create-qa-architect 5.12.1 → 5.13.3

package/scripts/run-semgrep.sh

@@ -0,0 +1,244 @@
+#!/bin/bash
+# =============================================================================
+# Run Semgrep - Defensive Pattern Security Scan
+# =============================================================================
+# Runs Semgrep with defensive pattern rules. Falls back to LLM analysis
+# if Semgrep is not installed.
+#
+# Part of CS-090: Semgrep Integration for Patterns
+#
+# USAGE:
+#   ./scripts/run-semgrep.sh              # Scan current directory
+#   ./scripts/run-semgrep.sh --install    # Install semgrep
+#   ./scripts/run-semgrep.sh --ci         # CI mode (exit codes)
+#   ./scripts/run-semgrep.sh src/         # Scan specific directory
+# =============================================================================
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Configuration
+SEMGREP_CONFIG=".semgrep/defensive-patterns.yaml"
+CI_MODE=false
+INSTALL_MODE=false
+SCAN_DIR="."
+OUTPUT_FORMAT="text"
+OUTPUT_FILE=""
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --install)
+      INSTALL_MODE=true
+      shift
+      ;;
+    --ci)
+      CI_MODE=true
+      OUTPUT_FORMAT="json"
+      shift
+      ;;
+    --json)
+      OUTPUT_FORMAT="json"
+      shift
+      ;;
+    --sarif)
+      OUTPUT_FORMAT="sarif"
+      shift
+      ;;
+    --output|-o)
+      OUTPUT_FILE="$2"
+      shift 2
+      ;;
+    --config|-c)
+      SEMGREP_CONFIG="$2"
+      shift 2
+      ;;
+    --help|-h)
+      echo "Usage: run-semgrep.sh [OPTIONS] [DIRECTORY]"
+      echo ""
+      echo "Options:"
+      echo "  --install    Install semgrep via pip"
+      echo "  --ci         CI mode (json output, proper exit codes)"
+      echo "  --json       Output as JSON"
+      echo "  --sarif      Output as SARIF (for GitHub Security)"
+      echo "  --output     Write output to file"
+      echo "  --config     Custom semgrep config (default: .semgrep/defensive-patterns.yaml)"
+      echo "  --help       Show this help message"
+      echo ""
+      echo "Examples:"
+      echo "  run-semgrep.sh                     # Scan current dir"
+      echo "  run-semgrep.sh --install           # Install semgrep"
+      echo "  run-semgrep.sh --ci --output report.json"
+      exit 0
+      ;;
+    -*)
+      echo -e "${RED}Unknown option: $1${NC}"
+      exit 1
+      ;;
+    *)
+      SCAN_DIR="$1"
+      shift
+      ;;
+  esac
+done
+
+# Install semgrep if requested
+if [[ "$INSTALL_MODE" == "true" ]]; then
+  echo -e "${BLUE}Installing Semgrep...${NC}"
+
+  if command -v pip3 &> /dev/null; then
+    pip3 install semgrep
+  elif command -v pip &> /dev/null; then
+    pip install semgrep
+  elif command -v brew &> /dev/null; then
+    brew install semgrep
+  else
+    echo -e "${RED}Error: No package manager found (pip3, pip, or brew)${NC}"
+    echo "Install manually: https://semgrep.dev/docs/getting-started/"
+    exit 1
+  fi
+
+  echo -e "${GREEN}✓ Semgrep installed${NC}"
+  exit 0
+fi
+
+# Check if semgrep is installed
+check_semgrep() {
+  if ! command -v semgrep &> /dev/null; then
+    return 1
+  fi
+  return 0
+}
+
+# Find the config file
+find_config() {
+  # Check local project first
+  if [[ -f "$SEMGREP_CONFIG" ]]; then
+    echo "$SEMGREP_CONFIG"
+    return 0
+  fi
+
+  # Check claude-setup
+  local setup_config="$PROJECT_ROOT/.semgrep/defensive-patterns.yaml"
+  if [[ -f "$setup_config" ]]; then
+    echo "$setup_config"
+    return 0
+  fi
+
+  # Check home directory
+  local home_config="$HOME/.claude/.semgrep/defensive-patterns.yaml"
+  if [[ -f "$home_config" ]]; then
+    echo "$home_config"
+    return 0
+  fi
+
+  return 1
+}
+
+# Run semgrep scan
+run_semgrep() {
+  local config_path="$1"
+  local scan_path="$2"
+
+  echo -e "${BLUE}🔍 Running Semgrep Security Scan${NC}"
+  echo "═══════════════════════════════════════════════════════════"
+  echo ""
+  echo "Config: $config_path"
+  echo "Scanning: $scan_path"
+  echo ""
+
+  local semgrep_args=(
+    "--config" "$config_path"
+    "--exclude" "node_modules"
+    "--exclude" "dist"
+    "--exclude" "build"
+    "--exclude" ".next"
+    "--exclude" "coverage"
+    "--exclude" "*.min.js"
+    "--exclude" "*.bundle.js"
+  )
+
+  # Add output format
+  case "$OUTPUT_FORMAT" in
+    json)
+      semgrep_args+=("--json")
+      ;;
+    sarif)
+      semgrep_args+=("--sarif")
+      ;;
+  esac
+
+  # Add output file
+  if [[ -n "$OUTPUT_FILE" ]]; then
+    semgrep_args+=("--output" "$OUTPUT_FILE")
+  fi
+
+  # Run semgrep
+  local exit_code=0
+  semgrep "${semgrep_args[@]}" "$scan_path" || exit_code=$?
+
+  echo ""
+
+  if [[ $exit_code -eq 0 ]]; then
+    echo -e "${GREEN}✅ No security issues found${NC}"
+  elif [[ $exit_code -eq 1 ]]; then
+    echo -e "${YELLOW}⚠️  Security findings detected${NC}"
+    if [[ "$CI_MODE" == "true" ]]; then
+      echo "Review findings above and fix before merging."
+    fi
+  else
+    echo -e "${RED}❌ Semgrep scan failed (exit code: $exit_code)${NC}"
+  fi
+
+  return $exit_code
+}
+
+# Fallback LLM analysis when semgrep not available
+fallback_llm_analysis() {
+  echo -e "${YELLOW}⚠️  Semgrep not installed - using LLM-based analysis${NC}"
+  echo ""
+  echo "For faster, more reliable scans, install Semgrep:"
+  echo "  ./scripts/run-semgrep.sh --install"
+  echo ""
+  echo "Falling back to pattern-check.sh..."
+  echo ""
+
+  # Run the grep-based pattern checker
+  if [[ -f "$SCRIPT_DIR/pattern-check.sh" ]]; then
+    bash "$SCRIPT_DIR/pattern-check.sh" --all
+    return $?
+  else
+    echo -e "${RED}Error: pattern-check.sh not found${NC}"
+    return 1
+  fi
+}
+
+# Main
+main() {
+  if ! check_semgrep; then
+    fallback_llm_analysis
+    return $?
+  fi
+
+  local config_path
+  if ! config_path=$(find_config); then
+    echo -e "${RED}Error: Semgrep config not found at $SEMGREP_CONFIG${NC}"
+    echo ""
+    echo "Create .semgrep/defensive-patterns.yaml or specify with --config"
+    exit 1
+  fi
+
+  run_semgrep "$config_path" "$SCAN_DIR"
+}
+
+main

