create-qa-architect 5.0.7 → 5.3.1

package/docs/test-trace-matrix.md

@@ -0,0 +1,28 @@
+# qa-architect - Test Traceability Matrix
+
+**Generated:** 2025-12-27
+**Coverage Target:** 50%
+
+## Coverage Summary
+
+| Metric       | Value |
+| ------------ | ----- |
+| Requirements | 0     |
+| Covered      | 0     |
+| Coverage     | 0%    |
+
+## Requirement → Test Mapping
+
+| REQ-ID      | Description   | Test File | Status     |
+| ----------- | ------------- | --------- | ---------- |
+| REQ-F.01.01 | [Description] | -         | ⚠️ Missing |
+
+## Test → Requirement Mapping
+
+| Test File | Tests | REQ-IDs | Status |
+| --------- | ----- | ------- | ------ |
+| -         | -     | -       | -      |
+
+---
+
+_Run `vbl qa` to regenerate this matrix_

package/lib/commands/deps.js

@@ -0,0 +1,245 @@
+/**
+ * Dependency monitoring command handler
+ *
+ * Extracted from setup.js to improve maintainability.
+ * Handles --deps, --dependency-monitoring commands.
+ */
+
+const fs = require('fs')
+const path = require('path')
+
+const {
+  hasNpmProject,
+  generateBasicDependabotConfig,
+  writeBasicDependabotConfig,
+} = require('../dependency-monitoring-basic')
+
+const {
+  generatePremiumDependabotConfig,
+  writePremiumDependabotConfig,
+} = require('../dependency-monitoring-premium')
+
+const {
+  getLicenseInfo,
+  showUpgradeMessage,
+  checkUsageCaps,
+  incrementUsage,
+} = require('../licensing')
+
+/**
+ * Detect Python project
+ * @param {string} projectPath - Path to project
+ * @returns {boolean} True if Python project detected
+ */
+function detectPythonProject(projectPath) {
+  const pythonFiles = [
+    'pyproject.toml',
+    'requirements.txt',
+    'setup.py',
+    'Pipfile',
+  ]
+  return pythonFiles.some(file => fs.existsSync(path.join(projectPath, file)))
+}
+
+/**
+ * Detect Rust project
+ * @param {string} projectPath - Path to project
+ * @returns {boolean} True if Rust project detected
+ */
+function detectRustProject(projectPath) {
+  return fs.existsSync(path.join(projectPath, 'Cargo.toml'))
+}
+
+/**
+ * Detect Ruby project
+ * @param {string} projectPath - Path to project
+ * @returns {boolean} True if Ruby project detected
+ */
+function detectRubyProject(projectPath) {
+  return fs.existsSync(path.join(projectPath, 'Gemfile'))
+}
+
+/**
+ * Handle dependency monitoring command (Free/Pro/Team/Enterprise)
+ */
+async function handleDependencyMonitoring() {
+  const projectPath = process.cwd()
+  const license = getLicenseInfo()
+
+  // Detect all supported ecosystems (npm, Python, Ruby, Rust, etc.)
+  const hasNpm = hasNpmProject(projectPath)
+  const hasPython = detectPythonProject(projectPath)
+  const hasRust = detectRustProject(projectPath)
+  const hasRuby = detectRubyProject(projectPath)
+
+  if (!hasNpm && !hasPython && !hasRust && !hasRuby) {
+    console.error(
+      '❌ No supported dependency file found (package.json, pyproject.toml, requirements.txt, Gemfile, Cargo.toml).'
+    )
+    console.log("💡 Make sure you're in a directory with dependency files.")
