create-qa-architect 5.0.1 → 5.0.6

package/docs/PREFLIGHT_REPORT.md

@@ -0,0 +1,108 @@
+# Preflight Review: QA Architect (create-qa-architect)
+
+**Depth**: standard
+**Date**: 2025-12-09
+**Version**: 5.0.2
+
+---
+
+## Overall Status: ✅ PASS
+
+All critical launch blockers pass. Minor issues documented below are acceptable for npm package release.
+
+---
+
+## Critical Issues (P0) - Must Fix
+
+| Issue | Category | Location | Fix |
+| ----- | -------- | -------- | --- |
+| None  | -        | -        | -   |
+
+---
+
+## Important Issues (P1) - Should Fix
+
+| Issue                    | Category | Location         | Recommendation                                                                                                                 |
+| ------------------------ | -------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------ |
+| Gitleaks false positives | Security | tests/\*.test.js | Test fixtures use fake API key patterns (QAA-XXXX format); not real secrets. Consider adding `.gitleaksignore` for test files. |
+| npm version mismatch     | Release  | package.json     | Local 5.0.2, npm shows 5.0.1. Publish pending or recently published.                                                           |
+
+---
+
+## P0 Functional Checks
+
+| Check             | Status | Notes                  |
+| ----------------- | ------ | ---------------------- |
+| All tests passing | ✅     | Full test suite passes |
+| npm audit         | ✅     | 0 vulnerabilities      |
+| ESLint            | ✅     | No errors              |
+| Build/validation  | ✅     | Core validation passes |
+
+---
+
+## P0 Security Checks
+
+| Check                     | Status | Notes                                                                |
+| ------------------------- | ------ | -------------------------------------------------------------------- |
+| npm audit (high/critical) | ✅     | 0 vulnerabilities found                                              |
+| Hardcoded secrets scan    | ⚠️     | 4 findings - all in test files with fake keys (QAA-1234-XXXX format) |
+| No production secrets     | ✅     | No `.env` files, no real API keys                                    |
+
+---
+
+## Product Packaging
+
+| Item         | Status | Notes                   |
+| ------------ | ------ | ----------------------- |
+| CHANGELOG.md | ✅     | Present                 |
+| LICENSE      | ✅     | Present                 |
+| README.md    | ✅     | Present                 |
+| .env.example | N/A    | Not needed for CLI tool |
+| Version tags | ✅     | v4.3.0 - v5.0.2         |
+| Git status   | ✅     | Clean working tree      |
+
+---
+
+## Quality Violations
+
+| Type                    | Count | Assessment                                                   |
+| ----------------------- | ----- | ------------------------------------------------------------ |
+| eslint-disable comments | 24    | All have security justification comments explaining why safe |
+| any types               | 0     | JavaScript project, N/A                                      |
+
+**Note**: The `eslint-disable` comments are all for security-related ESLint rules (detect-unsafe-regex, detect-non-literal-fs-filename, detect-object-injection) and each includes a detailed safety justification explaining why the pattern is safe in context.
+
+---
+
+## Silent Killer Check (N/A for npm package)
+
+| Integration     | Status | Notes                 |
+| --------------- | ------ | --------------------- |
+| Stripe webhooks | N/A    | CLI tool, no webhooks |
+| OAuth redirects | N/A    | CLI tool              |
+| API keys        | N/A    | CLI tool              |
+| CORS config     | N/A    | CLI tool              |
+
+---
+
+## Next Steps
+
+1. **Optional**: Add `.gitleaksignore` to exclude test files with fake license keys
+2. **Verify**: Confirm npm publish completed for 5.0.2 (may be propagating)
+3. **Ready**: Proceed with launch/release announcement
+
+---
+
+## Recommendation
+
+**✅ CLEARED FOR LAUNCH**
+
+This is an npm CLI package, not a web application. All critical checks pass:
+
+- Tests passing
+- No security vulnerabilities
+- No real secrets
+- Clean git state
+- Proper versioning and packaging
+
+The gitleaks findings are false positives on intentional test fixtures using fake license key formats.

