create-qa-architect 5.11.1 → 5.12.0

package/.github/workflows/auto-release.yml

@@ -0,0 +1,39 @@
+name: Auto Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get previous tag
+        id: prev_tag
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          echo "tag=$PREV_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate release notes
+        run: |
+          TAG=${GITHUB_REF#refs/tags/}
+          PREV_TAG=${{ steps.prev_tag.outputs.tag }}
+          if [ -n "$PREV_TAG" ]; then
+            echo "## Changes since $PREV_TAG" > notes.md
+            git log ${PREV_TAG}..${TAG} --pretty=format:"- %s" >> notes.md
+            echo -e "\n\n**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${TAG}" >> notes.md
+          else
+            echo "Initial release" > notes.md
+          fi
+
+      - uses: softprops/action-gh-release@v2
+        with:
+          body_path: notes.md

package/.github/workflows/quality.yml

@@ -32,8 +32,11 @@ concurrency:
 
 jobs:
   # Step 1: Detect project maturity level and package manager
+  # Skip for Dependabot PRs - they auto-merge based on their own checks
+  # This reduces GitHub Actions minutes by ~50% on active repos
   detect-maturity:
     runs-on: ubuntu-latest
+    if: github.actor != 'dependabot[bot]' || github.event_name == 'schedule'
     outputs:
       maturity: ${{ steps.detect.outputs.maturity }}
       source-count: ${{ steps.detect.outputs.source-count }}
@@ -338,7 +341,7 @@ jobs:
             gitleaks-8.28.0-linux-x64-
 
       - name: Run real gitleaks binary verification test
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && hashFiles('tests/gitleaks-real-binary-test.js') != ''
         run: |
           echo "🔐 Running real gitleaks binary verification test..."
           QAA_DEVELOPER=true RUN_REAL_BINARY_TEST=1 node tests/gitleaks-real-binary-test.js

package/config/defaults.js

@@ -75,6 +75,9 @@ const baseDevDependencies = {
   '@lhci/cli': '^0.14.0',
   vitest: '^2.1.8',
   '@vitest/coverage-v8': '^2.1.8',
+  commitlint: '^20.4.1',
+  '@commitlint/cli': '^20.4.1',
+  '@commitlint/config-conventional': '^20.4.1',
 }
 
 const typeScriptDevDependencies = {

package/config/quality-config.schema.json

@@ -91,6 +91,81 @@
         },
         "additionalProperties": false
       }
+    },
+    "performance": {
+      "type": "object",
+      "description": "Performance budget configuration",
+      "properties": {
+        "lighthouse": {
+          "type": "object",
+          "description": "Lighthouse CI performance thresholds",
+          "properties": {
+            "performance": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum performance score (0-1)"
+            },
+            "accessibility": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum accessibility score (0-1)"
+            },
+            "bestPractices": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum best practices score (0-1)"
+            },
+            "seo": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum SEO score (0-1)"
+            },
+            "maxFCP": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max First Contentful Paint in ms"
+            },
+            "maxLCP": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Largest Contentful Paint in ms"
+            },
+            "maxCLS": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Cumulative Layout Shift"
+            },
+            "maxTBT": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Total Blocking Time in ms"
+            }
+          },
+          "additionalProperties": false
+        },
+        "bundleSize": {
+          "type": "object",
+          "description": "Bundle size limits",
+          "properties": {
+            "maxJs": {
+              "type": "string",
+              "pattern": "^[0-9]+ [kKmM][bB]$",
+              "description": "Max JS bundle size (e.g., '250 kB')"
+            },
+            "maxCss": {
+              "type": "string",
+              "pattern": "^[0-9]+ [kKmM][bB]$",
+              "description": "Max CSS bundle size (e.g., '50 kB')"
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
     }
   },
   "additionalProperties": false

package/docs/CI-COST-ANALYSIS.md

@@ -1,323 +1,123 @@
-# GitHub Actions Cost Analysis: Is qa-architect Over-Engineering CI/CD?
+# GitHub Actions Cost Analysis
 
-**Date**: 2026-01-06
-**Finding**: YES - qa-architect's default setup is 3-5x more expensive than industry standards for solo/small projects.
+**Updated**: 2026-02-03
+**Budget**: 2,000 mins/month (GitHub Free tier)
 
