create-qa-architect 5.0.1 → 5.0.7

package/lib/github-api.js

@@ -0,0 +1,249 @@
+/**
+ * GitHub API Integration for QA Architect
+ * Enables Dependabot alerts and security features via GitHub API
+ */
+
+const https = require('https')
+const { execSync } = require('child_process')
+
+/**
+ * Get GitHub token from environment or gh CLI
+ */
+function getGitHubToken() {
+  // Check environment variable first
+  if (process.env.GITHUB_TOKEN) {
+    return process.env.GITHUB_TOKEN
+  }
+
+  // Try to get from gh CLI
+  try {
+    const token = execSync('gh auth token', { encoding: 'utf8' }).trim()
+    if (token) return token
+  } catch {
+    // gh CLI not available or not authenticated
+  }
+
+  return null
+}
+
+/**
+ * Get repository info from git remote
+ */
+function getRepoInfo(projectPath = '.') {
+  try {
+    const remoteUrl = execSync('git remote get-url origin', {
+      cwd: projectPath,
+      encoding: 'utf8',
+    }).trim()
+
+    // Parse GitHub URL (https or ssh format)
+    const httpsMatch = remoteUrl.match(
+      /github\.com[/:]([^/]+)\/([^/.]+)(\.git)?$/
+    )
+    if (httpsMatch) {
+      return { owner: httpsMatch[1], repo: httpsMatch[2] }
+    }
+
+    return null
+  } catch {
+    return null
+  }
+}
+
+/**
+ * Make GitHub API request
+ */
+function githubRequest(method, path, token, data = null) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: 'api.github.com',
+      port: 443,
+      path: path,
+      method: method,
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: 'application/vnd.github+json',
+        'User-Agent': 'qa-architect',
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    }
+
+    if (data) {
+      options.headers['Content-Type'] = 'application/json'
+    }
+
+    const req = https.request(options, res => {
+      let body = ''
+      res.on('data', chunk => (body += chunk))
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          resolve({
+            status: res.statusCode,
+            data: body ? JSON.parse(body) : null,
+          })
+        } else if (res.statusCode === 204) {
+          resolve({ status: 204, data: null })
+        } else {
+          reject(
+            new Error(
+              `GitHub API error: ${res.statusCode} - ${body || res.statusMessage}`
+            )
+          )
+        }
+      })
+    })
+
+    req.on('error', reject)
+
+    if (data) {
+      req.write(JSON.stringify(data))
+    }
+    req.end()
+  })
+}
+
+/**
+ * Check if Dependabot alerts are enabled
+ */
+async function checkDependabotStatus(owner, repo, token) {
+  try {
+    await githubRequest(
+      'GET',
+      `/repos/${owner}/${repo}/vulnerability-alerts`,
+      token
+    )
+    return true // 204 means enabled
+  } catch (error) {
+    if (error.message.includes('404')) {
+      return false // Not enabled
+    }
+    throw error
+  }
+}
+
+/**
+ * Enable Dependabot alerts for a repository
+ */
+async function enableDependabotAlerts(owner, repo, token) {
+  try {
+    await githubRequest(
+      'PUT',
+      `/repos/${owner}/${repo}/vulnerability-alerts`,
+      token
+    )
+    return { success: true, message: 'Dependabot alerts enabled' }
+  } catch (error) {
+    return { success: false, message: error.message }
+  }
+}
+
+/**
+ * Enable Dependabot security updates
+ */
+async function enableDependabotSecurityUpdates(owner, repo, token) {
+  try {
+    await githubRequest(
+      'PUT',
+      `/repos/${owner}/${repo}/automated-security-fixes`,
+      token
+    )
+    return { success: true, message: 'Dependabot security updates enabled' }
+  } catch (error) {
+    return { success: false, message: error.message }
+  }
+}
+
+/**
+ * Full setup: Enable all Dependabot features
+ */
+async function setupDependabot(projectPath = '.', options = {}) {
+  const { verbose = false } = options
+  const results = {
+    success: false,
+    repoInfo: null,
+    alerts: null,
+    securityUpdates: null,
+    errors: [],
+  }
+
+  // Get token
+  const token = getGitHubToken()
+  if (!token) {
+    results.errors.push(
+      'No GitHub token found. Set GITHUB_TOKEN env var or run `gh auth login`'
+    )
+    return results
+  }
+
+  // Get repo info
+  const repoInfo = getRepoInfo(projectPath)
+  if (!repoInfo) {
+    results.errors.push('Could not determine GitHub repository from git remote')
+    return results
+  }
+  results.repoInfo = repoInfo
+
+  if (verbose) {
+    console.log(`📦 Repository: ${repoInfo.owner}/${repoInfo.repo}`)
+  }
+
+  // Check current status
+  try {
+    const isEnabled = await checkDependabotStatus(
+      repoInfo.owner,
+      repoInfo.repo,
+      token
+    )
+    if (isEnabled) {
+      if (verbose) console.log('✅ Dependabot alerts already enabled')
+      results.alerts = { success: true, message: 'Already enabled' }
+    } else {
+      // Enable alerts
+      results.alerts = await enableDependabotAlerts(
+        repoInfo.owner,
+        repoInfo.repo,
+        token
+      )
+      if (verbose) {
+        console.log(
+          results.alerts.success
+            ? '✅ Dependabot alerts enabled'
+            : `❌ Failed to enable alerts: ${results.alerts.message}`
+        )
+      }
+    }
+  } catch (error) {
+    results.errors.push(`Alerts check failed: ${error.message}`)
+  }
+
+  // Enable security updates
+  try {
+    results.securityUpdates = await enableDependabotSecurityUpdates(
+      repoInfo.owner,
+      repoInfo.repo,
+      token
+    )
+    if (verbose) {
+      console.log(
+        results.securityUpdates.success
+          ? '✅ Dependabot security updates enabled'
+          : `⚠️ Security updates: ${results.securityUpdates.message}`
+      )
+    }
+  } catch (error) {
+    results.errors.push(`Security updates failed: ${error.message}`)
+  }
+
+  results.success = results.alerts?.success && results.errors.length === 0
+
+  return results
+}
+
+module.exports = {
+  getGitHubToken,
+  getRepoInfo,
+  checkDependabotStatus,
+  enableDependabotAlerts,
+  enableDependabotSecurityUpdates,
+  setupDependabot,
+}

