create-qa-architect 5.0.0

package/.github/workflows/claude-md-validation.yml

@@ -0,0 +1,82 @@
+name: CLAUDE.md Validation
+
+on:
+  push:
+    branches: [main, master, develop]
+    paths:
+      - 'CLAUDE.md'
+      - 'package.json'
+      - 'scripts/validate-claude-md.js'
+      - '.github/workflows/claude-md-validation.yml'
+  pull_request:
+    branches: [main, master, develop]
+    paths:
+      - 'CLAUDE.md'
+      - 'package.json'
+      - 'scripts/validate-claude-md.js'
+      - '.github/workflows/claude-md-validation.yml'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  validate-claude-md:
+    runs-on: ubuntu-latest
+    name: Validate CLAUDE.md Consistency
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+
+      - name: Validate CLAUDE.md
+        run: |
+          echo "🔍 Running CLAUDE.md validation..."
+          node scripts/validate-claude-md.js
+
+      - name: Check CLAUDE.md formatting
+        run: |
+          echo "📝 Checking CLAUDE.md formatting with Prettier..."
+          npx prettier --check CLAUDE.md
+
+      - name: Validate against package.json
+        run: |
+          echo "🔗 Cross-checking CLAUDE.md with package.json..."
+
+          # Extract package name from package.json
+          PACKAGE_NAME=$(node -e "console.log(require('./package.json').name)")
+
+          # Check if package name is mentioned in CLAUDE.md
+          if ! grep -q "$PACKAGE_NAME" CLAUDE.md; then
+            echo "❌ Package name '$PACKAGE_NAME' not found in CLAUDE.md"
+            exit 1
+          fi
+
+          echo "✅ Package name reference validated"
+
+      - name: Check for TODO markers
+        run: |
+          echo "🔍 Checking for unresolved TODO markers..."
+
+          if grep -i "TODO\|FIXME\|XXX" CLAUDE.md; then
+            echo "⚠️ Found TODO markers in CLAUDE.md - consider resolving them"
+            exit 1
+          else
+            echo "✅ No TODO markers found"
+          fi
+
+      - name: Validation summary
+        if: success()
+        run: |
+          echo ""
+          echo "✅ CLAUDE.md validation successful!"
+          echo ""
+          echo "All checks passed:"
+          echo "  ✓ Structure and required sections"
+          echo "  ✓ Package references"
+          echo "  ✓ Script documentation"
+          echo "  ✓ Formatting"
+          echo "  ✓ No TODO markers"
+          echo ""

