create-qa-architect 5.11.2 → 5.12.1

package/.github/workflows/auto-release.yml

@@ -0,0 +1,39 @@
+name: Auto Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get previous tag
+        id: prev_tag
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          echo "tag=$PREV_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate release notes
+        run: |
+          TAG=${GITHUB_REF#refs/tags/}
+          PREV_TAG=${{ steps.prev_tag.outputs.tag }}
+          if [ -n "$PREV_TAG" ]; then
+            echo "## Changes since $PREV_TAG" > notes.md
+            git log ${PREV_TAG}..${TAG} --pretty=format:"- %s" >> notes.md
+            echo -e "\n\n**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${TAG}" >> notes.md
+          else
+            echo "Initial release" > notes.md
+          fi
+
+      - uses: softprops/action-gh-release@v2
+        with:
+          body_path: notes.md

package/.github/workflows/quality.yml

@@ -341,7 +341,7 @@ jobs:
             gitleaks-8.28.0-linux-x64-
 
       - name: Run real gitleaks binary verification test
-        if: runner.os == 'Linux'
+        if: runner.os == 'Linux' && hashFiles('tests/gitleaks-real-binary-test.js') != ''
         run: |
           echo "🔐 Running real gitleaks binary verification test..."
           QAA_DEVELOPER=true RUN_REAL_BINARY_TEST=1 node tests/gitleaks-real-binary-test.js

package/config/defaults.js

@@ -75,6 +75,9 @@ const baseDevDependencies = {
   '@lhci/cli': '^0.14.0',
   vitest: '^2.1.8',
   '@vitest/coverage-v8': '^2.1.8',
+  commitlint: '^20.4.1',
+  '@commitlint/cli': '^20.4.1',
+  '@commitlint/config-conventional': '^20.4.1',
 }
 
 const typeScriptDevDependencies = {

package/config/quality-config.schema.json

@@ -91,6 +91,81 @@
         },
         "additionalProperties": false
       }
+    },
+    "performance": {
+      "type": "object",
+      "description": "Performance budget configuration",
+      "properties": {
+        "lighthouse": {
+          "type": "object",
+          "description": "Lighthouse CI performance thresholds",
+          "properties": {
+            "performance": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum performance score (0-1)"
+            },
+            "accessibility": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum accessibility score (0-1)"
+            },
+            "bestPractices": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum best practices score (0-1)"
+            },
+            "seo": {
+              "type": "number",
+              "minimum": 0,
+              "maximum": 1,
+              "description": "Minimum SEO score (0-1)"
+            },
+            "maxFCP": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max First Contentful Paint in ms"
+            },
+            "maxLCP": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Largest Contentful Paint in ms"
+            },
+            "maxCLS": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Cumulative Layout Shift"
+            },
+            "maxTBT": {
+              "type": "number",
+              "minimum": 0,
+              "description": "Max Total Blocking Time in ms"
+            }
+          },
+          "additionalProperties": false
+        },
+        "bundleSize": {
+          "type": "object",
+          "description": "Bundle size limits",
+          "properties": {
+            "maxJs": {
+              "type": "string",
+              "pattern": "^[0-9]+ [kKmM][bB]$",
+              "description": "Max JS bundle size (e.g., '250 kB')"
+            },
+            "maxCss": {
+              "type": "string",
+              "pattern": "^[0-9]+ [kKmM][bB]$",
+              "description": "Max CSS bundle size (e.g., '50 kB')"
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
     }
   },
   "additionalProperties": false

package/lib/project-maturity.js

@@ -119,6 +119,11 @@ class ProjectMaturityDetector {
       stats.testFiles === 0
     ) {
       maturity = 'bootstrap'
+    } else if (
+      stats.totalSourceFiles < MATURITY_THRESHOLDS.MIN_BOOTSTRAP_FILES &&
+      stats.testFiles > 0
+    ) {
+      maturity = 'bootstrap'
     } else if (
       stats.testFiles > 0 &&
       stats.totalSourceFiles >= MATURITY_THRESHOLDS.MIN_BOOTSTRAP_FILES &&

package/lib/quality-tools-generator.js

@@ -25,6 +25,7 @@ function generateLighthouseConfig(options = {}) {
     hasThresholds = false,
     collectUrl = 'http://localhost:3000',
     staticDistDir = null,
+    budgets = null,
   } = options
 
   const collectConfig = staticDistDir
@@ -34,29 +35,42 @@ function generateLighthouseConfig(options = {}) {
       startServerReadyPattern: 'ready|listening|started',
       startServerReadyTimeout: 30000,`
 