+    process.exit(1)
+  }
+
+  if (hasNpm) console.log('📦 Detected: npm project')
+  if (hasPython) console.log('🐍 Detected: Python project')
+  if (hasRust) console.log('🦀 Detected: Rust project')
+  if (hasRuby) console.log('💎 Detected: Ruby project')
+  console.log(`📋 License tier: ${license.tier.toUpperCase()}`)
+
+  // Enforce Free tier caps for dependency monitoring (counted as dependency PRs)
+  if (license.tier === 'FREE') {
+    const capCheck = checkUsageCaps('dependency-pr')
+    if (!capCheck.allowed) {
+      console.error(`❌ ${capCheck.reason}`)
+      console.error(
+        '   Upgrade to Pro, Team, or Enterprise for unlimited runs: https://vibebuildlab.com/qa-architect'
+      )
+      process.exit(1)
+    }
+
+    const increment = incrementUsage('dependency-pr')
+    const usage = increment.usage || capCheck.usage
+    const caps = capCheck.caps
+    if (usage && caps && caps.maxDependencyPRsPerMonth !== undefined) {
+      console.log(
+        `🧮 Usage: ${usage.dependencyPRs}/${caps.maxDependencyPRsPerMonth} dependency monitoring runs used this month`
+      )
+    }
+  }
+
+  const dependabotPath = path.join(projectPath, '.github', 'dependabot.yml')
+
+  // Use premium or basic config based on license tier
+  const shouldUsePremium =
+    license.tier === 'PRO' ||
+    license.tier === 'TEAM' ||
+    license.tier === 'ENTERPRISE'
+
+  // Free tier only supports npm projects. Fail fast with a clear message.
+  if (!shouldUsePremium && !hasNpm && (hasPython || hasRust || hasRuby)) {
+    console.error(
+      '❌ Dependency monitoring for this project requires a Pro, Team, or Enterprise license.'
+    )
+    console.error(
+      '   Free tier supports npm projects only. Detected non-npm ecosystems.'
+    )
+    console.error(
+      '   Options: add npm/package.json, or upgrade and re-run: npx create-qa-architect@latest --deps after activation.'
+    )
+    process.exit(1)
+  }
+
+  if (shouldUsePremium) {
+    console.log(
+      '\n🚀 Setting up framework-aware dependency monitoring (Premium)...\n'
+    )
+
+    const configData = generatePremiumDependabotConfig({
+      projectPath,
+      schedule: 'weekly',
+    })
+
+    if (configData) {
+      const { ecosystems } = configData
+      const ecosystemNames = Object.keys(ecosystems)
+
+      if (ecosystemNames.length > 0) {
+        console.log('🔍 Detected ecosystems:')
+
+        let primaryEcosystem = null
+        ecosystemNames.forEach(ecoName => {
+          const eco = ecosystems[ecoName]
+          const frameworks = Object.keys(eco.detected || {})
+          const totalPackages = frameworks.reduce((sum, fw) => {
+            return sum + (eco.detected[fw]?.count || 0)
+          }, 0)
+
+          console.log(`   • ${ecoName}: ${totalPackages} packages`)
+
+          if (eco.primary) {
+            primaryEcosystem = ecoName
+          }
+        })
+
+        if (primaryEcosystem) {
+          console.log(`\n🎯 Primary ecosystem: ${primaryEcosystem}`)
+        }
+      }
+
+      writePremiumDependabotConfig(configData, dependabotPath)
