create-qa-architect 5.12.1 → 5.13.2

package/lib/commands/maturity-check.js

@@ -10,11 +10,29 @@
  */
 function handleMaturityCheck() {
   const { ProjectMaturityDetector } = require('../project-maturity')
+  const githubActions = process.argv.includes('--github-actions')
   const detector = new ProjectMaturityDetector({
     projectPath: process.cwd(),
-    verbose: true,
+    verbose: !githubActions,
   })
-  detector.printReport()
+
+  if (githubActions) {
+    const output = detector.generateGitHubActionsOutput()
+    console.log(`maturity=${output.maturity}`)
+    console.log(`source-count=${output.sourceCount}`)
+    console.log(`test-count=${output.testCount}`)
+    console.log(`has-deps=${output.hasDeps}`)
+    console.log(`has-docs=${output.hasDocs}`)
+    console.log(`has-css=${output.hasCss}`)
+    console.log(`has-shell=${output.hasShell}`)
+    console.log(`shell-count=${output.shellCount}`)
+    console.log(`is-shell-project=${output.isShellProject}`)
+    console.log(`required-checks=${output.requiredChecks}`)
+    console.log(`optional-checks=${output.optionalChecks}`)
+    console.log(`disabled-checks=${output.disabledChecks}`)
+  } else {
+    detector.printReport()
+  }
   process.exit(0)
 }
 

package/lib/dependency-monitoring-basic.js

@@ -22,7 +22,7 @@ function hasNpmProject(projectPath) {
 function generateBasicDependabotConfig(options = {}) {
   const {
     projectPath = '.',
-    schedule = 'weekly',
+    schedule = 'monthly',
     day = 'monday',
     time = '09:00',
     monorepoInfo = null, // Optional monorepo detection result
@@ -50,7 +50,7 @@ function generateBasicDependabotConfig(options = {}) {
         day: day,
         time: time,
       },
-      'open-pull-requests-limit': 5,
+      'open-pull-requests-limit': 2,
       labels: ['dependencies', 'root'],
       'commit-message': {
         prefix: 'deps(root)',
@@ -69,7 +69,7 @@ function generateBasicDependabotConfig(options = {}) {
           day: day,
           time: time,
         },
-        'open-pull-requests-limit': 3,
+        'open-pull-requests-limit': 2,
         labels: ['dependencies', pkg.name],
         'commit-message': {
           prefix: `deps(${pkg.name})`,
@@ -87,7 +87,7 @@ function generateBasicDependabotConfig(options = {}) {
         day: day,
         time: time,
       },
-      'open-pull-requests-limit': 5,
+      'open-pull-requests-limit': 2,
       labels: ['dependencies'],
       'commit-message': {
         prefix: 'deps',

package/lib/dependency-monitoring-premium.js

@@ -1294,7 +1294,7 @@ function generatePremiumDependabotConfig(options = {}) {
 
   const {
     projectPath = '.',
-    schedule = 'weekly',
+    schedule = 'monthly',
     day = 'monday',
     time = '09:00',
   } = options
@@ -1316,7 +1316,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'npm',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'npm'],
       'commit-message': { prefix: 'deps(npm)', include: 'scope' },
       ...(Object.keys(npmGroups).length > 0 && { groups: npmGroups }),
@@ -1330,7 +1330,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'pip',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'python'],
       'commit-message': { prefix: 'deps(python)' },
       ...(Object.keys(pipGroups).length > 0 && { groups: pipGroups }),
@@ -1344,7 +1344,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'cargo',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'rust'],
       'commit-message': { prefix: 'deps(rust)' },
       ...(Object.keys(cargoGroups).length > 0 && { groups: cargoGroups }),
@@ -1358,7 +1358,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'bundler',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'ruby'],
       'commit-message': { prefix: 'deps(ruby)' },
       ...(Object.keys(bundlerGroups).length > 0 && { groups: bundlerGroups }),