package/scripts/smart-test-strategy.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # Smart Test Strategy - create-qa-architect
 # Generated by create-qa-architect (Pro/Team/Enterprise feature)
-# https://vibebuildlab.com/qa-architect
+# https://buildproven.ai/qa-architect
 set -e
 
 echo "🧠 Analyzing changes for optimal test strategy..."

package/setup.js

@@ -125,6 +125,7 @@ const { runInteractiveFlow } = require('./lib/interactive/questions')
 const { TemplateLoader } = require('./lib/template-loader')
 const {
   detectExistingWorkflowMode,
+  detectExistingMatrix,
   injectWorkflowMode,
   injectMatrix,
 } = require('./lib/workflow-config')
@@ -693,7 +694,7 @@ Usage: npx create-qa-architect@latest [options]
 SETUP OPTIONS:
   (no args)         Run complete quality automation setup
   --interactive     Interactive mode with guided configuration prompts
-  --update          Update existing configuration
+  --update          Update existing configuration (refreshes quality.yml, preserves detected workflow tier)
   --deps            Add basic dependency monitoring (Free Tier)
   --dependency-monitoring  Same as --deps
   --ci <provider>   Select CI provider: github (default) | gitlab | circleci
@@ -701,9 +702,9 @@ SETUP OPTIONS:
   --dry-run         Preview changes without modifying files
 