 ---
 
-## The Problem
+## Current Status: Within Budget (with fixes)
 
-Your projects are costing **$469/month** in GitHub Actions CI when they should cost **$0-50/month**.
+### Actual January 2026 Usage (vibebuildlab org)
 
-| Project                    | Commits/Day | Minutes/Month | Cost/Month | Status      |
-| -------------------------- | ----------- | ------------- | ---------- | ----------- |
-| vibebuildlab               | 7.4         | 46,852 min    | $358       | 🔴 CRITICAL |
-| qa-architect               | 1.7         | 15,810 min    | $110       | 🔴 HIGH     |
-| stark-program-intelligence | 1.6         | 2,160 min     | $1.28      | 🟢 OK       |
-| vibelab-claude-setup       | 2.0         | 531 min       | $0         | ✅ OPTIMAL  |
+| Repo                    | Minutes    | Runs  | Avg/Run |
+| ----------------------- | ---------- | ----- | ------- |
+| qa-architect            | 340        | 349   | 1.0 min |
+| postrail                | 1,769      | 295   | 6.0 min |
+| vibebuildlab            | 89         | 282   | 0.3 min |
+| keyflash                | 74         | 187   | 0.4 min |
+| wfhroulette             | 56         | 138   | 0.4 min |
+| jobrecon                | 56         | 44    | 1.3 min |
+| ai-second-act           | 4          | 33    | 0.1 min |
+| vibebuildlab-newsletter | 1          | 22    | 0.0 min |
+| **TOTAL**               | **~2,400** | 1,350 | 1.8 min |
 
----
-
-## Root Cause Analysis
-
-### What qa-architect Is Doing (vibebuildlab example)
-
-**Current quality.yml**: 161 minutes per commit, runs 221 times/month
-
-```yaml
-Jobs running on EVERY push:
-1. detect-maturity (1 job) ~ 2 min
-2. core-checks (2 jobs) ~ 10 min  # Node 20 + 22 matrix
-3. linting (1 job) ~ 8 min
-4. security (1 job) ~ 25 min       # Gitleaks + Semgrep + 3× npm audit
-5. tests (2 jobs) ~ 30 min         # Node 20 + 22 matrix
-6. documentation (1 job) ~ 15 min  # Only if production-ready
-7. summary (1 job) ~ 1 min
-
-TOTAL: ~90-100 minutes per push (when all jobs run)
-```
-
-**Problems identified**:
-
-1. ❌ **No path filters** - Runs full CI on docs/README commits
-2. ❌ **Duplicate matrix testing** - Both core-checks AND tests run Node 20/22
-3. ❌ **Security overkill** - Gitleaks + Semgrep + npm audit (3 variants) on EVERY push
-4. ❌ **No job concurrency limits** - Rapid commits queue up expensive builds
-5. ❌ **Production checks on every commit** - Documentation validation should be release-only
-
----
-
-## Industry Standards (Successful Projects)
-
-### Vite (Major Framework, 1000+ contributors)
-
-- **Runtime**: 50-60 min/commit
-- **Path filters**: ✅ Skips tests on docs-only changes
-- **Matrix**: Node 20, 22, 24 (3 versions)
-- **Cross-platform**: Only on latest Node, not all versions
-- **Security**: Runs on schedule, not every commit
+### February Projection (Pre-Fix)
 
-### Ky (Popular Library, Sindre Sorhus)
+Based on Feb 1-3 data extrapolated:
 
-- **Runtime**: 10-15 min/commit
-- **Matrix**: Node 20, 22, 24, latest (4 versions)
-- **Platform**: macOS only (assumes Linux/Windows compatibility)
-- **Security**: Separate workflow
+- **Projected**: 3,425 mins/month
+- **Budget**: 2,000 mins/month
+- **Overage**: 71%
 
-### Common Patterns
+### Root Cause: Dependabot PR Spam
 
-1. **Minimal on push** - Lint + test current Node only
-2. **Matrix testing** - Only on main branch or scheduled
-3. **Security scans** - Weekly/nightly, not per commit
-4. **Documentation** - Only on release branches
-5. **Path filters** - Skip CI for docs/README/LICENSE changes
-
-**Sources**:
-
-- [GitHub Actions alternatives for modern CI/CD](https://northflank.com/blog/github-actions-alternatives)
-- [Ultimate free CI/CD for open-source projects](https://dev.to/itnext/the-ultimate-free-ci-cd-for-your-open-source-projects-3bkd)
+| Repo         | Dependabot % of Runs |
+| ------------ | -------------------- |
+| jobrecon     | 91%                  |
+| postrail     | 63%                  |
+| keyflash     | 53%                  |
+| qa-architect | 8%                   |
+| vibebuildlab | 0%                   |
 