package/lib/interactive/questions.js

@@ -1,5 +1,9 @@
 'use strict'
 
+/**
+ * @typedef {import('./prompt').InteractivePrompt} InteractivePrompt
+ */
+
 /**
  * Question definitions and answer parsing for interactive mode
  */

package/lib/license-validator.js

@@ -26,7 +26,7 @@ class LicenseValidator {
     // Allow enterprises to host their own registry
     this.licenseDbUrl =
       process.env.QAA_LICENSE_DB_URL ||
-      'https://license.aibuilderlab.com/qaa/legitimate-licenses.json'
+      'https://vibebuildlab.com/api/licenses/qa-architect.json'
   }
 
   ensureLicenseDir() {

package/lib/licensing.js

@@ -36,11 +36,11 @@ Object.defineProperty(exports, 'LICENSE_FILE', {
  * Standardized to use SCREAMING_SNAKE_CASE for both keys and values
  * for consistency with ErrorCategory and other enums in the codebase.
  *
- * Pricing (effective Jan 15, 2026 - founder pricing retired):
+ * Pricing:
  * - FREE: $0 (Hobby/OSS - capped)
- * - PRO: $59/mo or $590/yr (Solo Devs/Small Teams)
- * - TEAM: $15/user/mo, 5-seat minimum (Organizations)
- * - ENTERPRISE: $249/mo annual + $499 onboarding (Large Orgs)
+ * - PRO: $19/mo or $190/yr (Solo Devs/Small Teams)
+ * - TEAM: Contact us (Organizations) - coming soon
+ * - ENTERPRISE: Contact us (Large Orgs) - coming soon
  */
 const LICENSE_TIERS = {
   FREE: 'FREE',
@@ -216,7 +216,7 @@ function isDeveloperMode() {
     if (fs.existsSync(developerMarkerFile)) {
       return true
     }
-  } catch (_error) {
+  } catch {
     // Ignore errors checking for marker file
   }
 
