create-qa-architect 5.0.1 → 5.0.6

package/.github/RELEASE_CHECKLIST.md

@@ -27,14 +27,12 @@ Use this checklist before any version bump or npm publication.
 
 ### Security Audit Compliance
 
-- [ ] `KEYFLASH_INSPIRED_SECURITY_AUDIT.md` findings remain resolved
+- [ ] `npm audit` shows no high/critical vulnerabilities
+- [ ] `gitleaks detect --source . --redact` passes (no secrets)
 - [ ] **CRITICAL**: Gitleaks checksums are real SHA256 values, not placeholders
 - [ ] `lib/validation/config-security.js` GITLEAKS_CHECKSUMS contains verified hashes
 - [ ] No "PLACEHOLDER_CHECKSUM" strings exist in security validation code
 - [ ] Gitleaks pinned version in code matches documented security version
-- [ ] No new security vulnerabilities introduced since audit
-- [ ] All security fixes from audit still in place
-- [ ] Security audit document references current version (or base version for pre-releases like `4.0.1-rc.1`)
 
 ### Real Binary Verification
 

package/.github/workflows/daily-deploy-check.yml

@@ -0,0 +1,136 @@
+# Daily Deploy Check Workflow
+# Copy this to .github/workflows/daily-deploy-check.yml in each project
+#
+# Required secrets:
+#   AUDIT_WEBHOOK_SECRET - shared secret for authenticating with vibebuildlab API
+#
+# Required variables (set in repo settings):
+#   PRODUCTION_URL - the production URL to check (e.g., https://saas.vibebuildlab.com)
+#
+# This workflow:
+# 1. Runs daily at 6am UTC
+# 2. Checks if production URL responds and SSL is valid
+# 3. Reports deploy stage status to vibebuildlab dashboard
+
+name: Daily Deploy Check
+
+on:
+  schedule:
+    # Every day at 6am UTC
+    - cron: '0 6 * * *'
+  workflow_dispatch: # Manual trigger
+
+env:
+  VIBEBUILDLAB_API: https://dash.vibebuildlab.com/api/audit-results
+
+jobs:
+  deploy-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Check URL responds
+        id: url_check
+        run: |
+          URL="${{ vars.PRODUCTION_URL }}"
+
+          if [ -z "$URL" ]; then
+            echo "::error::PRODUCTION_URL variable not set"
+            echo "responds=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$URL" --max-time 30 || echo "000")
+
+          echo "status_code=$STATUS" >> $GITHUB_OUTPUT
+
+          if [ "$STATUS" = "200" ] || [ "$STATUS" = "301" ] || [ "$STATUS" = "302" ]; then
+            echo "responds=true" >> $GITHUB_OUTPUT
+          else
+            echo "responds=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Check SSL certificate
+        id: ssl_check
+        run: |
+          URL="${{ vars.PRODUCTION_URL }}"
+
+          if [ -z "$URL" ]; then
+            echo "valid=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Extract domain from URL
+          DOMAIN=$(echo "$URL" | sed -E 's|https?://([^/]+).*|\1|')
+
+          # Check SSL expiry
+          EXPIRY=$(echo | openssl s_client -servername "$DOMAIN" -connect "$DOMAIN:443" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2 || echo "")
+
+          if [ -n "$EXPIRY" ]; then
+            echo "valid=true" >> $GITHUB_OUTPUT
+            echo "expiry=$EXPIRY" >> $GITHUB_OUTPUT
+
+            # Check if expiring within 7 days
+            EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %H:%M:%S %Y %Z" "$EXPIRY" +%s 2>/dev/null || echo "0")
+            NOW_EPOCH=$(date +%s)
+            DAYS_LEFT=$(( (EXPIRY_EPOCH - NOW_EPOCH) / 86400 ))
+
+            echo "days_left=$DAYS_LEFT" >> $GITHUB_OUTPUT
+
+            if [ "$DAYS_LEFT" -lt 7 ]; then
+              echo "::warning::SSL certificate expires in $DAYS_LEFT days!"
+            fi
+          else
+            echo "valid=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Determine deploy status
+        id: result
+        run: |
+          if [ "${{ steps.url_check.outputs.responds }}" = "true" ]; then
+            echo "deploy=pass" >> $GITHUB_OUTPUT
+          else
+            echo "deploy=fail" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Report to vibebuildlab
+        if: always()
+        run: |
+          # Get project slug from repo name
+          PROJECT_SLUG="${{ github.event.repository.name }}"
+
+          curl -X POST "$VIBEBUILDLAB_API" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer ${{ secrets.AUDIT_WEBHOOK_SECRET }}" \
+            -d "{
+              \"project\": \"${PROJECT_SLUG}\",
+              \"stages\": {
+                \"deploy\": \"${{ steps.result.outputs.deploy }}\"
+              },
+              \"details\": {
+                \"url_responds\": ${{ steps.url_check.outputs.responds }},
+                \"ssl_valid\": ${{ steps.ssl_check.outputs.valid || false }},
+                \"status_code\": ${{ steps.url_check.outputs.status_code || 0 }}
+              },
+              \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+            }"
+        continue-on-error: true
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Deploy Check Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**URL:** ${{ vars.PRODUCTION_URL }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| URL Responds | ${{ steps.url_check.outputs.responds == 'true' && '✅' || '❌' }} (HTTP ${{ steps.url_check.outputs.status_code }}) |" >> $GITHUB_STEP_SUMMARY
+          echo "| SSL Valid | ${{ steps.ssl_check.outputs.valid == 'true' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
+          if [ -n "${{ steps.ssl_check.outputs.expiry }}" ]; then
+            echo "| SSL Expiry | ${{ steps.ssl_check.outputs.expiry }} (${{ steps.ssl_check.outputs.days_left }} days) |" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Deploy Stage:** ${{ steps.result.outputs.deploy }}" >> $GITHUB_STEP_SUMMARY

