create-qa-architect 5.0.7 → 5.3.1

package/lib/template-loader.js

@@ -34,7 +34,11 @@ class TemplateLoader {
     try {
       const stats = fs.statSync(templatePath)
       return stats.isDirectory()
-    } catch {
+    } catch (error) {
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(`⚠️  Template path check failed: ${error.message}`)
+      }
       return false
     }
   }
@@ -51,7 +55,13 @@ class TemplateLoader {
 
       const stats = fs.statSync(templateDir)
       return stats.isDirectory()
-    } catch {
+    } catch (error) {
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(
+          `⚠️  Template structure validation failed: ${error.message}`
+        )
+      }
       return false
     }
   }
@@ -128,6 +138,7 @@ class TemplateLoader {
   async loadTemplates(dir, baseDir = dir, isPackageDir = false) {
     /** @type {Record<string, string>} */
     const templates = {}
+    const errors = []
 
     try {
       const entries = fs.readdirSync(dir, { withFileTypes: true })
@@ -144,29 +155,51 @@ class TemplateLoader {
         const fullPath = path.join(dir, entry.name)
         const relativePath = path.relative(baseDir, fullPath)
 
-        if (entry.isDirectory()) {
-          // Recursively load from subdirectories
-          // After first level, we're no longer in package root
-          const subTemplates = await this.loadTemplates(
-            fullPath,
-            baseDir,
-            false
-          )
-          Object.assign(templates, subTemplates)
-        } else if (entry.isFile()) {
-          // Load file content asynchronously for better performance
-          const content = await fs.promises.readFile(fullPath, 'utf8')
-          templates[relativePath] = content
+        try {
+          if (entry.isDirectory()) {
+            // Recursively load from subdirectories
+            const subTemplates = await this.loadTemplates(
+              fullPath,
+              baseDir,
+              false
+            )
+            Object.assign(templates, subTemplates)
+          } else if (entry.isFile()) {
+            // DR6 fix: Handle individual file errors separately
+            const content = await fs.promises.readFile(fullPath, 'utf8')
+            templates[relativePath] = content
+          }
+        } catch (fileError) {
+          // Track individual file errors
+          errors.push({ file: relativePath, error: fileError.message })
+
+          if (this.strict) {
+            throw new Error(
+              `Failed to load template ${relativePath}: ${fileError.message}`
+            )
+          } else if (this.verbose) {
+            console.warn(
+              `⚠️  Skipping template ${relativePath}: ${fileError.message}`
+            )
+          }
         }
       }
     } catch (error) {
-      if (this.verbose) {
-        console.warn(
-          `⚠️ Warning: Could not load templates from ${dir}: ${error.message}`
-        )
+      const message = `Could not load templates from ${dir}: ${error.message}`
+
+      if (this.strict) {
+        throw new Error(message)
+      } else if (this.verbose) {
+        console.warn(`⚠️ ${message}`)
       }
     }
 
+    // DR6 fix: Alert if critical templates are missing
+    if (errors.length > 0 && this.verbose) {
+      console.warn(`⚠️  ${errors.length} template file(s) failed to load`)
+      console.warn('   This may result in incomplete configuration')
+    }
+
     return templates
   }
 

package/lib/validation/cache-manager.js

@@ -40,8 +40,14 @@ class CacheManager {
     try {
       const content = fs.readFileSync(filePath, 'utf8')
       return crypto.createHash('sha256').update(content).digest('hex')
-    } catch {
+    } catch (error) {
       // If file doesn't exist or can't be read, return timestamp-based key
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(
+          `⚠️  Cache key generation failed for ${filePath}: ${error.message}`
+        )
+      }
       return crypto
         .createHash('sha256')
         .update(`${filePath}-${Date.now()}`)
@@ -89,8 +95,12 @@ class CacheManager {
       }
 
       return cached.result
-    } catch {
+    } catch (error) {
       // If cache file is corrupted or unreadable, treat as cache miss
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(`⚠️  Cache read failed: ${error.message}`)
+      }
       return null
     }
   }
@@ -127,24 +137,44 @@ class CacheManager {
    */
   clear() {
     if (!this.enabled) {
-      return
+      return { success: true, cleared: 0 }
     }
 
