create-qa-architect 5.0.7 → 5.4.3

package/setup.js

@@ -1,7 +1,71 @@
 #!/usr/bin/env node
 
+/**
+ * DR26 fix: Architectural Refactoring Plan for setup.js (2201 lines)
+ *
+ * PRIORITY: This file should be split into focused modules to improve
+ * maintainability, testability, and reduce cognitive load.
+ *
+ * PROPOSED MODULE STRUCTURE (target: < 500 lines per module):
+ *
+ * 1. lib/commands/validate.js (~300 lines)
+ *    - Validation command logic
+ *    - Config validation workflows
+ *    - Prelaunch validation integration
+ *
+ * 2. lib/commands/deps.js (~200 lines)
+ *    - Dependency monitoring setup
+ *    - Dependabot configuration
+ *    - GitHub API integration calls
+ *
+ * 3. lib/commands/activate.js (~150 lines)
+ *    - License activation flow
+ *    - Interactive license prompts
+ *    - License validation integration
+ *
+ * 4. lib/commands/setup-main.js (~800 lines)
+ *    - Main setup orchestration
+ *    - Template generation
+ *    - File writing operations
+ *    - Husky/lint-staged configuration
+ *
+ * 5. lib/setup-config.js (~200 lines)
+ *    - Configuration merging logic
+ *    - Package.json updates
+ *    - Workflow injection helpers
+ *
+ * 6. setup.js (core CLI, ~200 lines)
+ *    - Argument parsing
+ *    - Command routing
+ *    - Help/version display
+ *    - Exit code handling
+ *
+ * MIGRATION CHECKLIST:
+ * - [ ] Extract validation command to lib/commands/validate.js
+ * - [ ] Extract deps command to lib/commands/deps.js
+ * - [ ] Extract license activation to lib/commands/activate.js
+ * - [ ] Extract main setup flow to lib/commands/setup-main.js
+ * - [ ] Extract config helpers to lib/setup-config.js
+ * - [ ] Update all tests to use new module structure
+ * - [ ] Verify all CLI commands still work (--help, --deps, --validate, etc.)
+ * - [ ] Update integration tests
+ * - [ ] Run full test suite and ensure 100% pass rate
+ *
+ * BENEFITS:
+ * - Easier to test individual commands
+ * - Reduced cognitive load when modifying specific features
+ * - Better code organization and discoverability
+ * - Easier to add new commands in the future
+ * - Faster development cycles (smaller files to navigate)
+ *
+ * BLOCKED BY: None (can be done incrementally)
+ * ESTIMATED EFFORT: 2-3 days with full test coverage
+ * RISK: Medium (need to ensure no regressions in CLI behavior)
+ */
+
 const fs = require('fs')
 const path = require('path')
+const crypto = require('crypto')
 const { execSync } = require('child_process')
 const {
   mergeScripts,
@@ -49,29 +113,23 @@ const {
 } = require('./config/defaults')
 
 // Enhanced validation capabilities
-const { ValidationRunner } = require('./lib/validation')
 const { validateQualityConfig } = require('./lib/config-validator')
 
 // Interactive mode capabilities
 const { InteractivePrompt } = require('./lib/interactive/prompt')
 const { runInteractiveFlow } = require('./lib/interactive/questions')
 
-// Basic dependency monitoring (Free Tier)
-const {
-  hasNpmProject,
-  generateBasicDependabotConfig,
-  writeBasicDependabotConfig,
-} = require('./lib/dependency-monitoring-basic')
-
-// Premium dependency monitoring (Pro/Team/Enterprise Tiers)
-const {
-  generatePremiumDependabotConfig,
-  writePremiumDependabotConfig,
-} = require('./lib/dependency-monitoring-premium')
+// Note: Dependency monitoring imports moved to ./lib/commands/deps.js
 
 // Custom template loading
 const { TemplateLoader } = require('./lib/template-loader')
 
+// Command handlers (extracted for maintainability)
+const {
+  handleValidationCommands,
+  handleDependencyMonitoring,
+} = require('./lib/commands')
+
 // Licensing system
 const {
   getLicenseInfo,
@@ -91,6 +149,26 @@ const {
   getTestTierScripts,
 } = require('./lib/smart-strategy-generator')
 
+// Quality Tools Generator (Lighthouse, size-limit, axe-core, commitlint, coverage)
+const {
+  writeLighthouseConfig,
+  writeSizeLimitConfig,
+  writeCommitlintConfig,
+  writeCommitMsgHook,
+  writeAxeTestSetup,
+  getQualityToolsDependencies,
+  getQualityToolsScripts,
+} = require('./lib/quality-tools-generator')
+
+// Pre-Launch Validation (SEO, links, a11y, docs, env)
+const {
+  writeValidationScripts,
+  writeEnvValidator,
+  writePa11yConfig,
+  getPrelaunchScripts,
+  getPrelaunchDependencies,
+} = require('./lib/prelaunch-validator')
+
 // Telemetry (opt-in usage tracking)
 const { TelemetrySession, showTelemetryStatus } = require('./lib/telemetry')
 
@@ -103,7 +181,6 @@ const {
 // Critical setup enhancements (fixes production quality gaps)
 const {
   applyProductionQualityFixes,
-  // generateEnhancedPreCommitHook,
   validateProjectSetup,
 } = require('./lib/setup-enhancements')
 
@@ -113,6 +190,31 @@ const STYLELINT_EXTENSION_GLOB = `*.{${STYLELINT_EXTENSIONS.join(',')}}`
 const STYLELINT_SCAN_EXCLUDES = new Set(EXCLUDE_DIRECTORIES.STYLELINT)
 const MAX_STYLELINT_SCAN_DEPTH = SCAN_LIMITS.STYLELINT_MAX_DEPTH
 