 ---
 
-## Recommended Changes
-
-### Phase 1: Quick Wins (Reduce by 60-70%)
-
-#### 1. Add Path Filters
-
-```yaml
-on:
-  push:
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
-      - '.gitignore'
-      - '.editorconfig'
-```
-
-**Savings**: ~20% of commits are docs-only
-**vibebuildlab**: 7,117 min/month saved ($57/mo)
+## Fixes Applied (v5.11.2)
 
-#### 2. Reduce Matrix Redundancy
+### 1. Skip Quality Checks for Dependabot PRs
 
 ```yaml
-# BEFORE: 2 matrix jobs (core-checks + tests)
-core-checks:
-  matrix:
-    node-version: [20, 22]  # Runs twice
-
-tests:
-  matrix:
-    node-version: [20, 22]  # Runs twice again!
-
-# AFTER: 1 matrix job only
-tests:
-  matrix:
-    node-version: [20, 22]  # Runs once
+detect-maturity:
+  if: github.actor != 'dependabot[bot]' || github.event_name == 'schedule'
 ```
 
-**Savings**: 50% reduction in matrix jobs
-**vibebuildlab**: ~18,000 min/month saved ($144/mo)
-
-#### 3. Move Security to Scheduled Workflow
+**Savings**: ~50% reduction in runs (~1,400 mins/month)
 
-```yaml
-# New file: .github/workflows/security-weekly.yml
-on:
-  schedule:
-    - cron: '0 0 * * 0' # Weekly on Sunday
-  workflow_dispatch: # Manual trigger
-
-jobs:
-  security:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Gitleaks
-      - name: Semgrep
-      - name: npm audit
-```
+### 2. Minimal Workflow Mode (v5.11.1)
 
-**Savings**: From 221 runs/month → 4 runs/month
-**vibebuildlab**: ~5,400 min/month saved ($43/mo)
+- Security scans: Weekly only (not every push)
+- Test matrix: Node 22 only (not [20, 22])
+- Path filters: Skip docs-only changes
+- Concurrency: Cancel in-progress runs
 
-### Phase 2: Industry-Standard Setup (Get under $50/mo total)
-
-```yaml
-# .github/workflows/ci.yml
-name: CI
-
-on:
-  push:
-    branches: [main, develop]
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-      - 'LICENSE'
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true # Cancel old runs
-
-jobs:
-  # Quick checks on every commit (current Node only)
-  quick-check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 22
-          cache: npm
-      - run: npm ci
-      - run: npm run lint
-      - run: npm run format:check
-      - run: npm test
-
-  # Matrix testing only on main branch
-  cross-version:
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [20, 22]
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: npm
-      - run: npm ci
-      - run: npm test
-```
+### Expected February Usage (Post-Fix)
 
-**Estimated runtime**:
-
-- Pull requests: 5-10 min (quick-check only)
-- Main branch: 15-20 min (quick-check + cross-version)
-
-**Estimated cost for vibebuildlab**:
-
-- Current: 46,852 min/month ($358/mo)
-- After changes: ~3,500 min/month ($12/mo)
-- **Savings: $346/month (97% reduction)**
+| Metric             | Before | After        | Savings |
+| ------------------ | ------ | ------------ | ------- |
+| Minutes/Month      | 3,425  | ~1,200-1,500 | 55-65%  |
+| Budget Utilization | 171%   | 60-75%       | ✅      |
 
 ---
 
-## Strategic Recommendations
-
-### For Solo Developers / Small Teams
-
-**Make all repos public** → GitHub Actions is FREE
-
-- If code can be public, this is the best option
-- vibebuildlab, qa-architect could potentially be public
-
-### For Private Repos
+## Workflow Tiers
 
-**Option A: Minimal CI** (Recommended)
+qa-architect supports three workflow modes:
 