+      console.log('\n✅ Created .github/dependabot.yml with framework grouping')
+
+      console.log('\n🎉 Premium dependency monitoring setup complete!')
+      console.log('\n📋 What was added (Pro Tier):')
+      console.log('   • Framework-aware dependency grouping')
+      console.log(
+        `   • ${Object.keys(configData.config.updates[0].groups || {}).length} dependency groups created`
+      )
+      console.log('   • Intelligent update batching (reduces PRs by 60%+)')
+      console.log('   • GitHub Actions dependency monitoring')
+    }
+  } else {
+    console.log('\n🔍 Setting up basic dependency monitoring (Free Tier)...\n')
+
+    const dependabotConfig = generateBasicDependabotConfig({
+      projectPath,
+      schedule: 'weekly',
+    })
+
+    if (dependabotConfig) {
+      writeBasicDependabotConfig(dependabotConfig, dependabotPath)
+      console.log('✅ Created .github/dependabot.yml')
+    }
+
+    console.log('\n🎉 Basic dependency monitoring setup complete!')
+    console.log('\n📋 What was added (Free Tier):')
+    console.log('   • Basic Dependabot configuration for npm packages')
+    console.log('   • Weekly dependency updates on Monday 9am')
+    console.log('   • GitHub Actions dependency monitoring')
+
+    // Show upgrade message for premium features
+    console.log('\n🔒 Premium features now available:')
+    console.log('   ✅ Framework-aware package grouping (React, Vue, Angular)')
+    console.log('   • Coming soon: Multi-language support (Python, Rust, Go)')
+    console.log('   • Planned: Advanced security audit workflows')
+    console.log('   • Planned: Custom update schedules and notifications')
+
+    showUpgradeMessage('Framework-Aware Dependency Grouping')
+  }
+
+  // Auto-enable Dependabot on GitHub if token available
+  console.log('\n🔧 Attempting to enable Dependabot on GitHub...')
+  try {
+    const { setupDependabot } = require('../github-api')
+    const result = await setupDependabot(projectPath, { verbose: true })
+
+    if (result.success) {
+      console.log('✅ Dependabot alerts and security updates enabled!')
+    } else if (result.errors.length > 0) {
+      console.log('⚠️  Could not auto-enable Dependabot:')
+      result.errors.forEach(err => console.log(`   • ${err}`))
+      console.log('\n💡 Manual steps needed:')
+      console.log('   • Go to GitHub repo → Settings → Code security')
+      console.log(
+        '   • Enable "Dependabot alerts" and "Dependabot security updates"'
+      )
+    }
+  } catch (error) {
+    console.log('⚠️  Could not auto-enable Dependabot:', error.message)
+    console.log('\n💡 Manual steps:')
+    console.log('   • Enable Dependabot in GitHub repo settings')
+  }
+
+  console.log('\n💡 Next steps:')
+  console.log('   • Review and commit .github/dependabot.yml')
+  console.log(
+    '   • Dependabot will start monitoring weekly for dependency updates'
+  )
+}
+
+module.exports = {
+  handleDependencyMonitoring,
+  detectPythonProject,
+  detectRustProject,
+  detectRubyProject,
+}

