create-qa-architect 5.0.0 → 5.0.1

package/.github/workflows/quality.yml

@@ -434,3 +434,6 @@ jobs:
           echo "- ${{ needs.detect-maturity.outputs.has-deps == 'true' && '✅' || '⏭️' }} Security: ${{ needs.detect-maturity.outputs.has-deps == 'true' && 'Enabled' || 'Skipped (no dependencies)' }}" >> $GITHUB_STEP_SUMMARY
           echo "- ${{ needs.detect-maturity.outputs.test-count > 0 && '✅' || '⏭️' }} Tests: ${{ needs.detect-maturity.outputs.test-count > 0 && 'Enabled' || 'Skipped (no test files)' }}" >> $GITHUB_STEP_SUMMARY
           echo "- ${{ needs.detect-maturity.outputs.maturity == 'production-ready' && '✅' || '⏭️' }} Documentation: ${{ needs.detect-maturity.outputs.maturity == 'production-ready' && 'Enabled' || 'Skipped (not production-ready)' }}" >> $GITHUB_STEP_SUMMARY
+      # PR_COMMENTS_PLACEHOLDER
+
+# ALERTS_PLACEHOLDER

package/LICENSE

@@ -0,0 +1,66 @@
+VIBE BUILD LAB COMMERCIAL LICENSE
+
+Copyright (c) 2025 Vibe Build Lab LLC. All rights reserved.
+
+COMMERCIAL SOFTWARE - FREEMIUM MODEL
+
+This software and associated documentation files (the "Software") are
+proprietary commercial products of Vibe Build Lab LLC.
+
+TERMS OF USE:
+
+1. FREE TIER
+   The basic CLI tool is available free of charge for personal and commercial use.
+   Free tier includes:
+   - Basic quality automation setup
+   - ESLint, Prettier, Husky configuration
+   - Standard pre-commit hooks
+
+2. PAID TIERS
+   - Pro: $59/month or $590/year
+     - Security scanning (Gitleaks + ESLint security)
+     - Smart Test Strategy
+     - Multi-language support
+     - Unlimited repos
+   - Team: $15/user/month (5-seat minimum)
+     - All Pro features
+     - RBAC and team policies
+     - Slack alerts
+     - Multi-repo dashboard
+   - Enterprise: $249/month + $499 onboarding
+     - All Team features
+     - SSO/SAML integration
+     - Custom policies
+     - Compliance pack
+     - Dedicated TAM
+
+3. VIBE LAB PRO BUNDLE
+   Pro tier is included in the Vibe Lab Pro subscription.
+   Team and Enterprise tiers are standalone purchases.
+
+4. PERMITTED USES
+   - Use the free tier without restriction
+   - Use paid features with active subscription
+   - Use for personal and commercial projects
+
+5. RESTRICTIONS
+   - NO redistribution of paid features
+   - NO resale or sublicensing
+   - NO circumventing license validation
+   - NO removal of copyright notices
+
+6. NO WARRANTY
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+7. LIMITATION OF LIABILITY
+   IN NO EVENT SHALL VIBE BUILD LAB LLC BE LIABLE FOR ANY CLAIM, DAMAGES OR
+   OTHER LIABILITY ARISING FROM THE USE OF THE SOFTWARE.
+
+For licensing inquiries: support@vibebuildlab.com
+
+---
+
+Vibe Build Lab LLC
+https://vibebuildlab.com

package/README.md

@@ -1,6 +1,8 @@
-# Create Quality Automation
+# QA Architect
 
-Bootstrap quality automation in JavaScript/TypeScript and Python projects with comprehensive tooling. One command adds ESLint, Prettier, Husky, lint-staged, security scanning, and GitHub Actions to any project.
+Quality automation CLI for JavaScript/TypeScript and Python projects. One command adds ESLint, Prettier, Husky, lint-staged, and GitHub Actions. Pro tiers add security scanning (Gitleaks), Smart Test Strategy, and multi-language support.
+
+**This repo = the free CLI.** For the Pro dashboard with repo analytics, CI integration, and automation workflows, see [QA Architect Pro](https://vibebuildlab.com/qa-architect-pro) (included in Vibe Lab Pro).
