create-qa-architect 5.0.1 → 5.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-qa-architect",
-  "version": "5.0.1",
+  "version": "5.0.7",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
@@ -12,17 +12,17 @@
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "lint": "eslint . && stylelint \"**/*.{css,scss,sass,less,pcss}\" --allow-empty-input",
+    "type-check": "tsc --noEmit",
     "lint:fix": "eslint . --fix && stylelint \"**/*.{css,scss,sass,less,pcss}\" --fix --allow-empty-input",
     "security:audit": "npm audit --audit-level high",
     "security:secrets": "node -e \"const fs=require('fs');const content=fs.readFileSync('package.json','utf8');if(/[\\\"\\'][a-zA-Z0-9+/]{20,}[\\\"\\']/.test(content)){console.error('❌ Potential hardcoded secrets in package.json');process.exit(1)}else{console.log('✅ No secrets detected in package.json')}\"",
     "security:config": "node setup.js --security-config",
     "validate:docs": "node setup.js --validate-docs",
-    "validate:claude": "node scripts/validate-claude-md.js",
     "validate:comprehensive": "node setup.js --comprehensive --no-markdownlint",
-    "validate:all": "npm run validate:comprehensive && npm run security:audit && npm run validate:claude",
+    "validate:all": "npm run validate:comprehensive && npm run security:audit",
     "validate:pre-push": "npm run test:patterns --if-present && npm run lint && npm run format:check && npm run test:commands --if-present && npm test --if-present",
-    "test": "export QAA_DEVELOPER=true && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-claude-md.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js",
-    "test:unit": "export QAA_DEVELOPER=true && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-claude-md.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js",
+    "test": "export QAA_DEVELOPER=true && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js",
+    "test:unit": "export QAA_DEVELOPER=true && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js",
     "test:fast": "npm run test:unit",
     "test:medium": "npm run test:fast && npm run test:patterns && npm run test:commands",
     "test:slow": "export QAA_DEVELOPER=true && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/real-world-packages.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/real-purchase-flow.test.js && node tests/project-maturity-cli.test.js && node tests/gitleaks-real-binary-test.js && npm run test:e2e",
@@ -73,6 +73,8 @@
     "legal/",
     "marketing/",
     "templates/",
+    "scripts/",
+    "LICENSE",
     ".github/",
     ".prettierrc",
     ".prettierignore",
@@ -84,12 +86,12 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/brettstark73/qa-architect.git"
+    "url": "git+https://github.com/vibebuildlab/qa-architect.git"
   },
   "bugs": {
-    "url": "https://github.com/brettstark73/qa-architect/issues"
+    "url": "https://github.com/vibebuildlab/qa-architect/issues"
   },
-  "homepage": "https://github.com/brettstark73/qa-architect#readme",
+  "homepage": "https://vibebuildlab.com/qa-architect",
   "engines": {
     "node": ">=20"
   },
@@ -104,15 +106,17 @@
     }
   },
   "devDependencies": {
+    "@types/node": "^20",
     "actionlint": "^2.0.6",
+    "typescript": "^5",
     "c8": "^10.1.2",
-    "eslint": "^9.12.0",
+    "eslint": "^9.39.2",
     "eslint-plugin-security": "^3.0.1",
     "globals": "^15.9.0",
     "husky": "^9.1.4",
     "lint-staged": "^15.2.10",
-    "prettier": "^3.3.3",
-    "stylelint": "^16.8.0",
+    "prettier": "^3.7.4",
+    "stylelint": "^16.26.1",
     "stylelint-config-standard": "^37.0.0"
   },
   "volta": {
@@ -121,7 +125,6 @@
   },
   "lint-staged": {
     "CLAUDE.md": [
-      "node scripts/validate-claude-md.js",
       "prettier --write"
     ],
     "config/defaults.js": [
@@ -156,11 +159,11 @@
     ]
   },
   "dependencies": {
-    "@npmcli/package-json": "^7.0.1",
+    "@npmcli/package-json": "^7.0.4",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli2": "^0.19.0",
+    "markdownlint-cli2": "^0.20.0",
     "ora": "^8.1.1",
     "tar": "^7.4.3"
   }

package/scripts/check-docs.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# Documentation consistency checker
+# Run before any release to catch documentation gaps
+
+set -e
+
+echo "🔍 Checking documentation consistency..."