 WORKFLOW TIERS (GitHub Actions optimization):
-  --workflow-minimal        Minimal CI (default) - Single Node version, weekly security
-                            ~5-10 min/commit, ~$0-5/mo for typical projects
-  --workflow-standard       Standard CI - Matrix testing on main, weekly security
+  --workflow-minimal        Minimal CI (default) - Single Node version, monthly security
+                            Budget-first mode: detection-only CI (target <1000 min/month)
+  --workflow-standard       Standard CI - Main-branch tests, monthly security
                             ~15-20 min/commit, ~$5-20/mo for typical projects
   --workflow-comprehensive  Comprehensive CI - Matrix on every push, security inline
                             ~50-100 min/commit, ~$100-350/mo for typical projects
@@ -1161,7 +1162,7 @@ HELP:
           if (!repoCheck.allowed) {
             console.error(`\n❌ ${repoCheck.reason}`)
             console.error(
-              '   Upgrade to Pro for unlimited repos: https://vibebuildlab.com/qa-architect'
+              '   Upgrade to Pro for unlimited repos: https://buildproven.ai/qa-architect'
             )
             process.exit(1)
           }
@@ -1531,7 +1532,7 @@ HELP:
           console.error(`   • Detected maturity: ${detectedMaturity}`)
           console.error(`   • Error count: ${validationResult.errors.length}`)
           console.error(
-            `   • https://github.com/vibebuildlab/qa-architect/issues/new\n`
+            `   • https://github.com/buildproven/qa-architect/issues/new\n`
           )
 
           // Don't continue - this is a bug in the tool itself
@@ -1651,6 +1652,16 @@ HELP:
           }
         }
 
+        const hasExplicitWorkflowMode =
+          isWorkflowMinimal || isWorkflowStandard || isWorkflowComprehensive
+        const existingMatrixEnabled =
+          fs.existsSync(workflowFile) &&
+          !isMatrixEnabled &&
+          !hasExplicitWorkflowMode
+            ? detectExistingMatrix(process.cwd())
+            : false
+        const matrixEnabled = isMatrixEnabled || existingMatrixEnabled
+
         if (!fs.existsSync(workflowFile)) {
           let templateWorkflow =
             templateLoader.getTemplate(
@@ -1666,7 +1677,7 @@ HELP:
           templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
 
           // Inject matrix testing if enabled (for library authors)
-          templateWorkflow = injectMatrix(templateWorkflow, isMatrixEnabled)
+          templateWorkflow = injectMatrix(templateWorkflow, matrixEnabled)
 
           // Inject collaboration steps
           templateWorkflow = injectCollaborationSteps(templateWorkflow, {
@@ -1677,50 +1688,47 @@ HELP:
           fs.writeFileSync(workflowFile, templateWorkflow)
           console.log(`✅ Added GitHub Actions workflow (${workflowMode} mode)`)
         } else if (isUpdateMode) {
-          // Update existing workflow with new mode if explicitly specified
-          if (
-            isWorkflowMinimal ||
-            isWorkflowStandard ||
-            isWorkflowComprehensive
-          ) {
-            // Load fresh template and re-inject
-            let templateWorkflow =
-              templateLoader.getTemplate(
-                templates,
-                path.join('.github', 'workflows', 'quality.yml')
-              ) ||
-              fs.readFileSync(
-                path.join(__dirname, '.github/workflows/quality.yml'),
-                'utf8'
-              )
-
-            // Inject workflow mode configuration
-            templateWorkflow = injectWorkflowMode(
-              templateWorkflow,
-              workflowMode
+          // Refresh existing workflow from the current template.
+          let templateWorkflow =
+            templateLoader.getTemplate(
+              templates,
+              path.join('.github', 'workflows', 'quality.yml')
+            ) ||
+            fs.readFileSync(
+              path.join(__dirname, '.github/workflows/quality.yml'),
+              'utf8'
             )
 
-            // Inject matrix testing if enabled (for library authors)
-            templateWorkflow = injectMatrix(templateWorkflow, isMatrixEnabled)
+          // Inject workflow mode configuration
+          templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
 
-            // Inject collaboration steps (preserve from existing if present)
-            const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
-            const hasSlackAlerts =
-              existingWorkflow.includes('SLACK_WEBHOOK_URL')
-            const hasPrComments = existingWorkflow.includes(
-              'PR_COMMENT_PLACEHOLDER'
-            )
+          // Inject matrix testing if enabled (for library authors)
+          templateWorkflow = injectMatrix(templateWorkflow, matrixEnabled)
 
