create-qa-architect 5.12.1 → 5.13.3

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "create-qa-architect",
-  "version": "5.12.1",
+  "version": "5.13.3",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
-    "create-qa-architect": "./setup.js"
+    "create-qa-architect": "setup.js"
   },
   "scripts": {
     "prepare": "[ \"$CI\" = \"true\" ] && echo 'Skipping Husky in CI' || husky",
@@ -20,7 +20,7 @@
     "validate:comprehensive": "node setup.js --comprehensive --no-markdownlint",
     "validate:all": "npm run validate:comprehensive && npm run security:audit",
     "validate:pre-push": "npm run test:patterns --if-present && npm run lint && npm run format:check && npm run test:commands --if-present && npm test --if-present",
-    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js",
+    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js",
     "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js",
     "test:fast": "npm run test:unit",
     "test:medium": "npm run test:fast && npm run test:patterns && npm run test:commands",
@@ -28,7 +28,7 @@
     "test:comprehensive": "npm run test:patterns && npm test && npm run test:commands && npm run test:e2e && npm run security:audit",
     "test:real-binary": "RUN_REAL_BINARY_TEST=1 node tests/gitleaks-real-binary-test.js",
     "test:commands": "export QAA_DEVELOPER=true && node tests/command-execution.test.js",
-    "test:patterns": "node scripts/validate-command-patterns.js",
+    "test:patterns": "bash scripts/pattern-check.sh --all",
     "test:coverage": "c8 --reporter=html --reporter=text --reporter=lcov npm test",
     "test:e2e": "export QAA_DEVELOPER=true && bash scripts/test-e2e-package.sh",
     "test:all": "npm run test:patterns && npm test && npm run test:commands && npm run test:e2e",
@@ -52,7 +52,13 @@
     "size:why": "size-limit --why",
     "test:a11y": "vitest run tests/accessibility.test.js",
     "test:coverage:check": "vitest run --coverage --coverage.thresholds.lines=70 --coverage.thresholds.functions=70",
-    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests"
+    "test:changed": "vitest run --changed HEAD~1 --passWithNoTests",
+    "dead-code": "knip --no-exit-code || echo \"Dead code found (non-blocking)\"",
+    "dead-code:strict": "knip",
+    "pattern-check": "bash scripts/pattern-check.sh",
+    "security:scan": "bash scripts/run-semgrep.sh",
+    "security:scan:ci": "bash scripts/run-semgrep.sh --ci",
+    "license:check": "license-checker --onlyAllow \"MIT;ISC;BSD-2-Clause;BSD-3-Clause;Apache-2.0;0BSD;BlueOak-1.0.0;CC0-1.0;CC-BY-3.0;CC-BY-4.0;Unlicense;Python-2.0;MPL-2.0\" --excludePrivatePackages"
   },
   "keywords": [
     "qa-architect",
@@ -74,7 +80,7 @@
     "dependency-monitoring",
     "security-audit"
   ],
-  "author": "Brett Stark",
+  "author": "BuildProven",
   "license": "SEE LICENSE IN LICENSE",
   "files": [
     "setup.js",
@@ -98,12 +104,12 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/vibebuildlab/qa-architect.git"
+    "url": "git+https://github.com/buildproven/qa-architect.git"
   },
   "bugs": {
-    "url": "https://github.com/vibebuildlab/qa-architect/issues"
+    "url": "https://github.com/buildproven/qa-architect/issues"
   },
-  "homepage": "https://vibebuildlab.com/qa-architect",
