create-qa-architect 5.13.3 → 5.13.5

package/.github/workflows/release.yml

@@ -22,8 +22,12 @@ jobs:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Upgrade npm for OIDC trusted publishing
-        run: npm install -g npm@latest
+      # OIDC trusted publishing requires npm >= 11.5. We pin to 11.5.2 (the
+      # first OIDC-stable release) instead of `npm@latest` to avoid the
+      # MODULE_NOT_FOUND (promise-retry) regression hit when self-upgrading
+      # over the setup-node-provided npm on top of the newest 11.x.
+      - name: Pin npm for OIDC trusted publishing
+        run: npm install -g npm@11.5.2
 
       - name: Install dependencies
         run: npm ci --no-audit

package/LICENSE

@@ -22,21 +22,9 @@ TERMS OF USE:
      - Smart Test Strategy
      - Multi-language support
      - Unlimited repos
-   - Team: Contact us (coming soon)
-     - All Pro features
-     - RBAC and team policies
-     - Slack alerts
-     - Multi-repo dashboard
-   - Enterprise: Contact us (coming soon)
-     - All Team features
-     - SSO/SAML integration
-     - Custom policies
-     - Compliance pack
-     - Dedicated TAM
 
 3. VIBE LAB PRO BUNDLE
    Pro tier is included in the Vibe Lab Pro subscription.
-   Team and Enterprise tiers are standalone purchases.
 
 4. PERMITTED USES
    - Use the free tier without restriction

package/config/defaults.js

@@ -1,5 +1,7 @@
 'use strict'
 
+const { detectDepMajor } = require('../lib/project-module-type')
+
 const STYLELINT_EXTENSIONS = ['css', 'scss', 'sass', 'less', 'pcss']
 const DEFAULT_STYLELINT_TARGET = `**/*.{${STYLELINT_EXTENSIONS.join(',')}}`
 
@@ -123,13 +125,27 @@ function getDefaultScripts({ stylelintTargets } = {}) {
 }
 
 /**
- * @param {DefaultsOptions} [options]
+ * @param {DefaultsOptions & {projectPath?: string}} [options]
  */
-function getDefaultDevDependencies({ typescript } = {}) {
+function getDefaultDevDependencies({ typescript, projectPath } = {}) {
   const devDeps = { ...clone(baseDevDependencies) }
   if (typescript) {
     Object.assign(devDeps, typeScriptDevDependencies)
   }
+
+  // Align @vitest/coverage-v8 with the target project's installed vitest
+  // major. vitest and its coverage adapter must share a major or npm install
+  // fails with ERESOLVE. Without this, a project already on vitest@4 gets
+  // our @vitest/coverage-v8@^2.x injected and breaks.
+  if (projectPath) {
+    const vitestMajor = detectDepMajor(projectPath, 'vitest')
+    if (vitestMajor && vitestMajor >= 3) {
+      devDeps['@vitest/coverage-v8'] = `^${vitestMajor}.0.0`
+      // Also drop our pinned vitest so we don't downgrade the project
+      delete devDeps.vitest
+    }
+  }
+
   return devDeps
 }
 