package/lib/commands/index.js

@@ -0,0 +1,25 @@
+/**
+ * Command handlers index
+ *
+ * Centralizes CLI command handlers for better maintainability.
+ * Each command has its own module with focused functionality.
+ */
+
+const { handleValidationCommands } = require('./validate')
+const {
+  handleDependencyMonitoring,
+  detectPythonProject,
+  detectRustProject,
+  detectRubyProject,
+} = require('./deps')
+
+module.exports = {
+  // Validation commands
+  handleValidationCommands,
+
+  // Dependency monitoring commands
+  handleDependencyMonitoring,
+  detectPythonProject,
+  detectRustProject,
+  detectRubyProject,
+}

package/lib/commands/validate.js

@@ -0,0 +1,85 @@
+/**
+ * Validation command handlers
+ *
+ * Extracted from setup.js to improve maintainability.
+ * Handles --validate, --comprehensive, --security-config, --validate-docs commands.
+ */
+
+const { ValidationRunner } = require('../validation')
+
+/**
+ * Handle validation-only commands
+ *
+ * @param {Object} options - Validation options
+ * @param {boolean} options.isConfigSecurityMode - Run config security check only
+ * @param {boolean} options.isDocsValidationMode - Run docs validation only
+ * @param {boolean} options.isComprehensiveMode - Run comprehensive validation
+ * @param {boolean} options.isValidationMode - Run validation mode
+ * @param {boolean} options.disableNpmAudit - Skip npm audit
+ * @param {boolean} options.disableGitleaks - Skip gitleaks
+ * @param {boolean} options.disableActionlint - Skip actionlint
+ * @param {boolean} options.disableMarkdownlint - Skip markdownlint
+ * @param {boolean} options.disableEslintSecurity - Skip ESLint security
+ * @param {boolean} options.allowLatestGitleaks - Allow latest gitleaks version
+ */
+async function handleValidationCommands(options) {
+  const {
+    isConfigSecurityMode,
+    isDocsValidationMode,
+    isComprehensiveMode,
+    isValidationMode,
+    disableNpmAudit,
+    disableGitleaks,
+    disableActionlint,
+    disableMarkdownlint,
+    disableEslintSecurity,
+    allowLatestGitleaks,
+  } = options
+
+  const validationOptions = {
+    disableNpmAudit,
+    disableGitleaks,
+    disableActionlint,
+    disableMarkdownlint,
+    disableEslintSecurity,
+    allowLatestGitleaks,
+  }
+  const validator = new ValidationRunner(validationOptions)
+
+  if (isConfigSecurityMode) {
+    try {
+      await validator.runConfigSecurity()
+      process.exit(0)
+    } catch (error) {
+      console.error(
+        `\n❌ Configuration security validation failed:\n${error.message}`
+      )
+      process.exit(1)
+    }
+  }
+
+  if (isDocsValidationMode) {
+    try {
+      await validator.runDocumentationValidation()
+      process.exit(0)
+    } catch (error) {
+      console.error(`\n❌ Documentation validation failed:\n${error.message}`)
+      process.exit(1)
+    }
+  }
+
+  if (isComprehensiveMode || isValidationMode) {
+    try {
+      // Use parallel validation for 3-5x speedup (runs checks concurrently)
+      await validator.runComprehensiveCheckParallel()
+      process.exit(0)
+    } catch (error) {
+      console.error(`\n❌ Comprehensive validation failed:\n${error.message}`)
+      process.exit(1)
+    }
+  }
+}
+
+module.exports = {
+  handleValidationCommands,
+}

package/lib/error-reporter.js

@@ -253,13 +253,25 @@ class ErrorReporter {
       const category = categorizeError(error)
       const reportId = generateReportId()
 
+      // DR20 fix: Limit stack trace exposure in production mode
+      const isProduction = process.env.NODE_ENV === 'production'
+      const fullStack = sanitizeStackTrace(error?.stack || '')
+
+      // In production: only include first 3 lines of stack (error + top 2 frames)
+      // In dev/test: include full sanitized stack for debugging
+      const stackToInclude =
+        isProduction && fullStack
+          ? fullStack.split('\n').slice(0, 3).join('\n')
+          : fullStack
+
       const report = {
         id: reportId,
         timestamp: new Date().toISOString(),
         category,
         errorType: error?.constructor?.name || 'Error',
         message: sanitizeMessage(error?.message || 'Unknown error'),
-        sanitizedStack: sanitizeStackTrace(error?.stack || ''),
+        sanitizedStack: stackToInclude,
+        stackTruncated: isProduction && fullStack.split('\n').length > 3,
         operation: this.operation,
         context: {
           nodeVersion: process.version,

package/lib/github-api.js

@@ -6,6 +6,63 @@
 const https = require('https')
 const { execSync } = require('child_process')
 
