create-qa-architect 5.12.1 → 5.13.3

package/lib/commands/maturity-check.js

@@ -10,11 +10,29 @@
  */
 function handleMaturityCheck() {
   const { ProjectMaturityDetector } = require('../project-maturity')
+  const githubActions = process.argv.includes('--github-actions')
   const detector = new ProjectMaturityDetector({
     projectPath: process.cwd(),
-    verbose: true,
+    verbose: !githubActions,
   })
-  detector.printReport()
+
+  if (githubActions) {
+    const output = detector.generateGitHubActionsOutput()
+    console.log(`maturity=${output.maturity}`)
+    console.log(`source-count=${output.sourceCount}`)
+    console.log(`test-count=${output.testCount}`)
+    console.log(`has-deps=${output.hasDeps}`)
+    console.log(`has-docs=${output.hasDocs}`)
+    console.log(`has-css=${output.hasCss}`)
+    console.log(`has-shell=${output.hasShell}`)
+    console.log(`shell-count=${output.shellCount}`)
+    console.log(`is-shell-project=${output.isShellProject}`)
+    console.log(`required-checks=${output.requiredChecks}`)
+    console.log(`optional-checks=${output.optionalChecks}`)
+    console.log(`disabled-checks=${output.disabledChecks}`)
+  } else {
+    detector.printReport()
+  }
   process.exit(0)
 }
 

package/lib/dependency-monitoring-basic.js

@@ -22,7 +22,7 @@ function hasNpmProject(projectPath) {
 function generateBasicDependabotConfig(options = {}) {
   const {
     projectPath = '.',
-    schedule = 'weekly',
+    schedule = 'monthly',
     day = 'monday',
     time = '09:00',
     monorepoInfo = null, // Optional monorepo detection result
@@ -50,7 +50,7 @@ function generateBasicDependabotConfig(options = {}) {
         day: day,
         time: time,
       },
-      'open-pull-requests-limit': 5,
+      'open-pull-requests-limit': 2,
       labels: ['dependencies', 'root'],
       'commit-message': {
         prefix: 'deps(root)',
@@ -69,7 +69,7 @@ function generateBasicDependabotConfig(options = {}) {
           day: day,
           time: time,
         },
-        'open-pull-requests-limit': 3,
+        'open-pull-requests-limit': 2,
         labels: ['dependencies', pkg.name],
         'commit-message': {
           prefix: `deps(${pkg.name})`,
@@ -87,7 +87,7 @@ function generateBasicDependabotConfig(options = {}) {
         day: day,
         time: time,
       },
-      'open-pull-requests-limit': 5,
+      'open-pull-requests-limit': 2,
       labels: ['dependencies'],
       'commit-message': {
         prefix: 'deps',

package/lib/dependency-monitoring-premium.js

@@ -1294,7 +1294,7 @@ function generatePremiumDependabotConfig(options = {}) {
 
   const {
     projectPath = '.',
-    schedule = 'weekly',
+    schedule = 'monthly',
     day = 'monday',
     time = '09:00',
   } = options
@@ -1316,7 +1316,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'npm',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'npm'],
       'commit-message': { prefix: 'deps(npm)', include: 'scope' },
       ...(Object.keys(npmGroups).length > 0 && { groups: npmGroups }),
@@ -1330,7 +1330,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'pip',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'python'],
       'commit-message': { prefix: 'deps(python)' },
       ...(Object.keys(pipGroups).length > 0 && { groups: pipGroups }),
@@ -1344,7 +1344,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'cargo',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'rust'],
       'commit-message': { prefix: 'deps(rust)' },
       ...(Object.keys(cargoGroups).length > 0 && { groups: cargoGroups }),
@@ -1358,7 +1358,7 @@ function generatePremiumDependabotConfig(options = {}) {
       'package-ecosystem': 'bundler',
       directory: '/',
       schedule: { interval: schedule, day, time },
-      'open-pull-requests-limit': 10,
+      'open-pull-requests-limit': 3,
       labels: ['dependencies', 'ruby'],
       'commit-message': { prefix: 'deps(ruby)' },
       ...(Object.keys(bundlerGroups).length > 0 && { groups: bundlerGroups }),

package/lib/license-validator.js

@@ -85,7 +85,7 @@ class LicenseValidator {
     // Allow enterprises to host their own registry
     this.licenseDbUrl =
       process.env.QAA_LICENSE_DB_URL ||
-      'https://vibebuildlab.com/api/licenses/qa-architect.json'
+      'https://buildproven.ai/api/licenses/qa-architect.json'
 
     this.licensePublicKey = loadKeyFromEnv(
       process.env.QAA_LICENSE_PUBLIC_KEY,
@@ -691,4 +691,4 @@ class LicenseValidator {
   }
 }
 