-```
-✅ Lint + format on every commit (5 min)
-✅ Test on current Node only (10 min)
-✅ Matrix testing on main branch only
-✅ Security scans weekly, not per commit
-✅ Documentation checks on releases only
-
-Total: ~500-1,000 min/month ($0-8/mo)
-```
-
-**Option B: Self-Hosted Runner**
+| Mode                  | When to Use             | Estimated Cost |
+| --------------------- | ----------------------- | -------------- |
+| **Minimal** (default) | Solo dev, private repos | ~$0-10/mo      |
+| **Standard**          | Team projects, PRs      | ~$10-30/mo     |
+| **Comprehensive**     | Enterprise, compliance  | ~$50-100/mo    |
 
-- Rent $10-20/mo VPS (Hetzner, DigitalOcean)
-- Install GitHub self-hosted runner
-- Total cost: $20/mo for UNLIMITED minutes
-- **Best if you have 5+ active private repos**
+### Minimal Mode (Default)
 
-**Option C: Strategic Testing**
-
-```yaml
-# Only test what matters
-on:
-  pull_request: # Test on PRs
-  push:
-    branches: [main] # Test on main
-    paths-ignore:
-      - '**.md'
-      - 'docs/**'
-
-# Skip matrix on draft PRs
-if: github.event.pull_request.draft == false
-```
+- Single Node.js version (22)
+- Security scans weekly only
+- Path filters enabled
+- Skip Dependabot PRs
+- Concurrency limits
 
-### For qa-architect Product
+### Standard Mode (`--workflow-standard`)
 
-**Current Default** (what qa-architect creates):
+- Matrix on main only (20, 22)
+- Security on PR + weekly
+- Full test coverage
 
-- ❌ Comprehensive CI for solo devs
-- ❌ Costs $100-350/mo for typical projects
-- ❌ Over-engineering: Gitleaks + Semgrep on every commit
+### Comprehensive Mode (`--workflow-comprehensive`)
 
-**Recommended Default**:
-
-```yaml
-Basic (Free tier friendly):
-✅ Lint + format + test (current Node only)
-✅ Security scans weekly
-✅ Matrix testing opt-in only
-✅ Path filters enabled by default
-
-Pro tier enhancements:
-✅ Add matrix testing (if needed)
-✅ Add cross-platform testing (if needed)
-✅ Add comprehensive security (scheduled)
-```
+- Matrix every commit
+- Inline security scans
+- E2E tests on every PR
 
 ---
 
-## Action Items
-
-### Immediate (This Week)
-
-1. Add path filters to all repos → Save 20% instantly
-2. Move security scans to weekly schedule → Save 95% of security costs
-3. Remove duplicate matrix jobs → Save 50% of test costs
-
-### Short Term (This Month)
-
-1. Redesign qa-architect default template (minimal-first approach)
-2. Create three tiers:
-   - `--minimal`: Lint + test (current Node), FREE tier friendly
-   - `--standard`: + matrix testing (main branch only)
-   - `--comprehensive`: Current setup (for large teams)
-3. Add `--public` flag that optimizes for unlimited minutes
+## Optimization Tips
 
-### Long Term (Q1 2026)
-
-1. Add cost analyzer to `npx create-qa-architect` (show estimated costs)
-2. Default to minimal setup, prompt for upgrades
-3. Document self-hosted runner setup guide
-4. Create cost monitoring dashboard (track actual usage)
+1. **Make repos public** → Unlimited free minutes
+2. **Group Dependabot updates** → Fewer PRs/week
+3. **Use path filters** → Skip docs-only changes
+4. **Disable CI on inactive repos** → Zero cost
 
 ---
 
-## Conclusion
-
-**YES, you're right to question this.**
-
-qa-architect is creating **enterprise-grade CI for solo developers**, resulting in:
+## Commands
 
-- 3-5x longer CI times than industry standards
-- 10-20x higher costs than necessary
-- Excessive testing that doesn't add proportional value
+```bash
+# Check workflow mode
+npx create-qa-architect --check-maturity
 
-**The fix**: Shift to "minimal by default, comprehensive on demand."
+# Analyze CI costs
+npx create-qa-architect --analyze-ci
 
