create-qa-architect 5.0.7 → 5.4.3

package/lib/result-types.js

@@ -0,0 +1,112 @@
+/**
+ * DR25 fix: Standard result type helpers for consistent API across modules
+ *
+ * This module provides standard result builders to ensure consistency across
+ * all modules in the codebase. Use these instead of ad-hoc result objects.
+ *
+ * STANDARD PATTERNS:
+ *
+ * 1. Success/failure operations (file I/O, validation, etc.):
+ *    { success: true, data?: any }
+ *    { success: false, error: string, details?: any }
+ *
+ * 2. Validation results:
+ *    { valid: true, data?: any }
+ *    { valid: false, error: string, details?: any }
+ *
+ * 3. Query results:
+ *    - Found: return data directly or { found: true, data }
+ *    - Not found: return null or { found: false }
+ *
+ * MIGRATION STATUS:
+ * - lib/licensing.js: Uses mixed patterns (being migrated)
+ * - lib/license-validator.js: Uses valid/error pattern
+ * - webhook-handler.js: Uses success/error pattern
+ * - lib/error-reporter.js: Uses success/error pattern
+ * - lib/template-loader.js: Uses success/errors array pattern
+ *
+ * @module result-types
+ */
+
+'use strict'
+
+/**
+ * Create a successful operation result
+ * @param {any} data - Optional data to include
+ * @returns {{ success: true, data?: any }}
+ */
+function success(data = null) {
+  const result = { success: true }
+  if (data !== null && data !== undefined) {
+    result.data = data
+  }
+  return result
+}
+
+/**
+ * Create a failed operation result
+ * @param {string} error - Error message
+ * @param {any} details - Optional error details
+ * @returns {{ success: false, error: string, details?: any }}
+ */
+function failure(error, details = null) {
+  const result = { success: false, error }
+  if (details !== null && details !== undefined) {
+    result.details = details
+  }
+  return result
+}
+
+/**
+ * Create a successful validation result
+ * @param {any} data - Optional validated data
+ * @returns {{ valid: true, data?: any }}
+ */
+function valid(data = null) {
+  const result = { valid: true }
+  if (data !== null && data !== undefined) {
+    result.data = data
+  }
+  return result
+}
+
+/**
+ * Create a failed validation result
+ * @param {string} error - Validation error message
+ * @param {any} details - Optional error details
+ * @returns {{ valid: false, error: string, details?: any }}
+ */
+function invalid(error, details = null) {
+  const result = { valid: false, error }
+  if (details !== null && details !== undefined) {
+    result.details = details
+  }
+  return result
+}
+
+/**
+ * Check if a result indicates success (works with both patterns)
+ * @param {object} result - Result object to check
+ * @returns {boolean} True if successful or valid
+ */
+function isSuccess(result) {
+  return result && (result.success === true || result.valid === true)
+}
+
+/**
+ * Check if a result indicates failure (works with both patterns)
+ * @param {object} result - Result object to check
+ * @returns {boolean} True if failed or invalid
+ */
+function isFailure(result) {
+  return result && (result.success === false || result.valid === false)
+}
+
+module.exports = {
+  success,
+  failure,
+  valid,
+  invalid,
+  isSuccess,
+  isFailure,
+}

package/lib/security-enhancements.js

@@ -10,7 +10,7 @@ const path = require('path')
  * Generate enhanced security configuration
  * Makes security scanning the default, not optional
  */
-function generateSecurityFirstConfig(_projectPath = '.') {
+function generateSecurityFirstConfig() {
   const securityConfig = {
     // Secret scanning configuration
     gitleaks: {

