@soulbatical/tetra-dev-toolkit 1.4.0 → 1.5.0

package/bin/tetra-setup.js

@@ -19,6 +19,8 @@
  *   tetra-setup lighthouse   # Setup Lighthouse CI budgets
  *   tetra-setup commitlint   # Setup commitlint + commit-msg hook
  *   tetra-setup depcruiser   # Setup dependency-cruiser
+ *   tetra-setup knip         # Setup Knip (dead code detection)
+ *   tetra-setup license-audit # Setup license compliance checking
  */
 
 import { program } from 'commander'
@@ -32,7 +34,7 @@ program
   .name('tetra-setup')
   .description('Setup Tetra Dev Toolkit in your project')
   .version('1.2.0')
-  .argument('[component]', 'Component to setup: hooks, ci, config, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser, or all')
+  .argument('[component]', 'Component to setup: hooks, ci, config, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser, knip, license-audit, or all')
   .option('-f, --force', 'Overwrite existing files')
   .action(async (component, options) => {
     console.log('')
@@ -73,9 +75,15 @@ program
         case 'depcruiser':
           await setupDepCruiser(options)
           break
+        case 'knip':
+          await setupKnip(options)
+          break
+        case 'license-audit':
+          await setupLicenseAudit(options)
+          break
         default:
           console.log(`Unknown component: ${comp}`)
-          console.log('Available: hooks, ci, config, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser')
+          console.log('Available: hooks, ci, config, prettier, eslint-security, coverage, lighthouse, commitlint, depcruiser, knip, license-audit')
       }
     }
 
@@ -719,4 +727,88 @@ module.exports = {
   console.log('   📦 Run: npm install --save-dev dependency-cruiser')
 }
 
+// ─── Knip (Dead Code Detection) ─────────────────────────────
+
+async function setupKnip(options) {
+  console.log('🔍 Setting up Knip (dead code detection)...')
+
+  const knipPath = join(projectRoot, 'knip.config.ts')
+  if (!existsSync(knipPath) || options.force) {
+    const content = `import type { KnipConfig } from 'knip'
+
+const config: KnipConfig = {
+  entry: ['src/index.{ts,js}', 'src/main.{ts,tsx}'],
+  project: ['src/**/*.{ts,tsx,js,jsx}'],
+  ignore: [
+    '**/*.test.{ts,tsx}',
+    '**/*.spec.{ts,tsx}',
+    '**/test/**',
+    '**/tests/**'
+  ],
+  ignoreDependencies: [
+    // Add dependencies that are used but not detected by Knip
+  ]
+}
+
+export default config
+`
+    writeFileSync(knipPath, content)
+    console.log('   ✅ Created knip.config.ts')
+  } else {
+    console.log('   ⏭️  knip.config.ts already exists')
+  }
+
+  // Add scripts
+  const packagePath = join(projectRoot, 'package.json')
+  if (existsSync(packagePath)) {
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'))
+    pkg.scripts = pkg.scripts || {}
+    let changed = false
+
+    if (!pkg.scripts.knip && !pkg.scripts['check:unused']) {
+      pkg.scripts.knip = 'knip'
+      pkg.scripts['knip:fix'] = 'knip --fix'
+      changed = true
+    }
+
+    if (changed) {
+      writeFileSync(packagePath, JSON.stringify(pkg, null, 2) + '\n')
+      console.log('   ✅ Added knip scripts to package.json')
+    }
+  }
+
+  console.log('   📦 Run: npm install --save-dev knip')
+}
+
+// ─── License Audit ──────────────────────────────────────────
+
+async function setupLicenseAudit(options) {
+  console.log('📜 Setting up license compliance checking...')
+
+  // Add license check script
+  const packagePath = join(projectRoot, 'package.json')
+  if (existsSync(packagePath)) {
+    const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'))
+    pkg.scripts = pkg.scripts || {}
+    let changed = false
+
+    if (!pkg.scripts['check:licenses']) {
+      pkg.scripts['check:licenses'] = 'license-checker --production --failOn "GPL-2.0;GPL-3.0;AGPL-1.0;AGPL-3.0" --excludePrivatePackages'
+      changed = true
+    }
+    if (!pkg.scripts['licenses:summary']) {
+      pkg.scripts['licenses:summary'] = 'license-checker --production --summary'
+      changed = true
+    }
+
+    if (changed) {
+      writeFileSync(packagePath, JSON.stringify(pkg, null, 2) + '\n')
+      console.log('   ✅ Added license check scripts to package.json')
+      console.log('   ℹ️  Blocked licenses: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0')
+    }
+  }
+
+  console.log('   📦 Run: npm install --save-dev license-checker')
+}
+
 program.parse()