package/.github/workflows/nightly-gitleaks-verification.yml

@@ -42,7 +42,7 @@ jobs:
         run: |
           echo "🔐 Running REAL gitleaks download and verification test..."
           echo "Platform: $(uname -s)-$(uname -m)"
-          echo "Expected checksum: a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb"
+          echo "Expected checksum: 5fd1b3b0073269484d40078662e921d07427340ab9e6ed526ccd215a565b3298"
 
           # Create a test script that downloads and verifies gitleaks
           cat > test-real-download.js << 'EOF'

package/.github/workflows/release.yml

@@ -4,6 +4,10 @@ on:
   push:
     tags: ['v*']
 
+permissions:
+  id-token: write # Required for OIDC trusted publishing to npm
+  contents: write # Required for creating GitHub releases
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -14,27 +18,25 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Upgrade npm for OIDC trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: npm ci
 
       - name: Run pre-release checks
         run: npm run prerelease
 
-      - name: Publish to npm
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Publish to npm with provenance
+        run: npm publish --provenance
 
       - name: Create GitHub Release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ github.ref_name }}
-          release_name: Release ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
           body: |
             ## Changes in ${{ github.ref_name }}
 

package/.github/workflows/weekly-audit.yml

@@ -0,0 +1,173 @@
+# Weekly Audit Workflow
+# Copy this to .github/workflows/weekly-audit.yml in each project
+#
+# Required secrets:
+#   AUDIT_WEBHOOK_SECRET - shared secret for authenticating with vibebuildlab API
+#
+# This workflow:
+# 1. Runs weekly (Sunday 2am UTC) and on manual trigger
+# 2. Checks build, tests, lint, typecheck, security
+# 3. Reports results to vibebuildlab dashboard
+
+name: Weekly Audit
+
+on:
+  schedule:
+    # Every Sunday at 2am UTC
+    - cron: '0 2 * * 0'
+  workflow_dispatch: # Manual trigger
+
+env:
+  VIBEBUILDLAB_API: https://dash.vibebuildlab.com/api/audit-results
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run build
+        id: build
+        run: |
+          if npm run build; then
+            echo "success=true" >> $GITHUB_OUTPUT
+          else
+            echo "success=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Run tests
+        id: tests
+        run: |
+          # Run tests and capture output
+          TEST_OUTPUT=$(npm test 2>&1) || true
+          echo "$TEST_OUTPUT"
+
+          # Parse results
+          PASSED=$(echo "$TEST_OUTPUT" | grep -oE '[0-9]+ passed' | tail -1 | awk '{print $1}' || echo "0")
+          FAILED=$(echo "$TEST_OUTPUT" | grep -oE '[0-9]+ failed' | tail -1 | awk '{print $1}' || echo "0")
+
+          echo "passed=${PASSED:-0}" >> $GITHUB_OUTPUT
+          echo "failed=${FAILED:-0}" >> $GITHUB_OUTPUT
+
+          if [ "${FAILED:-0}" = "0" ] && [ "${PASSED:-0}" != "0" ]; then
+            echo "success=true" >> $GITHUB_OUTPUT
+          else
+            echo "success=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Run lint
+        id: lint
+        run: |
+          LINT_OUTPUT=$(npm run lint 2>&1) || true
+          ERRORS=$(echo "$LINT_OUTPUT" | grep -cE '^\s+[0-9]+:[0-9]+\s+error' || echo "0")
+          echo "errors=${ERRORS:-0}" >> $GITHUB_OUTPUT
+
+          if [ "${ERRORS:-0}" = "0" ]; then
+            echo "success=true" >> $GITHUB_OUTPUT
+          else
+            echo "success=false" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Run typecheck
+        id: typecheck
+        run: |
+          if npm run typecheck 2>/dev/null || npx tsc --noEmit 2>/dev/null; then