+function normalizeRepoIdentifier(remoteUrl) {
+  if (!remoteUrl || typeof remoteUrl !== 'string') return null
+
+  const scpMatch = remoteUrl.match(/^[^@]+@([^:]+):(.+?)(\.git)?$/)
+  if (scpMatch) {
+    const host = scpMatch[1]
+    const repoPath = scpMatch[2].replace(/^\/+/, '').replace(/\.git$/, '')
+    return `${host}/${repoPath}`
+  }
+
+  try {
+    const parsed = new URL(remoteUrl)
+    const host = parsed.hostname
+    const repoPath = parsed.pathname.replace(/^\/+/, '').replace(/\.git$/, '')
+    if (!host || !repoPath) return null
+    return `${host}/${repoPath}`
+  } catch (_error) {
+    return null
+  }
+}
+
+function hashRepoIdentifier(value) {
+  return crypto.createHash('sha256').update(value).digest('hex')
+}
+
 function injectCollaborationSteps(workflowContent, options = {}) {
   const { enableSlackAlerts = false, enablePrComments = false } = options
   let updated = workflowContent
@@ -151,7 +253,44 @@ function injectCollaborationSteps(workflowContent, options = {}) {
 const safeReadDir = dir => {
   try {
     return fs.readdirSync(dir, { withFileTypes: true })
-  } catch {
+  } catch (error) {
+    // ENOENT is expected (dir doesn't exist) - return empty silently
+    if (error?.code === 'ENOENT') {
+      if (process.env.DEBUG) {
+        console.warn(
+          `   Debug: safeReadDir(${dir}) returned empty (directory not found)`
+        )
+      }
+      return []
+    }
+
+    // All other errors are unexpected and should be logged with context
+    console.error(`❌ Failed to read directory: ${dir}`)
+    console.error(`   Error: ${error.message} (${error.code || 'unknown'})`)
+    console.error(`   This may indicate a permission or filesystem issue`)
+
+    // Report to error tracking in production
+    if (process.env.NODE_ENV === 'production') {
+      try {
+        const errorReporter = new ErrorReporter()
+        errorReporter.captureException(error, {
+          context: 'safeReadDir',
+          directory: dir,
+          errorCode: error.code,
+        })
+      } catch (_error) {
+        // Don't fail if error reporting fails
+      }
+    }
+
+    // Re-throw for critical errors instead of silently returning []
+    if (['EACCES', 'EIO', 'ELOOP', 'EMFILE'].includes(error.code)) {
+      throw new Error(
+        `Cannot read directory ${dir}: ${error.message}. ` +
+          `This may indicate a serious filesystem or permission issue.`
+      )
+    }
+
     return []
   }
 }
@@ -332,7 +471,14 @@ function parseArguments(rawArgs) {
   const isCheckMaturityMode = sanitizedArgs.includes('--check-maturity')
   const isValidateConfigMode = sanitizedArgs.includes('--validate-config')
   const isActivateLicenseMode = sanitizedArgs.includes('--activate-license')
+  const isAnalyzeCiMode = sanitizedArgs.includes('--analyze-ci')
+  const isPrelaunchMode = sanitizedArgs.includes('--prelaunch')
   const isDryRun = sanitizedArgs.includes('--dry-run')
+  const isWorkflowMinimal = sanitizedArgs.includes('--workflow-minimal')
+  const isWorkflowStandard = sanitizedArgs.includes('--workflow-standard')
+  const isWorkflowComprehensive = sanitizedArgs.includes(
+    '--workflow-comprehensive'
+  )
   const ciProviderIndex = sanitizedArgs.findIndex(arg => arg === '--ci')
   const ciProvider =
     ciProviderIndex !== -1 && sanitizedArgs[ciProviderIndex + 1]
@@ -344,11 +490,39 @@ function parseArguments(rawArgs) {
   // Custom template directory - use raw args to preserve valid path characters (&, <, >, etc.)
   // Normalize path to prevent traversal attacks and make absolute
   const templateFlagIndex = sanitizedArgs.findIndex(arg => arg === '--template')
-  const customTemplatePath =
+  let customTemplatePath =
     templateFlagIndex !== -1 && rawArgs[templateFlagIndex + 1]
       ? path.resolve(rawArgs[templateFlagIndex + 1])
       : null
 
+  // Validate custom template path early to prevent path traversal attacks
+  if (customTemplatePath) {
+    const inputPath = rawArgs[templateFlagIndex + 1]
+    // Check for suspicious patterns (path traversal attempts)
+    if (inputPath.includes('..') || inputPath.includes('~')) {
+      console.error(
+        `❌ Invalid template path: "${inputPath}". Path traversal patterns not allowed.`
+      )
+      console.error('   Use absolute paths only (e.g., /Users/you/templates)')
+      process.exit(1)
+    }
+
+    // Verify the resolved path exists and is a directory
+    try {
+      const stats = fs.statSync(customTemplatePath)
+      if (!stats.isDirectory()) {
+        console.error(
+          `❌ Template path is not a directory: ${customTemplatePath}`
+        )
+        process.exit(1)
+      }
+    } catch (error) {
+      console.error(`❌ Template path does not exist: ${customTemplatePath}`)
+      console.error(`   Error: ${error.message}`)
+      process.exit(1)
+    }
+  }
+
   // Granular tool disable options
   const disableNpmAudit = sanitizedArgs.includes('--no-npm-audit')
   const disableGitleaks = sanitizedArgs.includes('--no-gitleaks')
@@ -372,6 +546,8 @@ function parseArguments(rawArgs) {
     isCheckMaturityMode,
     isValidateConfigMode,
     isActivateLicenseMode,
+    isAnalyzeCiMode,
+    isPrelaunchMode,
     isDryRun,
     ciProvider,
     enableSlackAlerts,
@@ -383,6 +559,9 @@ function parseArguments(rawArgs) {
     disableMarkdownlint,
     disableEslintSecurity,
     allowLatestGitleaks,
+    isWorkflowMinimal,
+    isWorkflowStandard,
+    isWorkflowComprehensive,
   }
 }
 
@@ -410,6 +589,8 @@ function parseArguments(rawArgs) {
     isCheckMaturityMode,
     isValidateConfigMode,
     isActivateLicenseMode,
+    isPrelaunchMode,
+    isAnalyzeCiMode,
     isDryRun,
     ciProvider,
     enableSlackAlerts,
@@ -421,6 +602,9 @@ function parseArguments(rawArgs) {
     disableMarkdownlint,
     disableEslintSecurity,
     allowLatestGitleaks,
+    isWorkflowMinimal,
+    isWorkflowStandard,
+    isWorkflowComprehensive,
   } = parsedConfig
 
   // Initialize telemetry session (opt-in only, fails silently)
@@ -483,6 +667,8 @@ function parseArguments(rawArgs) {
       isCheckMaturityMode,
       isValidateConfigMode,
       isActivateLicenseMode,
+      isPrelaunchMode,
+      isAnalyzeCiMode,
       isDryRun,
       ciProvider,
       enableSlackAlerts,
@@ -494,6 +680,9 @@ function parseArguments(rawArgs) {
       disableMarkdownlint,
       disableEslintSecurity,
       allowLatestGitleaks,
+      isWorkflowMinimal,
+      isWorkflowStandard,
+      isWorkflowComprehensive,
     } = parsedConfig)
 
     console.log('📋 Configuration after interactive selections applied\n')
@@ -528,6 +717,15 @@ SETUP OPTIONS:
   --template <path> Use custom templates from specified directory
   --dry-run         Preview changes without modifying files
 
