const resp = await fetch(`${ralphUrl}/api/internal/projects?name=${encodeURIComponent(projectName)}`, {
-      signal: AbortSignal.timeout(5000),
-    })
-    if (resp.ok) {
-      const { data } = await resp.json()
-      if (data?.deploy_config) {
-        const dc = data.deploy_config
-        backendUrl = dc.backend?.url || (dc.domains?.api_domain ? `https://${dc.domains.api_domain}` : null)
-        frontendUrl = dc.frontend?.url || (dc.domains?.frontend_domain ? `https://${dc.domains.frontend_domain}` : null)
-      }
-    }
-  } catch {
-    console.log('   ⚠️  Could not reach ralph-manager — using manual detection')
-  }
-
-  // Fallback: detect from railway.json
-  if (!backendUrl) {
-    const railwayPath = join(projectRoot, 'railway.json')
-    if (existsSync(railwayPath)) {
-      // Railway auto-deploy URL convention: {service-name}-production.up.railway.app
-      backendUrl = `https://${projectName}-production.up.railway.app`
-      console.log(`   ℹ️  Guessed Railway URL: ${backendUrl}`)
-    }
-  }
-
-  if (!backendUrl) {
-    console.log('   ❌ Could not detect production URL.')
-    console.log('   Add deploy_config in ralph-manager or pass --url manually.')
-    console.log('   You can also add "smoke.baseUrl" to .tetra-quality.json manually.')
-    return
-  }
-
-  console.log(`   Backend: ${backendUrl}`)
-  if (frontendUrl) console.log(`   Frontend: ${frontendUrl}`)
-
-  // Step 3: Add smoke config to .tetra-quality.json
-  const configPath = join(projectRoot, '.tetra-quality.json')
-  let config = {}
-
-  if (existsSync(configPath)) {
-    try {
-      config = JSON.parse(readFileSync(configPath, 'utf-8'))
-    } catch { /* invalid JSON, start fresh */ }
-  }
-
-  if (!config.smoke || options.force) {
-    config.smoke = {
-      baseUrl: backendUrl,
-      ...(frontendUrl ? { frontendUrl } : {}),
-      timeout: 10000,
-      checks: {
-        health: true,
-        healthDeep: true,
-        authEndpoints: [
-          { path: '/api/admin/users', expect: { status: 401 }, description: 'Auth wall: admin' },
-        ],
-        ...(frontendUrl ? {
-          frontendPages: [
-            { path: '/', expect: { status: 200 }, description: 'Homepage' },
-          ]
-        } : {}),
-      },
-      notify: {
-        telegram: true,
-        onSuccess: false,
-        onFailure: true,
-      },
-    }
-
-    writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n')
-    console.log('   ✅ Added smoke config to .tetra-quality.json')
-  } else {
-    console.log('   ⏭️  Smoke config already exists (use --force to overwrite)')
-  }
-
-  // Step 4: Create post-deploy GitHub Actions workflow
-  const workflowDir = join(projectRoot, '.github/workflows')
-  if (!existsSync(workflowDir)) {
-    mkdirSync(workflowDir, { recursive: true })
-  }
-
-  const smokeWorkflowPath = join(workflowDir, 'post-deploy-tests.yml')
-  if (!existsSync(smokeWorkflowPath) || options.force) {
-    let workflowContent = `name: Post-Deploy Smoke Tests
-
-on:
-  # Triggered after deploy via webhook
-  repository_dispatch:
-    types: [deploy-completed]
-
-  # Manual trigger
-  workflow_dispatch:
-
-  # Scheduled: every 6 hours
-  schedule:
-    - cron: '0 */6 * * *'
-
-jobs:
-  smoke:
-    uses: mralbertzwolle/tetra/.github/workflows/smoke-tests.yml@main
-    with:
-      backend-url: ${backendUrl}
-`
-    if (frontendUrl) {
-      workflowContent += `      frontend-url: ${frontendUrl}\n`
-    }
-    workflowContent += `      wait-seconds: 30
-      post-deploy: true
-`
-
-    writeFileSync(smokeWorkflowPath, workflowContent)
-    console.log('   ✅ Created .github/workflows/post-deploy-tests.yml')
-  } else {
-    console.log('   ⏭️  Post-deploy workflow already exists (use --force to overwrite)')
-  }
-
-  // Step 5: Verify smoke tests work
-  console.log('')
-  console.log('   🧪 Quick verification...')
-  try {
-    const resp = await fetch(`${backendUrl}/api/health`, { signal: AbortSignal.timeout(10000) })
-    if (resp.ok) {
-      console.log(`   ✅ ${backendUrl}/api/health → ${resp.status} OK`)
-    } else {
-      console.log(`   ⚠️  ${backendUrl}/api/health → ${resp.status}`)
-    }
-  } catch (err) {
-    console.log(`   ❌ ${backendUrl}/api/health → ${err.message}`)
-  }
-
-  console.log('')
-  console.log('   Next: run `tetra-smoke` to test all endpoints')
-}
-
 program.parse()