package/.github/workflows/nightly-gitleaks-verification.yml

@@ -0,0 +1,176 @@
+name: Nightly Gitleaks Real Download Verification
+
+# Run nightly to verify real gitleaks download and checksum verification
+# This catches upstream asset changes, checksum drift, and download issues
+on:
+  schedule:
+    # Run at 2 AM UTC daily
+    - cron: '0 2 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  real-download-verification:
+    name: Real Gitleaks Download Test (Linux x64)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Cache gitleaks binary
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/create-qa-architect/gitleaks
+          key: gitleaks-8.28.0-linux-x64-${{ hashFiles('lib/validation/config-security.js') }}
+          restore-keys: |
+            gitleaks-8.28.0-linux-x64-
+
+      - name: Clear any existing cache for fresh download test
+        run: |
+          echo "🧹 Clearing gitleaks cache for fresh download test..."
+          rm -rf ~/.cache/create-qa-architect/gitleaks || true
+
+      - name: Run real download verification test
+        run: |
+          echo "🔐 Running REAL gitleaks download and verification test..."
+          echo "Platform: $(uname -s)-$(uname -m)"
+          echo "Expected checksum: a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb"
+
+          # Create a test script that downloads and verifies gitleaks
+          cat > test-real-download.js << 'EOF'
+          const { ConfigSecurityScanner } = require('./lib/validation/config-security');
+          const { execSync } = require('child_process');
+          const path = require('path');
+          const os = require('os');
+
+          async function testRealDownload() {
+            console.log('🧪 Testing real gitleaks download and verification...');
+
+            const scanner = new ConfigSecurityScanner();
+            const cacheDir = path.join(os.homedir(), '.cache', 'create-qa-architect');
+            const gitleaksBinary = path.join(cacheDir, 'gitleaks', '8.28.0', 'gitleaks');
+
+            try {
+              // This should download, extract, and verify the real gitleaks binary
+              const binaryPath = await scanner.resolveGitleaksBinary();
+              console.log('✅ Binary resolved to:', binaryPath);
+
+              // Verify the binary is executable and works
+              const output = execSync(`${binaryPath} version`, { encoding: 'utf8' });
+              console.log('✅ Gitleaks version output:', output.trim());
+
+              if (!output.includes('8.28.0')) {
+                throw new Error(`Expected version 8.28.0, got: ${output}`);
+              }
+
+              // Verify checksum again
+              const isValid = await scanner.verifyBinaryChecksum(binaryPath);
+              if (!isValid) {
+                throw new Error('Checksum verification failed');
+              }
+
+              console.log('✅ Real download verification test passed!');
+              console.log('🔒 Binary downloaded, verified, and functional');
+
+            } catch (error) {
+              console.error('❌ Real download verification failed:', error.message);
+              throw error;
+            }
+          }
+
+          testRealDownload();
+          EOF
+
+          # Run the real download test
+          node test-real-download.js
+
+      - name: Verify production checksums match expected values
+        run: |
+          echo "🧪 Running production checksum validation..."
+          node tests/gitleaks-production-checksums.test.js
+
+      - name: Test real binary with security config
+        run: |
+          echo "🔐 Testing downloaded binary with security configuration..."
+
+          # Create a minimal test to verify the real binary works with our security config
+          echo "console.log('test file')" > test-file.js
+          echo "API_KEY=secret123" > .env.test
+
+          # Run security config with the real binary (should detect the secret)
+          if node setup.js --security-config --no-markdownlint 2>&1 | grep -q "secret"; then
+            echo "✅ Real gitleaks binary correctly detected secrets"
+          else
+            echo "❌ Real gitleaks binary failed to detect secrets"
+            exit 1
+          fi
+
+          # Cleanup test files
+          rm -f test-file.js .env.test
+
+      - name: Report success
+        run: |
+          echo "✅ Nightly gitleaks verification completed successfully!"
+          echo "📊 Verification report:"
+          echo "  - Real download: ✅ Successful"
+          echo "  - Checksum verification: ✅ Passed"
+          echo "  - Version check: ✅ 8.28.0"
+          echo "  - Functionality test: ✅ Working"
+          echo "  - Production checksums: ✅ Valid"
+
+      - name: Cache verification result
+        if: success()
+        run: |
+          # Cache remains in place for faster regular CI runs
+          echo "🎯 Real binary cached for regular CI performance"
+          ls -la ~/.cache/create-qa-architect/gitleaks/8.28.0/ || true
+
+  alert-on-failure:
+    name: Alert on Verification Failure
+    runs-on: ubuntu-latest
+    needs: real-download-verification
+    if: failure()
+
+    steps:
+      - name: Create Issue on Failure
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const title = '🚨 Nightly Gitleaks Verification Failed';
+            const body = `
+            ## Nightly Gitleaks Real Download Verification Failed
+
+            **Date**: ${new Date().toISOString()}
+            **Workflow**: ${context.workflow}
+            **Run**: ${context.runNumber}
+
+            ### Possible Issues
+            - Gitleaks release assets changed unexpectedly
+            - Network/download issues
+            - Checksum mismatch (potential security concern)
+            - Binary execution problems
+
+            ### Next Steps
+            1. Check the [workflow run](${context.payload.repository.html_url}/actions/runs/${context.runId}) for details
+            2. Verify gitleaks v8.28.0 release hasn't been modified
+            3. Update checksums if legitimate release change
+            4. Investigate if potential supply chain attack
+
+            **Priority**: High - affects security scanning functionality
+            `;
+
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title,
+              body,
+              labels: ['security', 'bug', 'high-priority']
+            });