+    const results = { success: true, cleared: 0, errors: [] }
+
     try {
       if (fs.existsSync(this.cacheDir)) {
         const files = fs.readdirSync(this.cacheDir)
         files.forEach(file => {
           if (file.endsWith('.json')) {
-            fs.unlinkSync(path.join(this.cacheDir, file))
+            try {
+              fs.unlinkSync(path.join(this.cacheDir, file))
+              results.cleared++
+            } catch (error) {
+              // DR11 fix: Track individual file errors
+              results.errors.push({ file, error: error.message })
+              results.success = false
+            }
           }
         })
       }
     } catch (error) {
-      // Silently fail if cache clear fails
+      // DR11 fix: Report directory-level failures
+      results.success = false
+      results.errors.push({ directory: this.cacheDir, error: error.message })
+
       if (this.verbose) {
-        console.warn(`Cache clear failed: ${error.message}`)
+        console.warn(`❌ Cache clear failed: ${error.message}`)
       }
     }
+
+    // DR11 fix: Warn if any failures occurred
+    if (!results.success && this.verbose) {
+      console.warn(`⚠️  Failed to clear ${results.errors.length} cache file(s)`)
+      console.warn('   Some cached validation results may be stale')
+    }
+
+    return results
   }
 
   /**

package/lib/validation/config-security.js

@@ -5,7 +5,7 @@ const path = require('path')
 const os = require('os')
 const crypto = require('crypto')
 const https = require('https')
-const { execSync } = require('child_process')
+const { execSync, spawnSync } = require('child_process')
 const { showProgress } = require('../ui-helpers')
 
 // Pinned gitleaks version for reproducible security scanning
@@ -213,20 +213,37 @@ class ConfigSecurityScanner {
   /**
    * Download file from URL to target path
    */
-  downloadFile(url, targetPath) {
-    return new Promise((resolve, reject) => {
-      const file = fs.createWriteStream(targetPath)
+  downloadFile(url, targetPath, redirectCount = 0) {
+    const MAX_REDIRECTS = 5
 
+    return new Promise((resolve, reject) => {
       https
         .get(url, response => {
-          if (response.statusCode === 302 || response.statusCode === 301) {
-            // Follow redirect
-            return this.downloadFile(response.headers.location, targetPath)
+          if (
+            response.statusCode === 302 ||
+            response.statusCode === 301 ||
+            response.statusCode === 303 ||
+            response.statusCode === 307 ||
+            response.statusCode === 308
+          ) {
+            if (redirectCount >= MAX_REDIRECTS) {
+              reject(new Error('Too many redirects while downloading gitleaks'))
+              return
+            }
+            const nextUrl = response.headers.location
+            if (!nextUrl) {
+              reject(new Error('Redirect without location header'))
+              return
+            }
+            response.resume()
+            this.downloadFile(nextUrl, targetPath, redirectCount + 1)
               .then(resolve)
               .catch(reject)
+            return
           }
 
           if (response.statusCode !== 200) {
+            response.resume()
             reject(
               new Error(
                 `HTTP ${response.statusCode}: ${response.statusMessage}`
@@ -235,6 +252,7 @@ class ConfigSecurityScanner {
             return
           }
 