package/lib/checks/health/index.js

@@ -38,4 +38,3 @@ export { check as checkLicenseAudit } from './license-audit.js'
 export { check as checkSast } from './sast.js'
 export { check as checkBundleSize } from './bundle-size.js'
 export { check as checkSecurityLayers } from './security-layers.js'
-export { check as checkSmokeReadiness } from './smoke-readiness.js'

package/lib/checks/health/scanner.js

@@ -34,7 +34,6 @@ import { check as checkLicenseAudit } from './license-audit.js'
 import { check as checkSast } from './sast.js'
 import { check as checkBundleSize } from './bundle-size.js'
 import { check as checkSecurityLayers } from './security-layers.js'
-import { check as checkSmokeReadiness } from './smoke-readiness.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -77,8 +76,7 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkLicenseAudit(projectPath),
     checkSast(projectPath),
     checkBundleSize(projectPath),
-    checkSecurityLayers(projectPath),
-    checkSmokeReadiness(projectPath)
+    checkSecurityLayers(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)

package/lib/checks/health/types.js

@@ -5,7 +5,7 @@
  */
 
 /**
- * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'|'security-layers'|'smoke-readiness'} HealthCheckType
+ * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'|'security-layers'} HealthCheckType
  *
  * @typedef {'ok'|'warning'|'error'} HealthStatus
  *

package/lib/checks/hygiene/stella-compliance.js

@@ -29,7 +29,7 @@ const DUPLICATE_PATTERNS = [
   {
     pattern: /const QUESTIONS_DIR\s*=\s*join\(tmpdir\(\)/,
     label: 'Local QUESTIONS_DIR (telegram question store)',
-    allowedIn: ['stella/src/telegram.ts', 'backend/src/features/telegram/']
+    allowedIn: ['stella/src/telegram.ts']
   },
   {
     pattern: /function detectWorkspaceRef\(\)/,
@@ -49,7 +49,7 @@ const DUPLICATE_PATTERNS = [
   {
     pattern: /function splitMessage\(text:\s*string/,
     label: 'Local splitMessage helper (for telegram)',
-    allowedIn: ['stella/src/telegram.ts', 'tools/helpers.ts', 'backend/src/features/telegram/']
+    allowedIn: ['stella/src/telegram.ts', 'tools/helpers.ts']
   },
   {
     pattern: /function playMacAlert\(\)/,

package/lib/checks/security/deprecated-supabase-admin.js

@@ -24,23 +24,14 @@ export async function run(config, projectRoot) {
     summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
   }
 
-  // Check if project uses the systemDB/userDB pattern (local file OR tetra-core package)
-  const hasLocalSystemDb = existsSync(`${projectRoot}/backend/src/core/systemDb.ts`) ||
-                           existsSync(`${projectRoot}/src/core/systemDb.ts`)
+  // Check if project uses the systemDB/userDB pattern
+  const hasSystemDb = existsSync(`${projectRoot}/backend/src/core/systemDb.ts`) ||
+                      existsSync(`${projectRoot}/src/core/systemDb.ts`)
 
-  let hasTetraCore = false
-  for (const pkgPath of [`${projectRoot}/package.json`, `${projectRoot}/backend/package.json`]) {
-    if (!existsSync(pkgPath)) continue
-    try {
-      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
-      const deps = { ...pkg.dependencies, ...pkg.devDependencies }
-      if (deps['@soulbatical/tetra-core']) { hasTetraCore = true; break }
-    } catch { /* skip */ }
-  }
-
-  if (!hasLocalSystemDb && !hasTetraCore) {
+  if (!hasSystemDb) {
+    // Project doesn't use this pattern, skip check
     results.skipped = true
-    results.skipReason = 'Project does not use systemDB/userDB pattern (no local systemDb.ts and no @soulbatical/tetra-core)'
+    results.skipReason = 'Project does not use systemDB/userDB pattern'
     return results
   }
 

package/lib/checks/security/direct-supabase-client.js

@@ -63,15 +63,6 @@ const ALLOWED_FILES = [
   // Domain middleware (sets RLS session vars — needs direct client)
   /middleware\/domainOrganizationMiddleware\.ts$/,
 
