create-qa-architect 5.12.1 → 5.13.3

package/.github/dependabot.yml

@@ -1,50 +1,30 @@
-# Dependabot configuration for automated dependency updates
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+# Dependabot configuration — optimized to reduce CI minutes
+# Monthly updates, grouped aggressively, limited PRs
 
 version: 2
 updates:
-  # npm dependencies
   - package-ecosystem: 'npm'
     directory: '/'
     schedule:
-      interval: 'weekly'
-      day: 'monday'
-      time: '09:00'
-    open-pull-requests-limit: 5
-    reviewers:
-      - 'brettstark73'
-    # Group non-security updates for easier review
-    groups:
-      development-dependencies:
-        dependency-type: 'development'
-        update-types: ['patch', 'minor']
-      production-dependencies:
-        dependency-type: 'production'
-        update-types: ['patch', 'minor']
-    # Separate security updates (always create individual PRs)
+      interval: 'monthly'
+    open-pull-requests-limit: 2
     labels:
       - 'dependencies'
-      - 'automated'
     commit-message:
       prefix: 'chore(deps)'
       include: 'scope'
-    # Only update to latest release (not pre-release)
-    versioning-strategy: increase
+    groups:
+      all-dependencies:
+        patterns:
+          - '*'
 
-  # GitHub Actions
   - package-ecosystem: 'github-actions'
     directory: '/'
     schedule:
-      interval: 'weekly'
-      day: 'monday'
-      time: '10:00'
-    open-pull-requests-limit: 3
-    reviewers:
-      - 'brettstark73'
+      interval: 'monthly'
+    open-pull-requests-limit: 1
     labels:
       - 'dependencies'
       - 'github-actions'
-      - 'automated'
     commit-message:
       prefix: 'ci'
-      include: 'scope'

package/.github/workflows/claude-md-validation.yml

@@ -1,13 +1,6 @@
 name: CLAUDE.md Validation
 
 on:
-  push:
-    branches: [main, master, develop]
-    paths:
-      - 'CLAUDE.md'
-      - 'package.json'
-      - 'scripts/validate-claude-md.js'
-      - '.github/workflows/claude-md-validation.yml'
   pull_request:
     branches: [main, master, develop]
     paths:
@@ -20,6 +13,11 @@ on:
 jobs:
   validate-claude-md:
     runs-on: ubuntu-latest
+<<<<<<< HEAD
+    if: github.actor != 'dependabot[bot]' || github.event_name != 'pull_request'
+=======
+    timeout-minutes: 10
+>>>>>>> 5fbc311 (chore: optimize CI — monthly crons, timeouts, deduplicate)
     name: Validate CLAUDE.md Consistency
 
     steps:

package/.github/workflows/dependabot-auto-merge.yml

@@ -9,6 +9,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: github.actor == 'dependabot[bot]'
     steps:
       - name: Dependabot metadata

package/.github/workflows/quality.yml

@@ -10,7 +10,7 @@ name: Quality Checks
 # This avoids redundant work and reduces CI costs
 
 on:
-  push:
+  push: # Kept: catches direct pushes and scheduled scans
     branches: [main, master, develop]
     paths-ignore:
       - '**.md'
@@ -20,8 +20,14 @@ on:
       - '.editorconfig'
   pull_request:
     branches: [main, master, develop]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.gitignore'
+      - '.editorconfig'
   schedule:
-    - cron: '0 0 * * 0' # Weekly on Sunday (security scans)
+    - cron: '0 0 1 * *' # Monthly on 1st (security scans)
   workflow_dispatch: # Manual trigger
 
 # Prevent duplicate runs - cancel in-progress when new commit pushed
@@ -36,6 +42,7 @@ jobs:
   # This reduces GitHub Actions minutes by ~50% on active repos
   detect-maturity:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: github.actor != 'dependabot[bot]' || github.event_name == 'schedule'
     outputs:
       maturity: ${{ steps.detect.outputs.maturity }}
@@ -101,19 +108,18 @@ jobs:
         with:
           bun-version: '1.0.0'
 