package/.github/workflows/pnpm-ci.yml.example

@@ -0,0 +1,53 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  quality:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # CRITICAL: Install pnpm BEFORE Node.js setup
+      # pnpm/action-setup must come before actions/setup-node
+      # Otherwise setup-node won't detect pnpm and caching will fail
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm' # Now works because pnpm was installed first
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      # For monorepos: Build packages before running tests
+      # This ensures dependent packages are built before tests run
+      - name: Build packages
+        run: pnpm run build --if-present
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Format check
+        run: pnpm run format:check
+
+      - name: Type check
+        run: pnpm run type-check --if-present
+
+      - name: Run tests
+        run: pnpm test --if-present
+
+      - name: Security audit
+        run: pnpm audit --audit-level high
+        continue-on-error: true # Don't fail CI on dev dependency vulnerabilities

package/.github/workflows/python-ci.yml.example

@@ -0,0 +1,69 @@
+name: Python CI
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  quality:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ['3.9', '3.10', '3.11', '3.12']
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip' # Cache pip dependencies
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+
+      - name: Lint with Ruff
+        run: |
+          pip install ruff
+          ruff check .
+
+      - name: Format check with Black
+        run: |
+          pip install black
+          black --check --diff .
+
+      - name: Import sorting check with isort
+        run: |
+          pip install isort
+          isort --check-only --diff .
+
+      - name: Type check with mypy
+        run: |
+          pip install mypy
+          mypy .
+        continue-on-error: true # mypy can be strict, don't fail CI initially
+
+      - name: Security check with Bandit
+        run: |
+          pip install bandit
+          bandit -r . -ll
+        continue-on-error: true
+
+      - name: Run tests with pytest
+        run: |
+          pip install pytest pytest-cov
+          pytest --cov=. --cov-report=xml --cov-report=term
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.xml
+          fail_ci_if_error: false