+
+# Check version consistency
+PACKAGE_VERSION=$(node -p "require('./package.json').version")
+if ! grep -q "## \[$PACKAGE_VERSION\]" CHANGELOG.md; then
+    echo "❌ CHANGELOG.md missing entry for version $PACKAGE_VERSION"
+    exit 1
+fi
+
+# Check that setup.js file creation matches README documentation
+echo "📁 Verifying file inventory..."
+
+# Extract files created by setup.js
+SETUP_FILES=$(grep -E "writeFileSync.*Path" setup.js | sed -E 's/.*writeFileSync\([^,]+, [^)]+\)//' | wc -l)
+echo "Setup script creates approximately $SETUP_FILES files"
+
+# Check for common missing files in README
+MISSING_FILES=()
+
+if grep -q "\.nvmrc" setup.js && ! grep -q "\.nvmrc" README.md; then
+    MISSING_FILES+=(".nvmrc")
+fi
+
+if grep -q "\.npmrc" setup.js && ! grep -q "\.npmrc" README.md; then
+    MISSING_FILES+=(".npmrc")
+fi
+
+if grep -q "stylelintrc" setup.js && ! grep -q "stylelintrc" README.md; then
+    MISSING_FILES+=(".stylelintrc.json")
+fi
+
+if grep -q "lighthouserc" setup.js && ! grep -q "lighthouserc" README.md; then
+    MISSING_FILES+=(".lighthouserc.js")
+fi
+
+if [ ${#MISSING_FILES[@]} -gt 0 ]; then
+    echo "❌ README.md missing documentation for files:"
+    printf '   - %s\n' "${MISSING_FILES[@]}"
+    exit 1
+fi
+
+# Check for Python features if implemented
+if grep -q "Python" setup.js; then
+    if ! grep -q "Python" README.md; then
+        echo "❌ Python features implemented but not documented in README.md"
+        exit 1
+    fi
+fi
+
+# Security validation is now handled by:
+# - /bs:audit --security command
+# - security-auditor agent
+# - npm audit in CI workflows
+# - gitleaks in pre-push hooks
+echo "🔐 Security validation handled by automated tooling (npm audit, gitleaks, CI workflows)"
+
+echo "✅ Documentation consistency checks passed!"

package/scripts/smart-test-strategy.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+# Smart Test Strategy - QA Architect
+set -e
+
+echo "🧠 Analyzing changes for optimal test strategy..."
+
+# =============================================================================
+# SECURITY: Always run npm audit for critical vulnerabilities (fast, ~2 seconds)
+# =============================================================================
+echo ""
+echo "🔒 Running security audit (critical vulnerabilities only)..."
+if npm audit --audit-level=critical --omit=dev 2>/dev/null; then
+  echo "✅ No critical vulnerabilities found"
+else
+  echo "❌ CRITICAL vulnerabilities detected! Fix before pushing."