-  // Auth routes that only use Supabase Auth API (not DB queries)
-  /routes\/auth\.ts$/,
-
-  // WebSocket auth verification (only uses auth.getUser for token validation)
-  /services\/terminalWebSocket\.ts$/,
-
-  // Frontend Supabase client (Vite apps — client-side auth only, no Tetra backend)
-  /frontend\/src\/lib\/supabase\.ts$/,
-
   // Scripts (not production code)
   /scripts\//,
 ]
@@ -83,19 +74,10 @@ export async function run(config, projectRoot) {
     summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
   }
 
-  // Build whitelist from hardcoded + config (canonical: security.directSupabaseClientWhitelist)
-  const configWhitelist = config?.security?.directSupabaseClientWhitelist || config?.directSupabaseClientWhitelist || []
-  const extraPatterns = configWhitelist.map(p => new RegExp(p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
-  const allAllowed = [...ALLOWED_FILES, ...extraPatterns]
-
   // Get all TypeScript files
   const files = await glob('**/*.ts', {
     cwd: projectRoot,
     ignore: [
-      '**/node_modules/**',
-      '**/.next/**',
-      '**/dist/**',
-      '**/build/**',
       ...config.ignore,
       '**/*.test.ts',
       '**/*.spec.ts',
@@ -121,8 +103,8 @@ export async function run(config, projectRoot) {
 
         // Check for createClient import from supabase
         if (/import\s*\{[^}]*createClient[^}]*\}\s*from\s*['"]@supabase\/supabase-js['"]/.test(line)) {
-          // Check if this file is in the allowed list (hardcoded + config whitelist)
-          const isAllowed = allAllowed.some(pattern => pattern.test(file))
+          // Check if this file is in the allowed list
+          const isAllowed = ALLOWED_FILES.some(pattern => pattern.test(file))
 
           if (!isAllowed) {
             results.passed = false
@@ -143,7 +125,7 @@ export async function run(config, projectRoot) {
         // Also catch: const supabase = createClient(url, key) without the import
         // (in case someone imports it via re-export or variable)
         if (/createClient\s*\(\s*(?:process\.env|supabase|SUPABASE)/.test(line)) {
-          const isAllowed = allAllowed.some(pattern => pattern.test(file))
+          const isAllowed = ALLOWED_FILES.some(pattern => pattern.test(file))
           const isImportLine = /import/.test(line)
 
           if (!isAllowed && !isImportLine) {
@@ -189,5 +171,5 @@ function getFixSuggestion(file, content) {
   if (content.includes('AuthenticatedRequest') || content.includes('req.userToken')) {
     return `User context available — use adminDB(req) or userDB(req) instead of createClient()`
   }
-  return `Use one of: adminDB(req), userDB(req), publicDB(), superadminDB(req), or systemDB(context). See: stella_howto_get slug="tetra-architecture-guide"`
+  return `Use one of: adminDB(req), userDB(req), publicDB(), superadminDB(req), or systemDB(context)`
 }

package/lib/checks/security/frontend-supabase-queries.js

@@ -154,7 +154,7 @@ export async function run(config, projectRoot) {
                 severity: 'critical',
                 message: `BLOCKED: Frontend code has direct Supabase ${pattern.desc}. Move to backend API endpoint.`,
                 snippet: line.trim().substring(0, 120),
-                fix: `Create a backend route+controller+service, use adminDB(req), and call via apiClient.get() from frontend. See: stella_howto_get slug="tetra-architecture-guide" for the complete migration pattern.`
+                fix: `Create a backend API endpoint and call it via fetch() or your API client instead.`
               })
               results.summary.critical++
               results.summary.total++

package/lib/checks/security/hardcoded-secrets.js

@@ -34,13 +34,10 @@ export async function run(config, projectRoot) {
     summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
   }
 
-  // Get all source files (always exclude node_modules, even nested ones)
+  // Get all source files
   const files = await glob('**/*.{ts,tsx,js,jsx,json}', {
     cwd: projectRoot,
-    ignore: [
-      '**/node_modules/**',
-      ...config.ignore
-    ]
+    ignore: config.ignore
   })
 
   for (const file of files) {

package/lib/checks/security/systemdb-whitelist.js

@@ -63,9 +63,6 @@ const ALLOWED_FILE_PATTERNS = [
   /BaseCronService/,
   // Internal service-to-service routes (API key auth, no user JWT)
   /internalRoutes/,
-  // Billing routers — hybrid files with both authenticated admin routes and unauthenticated webhook handlers
-  // systemDB is needed for Tetra BillingService config callbacks (getSystemDB, getWebhookDB)
-  /billingRouter/,
 ]
 