package/lib/checks/health/bundle-size.js

@@ -0,0 +1,156 @@
+/**
+ * Health Check: Bundle Size Tracking
+ *
+ * Checks for bundle size monitoring and regression prevention.
+ * Score: up to 2 points:
+ *   +1 for bundle analysis tool (bundlewatch, size-limit, @next/bundle-analyzer, webpack-bundle-analyzer)
+ *   +1 for budget config or CI integration (lighthouse budget counts)
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('bundle-size', 2, {
+    tool: null,
+    toolInstalled: false,
+    hasConfig: false,
+    configPath: null,
+    hasBudget: false,
+    hasCiIntegration: false,
+    message: ''
+  })
+
+  // Bundle analysis tools
+  const bundleTools = {
+    'bundlewatch': 'bundlewatch',
+    'size-limit': 'size-limit',
+    '@size-limit/preset-small-lib': 'size-limit',
+    '@size-limit/preset-app': 'size-limit',
+    '@next/bundle-analyzer': 'next-bundle-analyzer',
+    'webpack-bundle-analyzer': 'webpack-bundle-analyzer',
+    'rollup-plugin-visualizer': 'rollup-visualizer',
+    'source-map-explorer': 'source-map-explorer',
+    'vite-bundle-visualizer': 'vite-bundle-visualizer'
+  }
+
+  // Check package.json files
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json',
+    'frontend-user/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      // Check for bundle tools
+      for (const [dep, tool] of Object.entries(bundleTools)) {
+        if (allDeps[dep]) {
+          result.details.toolInstalled = true
+          result.details.tool = tool
+          result.score += 1
+          break
+        }
+      }
+
+      // Check for size-limit config in package.json
+      if (pkg['size-limit']) {
+        result.details.hasConfig = true
+        result.details.hasBudget = true
+        result.details.configPath = `${loc} (size-limit key)`
+      }
+
+      // Check for bundle analysis scripts
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name.includes('analyze') || name.includes('bundle') ||
+            cmd.includes('ANALYZE=true') || cmd.includes('bundle-analyzer') ||
+            cmd.includes('size-limit') || cmd.includes('bundlewatch')) {
+          result.details.hasConfig = true
+          result.details.configPath = result.details.configPath || `${loc} → ${name}`
+          break
+        }
+      }
+    } catch { /* ignore */ }
+
+    if (result.details.toolInstalled) break
+  }
+
+  // Check for bundlewatch config
+  const bundlewatchConfigs = [
+    '.bundlewatch.config.json',
+    'bundlewatch.config.js'
+  ]
+  for (const config of bundlewatchConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.hasConfig = true
+      result.details.hasBudget = true
+      result.details.configPath = config
+      if (!result.details.tool) result.details.tool = 'bundlewatch'
+      break
+    }
+  }
+
+  // Check for size-limit config
+  if (existsSync(join(projectPath, '.size-limit.json')) ||
+      existsSync(join(projectPath, '.size-limit.js'))) {
+    result.details.hasConfig = true
+    result.details.hasBudget = true
+    if (!result.details.tool) result.details.tool = 'size-limit'
+  }
+
+  // Check for Lighthouse budget (counts as budget)
+  if (existsSync(join(projectPath, 'lighthouse-budget.json')) ||
+      existsSync(join(projectPath, 'frontend-user/lighthouse-budget.json'))) {
+    result.details.hasBudget = true
+  }
+
+  // Check CI for bundle size checks
+  const workflowDir = join(projectPath, '.github/workflows')
+  if (existsSync(workflowDir)) {
+    try {
+      const files = readdirSync(workflowDir).filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+      for (const file of files) {
+        try {
+          const content = readFileSync(join(workflowDir, file), 'utf-8')
+          if (content.includes('bundlewatch') || content.includes('size-limit') ||
+              content.includes('bundle-analyzer') || content.includes('lighthouse')) {
+            result.details.hasCiIntegration = true
+            break
+          }
+        } catch { /* ignore */ }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Budget or CI integration counts toward second point
+  if (result.details.hasBudget || result.details.hasCiIntegration) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No bundle size tracking — regressions go undetected'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.toolInstalled
+      ? `${result.details.tool} installed but no budget or CI enforcement`
+      : 'Budget defined but no analysis tool installed'
+  } else {
+    result.details.message = `Bundle size tracked via ${result.details.tool || 'lighthouse budgets'}`
+  }
+
+  return result
+}