-      - name: Install dependencies for maturity detection
-        run: ${{ steps.detect-pm.outputs.install-cmd }}
-
+      # {{FULL_DETECTION_BEGIN}}
       - name: Detect Project Maturity
         id: detect
         run: |
-          # Use the project maturity detector (local for qa-architect itself, node_modules for other projects)
+          # Use the project maturity detector (local for qa-architect itself, npx for consumer projects)
           if [ -f lib/project-maturity.js ]; then
             node lib/project-maturity.js --github-actions >> $GITHUB_OUTPUT
           else
-            node node_modules/create-qa-architect/lib/project-maturity.js --github-actions >> $GITHUB_OUTPUT
+            npx create-qa-architect@latest --check-maturity --github-actions >> $GITHUB_OUTPUT
           fi
-
+      # {{FULL_DETECTION_END}}
+      # {{FULL_REPORT_BEGIN}}
       - name: Display Detection Report
         run: |
           echo "📊 Project Detection Results"
@@ -126,6 +132,7 @@ jobs:
           echo "Has dependencies: ${{ steps.detect.outputs.has-deps }}"
           echo "Has documentation: ${{ steps.detect.outputs.has-docs }}"
           echo "Has CSS files: ${{ steps.detect.outputs.has-css }}"
+      # {{FULL_REPORT_END}}
 
   # Note: Lint/format jobs REMOVED - pre-commit already does this locally
   # This follows industry best practice: "Each layer does unique work"
@@ -143,6 +150,7 @@ jobs:
   # provide better reliability on GHES/self-hosted and unlock premium features
   security:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: detect-maturity
     if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.detect-maturity.outputs.has-deps == 'true'
 
@@ -251,7 +259,7 @@ jobs:
           if [ -f setup.js ]; then
             node setup.js --security-config
           else
-            node node_modules/create-qa-architect/setup.js --security-config
+            npx create-qa-architect@latest --security-config
           fi
 
       - name: Security pattern detection
@@ -274,6 +282,7 @@ jobs:
   # Smart skip: Draft PRs skip tests (saves CI costs during WIP)
   tests:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: detect-maturity
     if: |
       fromJSON(needs.detect-maturity.outputs.test-count) > 0 &&
@@ -330,6 +339,7 @@ jobs:
             exit 1
           }
 
+      # {{QA_ARCHITECT_ONLY_BEGIN}}
       - name: Cache gitleaks binary for real download test
         if: runner.os == 'Linux'
         uses: actions/cache@v5
@@ -345,10 +355,12 @@ jobs:
         run: |
           echo "🔐 Running real gitleaks binary verification test..."
           QAA_DEVELOPER=true RUN_REAL_BINARY_TEST=1 node tests/gitleaks-real-binary-test.js
+      # {{QA_ARCHITECT_ONLY_END}}
 
   # Step 4: Documentation - run for production-ready projects
   documentation:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: detect-maturity
     if: needs.detect-maturity.outputs.maturity == 'production-ready'
 
@@ -383,7 +395,7 @@ jobs:
           if [ -f setup.js ]; then
             node setup.js --security-config
           else
-            node node_modules/create-qa-architect/setup.js --security-config
+            npx create-qa-architect@latest --security-config
           fi
 
       - name: Documentation validation
@@ -392,17 +404,18 @@ jobs:
           if [ -f setup.js ]; then
             node setup.js --validate-docs
           else
-            node node_modules/create-qa-architect/setup.js --validate-docs
+            npx create-qa-architect@latest --validate-docs
           fi
 
       - name: Documentation consistency and security audit freshness
+        continue-on-error: true
         run: |
           echo "🔐 Running comprehensive documentation validation..."
           # This includes security audit freshness check with proper git-based validation
           if [ -f scripts/check-docs.sh ]; then
             bash scripts/check-docs.sh
           else
-            bash node_modules/create-qa-architect/scripts/check-docs.sh
+            echo "No check-docs.sh found - skipping documentation consistency check"
           fi
 