-For your specific projects:
-
-- **vibebuildlab**: $358/mo → $12/mo (implement Phase 1 + 2)
-- **qa-architect**: $110/mo → $5/mo (same changes)
-- **Total savings**: $451/month ($5,412/year)
-
-Or just make repos public → **$0/month**.
+# Switch to minimal mode
+npx create-qa-architect --workflow-minimal --force
+```

package/lib/project-maturity.js

@@ -119,6 +119,11 @@ class ProjectMaturityDetector {
       stats.testFiles === 0
     ) {
       maturity = 'bootstrap'
+    } else if (
+      stats.totalSourceFiles < MATURITY_THRESHOLDS.MIN_BOOTSTRAP_FILES &&
+      stats.testFiles > 0
+    ) {
+      maturity = 'bootstrap'
     } else if (
       stats.testFiles > 0 &&
       stats.totalSourceFiles >= MATURITY_THRESHOLDS.MIN_BOOTSTRAP_FILES &&

package/lib/quality-tools-generator.js

@@ -25,6 +25,7 @@ function generateLighthouseConfig(options = {}) {
     hasThresholds = false,
     collectUrl = 'http://localhost:3000',
     staticDistDir = null,
+    budgets = null,
   } = options
 
   const collectConfig = staticDistDir
@@ -34,29 +35,42 @@ function generateLighthouseConfig(options = {}) {
       startServerReadyPattern: 'ready|listening|started',
       startServerReadyTimeout: 30000,`
 
-  const assertConfig = hasThresholds
-    ? `
+  let assertConfig
+  if (hasThresholds) {
+    // Use custom budgets from .qualityrc.json if provided, otherwise defaults
+    const b = budgets || {}
+    const fcp = b.maxFCP || 2000
+    const lcp = b.maxLCP || 2500
+    const cls = b.maxCLS || 0.1
+    const tbt = b.maxTBT || 300
+    const perf = b.performance || 0.8
+    const a11y = b.accessibility || 0.9
+    const bp = b.bestPractices || 0.9
+    const seo = b.seo || 0.9
+
+    assertConfig = `
     assert: {
       preset: 'lighthouse:recommended',
       assertions: {
         // Performance
-        'first-contentful-paint': ['warn', { maxNumericValue: 2000 }],
-        'largest-contentful-paint': ['error', { maxNumericValue: 2500 }],
-        'cumulative-layout-shift': ['error', { maxNumericValue: 0.1 }],
-        'total-blocking-time': ['warn', { maxNumericValue: 300 }],
+        'first-contentful-paint': ['warn', { maxNumericValue: ${fcp} }],
+        'largest-contentful-paint': ['error', { maxNumericValue: ${lcp} }],
+        'cumulative-layout-shift': ['error', { maxNumericValue: ${cls} }],
+        'total-blocking-time': ['warn', { maxNumericValue: ${tbt} }],
 
         // Categories (0-1 scale)
-        'categories:performance': ['warn', { minScore: 0.8 }],
-        'categories:accessibility': ['error', { minScore: 0.9 }],
-        'categories:best-practices': ['warn', { minScore: 0.9 }],
-        'categories:seo': ['warn', { minScore: 0.9 }],
+        'categories:performance': ['warn', { minScore: ${perf} }],
+        'categories:accessibility': ['error', { minScore: ${a11y} }],
+        'categories:best-practices': ['warn', { minScore: ${bp} }],
+        'categories:seo': ['warn', { minScore: ${seo} }],
 
         // Allow some common warnings
         'unsized-images': 'off',
         'uses-responsive-images': 'off',
       },
     },`
-    : `
+  } else {
+    assertConfig = `
     assert: {
       // Basic assertions for Free tier - just warnings, no failures
       assertions: {
@@ -64,6 +78,7 @@ function generateLighthouseConfig(options = {}) {
         'categories:best-practices': ['warn', { minScore: 0.7 }],
       },
     },`
+  }
 
   return `module.exports = {
   ci: {
@@ -86,7 +101,7 @@ function generateLighthouseConfig(options = {}) {
  * @returns {Array} size-limit config array
  */
 function generateSizeLimitConfig(options = {}) {
-  const { projectPath = process.cwd() } = options
+  const { projectPath = process.cwd(), budgets = null } = options
 
   // Detect build output paths
   const possibleDists = ['dist', 'build', '.next', 'out', 'public']
@@ -99,6 +114,10 @@ function generateSizeLimitConfig(options = {}) {
     }
   }
 