package/docs/TESTING.md

@@ -48,7 +48,7 @@ Use real packages from the ecosystem, not toy examples:
 const TOP_PYTHON_PACKAGES = [
   'django-cors-headers',
   'scikit-learn',
-  'pytest-cov'
+  'pytest-cov',
 ]
 ```
 
@@ -59,4 +59,3 @@ Always run before release:
 ```bash
 npm run prerelease  # Runs docs:check + all tests
 ```
-

package/lib/config-validator.js

@@ -1,10 +1,16 @@
 'use strict'
 
-const Ajv = require('ajv')
-const addFormats = require('ajv-formats')
+const AjvImport = require('ajv')
+const addFormatsImport = require('ajv-formats')
 const fs = require('fs')
 const path = require('path')
 
+// Handle CJS/ESM interop for Ajv and ajv-formats in JS type-checking
+const Ajv = /** @type {any} */ (AjvImport.default || AjvImport)
+const addFormats = /** @type {(ajv: any) => void} */ (
+  addFormatsImport.default || addFormatsImport
+)
+
 function validateQualityConfig(configPath) {
   const result = {
     valid: false,

package/lib/dependency-monitoring-premium.js

@@ -289,7 +289,7 @@ function matchesPattern(depName, pattern) {
     if (!regex) {
       // Cache miss - compile and store
       const regexPattern = pattern.replace(/\*/g, '.*')
-      // eslint-disable-next-line security/detect-non-literal-regexp
+      // eslint-disable-next-line security/detect-non-literal-regexp -- Safe: pattern from internal config, only allows * wildcards replaced with .*, anchored with ^$
       regex = new RegExp(`^${regexPattern}$`)
 
       // Implement size-limited cache with FIFO eviction
@@ -348,7 +348,7 @@ function generateReactGroups(_frameworkInfo) {
 /**
  * Generate dependency groups for Vue ecosystem
  *
- * @param {Object} frameworkInfo - Vue detection results
+ * @param {Object} _frameworkInfo - Vue detection results
  * @returns {Object} Dependabot groups configuration
  */
 function generateVueGroups(_frameworkInfo) {
@@ -376,7 +376,7 @@ function generateVueGroups(_frameworkInfo) {
 /**
  * Generate dependency groups for Angular ecosystem
  *
- * @param {Object} frameworkInfo - Angular detection results
+ * @param {Object} _frameworkInfo - Angular detection results
  * @returns {Object} Dependabot groups configuration
  */
 function generateAngularGroups(_frameworkInfo) {
@@ -404,7 +404,7 @@ function generateAngularGroups(_frameworkInfo) {
 /**
  * Generate dependency groups for testing frameworks
  *
- * @param {Object} frameworkInfo - Testing framework detection results
+ * @param {Object} _frameworkInfo - Testing framework detection results
  * @returns {Object} Dependabot groups configuration
  */
 function generateTestingGroups(_frameworkInfo) {
@@ -428,7 +428,7 @@ function generateTestingGroups(_frameworkInfo) {
 /**
  * Generate dependency groups for build tools
  *
- * @param {Object} frameworkInfo - Build tool detection results
+ * @param {Object} _frameworkInfo - Build tool detection results
  * @returns {Object} Dependabot groups configuration
  */
 function generateBuildToolGroups(_frameworkInfo) {
@@ -446,7 +446,7 @@ function generateBuildToolGroups(_frameworkInfo) {
 /**
  * Generate Storybook dependency groups
  *
- * @param {Object} frameworkInfo - Storybook detection results
+ * @param {Object} _frameworkInfo - Storybook detection results
  * @returns {Object} Dependabot groups configuration
  */
 function generateStorybookGroups(_frameworkInfo) {
@@ -490,7 +490,7 @@ function hasPythonProject(projectPath) {
  * attacks with maliciously large requirements files.