+          const file = fs.createWriteStream(targetPath)
           response.pipe(file)
 
           file.on('finish', () => {
@@ -351,6 +369,7 @@ class ConfigSecurityScanner {
       execSync(auditCmd, {
         stdio: 'pipe',
         timeout: 60000, // 60 second timeout for audit operations
+        maxBuffer: 10 * 1024 * 1024,
         encoding: 'utf8',
       })
       spinner.succeed('npm audit completed - no high/critical vulnerabilities')
@@ -368,11 +387,13 @@ class ConfigSecurityScanner {
           const auditResult = JSON.parse(error.stdout.toString())
           if (auditResult.metadata && auditResult.metadata.vulnerabilities) {
             const vulns = auditResult.metadata.vulnerabilities
-            const total = vulns.high + vulns.critical + vulns.moderate
+            const total = vulns.high + vulns.critical
             if (total > 0) {
-              spinner.fail(`npm audit found ${total} vulnerabilities`)
+              spinner.fail(
+                `npm audit found ${total} high/critical vulnerabilities`
+              )
               this.issues.push(
-                `${packageManager} audit: ${total} vulnerabilities found (${vulns.high} high, ${vulns.critical} critical). Run '${packageManager} audit fix' to resolve.`
+                `${packageManager} audit: ${total} high/critical vulnerabilities found (${vulns.high} high, ${vulns.critical} critical). Run '${packageManager} audit fix' to resolve.`
               )
             } else {
               spinner.succeed(
@@ -405,16 +426,34 @@ class ConfigSecurityScanner {
 
       // Build command - handle npx vs direct binary execution
       const isNpxCommand = gitleaksBinary.startsWith('npx ')
-      const command = isNpxCommand
-        ? `${gitleaksBinary} detect --source . --redact`
-        : `"${gitleaksBinary}" detect --source . --redact`
+      const args = ['detect', '--source', '.', '--redact']
+      const command = isNpxCommand ? 'npx' : gitleaksBinary
+      const commandArgs = isNpxCommand ? ['gitleaks', ...args] : args
 
       // Run gitleaks with --redact to prevent secret exposure and timeout for safety
-      execSync(command, {
+      const result = spawnSync(command, commandArgs, {
         stdio: 'pipe',
         timeout: 30000, // 30 second timeout to prevent hangs
         encoding: 'utf8',
       })
+
+      if (result.error) {
+        const error = result.error
+        error.stdout = result.stdout
+        error.stderr = result.stderr
+        error.status = result.status
+        error.signal = result.signal
+        throw error
+      }
+
+      if (result.status !== 0) {
+        const error = new Error('gitleaks exited with non-zero status')
+        error.status = result.status
+        error.stdout = result.stdout
+        error.stderr = result.stderr
+        error.signal = result.signal
+        throw error
+      }
       spinner.succeed('gitleaks scan completed - no secrets detected')
     } catch (error) {
       if (error.signal === 'SIGTERM') {
@@ -676,14 +715,38 @@ class ConfigSecurityScanner {
         const secretPattern =
           /(?:SECRET|PASSWORD|KEY|TOKEN)\s*=\s*["']?[^"\s']+/gi
         if (secretPattern.test(envStatement)) {
+          const redacted = this.redactDockerEnv(envStatement)
           this.issues.push(
-            `Dockerfile: Hardcoded secret in ENV statement: ${envStatement.trim()}`
+            `Dockerfile: Hardcoded secret in ENV statement: ${redacted}`
           )
         }
       }
     }
   }
 
+  redactDockerEnv(statement) {
+    const trimmed = statement.trim()
+    const match = trimmed.match(/^ENV\s+(.+)$/i)
+    if (!match) return trimmed
+
+    const body = match[1].trim()
+    if (body.includes('=')) {
+      const redactedBody = body.replace(
+        /=\s*(?:'[^']*'|"[^"]*"|[^ \t\r\n]+)/g,
+        '=[REDACTED]'
+      )
+      return `ENV ${redactedBody}`
+    }
+
+    const parts = body.split(/\s+/)
+    if (parts.length >= 2) {
+      parts[1] = '[REDACTED]'
+      return `ENV ${parts.join(' ')}`
+    }
+
+    return `ENV ${body}`
+  }
+
   /**
    * Check .gitignore for security-sensitive files
    */

package/lib/validation/workflow-validation.js

@@ -95,15 +95,36 @@ class WorkflowValidator {
       for (const file of workflowFiles) {
         const filePath = path.join(workflowDir, file)
         const content = fs.readFileSync(filePath, 'utf8')
-        const results = linter(content, filePath) || []
 