 
 ---
 
@@ -19,7 +21,7 @@ Bootstrap quality automation in JavaScript/TypeScript and Python projects with c
 - **GitHub Actions** - Automated quality checks in CI/CD
 - **TypeScript Smart** - Auto-detects and configures TypeScript projects
 - **Python Support** - Complete Python toolchain with Black, Ruff, isort, mypy, pytest
-- **Security Automation** - npm audit and hardcoded secrets scanning
+- **Security Automation** - npm audit (Free), Gitleaks + ESLint security (Pro)
 - **Progressive Quality** - Adaptive checks based on project maturity
 - **Smart Test Strategy** - Risk-based pre-push validation (Pro feature)
 
@@ -37,35 +39,41 @@ Bootstrap quality automation in JavaScript/TypeScript and Python projects with c
 npx create-qa-architect@latest
 ```
 
-## Pricing & Licensing
+## Pricing
 
-### Freemium Model
+| Tier           | Price                     | What You Get                                                                                       |
+| -------------- | ------------------------- | -------------------------------------------------------------------------------------------------- |
+| **Free**       | $0                        | CLI tool, basic linting/formatting, npm audit (capped: 1 private repo, 50 runs/mo)                 |
+| **Pro**        | $59/mo or $590/yr         | **Security scanning (Gitleaks + ESLint security)**, Smart Test Strategy, multi-language, unlimited |
+| **Team**       | $15/user/mo (5-seat min)  | + RBAC, Slack alerts, multi-repo dashboard, team audit log                                         |
+| **Enterprise** | $249/mo + $499 onboarding | + SSO/SAML, custom policies, compliance pack, dedicated TAM                                        |
 
-| Tier           | Price       | Features                                                |
-| -------------- | ----------- | ------------------------------------------------------- |
-| **Free**       | $0          | Basic quality automation, 1 private repo, 2k LOC        |
-| **Pro**        | $59/mo      | Unlimited repos, Smart Test Strategy, security scanning |
-| **Team**       | $15/user/mo | All Pro features + shared quota, team policies          |
-| **Enterprise** | $249/mo     | SSO/SAML, custom patterns, compliance pack              |
+> **Pro included in [Vibe Lab Pro](https://vibebuildlab.com/pro)** — Team/Enterprise are standalone purchases.
 
-### License
+### Security Features by Tier
+
+| Feature                     | Free | Pro+ |
+| --------------------------- | ---- | ---- |
+| npm audit (basic)           | ✅   | ✅   |
+| Gitleaks (secrets scanning) | ❌   | ✅   |
+| ESLint security rules       | ❌   | ✅   |
 
-**Open Source (MIT)** - Free for personal and commercial use.
+### License
 
-[Get Started with Pro](https://vibebuildlab.com/cqa)
+**MIT License** for the CLI (this repository). Pro features require a paid subscription or Vibe Lab Pro membership. See [LICENSE](LICENSE).