package/lib/checks/health/dependency-automation.js

@@ -0,0 +1,116 @@
+/**
+ * Health Check: Dependency Update Automation
+ *
+ * Checks for automated dependency updates via Renovate or Dependabot.
+ * Score: up to 2 points:
+ *   +1 for Renovate or Dependabot config exists
+ *   +1 for automerge or schedule configured (indicates active maintenance)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('dependency-automation', 2, {
+    tool: null,
+    configFound: false,
+    configPath: null,
+    hasSchedule: false,
+    hasAutomerge: false,
+    message: ''
+  })
+
+  // Check for Renovate config
+  const renovateConfigs = [
+    'renovate.json',
+    'renovate.json5',
+    '.renovaterc',
+    '.renovaterc.json',
+    '.renovaterc.json5',
+    '.github/renovate.json',
+    '.github/renovate.json5'
+  ]
+
+  for (const config of renovateConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.tool = 'renovate'
+    result.details.configFound = true
+    result.details.configPath = config
+    result.score += 1
+
+    try {
+      const content = readFileSync(configPath, 'utf-8')
+      if (content.includes('schedule')) result.details.hasSchedule = true
+      if (content.includes('automerge')) result.details.hasAutomerge = true
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Also check package.json for renovate key
+  if (!result.details.configFound) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        if (pkg.renovate) {
+          result.details.tool = 'renovate'
+          result.details.configFound = true
+          result.details.configPath = 'package.json (renovate key)'
+          result.score += 1
+
+          const content = JSON.stringify(pkg.renovate)
+          if (content.includes('schedule')) result.details.hasSchedule = true
+          if (content.includes('automerge')) result.details.hasAutomerge = true
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Check for Dependabot config
+  if (!result.details.configFound) {
+    const dependabotPath = join(projectPath, '.github/dependabot.yml')
+    const dependabotAlt = join(projectPath, '.github/dependabot.yaml')
+
+    const depPath = existsSync(dependabotPath) ? dependabotPath :
+                    existsSync(dependabotAlt) ? dependabotAlt : null
+
+    if (depPath) {
+      result.details.tool = 'dependabot'
+      result.details.configFound = true
+      result.details.configPath = depPath.replace(projectPath + '/', '')
+      result.score += 1
+
+      try {
+        const content = readFileSync(depPath, 'utf-8')
+        if (content.includes('schedule')) result.details.hasSchedule = true
+        // Dependabot doesn't have automerge natively, but check for it
+        if (content.includes('auto-merge') || content.includes('automerge')) {
+          result.details.hasAutomerge = true
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  // Bonus point for active config
+  if (result.details.hasSchedule || result.details.hasAutomerge) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No dependency update automation — outdated deps accumulate silently'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = `${result.details.tool} configured but no schedule or automerge`
+  } else {
+    result.details.message = `Dependencies auto-updated via ${result.details.tool}`
+  }
+
+  return result
+}

package/lib/checks/health/index.js

@@ -1,5 +1,5 @@
 /**
- * Health Checks — All 23 project health checks
+ * Health Checks — All 28 project health checks
  *
  * Main entry: scanProjectHealth(projectPath, projectName, options?)
  * Individual checks available via named imports.
@@ -32,3 +32,8 @@ export { check as checkCoverageThresholds } from './coverage-thresholds.js'
 export { check as checkEslintSecurity } from './eslint-security.js'
 export { check as checkDependencyCruiser } from './dependency-cruiser.js'
 export { check as checkConventionalCommits } from './conventional-commits.js'
+export { check as checkKnip } from './knip.js'
+export { check as checkDependencyAutomation } from './dependency-automation.js'
+export { check as checkLicenseAudit } from './license-audit.js'
+export { check as checkSast } from './sast.js'
+export { check as checkBundleSize } from './bundle-size.js'