  *
  * @param {string} requirementsPath - Path to requirements.txt file
- * @returns {Object<string, string>} Map of package names to version specifiers
+ * @returns {Record<string, string>} Map of package names to version specifiers
  * @throws {Error} If file exceeds MAX_REQUIREMENTS_FILE_SIZE
  *
  * @example
@@ -512,6 +512,7 @@ function parsePipRequirements(requirementsPath) {
   }
 
   const content = fs.readFileSync(requirementsPath, 'utf8')
+  /** @type {Record<string, string>} */
   const dependencies = {}
 
   content.split('\n').forEach(line => {
@@ -529,7 +530,7 @@ function parsePipRequirements(requirementsPath) {
     // Support dotted names (zope.interface), hyphens (pytest-cov), underscores (google_cloud)
     // Also handle extras like fastapi[all] by capturing everything before the bracket
     // Fixed: Replaced (.*) with ([^\s]*) to prevent catastrophic backtracking
-    // eslint-disable-next-line security/detect-unsafe-regex
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded character classes [\w.-], [\w,\s-], [^\s], anchored ^$, no nested quantifiers
     const match = line.match(/^([\w.-]+)(\[[\w,\s-]+\])?([><=!~]+)?([^\s]*)$/)
     if (match) {
       const [, name, _extras, operator, version] = match
@@ -552,12 +553,13 @@ function parsePipRequirements(requirementsPath) {
  */
 function parsePyprojectToml(pyprojectPath) {
   const content = fs.readFileSync(pyprojectPath, 'utf8')
+  /** @type {Record<string, string>} */
   const dependencies = {}
 
   // Parse PEP 621 list-style dependencies: dependencies = ["package>=1.0.0", ...]
   // Match main dependencies array: dependencies = [...]
   // Allow optional whitespace/comments after ] to handle: ]  # end of deps
-  // eslint-disable-next-line security/detect-unsafe-regex
+  // eslint-disable-next-line security/detect-unsafe-regex -- Safe: lazy quantifier *? prevents backtracking, anchored ^$, bounded alternation
   const mainDepPattern = /^dependencies\s*=\s*\[([\s\S]*?)\]\s*(?:#.*)?$/m
   const mainMatch = mainDepPattern.exec(content)
 
@@ -574,7 +576,7 @@ function parsePyprojectToml(pyprojectPath) {
       // Support dotted names, hyphens, underscores, and extras
       // Fixed: Replaced ($|.*) with ([^\s]*) to prevent catastrophic backtracking
       const match = depString.match(
-        /^([\w.-]+)(\[[\w,\s-]+\])?([><=!~]+)?([^\s]*)$/ // eslint-disable-line security/detect-unsafe-regex
+        /^([\w.-]+)(\[[\w,\s-]+\])?([><=!~]+)?([^\s]*)$/ // eslint-disable-line security/detect-unsafe-regex -- Safe: bounded character classes, anchored ^$, no nested quantifiers
       )
       if (match) {
         const [, name, _extras, operator, version] = match
@@ -606,7 +608,7 @@ function parsePyprojectToml(pyprojectPath) {
         const depString = pkgMatch[1].trim()
 
         const match = depString.match(
-          /^([\w.-]+)(\[[\w,\s-]+\])?([><=!~]+)?($|.*)$/ // eslint-disable-line security/detect-unsafe-regex
+          /^([\w.-]+)(\[[\w,\s-]+\])?([><=!~]+)?([^\s]*)$/ // eslint-disable-line security/detect-unsafe-regex -- Safe: bounded character classes, anchored ^$, no nested quantifiers
         )
         if (match) {
           const [, name, _extras, operator, version] = match
@@ -829,7 +831,7 @@ function parseCargoToml(cargoPath) {
     if (!trimmed || trimmed.startsWith('#')) continue
 
     // Match simple pattern: name = "version"
-    // eslint-disable-next-line security/detect-unsafe-regex
+    // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded groups \w+, [^"']+, anchored ^, no nested quantifiers
     const simpleMatch = trimmed.match(/^(\w+(?:-\w+)*)\s*=\s*["']([^"']+)["']/)
     if (simpleMatch) {
       const [, name, version] = simpleMatch
@@ -840,7 +842,7 @@ function parseCargoToml(cargoPath) {
 
     // Match complex pattern: name = { version = "...", ... }
     const complexMatch = trimmed.match(
-      // eslint-disable-next-line security/detect-unsafe-regex
+      // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded negated class [^}]*, anchored ^, no nested quantifiers
       /^(\w+(?:-\w+)*)\s*=\s*\{[^}]*version\s*=\s*["']([^"']+)["']/
     )
     if (complexMatch) {
@@ -970,7 +972,7 @@ function parseGemfile(gemfilePath) {
 
     // Match: gem 'rails', '~> 7.0' or gem 'rails'