 
 ## Tech Stack
 
-| Component       | Technology                |
-| --------------- | ------------------------- |
-| **Runtime**     | Node.js 20+               |
-| **Linting**     | ESLint 9 (flat config)    |
-| **Formatting**  | Prettier 3                |
-| **CSS Linting** | Stylelint 16              |
-| **Git Hooks**   | Husky 9 + lint-staged 15  |
-| **Python**      | Black, Ruff, mypy, pytest |
-| **Performance** | Lighthouse CI             |
-| **Security**    | Gitleaks, npm audit       |
+| Component       | Technology                                         |
+| --------------- | -------------------------------------------------- |
+| **Runtime**     | Node.js 20+                                        |
+| **Linting**     | ESLint 9 (flat config)                             |
+| **Formatting**  | Prettier 3                                         |
+| **CSS Linting** | Stylelint 16                                       |
+| **Git Hooks**   | Husky 9 + lint-staged 15                           |
+| **Python**      | Black, Ruff, mypy, pytest                          |
+| **Performance** | Lighthouse CI                                      |
+| **Security**    | npm audit (Free), Gitleaks + ESLint security (Pro) |
 
 ## Getting Started
 
@@ -157,6 +165,8 @@ your-project/
 ├── .husky/                      # Pre-commit hooks
 ├── .editorconfig                # Editor defaults
 ├── .eslintignore                # ESLint ignore patterns
+├── .lighthouserc.js             # Lighthouse CI config
+├── .npmrc                       # npm configuration
 ├── .nvmrc                       # Node version pinning
 ├── .prettierrc                  # Prettier configuration
 ├── .stylelintrc.json            # Stylelint rules
@@ -182,9 +192,9 @@ npm run validate:pre-push   # Pre-push validation
 - [x] Progressive quality (maturity detection)
 - [x] Python toolchain support
 - [x] Smart test strategy (Pro)
+- [x] Monorepo support (Nx, Turborepo, Lerna, Rush, npm/pnpm/yarn workspaces)
 - [ ] Rust and Go support
 - [ ] VS Code extension
-- [ ] Monorepo support
 
 ## Contributing
 
@@ -199,14 +209,18 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ## Support
 
-1. Check the [Troubleshooting Guide](./TROUBLESHOOTING.md)
-2. Review GitHub Actions logs
-3. Open an issue in this repository
+1. Review GitHub Actions logs
+2. Open an issue in this repository
 
 ## License
 
-MIT License - free to use in any project. See [LICENSE](LICENSE) for details.
+MIT License - the CLI is free to use in any project. Pro/Team/Enterprise features require a paid subscription. See [LICENSE](LICENSE) for details.
+
+## Legal
+
+- [Privacy Policy](https://vibebuildlab.com/privacy-policy)
+- [Terms of Service](https://vibebuildlab.com/terms)
 
 ---
 
-> Discover more tools at **https://www.vibebuildlab.com**.
+> **Vibe Build Lab LLC** · [vibebuildlab.com](https://vibebuildlab.com)

package/create-saas-monetization.js

@@ -13,6 +13,16 @@
  * - Conversion landing page
  * - Beta user email campaigns
  * - Upgrade prompts and messaging
+ *
+ * Roadmap / Future Ideas:
+ * - Extract licensing to shared npm package (@vibebuildlab/licensing)
+ *   - Single source of truth across all Vibe Lab products
+ *   - Central license server with one API for all products
+ *   - Device/activation limits (optional enforcement)
+ *   - License revocation for chargebacks
+ * - Team/seat-based licensing with org management
+ * - SSO/SAML integration for Enterprise tier
+ * - Usage-based billing option (metered pricing)
  */
 
 'use strict'

package/docs/ARCHITECTURE.md

@@ -0,0 +1,54 @@
+# Architecture
+
+## Overview
+
+QA Architect is a CLI tool that bootstraps quality automation in JavaScript/TypeScript and Python projects.
+
+## Core Components
+
+```
+create-qa-architect/
+├── setup.js              # Main CLI entry point
+├── lib/
+│   ├── smart-strategy-generator.js    # Smart test strategy (Pro)
+│   ├── dependency-monitoring-*.js     # Dependency monitoring
+│   └── validation/                    # Validation utilities
+├── templates/            # Project templates
+│   ├── eslint.config.cjs
+│   ├── .prettierrc
+│   ├── .husky/
+│   └── scripts/
+└── config/               # Language-specific configs
+    ├── pyproject.toml
+    └── quality-python.yml
+```
+
+## Data Flow
+
+1. **Detection Phase**: Detect project type (JS/TS/Python/mixed)
+2. **Configuration Phase**: Generate appropriate configs
+3. **Installation Phase**: Copy templates, update package.json
+4. **Validation Phase**: Verify setup is complete
+
+## Extension Points
+
+- Custom templates via `--template` flag
+- Language detection can be extended in `setup.js`
+- New quality checks via template files
+
+## Smart Test Strategy (Pro)
+
+Risk-based pre-push validation that adapts to change context:
+
+1. Calculate risk score (0-10) based on files changed
+2. Select appropriate test tier (minimal → comprehensive)
+3. Run tests with appropriate depth
+
+## CLI Flags
+
+- `--update` - Update existing setup
+- `--deps` - Dependency monitoring only
+- `--security-config` - Security validation
+- `--check-maturity` - Project maturity report
+- `--comprehensive` - Full validation suite
+

package/docs/DEPLOYMENT.md

@@ -0,0 +1,63 @@
+# Deployment Guide
+
+## Overview
+
+QA Architect is published to npm as `create-qa-architect`.