package/lib/smart-strategy-generator.js

@@ -154,17 +154,48 @@ const PROJECT_CONFIGS = {
 
 /**
  * Read package.json from project path
+ * DR22 fix: Differentiate between missing file vs. read/parse errors
  */
 function readPackageJson(projectPath) {
+  const pkgPath = path.join(projectPath, 'package.json')
+
+  // File doesn't exist - expected for non-JS projects
+  if (!fs.existsSync(pkgPath)) {
+    return null
+  }
+
   try {
-    const pkgPath = path.join(projectPath, 'package.json')
-    if (fs.existsSync(pkgPath)) {
-      return JSON.parse(fs.readFileSync(pkgPath, 'utf8'))
+    const content = fs.readFileSync(pkgPath, 'utf8')
+    return JSON.parse(content)
+  } catch (error) {
+    // DR22 fix: Provide specific error messages for different failure types
+    if (error instanceof SyntaxError) {
+      const errorId = 'PKG_JSON_INVALID_SYNTAX'
+      console.error(`❌ [${errorId}] package.json has invalid JSON syntax:`)
+      console.error(`   File: ${pkgPath}`)
+      console.error(`   Error: ${error.message}`)
+      console.error(`\n   Recovery steps:`)
+      console.error(`   1. Validate JSON: cat ${pkgPath} | jq .`)
+      console.error(
+        `   2. Common issues: trailing commas, missing quotes, unclosed brackets`
+      )
+      console.error(`   3. Use a JSON validator: https://jsonlint.com`)
+      console.error(
+        `\n   ⚠️  Smart Test Strategy will use generic fallback until this is fixed\n`
+      )
+    } else if (error.code === 'EACCES') {
+      console.error(`❌ Permission denied reading package.json: ${pkgPath}`)
+      console.error('   Check file permissions and try again')
+    } else {
+      console.error(
+        `❌ Unexpected error reading package.json: ${error.message}`
+      )
+      if (process.env.DEBUG) {
+        console.error(error.stack)
+      }
     }
-  } catch {
-    // Ignore errors
+    return null
   }
-  return null
 }
 
 /**
@@ -214,7 +245,14 @@ function generateSmartStrategy(options = {}) {
   )
 
   if (!fs.existsSync(templatePath)) {
-    throw new Error(`Smart strategy template not found at ${templatePath}`)
+    throw new Error(
+      `Smart strategy template not found at ${templatePath}\n` +
+        `This indicates a package installation issue.\n\n` +
+        `Troubleshooting steps:\n` +
+        `1. Reinstall the package: npm install -g create-qa-architect@latest\n` +
+        `2. Check file permissions: ls -la ${path.dirname(templatePath)}\n` +
+        `3. Report issue if problem persists: https://github.com/vibebuildlab/qa-architect/issues/new`
+    )
   }
 
   let template = fs.readFileSync(templatePath, 'utf8')
@@ -321,9 +359,7 @@ fi
 /**
  * Add test tier scripts to package.json
  */
-function getTestTierScripts(_projectType) {
-  // const config = PROJECT_CONFIGS[projectType] || PROJECT_CONFIGS.default
-
+function getTestTierScripts() {
   return {
     'test:fast': 'vitest run --reporter=basic --coverage=false',
     'test:medium':

package/lib/telemetry.js

@@ -75,7 +75,7 @@ function loadTelemetryData() {
       const data = fs.readFileSync(file, 'utf8')
       return JSON.parse(data)
     }
-  } catch {
+  } catch (_error) {
     // If corrupted, start fresh
     console.warn('⚠️  Telemetry data corrupted, starting fresh')
   }

package/lib/template-loader.js

@@ -34,7 +34,11 @@ class TemplateLoader {
     try {
       const stats = fs.statSync(templatePath)
       return stats.isDirectory()
-    } catch {
+    } catch (error) {
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(`⚠️  Template path check failed: ${error.message}`)
+      }
       return false
     }
   }
@@ -51,7 +55,13 @@ class TemplateLoader {
 
       const stats = fs.statSync(templateDir)
       return stats.isDirectory()
-    } catch {
+    } catch (error) {
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(
+          `⚠️  Template structure validation failed: ${error.message}`
+        )
+      }
       return false
     }
   }
@@ -128,6 +138,7 @@ class TemplateLoader {
   async loadTemplates(dir, baseDir = dir, isPackageDir = false) {
     /** @type {Record<string, string>} */
     const templates = {}
+    const errors = []
 
     try {
       const entries = fs.readdirSync(dir, { withFileTypes: true })
@@ -144,29 +155,51 @@ class TemplateLoader {
         const fullPath = path.join(dir, entry.name)
         const relativePath = path.relative(baseDir, fullPath)
 