+  "homepage": "https://buildproven.ai/qa-architect",
   "engines": {
     "node": ">=20"
   },
@@ -118,28 +124,33 @@
     }
   },
   "devDependencies": {
+    "@commitlint/cli": "^19.0.0",
+    "@commitlint/config-conventional": "^19.0.0",
+    "@lhci/cli": "^0.15.1",
+    "@size-limit/file": "^11.0.0",
     "@types/node": "^25",
+    "@typescript-eslint/eslint-plugin": "^8.9.0",
+    "@typescript-eslint/parser": "^8.9.0",
+    "@vercel/blob": "^2.2.0",
+    "@vitest/coverage-v8": "^2.1.8",
     "actionlint": "^2.0.6",
-    "typescript": "^5",
+    "axe-core": "^4.10.0",
     "c8": "^10.1.2",
+    "commitlint": "^20.4.1",
     "eslint": "^9.39.2",
+    "eslint-plugin-n": "^17.24.0",
     "eslint-plugin-security": "^3.0.1",
     "globals": "^15.9.0",
     "husky": "^9.1.4",
+    "knip": "^6.0.1",
+    "license-checker": "^25.0.1",
     "lint-staged": "^15.2.10",
     "prettier": "^3.8.0",
+    "size-limit": "^11.0.0",
     "stylelint": "^16.26.1",
     "stylelint-config-standard": "^37.0.0",
-    "@lhci/cli": "^0.15.1",
-    "vitest": "^2.1.8",
-    "@vitest/coverage-v8": "^2.1.8",
-    "@typescript-eslint/eslint-plugin": "^8.9.0",
-    "@typescript-eslint/parser": "^8.9.0",
-    "size-limit": "^11.0.0",
-    "@size-limit/file": "^11.0.0",
-    "@commitlint/cli": "^19.0.0",
-    "@commitlint/config-conventional": "^19.0.0",
-    "axe-core": "^4.10.0"
+    "typescript": "^5",
+    "vitest": "^2.1.8"
   },
   "volta": {
     "node": "20.11.1",
@@ -185,11 +196,20 @@
     ],
     "**/*.{ts,tsx}": [
       "eslint --fix",
-      "prettier --write"
+      "prettier --write",
+      "tsc --noEmit --skipLibCheck"
     ],
     "tests/**/*.{ts,tsx,js,jsx}": [
       "eslint --fix",
       "prettier --write"
+    ],
+    "**/*.{js,jsx,ts,tsx,mjs,cjs,html}": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "**/*.{js,jsx,mjs,cjs,html}": [
+      "eslint --fix",
+      "prettier --write"
     ]
   },
   "dependencies": {
@@ -197,8 +217,18 @@
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli2": "^0.20.0",
+    "markdownlint-cli2": "^0.21.0",
     "ora": "^8.1.1",
     "tar": "^7.5.7"
-  }
+  },
+  "size-limit": [
+    {
+      "path": "dist/**/*.js",
+      "limit": "250 kB"
+    },
+    {
+      "path": "dist/**/*.css",
+      "limit": "50 kB"
+    }
+  ]
 }

package/scripts/deploy-consumers.sh

@@ -0,0 +1,369 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# deploy-consumers.sh — Auto-discover and update ALL consumer repos with staged rollout
+#
+# Usage:
+#   ./scripts/deploy-consumers.sh                      # Dry run (validate only)
+#   ./scripts/deploy-consumers.sh --canary-only --push # Deploy ONLY to canary, wait for CI
+#   ./scripts/deploy-consumers.sh --push               # Full rollout: canary first, then rest
+#   ./scripts/deploy-consumers.sh --skip-canary --push # Emergency: bypass canary (use with caution)
+#
+# Staged Rollout Process:
+#   1. Deploy to canary repo (buildproven) first
+#   2. Wait for CI to complete on canary (up to 10 minutes)
+#   3. If CI passes, deploy to remaining repos
+#   4. If CI fails, abort rollout (prevents cascading failures)
+#
+# Auto-discovers repos by scanning ~/Projects for .github/workflows/quality.yml
+# files that contain the WORKFLOW_MODE marker from qa-architect.