+            echo "success=true" >> $GITHUB_OUTPUT
+            echo "errors=0" >> $GITHUB_OUTPUT
+          else
+            echo "success=false" >> $GITHUB_OUTPUT
+            echo "errors=1" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Security audit
+        id: security
+        run: |
+          AUDIT_OUTPUT=$(npm audit 2>&1) || true
+
+          if echo "$AUDIT_OUTPUT" | grep -qiE '[0-9]+ (high|critical)'; then
+            echo "vulnerabilities=1" >> $GITHUB_OUTPUT
+            echo "success=false" >> $GITHUB_OUTPUT
+          else
+            echo "vulnerabilities=0" >> $GITHUB_OUTPUT
+            echo "success=true" >> $GITHUB_OUTPUT
+          fi
+        continue-on-error: true
+
+      - name: Determine audit result
+        id: result
+        run: |
+          # execute stage: build must pass
+          if [ "${{ steps.build.outputs.success }}" = "true" ]; then
+            echo "execute=pass" >> $GITHUB_OUTPUT
+          else
+            echo "execute=fail" >> $GITHUB_OUTPUT
+          fi
+
+          # audit stage: tests + lint + typecheck + security
+          if [ "${{ steps.tests.outputs.success }}" = "true" ] && \
+             [ "${{ steps.lint.outputs.success }}" = "true" ] && \
+             [ "${{ steps.typecheck.outputs.success }}" = "true" ] && \
+             [ "${{ steps.security.outputs.success }}" = "true" ]; then
+            echo "audit=pass" >> $GITHUB_OUTPUT
+          else
+            echo "audit=fail" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Report to vibebuildlab
+        if: always()
+        run: |
+          # Get project slug from package.json name or repo name
+          PROJECT_SLUG=$(node -e "console.log(require('./package.json').name)" 2>/dev/null || echo "${{ github.event.repository.name }}")
+
+          curl -X POST "$VIBEBUILDLAB_API" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer ${{ secrets.AUDIT_WEBHOOK_SECRET }}" \
+            -d "{
+              \"project\": \"${PROJECT_SLUG}\",
+              \"stages\": {
+                \"execute\": \"${{ steps.result.outputs.execute }}\",
+                \"audit\": \"${{ steps.result.outputs.audit }}\"
+              },
+              \"details\": {
+                \"tests_passed\": ${{ steps.tests.outputs.passed || 0 }},
+                \"tests_failed\": ${{ steps.tests.outputs.failed || 0 }},
+                \"lint_errors\": ${{ steps.lint.outputs.errors || 0 }},
+                \"type_errors\": ${{ steps.typecheck.outputs.errors || 0 }},
+                \"vulnerabilities\": ${{ steps.security.outputs.vulnerabilities || 0 }},
+                \"build_success\": ${{ steps.build.outputs.success }}
+              },
+              \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+            }"
+        continue-on-error: true
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Audit Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Build | ${{ steps.build.outputs.success == 'true' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Tests | ${{ steps.tests.outputs.success == 'true' && '✅' || '❌' }} (${{ steps.tests.outputs.passed }} passed, ${{ steps.tests.outputs.failed }} failed) |" >> $GITHUB_STEP_SUMMARY
+          echo "| Lint | ${{ steps.lint.outputs.success == 'true' && '✅' || '❌' }} (${{ steps.lint.outputs.errors }} errors) |" >> $GITHUB_STEP_SUMMARY
+          echo "| TypeScript | ${{ steps.typecheck.outputs.success == 'true' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Security | ${{ steps.security.outputs.success == 'true' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Execute Stage:** ${{ steps.result.outputs.execute }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Audit Stage:** ${{ steps.result.outputs.audit }}" >> $GITHUB_STEP_SUMMARY