+WORKFLOW TIERS (GitHub Actions optimization):
+  --workflow-minimal        Minimal CI (default) - Single Node version, weekly security
+                            ~5-10 min/commit, ~$0-5/mo for typical projects
+  --workflow-standard       Standard CI - Matrix testing on main, weekly security
+                            ~15-20 min/commit, ~$5-20/mo for typical projects
+  --workflow-comprehensive  Comprehensive CI - Matrix on every push, security inline
+                            ~50-100 min/commit, ~$100-350/mo for typical projects
+  --analyze-ci             Analyze GitHub Actions usage and get optimization tips (Pro)
+
 VALIDATION OPTIONS:
   --validate        Run comprehensive validation (same as --comprehensive)
   --comprehensive   Run all validation checks
@@ -535,6 +733,7 @@ VALIDATION OPTIONS:
   --validate-docs   Run documentation validation only
   --validate-config Validate .qualityrc.json configuration file
   --check-maturity  Detect and display project maturity level
+  --prelaunch       Add pre-launch validation suite (SEO, links, a11y, docs)
 
 LICENSE, TELEMETRY & ERROR REPORTING:
   --license-status          Show current license tier and available features
@@ -576,6 +775,9 @@ EXAMPLES:
   npx create-qa-architect@latest --check-maturity
     → Detect project maturity level (minimal, bootstrap, development, production-ready)
 
+  npx create-qa-architect@latest --prelaunch
+    → Add pre-launch validation: SEO (sitemap, robots, meta), links, a11y, docs
+
   npx create-qa-architect@latest --validate-config
     → Validate .qualityrc.json configuration file against JSON Schema
 
@@ -591,6 +793,18 @@ EXAMPLES:
   npx create-qa-architect@latest --dry-run
     → Preview what files and configurations would be created/modified
 
+  npx create-qa-architect@latest --workflow-minimal
+    → Set up with minimal CI (default) - fastest, cheapest, ideal for solo devs
+
+  npx create-qa-architect@latest --workflow-standard
+    → Set up with standard CI - balanced quality/cost for small teams
+
+  npx create-qa-architect@latest --update --workflow-minimal
+    → Convert existing comprehensive workflow to minimal (reduce CI costs)
+
+  npx create-qa-architect@latest --analyze-ci
+    → Analyze your GitHub Actions usage and get cost optimization recommendations (Pro)
+
 PRIVACY & TELEMETRY:
   Telemetry and error reporting are OPT-IN only (disabled by default). To enable:
     export QAA_TELEMETRY=true           # Usage tracking (local only)
@@ -648,258 +862,8 @@ HELP:
     process.exit(0)
   }
 