package/.github/workflows/quality-legacy.yml.backup

@@ -0,0 +1,165 @@
+name: Quality Checks
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  quality:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          if [ -f package-lock.json ]; then
+            npm ci
+          else
+            echo "No package-lock.json found; running npm install"
+            npm install
+          fi
+
+      - name: Verify dependency integrity
+        run: |
+          echo "🔐 Verifying dependency integrity..."
+          # Verify package-lock.json integrity hashes
+          if [ -f package-lock.json ]; then
+            npm ci --dry-run --prefer-offline
+            echo "✅ Dependency integrity verified"
+          else
+            echo "⚠️ No package-lock.json found - skipping integrity verification"
+          fi
+
+          # Check for known vulnerabilities in dependencies
+          echo "🔍 Checking for vulnerable dependencies..."
+          npm audit --audit-level=moderate || true
+
+          # Verify npm package signatures (Node.js 16+)
+          if command -v npm &> /dev/null; then
+            echo "✍️ Verifying npm package signatures..."
+            npm audit signatures || echo "⚠️ Signature verification not available or failed"
+          fi
+
+      - name: Prettier check
+        run: npm run format:check
+
+      - name: ESLint
+        run: npx eslint . --max-warnings=0
+
+      - name: Stylelint
+        run: npx stylelint "**/*.{css,scss,sass,less,pcss}" --allow-empty-input
+
+      - name: Security audit
+        run: npm audit --audit-level high
+
+      - name: Check for hardcoded secrets
+        run: |
+          # Check for common secret patterns (excluding docs, tests, and workflow files)
+          if grep -r -E "(password|secret|key|token).*[=:].*['\"][^'\"]{8,}" . \
+               --exclude-dir=node_modules \
+               --exclude-dir=.git \
+               --exclude-dir=.github \
+               --exclude-dir=tests \
+               --exclude="*.md" \
+               --exclude="package.json" || \
+             grep -r -E "-----BEGIN.*KEY-----" . \
+               --exclude-dir=node_modules \
+               --exclude-dir=.git \
+               --exclude-dir=.github \
+               --exclude-dir=tests; then
+            echo "❌ Potential hardcoded secrets found"
+            exit 1
+          else
+            echo "✅ No hardcoded secrets detected"
+          fi
+
+      - name: Security pattern detection
+        run: |
+          # Check for XSS vulnerability patterns from WFHroulette
+          echo "🔍 Scanning for XSS vulnerability patterns..."
+
+          # Check for innerHTML with interpolation (dangerous pattern)
+          if grep -r -E "innerHTML.*\\\$\{" . --include="*.js" --include="*.jsx" --include="*.ts" --include="*.tsx" --exclude-dir=node_modules; then
+            echo "❌ Potential XSS: innerHTML with template literal interpolation found"
+            exit 1
+          fi
+
+          # Check for eval with interpolation
+          if grep -r -E "eval\\\(.*\\\$\{" . --include="*.js" --include="*.jsx" --include="*.ts" --include="*.tsx" --exclude-dir=node_modules; then
+            echo "❌ Potential code injection: eval with interpolation found"
+            exit 1
+          fi
+
+          # Check for document.write with interpolation
+          if grep -r -E "document\\\\.write.*\\\$\{" . --include="*.js" --include="*.jsx" --include="*.ts" --include="*.tsx" --exclude-dir=node_modules; then
+            echo "❌ Potential XSS: document.write with interpolation found"
+            exit 1
+          fi
+
+          # Check for onclick handlers with interpolation
+          if grep -r -E "onclick.*=.*['\"].*\\\$\{" . --include="*.js" --include="*.jsx" --include="*.ts" --include="*.tsx" --include="*.html" --exclude-dir=node_modules; then
+            echo "❌ Potential XSS: onclick handler with interpolation found"
+            exit 1
+          fi
+
+          echo "✅ No XSS vulnerability patterns detected"
+
+      - name: Input validation check
+        run: |
+          # Check for proper input validation patterns
+          echo "🔍 Checking for input validation patterns..."
+
+          # Set pipefail to catch grep failures properly
+          set -o pipefail
+
+          # Look for unvalidated user inputs in common patterns
+          if grep -r -E "(req\\.query|req\\.params|req\\.body)\\.[a-zA-Z_][a-zA-Z0-9_]*[^\\.]" . --include="*.js" --include="*.ts" --exclude-dir=node_modules | grep -v -E "(trim|toLowerCase|toUpperCase|parseInt|parseFloat|Number\\.isNaN|String|Boolean)" > /tmp/unvalidated_inputs.txt 2>/dev/null && [ -s /tmp/unvalidated_inputs.txt ]; then
+            echo "⚠️ Found potential unvalidated user inputs (review manually):"
+            head -5 /tmp/unvalidated_inputs.txt
+            echo "This is a warning, not a failure. Review these patterns manually."
+          else
+            echo "✅ No unvalidated user inputs detected"
+          fi
+
+          # Clean up temp file
+          rm -f /tmp/unvalidated_inputs.txt
+
+      - name: Configuration security check
+        run: |
+          # Run comprehensive configuration security validation
+          echo "🔍 Running configuration security validation..."
+          npx create-quality-automation@latest --security-config
+
+      - name: Documentation validation
+        run: |
+          # Run comprehensive documentation validation
+          echo "📖 Running documentation validation..."
+          npx create-quality-automation@latest --validate-docs
+
+      - name: Lighthouse CI
+        run: |
+          # Only run Lighthouse CI if configuration exists
+          if [ -f ".lighthouserc.js" ] || [ -f ".lighthouserc.json" ] || [ -f "lighthouserc.js" ]; then
+            echo "🚢 Running Lighthouse CI..."
+            npx lhci autorun
+          else
+            echo "⏭️ No Lighthouse CI configuration found, skipping"
+          fi
+        continue-on-error: true
+
+      # NOTE: The "Test README Quick Start Instructions" step has been removed
+      # because it relies on setup.js which only exists in the create-quality-automation
+      # package itself, not in consumer repositories that copy this workflow.
+      #
+      # Consumer projects get the quality checks above (prettier, eslint, stylelint, etc.)
+      # but don't need to test the installation process.