package/lib/license-validator.js

@@ -85,7 +85,7 @@ class LicenseValidator {
     // Allow enterprises to host their own registry
     this.licenseDbUrl =
       process.env.QAA_LICENSE_DB_URL ||
-      'https://vibebuildlab.com/api/licenses/qa-architect.json'
+      'https://buildproven.ai/api/licenses/qa-architect.json'
 
     this.licensePublicKey = loadKeyFromEnv(
       process.env.QAA_LICENSE_PUBLIC_KEY,

package/lib/licensing.js

@@ -399,7 +399,7 @@ function showUpgradeMessage(feature) {
     console.log('')
     console.log('   🎁 Start 14-day free trial - no credit card required')
     console.log('')
-    console.log('🚀 Upgrade: https://vibebuildlab.com/qa-architect')
+    console.log('🚀 Upgrade: https://buildproven.ai/qa-architect')
     console.log(
       '🔑 Activate: npx create-qa-architect@latest --activate-license'
     )
@@ -745,7 +745,7 @@ async function promptLicenseActivation() {
       console.log(
         '   If you purchased this license, please contact support at:'
       )
-      console.log('   Email: support@vibebuildlab.com')
+      console.log('   Email: support@buildproven.ai')
       console.log(
         '   Include your license key and purchase email for verification.'
       )
@@ -1140,7 +1140,7 @@ function showLicenseStatus() {
   // Show upgrade path
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n💡 Upgrade to PRO for unlimited access + security scanning')
-    console.log('   → https://vibebuildlab.com/qa-architect')
+    console.log('   → https://buildproven.ai/qa-architect')
   }
 }
 

package/lib/smart-strategy-generator.js

@@ -255,7 +255,7 @@ function generateSmartStrategy(options = {}) {
         `Troubleshooting steps:\n` +
         `1. Reinstall the package: npm install -g create-qa-architect@latest\n` +
         `2. Check file permissions: ls -la ${path.dirname(templatePath)}\n` +
-        `3. Report issue if problem persists: https://github.com/vibebuildlab/qa-architect/issues/new`
+        `3. Report issue if problem persists: https://github.com/buildproven/qa-architect/issues/new`
     )
   }
 

package/lib/validation/documentation.js

@@ -267,6 +267,8 @@ class DocumentationValidator {
         'quality-python.yml',
         'ci.yml', // Common workflow name users might have
         'test.yml', // Common workflow name users might have
+        'tests.yml', // Common workflow name users might have
+        'quality-legacy.yml', // Legacy workflow name referenced in cleanup docs
         // Optional tooling configs
         '.lighthouserc.js',
         'vercel.json',