-  // Handle validation-only commands
-  async function handleValidationCommands() {
-    const validationOptions = {
-      disableNpmAudit,
-      disableGitleaks,
-      disableActionlint,
-      disableMarkdownlint,
-      disableEslintSecurity,
-      allowLatestGitleaks,
-    }
-    const validator = new ValidationRunner(validationOptions)
-
-    if (isConfigSecurityMode) {
-      try {
-        await validator.runConfigSecurity()
-        process.exit(0)
-      } catch (error) {
-        console.error(
-          `\n❌ Configuration security validation failed:\n${error.message}`
-        )
-        process.exit(1)
-      }
-    }
-
-    if (isDocsValidationMode) {
-      try {
-        await validator.runDocumentationValidation()
-        process.exit(0)
-      } catch (error) {
-        console.error(`\n❌ Documentation validation failed:\n${error.message}`)
-        process.exit(1)
-      }
-    }
-
-    if (isComprehensiveMode || isValidationMode) {
-      try {
-        // Use parallel validation for 3-5x speedup (runs checks concurrently)
-        await validator.runComprehensiveCheckParallel()
-        process.exit(0)
-      } catch (error) {
-        console.error(`\n❌ Comprehensive validation failed:\n${error.message}`)
-        process.exit(1)
-      }
-    }
-  }
-
-  // Detect Python project
-  function detectPythonProject(projectPath) {
-    const pythonFiles = [
-      'pyproject.toml',
-      'requirements.txt',
-      'setup.py',
-      'Pipfile',
-    ]
-    return pythonFiles.some(file => fs.existsSync(path.join(projectPath, file)))
-  }
-
-  // Detect Rust project
-  function detectRustProject(projectPath) {
-    return fs.existsSync(path.join(projectPath, 'Cargo.toml'))
-  }
-
-  // Detect Ruby project
-  function detectRubyProject(projectPath) {
-    return fs.existsSync(path.join(projectPath, 'Gemfile'))
-  }
-
-  // Handle dependency monitoring (Free/Pro/Team/Enterprise)
-  async function handleDependencyMonitoring() {
-    const projectPath = process.cwd()
-    const license = getLicenseInfo()
-
-    // Detect all supported ecosystems (npm, Python, Ruby, Rust, etc.)
-    const hasNpm = hasNpmProject(projectPath)
-    const hasPython = detectPythonProject(projectPath)
-    const hasRust = detectRustProject(projectPath)
-    const hasRuby = detectRubyProject(projectPath)
-
-    if (!hasNpm && !hasPython && !hasRust && !hasRuby) {
-      console.error(
-        '❌ No supported dependency file found (package.json, pyproject.toml, requirements.txt, Gemfile, Cargo.toml).'
-      )
-      console.log("💡 Make sure you're in a directory with dependency files.")
-      process.exit(1)
-    }
-
-    if (hasNpm) console.log('📦 Detected: npm project')
-    if (hasPython) console.log('🐍 Detected: Python project')
-    if (hasRust) console.log('🦀 Detected: Rust project')
-    if (hasRuby) console.log('💎 Detected: Ruby project')
-    console.log(`📋 License tier: ${license.tier.toUpperCase()}`)
-
-    // Enforce Free tier caps for dependency monitoring (counted as dependency PRs)
-    if (license.tier === 'FREE') {
-      const capCheck = checkUsageCaps('dependency-pr')
-      if (!capCheck.allowed) {
-        console.error(`❌ ${capCheck.reason}`)
-        console.error(
-          '   Upgrade to Pro, Team, or Enterprise for unlimited runs: https://vibebuildlab.com/qa-architect'
-        )
-        process.exit(1)
-      }
-
-      const increment = incrementUsage('dependency-pr')
-      const usage = increment.usage || capCheck.usage
-      const caps = capCheck.caps
-      if (usage && caps && caps.maxDependencyPRsPerMonth !== undefined) {
-        console.log(
-          `🧮 Usage: ${usage.dependencyPRs}/${caps.maxDependencyPRsPerMonth} dependency monitoring runs used this month`
-        )
-      }
-    }
-
-    const dependabotPath = path.join(projectPath, '.github', 'dependabot.yml')
-
-    // Use premium or basic config based on license tier
-    // Free beta ended with v4.1.1 - Premium features now require Pro/Team/Enterprise tier
-    // Pro/Team/Enterprise: Framework-aware dependency monitoring with grouping
-    // Free: Basic npm-only dependency monitoring
-    const shouldUsePremium =
-      license.tier === 'PRO' ||
-      license.tier === 'TEAM' ||
-      license.tier === 'ENTERPRISE'
-
-    // Free tier only supports npm projects. Fail fast with a clear message.
-    if (!shouldUsePremium && !hasNpm && (hasPython || hasRust || hasRuby)) {
-      console.error(
-        '❌ Dependency monitoring for this project requires a Pro, Team, or Enterprise license.'
-      )
-      console.error(
-        '   Free tier supports npm projects only. Detected non-npm ecosystems.'
-      )
-      console.error(
-        '   Options: add npm/package.json, or upgrade and re-run: npx create-qa-architect@latest --deps after activation.'
-      )
-      process.exit(1)
-    }
-
-    if (shouldUsePremium) {
-      console.log(
-        '\n🚀 Setting up framework-aware dependency monitoring (Premium)...\n'
-      )
-
-      const configData = generatePremiumDependabotConfig({
-        projectPath,
-        schedule: 'weekly',
-      })
-
-      if (configData) {
-        const { ecosystems } = configData
-        const ecosystemNames = Object.keys(ecosystems)
-
-        if (ecosystemNames.length > 0) {
-          console.log('🔍 Detected ecosystems:')
-
-          // Find primary ecosystem and total package count
-          let primaryEcosystem = null
-          ecosystemNames.forEach(ecoName => {
-            const eco = ecosystems[ecoName]
-            const frameworks = Object.keys(eco.detected || {})
-            const totalPackages = frameworks.reduce((sum, fw) => {
-              return sum + (eco.detected[fw]?.count || 0)
-            }, 0)
-
-            console.log(`   • ${ecoName}: ${totalPackages} packages`)
-
-            if (eco.primary) {
-              primaryEcosystem = ecoName
-            }
-          })
-
-          if (primaryEcosystem) {
-            console.log(`\n🎯 Primary ecosystem: ${primaryEcosystem}`)
-          }
-        }
-
-        writePremiumDependabotConfig(configData, dependabotPath)
-        console.log(
-          '\n✅ Created .github/dependabot.yml with framework grouping'
-        )
-
-        console.log('\n🎉 Premium dependency monitoring setup complete!')
-        console.log('\n📋 What was added (Pro Tier):')
-        console.log('   • Framework-aware dependency grouping')
-        console.log(
-          `   • ${Object.keys(configData.config.updates[0].groups || {}).length} dependency groups created`
-        )
-        console.log('   • Intelligent update batching (reduces PRs by 60%+)')
-        console.log('   • GitHub Actions dependency monitoring')
-      }
-    } else {
-      console.log(
-        '\n🔍 Setting up basic dependency monitoring (Free Tier)...\n'
-      )
-
-      const dependabotConfig = generateBasicDependabotConfig({
-        projectPath,
-        schedule: 'weekly',
-      })
-
-      if (dependabotConfig) {
-        writeBasicDependabotConfig(dependabotConfig, dependabotPath)
-        console.log('✅ Created .github/dependabot.yml')
-      }
-
-      console.log('\n🎉 Basic dependency monitoring setup complete!')
-      console.log('\n📋 What was added (Free Tier):')
-      console.log('   • Basic Dependabot configuration for npm packages')
-      console.log('   • Weekly dependency updates on Monday 9am')
-      console.log('   • GitHub Actions dependency monitoring')
-
-      // Show upgrade message for premium features
-      console.log('\n🔒 Premium features now available:')
-      console.log(
-        '   ✅ Framework-aware package grouping (React, Vue, Angular)'
-      )
-      console.log('   • Coming soon: Multi-language support (Python, Rust, Go)')
-      console.log('   • Planned: Advanced security audit workflows')
-      console.log('   • Planned: Custom update schedules and notifications')
-
-      showUpgradeMessage('Framework-Aware Dependency Grouping')
-    }
-
-    // Auto-enable Dependabot on GitHub if token available
-    console.log('\n🔧 Attempting to enable Dependabot on GitHub...')
-    try {
-      const { setupDependabot } = require('./lib/github-api')
-      const result = await setupDependabot(projectPath, { verbose: true })
-
-      if (result.success) {
-        console.log('✅ Dependabot alerts and security updates enabled!')
-      } else if (result.errors.length > 0) {
-        console.log('⚠️  Could not auto-enable Dependabot:')
-        result.errors.forEach(err => console.log(`   • ${err}`))
-        console.log('\n💡 Manual steps needed:')
-        console.log('   • Go to GitHub repo → Settings → Code security')
-        console.log(
-          '   • Enable "Dependabot alerts" and "Dependabot security updates"'
-        )
-      }
-    } catch (error) {
-      console.log('⚠️  Could not auto-enable Dependabot:', error.message)
-      console.log('\n💡 Manual steps:')
-      console.log('   • Enable Dependabot in GitHub repo settings')
-    }
-
-    console.log('\n💡 Next steps:')
-    console.log('   • Review and commit .github/dependabot.yml')
-    console.log(
-      '   • Dependabot will start monitoring weekly for dependency updates'
-    )
-  }
+  // Note: handleValidationCommands, handleDependencyMonitoring, detectPythonProject,
+  // detectRustProject, detectRubyProject are now imported from ./lib/commands
 
   // Handle license status command
   if (isLicenseStatusMode) {
@@ -948,6 +912,20 @@ HELP:
     process.exit(0)
   }
 
+  // Handle CI cost analysis command
+  if (isAnalyzeCiMode) {
+    return (async () => {
+      try {
+        const { handleAnalyzeCi } = require('./lib/commands/analyze-ci')
+        await handleAnalyzeCi()
+        process.exit(0)
+      } catch (error) {
+        console.error('CI cost analysis error:', error.message)
+        process.exit(1)
+      }
+    })()
+  }
+
   // Handle validate config command
   if (isValidateConfigMode) {
     const { validateAndReport } = require('./lib/config-validator')
@@ -969,6 +947,83 @@ HELP:
     })()
   }
 