-module.exports = { LicenseValidator }
+module.exports = { LicenseValidator, validateLicenseDir }

package/lib/licensing.js

@@ -16,15 +16,16 @@ const {
   verifyPayload,
   loadKeyFromEnv,
 } = require('./license-signing')
+const { validateLicenseDir } = require('./license-validator')
 
 // License storage locations
 // Support environment variable override for testing (like telemetry/error-reporter)
 // Use getter functions to allow env override before module load
 function getLicenseDir() {
-  return (
+  const requestedDir =
     process.env.QAA_LICENSE_DIR ||
     path.join(os.homedir(), '.create-qa-architect')
-  )
+  return validateLicenseDir(requestedDir)
 }
 
 function getLicenseFile() {
@@ -399,7 +400,7 @@ function showUpgradeMessage(feature) {
     console.log('')
     console.log('   🎁 Start 14-day free trial - no credit card required')
     console.log('')
-    console.log('🚀 Upgrade: https://vibebuildlab.com/qa-architect')
+    console.log('🚀 Upgrade: https://buildproven.ai/qa-architect')
     console.log(
       '🔑 Activate: npx create-qa-architect@latest --activate-license'
     )
@@ -586,10 +587,7 @@ async function addLegitimateKey(
     }
 
     const normalizedKey = normalizeLicenseKey(licenseKey)
-    // Use the same license directory as the CLI
-    const licenseDir =
-      process.env.QAA_LICENSE_DIR ||
-      path.join(os.homedir(), '.create-qa-architect')
+    const licenseDir = getLicenseDir()
     const legitimateDBFile = path.join(licenseDir, 'legitimate-licenses.json')
     const privateKey = loadKeyFromEnv(
       process.env.LICENSE_REGISTRY_PRIVATE_KEY,
@@ -745,7 +743,7 @@ async function promptLicenseActivation() {
       console.log(
         '   If you purchased this license, please contact support at:'
       )
-      console.log('   Email: support@vibebuildlab.com')
+      console.log('   Email: support@buildproven.ai')
       console.log(
         '   Include your license key and purchase email for verification.'
       )
@@ -1140,7 +1138,7 @@ function showLicenseStatus() {
   // Show upgrade path
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n💡 Upgrade to PRO for unlimited access + security scanning')
-    console.log('   → https://vibebuildlab.com/qa-architect')
+    console.log('   → https://buildproven.ai/qa-architect')
   }
 }
 

package/lib/smart-strategy-generator.js

@@ -255,7 +255,7 @@ function generateSmartStrategy(options = {}) {
         `Troubleshooting steps:\n` +
         `1. Reinstall the package: npm install -g create-qa-architect@latest\n` +
         `2. Check file permissions: ls -la ${path.dirname(templatePath)}\n` +
-        `3. Report issue if problem persists: https://github.com/vibebuildlab/qa-architect/issues/new`
+        `3. Report issue if problem persists: https://github.com/buildproven/qa-architect/issues/new`
     )
   }
 

package/lib/validation/documentation.js

@@ -267,6 +267,8 @@ class DocumentationValidator {
         'quality-python.yml',
         'ci.yml', // Common workflow name users might have
         'test.yml', // Common workflow name users might have
+        'tests.yml', // Common workflow name users might have
+        'quality-legacy.yml', // Legacy workflow name referenced in cleanup docs
         // Optional tooling configs
         '.lighthouserc.js',
         'vercel.json',