+
+## Prerequisites
+
+- Node.js 20+
+- npm account with publish access
+- Git repository access
+
+## Release Process
+
+### 1. Pre-Release Validation
+
+```bash
+npm run prerelease    # Run all tests and validations
+npm run test:coverage # Verify coverage thresholds
+```
+
+### 2. Version Bump
+
+```bash
+npm run release:patch  # Bug fixes (1.0.x)
+npm run release:minor  # New features (1.x.0)
+npm run release:major  # Breaking changes (x.0.0)
+```
+
+### 3. Publish
+
+GitHub Actions automatically publishes on tagged releases.
+
+For manual publish:
+
+```bash
+npm publish
+```
+
+## Verification
+
+After release, verify:
+
+```bash
+npx create-qa-architect@latest --version
+npx create-qa-architect@latest --help
+```
+
+## Rollback
+
+If issues are discovered:
+
+```bash
+npm unpublish create-qa-architect@VERSION
+# or
+npm deprecate create-qa-architect@VERSION "Critical bug, use VERSION instead"
+```
+
+## npm Registry
+
+- Package: https://www.npmjs.com/package/create-qa-architect
+- Documentation: https://github.com/vibebuildlab/create-qa-architect
+

package/docs/SLA_GATES.md

@@ -0,0 +1,28 @@
+# Quality Gates & Merge Readiness (Default Recommendations)
+
+These defaults are meant to give teams a simple, enforceable bar. They are intentionally conservative so most repos can adopt them on day one without re-architecting.
+
+## Targets
+
+- Coverage: **80%** (line) for critical paths; **70%** repo-wide minimum.
+- Lint: **0** blocking ESLint/Stylelint errors; warnings allowed but surface in PR comment/summary.
+- Secrets: **0** leaked secrets (gitleaks hard fail).
+- Dependency vulns: No **high/critical** advisories (npm/yarn/pnpm audit). Medium allowed with justification.
+- Performance budgets (CI): installs < 2m; test suite < 5m (already enforced in workflow).
+
+## How to enforce
+
+- GitHub Actions: quality.yml is wired to fail on lint/scan/test failures. Set env `MIN_COVERAGE=80` to gate on coverage (add a coverage reporter such as `c8` or `vitest --coverage`).
+- Branch protection: require the “Quality Checks” workflow to pass; enable dismiss stale approvals on push.
+- PR comments: run setup with `--pr-comments` to surface gate status in the PR thread.
+- Alerts: run setup with `--alerts-slack` to post failures to Slack.
+
+## Exceptions
+
+- Allow temporary waivers via labels (e.g., `risk-accepted`) and document in the PR body.
+- Lower coverage floors for greenfield proofs-of-concept (set `MIN_COVERAGE=60`) but time-box the exemption.
+
+## Next steps
+
+- Add repo-specific risk areas to `.qualityrc.json` under `riskAreas`.
+- Track SLA drift in reports (future: audit log + team dashboard hooks).

package/docs/TESTING.md

@@ -0,0 +1,62 @@
+# Testing Strategy
+
+## Overview
+
+QA Architect uses Jest for testing with a focus on integration tests that validate real CLI workflows.