-        if (entry.isDirectory()) {
-          // Recursively load from subdirectories
-          // After first level, we're no longer in package root
-          const subTemplates = await this.loadTemplates(
-            fullPath,
-            baseDir,
-            false
-          )
-          Object.assign(templates, subTemplates)
-        } else if (entry.isFile()) {
-          // Load file content asynchronously for better performance
-          const content = await fs.promises.readFile(fullPath, 'utf8')
-          templates[relativePath] = content
+        try {
+          if (entry.isDirectory()) {
+            // Recursively load from subdirectories
+            const subTemplates = await this.loadTemplates(
+              fullPath,
+              baseDir,
+              false
+            )
+            Object.assign(templates, subTemplates)
+          } else if (entry.isFile()) {
+            // DR6 fix: Handle individual file errors separately
+            const content = await fs.promises.readFile(fullPath, 'utf8')
+            templates[relativePath] = content
+          }
+        } catch (fileError) {
+          // Track individual file errors
+          errors.push({ file: relativePath, error: fileError.message })
+
+          if (this.strict) {
+            throw new Error(
+              `Failed to load template ${relativePath}: ${fileError.message}`
+            )
+          } else if (this.verbose) {
+            console.warn(
+              `⚠️  Skipping template ${relativePath}: ${fileError.message}`
+            )
+          }
         }
       }
     } catch (error) {
-      if (this.verbose) {
-        console.warn(
-          `⚠️ Warning: Could not load templates from ${dir}: ${error.message}`
-        )
+      const message = `Could not load templates from ${dir}: ${error.message}`
+
+      if (this.strict) {
+        throw new Error(message)
+      } else if (this.verbose) {
+        console.warn(`⚠️ ${message}`)
       }
     }
 
+    // DR6 fix: Alert if critical templates are missing
+    if (errors.length > 0 && this.verbose) {
+      console.warn(`⚠️  ${errors.length} template file(s) failed to load`)
+      console.warn('   This may result in incomplete configuration')
+    }
+
     return templates
   }
 

package/lib/ui-helpers.js

@@ -58,7 +58,7 @@ function showProgress(message) {
     const oraImport = require('ora')
     const ora = /** @type {any} */ (oraImport.default || oraImport)
     return ora(message).start()
-  } catch {
+  } catch (_error) {
     // Fallback if ora not installed (graceful degradation)
     console.log(formatMessage('working', message))
     return {

package/lib/validation/cache-manager.js

@@ -40,8 +40,14 @@ class CacheManager {
     try {
       const content = fs.readFileSync(filePath, 'utf8')
       return crypto.createHash('sha256').update(content).digest('hex')
-    } catch {
+    } catch (error) {
       // If file doesn't exist or can't be read, return timestamp-based key
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(
+          `⚠️  Cache key generation failed for ${filePath}: ${error.message}`
+        )
+      }
       return crypto
         .createHash('sha256')
         .update(`${filePath}-${Date.now()}`)
@@ -89,8 +95,12 @@ class CacheManager {
       }
 
       return cached.result
-    } catch {
+    } catch (error) {
       // If cache file is corrupted or unreadable, treat as cache miss
+      // Silent failure fix: Log unexpected errors in debug mode
+      if (process.env.DEBUG && error.code !== 'ENOENT') {
+        console.warn(`⚠️  Cache read failed: ${error.message}`)
+      }
       return null
     }
   }
@@ -127,24 +137,44 @@ class CacheManager {
    */
   clear() {
     if (!this.enabled) {
-      return
+      return { success: true, cleared: 0 }
     }
 
+    const results = { success: true, cleared: 0, errors: [] }
+
     try {
       if (fs.existsSync(this.cacheDir)) {
         const files = fs.readdirSync(this.cacheDir)
         files.forEach(file => {
           if (file.endsWith('.json')) {
-            fs.unlinkSync(path.join(this.cacheDir, file))
+            try {
+              fs.unlinkSync(path.join(this.cacheDir, file))
+              results.cleared++
+            } catch (error) {
+              // DR11 fix: Track individual file errors
+              results.errors.push({ file, error: error.message })
+              results.success = false
+            }
           }
         })
       }
     } catch (error) {
-      // Silently fail if cache clear fails
+      // DR11 fix: Report directory-level failures
+      results.success = false
+      results.errors.push({ directory: this.cacheDir, error: error.message })
+
       if (this.verbose) {
-        console.warn(`Cache clear failed: ${error.message}`)
+        console.warn(`❌ Cache clear failed: ${error.message}`)
       }
     }
+
+    // DR11 fix: Warn if any failures occurred
+    if (!results.success && this.verbose) {
+      console.warn(`⚠️  Failed to clear ${results.errors.length} cache file(s)`)
+      console.warn('   Some cached validation results may be stale')
+    }
+
+    return results
   }
 
   /**

package/lib/validation/config-security.js

@@ -5,7 +5,7 @@ const path = require('path')
 const os = require('os')
 const crypto = require('crypto')
 const https = require('https')
-const { execSync } = require('child_process')
+const { execSync, spawnSync } = require('child_process')
 const { showProgress } = require('../ui-helpers')
 