-  const assertConfig = hasThresholds
-    ? `
+  let assertConfig
+  if (hasThresholds) {
+    // Use custom budgets from .qualityrc.json if provided, otherwise defaults
+    const b = budgets || {}
+    const fcp = b.maxFCP || 2000
+    const lcp = b.maxLCP || 2500
+    const cls = b.maxCLS || 0.1
+    const tbt = b.maxTBT || 300
+    const perf = b.performance || 0.8
+    const a11y = b.accessibility || 0.9
+    const bp = b.bestPractices || 0.9
+    const seo = b.seo || 0.9
+
+    assertConfig = `
     assert: {
       preset: 'lighthouse:recommended',
       assertions: {
         // Performance
-        'first-contentful-paint': ['warn', { maxNumericValue: 2000 }],
-        'largest-contentful-paint': ['error', { maxNumericValue: 2500 }],
-        'cumulative-layout-shift': ['error', { maxNumericValue: 0.1 }],
-        'total-blocking-time': ['warn', { maxNumericValue: 300 }],
+        'first-contentful-paint': ['warn', { maxNumericValue: ${fcp} }],
+        'largest-contentful-paint': ['error', { maxNumericValue: ${lcp} }],
+        'cumulative-layout-shift': ['error', { maxNumericValue: ${cls} }],
+        'total-blocking-time': ['warn', { maxNumericValue: ${tbt} }],
 
         // Categories (0-1 scale)
-        'categories:performance': ['warn', { minScore: 0.8 }],
-        'categories:accessibility': ['error', { minScore: 0.9 }],
-        'categories:best-practices': ['warn', { minScore: 0.9 }],
-        'categories:seo': ['warn', { minScore: 0.9 }],
+        'categories:performance': ['warn', { minScore: ${perf} }],
+        'categories:accessibility': ['error', { minScore: ${a11y} }],
+        'categories:best-practices': ['warn', { minScore: ${bp} }],
+        'categories:seo': ['warn', { minScore: ${seo} }],
 
         // Allow some common warnings
         'unsized-images': 'off',
         'uses-responsive-images': 'off',
       },
     },`
-    : `
+  } else {
+    assertConfig = `
     assert: {
       // Basic assertions for Free tier - just warnings, no failures
       assertions: {
@@ -64,6 +78,7 @@ function generateLighthouseConfig(options = {}) {
         'categories:best-practices': ['warn', { minScore: 0.7 }],
       },
     },`
+  }
 
   return `module.exports = {
   ci: {
@@ -86,7 +101,7 @@ function generateLighthouseConfig(options = {}) {
  * @returns {Array} size-limit config array
  */
 function generateSizeLimitConfig(options = {}) {
-  const { projectPath = process.cwd() } = options
+  const { projectPath = process.cwd(), budgets = null } = options
 
   // Detect build output paths
   const possibleDists = ['dist', 'build', '.next', 'out', 'public']
@@ -99,6 +114,10 @@ function generateSizeLimitConfig(options = {}) {
     }
   }
 