+
+## Running Tests
+
+```bash
+npm test                 # Run all tests
+npm run test:coverage    # Run with coverage report
+npm run test:watch       # Watch mode for development
+```
+
+## Test Structure
+
+```
+tests/
+├── setup.test.js           # Main CLI integration tests
+├── cli-deps-integration.test.js    # Dependency CLI tests
+├── real-world-packages.test.js     # Real package validation
+└── premium-dependency-monitoring.test.js  # Pro feature tests
+```
+
+## Coverage Requirements
+
+- **Overall**: 75%+ lines, statements, functions, branches
+- **New files**: 75%+ coverage before merging
+- **Critical files**: `setup.js` requires 80%+
+
+## Testing Patterns
+
+### Integration Tests
+
+Test real CLI workflows with temp directories:
+
+```javascript
+const testDir = createTempGitRepo()
+const result = execSync('node setup.js --deps', { cwd: testDir })
+assert(fs.existsSync(path.join(testDir, '.github/dependabot.yml')))
+```
+
+### Real-World Data
+
+Use real packages from the ecosystem, not toy examples:
+
+```javascript
+const TOP_PYTHON_PACKAGES = [
+  'django-cors-headers',
+  'scikit-learn',
+  'pytest-cov'
+]
+```
+
+## Pre-Release Validation
+
+Always run before release:
+
+```bash
+npm run prerelease  # Runs docs:check + all tests
+```
+

package/docs/security/SOC2_STARTER.md

@@ -0,0 +1,29 @@
+# SOC 2 Starter (Preflight Checklist)
+
+This starter doc is a lightweight preflight for teams using QA Architect. It is not a substitute for a real SOC 2 program, but it maps common CI/quality controls to SOC 2 CC/PII areas.
+
+## Controls to Wire First
+
+- **Change Management (CC8.1):** Require PR review + Quality Checks workflow pass; enable branch protection on main.
+- **Secure SDLC (CC6.1):** Keep ESLint security, gitleaks, dependency audit steps enabled; document exceptions in PRs.
+- **Logging & Alerts (CC7.2):** Turn on Slack alerts via `--alerts-slack` and keep CI logs for 90 days.
+- **Backup of Config (CC9.2):** Check in `.qualityrc.json`, `quality.yml`, and Dependabot configs; avoid secrets in repo.
+- **Access (CC6.2):** Use least-privilege GitHub tokens; rotate `GITLEAKS_TOKEN`/`SEMGREP_APP_TOKEN` every 90 days.
+
+## Evidence You Can Collect Today
+
+- CI run artifacts showing lint/test/security passes.
+- Dependency audit reports (npm audit logs) and gitleaks scan results.
+- Coverage reports (c8/Vitest/Jest) stored in artifacts.
+- PR comments from quality workflow (when `--pr-comments` is enabled).
+
+## Gaps to plan for
+
+- **SSO/SAML & RBAC:** Roadmap item (Enterprise); track in issue tracker.
+- **Audit logging:** Add a central log sink (e.g., S3/CloudWatch) for CI events.
+- **Vendor risk:** Document third-party actions; pin SHAs (already pinned in quality.yml) and review quarterly.
+
+## How to use this file
+
+- Keep it checked in; edit per repo to note exceptions and waivers.
+- Link it in onboarding docs so new contributors know the expected bar.

package/lib/dependency-monitoring-basic.js

@@ -17,6 +17,7 @@ function hasNpmProject(projectPath) {
 /**
  * Generate basic Dependabot configuration (Free Tier)
  * Limited to npm only, no framework detection, basic settings
+ * Supports monorepo per-package directories
  */
 function generateBasicDependabotConfig(options = {}) {
   const {
@@ -24,49 +25,95 @@ function generateBasicDependabotConfig(options = {}) {
     schedule = 'weekly',
     day = 'monday',
     time = '09:00',
+    monorepoInfo = null, // Optional monorepo detection result
   } = options
 
   if (!hasNpmProject(projectPath)) {
     return null // Only npm projects supported in free tier
   }
 
-  const config = {
-    version: 2,
-    updates: [
-      {
+  const updates = []
+
+  // If monorepo with resolved packages, create per-package entries
+  if (
+    monorepoInfo &&
+    monorepoInfo.isMonorepo &&
+    monorepoInfo.resolvedPackages &&
+    monorepoInfo.resolvedPackages.length > 0
+  ) {
+    // Root package
+    updates.push({
+      'package-ecosystem': 'npm',
+      directory: '/',
+      schedule: {
+        interval: schedule,
+        day: day,
+        time: time,
+      },
+      'open-pull-requests-limit': 5,
+      labels: ['dependencies', 'root'],
+      'commit-message': {
+        prefix: 'deps(root)',
+        include: 'scope',
+      },
+    })
+
+    // Per-package entries
+    for (const pkg of monorepoInfo.resolvedPackages) {
+      const dir = '/' + pkg.relativePath.replace(/\\/g, '/')
+      updates.push({
         'package-ecosystem': 'npm',
-        directory: '/',
+        directory: dir,
         schedule: {
           interval: schedule,
           day: day,
           time: time,
         },
-        'open-pull-requests-limit': 5,
-        labels: ['dependencies'],
+        'open-pull-requests-limit': 3,
+        labels: ['dependencies', pkg.name],
         'commit-message': {
-          prefix: 'deps',
+          prefix: `deps(${pkg.name})`,
           include: 'scope',
         },
-        // Note: Dependabot will create PRs for all dependency updates.