       - name: Package size and contents validation
@@ -489,6 +502,7 @@ jobs:
   # Step 5: Summary - report what checks ran
   summary:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs:
       - detect-maturity
       - security

package/.github/workflows/release.yml

@@ -11,6 +11,7 @@ permissions:
 jobs:
   release:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -35,7 +36,7 @@ jobs:
           CI: 'true'
 
       - name: Publish to npm with provenance
-        run: npm publish --provenance
+        run: npm publish --provenance --access public
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2

package/.github/workflows/stale-prs.yml

@@ -0,0 +1,42 @@
+name: Stale PR Cleanup
+
+on:
+  schedule:
+    # Daily at 6am CT (11:00 UTC)
+    - cron: '0 11 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  stale:
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          # PRs only — skip issues entirely
+          days-before-issue-stale: -1
+          days-before-issue-close: -1
+
+          # Warn at 24h, close at 48h
+          days-before-pr-stale: 1
+          days-before-pr-close: 1
+
+          stale-pr-label: stale
+          stale-pr-message: >
+            This PR is 24h old. Please merge or close to avoid merge conflicts.
+          close-pr-message: >
+            Auto-closed: PR exceeded 48h without merge. Re-open and rebase if still needed.
+
+          # Exemptions
+          exempt-pr-labels: 'do-not-close,wip'
+          exempt-all-pr-assignees: false
+
+          # Exempt dependabot PRs (author filter)
+          exempt-pr-authors: 'dependabot[bot],dependabot'
+
+          # CI minutes budget: process max 10 PRs per run
+          operations-per-run: 10

package/.github/workflows/weekly-gitleaks-verification.yml

@@ -1,17 +1,18 @@
-name: Weekly Gitleaks Real Download Verification
+name: Monthly Gitleaks Real Download Verification
 
-# Run weekly to verify real gitleaks download and checksum verification
+# Run monthly to verify real gitleaks download and checksum verification
 # This catches upstream asset changes, checksum drift, and download issues
 on:
   schedule:
-    # Run at 2 AM UTC every Sunday (weekly)
-    - cron: '0 2 * * 0'
+    # Run at 2 AM UTC on the 1st of each month (monthly)
+    - cron: '0 2 1 * *'
   workflow_dispatch: # Allow manual trigger
 
 jobs:
   real-download-verification:
     name: Real Gitleaks Download Test (Linux x64)
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - name: Checkout code
@@ -136,6 +137,7 @@ jobs:
   alert-on-failure:
     name: Alert on Verification Failure
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: real-download-verification
     if: failure()
 

package/LICENSE

@@ -1,11 +1,11 @@
 VIBE BUILD LAB COMMERCIAL LICENSE
 
-Copyright (c) 2025 Vibe Build Lab LLC. All rights reserved.
+Copyright (c) 2025 BuildProven. All rights reserved.
 
 COMMERCIAL SOFTWARE - FREEMIUM MODEL
 
 This software and associated documentation files (the "Software") are
-proprietary commercial products of Vibe Build Lab LLC.
+proprietary commercial products of BuildProven.
 
 TERMS OF USE:
 
@@ -58,9 +58,9 @@ TERMS OF USE:
    IN NO EVENT SHALL VIBE BUILD LAB LLC BE LIABLE FOR ANY CLAIM, DAMAGES OR
    OTHER LIABILITY ARISING FROM THE USE OF THE SOFTWARE.
 
-For licensing inquiries: support@vibebuildlab.com
+For licensing inquiries: support@buildproven.ai
 
 ---
 
-Vibe Build Lab LLC
-https://vibebuildlab.com
+BuildProven
+https://buildproven.ai

package/README.md

@@ -2,13 +2,13 @@
 
 Quality automation CLI for JavaScript/TypeScript, Python, and shell script projects. One command adds ESLint, Prettier, Husky, lint-staged, and GitHub Actions. Pro tiers add security scanning (Gitleaks), Smart Test Strategy, and multi-language support.
 