 /**
@@ -83,14 +80,11 @@ const FORBIDDEN_FILE_PATTERNS = [
 ]
 
 /**
- * Default maximum allowed whitelist size — override via .tetra-quality.json:
- * { "supabase": { "maxWhitelistEntries": 50 } }
+ * Maximum allowed whitelist size — anything above indicates architectural problems
  */
-const DEFAULT_MAX_WHITELIST_SIZE = 35
+const MAX_WHITELIST_SIZE = 35
 
 export async function run(config, projectRoot) {
-  // Canonical: security.systemDbMaxEntries
-  const MAX_WHITELIST_SIZE = config?.security?.systemDbMaxEntries || config?.systemDB?.maxWhitelistEntries || DEFAULT_MAX_WHITELIST_SIZE
   const results = {
     passed: true,
     findings: [],
@@ -112,118 +106,39 @@ export async function run(config, projectRoot) {
     }
   }
 
-  // Also check if project has tetra-core as npm package (no local systemDb.ts)
-  let hasTetraCore = false
-  for (const pkgPath of [`${projectRoot}/package.json`, `${projectRoot}/backend/package.json`]) {
-    if (existsSync(pkgPath)) {
-      try {
-        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
-        const deps = { ...pkg.dependencies, ...pkg.devDependencies }
-        if (deps['@soulbatical/tetra-core']) { hasTetraCore = true; break }
-      } catch { /* skip */ }
-    }
-  }
-
-  if (!systemDbPath && !hasTetraCore) {
+  if (!systemDbPath) {
     results.skipped = true
-    results.skipReason = 'No systemDb.ts found and no @soulbatical/tetra-core dependency'
+    results.skipReason = 'No systemDb.ts found'
     return results
   }
 
-  let whitelist = new Set()
-
-  // Only check whitelist size if there's a local systemDb.ts
-  if (systemDbPath) {
-    const systemDbContent = readFileSync(systemDbPath, 'utf-8')
-    const whitelistMatch = systemDbContent.match(/new Set\s*(?:<[^>]+>)?\s*\(\s*\[([\s\S]*?)\]\s*\)/m)
-
-    if (whitelistMatch) {
-      const rawLines = whitelistMatch[1].split('\n')
-      let groupComment = null
-
-      for (let i = 0; i < rawLines.length; i++) {
-        const line = rawLines[i].trim()
-
-        // Track group comments — a comment line that is NOT inline with an entry
-        // Group comments apply to ALL entries below them until the next group comment
-        if (/^\s*\/\//.test(line) && !line.match(/['"][^'"]+['"]/)) {
-          const commentText = line.replace(/^\s*\/\/\s*/, '').trim()
-          if (commentText.length > 0) {
-            groupComment = commentText
-          }
-          continue
-        }
-
-        // Skip empty lines (don't reset group comment)
-        if (!line || line === ',') continue
-
-        const entryMatch = line.match(/['"]([^'"]+)['"]/)
-        if (!entryMatch) continue
-
-        const entry = entryMatch[1]
-        whitelist.add(entry)
-
-        // Check for inline comment: 'entry', // reason
-        const inlineCommentMatch = line.match(/['"][^'"]+['"]\s*,?\s*\/\/\s*(.+)/)
-        const inlineReason = inlineCommentMatch ? inlineCommentMatch[1].trim() : null
-
-        // Entry is justified if it has an inline comment OR falls under a group comment
-        const hasJustification = inlineReason || groupComment
+  const systemDbContent = readFileSync(systemDbPath, 'utf-8')
+  const whitelistMatch = systemDbContent.match(/new Set\s*(?:<[^>]+>)?\s*\(\s*\[([\s\S]*?)\]\s*\)/m)
 
