create-qa-architect 5.13.2 → 5.13.3

package/LICENSE

@@ -1,11 +1,11 @@
 VIBE BUILD LAB COMMERCIAL LICENSE
 
-Copyright (c) 2025 Vibe Build Lab LLC. All rights reserved.
+Copyright (c) 2025 BuildProven. All rights reserved.
 
 COMMERCIAL SOFTWARE - FREEMIUM MODEL
 
 This software and associated documentation files (the "Software") are
-proprietary commercial products of Vibe Build Lab LLC.
+proprietary commercial products of BuildProven.
 
 TERMS OF USE:
 
@@ -62,5 +62,5 @@ For licensing inquiries: support@buildproven.ai
 
 ---
 
-Vibe Build Lab LLC (d/b/a BuildProven)
+BuildProven
 https://buildproven.ai

package/README.md

@@ -7,7 +7,7 @@ Quality automation CLI for JavaScript/TypeScript, Python, and shell script proje
 ---
 
 > **Maintainer & Ownership**
-> This project is maintained by **Vibe Build Lab LLC (d/b/a BuildProven)**, a studio focused on AI-assisted product development, micro-SaaS, and "vibe coding" workflows for solo founders and small teams.
+> This project is maintained by **BuildProven**, a studio focused on AI-assisted product development, micro-SaaS, and "vibe coding" workflows for solo founders and small teams.
 > Learn more at **https://buildproven.ai**.
 
 ---
@@ -158,7 +158,7 @@ npx create-qa-architect@latest --workflow-minimal
 
 **Best for:** Small teams, client projects, production apps
 
-- Matrix testing (Node 20 + 22) **only on main branch**
+- Single Node 22 testing **only on main branch**
 - Security scans run monthly
 - Path filters enabled
 - **Runtime:** ~15-20 min/commit
@@ -276,6 +276,8 @@ npm install
 npm run lint
 ```
 
+`--update` refreshes the existing `quality.yml` from the latest template while preserving the detected workflow tier and existing matrix setting unless you explicitly override the tier with `--workflow-minimal`, `--workflow-standard`, or `--workflow-comprehensive`.
+
 ### Dependency Monitoring (Free)
 
 ```bash
@@ -453,4 +455,4 @@ Commercial freemium license — the base CLI is free to use; Pro features requir
 
 ---
 
-> **Vibe Build Lab LLC (d/b/a BuildProven)** · [buildproven.ai](https://buildproven.ai)
+> **BuildProven** · [buildproven.ai](https://buildproven.ai)

package/config/defaults.js

@@ -19,7 +19,7 @@ const baseScripts = {
   'test:coverage': 'vitest run --coverage',
   'test:changed': 'vitest run --changed HEAD~1 --passWithNoTests',
   'security:audit':
-    '[ -f pnpm-lock.yaml ] && pnpm audit --audit-level high || [ -f yarn.lock ] && yarn audit || npm audit --audit-level high',
+    'if [ -f pnpm-lock.yaml ]; then pnpm audit --audit-level high; elif [ -f yarn.lock ]; then yarn audit; else npm audit --audit-level high; fi',
   'security:secrets':
     "node -e \"const fs=require('fs');const content=fs.readFileSync('package.json','utf8');if(/[\\\"\\'][a-zA-Z0-9+/]{20,}[\\\"\\']/.test(content)){console.error('❌ Potential hardcoded secrets in package.json');process.exit(1)}else{console.log('✅ No secrets detected in package.json')}\"",
   'security:config': 'npx create-qa-architect@latest --security-config',
@@ -28,8 +28,7 @@ const baseScripts = {
   'validate:docs': 'npx create-qa-architect@latest --validate-docs',
   'validate:comprehensive': 'npx create-qa-architect@latest --comprehensive',
   'validate:all': 'npm run validate:comprehensive && npm run security:audit',
-  'validate:pre-push':
-    'npm run test:patterns --if-present && npm run test:commands --if-present && npm run test:changed --if-present || npm test --if-present',
+  'validate:pre-push': `npm run test:patterns --if-present && npm run test:commands --if-present && if node -e "const pkg=require('./package.json');process.exit(pkg.scripts&&pkg.scripts['test:changed']?0:1)" 2>/dev/null; then npm run test:changed; else npm test --if-present; fi`,
 }
 
 const normalizeStylelintTargets = stylelintTargets => {

package/lib/license-validator.js

@@ -691,4 +691,4 @@ class LicenseValidator {
   }
 }
 
-module.exports = { LicenseValidator }
+module.exports = { LicenseValidator, validateLicenseDir }

package/lib/licensing.js

@@ -16,15 +16,16 @@ const {
   verifyPayload,
   loadKeyFromEnv,
 } = require('./license-signing')
+const { validateLicenseDir } = require('./license-validator')
 