package/lib/workflow-config.js

@@ -65,8 +65,144 @@ function detectExistingWorkflowMode(projectPath) {
   }
 }
 
+/**
+ * Detect whether matrix testing is enabled in an existing workflow.
+ * @param {string} projectPath - Path to project
+ * @returns {boolean} True when matrix testing is enabled
+ */
+function detectExistingMatrix(projectPath) {
+  const workflowPath = path.join(
+    projectPath,
+    '.github',
+    'workflows',
+    'quality.yml'
+  )
+
+  if (!fs.existsSync(workflowPath)) {
+    return false
+  }
+
+  try {
+    const content = fs.readFileSync(workflowPath, 'utf8')
+    return (
+      content.includes('# MATRIX_ENABLED: true') ||
+      content.includes('node-version: [20, 22]')
+    )
+  } catch (error) {
+    console.warn(
+      `⚠️  Could not detect existing matrix configuration: ${error.message}`
+    )
+    return false
+  }
+}
+
+/**
+ * Strip a named section from workflow content.
+ * Removes everything between # {{NAME_BEGIN}} and # {{NAME_END}} markers (inclusive).
+ * Leaves a single newline to avoid collapsing adjacent YAML blocks.
+ * @param {string} content - Workflow content
+ * @param {string} sectionName - Section name (e.g. 'QA_ARCHITECT_ONLY', 'FULL_DETECTION')
+ * @returns {string} Content with section removed
+ */
+function stripSection(content, sectionName) {
+  if (!/^[A-Z_]+$/.test(sectionName)) {
+    throw new Error(`Invalid section name: ${sectionName}`)
+  }
+  // eslint-disable-next-line security/detect-non-literal-regexp -- sectionName validated above
+  const pattern = new RegExp(
+    `[^\\S\\n]*# \\{\\{${sectionName}_BEGIN\\}\\}[\\s\\S]*?# \\{\\{${sectionName}_END\\}\\}\\n?`,
+    'g'
+  )
+  return content.replace(pattern, '')
+}
+
+/**
+ * Remove a paths-ignore block from a top-level workflow trigger.
+ * @param {string} content - Workflow content
+ * @param {string} triggerName - Trigger key (e.g. push, pull_request)
+ * @returns {string} Updated content
+ */
+function removeTriggerPathsIgnore(content, triggerName) {
+  const lines = content.split('\n')
+  const output = []
+
+  for (let index = 0; index < lines.length; index += 1) {
+    const line = lines[index]
+    output.push(line)
+
+    if (
+      line !== `  ${triggerName}:` &&
+      !line.startsWith(`  ${triggerName}: `)
+    ) {
+      continue
+    }
+
+    let scanIndex = index + 1
+    while (scanIndex < lines.length) {
+      const nextLine = lines[scanIndex]
+
+      if (nextLine.startsWith('  ') && !nextLine.startsWith('    ')) {
+        break
+      }
+
+      if (nextLine === '    paths-ignore:') {
+        scanIndex += 1
+        while (
+          scanIndex < lines.length &&
+          lines[scanIndex].startsWith('      - ')
+        ) {
+          scanIndex += 1
+        }
+        index = scanIndex - 1
+        break
+      }
+
+      output.push(nextLine)
+      index = scanIndex
+      scanIndex += 1
+    }
+  }
+
+  return output.join('\n')
+}
+
+/**
+ * Restrict the tests job to main branch pushes in standard mode.
+ * @param {string} content - Workflow content
+ * @returns {string} Updated content
+ */
+function addStandardTestsBranchGate(content) {
+  const lines = content.split('\n')
+  const output = []
+  let inTestsJob = false
+  let branchGateInserted = false
+
+  for (const line of lines) {
+    if (line === '  tests:') {
+      inTestsJob = true
+    } else if (
+      inTestsJob &&
+      line.startsWith('  ') &&
+      !line.startsWith('    ')
+    ) {
+      inTestsJob = false
+    }
+
+    output.push(line)
+
+    if (inTestsJob && line === '    if: |' && !branchGateInserted) {
+      output.push("      github.ref == 'refs/heads/main' &&")
+      branchGateInserted = true
+    }
+  }
+
+  return output.join('\n')
+}
+
 /**
  * Inject workflow mode-specific configuration into quality.yml
+ * Uses section markers (# {{SECTION_BEGIN/END}}) for reliable content removal
+ * instead of fragile structural regex patterns.
  * @param {string} workflowContent - Template content
  * @param {'minimal'|'standard'|'comprehensive'} mode - Selected mode
  * @returns {string} Modified workflow content
@@ -74,101 +210,66 @@ function detectExistingWorkflowMode(projectPath) {
 function injectWorkflowMode(workflowContent, mode) {
   let updated = workflowContent
 