package/lib/checks/health/knip.js

@@ -0,0 +1,135 @@
+/**
+ * Health Check: Knip (Dead Code Detection)
+ *
+ * Checks for unused files, exports, and dependencies via Knip.
+ * Score: up to 3 points:
+ *   +1 for knip installed (in dependencies)
+ *   +1 for knip config file exists (knip.json, knip.config.ts, etc.)
+ *   +1 for knip script in package.json (e.g. check:unused, knip)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('knip', 3, {
+    installed: false,
+    configFound: false,
+    configPath: null,
+    hasScript: false,
+    scriptName: null,
+    hasAlternative: false,
+    alternativeTool: null,
+    message: ''
+  })
+
+  // Check for knip config files
+  const knipConfigs = [
+    'knip.json',
+    'knip.jsonc',
+    'knip.config.ts',
+    'knip.config.js',
+    'knip.config.mjs',
+    'knip.config.cjs',
+    '.knip.json',
+    '.knip.jsonc',
+    // Sub-packages
+    'backend/knip.json',
+    'backend/knip.config.ts',
+    'frontend/knip.json',
+    'frontend/knip.config.ts'
+  ]
+
+  for (const config of knipConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Check package.json for knip in dependencies and scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      if (allDeps.knip) {
+        result.details.installed = true
+        result.score += 1
+      }
+
+      // Also check for knip key in package.json (inline config)
+      if (pkg.knip && !result.details.configFound) {
+        result.details.configFound = true
+        result.details.configPath = `${loc} (knip key)`
+        result.score += 1
+      }
+
+      // Check for knip script
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('knip') || name === 'knip') {
+          result.details.hasScript = true
+          result.details.scriptName = `${loc} → ${name}`
+          result.score += 1
+          break
+        }
+      }
+
+      // Check for alternative dead code tools
+      if (allDeps['ts-prune'] || allDeps['unimported']) {
+        result.details.hasAlternative = true
+        result.details.alternativeTool = allDeps['ts-prune'] ? 'ts-prune' : 'unimported'
+      }
+
+      // Check for custom unused code scripts (partial credit)
+      if (!result.details.hasScript) {
+        for (const [name, cmd] of Object.entries(scripts)) {
+          if (typeof cmd !== 'string') continue
+          if (name.includes('unused') || name.includes('dead-code') ||
+              cmd.includes('unused') || cmd.includes('check-unused')) {
+            result.details.hasScript = true
+            result.details.scriptName = `${loc} → ${name} (custom)`
+            result.score += 1
+            break
+          }
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    if (result.details.hasAlternative) {
+      result.status = 'warning'
+      result.details.message = `Using ${result.details.alternativeTool} — consider migrating to Knip (more comprehensive)`
+    } else {
+      result.status = 'error'
+      result.details.message = 'No dead code detection configured — unused files and exports go undetected'
+    }
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.installed
+      ? 'Knip installed but no config or script'
+      : 'Dead code script exists but Knip not installed'
+  } else {
+    result.details.message = 'Dead code detection well-configured'
+  }
+
+  return result
+}