+  // Use custom budgets from .qualityrc.json if provided
+  const jsLimit = (budgets && budgets.maxJs) || null
+  const cssLimit = (budgets && budgets.maxCss) || null
+
   // Detect if it's a Next.js app
   const isNextJS =
     fs.existsSync(path.join(projectPath, 'next.config.js')) ||
@@ -108,7 +127,7 @@ function generateSizeLimitConfig(options = {}) {
     return [
       {
         path: '.next/static/**/*.js',
-        limit: '300 kB',
+        limit: jsLimit || '300 kB',
         webpack: false,
       },
     ]
@@ -117,11 +136,11 @@ function generateSizeLimitConfig(options = {}) {
   return [
     {
       path: `${distDir}/**/*.js`,
-      limit: '250 kB',
+      limit: jsLimit || '250 kB',
     },
     {
       path: `${distDir}/**/*.css`,
-      limit: '50 kB',
+      limit: cssLimit || '50 kB',
     },
   ]
 }
@@ -525,8 +544,8 @@ function getQualityToolsDependencies(features = {}) {
   }
 
   if (features.commitlint) {
-    deps['@commitlint/cli'] = '^19.0.0'
-    deps['@commitlint/config-conventional'] = '^19.0.0'
+    deps['@commitlint/cli'] = '^20.4.1'
+    deps['@commitlint/config-conventional'] = '^20.4.1'
   }
 
   if (features.axeCore) {

package/lib/security-enhancements.js

@@ -109,46 +109,17 @@ id = "jwt-token"
 regex = '''eyJ[A-Za-z0-9_/+-]{10,}={0,2}'''
 tags = ["key", "JWT"]
 
-[[rules]]
-description = "Base64 encoded secrets (long)"
-id = "base64-secret"
-regex = '''[A-Za-z0-9+/]{40,}={0,2}'''
-tags = ["secret", "base64"]
-keywords = ["secret", "key", "token", "password"]
-
 [[rules]]
 description = "Environment variable secrets"
 id = "env-secret"
 regex = '''(?i)(api_key|secret|password|token)\\s*=\\s*['""][^'"\\s]{10,}['""]'''
 tags = ["env", "secret"]
 
-# Allowlist for test files and examples
-[[rules.allowlist]]
-description = "Test secrets and examples"
-regexes = [
-  '''test_secret_.*''',
-  '''example_.*''',
-  '''dummy_.*''',
-  '''fake_.*'''
-]
-paths = [
-  '''tests/''',
-  '''test/''',
-  '''__tests__/''',
-  '''examples/''',
-  '''docs/''',
-  '''.md$'''
-]
-
-# Global allowlist for common false positives
-[[allowlist]]
-description = "Common false positives"
-regexes = [
-  '''EXAMPLE_.*''',
-  '''your_.*_here''',
-  '''replace_with_.*''',
-  '''TODO:.*'''
-]
+# Allowlist for test/example files (broad exclusion)
+[allowlist]
+description = "Test and example files"
+regexes = ['''test_secret_.*|example_.*|dummy_.*|fake_.*|EXAMPLE_.*|your_.*_here|replace_with_.*|TODO:.*''']
+paths = ['''(tests/|test/|__tests__/|examples/|docs/|\\.md$|\\.gitleaksignore$|node_modules/|dist/|build/|\\.next/|coverage/)''']
 `
 }
 

package/lib/workflow-config.js

@@ -179,7 +179,18 @@ function injectWorkflowMode(workflowContent, mode) {
       "has-css: 'false'"
     )
 
-    // 4. Simplify "Display Detection Report" to show only package manager info
+    // 4. Remove dev-only gitleaks binary test steps (only relevant for qa-architect itself)
+    // The restore-keys block has 3 lines after `|`, match all of them to avoid stray lines
+    updated = updated.replace(
+      /\s+- name: Cache gitleaks binary for real download test[\s\S]*?restore-keys: \|[^\n]*\n[^\n]*\n[^\n]*\n/,
+      '\n'
+    )
+    updated = updated.replace(
+      /\s+- name: Run real gitleaks binary verification test[\s\S]*?node tests\/gitleaks-real-binary-test\.js\n/,
+      '\n'
+    )
+
+    // 5. Simplify "Display Detection Report" to show only package manager info
     updated = updated.replace(
       /- name: Display Detection Report\s+run: \|[\s\S]*?echo "Has CSS files:[^"]*"/,
       `- name: Display Detection Report