+  // Handle pre-launch validation setup command
+  if (isPrelaunchMode) {
+    return (async () => {
+      try {
+        const projectPath = process.cwd()
+        const PackageJson = checkNodeVersionAndLoadPackageJson()
+        const pkgJson = await PackageJson.load(projectPath)
+        const license = getLicenseInfo()
+        const isPro =
+          license.tier === 'PRO' ||
+          license.tier === 'TEAM' ||
+          license.tier === 'ENTERPRISE'
+
+        console.log('\n📋 Setting up pre-launch validation suite...\n')
+        console.log(`   License tier: ${license.tier.toUpperCase()}`)
+
+        // Check feature availability
+        if (!hasFeature('prelaunchValidation')) {
+          console.error('❌ Pre-launch validation requires a valid license.')
+          showUpgradeMessage('Pre-launch validation')
+          process.exit(1)
+        }
+
+        // Write validation scripts
+        const scriptsWritten = writeValidationScripts(projectPath)
+        console.log(`   ✅ Created ${scriptsWritten.length} validation scripts`)
+
+        // Write pa11y config
+        writePa11yConfig(projectPath)
+        console.log('   ✅ Created .pa11yci config')
+
+        // Write env validator for Pro+
+        if (isPro && hasFeature('envValidation')) {
+          writeEnvValidator(projectPath)
+          console.log('   ✅ Created env vars validator (Pro)')
+        }
+
+        // Add scripts to package.json
+        const prelaunchScripts = getPrelaunchScripts(isPro)
+        const prelaunchDeps = getPrelaunchDependencies(isPro)
+
+        // Merge scripts
+        const existingScripts = pkgJson.content.scripts || {}
+        pkgJson.update({
+          scripts: { ...existingScripts, ...prelaunchScripts },
+        })
+
+        // Merge devDependencies
+        const existingDevDeps = pkgJson.content.devDependencies || {}
+        pkgJson.update({
+          devDependencies: { ...existingDevDeps, ...prelaunchDeps },
+        })
+
+        await pkgJson.save()
+
+        console.log('\n✅ Pre-launch validation setup complete!\n')
+        console.log('Available scripts:')
+        console.log('  npm run validate:sitemap   - Check sitemap.xml')
+        console.log('  npm run validate:robots    - Check robots.txt')
+        console.log('  npm run validate:meta      - Check meta tags')
+        console.log('  npm run validate:links     - Check for broken links')
+        console.log('  npm run validate:a11y      - Run accessibility audit')
+        console.log('  npm run validate:docs      - Check documentation')
+        if (isPro) {
+          console.log('  npm run validate:env       - Audit env vars (Pro)')
+        }
+        console.log('  npm run validate:prelaunch - Run all checks')
+        console.log('\n💡 Run: npm install && npm run validate:prelaunch')
+
+        process.exit(0)
+      } catch (error) {
+        console.error('Pre-launch validation setup error:', error.message)
+        process.exit(1)
+      }
+    })()
+  }
+
   // Run validation commands if requested
   if (
     isValidationMode ||
@@ -979,13 +1034,392 @@ HELP:
     // Handle validation commands and exit
     return (async () => {
       try {
-        await handleValidationCommands()
+        await handleValidationCommands({
+          isConfigSecurityMode,
+          isDocsValidationMode,
+          isComprehensiveMode,
+          isValidationMode,
+          disableNpmAudit,
+          disableGitleaks,
+          disableActionlint,
+          disableMarkdownlint,
+          disableEslintSecurity,
+          allowLatestGitleaks,
+        })
       } catch (error) {
         console.error('Validation error:', error.message)
         process.exit(1)
       }
     })()
   } else {
+    /**
+     * Setup quality tools based on license tier
+     * - Lighthouse CI (Free: basic, Pro: with thresholds)
+     * - Bundle size limits (Pro only)
+     * - axe-core accessibility (Free)
+     * - Conventional commits (Free)
+     * - Coverage thresholds (Pro only)
+     */
+    async function setupQualityTools(_usesTypeScript, _packageJson) {
+      const qualitySpinner = showProgress('Setting up quality tools...')
+
+      try {
+        const projectPath = process.cwd()
+        const PackageJson = checkNodeVersionAndLoadPackageJson()
+        const pkgJson = await PackageJson.load(projectPath)
+        const addedTools = []
+
+        // Determine which features are available
+        const hasLighthouse = hasFeature('lighthouseCI')
+        const hasLighthouseThresholds = hasFeature('lighthouseThresholds')
+        const hasBundleSizeLimits = hasFeature('bundleSizeLimits')
+        const hasAxeAccessibility = hasFeature('axeAccessibility')
+        const hasConventionalCommits = hasFeature('conventionalCommits')
+        const hasCoverageThresholds = hasFeature('coverageThresholds')
+
+        // 1. Lighthouse CI - available to all, thresholds for Pro+
+        if (hasLighthouse) {
+          try {
+            const lighthousePath = path.join(projectPath, 'lighthouserc.js')
+            if (!fs.existsSync(lighthousePath)) {
+              writeLighthouseConfig(projectPath, {
+                hasThresholds: hasLighthouseThresholds,
+              })
+              addedTools.push(
+                hasLighthouseThresholds
+                  ? 'Lighthouse CI (with thresholds)'
+                  : 'Lighthouse CI (basic)'
+              )
+            }
+          } catch (error) {
+            console.warn('⚠️ Failed to configure Lighthouse CI:', error.message)
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
+          }
+        }
+
+        // 2. Bundle size limits - Pro only
+        if (hasBundleSizeLimits) {
+          try {
+            if (!pkgJson.content['size-limit']) {
+              writeSizeLimitConfig(projectPath)
+              addedTools.push('Bundle size limits (size-limit)')
+            }
+          } catch (error) {
+            console.warn(
+              '⚠️ Failed to configure bundle size limits:',
+              error.message
+            )
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
+          }
+        }
+
+        // 3. axe-core accessibility testing - available to all
+        if (hasAxeAccessibility) {
+          try {
+            const axeTestPath = path.join(
+              projectPath,
+              'tests',
+              'accessibility.test.js'
+            )
+            if (!fs.existsSync(axeTestPath)) {
+              writeAxeTestSetup(projectPath)
+              addedTools.push('axe-core accessibility tests')
+            }
+          } catch (error) {
+            console.warn(
+              '⚠️ Failed to configure axe-core tests:',
+              error.message
+            )
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
+          }
+        }
+
+        // 4. Conventional commits (commitlint) - available to all
+        if (hasConventionalCommits) {
+          try {
+            const commitlintPath = path.join(
+              projectPath,
+              'commitlint.config.js'
+            )
+            if (!fs.existsSync(commitlintPath)) {
+              writeCommitlintConfig(projectPath)
+              writeCommitMsgHook(projectPath)
+              addedTools.push('Conventional commits (commitlint)')
+            }
+          } catch (error) {
+            console.warn('⚠️ Failed to configure commitlint:', error.message)
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
+          }
+        }
+
+        // 5. Coverage thresholds - Pro only (info message handled elsewhere)
+        if (hasCoverageThresholds) {
+          addedTools.push('Coverage thresholds (70% lines, 70% functions)')
+        }
+
+        // Add dependencies for enabled features
+        const deps = getQualityToolsDependencies({
+          lighthouse: hasLighthouse,
+          sizeLimit: hasBundleSizeLimits,
+          commitlint: hasConventionalCommits,
+          axeCore: hasAxeAccessibility,
+        })
+
+        // Add scripts for enabled features
+        const scripts = getQualityToolsScripts({
+          lighthouse: hasLighthouse,
+          sizeLimit: hasBundleSizeLimits,
+          axeCore: hasAxeAccessibility,
+          coverage: hasCoverageThresholds,
+        })
+
+        // Merge dependencies and scripts
+        pkgJson.content.devDependencies = mergeDevDependencies(
+          pkgJson.content.devDependencies || {},
+          deps
+        )
+        pkgJson.content.scripts = mergeScripts(
+          pkgJson.content.scripts || {},
+          scripts
+        )
+        await pkgJson.save()
+
+        if (addedTools.length > 0) {
+          qualitySpinner.succeed(
+            `Quality tools configured: ${addedTools.length} tools`
+          )
+          addedTools.forEach(tool => console.log(`   ✅ ${tool}`))
+
+          // Show Pro upsell for missing features
+          if (!hasBundleSizeLimits || !hasCoverageThresholds) {