package/lib/checks/health/license-audit.js

@@ -0,0 +1,133 @@
+/**
+ * Health Check: License Audit
+ *
+ * Checks for dependency license compliance tooling.
+ * Score: up to 2 points:
+ *   +1 for license-checker or license-report tool configured
+ *   +1 for forbidden license list or license check script
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('license-audit', 2, {
+    toolInstalled: false,
+    toolName: null,
+    hasConfig: false,
+    configPath: null,
+    hasScript: false,
+    scriptName: null,
+    hasForbiddenList: false,
+    message: ''
+  })
+
+  // License tools to check for
+  const licenseTools = [
+    'license-checker',
+    'license-checker-rspack',
+    'license-report',
+    'license-webpack-plugin',
+    'license-compliance',
+    'legally',
+    'nlf'
+  ]
+
+  // Check package.json files for license tools and scripts
+  const packageLocations = [
+    'package.json',
+    'backend/package.json',
+    'frontend/package.json'
+  ]
+
+  for (const loc of packageLocations) {
+    const pkgPath = join(projectPath, loc)
+    if (!existsSync(pkgPath)) continue
+
+    try {
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+
+      // Check for license tools
+      for (const tool of licenseTools) {
+        if (allDeps[tool]) {
+          result.details.toolInstalled = true
+          result.details.toolName = tool
+          result.score += 1
+          break
+        }
+      }
+
+      // Check for license scripts
+      const scripts = pkg.scripts || {}
+      for (const [name, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (name.includes('license') || cmd.includes('license-checker') ||
+            cmd.includes('license-report') || cmd.includes('license-compliance')) {
+          result.details.hasScript = true
+          result.details.scriptName = `${loc} → ${name}`
+          break
+        }
+      }
+
+      // Check for forbidden license patterns in scripts
+      for (const [, cmd] of Object.entries(scripts)) {
+        if (typeof cmd !== 'string') continue
+        if (cmd.includes('--failOn') || cmd.includes('--excludeLicenses') ||
+            cmd.includes('--production') || cmd.includes('forbidden')) {
+          result.details.hasForbiddenList = true
+          break
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check for license config files
+  const licenseConfigs = [
+    '.licensechecker.json',
+    '.license-checker.json',
+    'license-checker-config.json',
+    '.license-report-config.json'
+  ]
+
+  for (const config of licenseConfigs) {
+    const configPath = join(projectPath, config)
+    if (!existsSync(configPath)) continue
+
+    result.details.hasConfig = true
+    result.details.configPath = config
+    result.score += 1
+
+    try {
+      const content = readFileSync(configPath, 'utf-8')
+      if (content.includes('GPL') || content.includes('forbidden') ||
+          content.includes('excludeLicenses') || content.includes('failOn')) {
+        result.details.hasForbiddenList = true
+      }
+    } catch { /* ignore */ }
+    break
+  }
+
+  // Script or forbidden list counts toward second point
+  if (!result.details.hasConfig && (result.details.hasScript || result.details.hasForbiddenList)) {
+    result.score += 1
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No license compliance tooling — GPL dependencies could go unnoticed'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = result.details.toolInstalled
+      ? `${result.details.toolName} installed but no forbidden license enforcement`
+      : 'License check script exists but no dedicated tool'
+  } else {
+    result.details.message = `License compliance enforced via ${result.details.toolName || 'config'}`
+  }
+
+  return result
+}