+
+PROJECTS_DIR="$HOME/Projects"
+QA_ARCHITECT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+CANARY_REPO="buildproven"
+PUSH=false
+TIER="minimal"
+VERBOSE=false
+CANARY_ONLY=false
+SKIP_CANARY=false
+CI_TIMEOUT=600  # 10 minutes in seconds
+CI_POLL_INTERVAL=15  # Check every 15 seconds
+
+# Parse args
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --push) PUSH=true; shift ;;
+    --tier) TIER="$2"; shift 2 ;;
+    --verbose) VERBOSE=true; shift ;;
+    --canary-only) CANARY_ONLY=true; shift ;;
+    --skip-canary) SKIP_CANARY=true; shift ;;
+    --help|-h)
+      cat <<EOF
+Usage: deploy-consumers.sh [OPTIONS]
+
+OPTIONS:
+  --push            Commit and push changes (default: dry run)
+  --canary-only     Deploy ONLY to canary repo, wait for CI green
+  --skip-canary     Skip canary validation (emergency use only)
+  --tier <tier>     Workflow tier to apply (default: minimal)
+  --verbose         Show detailed output
+  --help, -h        Show this help
+
+STAGED ROLLOUT:
+  Default behavior (--push):
+    1. Deploy to canary (buildproven)
+    2. Wait for CI to pass (up to 10 minutes)
+    3. Deploy to remaining repos
+
+  Canary-only mode (--canary-only --push):
+    Deploy to canary only, validate CI passes
+
+  Skip canary (--skip-canary --push):
+    Deploy to all repos simultaneously (emergency only)
+
+EXAMPLES:
+  # Dry run (no changes)
+  ./scripts/deploy-consumers.sh
+
+  # Canary validation
+  ./scripts/deploy-consumers.sh --canary-only --push
+
+  # Full rollout (staged)
+  ./scripts/deploy-consumers.sh --push
+
+  # Emergency bypass (use with caution)
+  ./scripts/deploy-consumers.sh --skip-canary --push
+EOF
+      exit 0
+      ;;
+    *) echo "Unknown option: $1"; exit 1 ;;
+  esac
+done
+
+echo "=== QA Architect Consumer Deployment ==="
+echo "Mode: $([ "$PUSH" = true ] && echo "PUSH (will commit + push)" || echo "DRY RUN (validate only)")"
+echo "Tier: $TIER"
+echo "Canary repo: $CANARY_REPO"
+if [ "$CANARY_ONLY" = true ]; then
+  echo "⚠️  CANARY-ONLY mode: will deploy to $CANARY_REPO only"
+elif [ "$SKIP_CANARY" = true ]; then
+  echo "⚠️  SKIP-CANARY mode: bypassing canary validation (emergency use)"
+else
+  echo "Staged rollout: canary first, then remaining repos"
+fi
+echo ""
+
+# Discover consumer repos: any repo with quality.yml containing WORKFLOW_MODE marker
+# Excludes qa-architect itself
+CONSUMERS=()
+CANARY_DIR=""
+for workflow in "$PROJECTS_DIR"/*/".github/workflows/quality.yml"; do
+  [ -f "$workflow" ] || continue
+  repo_dir="$(dirname "$(dirname "$(dirname "$workflow")")")"
+  repo_name="$(basename "$repo_dir")"
+
+  # Skip qa-architect itself (compare basenames to avoid case/symlink issues)
+  [ "$(basename "$repo_dir")" = "$(basename "$QA_ARCHITECT_DIR")" ] && continue
+
+  # Check for WORKFLOW_MODE marker (proves it was generated by qa-architect)
+  if grep -q "WORKFLOW_MODE:" "$workflow" 2>/dev/null; then
+    if [ "$repo_name" = "$CANARY_REPO" ]; then
+      CANARY_DIR="$repo_dir"
+    else
+      CONSUMERS+=("$repo_dir")
+    fi
+  fi
+done
+
+# Ensure canary was found
+if [ -z "$CANARY_DIR" ]; then
+  echo "❌ ERROR: Canary repo '$CANARY_REPO' not found or doesn't have WORKFLOW_MODE marker"
+  exit 1
+fi
+
+# In canary-only mode, only process canary
+if [ "$CANARY_ONLY" = true ]; then
+  echo "Canary-only mode: processing $CANARY_REPO only"
+  CONSUMERS=()
+else
+  echo "Discovered canary repo: $CANARY_REPO"
+  echo "Discovered ${#CONSUMERS[@]} additional consumer repos:"
+  for dir in "${CONSUMERS[@]}"; do
+    echo "  - $(basename "$dir")"
+  done
+fi
+echo ""
+
+# Function to wait for CI to complete on a repo
+# Args: $1 = repo_dir, $2 = repo_name
+wait_for_ci() {
+  local repo_dir="$1"
+  local repo_name="$2"
+
+  echo "  Waiting for CI to complete on $repo_name..."
+
+  # Check if gh CLI is installed
+  if ! command -v gh &>/dev/null; then
+    echo "  ⚠️  WARNING: gh CLI not installed, cannot check CI status"
+    echo "  Install with: brew install gh"
+    echo "  Proceeding without CI validation..."