+            console.log('\n💎 Upgrade to Pro for additional quality tools:')
+            if (!hasBundleSizeLimits) {
+              console.log('   • Bundle size limits (size-limit)')
+            }
+            if (!hasCoverageThresholds) {
+              console.log('   • Coverage threshold enforcement')
+            }
+          }
+        } else {
+          qualitySpinner.succeed('Quality tools already configured')
+        }
+      } catch (error) {
+        qualitySpinner.fail('Quality tools setup failed')
+        console.error(
+          `❌ Unexpected error during quality tools setup: ${error.message}`
+        )
+        if (process.env.DEBUG) {
+          console.error('   Stack:', error.stack)
+        }
+        console.error(
+          '   Please report this issue at https://github.com/your-repo/issues'
+        )
+        throw error // Re-throw to prevent silent continuation
+      }
+    }
+
+    /**
+     * Detect existing workflow mode from quality.yml
+     * @param {string} projectPath - Path to the project
+     * @returns {'minimal'|'standard'|'comprehensive'|null} Detected mode
+     */
+    function detectExistingWorkflowMode(projectPath) {
+      const workflowPath = path.join(
+        projectPath,
+        '.github',
+        'workflows',
+        'quality.yml'
+      )
+
+      if (!fs.existsSync(workflowPath)) {
+        return null
+      }
+
+      try {
+        const content = fs.readFileSync(workflowPath, 'utf8')
+
+        // Check for version markers (new format)
+        if (content.includes('# WORKFLOW_MODE: minimal')) {
+          return 'minimal'
+        }
+        if (content.includes('# WORKFLOW_MODE: standard')) {
+          return 'standard'
+        }
+        if (content.includes('# WORKFLOW_MODE: comprehensive')) {
+          return 'comprehensive'
+        }
+
+        // Legacy detection (no version marker)
+        // Comprehensive: has security job + matrix testing on every push
+        // Standard: has matrix testing but security is scheduled
+        // Minimal: no matrix, single node version
+        const hasSecurityJob = /jobs:\s*\n\s*security:/m.test(content)
+        const hasMatrixInTests = /tests:[\s\S]*?strategy:[\s\S]*?matrix:/m.test(
+          content
+        )
+        const hasScheduledSecurity =
+          /on:\s*\n\s*schedule:[\s\S]*?- cron:/m.test(content)
+
+        if (hasSecurityJob && hasMatrixInTests && !hasScheduledSecurity) {
+          return 'comprehensive'
+        }
+        if (hasMatrixInTests && hasScheduledSecurity) {
+          return 'standard'
+        }
+        if (!hasMatrixInTests) {
+          return 'minimal'
+        }
+
+        // Default to comprehensive for unknown patterns
+        return 'comprehensive'
+      } catch (error) {
+        console.warn(
+          `⚠️  Could not detect existing workflow mode: ${error.message}`
+        )
+        return null
+      }
+    }
+
+    /**
+     * Inject workflow mode-specific configuration into quality.yml
+     * @param {string} workflowContent - Template content
+     * @param {'minimal'|'standard'|'comprehensive'} mode - Selected mode
+     * @returns {string} Modified workflow content
+     */
+    function injectWorkflowMode(workflowContent, mode) {
+      let updated = workflowContent
+
+      // Add version marker at the top (after name section)
+      const versionMarker = `# WORKFLOW_MODE: ${mode}`
+      if (!updated.includes('# WORKFLOW_MODE:')) {
+        // Insert after the comment block and before jobs
+        updated = updated.replace(/(\n\njobs:)/, `\n${versionMarker}\n$1`)
+      }
+
+      // Replace PATH_FILTERS_PLACEHOLDER
+      if (updated.includes('# PATH_FILTERS_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          const pathsIgnore = `paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.gitignore'
+      - '.editorconfig'`
+          updated = updated.replace('# PATH_FILTERS_PLACEHOLDER', pathsIgnore)
+        } else {
+          // comprehensive: Remove placeholder
+          updated = updated.replace(/\s*# PATH_FILTERS_PLACEHOLDER\n?/, '')
+        }
+      }
+
+      // Replace SECURITY_SCHEDULE_PLACEHOLDER
+      if (updated.includes('# SECURITY_SCHEDULE_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          // Add weekly schedule for security scans
+          const scheduleConfig = `schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sunday (security scans)
+  workflow_dispatch:       # Manual trigger`
+          updated = updated.replace(
+            '# SECURITY_SCHEDULE_PLACEHOLDER',
+            scheduleConfig
+          )
+        } else {
+          // comprehensive: Remove placeholder
+          updated = updated.replace(/\s*# SECURITY_SCHEDULE_PLACEHOLDER\n?/, '')
+        }
+      }
+
+      // Replace SECURITY_CONDITION_PLACEHOLDER
+      if (updated.includes('# SECURITY_CONDITION_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          // Only run security on schedule events (not on every push)
+          // Replace both the placeholder comment AND the existing if line
+          updated = updated.replace(
+            /# SECURITY_CONDITION_PLACEHOLDER\n\s*if: needs\.detect-maturity\.outputs\.has-deps == 'true'/,
+            `if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.detect-maturity.outputs.has-deps == 'true'`
+          )
+        } else {
+          // comprehensive: Remove placeholder, keep the existing if condition
+          updated = updated.replace(
+            /\s*# SECURITY_CONDITION_PLACEHOLDER\n?/,
+            ''
+          )
+        }
+      }
+
+      // Replace MATRIX_PLACEHOLDER
+      if (updated.includes('# MATRIX_PLACEHOLDER')) {
+        if (mode === 'minimal') {
+          // Single Node version, no matrix
+          // Replace both the placeholder comment AND the existing strategy block
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [22]`
+          )
+        } else if (mode === 'standard') {
+          // Matrix testing only on main branch
+          // 1. Modify the job-level if condition to add branch check
+          updated = updated.replace(
+            /if: fromJSON\(needs\.detect-maturity\.outputs\.test-count\) > 0\n\s*# TESTS_CONDITION_PLACEHOLDER/,
+            `if: github.ref == 'refs/heads/main' && fromJSON(needs.detect-maturity.outputs.test-count) > 0
+    # TESTS_CONDITION_PLACEHOLDER`
+          )
+          // 2. Replace matrix placeholder and existing strategy block
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20, 22]`
+          )
+        } else {
+          // comprehensive: Matrix on every push
+          // Replace placeholder, merge with existing strategy
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20, 22]`
+          )
+        }
+      }
+
+      // Replace TESTS_CONDITION_PLACEHOLDER
+      if (updated.includes('# TESTS_CONDITION_PLACEHOLDER')) {
+        let testsCondition = ''
+
+        if (mode === 'minimal') {
+          // No matrix, always run
+          testsCondition = '# Runs on every push (single Node version)'
+        } else if (mode === 'standard') {
+          // Matrix only on main
+          testsCondition = '# Matrix testing only on main branch'
+        } else {
+          // comprehensive: Matrix on every push
+          testsCondition = '# Matrix testing on every push'
+        }
+
+        updated = updated.replace(
+          '# TESTS_CONDITION_PLACEHOLDER',
+          testsCondition
+        )
+      }
+
+      return updated
+    }
+
     // Normal setup flow
     async function runMainSetup() {
       // Record telemetry start event (opt-in only, fails silently)
@@ -1000,7 +1434,7 @@ HELP:
       try {
         execSync('git status', { stdio: 'ignore' })
         gitSpinner.succeed('Git repository verified')
-      } catch {
+      } catch (_error) {
         gitSpinner.fail('Not a git repository')
         console.error('❌ This must be run in a git repository')
         console.log('Run "git init" first, then try again.')
@@ -1010,6 +1444,8 @@ HELP:
       // Enforce FREE tier repo limit (1 private repo)
       // Must happen before any file modifications
       const license = getLicenseInfo()
+      let pendingRepoRegistration = null
+      let pendingRepoUsageSnapshot = null
       if (license.tier === 'FREE') {
         // Generate unique repo ID from git remote or directory name
         let repoId
@@ -1018,10 +1454,11 @@ HELP:
             encoding: 'utf8',
             stdio: ['pipe', 'pipe', 'ignore'],
           }).trim()
-          repoId = remoteUrl
-        } catch {
+          const normalized = normalizeRepoIdentifier(remoteUrl)
+          repoId = hashRepoIdentifier(normalized || remoteUrl)
+        } catch (_error) {
           // No remote - use absolute path as fallback
-          repoId = process.cwd()
+          repoId = hashRepoIdentifier(process.cwd())
         }
 