package/README.md

@@ -2,7 +2,7 @@
 
 Quality automation CLI for JavaScript/TypeScript and Python projects. One command adds ESLint, Prettier, Husky, lint-staged, and GitHub Actions. Pro tiers add security scanning (Gitleaks), Smart Test Strategy, and multi-language support.
 
-**This repo = the free CLI.** For the Pro dashboard with repo analytics, CI integration, and automation workflows, see [QA Architect Pro](https://vibebuildlab.com/qa-architect-pro) (included in Vibe Lab Pro).
+**This repo = the free CLI.** For the Pro dashboard with repo analytics, CI integration, and automation workflows, see [QA Architect Pro](https://vibebuildlab.com/tools/qa-architect) (included in VBL Starter Kit).
 
 ---
 
@@ -48,7 +48,7 @@ npx create-qa-architect@latest
 | **Team**       | $15/user/mo (5-seat min)  | + RBAC, Slack alerts, multi-repo dashboard, team audit log                                         |
 | **Enterprise** | $249/mo + $499 onboarding | + SSO/SAML, custom policies, compliance pack, dedicated TAM                                        |
 
-> **Pro included in [Vibe Lab Pro](https://vibebuildlab.com/pro)** — Team/Enterprise are standalone purchases.
+> **Pro included in [VBL Starter Kit](https://vibebuildlab.com/starter-kit)** — Team/Enterprise are standalone purchases.
 
 ### Security Features by Tier
 
@@ -60,7 +60,7 @@ npx create-qa-architect@latest
 
 ### License
 
-**MIT License** for the CLI (this repository). Pro features require a paid subscription or Vibe Lab Pro membership. See [LICENSE](LICENSE).
+**Commercial License (freemium)** — free tier covers the basic CLI; Pro/Team/Enterprise features require a paid subscription. See [LICENSE](LICENSE).
 
 ## Tech Stack
 
@@ -214,7 +214,7 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ## License
 
-MIT License - the CLI is free to use in any project. Pro/Team/Enterprise features require a paid subscription. See [LICENSE](LICENSE) for details.
+Commercial freemium license — the base CLI is free to use; Pro/Team/Enterprise features require a paid subscription. See [LICENSE](LICENSE) for details.
 
 ## Legal
 

package/config/defaults.js

@@ -4,6 +4,13 @@
 const STYLELINT_EXTENSIONS = ['css', 'scss', 'sass', 'less', 'pcss']
 const DEFAULT_STYLELINT_TARGET = `**/*.{${STYLELINT_EXTENSIONS.join(',')}}`
 
+/**
+ * @typedef {Object} DefaultsOptions
+ * @property {string[]=} stylelintTargets
+ * @property {boolean=} typescript
+ * @property {boolean=} python
+ */
+
 const baseScripts = {
   format: 'prettier --write .',
   'format:check': 'prettier --check .',
@@ -41,7 +48,12 @@ const stylelintBraceGroup = stylelintTargets => {
   return `{${targets.join(',')}}`
 }
 
-const baseLintScripts = ({ stylelintTargets }) => {
+/**
+ * @param {DefaultsOptions} [options]
+ * @returns {Record<string, string>}
+ */
+const baseLintScripts = (options = {}) => {
+  const { stylelintTargets } = options
   const stylelintTarget = stylelintBraceGroup(stylelintTargets)
   return {
     lint: `eslint . && stylelint "${stylelintTarget}" --allow-empty-input`,
@@ -96,6 +108,9 @@ const TS_LINT_STAGED_PATTERN = '**/*.{js,jsx,ts,tsx,mjs,cjs,html}'
 
 const clone = value => JSON.parse(JSON.stringify(value))
 
+/**
+ * @param {DefaultsOptions} [options]
+ */
 function getDefaultScripts({ stylelintTargets } = {}) {
   return {
     ...clone(baseScripts),
@@ -103,6 +118,9 @@ function getDefaultScripts({ stylelintTargets } = {}) {
   }
 }
 