     const gemMatch = trimmed.match(
-      // eslint-disable-next-line security/detect-unsafe-regex
+      // eslint-disable-next-line security/detect-unsafe-regex -- Safe: bounded negated class [^'"]+, no nested quantifiers, processed line-by-line
       /gem\s+['"]([^'"]+)['"]\s*(?:,\s*['"]([^'"]+)['"])?/
     )
     if (gemMatch) {
@@ -1270,11 +1272,11 @@ function generateBundlerGroups(bundlerFrameworks) {
 /**
  * Generate premium Dependabot configuration with multi-language framework-aware grouping
  *
- * @param {Object} options - Configuration options
- * @param {string} options.projectPath - Path to project directory
- * @param {string} options.schedule - Update schedule (daily, weekly, monthly)
- * @param {string} options.day - Day of week for updates
- * @param {string} options.time - Time for updates
+ * @param {Object} [options] - Configuration options
+ * @param {string} [options.projectPath='.'] - Path to project directory
+ * @param {string} [options.schedule='weekly'] - Update schedule (daily, weekly, monthly)
+ * @param {string} [options.day='monday'] - Day of week for updates
+ * @param {string} [options.time='09:00'] - Time for updates
  * @returns {Object|null} Dependabot configuration object or null if not licensed
  */
 function generatePremiumDependabotConfig(options = {}) {

package/lib/github-api.js

@@ -0,0 +1,249 @@
+/**
+ * GitHub API Integration for QA Architect
+ * Enables Dependabot alerts and security features via GitHub API
+ */
+
+const https = require('https')
+const { execSync } = require('child_process')
+
+/**
+ * Get GitHub token from environment or gh CLI
+ */
+function getGitHubToken() {
+  // Check environment variable first
+  if (process.env.GITHUB_TOKEN) {
+    return process.env.GITHUB_TOKEN
+  }
+
+  // Try to get from gh CLI
+  try {
+    const token = execSync('gh auth token', { encoding: 'utf8' }).trim()
+    if (token) return token
+  } catch {
+    // gh CLI not available or not authenticated
+  }
+
+  return null
+}
+
+/**
+ * Get repository info from git remote
+ */
+function getRepoInfo(projectPath = '.') {
+  try {
+    const remoteUrl = execSync('git remote get-url origin', {
+      cwd: projectPath,
+      encoding: 'utf8',
+    }).trim()
+
+    // Parse GitHub URL (https or ssh format)
+    const httpsMatch = remoteUrl.match(
+      /github\.com[/:]([^/]+)\/([^/.]+)(\.git)?$/
+    )
+    if (httpsMatch) {
+      return { owner: httpsMatch[1], repo: httpsMatch[2] }
+    }
+
+    return null
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Make GitHub API request
+ */
+function githubRequest(method, path, token, data = null) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: 'api.github.com',
+      port: 443,
+      path: path,
+      method: method,
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/vnd.github+json',
+        'User-Agent': 'qa-architect',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    }
+
+    if (data) {
+      options.headers['Content-Type'] = 'application/json'
+    }
+
+    const req = https.request(options, res => {
+      let body = ''
+      res.on('data', chunk => (body += chunk))
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          resolve({
+            status: res.statusCode,
+            data: body ? JSON.parse(body) : null,
+          })
+        } else if (res.statusCode === 204) {
+          resolve({ status: 204, data: null })
+        } else {
+          reject(
+            new Error(
+              `GitHub API error: ${res.statusCode} - ${body || res.statusMessage}`
+            )
+          )
+        }
+      })
+    })
+
+    req.on('error', reject)
+
+    if (data) {
+      req.write(JSON.stringify(data))
+    }
+    req.end()
+  })
+}
+
+/**
+ * Check if Dependabot alerts are enabled
+ */
+async function checkDependabotStatus(owner, repo, token) {
+  try {
+    await githubRequest(
+      'GET',
+      `/repos/${owner}/${repo}/vulnerability-alerts`,
+      token
+    )
+    return true // 204 means enabled
+  } catch (error) {
+    if (error.message.includes('404')) {
+      return false // Not enabled
+    }
+    throw error
+  }
+}
+
+/**
+ * Enable Dependabot alerts for a repository
+ */
+async function enableDependabotAlerts(owner, repo, token) {
