create-qa-architect 5.0.0

package/lib/security-enhancements.js

@@ -0,0 +1,340 @@
+/**
+ * Security-First Configuration Enhancements
+ * Comprehensive security scanning and validation by default
+ */
+
+const fs = require('fs')
+const path = require('path')
+
+/**
+ * Generate enhanced security configuration
+ * Makes security scanning the default, not optional
+ */
+function generateSecurityFirstConfig(_projectPath = '.') {
+  const securityConfig = {
+    // Secret scanning configuration
+    gitleaks: {
+      enabled: true,
+      configPath: '.gitleaks.toml',
+      blockCommits: true,
+      scanHistory: false, // Don't scan full history by default for performance
+    },
+
+    // Dependency vulnerability scanning
+    npm: {
+      audit: {
+        enabled: true,
+        level: 'high', // Only block on high/critical vulnerabilities
+        autoFix: true,
+        excludePatterns: [],
+      },
+    },
+
+    // ESLint security rules
+    eslint: {
+      security: {
+        enabled: true,
+        rules: {
+          'security/detect-object-injection': 'error',
+          'security/detect-non-literal-regexp': 'error',
+          'security/detect-unsafe-regex': 'error',
+          'security/detect-eval-with-expression': 'error',
+          'security/detect-no-csrf-before-method-override': 'error',
+        },
+      },
+    },
+
+    // GitHub Actions security
+    github: {
+      actionlint: {
+        enabled: true,
+        blockWorkflows: true,
+      },
+      dependabot: {
+        enabled: true,
+        autoMerge: false, // Manual review required
+      },
+    },
+  }
+
+  return securityConfig
+}
+
+/**
+ * Generate comprehensive security npm scripts
+ */
+function getSecurityScripts() {
+  return {
+    // Core security audit commands
+    'security:audit': 'npm audit --audit-level high',
+    'security:audit:fix': 'npm audit fix',
+    'security:secrets': 'npx gitleaks detect --no-banner --redact --verbose',
+    'security:secrets:baseline':
+      'npx gitleaks detect --no-banner --redact --baseline-path .gitleaksignore',
+
+    // Comprehensive security check (all tools)
+    'security:check':
+      'npm run security:audit && npm run security:secrets && npm run security:eslint',
+    'security:eslint': 'npx eslint . --config eslint-security.config.js',
+
+    // CI/CD security validation
+    'security:ci': 'npm run security:check && npm run validate:workflows',
+    'validate:workflows': 'npx actionlint .github/workflows/*.yml',
+
+    // Security reporting
+    'security:report': 'npm run security:check > security-report.txt 2>&1',
+    'security:baseline':
+      'npm run security:secrets:baseline && npm run security:audit',
+  }
+}
+
+/**
+ * Generate .gitleaks.toml configuration
+ * Comprehensive secret detection patterns
+ */
+function generateGitleaksConfig() {
+  return `# Gitleaks configuration for comprehensive secret detection
+# Generated by create-qa-architect
+
+[extend]
+# Use default gitleaks rules as base
+useDefault = true
+
+# Additional custom patterns for common secrets
+[[rules]]
+description = "JWT tokens"
+id = "jwt-token"
+regex = '''eyJ[A-Za-z0-9_/+-]{10,}={0,2}'''
+tags = ["key", "JWT"]
+
+[[rules]]
+description = "Base64 encoded secrets (long)"
+id = "base64-secret"
+regex = '''[A-Za-z0-9+/]{40,}={0,2}'''
+tags = ["secret", "base64"]
+keywords = ["secret", "key", "token", "password"]
+
+[[rules]]
+description = "Environment variable secrets"
+id = "env-secret"
+regex = '''(?i)(api_key|secret|password|token)\\s*=\\s*['""][^'"\\s]{10,}['""]'''
+tags = ["env", "secret"]
+
+# Allowlist for test files and examples
+[[rules.allowlist]]
+description = "Test secrets and examples"
+regexes = [
+  '''test_secret_.*''',
+  '''example_.*''',
+  '''dummy_.*''',
+  '''fake_.*'''
+]
+paths = [
+  '''tests/''',
+  '''test/''',
+  '''__tests__/''',
+  '''examples/''',
+  '''docs/''',
+  '''.md$'''
+]
+
+# Global allowlist for common false positives
+[[allowlist]]
+description = "Common false positives"
+regexes = [
+  '''EXAMPLE_.*''',
+  '''your_.*_here''',
+  '''replace_with_.*''',
+  '''TODO:.*'''
+]
+`
+}
+
+/**
+ * Generate eslint-security.config.js for security-specific linting