+  // Set workflow mode marker
   const versionMarker = `# WORKFLOW_MODE: ${mode}`
   if (updated.includes('# WORKFLOW_MODE:')) {
-    // Replace existing marker with new mode
     updated = updated.replace(
       /# WORKFLOW_MODE: (minimal|standard|comprehensive)/,
       versionMarker
     )
   } else {
-    // Add marker before jobs:
     updated = updated.replace(/(\n\njobs:)/, `\n${versionMarker}\n$1`)
   }
 
-  // Controlled regexes for YAML workflow template matching - these patterns match static
-  // template content, not user input. Safe from ReDoS as they match known structure.
+  // All consumer workflows: strip qa-architect-only content
+  updated = stripSection(updated, 'QA_ARCHITECT_ONLY')
 
-  // Handle mode-specific transformations
+  // Mode-specific transformations
   if (mode === 'standard') {
-    // Standard: Add main branch condition to tests job
-    // Handle both single-line and multi-line if: formats
-
-    // First try multi-line format (if: | block)
+    // Standard: run tests on main only to keep CI costs bounded.
     if (
-      updated.includes('tests:') &&
-      updated.includes('fromJSON(needs.detect-maturity.outputs.test-count)')
+      updated.includes('  tests:') &&
+      updated.includes('    if: |') &&
+      !updated.includes("github.ref == 'refs/heads/main'")
     ) {
-      // Multi-line if: | block - add main branch check at the start
-      updated = updated.replace(
-        /(tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+if: \|\s*\n\s+)fromJSON\(needs\.detect-maturity\.outputs\.test-count\)/,
-        "$1github.ref == 'refs/heads/main' &&\n      fromJSON(needs.detect-maturity.outputs.test-count)"
-      )
-
-      // Also try single-line format as fallback
-      updated = updated.replace(
-        /(\s+tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+)if: fromJSON\(needs\.detect-maturity\.outputs\.test-count\) > 0/,
-        "$1if: github.ref == 'refs/heads/main' && fromJSON(needs.detect-maturity.outputs.test-count) > 0"
-      )
+      updated = addStandardTestsBranchGate(updated)
     }
-
-    // Standard: Change matrix to [20, 22]
-    updated = updated.replace(/node-version: \[22\]/g, 'node-version: [20, 22]')
   } else if (mode === 'comprehensive') {
-    // Comprehensive: Remove paths-ignore blocks from push and pull_request
-    updated = updated.replace(
-      /(\s+push:\s+branches:[^\n]+)\s+paths-ignore:\s+- '\*\*\.md'\s+- 'docs\/\*\*'\s+- 'LICENSE'\s+- '\.gitignore'\s+- '\.editorconfig'/g,
-      '$1'
-    )
-    updated = updated.replace(
-      /(\s+pull_request:\s+branches:[^\n]+)\s+paths-ignore:\s+- '\*\*\.md'\s+- 'docs\/\*\*'\s+- 'LICENSE'\s+- '\.gitignore'\s+- '\.editorconfig'/g,
-      '$1'
-    )
-
+    // Comprehensive: Remove paths-ignore blocks
+    updated = removeTriggerPathsIgnore(updated, 'push')
+    updated = removeTriggerPathsIgnore(updated, 'pull_request')
     // Comprehensive: Remove schedule trigger (security runs inline)
     updated = updated.replace(/\s+schedule:\s+- cron:[^\n]+[^\n]*\n?/g, '\n')
-
     // Comprehensive: Remove schedule condition from security job
     updated = updated.replace(
       /if: \(github\.event_name == 'schedule' \|\| github\.event_name == 'workflow_dispatch'\) && /g,
       'if: '
     )
-
-    // Comprehensive: Change matrix to [20, 22]
     updated = updated.replace(/node-version: \[22\]/g, 'node-version: [20, 22]')
   }
-  // Minimal mode: Remove expensive dependency install and maturity detection steps
-  // Keep only: checkout, setup-node, detect-pm, setup-pnpm/bun, simplified report
-  if (mode === 'minimal') {
-    // 1. Remove "Install dependencies for maturity detection" step
-    updated = updated.replace(
-      /\s+- name: Install dependencies for maturity detection\s+run: \$\{\{ steps\.detect-pm\.outputs\.install-cmd \}\}\s*\n/,
-      '\n'
-    )
 