-        if (!hasJustification) {
-          // Find line number in original file
-          const entryLineInFile = systemDbContent.substring(0, systemDbContent.indexOf(entry)).split('\n').length
-
-          results.findings.push({
-            file: systemDbPath.replace(projectRoot + '/', ''),
-            line: entryLineInFile,
-            type: 'whitelist-no-justification',
-            severity: 'high',
-            message: `systemDB whitelist entry '${entry}' has NO comment explaining WHY it needs service role key access. Add a group comment above or an inline comment.`,
-            fix: `Add a comment explaining why '${entry}' cannot use adminDB/userDB. Example:\n  // OAuth callback — browser redirect, no JWT in header\n  '${entry}',`
-          })
-          results.summary.high++
-          results.summary.total++
-          results.passed = false
-        }
-      }
-    }
-
-    if (whitelist.size > MAX_WHITELIST_SIZE) {
-      results.passed = false
-      results.findings.push({
-        file: systemDbPath.replace(projectRoot + '/', ''),
-        line: 1,
-        type: 'whitelist-too-large',
-        severity: 'critical',
-        message: `systemDB whitelist has ${whitelist.size} entries (max: ${MAX_WHITELIST_SIZE}). This indicates systemDB is being used where adminDB/userDB should be used instead.`,
-        fix: `Refactor: services should receive a supabase client via dependency injection, not create their own via systemDB(). Only cron jobs, webhooks, and OAuth callbacks should use systemDB.`
+  let whitelist = new Set()
+  if (whitelistMatch) {
+    const entries = whitelistMatch[1]
+      .split('\n')
+      .map(line => {
+        const m = line.match(/['"]([^'"]+)['"]/)
+        return m ? m[1] : null
       })
-      results.summary.critical++
-      results.summary.total++
-    }
+      .filter(Boolean)
+    whitelist = new Set(entries)
   }
 
-  // Also check .tetra-quality.json for documented whitelist with justifications
-  const configWhitelist = config?.supabase?.systemDbWhitelist || {}
-  if (typeof configWhitelist === 'object' && !Array.isArray(configWhitelist)) {
-    // Format: { "context-name": "reason why systemDB is needed" }
-    for (const [context, reason] of Object.entries(configWhitelist)) {
-      whitelist.add(context)
-      if (!reason || typeof reason !== 'string' || reason.trim().length < 5) {
-        results.findings.push({
-          file: '.tetra-quality.json',
-          line: 1,
-          type: 'config-whitelist-no-justification',
-          severity: 'high',
-          message: `systemDbWhitelist entry '${context}' has empty or insufficient justification: "${reason || ''}". Explain WHY this context cannot use adminDB/userDB.`,
-          fix: `In .tetra-quality.json, set: "systemDbWhitelist": { "${context}": "Reason: e.g. OAuth callback — no JWT available, browser redirect flow" }`
-        })
-        results.summary.high++
-        results.summary.total++
-        results.passed = false
-      }
-    }
+  if (whitelist.size > MAX_WHITELIST_SIZE) {
+    results.passed = false
+    results.findings.push({
+      file: systemDbPath.replace(projectRoot + '/', ''),
+      line: 1,
+      type: 'whitelist-too-large',
+      severity: 'critical',
+      message: `systemDB whitelist has ${whitelist.size} entries (max: ${MAX_WHITELIST_SIZE}). This indicates systemDB is being used where SupabaseUserClient should be used instead. Refactor services to accept a supabase client parameter instead of calling systemDB() directly.`,
+      fix: `Refactor: services should receive a supabase client via dependency injection, not create their own via systemDB(). Only cron jobs, webhooks, and OAuth callbacks should use systemDB.`
+    })
+    results.summary.critical++
+    results.summary.total++
   }
 
   // ─── Check 2: systemDB in forbidden locations ───────────────
@@ -231,10 +146,6 @@ export async function run(config, projectRoot) {
   const files = await glob('**/*.ts', {
     cwd: projectRoot,
     ignore: [
-      '**/node_modules/**',
-      '**/.next/**',
-      '**/dist/**',
-      '**/build/**',
       ...config.ignore,
       '**/systemDb.ts',
       '**/superadminDb.ts',

package/lib/config.js

@@ -42,13 +42,7 @@ export const DEFAULT_CONFIG = {
     // Code patterns
     checkSqlInjection: true,
     checkEvalUsage: true,
-    checkCommandInjection: true,
-
-    // Whitelists — project-specific overrides in .tetra-quality.json
-    directSupabaseClientWhitelist: [],  // Files allowed to import createClient directly
-    mixedDbWhitelist: [],               // Controllers allowed to mix DB helper types
-    routeConfigIgnore: [],              // Tables to skip in route↔config alignment check
-    systemDbMaxEntries: 35              // Max systemDB whitelist entries before warning
+    checkCommandInjection: true
   },
 
   // Stability checks