+  try {
+    await githubRequest(
+      'PUT',
+      `/repos/${owner}/${repo}/vulnerability-alerts`,
+      token
+    )
+    return { success: true, message: 'Dependabot alerts enabled' }
+  } catch (error) {
+    return { success: false, message: error.message }
+  }
+}
+
+/**
+ * Enable Dependabot security updates
+ */
+async function enableDependabotSecurityUpdates(owner, repo, token) {
+  try {
+    await githubRequest(
+      'PUT',
+      `/repos/${owner}/${repo}/automated-security-fixes`,
+      token
+    )
+    return { success: true, message: 'Dependabot security updates enabled' }
+  } catch (error) {
+    return { success: false, message: error.message }
+  }
+}
+
+/**
+ * Full setup: Enable all Dependabot features
+ */
+async function setupDependabot(projectPath = '.', options = {}) {
+  const { verbose = false } = options
+  const results = {
+    success: false,
+    repoInfo: null,
+    alerts: null,
+    securityUpdates: null,
+    errors: [],
+  }
+
+  // Get token
+  const token = getGitHubToken()
+  if (!token) {
+    results.errors.push(
+      'No GitHub token found. Set GITHUB_TOKEN env var or run `gh auth login`'
+    )
+    return results
+  }
+
+  // Get repo info
+  const repoInfo = getRepoInfo(projectPath)
+  if (!repoInfo) {
+    results.errors.push('Could not determine GitHub repository from git remote')
+    return results
+  }
+  results.repoInfo = repoInfo
+
+  if (verbose) {
+    console.log(`📦 Repository: ${repoInfo.owner}/${repoInfo.repo}`)
+  }
+
+  // Check current status
+  try {
+    const isEnabled = await checkDependabotStatus(
+      repoInfo.owner,
+      repoInfo.repo,
+      token
+    )
+    if (isEnabled) {
+      if (verbose) console.log('✅ Dependabot alerts already enabled')
+      results.alerts = { success: true, message: 'Already enabled' }
+    } else {
+      // Enable alerts
+      results.alerts = await enableDependabotAlerts(
+        repoInfo.owner,
+        repoInfo.repo,
+        token
+      )
+      if (verbose) {
+        console.log(
+          results.alerts.success
+            ? '✅ Dependabot alerts enabled'
+            : `❌ Failed to enable alerts: ${results.alerts.message}`
+        )
+      }
+    }
+  } catch (error) {
+    results.errors.push(`Alerts check failed: ${error.message}`)
+  }
+
+  // Enable security updates
+  try {
+    results.securityUpdates = await enableDependabotSecurityUpdates(
+      repoInfo.owner,
+      repoInfo.repo,
+      token
+    )
+    if (verbose) {
+      console.log(
+        results.securityUpdates.success
+          ? '✅ Dependabot security updates enabled'
+          : `⚠️ Security updates: ${results.securityUpdates.message}`
+      )
+    }
+  } catch (error) {
+    results.errors.push(`Security updates failed: ${error.message}`)
+  }
+
+  results.success = results.alerts?.success && results.errors.length === 0
+
+  return results
+}
+
+module.exports = {
+  getGitHubToken,
+  getRepoInfo,
+  checkDependabotStatus,
+  enableDependabotAlerts,
+  enableDependabotSecurityUpdates,
+  setupDependabot,
+}

package/lib/interactive/questions.js

@@ -1,5 +1,9 @@
 'use strict'
 
+/**
+ * @typedef {import('./prompt').InteractivePrompt} InteractivePrompt
+ */
+
 /**
  * Question definitions and answer parsing for interactive mode
  */

package/lib/license-validator.js

@@ -26,7 +26,7 @@ class LicenseValidator {
     // Allow enterprises to host their own registry
     this.licenseDbUrl =
       process.env.QAA_LICENSE_DB_URL ||
-      'https://license.aibuilderlab.com/qaa/legitimate-licenses.json'
+      'https://vibebuildlab.com/api/licenses/qa-architect.json'
   }
 
   ensureLicenseDir() {

package/lib/licensing.js

@@ -216,7 +216,7 @@ function isDeveloperMode() {
     if (fs.existsSync(developerMarkerFile)) {
       return true
     }
-  } catch (_error) {
+  } catch {
     // Ignore errors checking for marker file
   }
 
@@ -338,7 +338,7 @@ function verifyLicenseSignature(payload, signature) {
       Buffer.from(signature),
       Buffer.from(expectedSignature)
     )
-  } catch (_error) {
+  } catch {
     // If signature verification fails, treat as invalid
     return false
   }
@@ -396,7 +396,7 @@ function showUpgradeMessage(feature) {
     console.log('')