+    return 0
+  fi
+
+  # Get the repo owner/name for gh CLI
+  local remote_url
+  remote_url=$(cd "$repo_dir" && git remote get-url origin 2>/dev/null || echo "")
+  if [ -z "$remote_url" ]; then
+    echo "  ⚠️  WARNING: No git remote found, cannot check CI status"
+    return 0
+  fi
+
+  # Extract owner/repo from URL (handles both HTTPS and SSH)
+  local repo_slug
+  repo_slug=$(echo "$remote_url" | sed -E 's|^.*[:/]([^/]+/[^/]+)(\.git)?$|\1|')
+
+  # Get the current branch
+  local branch
+  branch=$(cd "$repo_dir" && git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "main")
+
+  echo "  Checking CI status for $repo_slug on branch $branch..."
+
+  local elapsed=0
+  local status=""
+
+  while [ $elapsed -lt $CI_TIMEOUT ]; do
+    # Get latest workflow run status for quality.yml on this branch
+    status=$(gh run list --repo "$repo_slug" --workflow quality.yml --branch "$branch" --limit 1 --json status,conclusion --jq '.[0].status + ":" + (.[0].conclusion // "")' 2>/dev/null || echo "")
+
+    if [ -z "$status" ]; then
+      echo "  ⚠️  No CI runs found yet (elapsed: ${elapsed}s)"
+    elif [[ "$status" == "completed:success" ]]; then
+      echo "  ✅ CI PASSED on $repo_name (elapsed: ${elapsed}s)"
+      return 0
+    elif [[ "$status" == "completed:failure" ]] || [[ "$status" == "completed:cancelled" ]]; then
+      echo "  ❌ CI FAILED on $repo_name (status: $status)"
+      return 1
+    else
+      echo "  ⏳ CI in progress on $repo_name (status: $status, elapsed: ${elapsed}s)"
+    fi
+
+    sleep $CI_POLL_INTERVAL
+    elapsed=$((elapsed + CI_POLL_INTERVAL))
+  done
+
+  echo "  ⏰ TIMEOUT: CI did not complete within ${CI_TIMEOUT}s"
+  return 1
+}
+
+# Function to deploy to a single repo
+# Args: $1 = repo_dir, $2 = is_canary (true/false)
+deploy_to_repo() {
+  local repo_dir="$1"
+  local is_canary="${2:-false}"
+  local repo_name="$(basename "$repo_dir")"
+
+  echo "--- $repo_name $([ "$is_canary" = true ] && echo "(CANARY)" || echo "") ---"
+
+  # Check if repo has package.json (needed for npx)
+  if [ ! -f "$repo_dir/package.json" ]; then
+    echo "  SKIP: No package.json"
+    return 2  # Return code 2 = skipped
+  fi
+
+  # Detect the existing tier from the workflow
+  local existing_tier="$TIER"
+  if grep -q "WORKFLOW_MODE: standard" "$repo_dir/.github/workflows/quality.yml" 2>/dev/null; then
+    existing_tier="standard"
+  elif grep -q "WORKFLOW_MODE: comprehensive" "$repo_dir/.github/workflows/quality.yml" 2>/dev/null; then
+    existing_tier="comprehensive"
+  elif grep -q "WORKFLOW_MODE: minimal" "$repo_dir/.github/workflows/quality.yml" 2>/dev/null; then
+    existing_tier="minimal"
+  fi
+
+  # Regenerate workflow (must cd to consumer dir — setup.js uses process.cwd())
+  echo "  Regenerating workflow (tier: $existing_tier)..."
+  if (cd "$repo_dir" && QAA_DEVELOPER=true node "$QA_ARCHITECT_DIR/setup.js" --update "--workflow-${existing_tier}" \
+    2>&1 | { [ "$VERBOSE" = true ] && cat || tail -1; }); then
+    :
+  else
+    echo "  FAIL: Workflow generation failed"
+    return 1
+  fi
+
+  local workflow_file="$repo_dir/.github/workflows/quality.yml"
+
+  # Validate: no node_modules/create-qa-architect references
+  if grep -q "node_modules/create-qa-architect" "$workflow_file"; then
+    echo "  FAIL: Contains node_modules/create-qa-architect references"
+    return 1
+  fi
+
+  # Validate: no section markers leaked
+  if grep -qE '\{\{(QA_ARCHITECT_ONLY|FULL_DETECTION|FULL_REPORT)_(BEGIN|END)\}\}' "$workflow_file"; then
+    echo "  FAIL: Contains section markers"
+    return 1
+  fi
+
+  # Validate: valid YAML (requires node + js-yaml)
+  if ! node -e "require('$QA_ARCHITECT_DIR/node_modules/js-yaml').load(require('fs').readFileSync('$workflow_file','utf8'))" 2>/dev/null; then
+    echo "  FAIL: Invalid YAML"
+    return 1
+  fi
+
+  # Remove stale devDep if present
+  if grep -q '"create-qa-architect"' "$repo_dir/package.json" 2>/dev/null; then
+    echo "  Removing stale create-qa-architect devDependency..."