@@ -338,7 +338,7 @@ function verifyLicenseSignature(payload, signature) {
       Buffer.from(signature),
       Buffer.from(expectedSignature)
     )
-  } catch (_error) {
+  } catch {
     // If signature verification fails, treat as invalid
     return false
   }
@@ -384,7 +384,7 @@ function showUpgradeMessage(feature) {
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n🚀 Upgrade to PRO')
     console.log('')
-    console.log('   💰 $59/month  or  $590/year (save $118)')
+    console.log('   💰 $19/month  or  $190/year (save $38)')
     console.log('')
     console.log('   ✅ Unlimited repos, LOC, and runs')
     console.log('   ✅ Smart Test Strategy (70% faster pre-push)')
@@ -396,16 +396,14 @@ function showUpgradeMessage(feature) {
     console.log('')
     console.log('   🎁 Start 14-day free trial - no credit card required')
     console.log('')
-    console.log('🚀 Upgrade: https://vibebuildlab.com/qaa')
+    console.log('🚀 Upgrade: https://vibebuildlab.com/qa-architect')
     console.log(
       '🔑 Activate: npx create-qa-architect@latest --activate-license'
     )
   } else if (license.tier === LICENSE_TIERS.PRO) {
     console.log('\n👥 Upgrade to TEAM')
     console.log('')
-    console.log(
-      '   💰 $15/user/month (5-seat min)  or  $150/user/year (save $30/user)'
-    )
+    console.log('   💰 Contact us for Team pricing')
     console.log('')
     console.log('   ✅ All PRO features included')
     console.log('   ✅ Per-seat licensing for your org')
@@ -414,9 +412,9 @@ function showUpgradeMessage(feature) {
     console.log('   ✅ Slack/email alerts for failures')
     console.log('   ✅ Priority support (business hours)')
     console.log('')
-    console.log('👥 Upgrade: https://vibebuildlab.com/qaa/team')
+    console.log('👥 Upgrade: https://vibebuildlab.com/qa-architect')
   } else if (license.tier === LICENSE_TIERS.TEAM) {
-    console.log('\n🏢 Upgrade to ENTERPRISE - $249/month (annual) + onboarding')
+    console.log('\n🏢 Upgrade to ENTERPRISE - Contact us for pricing')
     console.log('')
     console.log('   ✅ All TEAM features included')
     console.log('   ✅ SSO/SAML integration')
@@ -553,7 +551,7 @@ async function addLegitimateKey(
     if (fs.existsSync(legitimateDBFile)) {
       try {
         database = JSON.parse(fs.readFileSync(legitimateDBFile, 'utf8'))
-      } catch (_error) {
+      } catch {
         console.error(
           'Warning: Could not parse existing database, creating new one'
         )
@@ -654,7 +652,7 @@ async function promptLicenseActivation() {
           console.log(
             '   If you purchased this license, please contact support at:'
           )
-          console.log('   Email: support@aibuilderlab.com')
+          console.log('   Email: support@vibebuildlab.com')
           console.log(
             '   Include your license key and purchase email for verification.'
           )
@@ -745,7 +743,7 @@ function loadUsage() {
 
       return data
     }
-  } catch (_error) {
+  } catch {
     // Ignore errors reading usage file
   }
 
@@ -770,7 +768,7 @@ function saveUsage(usage) {
     }
     fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2))
     return true
-  } catch (_error) {
+  } catch {
     return false
   }
 }
@@ -958,7 +956,7 @@ function showLicenseStatus() {
   // Show upgrade path
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n💡 Upgrade to PRO for unlimited access + security scanning')
-    console.log('   → https://vibebuildlab.com/qaa')
+    console.log('   → https://vibebuildlab.com/qa-architect')
   }
 }
 

package/lib/package-utils.js

@@ -50,17 +50,17 @@ function mergeDevDependencies(initialDevDeps = {}, defaultDevDeps) {
 
 /**
  * Merge lint-staged configuration, preserving existing patterns
- * @param {Object} existing - Existing lint-staged config
- * @param {Object} defaults - Default lint-staged config
- * @param {Object} options - Merge options
- * @param {Function} patternChecker - Function to check if a pattern matches certain criteria
- * @returns {Object} Merged lint-staged config
+ * @param {Record<string, string|string[]>} [existing] - Existing lint-staged config
+ * @param {Record<string, string|string[]>} defaults - Default lint-staged config
+ * @param {{stylelintTargets?: string[]}} [options] - Merge options
+ * @param {(pattern: string) => boolean} [patternChecker] - Function to check if a pattern matches certain criteria
+ * @returns {Record<string, string|string[]>} Merged lint-staged config
  */
 function mergeLintStaged(
+  defaults = {},
   existing = {},
-  defaults,
   options = {},
-  patternChecker = null
+  patternChecker = _pattern => false
 ) {
   const merged = { ...existing }
   const stylelintTargets = options.stylelintTargets || []
@@ -88,7 +88,8 @@ function mergeLintStaged(
       : [merged[pattern]]
 
     const newCommands = [...existingCommands]
-    commands.forEach(command => {
+    const commandList = Array.isArray(commands) ? commands : [commands]
+    commandList.forEach(command => {
       if (!newCommands.includes(command)) {
         newCommands.push(command)
       }