-**This repo = the free CLI.** For the Pro dashboard with repo analytics, CI integration, and automation workflows, see [QA Architect Pro](https://vibebuildlab.com/qa-architect) (included in VBL Starter Kit).
+**This repo = the free CLI.** For the Pro dashboard with repo analytics, CI integration, and automation workflows, see [QA Architect Pro](https://buildproven.ai/qa-architect) (included in BuildProven Starter Kit).
 
 ---
 
 > **Maintainer & Ownership**
-> This project is maintained by **Vibe Build Lab LLC**, a studio focused on AI-assisted product development, micro-SaaS, and "vibe coding" workflows for solo founders and small teams.
-> Learn more at **https://vibebuildlab.com**.
+> This project is maintained by **BuildProven**, a studio focused on AI-assisted product development, micro-SaaS, and "vibe coding" workflows for solo founders and small teams.
+> Learn more at **https://buildproven.ai**.
 
 ---
 
@@ -63,7 +63,7 @@ npx create-qa-architect@latest
 | **Free** | $0                | CLI tool, basic linting/formatting, npm audit (capped: 1 private repo, 50 runs/mo)                 |
 | **Pro**  | $49/mo or $490/yr | **Security scanning (Gitleaks + ESLint security)**, Smart Test Strategy, multi-language, unlimited |
 
-> **Pro included in [VBL Starter Kit](https://vibebuildlab.com/starter-kit)**
+> **Pro included in [BuildProven Starter Kit](https://buildproven.ai/starter-kit)**
 
 ### Security Features by Tier
 
@@ -102,7 +102,7 @@ npx create-qa-architect@latest
 
 ### Get Pro
 
-**Purchase:** [vibebuildlab.com/qa-architect](https://vibebuildlab.com/qa-architect)
+**Purchase:** [buildproven.ai/qa-architect](https://buildproven.ai/qa-architect)
 
 After purchase, you'll receive a license key via email (QAA-XXXX-XXXX-XXXX-XXXX).
 
@@ -137,15 +137,16 @@ Note: CI does NOT re-run lint/format (pre-commit already did it). This avoids re
 
 qa-architect defaults to **minimal CI** to avoid unexpected GitHub Actions bills. Choose the tier that matches your needs:
 
-### Minimal (Default) - $0-5/month
+### Minimal (Default) - Budget-First (<1000 min/month target)
 
 **Best for:** Solo developers, side projects, open source
 
-- Single Node version (22) testing
-- Security scans run weekly (not on every commit)
+- Single Node version (22) detection workflow
+- CI defaults to detection-only (tests/security/docs disabled in minimal mode)
+- Security scans run monthly (not on every commit)
 - Path filters skip CI for docs/README changes
-- **Runtime:** ~5-10 min/commit
-- **Est. cost:** ~$0-5/mo for typical projects (2-5 commits/day)
+- **Runtime:** ~1-2 min/run
+- **Est. usage target:** under ~1000 minutes/month by default
 
 ```bash
 npx create-qa-architect@latest
@@ -157,8 +158,8 @@ npx create-qa-architect@latest --workflow-minimal
 
 **Best for:** Small teams, client projects, production apps
 
-- Matrix testing (Node 20 + 22) **only on main branch**
-- Security scans run weekly
+- Single Node 22 testing **only on main branch**
+- Security scans run monthly
 - Path filters enabled
 - **Runtime:** ~15-20 min/commit
 - **Est. cost:** ~$5-20/mo for typical projects
@@ -207,16 +208,14 @@ npx create-qa-architect@latest --update --workflow-minimal
 - **Duplicate checks** (ESLint, tests, security scans run twice)
 - **Unexpected billing** (easily exceeds GitHub's 2,000 min/month free tier)
 
-**If you have both `ci.yml` and `quality.yml`:**
+**If you have both `ci.yml` and `quality.yml`, run:**
 