+ */
+function generateEslintSecurityConfig() {
+  return `// ESLint security configuration
+// Generated by create-qa-architect
+
+const security = require('eslint-plugin-security')
+
+module.exports = [
+  {
+    plugins: {
+      security
+    },
+    rules: {
+      // Critical security rules (errors)
+      'security/detect-object-injection': 'error',
+      'security/detect-non-literal-regexp': 'error',
+      'security/detect-unsafe-regex': 'error',
+      'security/detect-eval-with-expression': 'error',
+      'security/detect-no-csrf-before-method-override': 'error',
+      'security/detect-buffer-noassert': 'error',
+      'security/detect-child-process': 'error',
+      'security/detect-disable-mustache-escape': 'error',
+      'security/detect-new-buffer': 'error',
+      'security/detect-possible-timing-attacks': 'error',
+      'security/detect-pseudoRandomBytes': 'error',
+
+      // Warning-level security rules
+      'security/detect-bidi-characters': 'warn',
+      'security/detect-non-literal-fs-filename': 'warn',
+      'security/detect-non-literal-require': 'warn'
+    }
+  }
+]
+`
+}
+
+/**
+ * Apply security-first configuration to project
+ */
+function applySecurityFirstConfiguration(projectPath = '.') {
+  const securityFixes = []
+
+  // 1. Generate .gitleaks.toml
+  const gitleaksConfigPath = path.join(projectPath, '.gitleaks.toml')
+  if (!fs.existsSync(gitleaksConfigPath)) {
+    fs.writeFileSync(gitleaksConfigPath, generateGitleaksConfig())
+    securityFixes.push(
+      '✅ Created .gitleaks.toml - comprehensive secret detection'
+    )
+  }
+
+  // 2. Generate eslint-security.config.js
+  const eslintSecurityPath = path.join(projectPath, 'eslint-security.config.js')
+  if (!fs.existsSync(eslintSecurityPath)) {
+    fs.writeFileSync(eslintSecurityPath, generateEslintSecurityConfig())
+    securityFixes.push(
+      '✅ Created eslint-security.config.js - security-focused linting'
+    )
+  }
+
+  // 3. Create .gitleaksignore for managing false positives
+  const gitleaksIgnorePath = path.join(projectPath, '.gitleaksignore')
+  if (!fs.existsSync(gitleaksIgnorePath)) {
+    const ignoreContent = `# Gitleaks ignore file
+# Add specific secrets that are false positives or test data
+# Format: <rule-id>:<file-path>:<line-number>:<commit-hash>
+
+# Example:
+# jwt-token:tests/fixtures/example.js:15:abc123def456
+`
+    fs.writeFileSync(gitleaksIgnorePath, ignoreContent)
+    securityFixes.push('✅ Created .gitleaksignore - manage false positives')
+  }
+
+  // 4. Generate security documentation
+  const securityDocsPath = path.join(projectPath, 'SECURITY.md')
+  if (!fs.existsSync(securityDocsPath)) {
+    const securityDocs = generateSecurityDocumentation()
+    fs.writeFileSync(securityDocsPath, securityDocs)
+    securityFixes.push(
+      '✅ Created SECURITY.md - security policies and procedures'
+    )
+  }
+
+  return securityFixes
+}
+
+/**
+ * Generate SECURITY.md documentation
+ */
+function generateSecurityDocumentation() {
+  return `# Security Policy
+
+## Automated Security Scanning
+
+This project uses multiple layers of automated security scanning:
+
+### Secret Detection
+- **Tool**: Gitleaks
+- **Configuration**: \`.gitleaks.toml\`
+- **Coverage**: API keys, passwords, tokens, certificates
+- **Pre-commit**: Blocks commits containing secrets
+- **CI/CD**: Scans all pull requests
+
+### Dependency Scanning
+- **Tool**: npm audit
+- **Level**: High and critical vulnerabilities only
+- **Auto-fix**: Enabled for compatible updates
+- **CI/CD**: Fails builds on high/critical vulnerabilities
+
+### Code Security Scanning
+- **Tool**: ESLint security plugin
+- **Configuration**: \`eslint-security.config.js\`
+- **Coverage**: Injection attacks, unsafe patterns, crypto issues
+- **Pre-commit**: Blocks commits with security violations
+
+### Workflow Security
+- **Tool**: actionlint
+- **Coverage**: GitHub Actions workflow security issues
+- **CI/CD**: Validates workflow syntax and security
+
+## Manual Security Commands
+
+\`\`\`bash
+# Run all security checks
+npm run security:check
+
+# Check for secrets
+npm run security:secrets
+
+# Check dependencies