package/lib/project-maturity.js

@@ -435,7 +435,7 @@ class ProjectMaturityDetector {
 
   /**
    * Generate GitHub Actions outputs for maturity detection
-   * @returns {string} GitHub Actions output format
+   * @returns {{maturity: string, sourceCount: number, testCount: number, hasDeps: boolean, hasDocs: boolean, hasCss: boolean, requiredChecks: string, optionalChecks: string, disabledChecks: string}} GitHub Actions output format
    */
   generateGitHubActionsOutput() {
     const maturity = this.detect()

package/lib/template-loader.js

@@ -126,6 +126,7 @@ class TemplateLoader {
    * // Only loads from whitelisted dirs: config/, .github/, lib/
    */
   async loadTemplates(dir, baseDir = dir, isPackageDir = false) {
+    /** @type {Record<string, string>} */
     const templates = {}
 
     try {
@@ -177,6 +178,7 @@ class TemplateLoader {
    * @returns {Promise<Object>} Merged template map
    */
   async mergeTemplates(customDir, defaultsDir) {
+    /** @type {Record<string, string>} */
     const merged = {}
 
     // Load defaults first (from package directory - restrict to known template dirs)

package/lib/ui-helpers.js

@@ -55,7 +55,8 @@ function showProgress(message) {
 
   // Try to use ora for interactive terminals
   try {
-    const ora = require('ora')
+    const oraImport = require('ora')
+    const ora = /** @type {any} */ (oraImport.default || oraImport)
     return ora(message).start()
   } catch {
     // Fallback if ora not installed (graceful degradation)

package/lib/validation/base-validator.js

@@ -1,5 +1,9 @@
 'use strict'
 
+/**
+ * @typedef {Error & {code?: string}} ErrWithCode
+ */
+
 /**
  * Base Validator Class
  * Provides common error handling, state management, and validation patterns
@@ -81,7 +85,7 @@ class BaseValidator {
 
   /**
    * Format error message for user
-   * @param {Error} error - The error object
+   * @param {ErrWithCode} error - The error object
    * @param {string} context - The context
    * @returns {string} Formatted error message
    */

package/lib/validation/cache-manager.js

@@ -14,6 +14,7 @@ class CacheManager {
       options.cacheDir || path.join(process.cwd(), '.create-qa-architect-cache')
     this.ttl = options.ttl || 24 * 60 * 60 * 1000 // Default: 24 hours in milliseconds
     this.enabled = options.enabled !== false // Enable by default
+    this.verbose = Boolean(options.verbose)
 
     // Ensure cache directory exists
     if (this.enabled) {

package/lib/validation/config-security.js

@@ -10,16 +10,19 @@ const { showProgress } = require('../ui-helpers')
 
 // Pinned gitleaks version for reproducible security scanning
 const GITLEAKS_VERSION = '8.28.0'
-// Real SHA256 checksums from https://github.com/gitleaks/gitleaks/releases/tag/v8.28.0
+// SHA256 checksums of EXTRACTED BINARIES from gitleaks v8.28.0 release
+// Note: These are checksums of the binary itself, not the tarball/zip archives
 const GITLEAKS_CHECKSUMS = {
   'linux-x64':
-    'a65b5253807a68ac0cafa4414031fd740aeb55f54fb7e55f386acb52e6a840eb',
+    '5fd1b3b0073269484d40078662e921d07427340ab9e6ed526ccd215a565b3298',
+  'linux-arm64':
+    '3770c7ebeb625e3e96c183525ca18285a01aedef2d75a2c41ceb3e141af2e8b7',
   'darwin-x64':
-    'edf5a507008b0d2ef4959575772772770586409c1f6f74dabf19cbe7ec341ced',
+    'cf09ad7a85683d90221db8324f036f23c8c29107145e1fc4a0dffbfa9e89c09a',
   'darwin-arm64':
     '5588b5d942dffa048720f7e6e1d274283219fb5722a2c7564d22e83ba39087d7',
   'win32-x64':
-    'da6458e8864af553807de1c46a7a8eac0880bd6b99ba56288e87e86a45af884f',
+    '54230c22688d19939f316cd3e2e040cd067ece40a3a8c5b684e5110c62ecbf52',
 }
 
 /**
@@ -199,6 +202,7 @@ class ConfigSecurityScanner {
       'darwin-x64': 'darwin_x64',
       'darwin-arm64': 'darwin_arm64',
       'linux-x64': 'linux_x64',
+      'linux-arm64': 'linux_arm64',
       'win32-x64': 'windows_x64',
     }
 