+  // Use custom budgets from .qualityrc.json if provided
+  const jsLimit = (budgets && budgets.maxJs) || null
+  const cssLimit = (budgets && budgets.maxCss) || null
+
   // Detect if it's a Next.js app
   const isNextJS =
     fs.existsSync(path.join(projectPath, 'next.config.js')) ||
@@ -108,7 +127,7 @@ function generateSizeLimitConfig(options = {}) {
     return [
       {
         path: '.next/static/**/*.js',
-        limit: '300 kB',
+        limit: jsLimit || '300 kB',
         webpack: false,
       },
     ]
@@ -117,11 +136,11 @@ function generateSizeLimitConfig(options = {}) {
   return [
     {
       path: `${distDir}/**/*.js`,
-      limit: '250 kB',
+      limit: jsLimit || '250 kB',
     },
     {
       path: `${distDir}/**/*.css`,
-      limit: '50 kB',
+      limit: cssLimit || '50 kB',
     },
   ]
 }
@@ -525,8 +544,8 @@ function getQualityToolsDependencies(features = {}) {
   }
 
   if (features.commitlint) {
-    deps['@commitlint/cli'] = '^19.0.0'
-    deps['@commitlint/config-conventional'] = '^19.0.0'
+    deps['@commitlint/cli'] = '^20.4.1'
+    deps['@commitlint/config-conventional'] = '^20.4.1'
   }
 
   if (features.axeCore) {

package/lib/security-enhancements.js

@@ -109,46 +109,17 @@ id = "jwt-token"
 regex = '''eyJ[A-Za-z0-9_/+-]{10,}={0,2}'''
 tags = ["key", "JWT"]
 
-[[rules]]
-description = "Base64 encoded secrets (long)"
-id = "base64-secret"
-regex = '''[A-Za-z0-9+/]{40,}={0,2}'''
-tags = ["secret", "base64"]
-keywords = ["secret", "key", "token", "password"]
-
 [[rules]]
 description = "Environment variable secrets"
 id = "env-secret"
 regex = '''(?i)(api_key|secret|password|token)\\s*=\\s*['""][^'"\\s]{10,}['""]'''
 tags = ["env", "secret"]
 
-# Allowlist for test files and examples
-[[rules.allowlist]]
-description = "Test secrets and examples"
-regexes = [
-  '''test_secret_.*''',
-  '''example_.*''',
-  '''dummy_.*''',
-  '''fake_.*'''
-]
-paths = [
-  '''tests/''',
-  '''test/''',
-  '''__tests__/''',
-  '''examples/''',
-  '''docs/''',
-  '''.md$'''
-]
-
-# Global allowlist for common false positives
-[[allowlist]]
-description = "Common false positives"
-regexes = [
-  '''EXAMPLE_.*''',
-  '''your_.*_here''',
-  '''replace_with_.*''',
-  '''TODO:.*'''
-]
+# Allowlist for test/example files (broad exclusion)
+[allowlist]
+description = "Test and example files"
+regexes = ['''test_secret_.*|example_.*|dummy_.*|fake_.*|EXAMPLE_.*|your_.*_here|replace_with_.*|TODO:.*''']
+paths = ['''(tests/|test/|__tests__/|examples/|docs/|\\.md$|\\.gitleaksignore$|node_modules/|dist/|build/|\\.next/|coverage/)''']
 `
 }
 

package/lib/workflow-config.js

@@ -179,7 +179,17 @@ function injectWorkflowMode(workflowContent, mode) {
       "has-css: 'false'"
     )
 
-    // 4. Simplify "Display Detection Report" to show only package manager info
+    // 4. Remove dev-only gitleaks binary test steps (only relevant for qa-architect itself)
+    updated = updated.replace(
+      /\s+- name: Cache gitleaks binary for real download test[\s\S]*?restore-keys: \|[^\n]*\n[^\n]*\n/,
+      '\n'
+    )
+    updated = updated.replace(
+      /\s+- name: Run real gitleaks binary verification test[\s\S]*?node tests\/gitleaks-real-binary-test\.js\n/,
+      '\n'
+    )
+
+    // 5. Simplify "Display Detection Report" to show only package manager info
     updated = updated.replace(
       /- name: Display Detection Report\s+run: \|[\s\S]*?echo "Has CSS files:[^"]*"/,
       `- name: Display Detection Report