+npm run security:audit
+
+# Fix dependency issues
+npm run security:audit:fix
+
+# Generate security report
+npm run security:report
+\`\`\`
+
+## Reporting Security Issues
+
+If you discover a security vulnerability:
+
+1. **DO NOT** create a public GitHub issue
+2. Email security reports to: [Your security email]
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if known)
+
+## Security Best Practices
+
+### For Developers
+- Never commit secrets, API keys, or passwords
+- Use environment variables for sensitive configuration
+- Run \`npm run security:check\` before pushing
+- Keep dependencies updated
+- Review security scanner output carefully
+
+### For CI/CD
+- All security checks must pass before merge
+- Dependency updates require security review
+- Secrets stored in secure environment variables
+- Regular security audits in automated schedules
+
+## Security Contact
+
+For security-related questions: [Your contact information]
+
+## Policy Updates
+
+This security policy is reviewed and updated quarterly.
+Last updated: [Current date]
+`
+}
+
+module.exports = {
+  generateSecurityFirstConfig,
+  getSecurityScripts,
+  generateGitleaksConfig,
+  generateEslintSecurityConfig,
+  applySecurityFirstConfiguration,
+  generateSecurityDocumentation,
+}

package/lib/setup-enhancements.js

@@ -0,0 +1,317 @@
+/**
+ * Setup Enhancements
+ * Critical fixes to prevent production issues that bypassed reviews and tests
+ */
+
+const fs = require('fs')
+const path = require('path')
+const {
+  generateTestsTypeScriptConfig,
+  getEnhancedTypeScriptScripts,
+  getEnhancedLintStaged,
+  detectProjectType,
+  getProjectQualityConfig,
+} = require('./typescript-config-generator')
+
+const {
+  applySecurityFirstConfiguration,
+  getSecurityScripts,
+} = require('./security-enhancements')
+
+/**
+ * Apply critical quality fixes that prevent production issues
+ * These fixes address gaps that allowed 13+ TypeScript errors to reach production
+ */
+function applyProductionQualityFixes(projectPath = '.', options = {}) {
+  const {
+    hasTypeScript = false,
+    hasPython = false,
+    skipTypeScriptTests = false,
+  } = options
+
+  console.log('\n🔧 Applying Critical Quality Fixes...')
+
+  const fixes = []
+
+  // Fix 1: Generate tests/tsconfig.json (CRITICAL)
+  if (hasTypeScript && !skipTypeScriptTests) {
+    try {
+      const testsTsConfigPath = generateTestsTypeScriptConfig(projectPath)
+      fixes.push(
+        `✅ Created ${testsTsConfigPath} - TypeScript now validates test files`
+      )
+      console.log('   🎯 Fix: TypeScript errors in tests will now be caught')
+    } catch (error) {
+      console.warn(
+        `⚠️  Could not generate tests TypeScript config: ${error.message}`
+      )
+    }
+  }
+
+  // Fix 2: Enhanced npm scripts with comprehensive quality gates
+  const enhancedScripts = getEnhancedTypeScriptScripts()
+  fixes.push('✅ Added comprehensive npm scripts:')
+  fixes.push('   • type-check:all - validates both src and tests')
+  fixes.push('   • quality:check - comprehensive pre-commit gate')
+  fixes.push('   • quality:ci - full CI validation')
+
+  // Fix 3: Project-specific quality configuration
+  const projectType = detectProjectType(projectPath)
+  const qualityConfig = getProjectQualityConfig(projectType)
+
+  fixes.push(`✅ Detected project type: ${projectType}`)
+  fixes.push(`   🎯 Applied ${projectType}-specific quality standards`)
+
+  // Fix 4: Enhanced pre-commit hooks
+  const enhancedLintStaged = getEnhancedLintStaged(hasPython, hasTypeScript)
+  fixes.push('✅ Enhanced pre-commit hooks:')
+  if (hasTypeScript) {
+    fixes.push('   • TypeScript validation on ALL .ts/.tsx files')
+    fixes.push('   • Separate test TypeScript validation')
+  }
+  fixes.push('   • Comprehensive ESLint + Prettier + Stylelint')
+
+  // Fix 5: Copy quality troubleshooting guide
+  copyQualityTroubleshootingGuide(projectPath)
+  fixes.push('✅ Added QUALITY_TROUBLESHOOTING.md')
+  fixes.push('   🎯 Diagnostic commands for common production issues')
+
+  // Fix 6: Copy integration test templates based on project type
+  copyIntegrationTestTemplates(projectPath, projectType)