 // License storage locations
 // Support environment variable override for testing (like telemetry/error-reporter)
 // Use getter functions to allow env override before module load
 function getLicenseDir() {
-  return (
+  const requestedDir =
     process.env.QAA_LICENSE_DIR ||
     path.join(os.homedir(), '.create-qa-architect')
-  )
+  return validateLicenseDir(requestedDir)
 }
 
 function getLicenseFile() {
@@ -586,10 +587,7 @@ async function addLegitimateKey(
     }
 
     const normalizedKey = normalizeLicenseKey(licenseKey)
-    // Use the same license directory as the CLI
-    const licenseDir =
-      process.env.QAA_LICENSE_DIR ||
-      path.join(os.homedir(), '.create-qa-architect')
+    const licenseDir = getLicenseDir()
     const legitimateDBFile = path.join(licenseDir, 'legitimate-licenses.json')
     const privateKey = loadKeyFromEnv(
       process.env.LICENSE_REGISTRY_PRIVATE_KEY,

package/lib/workflow-config.js

@@ -65,6 +65,37 @@ function detectExistingWorkflowMode(projectPath) {
   }
 }
 
+/**
+ * Detect whether matrix testing is enabled in an existing workflow.
+ * @param {string} projectPath - Path to project
+ * @returns {boolean} True when matrix testing is enabled
+ */
+function detectExistingMatrix(projectPath) {
+  const workflowPath = path.join(
+    projectPath,
+    '.github',
+    'workflows',
+    'quality.yml'
+  )
+
+  if (!fs.existsSync(workflowPath)) {
+    return false
+  }
+
+  try {
+    const content = fs.readFileSync(workflowPath, 'utf8')
+    return (
+      content.includes('# MATRIX_ENABLED: true') ||
+      content.includes('node-version: [20, 22]')
+    )
+  } catch (error) {
+    console.warn(
+      `⚠️  Could not detect existing matrix configuration: ${error.message}`
+    )
+    return false
+  }
+}
+
 /**
  * Strip a named section from workflow content.
  * Removes everything between # {{NAME_BEGIN}} and # {{NAME_END}} markers (inclusive).
@@ -135,6 +166,39 @@ function removeTriggerPathsIgnore(content, triggerName) {
   return output.join('\n')
 }
 
+/**
+ * Restrict the tests job to main branch pushes in standard mode.
+ * @param {string} content - Workflow content
+ * @returns {string} Updated content
+ */
+function addStandardTestsBranchGate(content) {
+  const lines = content.split('\n')
+  const output = []
+  let inTestsJob = false
+  let branchGateInserted = false
+
+  for (const line of lines) {
+    if (line === '  tests:') {
+      inTestsJob = true
+    } else if (
+      inTestsJob &&
+      line.startsWith('  ') &&
+      !line.startsWith('    ')
+    ) {
+      inTestsJob = false
+    }
+
+    output.push(line)
+
+    if (inTestsJob && line === '    if: |' && !branchGateInserted) {
+      output.push("      github.ref == 'refs/heads/main' &&")
+      branchGateInserted = true
+    }
+  }
+
+  return output.join('\n')
+}
+
 /**
  * Inject workflow mode-specific configuration into quality.yml
  * Uses section markers (# {{SECTION_BEGIN/END}}) for reliable content removal
@@ -162,19 +226,13 @@ function injectWorkflowMode(workflowContent, mode) {
 