package/lib/checks/health/sast.js

@@ -0,0 +1,166 @@
+/**
+ * Health Check: SAST (Static Application Security Testing)
+ *
+ * Checks for SAST tooling like Semgrep, CodeQL, Snyk Code, or SonarQube.
+ * Enterprise security requirement — catches OWASP patterns statically.
+ * Score: up to 2 points:
+ *   +1 for SAST tool configured (config file or CI workflow)
+ *   +1 for SAST running in CI (GitHub Actions workflow)
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('sast', 2, {
+    tool: null,
+    configFound: false,
+    configPath: null,
+    ciIntegration: false,
+    ciWorkflow: null,
+    message: ''
+  })
+
+  // Check for Semgrep config
+  const semgrepConfigs = [
+    '.semgrep.yml',
+    '.semgrep.yaml',
+    '.semgrep/',
+    'semgrep.yml',
+    'semgrep.yaml'
+  ]
+
+  for (const config of semgrepConfigs) {
+    if (existsSync(join(projectPath, config))) {
+      result.details.tool = 'semgrep'
+      result.details.configFound = true
+      result.details.configPath = config
+      result.score += 1
+      break
+    }
+  }
+
+  // Check for CodeQL config
+  if (!result.details.configFound) {
+    const codeqlConfigs = [
+      '.github/codeql/codeql-config.yml',
+      '.github/codeql-config.yml',
+      'codeql-config.yml'
+    ]
+    for (const config of codeqlConfigs) {
+      if (existsSync(join(projectPath, config))) {
+        result.details.tool = 'codeql'
+        result.details.configFound = true
+        result.details.configPath = config
+        result.score += 1
+        break
+      }
+    }
+  }
+
+  // Check for SonarQube/SonarCloud config
+  if (!result.details.configFound) {
+    const sonarConfigs = [
+      'sonar-project.properties',
+      '.sonarcloud.properties'
+    ]
+    for (const config of sonarConfigs) {
+      if (existsSync(join(projectPath, config))) {
+        result.details.tool = 'sonarqube'
+        result.details.configFound = true
+        result.details.configPath = config
+        result.score += 1
+        break
+      }
+    }
+  }
+
+  // Check for Snyk config
+  if (!result.details.configFound) {
+    if (existsSync(join(projectPath, '.snyk'))) {
+      result.details.tool = 'snyk'
+      result.details.configFound = true
+      result.details.configPath = '.snyk'
+      result.score += 1
+    }
+  }
+
+  // Check CI workflows for SAST integration
+  const workflowDir = join(projectPath, '.github/workflows')
+  if (existsSync(workflowDir)) {
+    try {
+      const files = readdirSync(workflowDir).filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+      for (const file of files) {
+        try {
+          const content = readFileSync(join(workflowDir, file), 'utf-8')
+          const lower = content.toLowerCase()
+
+          if (lower.includes('semgrep') || lower.includes('codeql') ||
+              lower.includes('sonarcloud') || lower.includes('sonarqube') ||
+              lower.includes('snyk') || lower.includes('returntocorp/semgrep') ||
+              lower.includes('github/codeql-action') || lower.includes('sonarsource')) {
+            result.details.ciIntegration = true
+            result.details.ciWorkflow = file
+            result.score += 1
+
+            // Detect tool from CI if not already found
+            if (!result.details.tool) {
+              if (lower.includes('semgrep')) result.details.tool = 'semgrep'
+              else if (lower.includes('codeql')) result.details.tool = 'codeql'
+              else if (lower.includes('sonar')) result.details.tool = 'sonarqube'
+              else if (lower.includes('snyk')) result.details.tool = 'snyk'
+              result.details.configFound = true
+            }
+            break
+          }
+        } catch { /* ignore individual file errors */ }
+      }
+    } catch { /* ignore */ }
+  }
+
+  // Check package.json for SAST-related dependencies or scripts
+  if (!result.details.configFound) {
+    const pkgPath = join(projectPath, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+        const scripts = pkg.scripts || {}
+
+        if (allDeps['snyk']) {
+          result.details.tool = 'snyk'
+          result.details.configFound = true
+          result.score += 1
+        }
+
+        for (const [name, cmd] of Object.entries(scripts)) {
+          if (typeof cmd !== 'string') continue
+          if (cmd.includes('semgrep') || cmd.includes('snyk code') ||
+              name.includes('sast') || name.includes('security:scan')) {
+            result.details.configFound = true
+            result.details.configPath = `package.json → ${name}`
+            if (!result.details.tool) result.details.tool = 'custom'
+            result.score += 1
+            break
+          }
+        }
+      } catch { /* ignore */ }
+    }
+  }
+
+  result.score = Math.min(result.score, result.maxScore)
+
+  // Determine status
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No SAST tooling — OWASP patterns not detected statically'
+  } else if (result.score < 2) {
+    result.status = 'warning'
+    result.details.message = `${result.details.tool} configured but not integrated in CI`
+  } else {
+    result.details.message = `SAST enabled via ${result.details.tool} (CI integrated)`
+  }
+
+  return result
+}

package/lib/checks/health/scanner.js

@@ -1,7 +1,7 @@
 /**
  * Project Health Scanner
  *
- * Orchestrates all 23 health checks and produces a HealthReport.
+ * Orchestrates all 28 health checks and produces a HealthReport.
  * This is the main entry point — consumers call scanProjectHealth().
  */
 
@@ -28,6 +28,11 @@ import { check as checkCoverageThresholds } from './coverage-thresholds.js'
 import { check as checkEslintSecurity } from './eslint-security.js'
 import { check as checkDependencyCruiser } from './dependency-cruiser.js'
 import { check as checkConventionalCommits } from './conventional-commits.js'
+import { check as checkKnip } from './knip.js'
+import { check as checkDependencyAutomation } from './dependency-automation.js'
+import { check as checkLicenseAudit } from './license-audit.js'
+import { check as checkSast } from './sast.js'
+import { check as checkBundleSize } from './bundle-size.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -64,7 +69,12 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkCoverageThresholds(projectPath),
     checkEslintSecurity(projectPath),
     checkDependencyCruiser(projectPath),
-    checkConventionalCommits(projectPath)
+    checkConventionalCommits(projectPath),
+    checkKnip(projectPath),
+    checkDependencyAutomation(projectPath),
+    checkLicenseAudit(projectPath),
+    checkSast(projectPath),
+    checkBundleSize(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)

package/lib/checks/health/types.js

@@ -5,7 +5,7 @@
  */
 
 /**
- * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'} HealthCheckType
+ * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'} HealthCheckType
  *
  * @typedef {'ok'|'warning'|'error'} HealthStatus
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "publishConfig": {
     "access": "restricted"
   },