+  fixes.push(`✅ Added ${projectType} integration test templates`)
+
+  // Fix 7: Apply security-first configuration
+  const securityFixes = applySecurityFirstConfiguration(projectPath)
+  fixes.push('✅ Applied security-first configuration:')
+  securityFixes.forEach(fix => fixes.push(`   ${fix}`))
+
+  // Fix 8: Add comprehensive security scripts
+  const securityScripts = getSecurityScripts()
+  fixes.push('✅ Added comprehensive security scripts:')
+  fixes.push('   • security:check - all security validations')
+  fixes.push('   • security:secrets - secret scanning')
+  fixes.push('   • security:audit - dependency vulnerabilities')
+
+  return {
+    enhancedScripts: { ...enhancedScripts, ...securityScripts },
+    enhancedLintStaged,
+    projectType,
+    qualityConfig,
+    fixes,
+  }
+}
+
+/**
+ * Copy quality troubleshooting guide to project
+ */
+function copyQualityTroubleshootingGuide(projectPath) {
+  const sourcePath = path.join(
+    __dirname,
+    '../templates/QUALITY_TROUBLESHOOTING.md'
+  )
+  const destPath = path.join(projectPath, 'QUALITY_TROUBLESHOOTING.md')
+
+  if (fs.existsSync(sourcePath)) {
+    fs.copyFileSync(sourcePath, destPath)
+  }
+}
+
+/**
+ * Copy integration test templates based on project type
+ */
+function copyIntegrationTestTemplates(projectPath, projectType) {
+  const templatesDir = path.join(__dirname, '../templates/integration-tests')
+  const targetTestsDir = path.join(projectPath, 'tests', 'integration')
+
+  // Create integration tests directory
+  if (!fs.existsSync(targetTestsDir)) {
+    fs.mkdirSync(targetTestsDir, { recursive: true })
+  }
+
+  // Copy project-type-specific template
+  const templateFile = `${projectType}.test.js`
+  const sourcePath = path.join(templatesDir, templateFile)
+  const destPath = path.join(targetTestsDir, 'example.test.js')
+
+  if (fs.existsSync(sourcePath)) {
+    fs.copyFileSync(sourcePath, destPath)
+
+    // Add README explaining the template
+    const readmePath = path.join(targetTestsDir, 'README.md')
+    const readmeContent = `# Integration Tests
+
+This directory contains integration tests for your ${projectType}.
+
+## Getting Started
+
+1. Review \`example.test.js\` for patterns specific to ${projectType} projects
+2. Rename and customize the example test for your use case
+3. Run integration tests: \`npm run test:integration\`
+
+## Test Types for ${projectType}
+
+${getTestTypesDocumentation(projectType)}
+
+## Troubleshooting
+
+See \`QUALITY_TROUBLESHOOTING.md\` in the project root for common issues.
+`
+    fs.writeFileSync(readmePath, readmeContent)
+  }
+}
+
+/**
+ * Get test types documentation for project type
+ */
+function getTestTypesDocumentation(projectType) {
+  const docs = {
+    'api-service': `
+- **Unit Tests**: Individual functions and modules
+- **Integration Tests**: Database operations, API endpoints
+- **E2E Tests**: Full request/response cycles
+- **Performance Tests**: Load testing, concurrency
+`,
+    'frontend-app': `
+- **Unit Tests**: Components, utilities, hooks
+- **Integration Tests**: Component interactions, forms
+- **E2E Tests**: Browser automation, user flows
+- **Accessibility Tests**: Screen reader, keyboard navigation
+`,
+    'cli-tool': `
+- **Unit Tests**: Individual commands and utilities
+- **Integration Tests**: File operations, command execution
+- **Command Tests**: CLI argument parsing, exit codes
+- **Cross-platform Tests**: Windows, macOS, Linux compatibility
+`,
+    library: `
+- **Unit Tests**: Public API methods
+- **Integration Tests**: Module interactions
+- **Type Tests**: TypeScript definitions
+- **Bundle Tests**: Distribution package validation
+`,
+  }
+
+  return (
+    docs[projectType] ||
+    `
+- **Unit Tests**: Individual functions and modules
+- **Integration Tests**: System component interactions
+- **E2E Tests**: Full application workflows
+`
+  )
+}
+
+/**
+ * Generate comprehensive pre-commit hook
+ * This replaces the narrow CLAUDE.md-only validation
+ */
+function generateEnhancedPreCommitHook(hasTypeScript, _hasPython) {
+  let hook = `#!/usr/bin/env sh
+# Enhanced pre-commit hook - prevents production issues
+
+echo "🔍 Running comprehensive quality checks..."