package/lib/workflow-config.js

@@ -65,8 +65,80 @@ function detectExistingWorkflowMode(projectPath) {
   }
 }
 
+/**
+ * Strip a named section from workflow content.
+ * Removes everything between # {{NAME_BEGIN}} and # {{NAME_END}} markers (inclusive).
+ * Leaves a single newline to avoid collapsing adjacent YAML blocks.
+ * @param {string} content - Workflow content
+ * @param {string} sectionName - Section name (e.g. 'QA_ARCHITECT_ONLY', 'FULL_DETECTION')
+ * @returns {string} Content with section removed
+ */
+function stripSection(content, sectionName) {
+  if (!/^[A-Z_]+$/.test(sectionName)) {
+    throw new Error(`Invalid section name: ${sectionName}`)
+  }
+  // eslint-disable-next-line security/detect-non-literal-regexp -- sectionName validated above
+  const pattern = new RegExp(
+    `[^\\S\\n]*# \\{\\{${sectionName}_BEGIN\\}\\}[\\s\\S]*?# \\{\\{${sectionName}_END\\}\\}\\n?`,
+    'g'
+  )
+  return content.replace(pattern, '')
+}
+
+/**
+ * Remove a paths-ignore block from a top-level workflow trigger.
+ * @param {string} content - Workflow content
+ * @param {string} triggerName - Trigger key (e.g. push, pull_request)
+ * @returns {string} Updated content
+ */
+function removeTriggerPathsIgnore(content, triggerName) {
+  const lines = content.split('\n')
+  const output = []
+
+  for (let index = 0; index < lines.length; index += 1) {
+    const line = lines[index]
+    output.push(line)
+
+    if (
+      line !== `  ${triggerName}:` &&
+      !line.startsWith(`  ${triggerName}: `)
+    ) {
+      continue
+    }
+
+    let scanIndex = index + 1
+    while (scanIndex < lines.length) {
+      const nextLine = lines[scanIndex]
+
+      if (nextLine.startsWith('  ') && !nextLine.startsWith('    ')) {
+        break
+      }
+
+      if (nextLine === '    paths-ignore:') {
+        scanIndex += 1
+        while (
+          scanIndex < lines.length &&
+          lines[scanIndex].startsWith('      - ')
+        ) {
+          scanIndex += 1
+        }
+        index = scanIndex - 1
+        break
+      }
+
+      output.push(nextLine)
+      index = scanIndex
+      scanIndex += 1
+    }
+  }
+
+  return output.join('\n')
+}
+
 /**
  * Inject workflow mode-specific configuration into quality.yml
+ * Uses section markers (# {{SECTION_BEGIN/END}}) for reliable content removal
+ * instead of fragile structural regex patterns.
  * @param {string} workflowContent - Template content
  * @param {'minimal'|'standard'|'comprehensive'} mode - Selected mode
  * @returns {string} Modified workflow content
@@ -74,101 +146,72 @@ function detectExistingWorkflowMode(projectPath) {
 function injectWorkflowMode(workflowContent, mode) {
   let updated = workflowContent
 
+  // Set workflow mode marker
   const versionMarker = `# WORKFLOW_MODE: ${mode}`
   if (updated.includes('# WORKFLOW_MODE:')) {
-    // Replace existing marker with new mode
     updated = updated.replace(
       /# WORKFLOW_MODE: (minimal|standard|comprehensive)/,
       versionMarker
     )
   } else {
-    // Add marker before jobs:
     updated = updated.replace(/(\n\njobs:)/, `\n${versionMarker}\n$1`)
   }
 
-  // Controlled regexes for YAML workflow template matching - these patterns match static
-  // template content, not user input. Safe from ReDoS as they match known structure.
+  // All consumer workflows: strip qa-architect-only content
+  updated = stripSection(updated, 'QA_ARCHITECT_ONLY')
 