+/**
+ * @param {DefaultsOptions} [options]
+ */
 function getDefaultDevDependencies({ typescript } = {}) {
   const devDeps = { ...clone(baseDevDependencies) }
   if (typescript) {
@@ -111,6 +129,9 @@ function getDefaultDevDependencies({ typescript } = {}) {
   return devDeps
 }
 
+/**
+ * @param {DefaultsOptions} [options]
+ */
 function getDefaultLintStaged({ typescript, stylelintTargets, python } = {}) {
   const pattern = typescript ? TS_LINT_STAGED_PATTERN : JS_LINT_STAGED_PATTERN
   return clone(baseLintStaged(pattern, stylelintTargets, python))

package/config/quality-config.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://github.com/brettstark73/create-qa-architect/blob/main/config/quality-config.schema.json",
+  "$id": "https://github.com/vibebuildlab/qa-architect/blob/main/config/quality-config.schema.json",
   "title": "Quality Automation Configuration",
   "description": "Configuration for create-qa-architect progressive quality checks",
   "type": "object",

package/create-saas-monetization.js

@@ -39,7 +39,7 @@ const FOUNDER_ENTERPRISE_PRICE = '74.50'
 
 class SaaSMonetizationBootstrap {
   constructor() {
-    this.projectRoot = process.cwd()
+    this.projectRoot = path.resolve(process.cwd())
     this.config = {}
     this.templates = {
       stripe: this.getStripeTemplate(),
@@ -50,6 +50,56 @@ class SaaSMonetizationBootstrap {
     }
   }
 
+  resolveProjectPath(relativePath) {
+    const normalizedRoot = this.projectRoot.endsWith(path.sep)
+      ? this.projectRoot
+      : `${this.projectRoot}${path.sep}`
+    const resolvedPath = path.resolve(this.projectRoot, relativePath)
+
+    if (
+      resolvedPath !== this.projectRoot &&
+      !resolvedPath.startsWith(normalizedRoot)
+    ) {
+      throw new Error(
+        `Refusing to access path outside project root: ${relativePath}`
+      )
+    }
+
+    return resolvedPath
+  }
+
+  ensureDir(relativePath) {
+    const target = this.resolveProjectPath(relativePath)
+    // Path is constrained to the project root before touching the filesystem
+    // eslint-disable-next-line security/detect-non-literal-fs-filename
+    if (!fs.existsSync(target)) {
+      // eslint-disable-next-line security/detect-non-literal-fs-filename
+      fs.mkdirSync(target, { recursive: true })
+    }
+    return target
+  }
+
+  writeProjectFile(relativePath, content) {
+    const target = this.resolveProjectPath(relativePath)
+    // Path is constrained to the project root before touching the filesystem
+    // eslint-disable-next-line security/detect-non-literal-fs-filename
+    fs.writeFileSync(target, content)
+  }
+
+  readProjectFile(relativePath) {
+    const target = this.resolveProjectPath(relativePath)
+    // Path is constrained to the project root before touching the filesystem
+    // eslint-disable-next-line security/detect-non-literal-fs-filename
+    return fs.readFileSync(target, 'utf8')
+  }
+
+  projectFileExists(relativePath) {
+    const target = this.resolveProjectPath(relativePath)
+    // Path is constrained to the project root before touching the filesystem
+    // eslint-disable-next-line security/detect-non-literal-fs-filename
+    return fs.existsSync(target)
+  }
+
   async run() {
     console.log('🚀 Create SaaS Monetization')
     console.log('═══════════════════════════════════')
@@ -159,10 +209,7 @@ class SaaSMonetizationBootstrap {
     const dirs = ['lib/monetization', 'legal', 'marketing', 'billing']
 
     dirs.forEach(dir => {
-      const fullPath = path.join(this.projectRoot, dir)
-      if (!fs.existsSync(fullPath)) {
-        fs.mkdirSync(fullPath, { recursive: true })
-      }
+      this.ensureDir(dir)
     })
   }
 
@@ -172,8 +219,8 @@ class SaaSMonetizationBootstrap {
       .replace(/{{PRO_PRICE}}/g, this.config.proPrice)
       .replace(/{{ENTERPRISE_PRICE}}/g, this.config.enterprisePrice)
 