 // Pinned gitleaks version for reproducible security scanning
@@ -37,11 +37,19 @@ class ConfigSecurityScanner {
     // checksumMap dependency injection - FOR TESTING ONLY
     // WARNING: Do not use in production CLI - this bypasses security verification!
     if (options.checksumMap) {
-      if (process.env.NODE_ENV === 'production') {
+      // Security fix: Block checksumMap override in production
+      // Only allow in explicit test/development mode
+      const isTestMode = process.env.NODE_ENV === 'test'
+      const isDeveloperMode = process.env.QAA_DEVELOPER === 'true'
+      const isProduction = process.env.NODE_ENV === 'production'
+
+      if (isProduction || (!isTestMode && !isDeveloperMode)) {
         throw new Error(
-          'checksumMap override not allowed in production environment'
+          'checksumMap override not allowed in production. ' +
+            'Only permitted when NODE_ENV=test or QAA_DEVELOPER=true'
         )
       }
+
       if (!options.quiet) {
         console.warn(
           '⚠️ WARNING: Using custom checksum map - FOR TESTING ONLY!'
@@ -118,23 +126,14 @@ class ConfigSecurityScanner {
         )
       }
 
-      // Check if fallback to unpinned gitleaks is explicitly allowed
-      if (this.options.allowLatestGitleaks) {
-        console.warn(
-          '🚨 WARNING: Using npx gitleaks (supply chain risk - downloads latest version)'
-        )
-        console.warn(
-          '📌 Consider: brew install gitleaks (macOS) or choco install gitleaks (Windows)'
-        )
-        return 'npx gitleaks'
-      }
-
-      // Security-first: fail hard instead of silent fallback
+      // Security-first: fail hard instead of any fallback
+      // SECURITY: Removed npx gitleaks fallback to prevent command injection
       throw new Error(
         `Cannot resolve secure gitleaks binary. Options:\n` +
           `1. Install globally: brew install gitleaks (macOS) or choco install gitleaks (Windows)\n` +
           `2. Set GITLEAKS_PATH to your preferred binary\n` +
-          `3. Use --allow-latest-gitleaks flag (NOT RECOMMENDED - supply chain risk)`
+          `Note: --allow-latest-gitleaks flag is deprecated and no longer supported.\n` +
+          `npx gitleaks has been intentionally removed due to supply chain security risk.`
       )
     }
   }
@@ -213,20 +212,37 @@ class ConfigSecurityScanner {
   /**
    * Download file from URL to target path
    */
-  downloadFile(url, targetPath) {
-    return new Promise((resolve, reject) => {
-      const file = fs.createWriteStream(targetPath)
+  downloadFile(url, targetPath, redirectCount = 0) {
+    const MAX_REDIRECTS = 5
 
+    return new Promise((resolve, reject) => {
       https
         .get(url, response => {
-          if (response.statusCode === 302 || response.statusCode === 301) {
-            // Follow redirect
-            return this.downloadFile(response.headers.location, targetPath)
+          if (
+            response.statusCode === 302 ||
+            response.statusCode === 301 ||
+            response.statusCode === 303 ||
+            response.statusCode === 307 ||
+            response.statusCode === 308
+          ) {
+            if (redirectCount >= MAX_REDIRECTS) {
+              reject(new Error('Too many redirects while downloading gitleaks'))
+              return
+            }
+            const nextUrl = response.headers.location
+            if (!nextUrl) {
+              reject(new Error('Redirect without location header'))
+              return
+            }
+            response.resume()
+            this.downloadFile(nextUrl, targetPath, redirectCount + 1)
               .then(resolve)
               .catch(reject)
+            return
           }
 
           if (response.statusCode !== 200) {
+            response.resume()
             reject(
               new Error(
                 `HTTP ${response.statusCode}: ${response.statusMessage}`
@@ -235,6 +251,7 @@ class ConfigSecurityScanner {
             return
           }
 