   // Mode-specific transformations
   if (mode === 'standard') {
-    // Standard: Add main branch condition to tests job
+    // Standard: run tests on main only to keep CI costs bounded.
     if (
-      updated.includes('tests:') &&
-      updated.includes('fromJSON(needs.detect-maturity.outputs.test-count)')
+      updated.includes('  tests:') &&
+      updated.includes('    if: |') &&
+      !updated.includes("github.ref == 'refs/heads/main'")
     ) {
-      updated = updated.replace(
-        /(tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+if: \|\s*\n\s+)fromJSON\(needs\.detect-maturity\.outputs\.test-count\)/,
-        "$1github.ref == 'refs/heads/main' &&\n      fromJSON(needs.detect-maturity.outputs.test-count)"
-      )
-      updated = updated.replace(
-        /(\s+tests:\s+runs-on:[^\n]+\s+needs:[^\n]+\s+)if: fromJSON\(needs\.detect-maturity\.outputs\.test-count\) > 0/,
-        "$1if: github.ref == 'refs/heads/main' && fromJSON(needs.detect-maturity.outputs.test-count) > 0"
-      )
+      updated = addStandardTestsBranchGate(updated)
     }
   } else if (mode === 'comprehensive') {
     // Comprehensive: Remove paths-ignore blocks
@@ -284,6 +342,7 @@ function injectMatrix(workflowContent, enableMatrix) {
 
 module.exports = {
   detectExistingWorkflowMode,
+  detectExistingMatrix,
   injectWorkflowMode,
   injectMatrix,
   stripSection,

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "create-qa-architect",
-  "version": "5.13.2",
+  "version": "5.13.3",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
-    "create-qa-architect": "./setup.js"
+    "create-qa-architect": "setup.js"
   },
   "scripts": {
     "prepare": "[ \"$CI\" = \"true\" ] && echo 'Skipping Husky in CI' || husky",
@@ -80,7 +80,7 @@
     "dependency-monitoring",
     "security-audit"
   ],
-  "author": "Brett Stark",
+  "author": "BuildProven",
   "license": "SEE LICENSE IN LICENSE",
   "files": [
     "setup.js",

package/setup.js

@@ -125,6 +125,7 @@ const { runInteractiveFlow } = require('./lib/interactive/questions')
 const { TemplateLoader } = require('./lib/template-loader')
 const {
   detectExistingWorkflowMode,
+  detectExistingMatrix,
   injectWorkflowMode,
   injectMatrix,
 } = require('./lib/workflow-config')
@@ -693,7 +694,7 @@ Usage: npx create-qa-architect@latest [options]
 SETUP OPTIONS:
   (no args)         Run complete quality automation setup
   --interactive     Interactive mode with guided configuration prompts
-  --update          Update existing configuration
+  --update          Update existing configuration (refreshes quality.yml, preserves detected workflow tier)
   --deps            Add basic dependency monitoring (Free Tier)
   --dependency-monitoring  Same as --deps
   --ci <provider>   Select CI provider: github (default) | gitlab | circleci
@@ -703,7 +704,7 @@ SETUP OPTIONS:
 WORKFLOW TIERS (GitHub Actions optimization):
   --workflow-minimal        Minimal CI (default) - Single Node version, monthly security
                             Budget-first mode: detection-only CI (target <1000 min/month)
-  --workflow-standard       Standard CI - Matrix testing on main, monthly security
+  --workflow-standard       Standard CI - Main-branch tests, monthly security
                             ~15-20 min/commit, ~$5-20/mo for typical projects
   --workflow-comprehensive  Comprehensive CI - Matrix on every push, security inline
                             ~50-100 min/commit, ~$100-350/mo for typical projects
@@ -1651,6 +1652,16 @@ HELP:
           }
         }
 
+        const hasExplicitWorkflowMode =
+          isWorkflowMinimal || isWorkflowStandard || isWorkflowComprehensive
+        const existingMatrixEnabled =
+          fs.existsSync(workflowFile) &&
+          !isMatrixEnabled &&
+          !hasExplicitWorkflowMode
+            ? detectExistingMatrix(process.cwd())
+            : false
+        const matrixEnabled = isMatrixEnabled || existingMatrixEnabled
+
         if (!fs.existsSync(workflowFile)) {
           let templateWorkflow =
             templateLoader.getTemplate(
@@ -1666,7 +1677,7 @@ HELP:
           templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
 
           // Inject matrix testing if enabled (for library authors)
-          templateWorkflow = injectMatrix(templateWorkflow, isMatrixEnabled)
+          templateWorkflow = injectMatrix(templateWorkflow, matrixEnabled)
 