+    if [ "$PUSH" = true ]; then
+      (cd "$repo_dir" && npm uninstall create-qa-architect 2>/dev/null || true)
+    else
+      echo "  (dry run - would remove devDep)"
+    fi
+  fi
+
+  echo "  PASS: Validated"
+
+  # Commit and push if --push
+  if [ "$PUSH" = true ]; then
+    (
+      cd "$repo_dir"
+      if git diff --quiet .github/workflows/quality.yml package.json 2>/dev/null; then
+        echo "  No changes to commit"
+      else
+        git add .github/workflows/quality.yml package.json package-lock.json 2>/dev/null || true
+        git commit -m "chore: regenerate qa-architect workflow (${existing_tier} tier)
+
+Staged rollout: $([ "$is_canary" = true ] && echo "canary deployment" || echo "validated via canary")
+Fixes node_modules/create-qa-architect fallback paths.
+Consumers use npx create-qa-architect@latest instead of devDep." 2>/dev/null || true
+        git push 2>/dev/null && echo "  Pushed" || echo "  Push failed (check remote)"
+      fi
+    )
+  fi
+
+  echo ""
+  return 0
+}
+
+# Validation counters
+PASS=0
+FAIL=0
+SKIPPED=0
+
+# STAGE 1: Deploy to canary (unless --skip-canary)
+if [ "$SKIP_CANARY" = false ]; then
+  echo "=== STAGE 1: Canary Deployment ==="
+  echo ""
+
+  if deploy_to_repo "$CANARY_DIR" true; then
+    PASS=$((PASS + 1))
+
+    # Wait for CI if in push mode
+    if [ "$PUSH" = true ]; then
+      if ! wait_for_ci "$CANARY_DIR" "$CANARY_REPO"; then
+        echo ""
+        echo "❌ ROLLOUT ABORTED: Canary CI failed or timed out"
+        echo "   Fix the issue on $CANARY_REPO before rolling out to other repos"
+        exit 1
+      fi
+    fi
+  else
+    ret=$?
+    if [ $ret -eq 2 ]; then
+      SKIPPED=$((SKIPPED + 1))
+    else
+      FAIL=$((FAIL + 1))
+      echo ""
+      echo "❌ ROLLOUT ABORTED: Canary deployment failed"
+      exit 1
+    fi
+  fi
+
+  echo ""
+  echo "✅ Canary deployment successful"
+  echo ""
+fi
+
+# Exit early if canary-only mode
+if [ "$CANARY_ONLY" = true ]; then
+  echo "=== Summary (Canary-Only) ==="
+  echo "  Pass: $PASS"
+  echo "  Fail: $FAIL"
+  echo "  Skipped: $SKIPPED"
+  echo ""
+  echo "✅ Canary deployment complete. Review CI results before full rollout."
+  exit 0
+fi
+
+# STAGE 2: Deploy to remaining repos
+if [ ${#CONSUMERS[@]} -gt 0 ]; then
+  echo "=== STAGE 2: Remaining Repos Deployment ==="
+  echo ""
+
+  for repo_dir in "${CONSUMERS[@]}"; do
+    if deploy_to_repo "$repo_dir" false; then
+      PASS=$((PASS + 1))
+    else
+      ret=$?
+      if [ $ret -eq 2 ]; then
+        SKIPPED=$((SKIPPED + 1))
+      else
+        FAIL=$((FAIL + 1))
+      fi
+    fi
+  done
+fi
+
+echo "=== Summary ==="
+echo "  Pass: $PASS"
+echo "  Fail: $FAIL"
+echo "  Skipped: $SKIPPED"
+echo "  Total: $((${#CONSUMERS[@]} + 1))"  # +1 for canary
+
+if [ "$FAIL" -gt 0 ]; then
+  echo ""
+  echo "⚠️  Some repos failed validation. Review output above."
+  exit 1
+fi
+
+echo ""
+echo "✅ Deployment complete!"