-        if (Array.isArray(results) && results.length > 0) {
-          issueCount += results.length
-          results.forEach(result => {
-            this.issues.push(
-              `actionlint: ${result.file}:${result.line}:${result.column} ${result.kind} - ${result.message}`
+        try {
+          const results = linter(content, filePath) || []
+
+          if (Array.isArray(results) && results.length > 0) {
+            // Filter out false positives for 'vars' context (valid GitHub feature, not recognized by actionlint WASM)
+            const filteredResults = results.filter(
+              result =>
+                !(
+                  result.kind === 'expression' &&
+                  result.message?.includes('undefined variable "vars"')
+                )
             )
-          })
+            issueCount += filteredResults.length
+            filteredResults.forEach(result => {
+              this.issues.push(
+                `actionlint: ${result.file}:${result.line}:${result.column} ${result.kind} - ${result.message}`
+              )
+            })
+          }
+        } catch (lintError) {
+          // WASM actionlint has limits on file complexity - skip silently for large files
+          if (
+            lintError.message?.includes('unreachable') &&
+            content.length > 10000
+          ) {
+            // Large file exceeded WASM limits - not a validation failure
+            continue
+          }
+          throw lintError
         }
       }
 

package/package.json

@@ -1,11 +1,10 @@
 {
   "name": "create-qa-architect",
-  "version": "5.0.7",
+  "version": "5.3.1",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
-    "create-qa-architect": "./setup.js",
-    "create-saas-monetization": "./create-saas-monetization.js"
+    "create-qa-architect": "./setup.js"
   },
   "scripts": {
     "prepare": "husky",
@@ -66,7 +65,6 @@
   "license": "SEE LICENSE IN LICENSE",
   "files": [
     "setup.js",
-    "create-saas-monetization.js",
     "config/",
     "docs/",
     "lib/",

package/scripts/check-test-coverage.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# Check test coverage for new features
+# Run manually or via pre-commit hook (warning only)
+
+set -e
+
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+warnings=0
+
+echo "🔍 Checking test coverage..."
+
+# Find source files without corresponding test files
+for file in $(find src -name "*.ts" -o -name "*.tsx" 2>/dev/null | grep -v "\.test\." | grep -v "\.d\.ts" || true); do
+  # Skip layout, page, and config files (Next.js conventions)
+  if [[ "$file" == *"/layout."* ]] || [[ "$file" == *"/page."* ]] || [[ "$file" == *".config."* ]]; then
+    continue
+  fi
+
+  # Skip API routes (tested via integration tests)
+  if [[ "$file" == *"/api/"* ]]; then
+    continue
+  fi
+
+  # Check for corresponding test file
+  test_file="${file%.*}.test.${file##*.}"
+
+  if [ ! -f "$test_file" ] && [ ! -f "tests/unit/$(basename ${file%.*}).test.ts" ]; then
+    # Only warn for lib/ and components/ (core business logic)
+    if [[ "$file" == *"/lib/"* ]] || [[ "$file" == *"/components/"* ]]; then
+      echo -e "${YELLOW}⚠️  May need test: $file${NC}"
+      ((warnings++)) || true
+    fi
+  fi
+done
+
+if [ $warnings -gt 0 ]; then
+  echo ""
+  echo -e "${YELLOW}⚠️  $warnings file(s) in lib/ or components/ may need tests${NC}"
+  echo "   Run: pnpm test:coverage to check actual coverage"
+else
+  echo "✅ All core files appear to have tests"
+fi
+
+exit 0