           // Inject collaboration steps
           templateWorkflow = injectCollaborationSteps(templateWorkflow, {
@@ -1677,58 +1688,47 @@ HELP:
           fs.writeFileSync(workflowFile, templateWorkflow)
           console.log(`✅ Added GitHub Actions workflow (${workflowMode} mode)`)
         } else if (isUpdateMode) {
-          // Update existing workflow with new mode if explicitly specified
-          if (
-            isWorkflowMinimal ||
-            isWorkflowStandard ||
-            isWorkflowComprehensive
-          ) {
-            // Load fresh template and re-inject
-            let templateWorkflow =
-              templateLoader.getTemplate(
-                templates,
-                path.join('.github', 'workflows', 'quality.yml')
-              ) ||
-              fs.readFileSync(
-                path.join(__dirname, '.github/workflows/quality.yml'),
-                'utf8'
-              )
-
-            // Inject workflow mode configuration
-            templateWorkflow = injectWorkflowMode(
-              templateWorkflow,
-              workflowMode
+          // Refresh existing workflow from the current template.
+          let templateWorkflow =
+            templateLoader.getTemplate(
+              templates,
+              path.join('.github', 'workflows', 'quality.yml')
+            ) ||
+            fs.readFileSync(
+              path.join(__dirname, '.github/workflows/quality.yml'),
+              'utf8'
             )
 
-            // Inject matrix testing if enabled (for library authors)
-            templateWorkflow = injectMatrix(templateWorkflow, isMatrixEnabled)
+          // Inject workflow mode configuration
+          templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
+
+          // Inject matrix testing if enabled (for library authors)
+          templateWorkflow = injectMatrix(templateWorkflow, matrixEnabled)
 
-            // Inject collaboration steps (preserve from existing if present)
-            const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
-            const hasSlackAlerts =
-              existingWorkflow.includes('SLACK_WEBHOOK_URL')
-            const hasPrComments = existingWorkflow.includes(
-              'PR_COMMENT_PLACEHOLDER'
-            )
+          // Inject collaboration steps (preserve from existing if present)
+          const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
+          const hasSlackAlerts = existingWorkflow.includes('SLACK_WEBHOOK_URL')
+          const hasPrComments = existingWorkflow.includes(
+            'PR_COMMENT_PLACEHOLDER'
+          )
 
-            templateWorkflow = injectCollaborationSteps(templateWorkflow, {
-              enableSlackAlerts: hasSlackAlerts,
-              enablePrComments: hasPrComments,
-            })
+          templateWorkflow = injectCollaborationSteps(templateWorkflow, {
+            enableSlackAlerts: hasSlackAlerts,
+            enablePrComments: hasPrComments,
+          })
 
-            fs.writeFileSync(workflowFile, templateWorkflow)
-            if (workflowMode === 'minimal') {
-              console.log(
-                '⚠️  Minimal mode disables tests and security scans in CI (detection-only).'
-              )
-              console.log(
-                '   Use --workflow-standard to re-enable full CI checks.'
-              )
-            }
+          fs.writeFileSync(workflowFile, templateWorkflow)
+          if (workflowMode === 'minimal') {
             console.log(
-              `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+              '⚠️  Minimal mode disables tests and security scans in CI (detection-only).'
+            )
+            console.log(
+              '   Use --workflow-standard to re-enable full CI checks.'
             )
           }
+          console.log(
+            `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+          )
         }
       }
 
@@ -1918,8 +1918,26 @@ const fs = require('fs')
 const path = require('path')
 const os = require('os')
 
-const licenseDir =
+function validateLicenseDir(dirPath) {
+  const resolved = path.resolve(dirPath)
+  const home = os.homedir()
+  const tmp = os.tmpdir()
+  const isInHome = resolved.startsWith(home + path.sep) || resolved === home
+  const isInTmp = resolved.startsWith(tmp + path.sep) || resolved === tmp
+
+  if (!isInHome && !isInTmp) {
+    console.warn(
+      '⚠️  QAA_LICENSE_DIR must be within home or temp directory, ignoring: ' + dirPath
+    )
+    return path.join(home, '.create-qa-architect')
+  }
+
+  return resolved
+}
+
+const requestedLicenseDir =
   process.env.QAA_LICENSE_DIR || path.join(os.homedir(), '.create-qa-architect')
+const licenseDir = validateLicenseDir(requestedLicenseDir)
 const licenseFile = path.join(licenseDir, 'license.json')
 const usageFile = path.join(licenseDir, 'usage.json')
 const now = new Date()