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-qa-architect",
-  "version": "5.11.2",
+  "version": "5.12.1",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
@@ -51,7 +51,8 @@
     "size": "size-limit",
     "size:why": "size-limit --why",
     "test:a11y": "vitest run tests/accessibility.test.js",
-    "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70"
+    "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70",
+    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests"
   },
   "keywords": [
     "qa-architect",

package/scripts/smart-test-strategy.sh

@@ -82,11 +82,17 @@ echo "   ⚡ Speed Bonus: $SPEED_BONUS"
 echo ""
 
 # Test tier selection based on risk score
+# NOTE: E2E tests and slow command tests are ALWAYS excluded from pre-push
+# - E2E tests: Require dev server, browsers, proper infrastructure (run in CI only)
+# - Command tests: Take 60+ seconds, verify npm scripts work (run in CI only)
+# These run in GitHub Actions on every PR and push to main
+
 if [[ $RISK_SCORE -ge 7 ]]; then
-  echo "🔴 HIGH RISK - Comprehensive validation"
-  echo "   • All tests + security audit"
-  # Runs: npm run test:comprehensive 2>/dev/null || npm run test 2>/dev/null || npm test
-  npm run test:comprehensive 2>/dev/null || npm run test 2>/dev/null || npm test
+  echo "🔴 HIGH RISK - Comprehensive validation (pre-push)"
+  echo "   • Unit + integration tests + security audit"
+  echo "   • (E2E and command tests run in CI only)"
+  # Runs: npm run test:medium 2>/dev/null || npm run test:fast 2>/dev/null || npm test
+  npm run test:medium 2>/dev/null || npm run test:fast 2>/dev/null || npm test
 elif [[ $RISK_SCORE -ge 4 ]]; then
   echo "🟡 MEDIUM RISK - Standard validation"
   echo "   • Fast tests + integration (excludes slow tests)"

package/setup.js

@@ -927,13 +927,44 @@ HELP:
         const hasConventionalCommits = hasFeature('conventionalCommits')
         const hasCoverageThresholds = hasFeature('coverageThresholds')
 
+        // Load .qualityrc.json for performance budgets and check overrides
+        let performanceBudgets = null
+        let qualityChecks = {}
+        const qualityrcPath = path.join(projectPath, '.qualityrc.json')
+        if (fs.existsSync(qualityrcPath)) {
+          try {
+            const qualityrc = JSON.parse(fs.readFileSync(qualityrcPath, 'utf8'))
+            if (qualityrc.performance) {
+              performanceBudgets = qualityrc.performance
+            }
+            if (qualityrc.checks) {
+              qualityChecks = qualityrc.checks
+            }
+          } catch {
+            // Ignore parse errors - config validation handles this elsewhere
+          }
+        }
+
+        // Helper: check if a quality check is enabled (respects .qualityrc.json overrides)
+        function isCheckEnabled(checkName, licenseDefault) {
+          const override = qualityChecks[checkName]
+          if (override && override.enabled === false) return false
+          if (override && override.enabled === true) return true
+          // "auto" or missing: use license-based default
+          return licenseDefault
+        }
+
         // 1. Lighthouse CI - available to all, thresholds for Pro+
-        if (hasLighthouse) {
+        if (isCheckEnabled('lighthouse', hasLighthouse)) {
           try {
             const lighthousePath = path.join(projectPath, 'lighthouserc.js')
             if (!fs.existsSync(lighthousePath)) {
               writeLighthouseConfig(projectPath, {
                 hasThresholds: hasLighthouseThresholds,
+                budgets:
+                  performanceBudgets && performanceBudgets.lighthouse
+                    ? performanceBudgets.lighthouse
+                    : null,
               })
               addedTools.push(
                 hasLighthouseThresholds
@@ -953,7 +984,12 @@ HELP:
         if (hasBundleSizeLimits) {
           try {
             if (!pkgJson.content['size-limit']) {
-              writeSizeLimitConfig(projectPath)
+              writeSizeLimitConfig(projectPath, {
+                budgets:
+                  performanceBudgets && performanceBudgets.bundleSize
+                    ? performanceBudgets.bundleSize
+                    : null,
+              })
               addedTools.push('Bundle size limits (size-limit)')
             }
           } catch (error) {