+  echo "   Run: npm audit fix"
+  exit 1
+fi
+echo ""
+
+# Collect metrics
+CHANGED_FILES=$(git diff --name-only HEAD~1..HEAD 2>/dev/null | wc -l | tr -d ' ')
+CHANGED_LINES=$(git diff --stat HEAD~1..HEAD 2>/dev/null | tail -1 | grep -o '[0-9]* insertions' | grep -o '[0-9]*' || echo "0")
+CURRENT_BRANCH=$(git branch --show-current)
+HOUR=$(date +%H)
+DAY_OF_WEEK=$(date +%u)
+
+# Project-specific high-risk patterns
+HIGH_RISK_FILES=$(git diff --name-only HEAD~1..HEAD 2>/dev/null | grep -E "(setup\.js|lib/.*|templates/.*|config/.*)" || true)
+API_FILES=$(git diff --name-only HEAD~1..HEAD 2>/dev/null | grep -E "api/" || true)
+CONFIG_FILES=$(git diff --name-only HEAD~1..HEAD 2>/dev/null | grep -E "(package\.json|\.env|config)" || true)
+TEST_FILES=$(git diff --name-only HEAD~1..HEAD 2>/dev/null | grep -E "test|spec" || true)
+
+# Calculate risk score (0-10)
+RISK_SCORE=0
+
+# File-based risk
+[[ -n "$HIGH_RISK_FILES" ]] && RISK_SCORE=$((RISK_SCORE + 4))
+[[ -n "$API_FILES" ]] && RISK_SCORE=$((RISK_SCORE + 2))
+[[ -n "$CONFIG_FILES" ]] && RISK_SCORE=$((RISK_SCORE + 2))
+
+# Size-based risk
+[[ $CHANGED_FILES -gt 10 ]] && RISK_SCORE=$((RISK_SCORE + 2))
+[[ $CHANGED_FILES -gt 20 ]] && RISK_SCORE=$((RISK_SCORE + 3))
+[[ $CHANGED_LINES -gt 200 ]] && RISK_SCORE=$((RISK_SCORE + 2))
+
+# Branch-based risk
+case $CURRENT_BRANCH in
+  main|master|production) RISK_SCORE=$((RISK_SCORE + 3)) ;;
+  hotfix/*) RISK_SCORE=$((RISK_SCORE + 4)) ;;
+  release/*) RISK_SCORE=$((RISK_SCORE + 2)) ;;
+  develop) RISK_SCORE=$((RISK_SCORE + 1)) ;;
+esac
+
+# Time pressure adjustment (strip leading zeros)
+HOUR_NUM=$((10#$HOUR))
+if [[ $HOUR_NUM -ge 9 && $HOUR_NUM -le 17 && $DAY_OF_WEEK -le 5 ]]; then
+  SPEED_BONUS=true
+else
+  SPEED_BONUS=false
+fi
+
+# Display analysis
+echo "📊 Analysis Results:"
+echo "   📁 Files: $CHANGED_FILES"
+echo "   📏 Lines: $CHANGED_LINES"
+echo "   🌿 Branch: $CURRENT_BRANCH"
+echo "   🎯 Risk Score: $RISK_SCORE/10"
+echo "   ⚡ Speed Bonus: $SPEED_BONUS"
+echo ""
+
+# Decision logic
+# NOTE: test:commands and test:e2e are ALWAYS excluded from pre-push (run in CI only)
+# - test:commands: Takes 60+ seconds, verifies npm scripts work in isolated env
+# - test:e2e: Requires browser/package build, CI has better infrastructure
+# These run in GitHub Actions on every PR and push to main
+
+if [[ $RISK_SCORE -ge 7 ]]; then
+  echo "🔴 HIGH RISK - Comprehensive validation (pre-push)"
+  echo "   • Patterns + unit tests + security audit"
+  echo "   • (command + e2e tests run in CI only)"
+  npm run test:patterns && npm test && npm run security:audit
+elif [[ $RISK_SCORE -ge 4 ]]; then
+  echo "🟡 MEDIUM RISK - Standard validation"
+  echo "   • Fast tests + patterns"
+  npm run test:patterns && npm run test:fast
+elif [[ $RISK_SCORE -ge 2 || "$SPEED_BONUS" == "false" ]]; then
+  echo "🟢 LOW RISK - Fast validation"
+  echo "   • Unit tests only"
+  npm run test:fast
+else
+  echo "⚪ MINIMAL RISK - Quality checks only"
+  echo "   • Lint + format check"
+  npm run lint && npm run format:check
+fi
+
+echo ""
+echo "💡 Tip: Run 'npm run test:comprehensive' locally for full validation"

package/scripts/test-e2e-package.sh

@@ -0,0 +1,283 @@
+#!/bin/bash
+# E2E Package Test - Validates the package works for consumers
+# Catches issues like Codex findings before release
+
+set -e
+
+# Use isolated npm cache to avoid permission issues on shared caches
+export npm_config_cache="${npm_config_cache:-$(mktemp -d)}"
+export NPM_CONFIG_CACHE="$npm_config_cache"
+# Disable husky during packaging so pack works in CI/sandboxed environments
+export HUSKY=0
+
+echo "🧪 E2E Package Validation Test"
+echo "================================"
+echo ""
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Track failures
+FAILURES=0
+
+fail() {
+  echo -e "${RED}❌ $1${NC}"
+  FAILURES=$((FAILURES + 1))
+}
+
+pass() {
+  echo -e "${GREEN}✅ $1${NC}"
+}
+
+warn() {
+  echo -e "${YELLOW}⚠️  $1${NC}"
+}
+
+# 1. Package Contents Validation
+echo "📦 Step 1: Validating package contents..."