 ```bash
-# Remove the duplicate ci.yml
-rm .github/workflows/ci.yml
-
-# Ensure quality.yml uses minimal mode
 npx create-qa-architect@latest --update --workflow-minimal
 ```
 
+`--update` now automatically removes known duplicate workflow names (`ci.yml`, `test.yml`, `tests.yml`, `quality-legacy.yml`) while preserving `quality.yml`.
+
 The `quality.yml` workflow is adaptive - it runs appropriate checks based on your project's maturity level, so a separate `ci.yml` is unnecessary.
 
 ### Analyzing Your Costs (Pro Feature)
@@ -277,6 +276,8 @@ npm install
 npm run lint
 ```
 
+`--update` refreshes the existing `quality.yml` from the latest template while preserving the detected workflow tier and existing matrix setting unless you explicitly override the tier with `--workflow-minimal`, `--workflow-standard`, or `--workflow-comprehensive`.
+
 ### Dependency Monitoring (Free)
 
 ```bash
@@ -426,7 +427,7 @@ Pro tier ($49/mo or $490/yr) includes:
 - Multi-language support (Python, Shell scripts)
 - Unlimited private repos and runs
 
-Purchase at [vibebuildlab.com/qa-architect](https://vibebuildlab.com/qa-architect)
+Purchase at [buildproven.ai/qa-architect](https://buildproven.ai/qa-architect)
 
 ### Server-Side Setup (Maintainers Only)
 
@@ -449,9 +450,9 @@ Commercial freemium license — the base CLI is free to use; Pro features requir
 
 ## Legal
 
-- [Privacy Policy](https://vibebuildlab.com/privacy-policy)
-- [Terms of Service](https://vibebuildlab.com/terms)
+- [Privacy Policy](https://buildproven.ai/privacy-policy)
+- [Terms of Service](https://buildproven.ai/terms)
 
 ---
 
-> **Vibe Build Lab LLC** · [vibebuildlab.com](https://vibebuildlab.com)
+> **BuildProven** · [buildproven.ai](https://buildproven.ai)

package/config/defaults.js

@@ -19,7 +19,7 @@ const baseScripts = {
   'test:coverage': 'vitest run --coverage',
   'test:changed': 'vitest run --changed HEAD~1 --passWithNoTests',
   'security:audit':
-    '[ -f pnpm-lock.yaml ] && pnpm audit --audit-level high || [ -f yarn.lock ] && yarn audit || npm audit --audit-level high',
+    'if [ -f pnpm-lock.yaml ]; then pnpm audit --audit-level high; elif [ -f yarn.lock ]; then yarn audit; else npm audit --audit-level high; fi',
   'security:secrets':
     "node -e \"const fs=require('fs');const content=fs.readFileSync('package.json','utf8');if(/[\\\"\\'][a-zA-Z0-9+/]{20,}[\\\"\\']/.test(content)){console.error('❌ Potential hardcoded secrets in package.json');process.exit(1)}else{console.log('✅ No secrets detected in package.json')}\"",
   'security:config': 'npx create-qa-architect@latest --security-config',
@@ -28,8 +28,7 @@ const baseScripts = {
   'validate:docs': 'npx create-qa-architect@latest --validate-docs',
   'validate:comprehensive': 'npx create-qa-architect@latest --comprehensive',
   'validate:all': 'npm run validate:comprehensive && npm run security:audit',
-  'validate:pre-push':
-    'npm run test:patterns --if-present && npm run test:commands --if-present && npm run test:changed --if-present || npm test --if-present',
+  'validate:pre-push': `npm run test:patterns --if-present && npm run test:commands --if-present && if node -e "const pkg=require('./package.json');process.exit(pkg.scripts&&pkg.scripts['test:changed']?0:1)" 2>/dev/null; then npm run test:changed; else npm test --if-present; fi`,
 }
 
 const normalizeStylelintTargets = stylelintTargets => {

package/config/quality-config.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://github.com/vibebuildlab/qa-architect/blob/main/config/quality-config.schema.json",
+  "$id": "https://github.com/buildproven/qa-architect/blob/main/config/quality-config.schema.json",