-  // Handle mode-specific transformations
+  // Mode-specific transformations
   if (mode === 'standard') {
     // Standard: Add main branch condition to tests job
-    // Handle both single-line and multi-line if: formats
-
-    // First try multi-line format (if: | block)
     if (
       updated.includes('tests:') &&
       updated.includes('fromJSON(needs.detect-maturity.outputs.test-count)')
     ) {
-      // Multi-line if: | block - add main branch check at the start
       updated = updated.replace(
         /(tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+if: \|\s*\n\s+)fromJSON\(needs\.detect-maturity\.outputs\.test-count\)/,
         "$1github.ref == 'refs/heads/main' &&\n      fromJSON(needs.detect-maturity.outputs.test-count)"
       )
-
-      // Also try single-line format as fallback
       updated = updated.replace(
         /(\s+tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+)if: fromJSON\(needs\.detect-maturity\.outputs\.test-count\) > 0/,
         "$1if: github.ref == 'refs/heads/main' && fromJSON(needs.detect-maturity.outputs.test-count) > 0"
       )
     }
-
-    // Standard: Change matrix to [20, 22]
-    updated = updated.replace(/node-version: \[22\]/g, 'node-version: [20, 22]')
   } else if (mode === 'comprehensive') {
-    // Comprehensive: Remove paths-ignore blocks from push and pull_request
-    updated = updated.replace(
-      /(\s+push:\s+branches:[^\n]+)\s+paths-ignore:\s+- '\*\*\.md'\s+- 'docs\/\*\*'\s+- 'LICENSE'\s+- '\.gitignore'\s+- '\.editorconfig'/g,
-      '$1'
-    )
-    updated = updated.replace(
-      /(\s+pull_request:\s+branches:[^\n]+)\s+paths-ignore:\s+- '\*\*\.md'\s+- 'docs\/\*\*'\s+- 'LICENSE'\s+- '\.gitignore'\s+- '\.editorconfig'/g,
-      '$1'
-    )
-
+    // Comprehensive: Remove paths-ignore blocks
+    updated = removeTriggerPathsIgnore(updated, 'push')
+    updated = removeTriggerPathsIgnore(updated, 'pull_request')
     // Comprehensive: Remove schedule trigger (security runs inline)
     updated = updated.replace(/\s+schedule:\s+- cron:[^\n]+[^\n]*\n?/g, '\n')
-
     // Comprehensive: Remove schedule condition from security job
     updated = updated.replace(
       /if: \(github\.event_name == 'schedule' \|\| github\.event_name == 'workflow_dispatch'\) && /g,
       'if: '
     )
-
-    // Comprehensive: Change matrix to [20, 22]
     updated = updated.replace(/node-version: \[22\]/g, 'node-version: [20, 22]')
   }
-  // Minimal mode: Remove expensive dependency install and maturity detection steps
-  // Keep only: checkout, setup-node, detect-pm, setup-pnpm/bun, simplified report
-  if (mode === 'minimal') {
-    // 1. Remove "Install dependencies for maturity detection" step
-    updated = updated.replace(
-      /\s+- name: Install dependencies for maturity detection\s+run: \$\{\{ steps\.detect-pm\.outputs\.install-cmd \}\}\s*\n/,
-      '\n'
-    )
 
-    // 2. Remove "Detect Project Maturity" step (multiline)
-    updated = updated.replace(
-      /\s+- name: Detect Project Maturity\s+id: detect\s+run: \|[\s\S]*?fi\s*\n/,
-      '\n'
-    )
+  // Minimal mode: use section markers to strip detection, hardcode outputs
+  if (mode === 'minimal') {
+    // Strip full detection and report sections via markers
+    updated = stripSection(updated, 'FULL_DETECTION')
+    updated = stripSection(updated, 'FULL_REPORT')
 
-    // 3. Hardcode maturity outputs (since we skip detection)
-    // These sensible defaults allow basic checks to run without expensive detection
+    // Hardcode maturity outputs (since we skip detection)
     updated = updated.replace(
       /maturity: \$\{\{ steps\.detect\.outputs\.maturity \}\}/,
       "maturity: 'minimal'"
     )
     updated = updated.replace(
       /source-count: \$\{\{ steps\.detect\.outputs\.source-count \}\}/,
-      "source-count: '10'"
+      "source-count: '0'"
     )
     updated = updated.replace(
       /test-count: \$\{\{ steps\.detect\.outputs\.test-count \}\}/,
-      "test-count: '1'"
+      "test-count: '0'"
     )
     updated = updated.replace(
       /has-deps: \$\{\{ steps\.detect\.outputs\.has-deps \}\}/,
-      "has-deps: 'true'"
+      "has-deps: 'false'"
     )
     updated = updated.replace(
       /has-docs: \$\{\{ steps\.detect\.outputs\.has-docs \}\}/,
@@ -179,30 +222,30 @@ function injectWorkflowMode(workflowContent, mode) {
       "has-css: 'false'"
     )
 