         const repoCheck = checkUsageCaps('repo')
@@ -1037,11 +1474,8 @@ HELP:
             process.exit(1)
           }
 
-          // Register this repo
-          incrementUsage('repo', 1, repoId)
-          console.log(
-            `✅ Registered repo (FREE tier: ${(repoCheck.usage?.repoCount || 0) + 1}/1 repos used)`
-          )
+          pendingRepoRegistration = repoId
+          pendingRepoUsageSnapshot = repoCheck.usage
         }
       }
 
@@ -1133,7 +1567,7 @@ HELP:
       const hasTypeScriptDependency = Boolean(
         (packageJson.devDependencies &&
           packageJson.devDependencies.typescript) ||
-          (packageJson.dependencies && packageJson.dependencies.typescript)
+        (packageJson.dependencies && packageJson.dependencies.typescript)
       )
 
       const tsconfigCandidates = ['tsconfig.json', 'tsconfig.base.json']
@@ -1204,7 +1638,17 @@ HELP:
           }
 
           return false
-        } catch {
+        } catch (error) {
+          // Silent failure fix: Log unexpected errors in debug mode
+          if (
+            process.env.DEBUG &&
+            error.code !== 'ENOENT' &&
+            error.code !== 'EACCES'
+          ) {
+            console.warn(
+              `⚠️  Could not scan ${dir} for Python files: ${error.message}`
+            )
+          }
           return false
         }
       }
@@ -1218,6 +1662,19 @@ HELP:
         )
       }
 
+      // Shell project detection
+      const { ProjectMaturityDetector } = require('./lib/project-maturity')
+      const maturityDetector = new ProjectMaturityDetector({
+        projectPath: process.cwd(),
+      })
+      const projectStats = maturityDetector.analyzeProject()
+      const usesShell = projectStats.isShellProject
+      if (usesShell) {
+        console.log(
+          '🐚 Detected shell script project; enabling shell quality automation'
+        )
+      }
+
       const stylelintTargets = findStylelintTargets(process.cwd())
       const usingDefaultStylelintTarget =
         stylelintTargets.length === 1 &&
@@ -1370,29 +1827,44 @@ HELP:
 
         // Validate the generated config
         const validationResult = validateQualityConfig(qualityrcPath)
+        if (!validationResult.valid) {
+          console.error(
+            '\n❌ CRITICAL: Generated .qualityrc.json failed validation'
+          )
+          console.error(
+            '   This should never happen. Please report this bug.\n'
+          )
+
+          console.error('Validation errors:')
+          validationResult.errors.forEach((error, index) => {
+            console.error(`   ${index + 1}. ${error}`)
+          })
+
+          console.error(`\n🐛 Report issue with this info:`)
+          console.error(`   • File: ${qualityrcPath}`)
+          console.error(`   • Detected maturity: ${detectedMaturity}`)
+          console.error(`   • Error count: ${validationResult.errors.length}`)
+          console.error(
+            `   • https://github.com/vibebuildlab/qa-architect/issues/new\n`
+          )
+
+          // Don't continue - this is a bug in the tool itself
+          throw new Error('Invalid quality config generated - cannot continue')
+        }
+      } else {
+        // TD8 fix: Re-enabled validation (was disabled for debugging)
+        const validationResult = validateQualityConfig(qualityrcPath)
         if (!validationResult.valid) {
           console.warn(
-            '⚠️  Warning: Generated config has validation issues (this should not happen):'
+            '⚠️  Warning: Existing .qualityrc.json has validation issues:'
           )
           validationResult.errors.forEach(error => {
             console.warn(`   - ${error}`)
           })
+          console.warn(
+            '   Setup will continue, but you may want to fix these issues.\n'
+          )
         }
-      } else {
-        // Config exists, validate it
-        // Temporarily disabled - debugging
-        // const validationResult = validateQualityConfig(qualityrcPath)
-        // if (!validationResult.valid) {
-        //   console.warn(
-        //     '⚠️  Warning: Existing .qualityrc.json has validation issues:'
-        //   )
-        //   validationResult.errors.forEach(error => {
-        //     console.warn(`   - ${error}`)
-        //   })
-        //   console.warn(
-        //     '   Setup will continue, but you may want to fix these issues.\n'
-        //   )
-        // }
       }
 