   "title": "Quality Automation Configuration",
   "description": "Configuration for create-qa-architect progressive quality checks",
   "type": "object",

package/docs/CI-COST-ANALYSIS.md

@@ -7,18 +7,18 @@
 
 ## Current Status: Within Budget (with fixes)
 
-### Actual January 2026 Usage (vibebuildlab org)
+### Actual January 2026 Usage (buildproven org)
 
 | Repo                    | Minutes    | Runs  | Avg/Run |
 | ----------------------- | ---------- | ----- | ------- |
 | qa-architect            | 340        | 349   | 1.0 min |
 | postrail                | 1,769      | 295   | 6.0 min |
-| vibebuildlab            | 89         | 282   | 0.3 min |
+| buildproven            | 89         | 282   | 0.3 min |
 | keyflash                | 74         | 187   | 0.4 min |
 | wfhroulette             | 56         | 138   | 0.4 min |
 | jobrecon                | 56         | 44    | 1.3 min |
-| ai-second-act           | 4          | 33    | 0.1 min |
-| vibebuildlab-newsletter | 1          | 22    | 0.0 min |
+| buildproven             | 4          | 33    | 0.1 min |
+| buildproven-newsletter | 1          | 22    | 0.0 min |
 | **TOTAL**               | **~2,400** | 1,350 | 1.8 min |
 
 ### February Projection (Pre-Fix)
@@ -37,7 +37,7 @@ Based on Feb 1-3 data extrapolated:
 | postrail     | 63%                  |
 | keyflash     | 53%                  |
 | qa-architect | 8%                   |
-| vibebuildlab | 0%                   |
+| buildproven | 0%                   |
 
 ---
 
@@ -81,15 +81,15 @@ qa-architect supports three workflow modes:
 ### Minimal Mode (Default)
 
 - Single Node.js version (22)
-- Security scans weekly only
+- Security scans monthly only
 - Path filters enabled
 - Skip Dependabot PRs
 - Concurrency limits
 
 ### Standard Mode (`--workflow-standard`)
 
-- Matrix on main only (20, 22)
-- Security on PR + weekly
+- Single Node 22 (no matrix), tests restricted to main branch only
+- Security on manual/monthly schedule
 - Full test coverage
 
 ### Comprehensive Mode (`--workflow-comprehensive`)

package/docs/DEPLOYMENT.md

@@ -59,4 +59,4 @@ npm deprecate create-qa-architect@VERSION "Critical bug, use VERSION instead"
 ## npm Registry
 
 - Package: https://www.npmjs.com/package/create-qa-architect
-- Documentation: https://github.com/vibebuildlab/qa-architect
+- Documentation: https://github.com/buildproven/qa-architect

package/docs/DEVELOPMENT-WORKFLOW.md

@@ -150,8 +150,8 @@ npm run validate:all      # Full validation
 qa-architect's `quality.yml` is designed to be your **single CI workflow**. Don't use it alongside a separate `ci.yml`:
 
 ```bash
-# If you have both, remove the duplicate
-rm .github/workflows/ci.yml
+# Update and auto-clean duplicate workflow names
+npx create-qa-architect@latest --update --workflow-minimal
 ```
 
 ### Analyze Your Costs (Pro)

package/docs/TURBOREPO-SUPPORT.md

@@ -75,7 +75,7 @@ See `.github/workflows/pnpm-ci.yml.example` for a complete Turborepo CI workflow
 Typical Turborepo monorepo:
 
 ```
-vibebuildlab/
+buildproven/
 ├── turbo.json              # Turborepo config (triggers detection)
 ├── package.json            # Root package with workspaces
 ├── pnpm-lock.yaml         # pnpm lockfile
@@ -156,7 +156,7 @@ This is expected in monorepos. qa-architect gracefully handles missing package.j
 Test Turborepo detection:
 
 ```bash
-cd ~/Projects/vibebuildlab
+cd ~/Projects/internal/buildproven
 npx create-qa-architect@latest --dry-run
 
 # Should show:
@@ -171,4 +171,4 @@ npx create-qa-architect@latest --dry-run
 
 ---
 
-**Status**: Production-ready, tested with vibebuildlab monorepo
+**Status**: Production-ready, tested with buildproven monorepo