-    fs.writeFileSync(
-      path.join(this.projectRoot, 'lib/monetization/stripe-integration.js'),
+    this.writeProjectFile(
+      path.join('lib/monetization', 'stripe-integration.js'),
       stripeCode
     )
   }
@@ -188,8 +235,8 @@ class SaaSMonetizationBootstrap {
       .replace(/{{FOUNDER_PRO_PRICE}}/g, this.config.founderProPrice)
       .replace(/{{DOMAIN}}/g, this.config.domain)
 
-    fs.writeFileSync(
-      path.join(this.projectRoot, 'lib/monetization/licensing.js'),
+    this.writeProjectFile(
+      path.join('lib/monetization', 'licensing.js'),
       licensingCode
     )
   }
@@ -204,7 +251,7 @@ class SaaSMonetizationBootstrap {
         .replace(/{{DESCRIPTION}}/g, this.config.description)
         .replace(/{{DATE}}/g, new Date().toISOString().split('T')[0])
 
-      fs.writeFileSync(path.join(this.projectRoot, 'legal', filename), content)
+      this.writeProjectFile(path.join('legal', filename), content)
     }
   }
 
@@ -233,10 +280,7 @@ class SaaSMonetizationBootstrap {
         )
         .replace(/{{SUPPORT_EMAIL}}/g, this.config.supportEmail)
 
-      fs.writeFileSync(
-        path.join(this.projectRoot, 'marketing', filename),
-        content
-      )
+      this.writeProjectFile(path.join('marketing', filename), content)
     }
   }
 
@@ -252,17 +296,14 @@ class SaaSMonetizationBootstrap {
       )
       .replace(/{{PREMIUM_FEATURES}}/g, this.config.premiumFeatures)
 
-    fs.writeFileSync(
-      path.join(this.projectRoot, 'billing/dashboard.html'),
-      billingCode
-    )
+    this.writeProjectFile(path.join('billing', 'dashboard.html'), billingCode)
   }
 
   async updatePackageJson() {
-    const packagePath = path.join(this.projectRoot, 'package.json')
+    const packagePath = 'package.json'
 
-    if (fs.existsSync(packagePath)) {
-      const pkg = JSON.parse(fs.readFileSync(packagePath, 'utf8'))
+    if (this.projectFileExists(packagePath)) {
+      const pkg = JSON.parse(this.readProjectFile(packagePath))
 
       // Add monetization scripts
       pkg.scripts = pkg.scripts || {}
@@ -276,7 +317,7 @@ class SaaSMonetizationBootstrap {
       pkg.dependencies.stripe = '^14.15.0'
       pkg.dependencies.crypto = '^1.0.1'
 
-      fs.writeFileSync(packagePath, JSON.stringify(pkg, null, 2))
+      this.writeProjectFile(packagePath, JSON.stringify(pkg, null, 2))
     }
   }
 
@@ -307,7 +348,7 @@ COMPANY_NAME=${this.config.companyName}
 # STRIPE_PUBLISHABLE_KEY=pk_live_your_live_key_here
 `
 
-    fs.writeFileSync(path.join(this.projectRoot, '.env.template'), envTemplate)
+    this.writeProjectFile('.env.template', envTemplate)
   }
 
   async generateDeploymentGuide() {
@@ -483,10 +524,7 @@ For implementation questions:
 **Revenue Potential**: $1,500-5,000/month recurring
 `
 
-    fs.writeFileSync(
-      path.join(this.projectRoot, 'MONETIZATION_GUIDE.md'),
-      guide
-    )
+    this.writeProjectFile('MONETIZATION_GUIDE.md', guide)
   }
 
   // Template methods (condensed versions of our implementations)

package/docs/ARCHITECTURE.md

@@ -51,4 +51,3 @@ Risk-based pre-push validation that adapts to change context:
 - `--security-config` - Security validation
 - `--check-maturity` - Project maturity report
 - `--comprehensive` - Full validation suite
-

package/docs/DEPLOYMENT.md

@@ -59,5 +59,4 @@ npm deprecate create-qa-architect@VERSION "Critical bug, use VERSION instead"
 ## npm Registry
 
 - Package: https://www.npmjs.com/package/create-qa-architect
-- Documentation: https://github.com/vibebuildlab/create-qa-architect
-
+- Documentation: https://github.com/vibebuildlab/qa-architect