-    // 4. Remove dev-only gitleaks binary test steps (only relevant for qa-architect itself)
-    // The restore-keys block has 3 lines after `|`, match all of them to avoid stray lines
-    updated = updated.replace(
-      /\s+- name: Cache gitleaks binary for real download test[\s\S]*?restore-keys: \|[^\n]*\n[^\n]*\n[^\n]*\n/,
-      '\n'
-    )
-    updated = updated.replace(
-      /\s+- name: Run real gitleaks binary verification test[\s\S]*?node tests\/gitleaks-real-binary-test\.js\n/,
-      '\n'
-    )
-
-    // 5. Simplify "Display Detection Report" to show only package manager info
-    updated = updated.replace(
-      /- name: Display Detection Report\s+run: \|[\s\S]*?echo "Has CSS files:[^"]*"/,
-      `- name: Display Detection Report
+    // Insert simplified detection report after the last setup step
+    const minimalReport = `      - name: Display Detection Report
         run: |
           echo "📊 Project Detection Results (Minimal Mode)"
           echo "Package Manager: \${{ steps.detect-pm.outputs.manager }}"
           echo "Install Command: \${{ steps.detect-pm.outputs.install-cmd }}"
           echo "Turborepo: \${{ steps.detect-pm.outputs.is-turborepo }}"
-          echo "Note: Maturity detection skipped in minimal mode for faster CI"`
-    )
+          echo "Mode goal: keep GitHub Actions usage under ~1000 min/month by default"
+          echo "Checks: detection-only in CI (tests/security/docs disabled in minimal mode)"
+          echo "Use --workflow-standard or --workflow-comprehensive to enable heavier CI checks"`
+
+    // Insert report before the "Note: Lint/format" comment that follows detect-maturity job
+    if (!updated.includes('Display Detection Report')) {
+      updated = updated.replace(
+        /(\n {2}# Note: Lint\/format jobs REMOVED)/,
+        `\n${minimalReport}\n$1`
+      )
+    }
   }
 
+  // Strip any remaining section markers from output (belt-and-suspenders)
+  // Use [ \t]* (horizontal whitespace only) — \s* would eat newlines and collapse YAML lines
+  updated = updated.replace(/[ \t]*# \{\{[A-Z_]+_(BEGIN|END)\}\}\n?/g, '')
+
   return updated
 }
 