-            templateWorkflow = injectCollaborationSteps(templateWorkflow, {
-              enableSlackAlerts: hasSlackAlerts,
-              enablePrComments: hasPrComments,
-            })
+          // Inject collaboration steps (preserve from existing if present)
+          const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
+          const hasSlackAlerts = existingWorkflow.includes('SLACK_WEBHOOK_URL')
+          const hasPrComments = existingWorkflow.includes(
+            'PR_COMMENT_PLACEHOLDER'
+          )
 
-            fs.writeFileSync(workflowFile, templateWorkflow)
+          templateWorkflow = injectCollaborationSteps(templateWorkflow, {
+            enableSlackAlerts: hasSlackAlerts,
+            enablePrComments: hasPrComments,
+          })
+
+          fs.writeFileSync(workflowFile, templateWorkflow)
+          if (workflowMode === 'minimal') {
             console.log(
-              `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+              '⚠️  Minimal mode disables tests and security scans in CI (detection-only).'
+            )
+            console.log(
+              '   Use --workflow-standard to re-enable full CI checks.'
             )
           }
+          console.log(
+            `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+          )
         }
       }
 
@@ -1910,8 +1918,26 @@ const fs = require('fs')
 const path = require('path')
 const os = require('os')
 
-const licenseDir =
+function validateLicenseDir(dirPath) {
+  const resolved = path.resolve(dirPath)
+  const home = os.homedir()
+  const tmp = os.tmpdir()
+  const isInHome = resolved.startsWith(home + path.sep) || resolved === home
+  const isInTmp = resolved.startsWith(tmp + path.sep) || resolved === tmp
+
+  if (!isInHome && !isInTmp) {
+    console.warn(
+      '⚠️  QAA_LICENSE_DIR must be within home or temp directory, ignoring: ' + dirPath
+    )
+    return path.join(home, '.create-qa-architect')
+  }
+
+  return resolved
+}
+
+const requestedLicenseDir =
   process.env.QAA_LICENSE_DIR || path.join(os.homedir(), '.create-qa-architect')
+const licenseDir = validateLicenseDir(requestedLicenseDir)
 const licenseFile = path.join(licenseDir, 'license.json')
 const usageFile = path.join(licenseDir, 'usage.json')
 const now = new Date()
@@ -1948,7 +1974,7 @@ try {
 const CAP = 50
 if (usage.prePushRuns >= CAP) {
 console.error('❌ Free tier limit reached: ' + usage.prePushRuns + '/' + CAP + ' pre-push runs this month')
-  console.error('   Upgrade to Pro, Team, or Enterprise: https://vibebuildlab.com/qa-architect')
+  console.error('   Upgrade to Pro, Team, or Enterprise: https://buildproven.ai/qa-architect')
   process.exit(1)
 }
 
@@ -2167,32 +2193,6 @@ echo "✅ Pre-push validation passed!"
                 : '✅ Added Shell CI GitHub Actions workflow'
             )
           }
-
-          // Copy/update Shell Quality workflow
-          const shellQualityWorkflowFile = path.join(
-            githubWorkflowDir,
-            'shell-quality.yml'
-          )
-          if (!fs.existsSync(shellQualityWorkflowFile) || isUpdateMode) {
-            const templateShellQualityWorkflow =
-              templateLoader.getTemplate(
-                templates,
-                path.join('config', 'shell-quality.yml')
-              ) ||
-              fs.readFileSync(
-                path.join(__dirname, 'config/shell-quality.yml'),
-                'utf8'
-              )
-            fs.writeFileSync(
-              shellQualityWorkflowFile,
-              templateShellQualityWorkflow
-            )
-            console.log(
-              isUpdateMode
-                ? '🔄 Updated Shell Quality GitHub Actions workflow'
-                : '✅ Added Shell Quality GitHub Actions workflow'
-            )
-          }
         }
 