     console.log('   🎁 Start 14-day free trial - no credit card required')
     console.log('')
-    console.log('🚀 Upgrade: https://vibebuildlab.com/qaa')
+    console.log('🚀 Upgrade: https://vibebuildlab.com/tools/qa-architect')
     console.log(
       '🔑 Activate: npx create-qa-architect@latest --activate-license'
     )
@@ -414,7 +414,7 @@ function showUpgradeMessage(feature) {
     console.log('   ✅ Slack/email alerts for failures')
     console.log('   ✅ Priority support (business hours)')
     console.log('')
-    console.log('👥 Upgrade: https://vibebuildlab.com/qaa/team')
+    console.log('👥 Upgrade: https://vibebuildlab.com/tools/qa-architect')
   } else if (license.tier === LICENSE_TIERS.TEAM) {
     console.log('\n🏢 Upgrade to ENTERPRISE - $249/month (annual) + onboarding')
     console.log('')
@@ -553,7 +553,7 @@ async function addLegitimateKey(
     if (fs.existsSync(legitimateDBFile)) {
       try {
         database = JSON.parse(fs.readFileSync(legitimateDBFile, 'utf8'))
-      } catch (_error) {
+      } catch {
         console.error(
           'Warning: Could not parse existing database, creating new one'
         )
@@ -654,7 +654,7 @@ async function promptLicenseActivation() {
           console.log(
             '   If you purchased this license, please contact support at:'
           )
-          console.log('   Email: support@aibuilderlab.com')
+          console.log('   Email: support@vibebuildlab.com')
           console.log(
             '   Include your license key and purchase email for verification.'
           )
@@ -745,7 +745,7 @@ function loadUsage() {
 
       return data
     }
-  } catch (_error) {
+  } catch {
     // Ignore errors reading usage file
   }
 
@@ -770,7 +770,7 @@ function saveUsage(usage) {
     }
     fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2))
     return true
-  } catch (_error) {
+  } catch {
     return false
   }
 }
@@ -958,7 +958,7 @@ function showLicenseStatus() {
   // Show upgrade path
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n💡 Upgrade to PRO for unlimited access + security scanning')
-    console.log('   → https://vibebuildlab.com/qaa')
+    console.log('   → https://vibebuildlab.com/tools/qa-architect')
   }
 }
 

package/lib/package-utils.js

@@ -50,17 +50,17 @@ function mergeDevDependencies(initialDevDeps = {}, defaultDevDeps) {
 
 /**
  * Merge lint-staged configuration, preserving existing patterns
- * @param {Object} existing - Existing lint-staged config
- * @param {Object} defaults - Default lint-staged config
- * @param {Object} options - Merge options
- * @param {Function} patternChecker - Function to check if a pattern matches certain criteria
- * @returns {Object} Merged lint-staged config
+ * @param {Record<string, string|string[]>} [existing] - Existing lint-staged config
+ * @param {Record<string, string|string[]>} defaults - Default lint-staged config
+ * @param {{stylelintTargets?: string[]}} [options] - Merge options
+ * @param {(pattern: string) => boolean} [patternChecker] - Function to check if a pattern matches certain criteria
+ * @returns {Record<string, string|string[]>} Merged lint-staged config
  */
 function mergeLintStaged(
+  defaults = {},
   existing = {},
-  defaults,
   options = {},
-  patternChecker = null
+  patternChecker = _pattern => false
 ) {
   const merged = { ...existing }
   const stylelintTargets = options.stylelintTargets || []
@@ -88,7 +88,8 @@ function mergeLintStaged(
       : [merged[pattern]]
 
     const newCommands = [...existingCommands]
-    commands.forEach(command => {
+    const commandList = Array.isArray(commands) ? commands : [commands]
+    commandList.forEach(command => {
       if (!newCommands.includes(command)) {
         newCommands.push(command)
       }

package/lib/project-maturity.js

@@ -435,7 +435,7 @@ class ProjectMaturityDetector {
 
   /**
    * Generate GitHub Actions outputs for maturity detection
-   * @returns {string} GitHub Actions output format
+   * @returns {{maturity: string, sourceCount: number, testCount: number, hasDeps: boolean, hasDocs: boolean, hasCss: boolean, requiredChecks: string, optionalChecks: string, disabledChecks: string}} GitHub Actions output format
    */
   generateGitHubActionsOutput() {
     const maturity = this.detect()