+          const file = fs.createWriteStream(targetPath)
           response.pipe(file)
 
           file.on('finish', () => {
@@ -351,6 +368,7 @@ class ConfigSecurityScanner {
       execSync(auditCmd, {
         stdio: 'pipe',
         timeout: 60000, // 60 second timeout for audit operations
+        maxBuffer: 10 * 1024 * 1024,
         encoding: 'utf8',
       })
       spinner.succeed('npm audit completed - no high/critical vulnerabilities')
@@ -368,11 +386,13 @@ class ConfigSecurityScanner {
           const auditResult = JSON.parse(error.stdout.toString())
           if (auditResult.metadata && auditResult.metadata.vulnerabilities) {
             const vulns = auditResult.metadata.vulnerabilities
-            const total = vulns.high + vulns.critical + vulns.moderate
+            const total = vulns.high + vulns.critical
             if (total > 0) {
-              spinner.fail(`npm audit found ${total} vulnerabilities`)
+              spinner.fail(
+                `npm audit found ${total} high/critical vulnerabilities`
+              )
               this.issues.push(
-                `${packageManager} audit: ${total} vulnerabilities found (${vulns.high} high, ${vulns.critical} critical). Run '${packageManager} audit fix' to resolve.`
+                `${packageManager} audit: ${total} high/critical vulnerabilities found (${vulns.high} high, ${vulns.critical} critical). Run '${packageManager} audit fix' to resolve.`
               )
             } else {
               spinner.succeed(
@@ -383,11 +403,16 @@ class ConfigSecurityScanner {
             spinner.succeed('npm audit completed')
           }
         } catch {
-          spinner.warn(`Could not parse ${packageManager} audit output`)
-          console.warn(`Could not parse ${packageManager} audit output`)
+          spinner.fail(`Could not parse ${packageManager} audit output`)
+          this.issues.push(
+            `${packageManager} audit: Unable to parse audit output. Run '${packageManager} audit --json' manually to inspect vulnerabilities.`
+          )
         }
       } else {
-        spinner.succeed('npm audit completed')
+        spinner.fail('npm audit returned an error with no output')
+        this.issues.push(
+          `${packageManager} audit: Failed with no output. Run '${packageManager} audit --json' manually to inspect vulnerabilities.`
+        )
       }
     }
   }
@@ -405,16 +430,34 @@ class ConfigSecurityScanner {
 
       // Build command - handle npx vs direct binary execution
       const isNpxCommand = gitleaksBinary.startsWith('npx ')
-      const command = isNpxCommand
-        ? `${gitleaksBinary} detect --source . --redact`
-        : `"${gitleaksBinary}" detect --source . --redact`
+      const args = ['detect', '--source', '.', '--redact']
+      const command = isNpxCommand ? 'npx' : gitleaksBinary
+      const commandArgs = isNpxCommand ? ['gitleaks', ...args] : args
 
       // Run gitleaks with --redact to prevent secret exposure and timeout for safety
-      execSync(command, {
+      const result = spawnSync(command, commandArgs, {
         stdio: 'pipe',
         timeout: 30000, // 30 second timeout to prevent hangs
         encoding: 'utf8',
       })
+
+      if (result.error) {
+        const error = result.error
+        error.stdout = result.stdout
+        error.stderr = result.stderr
+        error.status = result.status
+        error.signal = result.signal
+        throw error
+      }
+
+      if (result.status !== 0) {
+        const error = new Error('gitleaks exited with non-zero status')
+        error.status = result.status
+        error.stdout = result.stdout
+        error.stderr = result.stderr
+        error.signal = result.signal
+        throw error
+      }
       spinner.succeed('gitleaks scan completed - no secrets detected')
     } catch (error) {
       if (error.signal === 'SIGTERM') {
@@ -676,14 +719,38 @@ class ConfigSecurityScanner {
         const secretPattern =
           /(?:SECRET|PASSWORD|KEY|TOKEN)\s*=\s*["']?[^"\s']+/gi
         if (secretPattern.test(envStatement)) {
+          const redacted = this.redactDockerEnv(envStatement)
           this.issues.push(
-            `Dockerfile: Hardcoded secret in ENV statement: ${envStatement.trim()}`
+            `Dockerfile: Hardcoded secret in ENV statement: ${redacted}`
           )
         }
       }
     }
   }
 
+  redactDockerEnv(statement) {
+    const trimmed = statement.trim()
+    const match = trimmed.match(/^ENV\s+(.+)$/i)
+    if (!match) return trimmed
+
+    const body = match[1].trim()
+    if (body.includes('=')) {
+      const redactedBody = body.replace(
+        /=\s*(?:'[^']*'|"[^"]*"|[^ \t\r\n]+)/g,
+        '=[REDACTED]'
+      )
+      return `ENV ${redactedBody}`
+    }
+
+    const parts = body.split(/\s+/)
+    if (parts.length >= 2) {
+      parts[1] = '[REDACTED]'
+      return `ENV ${parts.join(' ')}`
+    }
+
+    return `ENV ${body}`
+  }
+
   /**
    * Check .gitignore for security-sensitive files
    */