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-qa-architect",
-  "version": "5.11.1",
+  "version": "5.12.0",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
@@ -51,7 +51,8 @@
     "size": "size-limit",
     "size:why": "size-limit --why",
     "test:a11y": "vitest run tests/accessibility.test.js",
-    "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70"
+    "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70",
+    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests"
   },
   "keywords": [
     "qa-architect",

package/scripts/smart-test-strategy.sh

@@ -82,11 +82,17 @@ echo "   ⚡ Speed Bonus: $SPEED_BONUS"
 echo ""
 
 # Test tier selection based on risk score
+# NOTE: E2E tests and slow command tests are ALWAYS excluded from pre-push
+# - E2E tests: Require dev server, browsers, proper infrastructure (run in CI only)
+# - Command tests: Take 60+ seconds, verify npm scripts work (run in CI only)
+# These run in GitHub Actions on every PR and push to main
+
 if [[ $RISK_SCORE -ge 7 ]]; then
-  echo "🔴 HIGH RISK - Comprehensive validation"
-  echo "   • All tests + security audit"
-  # Runs: npm run test:comprehensive 2>/dev/null || npm run test 2>/dev/null || npm test
-  npm run test:comprehensive 2>/dev/null || npm run test 2>/dev/null || npm test
+  echo "🔴 HIGH RISK - Comprehensive validation (pre-push)"
+  echo "   • Unit + integration tests + security audit"
+  echo "   • (E2E and command tests run in CI only)"
+  # Runs: npm run test:medium 2>/dev/null || npm run test:fast 2>/dev/null || npm test
+  npm run test:medium 2>/dev/null || npm run test:fast 2>/dev/null || npm test
 elif [[ $RISK_SCORE -ge 4 ]]; then
   echo "🟡 MEDIUM RISK - Standard validation"
   echo "   • Fast tests + integration (excludes slow tests)"

package/setup.js

@@ -927,13 +927,44 @@ HELP:
         const hasConventionalCommits = hasFeature('conventionalCommits')
         const hasCoverageThresholds = hasFeature('coverageThresholds')
 
+        // Load .qualityrc.json for performance budgets and check overrides
+        let performanceBudgets = null
+        let qualityChecks = {}
+        const qualityrcPath = path.join(projectPath, '.qualityrc.json')
+        if (fs.existsSync(qualityrcPath)) {
+          try {
+            const qualityrc = JSON.parse(fs.readFileSync(qualityrcPath, 'utf8'))
+            if (qualityrc.performance) {
+              performanceBudgets = qualityrc.performance
+            }
+            if (qualityrc.checks) {
+              qualityChecks = qualityrc.checks
+            }
+          } catch {
+            // Ignore parse errors - config validation handles this elsewhere
+          }
+        }
+
+        // Helper: check if a quality check is enabled (respects .qualityrc.json overrides)
+        function isCheckEnabled(checkName, licenseDefault) {
+          const override = qualityChecks[checkName]
+          if (override && override.enabled === false) return false
+          if (override && override.enabled === true) return true
+          // "auto" or missing: use license-based default
+          return licenseDefault
+        }
+
         // 1. Lighthouse CI - available to all, thresholds for Pro+
-        if (hasLighthouse) {
+        if (isCheckEnabled('lighthouse', hasLighthouse)) {
           try {
             const lighthousePath = path.join(projectPath, 'lighthouserc.js')
             if (!fs.existsSync(lighthousePath)) {
               writeLighthouseConfig(projectPath, {
                 hasThresholds: hasLighthouseThresholds,
+                budgets:
+                  performanceBudgets && performanceBudgets.lighthouse
+                    ? performanceBudgets.lighthouse
+                    : null,
               })
               addedTools.push(
                 hasLighthouseThresholds
@@ -953,7 +984,12 @@ HELP:
         if (hasBundleSizeLimits) {
           try {
             if (!pkgJson.content['size-limit']) {
-              writeSizeLimitConfig(projectPath)
+              writeSizeLimitConfig(projectPath, {
+                budgets:
+                  performanceBudgets && performanceBudgets.bundleSize
+                    ? performanceBudgets.bundleSize
+                    : null,
+              })
               addedTools.push('Bundle size limits (size-limit)')
             }
           } catch (error) {