+echo "Running: npm pack (scripts disabled)"
+TARBALL=$(npm pack --ignore-scripts 2>&1 | tail -1)
+
+if [ ! -f "$TARBALL" ]; then
+  fail "npm pack failed to create tarball"
+  exit 1
+fi
+
+pass "Created tarball: $TARBALL"
+
+# Extract tarball and check files
+EXTRACT_DIR=$(mktemp -d)
+tar -xzf "$TARBALL" -C "$EXTRACT_DIR"
+PKG_DIR="$EXTRACT_DIR/package"
+
+echo "  Checking required files in package..."
+REQUIRED_FILES=(
+  "setup.js"
+  ".prettierrc"
+  ".prettierignore"
+  "eslint.config.cjs"
+  "eslint.config.ts.cjs"
+  ".stylelintrc.json"
+  ".editorconfig"
+  ".nvmrc"
+  "config/defaults.js"
+  "lib/validation/index.js"
+  ".github/workflows/quality.yml"
+)
+# Note: .npmrc is intentionally excluded - npm won't package it anyway (local config only)
+
+for file in "${REQUIRED_FILES[@]}"; do
+  if [ -f "$PKG_DIR/$file" ] || [ -d "$PKG_DIR/$file" ]; then
+    pass "  $file"
+  else
+    fail "  Missing required file: $file"
+  fi
+done
+
+# 2. Consumer Installation Simulation
+echo ""
+echo "🏗️  Step 2: Simulating consumer installation..."
+TEST_DIR=$(mktemp -d)
+cd "$TEST_DIR"
+
+echo "  Creating test project..."
+git init -q
+git config user.email "test@example.com"
+git config user.name "Test User"
+
+cat > package.json <<'EOF'
+{
+  "name": "e2e-test-consumer",
+  "version": "1.0.0",
+  "description": "E2E test consumer",
+  "keywords": ["test"],
+  "license": "MIT"
+}
+EOF
+
+pass "Test project created"
+
+echo "  Installing from tarball..."
+npm install "$OLDPWD/$TARBALL" --silent 2>&1 > /dev/null || {
+  fail "npm install from tarball failed"
+  cd "$OLDPWD"
+  rm -rf "$TEST_DIR" "$EXTRACT_DIR"
+  rm -f "$TARBALL"
+  exit 1
+}
+
+pass "Package installed"
+
+# 3. Run setup
+echo ""
+echo "🚀 Step 3: Running setup..."
+SETUP_OUTPUT=$(QAA_DEVELOPER=true node ./node_modules/create-qa-architect/setup.js 2>&1)
+echo "$SETUP_OUTPUT" | grep -q "Setting up Quality Automation" && pass "Setup executed" || fail "Setup failed"
+echo "  Setup output:"
+echo "$SETUP_OUTPUT" | head -20
+
+# 4. Verify generated files
+echo ""
+echo "📋 Step 4: Verifying generated files..."
+EXPECTED_FILES=(
+  ".prettierrc"
+  ".prettierignore"
+  "eslint.config.cjs"
+  ".stylelintrc.json"
+  ".editorconfig"
+  ".nvmrc"
+  ".npmrc"
+  ".github/workflows/quality.yml"
+)
+
+for file in "${EXPECTED_FILES[@]}"; do
+  if [ -f "$file" ]; then
+    pass "  Generated: $file"
+  else
+    fail "  Missing generated file: $file"
+  fi
+done
+
+# 5. Validate package.json modifications
+echo ""
+echo "📝 Step 5: Validating package.json modifications..."