@@ -243,4 +286,5 @@ module.exports = {
   detectExistingWorkflowMode,
   injectWorkflowMode,
   injectMatrix,
+  stripSection,
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-qa-architect",
-  "version": "5.12.1",
+  "version": "5.13.2",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
@@ -20,7 +20,7 @@
     "validate:comprehensive": "node setup.js --comprehensive --no-markdownlint",
     "validate:all": "npm run validate:comprehensive && npm run security:audit",
     "validate:pre-push": "npm run test:patterns --if-present && npm run lint && npm run format:check && npm run test:commands --if-present && npm test --if-present",
-    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js",
+    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js",
     "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js",
     "test:fast": "npm run test:unit",
     "test:medium": "npm run test:fast && npm run test:patterns && npm run test:commands",
@@ -28,7 +28,7 @@
     "test:comprehensive": "npm run test:patterns && npm test && npm run test:commands && npm run test:e2e && npm run security:audit",
     "test:real-binary": "RUN_REAL_BINARY_TEST=1 node tests/gitleaks-real-binary-test.js",
     "test:commands": "export QAA_DEVELOPER=true && node tests/command-execution.test.js",
-    "test:patterns": "node scripts/validate-command-patterns.js",
+    "test:patterns": "bash scripts/pattern-check.sh --all",
     "test:coverage": "c8 --reporter=html --reporter=text --reporter=lcov npm test",
     "test:e2e": "export QAA_DEVELOPER=true && bash scripts/test-e2e-package.sh",
     "test:all": "npm run test:patterns && npm test && npm run test:commands && npm run test:e2e",
@@ -52,7 +52,13 @@
     "size:why": "size-limit --why",
     "test:a11y": "vitest run tests/accessibility.test.js",
     "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70",
-    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests"
+    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests",
+    "dead-code": "knip --no-exit-code || echo \"Dead code found (non-blocking)\"",
+    "dead-code:strict": "knip",
+    "pattern-check": "bash scripts/pattern-check.sh",
+    "security:scan": "bash scripts/run-semgrep.sh",
+    "security:scan:ci": "bash scripts/run-semgrep.sh --ci",
+    "license:check": "license-checker --onlyAllow \"MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0;0BSD;BlueOak-1.0.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Unlicense;Python-2.0;MPL-2.0\" --excludePrivatePackages"
   },
   "keywords": [
     "qa-architect",
@@ -98,12 +104,12 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/vibebuildlab/qa-architect.git"
+    "url": "git+https://github.com/buildproven/qa-architect.git"
   },
   "bugs": {
-    "url": "https://github.com/vibebuildlab/qa-architect/issues"
+    "url": "https://github.com/buildproven/qa-architect/issues"
   },
-  "homepage": "https://vibebuildlab.com/qa-architect",
+  "homepage": "https://buildproven.ai/qa-architect",
   "engines": {
     "node": ">=20"
   },
@@ -118,28 +124,33 @@
     }
   },
   "devDependencies": {
+    "@commitlint/cli": "^19.0.0",
+    "@commitlint/config-conventional": "^19.0.0",
+    "@lhci/cli": "^0.15.1",
+    "@size-limit/file": "^11.0.0",
     "@types/node": "^25",
+    "@typescript-eslint/eslint-plugin": "^8.9.0",
+    "@typescript-eslint/parser": "^8.9.0",
+    "@vercel/blob": "^2.2.0",
+    "@vitest/coverage-v8": "^2.1.8",
     "actionlint": "^2.0.6",
-    "typescript": "^5",
+    "axe-core": "^4.10.0",
     "c8": "^10.1.2",
+    "commitlint": "^20.4.1",
     "eslint": "^9.39.2",
+    "eslint-plugin-n": "^17.24.0",
     "eslint-plugin-security": "^3.0.1",
     "globals": "^15.9.0",
     "husky": "^9.1.4",
+    "knip": "^6.0.1",
+    "license-checker": "^25.0.1",
     "lint-staged": "^15.2.10",
     "prettier": "^3.8.0",
+    "size-limit": "^11.0.0",
     "stylelint": "^16.26.1",
     "stylelint-config-standard": "^37.0.0",
-    "@lhci/cli": "^0.15.1",
-    "vitest": "^2.1.8",
-    "@vitest/coverage-v8": "^2.1.8",
-    "@typescript-eslint/eslint-plugin": "^8.9.0",
-    "@typescript-eslint/parser": "^8.9.0",
-    "size-limit": "^11.0.0",
-    "@size-limit/file": "^11.0.0",
-    "@commitlint/cli": "^19.0.0",
-    "@commitlint/config-conventional": "^19.0.0",
-    "axe-core": "^4.10.0"
+    "typescript": "^5",
+    "vitest": "^2.1.8"
   },
   "volta": {
     "node": "20.11.1",
@@ -185,11 +196,20 @@
     ],
     "**/*.{ts,tsx}": [
       "eslint --fix",
-      "prettier --write"
+      "prettier --write",
+      "tsc --noEmit --skipLibCheck"
     ],
     "tests/**/*.{ts,tsx,js,jsx}": [
       "eslint --fix",
       "prettier --write"
+    ],
+    "**/*.{js,jsx,ts,tsx,mjs,cjs,html}": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "**/*.{js,jsx,mjs,cjs,html}": [
+      "eslint --fix",
+      "prettier --write"
     ]
   },
   "dependencies": {
@@ -197,8 +217,18 @@
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli2": "^0.20.0",
+    "markdownlint-cli2": "^0.21.0",
     "ora": "^8.1.1",
     "tar": "^7.5.7"
-  }
+  },
+  "size-limit": [
+    {
+      "path": "dist/**/*.js",
+      "limit": "250 kB"
+    },
+    {
+      "path": "dist/**/*.css",
+      "limit": "50 kB"
+    }
+  ]
 }