-        // To auto-merge specific updates (e.g., security patches), add a GitHub Actions
-        // workflow with conditions like: if: contains(github.event.pull_request.labels.*.name, 'security')
-        // See: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+      })
+    }
+  } else {
+    // Single package (non-monorepo)
+    updates.push({
+      'package-ecosystem': 'npm',
+      directory: '/',
+      schedule: {
+        interval: schedule,
+        day: day,
+        time: time,
       },
-      // GitHub Actions monitoring (free tier includes this)
-      {
-        'package-ecosystem': 'github-actions',
-        directory: '/',
-        schedule: {
-          interval: schedule,
-          day: day,
-          time: time,
-        },
-        labels: ['dependencies', 'github-actions'],
-        'commit-message': {
-          prefix: 'deps(actions)',
-        },
+      'open-pull-requests-limit': 5,
+      labels: ['dependencies'],
+      'commit-message': {
+        prefix: 'deps',
+        include: 'scope',
       },
-    ],
+    })
+  }
+
+  // GitHub Actions monitoring (free tier includes this)
+  updates.push({
+    'package-ecosystem': 'github-actions',
+    directory: '/',
+    schedule: {
+      interval: schedule,
+      day: day,
+      time: time,
+    },
+    labels: ['dependencies', 'github-actions'],
+    'commit-message': {
+      prefix: 'deps(actions)',
+    },
+  })
+
+  const config = {
+    version: 2,
+    updates: updates,
   }
 
   return config

package/lib/licensing.js

@@ -396,7 +396,7 @@ function showUpgradeMessage(feature) {
     console.log('')
     console.log('   🎁 Start 14-day free trial - no credit card required')
     console.log('')
-    console.log('🚀 Upgrade: https://vibebuildlab.com/cqa')
+    console.log('🚀 Upgrade: https://vibebuildlab.com/qaa')
     console.log(
       '🔑 Activate: npx create-qa-architect@latest --activate-license'
     )
@@ -414,7 +414,7 @@ function showUpgradeMessage(feature) {
     console.log('   ✅ Slack/email alerts for failures')
     console.log('   ✅ Priority support (business hours)')
     console.log('')
-    console.log('👥 Upgrade: https://vibebuildlab.com/cqa/team')
+    console.log('👥 Upgrade: https://vibebuildlab.com/qaa/team')
   } else if (license.tier === LICENSE_TIERS.TEAM) {
     console.log('\n🏢 Upgrade to ENTERPRISE - $249/month (annual) + onboarding')
     console.log('')
@@ -795,7 +795,8 @@ function checkUsageCaps(operation = 'general') {
     usage: {
       prePushRuns: usage.prePushRuns,
       dependencyPRs: usage.dependencyPRs,
-      repos: usage.repos.length,
+      repos: usage.repos || [],
+      repoCount: (usage.repos || []).length,
     },
     caps: {
       maxPrePushRunsPerMonth: caps.maxPrePushRunsPerMonth,
@@ -957,7 +958,7 @@ function showLicenseStatus() {
   // Show upgrade path
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n💡 Upgrade to PRO for unlimited access + security scanning')
-    console.log('   → https://vibebuildlab.com/cqa')
+    console.log('   → https://vibebuildlab.com/qaa')
   }
 }