         // Create a basic README if it doesn't exist
@@ -2250,6 +2250,54 @@ Quality checks are automated via GitHub Actions:
             fs.unlinkSync(shellQualityWf)
             staleWorkflows.push('shell-quality.yml')
           }
+        } else {
+          // Consolidate shell CI into a single workflow to avoid duplicate runs.
+          const shellQualityWf = path.join(
+            githubWorkflowDir,
+            'shell-quality.yml'
+          )
+          if (fs.existsSync(shellQualityWf)) {
+            fs.unlinkSync(shellQualityWf)
+            staleWorkflows.push('shell-quality.yml')
+          }
+        }
+
+        // Remove known duplicate CI workflow names that overlap quality.yml,
+        // but ONLY if they were generated by qa-architect (contain a marker).
+        const duplicateCiWorkflows = [
+          'ci.yml',
+          'ci.yaml',
+          'test.yml',
+          'test.yaml',
+          'tests.yml',
+          'tests.yaml',
+          'quality-legacy.yml',
+          'quality-legacy.yaml',
+        ]
+        const skippedWorkflows = []
+        for (const duplicateName of duplicateCiWorkflows) {
+          const duplicatePath = path.join(githubWorkflowDir, duplicateName)
+          if (fs.existsSync(duplicatePath)) {
+            const content = fs.readFileSync(duplicatePath, 'utf8')
+            const isQaaGenerated =
+              content.includes('create-qa-architect') ||
+              content.includes('qa-architect') ||
+              content.includes('WORKFLOW_MODE:')
+            if (isQaaGenerated) {
+              fs.unlinkSync(duplicatePath)
+              staleWorkflows.push(duplicateName)
+            } else {
+              skippedWorkflows.push(duplicateName)
+            }
+          }
+        }
+        if (skippedWorkflows.length > 0) {
+          console.log(
+            `⚠️  Found potential duplicate workflows: ${skippedWorkflows.join(', ')}`
+          )
+          console.log(
+            '   These were not created by qa-architect — review manually and remove if redundant with quality.yml'
+          )
         }
         if (staleWorkflows.length > 0) {
           console.log(

package/templates/CLAUDE_WORKFLOW_POLICY.md

@@ -2,7 +2,7 @@
 
 ## ⚠️ CRITICAL: Do Not Create Additional Workflows
 
-This project uses **qa-architect** for quality automation with **minimal workflow mode** (~$0-5/mo).
+This project uses **qa-architect** for quality automation with **minimal workflow mode** (budget-first: <1000 min/month target).
 
 ### What This Means for AI Assistants (Claude, Copilot, etc.)
 
@@ -25,13 +25,13 @@ This project uses **qa-architect** for quality automation with **minimal workflo
 
 - **Mode:** Minimal (~$0-5/mo per project)
 - **Path filters:** Skip docs/config changes (60% fewer runs)
-- **Security:** Weekly schedule (not every commit)
+- **Security:** Monthly schedule (not every commit)
 - **Node version:** Single version (22)
 
 ### Why This Matters
 
 - **Cost control:** Prevents $20-350/mo per-project bloat
-- **Efficiency:** Path filters + weekly security = 60-90% CI savings
+- **Efficiency:** Path filters + monthly security = 60-90% CI savings
 - **Standards:** Consistent automation across all projects
 
 ### Upgrading CI (User Decision Only)

package/templates/scripts/smart-test-strategy.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # Smart Test Strategy - {{PROJECT_NAME}}
 # Generated by create-qa-architect (Pro/Team/Enterprise feature)
-# https://vibebuildlab.com/qa-architect
+# https://buildproven.ai/qa-architect
 set -e
 
 echo "🧠 Analyzing changes for optimal test strategy..."

package/.github/workflows/auto-release.yml

@@ -1,39 +0,0 @@
-name: Auto Release
-
-on:
-  push:
-    tags:
-      - 'v*'
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Get previous tag
-        id: prev_tag
-        run: |
-          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
-          echo "tag=$PREV_TAG" >> $GITHUB_OUTPUT
-
-      - name: Generate release notes
-        run: |
-          TAG=${GITHUB_REF#refs/tags/}
-          PREV_TAG=${{ steps.prev_tag.outputs.tag }}
-          if [ -n "$PREV_TAG" ]; then
-            echo "## Changes since $PREV_TAG" > notes.md
-            git log ${PREV_TAG}..${TAG} --pretty=format:"- %s" >> notes.md
-            echo -e "\n\n**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${TAG}" >> notes.md
-          else
-            echo "Initial release" > notes.md
-          fi
-
-      - uses: softprops/action-gh-release@v2
-        with:
-          body_path: notes.md