+
+if grep -q "\"format\":" package.json; then
+  pass "  npm scripts added"
+else
+  fail "  npm scripts not added"
+fi
+
+if grep -q "husky" package.json; then
+  pass "  devDependencies added"
+else
+  fail "  devDependencies not added"
+fi
+
+if grep -q "lint-staged" package.json; then
+  pass "  lint-staged config added"
+else
+  fail "  lint-staged config not added"
+fi
+
+# 6. Test npm scripts use npx (not node setup.js)
+echo ""
+echo "🔍 Step 6: Validating npm scripts use npx..."
+
+if grep -q "\"security:config.*npx create-qa-architect" package.json; then
+  pass "  security:config uses npx"
+else
+  fail "  security:config doesn't use npx (Codex finding regression!)"
+fi
+
+if grep -q "\"validate:docs.*npx create-qa-architect" package.json; then
+  pass "  validate:docs uses npx"
+else
+  fail "  validate:docs doesn't use npx (Codex finding regression!)"
+fi
+
+# 7. Validate workflow doesn't have UNCONDITIONAL setup.js references
+echo ""
+echo "🔧 Step 7: Validating generated workflow..."
+
+# The workflow can have conditional references like:
+#   if [ -f "setup.js" ]; then
+#     node setup.js --something
+#   fi
+# But should NOT have unconditional references like the old:
+#   node "$GITHUB_WORKSPACE/setup.js"
+#
+# Check for the specific bad pattern we fixed (Codex finding)
+if grep -q 'node "$GITHUB_WORKSPACE/setup.js"' .github/workflows/quality.yml; then
+  fail "  Workflow has unconditional GITHUB_WORKSPACE setup.js reference (Codex finding regression!)"
+else
+  pass "  Workflow doesn't have unconditional setup.js references"
+fi
+
+# Conditional references with guards are OK (will fallback in consumer repos)
+
+# 8. NEW: Actually run the generated commands (catches broken CLI flags!)
+echo ""
+echo "🚀 Step 8: Testing generated commands actually work..."
+echo "  This step would have caught the ESLint --ext bug!"
+
+# Install devDependencies first
+echo "  Installing devDependencies..."
+npm install --silent > /dev/null 2>&1 || {
+  fail "  npm install failed"
+}
+
+# Create test files for commands to process
+# Use valid code that won't trigger linting errors
+echo "module.exports = { name: 'test' };" > test.js
+echo "body { color: red; }" > test.css
+
+# Test format:check - should work (even if files need formatting)
+echo "  Testing: npm run format:check"
+# Format the files first so format:check passes
+npm run format >/dev/null 2>&1
+if npm run format:check 2>&1 >/dev/null; then
+  pass "  format:check works"
+else
+  fail "  format:check failed (check Prettier flags!)"
+fi
+
+# Test lint (CRITICAL: this would have caught --ext bug!)
+echo "  Testing: npm run lint"
+LINT_OUTPUT=$(npm run lint 2>&1)
+if echo "$LINT_OUTPUT" | grep -q "error"; then
+  fail "  lint failed (check for deprecated flags like --ext!)"
+  echo "  ESLint error output:"
+  echo "$LINT_OUTPUT" | grep -A 5 "error" | head -10
+else
+  pass "  lint works"
+fi
+
+# Test direct ESLint
+echo "  Testing: npx eslint test.js"
+if npx eslint test.js 2>&1 >/dev/null; then
+  pass "  Direct ESLint works"
+else
+  fail "  Direct ESLint failed"
+fi
+
+# Test stylelint
+echo "  Testing: npx stylelint test.css"
+if npx stylelint test.css 2>&1 >/dev/null; then
+  pass "  Stylelint works"
+else
+  fail "  Stylelint failed"
+fi
+
+# 9. Test --dry-run mode
+echo ""
+echo "🧪 Step 9: Testing --dry-run mode..."