-    // 2. Remove "Detect Project Maturity" step (multiline)
-    updated = updated.replace(
-      /\s+- name: Detect Project Maturity\s+id: detect\s+run: \|[\s\S]*?fi\s*\n/,
-      '\n'
-    )
+  // Minimal mode: use section markers to strip detection, hardcode outputs
+  if (mode === 'minimal') {
+    // Strip full detection and report sections via markers
+    updated = stripSection(updated, 'FULL_DETECTION')
+    updated = stripSection(updated, 'FULL_REPORT')
 
-    // 3. Hardcode maturity outputs (since we skip detection)
-    // These sensible defaults allow basic checks to run without expensive detection
+    // Hardcode maturity outputs (since we skip detection)
     updated = updated.replace(
       /maturity: \$\{\{ steps\.detect\.outputs\.maturity \}\}/,
       "maturity: 'minimal'"
     )
     updated = updated.replace(
       /source-count: \$\{\{ steps\.detect\.outputs\.source-count \}\}/,
-      "source-count: '10'"
+      "source-count: '0'"
     )
     updated = updated.replace(
       /test-count: \$\{\{ steps\.detect\.outputs\.test-count \}\}/,
-      "test-count: '1'"
+      "test-count: '0'"
     )
     updated = updated.replace(
       /has-deps: \$\{\{ steps\.detect\.outputs\.has-deps \}\}/,
-      "has-deps: 'true'"
+      "has-deps: 'false'"
     )
     updated = updated.replace(
       /has-docs: \$\{\{ steps\.detect\.outputs\.has-docs \}\}/,
@@ -179,30 +280,30 @@ function injectWorkflowMode(workflowContent, mode) {
       "has-css: 'false'"
     )
 
-    // 4. Remove dev-only gitleaks binary test steps (only relevant for qa-architect itself)
-    // The restore-keys block has 3 lines after `|`, match all of them to avoid stray lines
-    updated = updated.replace(
-      /\s+- name: Cache gitleaks binary for real download test[\s\S]*?restore-keys: \|[^\n]*\n[^\n]*\n[^\n]*\n/,
-      '\n'
-    )
-    updated = updated.replace(
-      /\s+- name: Run real gitleaks binary verification test[\s\S]*?node tests\/gitleaks-real-binary-test\.js\n/,
-      '\n'
-    )
-
-    // 5. Simplify "Display Detection Report" to show only package manager info
-    updated = updated.replace(
-      /- name: Display Detection Report\s+run: \|[\s\S]*?echo "Has CSS files:[^"]*"/,
-      `- name: Display Detection Report
+    // Insert simplified detection report after the last setup step
+    const minimalReport = `      - name: Display Detection Report
         run: |
           echo "📊 Project Detection Results (Minimal Mode)"
           echo "Package Manager: \${{ steps.detect-pm.outputs.manager }}"
           echo "Install Command: \${{ steps.detect-pm.outputs.install-cmd }}"
           echo "Turborepo: \${{ steps.detect-pm.outputs.is-turborepo }}"
-          echo "Note: Maturity detection skipped in minimal mode for faster CI"`
-    )
+          echo "Mode goal: keep GitHub Actions usage under ~1000 min/month by default"
+          echo "Checks: detection-only in CI (tests/security/docs disabled in minimal mode)"
+          echo "Use --workflow-standard or --workflow-comprehensive to enable heavier CI checks"`
+
+    // Insert report before the "Note: Lint/format" comment that follows detect-maturity job
+    if (!updated.includes('Display Detection Report')) {
+      updated = updated.replace(
+        /(\n {2}# Note: Lint\/format jobs REMOVED)/,
+        `\n${minimalReport}\n$1`
+      )
+    }
   }
 
+  // Strip any remaining section markers from output (belt-and-suspenders)
+  // Use [ \t]* (horizontal whitespace only) — \s* would eat newlines and collapse YAML lines
+  updated = updated.replace(/[ \t]*# \{\{[A-Z_]+_(BEGIN|END)\}\}\n?/g, '')
+
   return updated
 }
 
@@ -241,6 +342,8 @@ function injectMatrix(workflowContent, enableMatrix) {
 
 module.exports = {
   detectExistingWorkflowMode,
+  detectExistingMatrix,
   injectWorkflowMode,
   injectMatrix,
+  stripSection,
 }