@@ -349,6 +353,7 @@ class ConfigSecurityScanner {
         timeout: 60000, // 60 second timeout for audit operations
         encoding: 'utf8',
       })
+      spinner.succeed('npm audit completed - no high/critical vulnerabilities')
     } catch (error) {
       if (error.signal === 'SIGTERM') {
         // Timeout occurred

package/lib/validation/validation-factory.js

@@ -75,7 +75,7 @@ class ValidationFactory {
 
   /**
    * Run all validators
-   * @returns {object} Validation results
+   * @returns {Promise<object>} Validation results
    */
   async validateAll() {
     const results = {

package/lib/validation/workflow-validation.js

@@ -2,7 +2,6 @@
 
 const fs = require('fs')
 const path = require('path')
-const { execSync } = require('child_process')
 const { showProgress } = require('../ui-helpers')
 
 /**
@@ -85,32 +84,38 @@ class WorkflowValidator {
     const spinner = showProgress('Running actionlint on workflow files...')
 
     try {
-      // Run actionlint via npx (works with local and global installs, cross-platform)
-      execSync('npx actionlint', { stdio: 'pipe', cwd: process.cwd() })
-      spinner.succeed('actionlint validation passed')
-    } catch (error) {
-      if (error.stdout || error.stderr) {
-        const output = error.stdout
-          ? error.stdout.toString()
-          : error.stderr.toString()
-        const lines = output
-          .trim()
-          .split('\n')
-          .filter(line => line.trim())
-
-        if (lines.length > 0) {
-          spinner.fail(`actionlint found ${lines.length} issue(s)`)
-          lines.forEach(line => {
-            if (line.trim()) {
-              this.issues.push(`actionlint: ${line.trim()}`)
-            }
+      const { createLinter } = require('actionlint')
+      const workflowFiles = fs
+        .readdirSync(workflowDir)
+        .filter(file => file.endsWith('.yml') || file.endsWith('.yaml'))
+
+      const linter = await createLinter()
+      let issueCount = 0
+
+      for (const file of workflowFiles) {
+        const filePath = path.join(workflowDir, file)
+        const content = fs.readFileSync(filePath, 'utf8')
+        const results = linter(content, filePath) || []
+
+        if (Array.isArray(results) && results.length > 0) {
+          issueCount += results.length
+          results.forEach(result => {
+            this.issues.push(
+              `actionlint: ${result.file}:${result.line}:${result.column} ${result.kind} - ${result.message}`
+            )
           })
-        } else {
-          spinner.succeed('actionlint validation passed')
         }
+      }
+
+      if (issueCount > 0) {
+        spinner.fail(`actionlint found ${issueCount} issue(s)`)
       } else {
         spinner.succeed('actionlint validation passed')
       }
+    } catch (error) {
+      spinner.fail('actionlint failed to run')
+      const reason = error?.message || 'Unknown error'
+      this.issues.push(`actionlint: Failed to run - ${reason}`)
     }
   }
 

package/lib/yaml-utils.js

@@ -82,17 +82,22 @@ function convertToYaml(obj, indent = 0) {
   if (Array.isArray(obj)) {
     obj.forEach(item => {
       if (typeof item === 'object' && item !== null) {
-        // For objects in arrays, handle first property inline with dash, rest indented
-        const itemYaml = convertToYaml(item, indent + 2)
-        const lines = itemYaml.split('\n').filter(line => line.trim())
-        if (lines.length > 0) {
-          // First property goes inline with the dash
-          yaml += `${spaces}- ${lines[0].trim()}\n`
-          // Additional properties are properly indented
-          for (let i = 1; i < lines.length; i++) {
-            yaml += `${spaces}  ${lines[i].trim()}\n`
+        // For objects in arrays, prefix first line with "- " and indent rest
+        const entries = Object.entries(item)
+        entries.forEach(([key, value], idx) => {
+          const safeKey = formatYamlValue(key)
+          const prefix = idx === 0 ? `${spaces}- ` : `${spaces}  `
+
+          if (Array.isArray(value)) {
+            yaml += `${prefix}${safeKey}:\n`
+            yaml += convertToYaml(value, indent + 4)
+          } else if (typeof value === 'object' && value !== null) {
+            yaml += `${prefix}${safeKey}:\n`
+            yaml += convertToYaml(value, indent + 4)
+          } else {
+            yaml += `${prefix}${safeKey}: ${formatYamlValue(value)}\n`
           }
-        }
+        })
       } else {
         yaml += `${spaces}- ${formatYamlValue(item)}\n`
       }