+cd "$OLDPWD"
+if node ./setup.js --dry-run 2>&1 | grep -q "DRY RUN MODE"; then
+  pass "--dry-run mode works"
+else
+  fail "--dry-run mode doesn't work"
+fi
+
+# Cleanup
+cd "$OLDPWD"
+rm -rf "$TEST_DIR" "$EXTRACT_DIR"
+rm -f "$TARBALL"
+
+# Report
+echo ""
+echo "================================"
+if [ $FAILURES -eq 0 ]; then
+  echo -e "${GREEN}✅ All E2E tests passed!${NC}"
+  echo ""
+  echo "Package is ready for release."
+  exit 0
+else
+  echo -e "${RED}❌ $FAILURES test(s) failed${NC}"
+  echo ""
+  echo "Fix these issues before releasing."
+  exit 1
+fi

package/scripts/validate-command-patterns.js

@@ -0,0 +1,112 @@
+#!/usr/bin/env node
+'use strict'
+
+/**
+ * Validates that command patterns in config/defaults.js
+ * don't contain known deprecated patterns
+ *
+ * This prevents issues like the ESLint --ext bug from being committed
+ */
+
+const fs = require('fs')
+const path = require('path')
+
+const DEPRECATED_PATTERNS = [
+  {
+    pattern: /eslint.*--ext\s+\S+/,
+    message: 'ESLint --ext flag is deprecated in ESLint 9 flat config',
+    file: 'config/defaults.js',
+    suggestion: 'Use "eslint ." - file selection is in eslint.config.js',
+  },
+  {
+    pattern: /husky install/,
+    message: 'husky install is deprecated in Husky 9+',
+    file: 'config/defaults.js',
+    suggestion: 'Use just "husky" as the prepare script',
+  },
+  {
+    pattern: /prettier.*--no-semi/,
+    message: '--no-semi is deprecated in Prettier 3+',
+    file: 'config/defaults.js',
+    suggestion: 'Use .prettierrc configuration file',
+  },
+  {
+    pattern: /stylelint.*--config\s+\S+/,
+    message: 'Stylelint --config flag should use config file',
+    file: 'config/defaults.js',
+    suggestion: 'Use .stylelintrc.json instead',
+  },
+]
+
+const FILES_TO_CHECK = [
+  'config/defaults.js',
+  'setup.js',
+  'lib/package-utils.js',
+]
+
+function validateFile(filePath, patterns) {
+  const fullPath = path.join(__dirname, '..', filePath)
+
+  if (!fs.existsSync(fullPath)) {
+    console.warn(`⚠️  File not found: ${filePath} (skipping)`)
+    return []
+  }
+
+  const content = fs.readFileSync(fullPath, 'utf8')
+  const errors = []
+
+  patterns.forEach(({ pattern, message, file, suggestion }) => {
+    // Only check patterns for this file
+    if (file && file !== filePath) {
+      return
+    }
+
+    if (pattern.test(content)) {
+      errors.push({
+        file: filePath,
+        message,
+        suggestion,
+        pattern: pattern.toString(),
+      })
+    }
+  })
+
+  return errors
+}
+
+function main() {
+  console.log('🔍 Validating command patterns...\n')
+
+  let totalErrors = 0
+  const allErrors = []
+
+  FILES_TO_CHECK.forEach(filePath => {
+    const errors = validateFile(filePath, DEPRECATED_PATTERNS)
+    totalErrors += errors.length
+    allErrors.push(...errors)
+  })
+
+  if (totalErrors > 0) {
+    console.error(`❌ Found ${totalErrors} deprecated pattern(s):\n`)
+
+    allErrors.forEach(({ file, message, suggestion, pattern }) => {
+      console.error(`  ${file}:`)
+      console.error(`    ❌ ${message}`)
+      console.error(`    💡 ${suggestion}`)
+      console.error(`    🔎 Pattern: ${pattern}`)
+      console.error('')
+    })
+
+    console.error('Fix these before committing!\n')
+    process.exit(1)
+  }
+
+  console.log('✅ No deprecated command patterns found')
+  process.exit(0)
+}
+
+if (require.main === module) {
+  main()
+}
+
+module.exports = { validateFile, DEPRECATED_PATTERNS }