       // Load and merge templates (custom + defaults)
@@ -1471,6 +1943,23 @@ HELP:
         }
 
         const workflowFile = path.join(githubWorkflowDir, 'quality.yml')
+
+        // Determine workflow mode
+        let workflowMode = 'minimal' // Default to minimal
+        if (isWorkflowMinimal) {
+          workflowMode = 'minimal'
+        } else if (isWorkflowStandard) {
+          workflowMode = 'standard'
+        } else if (isWorkflowComprehensive) {
+          workflowMode = 'comprehensive'
+        } else if (fs.existsSync(workflowFile)) {
+          // Detect existing mode when updating
+          const existingMode = detectExistingWorkflowMode(process.cwd())
+          if (existingMode) {
+            workflowMode = existingMode
+          }
+        }
+
         if (!fs.existsSync(workflowFile)) {
           let templateWorkflow =
             templateLoader.getTemplate(
@@ -1482,13 +1971,59 @@ HELP:
               'utf8'
             )
 
+          // Inject workflow mode configuration
+          templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
+
+          // Inject collaboration steps
           templateWorkflow = injectCollaborationSteps(templateWorkflow, {
             enableSlackAlerts,
             enablePrComments,
           })
 
           fs.writeFileSync(workflowFile, templateWorkflow)
-          console.log('✅ Added GitHub Actions workflow')
+          console.log(`✅ Added GitHub Actions workflow (${workflowMode} mode)`)
+        } else if (isUpdateMode) {
+          // Update existing workflow with new mode if explicitly specified
+          if (
+            isWorkflowMinimal ||
+            isWorkflowStandard ||
+            isWorkflowComprehensive
+          ) {
+            // Load fresh template and re-inject
+            let templateWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('.github', 'workflows', 'quality.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, '.github/workflows/quality.yml'),
+                'utf8'
+              )
+
+            // Inject workflow mode configuration
+            templateWorkflow = injectWorkflowMode(
+              templateWorkflow,
+              workflowMode
+            )
+
+            // Inject collaboration steps (preserve from existing if present)
+            const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
+            const hasSlackAlerts =
+              existingWorkflow.includes('SLACK_WEBHOOK_URL')
+            const hasPrComments = existingWorkflow.includes(
+              'PR_COMMENT_PLACEHOLDER'
+            )
+
+            templateWorkflow = injectCollaborationSteps(templateWorkflow, {
+              enableSlackAlerts: hasSlackAlerts,
+              enablePrComments: hasPrComments,
+            })
+
+            fs.writeFileSync(workflowFile, templateWorkflow)
+            console.log(
+              `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+            )
+          }
         }
       }
 
@@ -1699,7 +2234,7 @@ let tier = 'FREE'
 try {
   const data = JSON.parse(fs.readFileSync(licenseFile, 'utf8'))
   tier = (data && data.tier) || 'FREE'
-} catch {
+} catch (error) {
   tier = 'FREE'
 }
 
@@ -1712,7 +2247,7 @@ try {
   if (data.month === currentMonth) {
     usage = { ...usage, ...data }
   }
-} catch {
+} catch (error) {
   // First run or corrupt file – start fresh
 }
 
@@ -1900,6 +2435,86 @@ echo "✅ Pre-push validation passed!"
           }
         }
 
+        pythonSpinner.succeed('Python quality tools configured')
+      }
+
+      // Shell project setup
+      if (usesShell) {
+        // Copy Shell CI workflow (GitHub Actions only)
+        if (ciProvider === 'github') {
+          const shellCiWorkflowFile = path.join(
+            githubWorkflowDir,
+            'shell-ci.yml'
+          )
+          if (!fs.existsSync(shellCiWorkflowFile)) {
+            const templateShellCiWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('config', 'shell-ci.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, 'config/shell-ci.yml'),
+                'utf8'
+              )
+            fs.writeFileSync(shellCiWorkflowFile, templateShellCiWorkflow)
+            console.log('✅ Added Shell CI GitHub Actions workflow')
+          }
+
+          // Copy Shell Quality workflow
+          const shellQualityWorkflowFile = path.join(
+            githubWorkflowDir,
+            'shell-quality.yml'
+          )
+          if (!fs.existsSync(shellQualityWorkflowFile)) {
+            const templateShellQualityWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('config', 'shell-quality.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, 'config/shell-quality.yml'),
+                'utf8'
+              )
+            fs.writeFileSync(
+              shellQualityWorkflowFile,
+              templateShellQualityWorkflow
+            )
+            console.log('✅ Added Shell Quality GitHub Actions workflow')
+          }
+        }
+
+        // Create a basic README if it doesn't exist
+        const readmePath = path.join(process.cwd(), 'README.md')
+        if (!fs.existsSync(readmePath)) {
+          const projectName = path.basename(process.cwd())
+          const basicReadme = `# ${projectName}
+
+Shell script collection for ${projectName}.
+
+## Usage
+
+\`\`\`bash
+# Make scripts executable
+chmod +x *.sh
+
+# Run a script
+./script-name.sh
+\`\`\`
+
+## Development
+
+Quality checks are automated via GitHub Actions:
+- ShellCheck linting
+- Syntax validation
+- Permission checks
+- Best practices analysis
+`
+          fs.writeFileSync(readmePath, basicReadme)
+          console.log('✅ Created basic README.md')
+        }
+      }
+
+      if (usesPython) {
         // Create tests directory if it doesn't exist
         const testsDir = path.join(process.cwd(), 'tests')
         if (!fs.existsSync(testsDir)) {
@@ -1942,8 +2557,6 @@ echo "✅ Pre-push validation passed!"
             )
           }
         }
-
-        pythonSpinner.succeed('Python quality tools configured')
       }
 
       // Smart Test Strategy (Pro/Team/Enterprise feature)
@@ -2007,6 +2620,9 @@ echo "✅ Pre-push validation passed!"
         showUpgradeMessage('Smart Test Strategy')
       }
 
+      // Quality Tools Integration
+      await setupQualityTools(usesTypeScript, packageJson)
+
       // Generate placeholder test file with helpful documentation
       const testsDir = path.join(process.cwd(), 'tests')
       const testExtension = usesTypeScript ? 'ts' : 'js'
@@ -2106,6 +2722,12 @@ describe('Test framework validation', () => {
 
       console.log('\n🎉 Quality automation setup complete!')
 
+      if (pendingRepoRegistration) {
+        incrementUsage('repo', 1, pendingRepoRegistration)
+        const repoCount = (pendingRepoUsageSnapshot?.repoCount || 0) + 1
+        console.log(`✅ Registered repo (FREE tier: ${repoCount}/1 repos used)`)
+      }
+
       // Record telemetry completion event (opt-in only, fails silently)
       telemetry.recordComplete({
         usesPython,