+// TD5 fix: Simple rate limiter for GitHub API
+// GitHub allows 5000 requests/hour for authenticated requests
+const rateLimiter = {
+  tokens: 100, // Start with 100 tokens
+  maxTokens: 100,
+  refillRate: 100 / 3600, // Refill ~100 tokens per hour
+  lastRefill: Date.now(),
+  minDelayMs: 100, // Minimum delay between requests
+
+  async acquire() {
+    try {
+      // Refill tokens based on time elapsed
+      const now = Date.now()
+      const elapsed = (now - this.lastRefill) / 1000
+      const refilled = elapsed * this.refillRate
+
+      // DR5 fix: Validate math to prevent NaN/Infinity
+      if (!Number.isFinite(refilled) || refilled < 0) {
+        console.warn('⚠️  Rate limiter math error, resetting')
+        this.tokens = this.maxTokens
+        this.lastRefill = now
+        return
+      }
+
+      this.tokens = Math.min(this.maxTokens, this.tokens + refilled)
+      this.lastRefill = now
+
+      // If we have tokens, use one
+      if (this.tokens >= 1) {
+        this.tokens -= 1
+        return
+      }
+
+      // Wait before allowing request
+      const waitTime = Math.max(
+        this.minDelayMs,
+        ((1 - this.tokens) / this.refillRate) * 1000
+      )
+
+      // DR5 fix: Validate waitTime before setTimeout
+      if (!Number.isFinite(waitTime) || waitTime < 0 || waitTime > 60000) {
+        console.warn(
+          `⚠️  Rate limiter computed invalid wait time: ${waitTime}ms, using minimum`
+        )
+        await new Promise(resolve => setTimeout(resolve, this.minDelayMs))
+      } else {
+        await new Promise(resolve => setTimeout(resolve, waitTime))
+      }
+
+      this.tokens = 0
+    } catch (error) {
+      // DR5 fix: Don't block on rate limiter errors, just log and proceed
+      console.error(`❌ Rate limiter error: ${error.message}`)
+    }
+  },
+}
+
 /**
  * Get GitHub token from environment or gh CLI
  */
@@ -15,12 +72,21 @@ function getGitHubToken() {
     return process.env.GITHUB_TOKEN
   }
 
-  // Try to get from gh CLI
+  // Try to get from gh CLI (hardcoded command - no injection risk)
   try {
     const token = execSync('gh auth token', { encoding: 'utf8' }).trim()
     if (token) return token
-  } catch {
-    // gh CLI not available or not authenticated
+  } catch (error) {
+    // Silent failure fix: Log unexpected errors for debugging
+    // ENOENT = gh not installed (expected), other errors should be visible in DEBUG mode
+    if (
+      error?.code !== 'ENOENT' &&
+      !error?.message?.includes('command not found')
+    ) {
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  gh auth token failed: ${error.message}`)
+      }
+    }
   }
 
   return null
@@ -28,6 +94,7 @@ function getGitHubToken() {
 
 /**
  * Get repository info from git remote
+ * Uses hardcoded git command - no injection risk
  */
 function getRepoInfo(projectPath = '.') {
   try {
@@ -45,15 +112,29 @@ function getRepoInfo(projectPath = '.') {
     }
 
     return null
-  } catch {
+  } catch (error) {
+    // Silent failure fix: Log unexpected errors for debugging
+    // "No such remote" is expected when origin isn't configured
+    if (
+      !error?.stderr?.includes('No such remote') &&
+      error?.code !== 'ENOENT'
+    ) {
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  git remote get-url failed: ${error.message}`)
+      }
+    }
     return null
   }
 }
 
 /**
- * Make GitHub API request
+ * Make GitHub API request with rate limiting
+ * TD5 fix: Added rate limiting to prevent hitting GitHub's API limits
  */
-function githubRequest(method, path, token, data = null) {
+async function githubRequest(method, path, token, data = null) {
+  // TD5 fix: Acquire rate limit token before making request
+  await rateLimiter.acquire()
+
   return new Promise((resolve, reject) => {
     const options = {
       hostname: 'api.github.com',
@@ -77,17 +158,31 @@ function githubRequest(method, path, token, data = null) {
       res.on('data', chunk => (body += chunk))
       res.on('end', () => {
         if (res.statusCode >= 200 && res.statusCode < 300) {
-          resolve({
-            status: res.statusCode,
-            data: body ? JSON.parse(body) : null,
-          })
+          // DR12 fix: Handle JSON parse errors gracefully
+          try {
+            const data = body ? JSON.parse(body) : null
+            resolve({ status: res.statusCode, data })
+          } catch (_error) {
+            reject(
+              new Error(
+                `GitHub API returned invalid JSON (status ${res.statusCode}): ${body.slice(0, 100)}`
+              )
+            )
+          }
         } else if (res.statusCode === 204) {
           resolve({ status: 204, data: null })
         } else {
+          // DR12 fix: GitHub errors are usually JSON, but handle parse failures
+          let errorBody = body || res.statusMessage
+          try {
+            const errorData = JSON.parse(body)
+            errorBody = errorData.message || errorBody
+          } catch (_error) {
+            // Use raw body if JSON parse fails
+          }
+
           reject(
-            new Error(
-              `GitHub API error: ${res.statusCode} - ${body || res.statusMessage}`
-            )
+            new Error(`GitHub API error: ${res.statusCode} - ${errorBody}`)
           )
         }
       })