+
+# Run lint-staged (file-specific checks)
+npx lint-staged
+
+# Critical: TypeScript validation on ALL files
+`
+
+  if (hasTypeScript) {
+    hook += `echo "🔧 Checking TypeScript..."
+if ! npm run type-check:all; then
+  echo "❌ TypeScript validation failed"
+  echo "💡 Run: npm run type-check:all to see errors"
+  echo "📖 See QUALITY_TROUBLESHOOTING.md for help"
+  exit 1
+fi
+
+`
+  }
+
+  hook += `# Fast test suite for immediate feedback
+echo "🧪 Running fast tests..."
+if ! npm run test:fast --if-present; then
+  echo "❌ Fast tests failed"
+  echo "💡 Run: npm test for details"
+  echo "📖 See QUALITY_TROUBLESHOOTING.md for help"
+  exit 1
+fi
+
+echo "✅ All quality checks passed"
+`
+
+  return hook
+}
+
+/**
+ * Validate project setup for common gaps
+ * This catches configuration issues that cause production problems
+ */
+function validateProjectSetup(projectPath = '.') {
+  const warnings = []
+  const errors = []
+
+  // Check 1: TypeScript configuration completeness
+  const tsConfigPath = path.join(projectPath, 'tsconfig.json')
+  const testsTsConfigPath = path.join(projectPath, 'tests/tsconfig.json')
+
+  if (fs.existsSync(tsConfigPath) && !fs.existsSync(testsTsConfigPath)) {
+    errors.push(
+      '❌ CRITICAL: TypeScript config exists but tests/tsconfig.json missing'
+    )
+    errors.push(
+      '   🎯 This allows TypeScript errors in tests to reach production'
+    )
+    errors.push(
+      '   💡 Fix: create-qa-architect will generate tests/tsconfig.json'
+    )
+  }
+
+  // Check 2: Pre-commit hook comprehensiveness
+  const preCommitPath = path.join(projectPath, '.husky/pre-commit')
+  if (fs.existsSync(preCommitPath)) {
+    const preCommitContent = fs.readFileSync(preCommitPath, 'utf8')
+
+    if (!preCommitContent.includes('type-check')) {
+      warnings.push('⚠️  Pre-commit hook missing TypeScript validation')
+      warnings.push('   💡 Add: npm run type-check:all to .husky/pre-commit')
+    }
+
+    if (!preCommitContent.includes('test')) {
+      warnings.push('⚠️  Pre-commit hook missing test validation')
+      warnings.push('   💡 Add: npm run test:fast to .husky/pre-commit')
+    }
+  }
+
+  // Check 3: Quality gate scripts
+  const packageJsonPath = path.join(projectPath, 'package.json')
+  if (fs.existsSync(packageJsonPath)) {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))
+    const scripts = packageJson.scripts || {}
+
+    if (!scripts['type-check:all']) {
+      warnings.push('⚠️  Missing comprehensive TypeScript validation script')
+      warnings.push(
+        '   💡 Add: "type-check:all": "npm run type-check && npm run type-check:tests"'
+      )
+    }
+
+    if (!scripts['quality:check']) {
+      warnings.push('⚠️  Missing comprehensive quality check script')
+      warnings.push(
+        '   💡 Add: "quality:check": "npm run type-check:all && npm run lint && npm test"'
+      )
+    }
+  }
+
+  return { warnings, errors }
+}
+
+module.exports = {
+  applyProductionQualityFixes,
+  copyQualityTroubleshootingGuide,
+  copyIntegrationTestTemplates,
+  generateEnhancedPreCommitHook,
+  validateProjectSetup,
+}