package/lib/license-signing.js

@@ -0,0 +1,110 @@
+'use strict'
+
+const crypto = require('crypto')
+
+// TD15 fix: Single source of truth for license key format validation
+const LICENSE_KEY_PATTERN =
+  /^QAA-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/
+
+/**
+ * Deterministic JSON stringify with sorted keys for signature verification.
+ * TD13 fix: Added circular reference protection using WeakSet.
+ */
+function stableStringify(value, seen = new WeakSet()) {
+  if (value === null || typeof value !== 'object') {
+    return JSON.stringify(value)
+  }
+  // TD13 fix: Detect circular references to prevent stack overflow
+  if (seen.has(value)) {
+    throw new Error('Circular reference detected in payload - cannot serialize')
+  }
+  seen.add(value)
+
+  if (Array.isArray(value)) {
+    return `[${value.map(item => stableStringify(item, seen)).join(',')}]`
+  }
+  const keys = Object.keys(value).sort()
+  const entries = keys.map(
+    key => `${JSON.stringify(key)}:${stableStringify(value[key], seen)}`
+  )
+  return `{${entries.join(',')}}`
+}
+
+function normalizeEmail(email) {
+  if (!email || typeof email !== 'string') return null
+  const normalized = email.trim().toLowerCase()
+  return normalized.length > 0 ? normalized : null
+}
+
+function hashEmail(email) {
+  const normalized = normalizeEmail(email)
+  if (!normalized) return null
+  return crypto.createHash('sha256').update(normalized).digest('hex')
+}
+
+/**
+ * Build a license payload for signing/verification.
+ * TD14 fix: Added input validation to prevent signature mismatches from invalid data.
+ */
+function buildLicensePayload({
+  licenseKey,
+  tier,
+  isFounder,
+  emailHash,
+  issued,
+}) {
+  // TD14 fix: Validate required fields to catch issues early
+  if (!licenseKey || typeof licenseKey !== 'string') {
+    throw new Error('licenseKey is required and must be a string')
+  }
+  if (!tier || typeof tier !== 'string') {
+    throw new Error('tier is required and must be a string')
+  }
+  if (!issued || typeof issued !== 'string') {
+    throw new Error('issued is required and must be a string')
+  }
+
+  const payload = {
+    licenseKey,
+    tier,
+    isFounder: Boolean(isFounder),
+    issued,
+  }
+  if (emailHash) {
+    payload.emailHash = emailHash
+  }
+  return payload
+}
+
+function signPayload(payload, privateKey) {
+  const data = Buffer.from(stableStringify(payload))
+  const signature = crypto.sign(null, data, privateKey)
+  return signature.toString('base64')
+}
+
+function verifyPayload(payload, signature, publicKey) {
+  const data = Buffer.from(stableStringify(payload))
+  return crypto.verify(null, data, publicKey, Buffer.from(signature, 'base64'))
+}
+
+function loadKeyFromEnv(envValue, envPathValue) {
+  if (envValue) return envValue
+  if (envPathValue) {
+    const fs = require('fs')
+    if (fs.existsSync(envPathValue)) {
+      return fs.readFileSync(envPathValue, 'utf8')
+    }
+  }
+  return null
+}
+
+module.exports = {
+  LICENSE_KEY_PATTERN,
+  stableStringify,
+  normalizeEmail,
+  hashEmail,
+  buildLicensePayload,
+  signPayload,
+  verifyPayload,
+  loadKeyFromEnv,
+}