package/docs/STRIPE-LIVE-MODE-DEPLOYMENT.md

@@ -0,0 +1,208 @@
+# Stripe Live Mode Deployment Guide
+
+Deploy the `webhook-handler.js` server to process real Stripe payments and issue signed Pro licenses automatically.
+
+## Overview
+
+The payment flow:
+1. Customer purchases Pro at `buildproven.ai/qa-architect`
+2. Stripe fires a `checkout.session.completed` webhook to your server
+3. `webhook-handler.js` validates the event, generates a signed license key, and saves it to Vercel Blob
+4. Customer runs `npx create-qa-architect@latest --activate-license` and enters their key
+
+---
+
+## Prerequisites
+
+- A [Stripe](https://stripe.com) account with live mode enabled
+- A [Vercel](https://vercel.com) account (for Blob storage and hosting)
+- Node.js >=20
+- The ED25519 private key used to sign licenses (in `public-key.pem` + your private key)
+
+---
+
+## Step 1: Create Stripe Products and Prices
+
+In the [Stripe Dashboard](https://dashboard.stripe.com/products) → Products → Add product:
+
+| Product | Price | Billing | Price ID (example) |
+|---|---|---|---|
+| QA Architect Pro | $49.00 | Monthly | `price_1St9K2Gv7Su9XNJbdYoH3K32` |
+| QA Architect Pro | $490.00 | Yearly | `price_1St9KGGv7Su9XNJbrwKMsh1R` |
+
+The price IDs above are already mapped in `webhook-handler.js:315-318`. If your actual Stripe price IDs differ, update `mapPriceToTier()` in `webhook-handler.js`.
+
+---
+
+## Step 2: Set Up Vercel Blob Storage
+
+```bash
+# Install Vercel CLI
+npm install -g vercel
+
+# Link your project
+vercel link
+
+# Create a Blob store in the Vercel dashboard
+# Dashboard → Storage → Create → Blob → name it "qa-architect-licenses"
+# Copy the BLOB_READ_WRITE_TOKEN
+```
+
+---
+
+## Step 3: Deploy to Vercel
+
+`webhook-handler.js` exports an Express app compatible with Vercel serverless.
+
+Create `vercel.json` in the project root (do not commit secrets):
+
+```json
+{
+  "version": 2,
+  "builds": [{ "src": "webhook-handler.js", "use": "@vercel/node" }],
+  "routes": [{ "src": "/(.*)", "dest": "/webhook-handler.js" }]
+}
+```
+
+Deploy:
+
+```bash
+vercel --prod
+```
+
+Your webhook URL will be: `https://your-project.vercel.app/webhook`
+
+---
+
+## Step 4: Set Environment Variables
+
+In the Vercel dashboard → Project → Settings → Environment Variables, add:
+
+| Variable | Value | Notes |
+|---|---|---|
+| `STRIPE_SECRET_KEY` | `sk_live_...` | From Stripe Dashboard → Developers → API keys |
+| `STRIPE_WEBHOOK_SECRET` | `whsec_...` | Generated in Step 5 below |
+| `LICENSE_REGISTRY_PRIVATE_KEY` | Base64-encoded ED25519 private key | See note below |
+| `LICENSE_REGISTRY_KEY_ID` | `default` | Or a versioned ID like `v1` |
+| `BLOB_READ_WRITE_TOKEN` | `vercel_blob_...` | From Vercel Blob store settings |
+| `STATUS_API_TOKEN` | A strong random string | Protects the `/status` endpoint |
+| `NODE_ENV` | `production` | Enables HSTS and production error handling |
+
+**Private key format:** The key must be a PEM-encoded ED25519 private key, base64-encoded as a single line (no newlines):
+
+```bash
+# Encode your private key for the env var
+base64 -w 0 < your-private-key.pem
+```
+
+The `loadKeyFromEnv()` function in `lib/license-signing.js` decodes it automatically.
+
+---
+
+## Step 5: Register the Stripe Webhook
+
+In the [Stripe Dashboard](https://dashboard.stripe.com/webhooks) → Webhooks → Add endpoint:
+
+- **URL:** `https://your-project.vercel.app/webhook`
+- **Events to listen for:**
+  - `checkout.session.completed`
+  - `invoice.payment_succeeded`
+  - `customer.subscription.deleted`
+
+Copy the **Signing secret** (`whsec_...`) and add it as `STRIPE_WEBHOOK_SECRET` in Vercel.
+
+---
+
+## Step 6: Verify the Deployment
+
+```bash
+# Health check
+curl https://your-project.vercel.app/health
+
+# Expected response:
+# {"status":"ok","timestamp":"...","database":"missing"}
+# (missing is fine before any licenses are issued)
+
+# Test license database endpoint (used by CLI)
+curl https://your-project.vercel.app/legitimate-licenses.json
+
+# Test status endpoint (replace TOKEN with your STATUS_API_TOKEN)
+curl -H "Authorization: Bearer TOKEN" https://your-project.vercel.app/status
+```
+
+---
+
+## Step 7: Test with Stripe Test Mode First
+
+Before going live, test the full flow:
+
+```bash
+# Install Stripe CLI
+brew install stripe/stripe-cli/stripe
+
+# Forward webhooks to your local server
+stripe listen --forward-to localhost:3000/webhook
+
+# Trigger a test checkout event
+stripe trigger checkout.session.completed
+
+# Verify a license was created
+curl http://localhost:3000/legitimate-licenses.json
+```
+
+Switch to live mode keys once the test flow works end-to-end.
+
+---
+
+## Step 8: Connect Your Checkout Page
+
+Your Stripe Checkout session must:
+- Use one of the two price IDs mapped in `mapPriceToTier()`
+- Be a **subscription** mode checkout (not one-time payment)
+- Collect a customer email
+
+Example Stripe Checkout session creation (server-side):
+
+```javascript
+const session = await stripe.checkout.sessions.create({
+  mode: 'subscription',
+  payment_method_types: ['card'],
+  line_items: [{ price: 'price_1St9K2Gv7Su9XNJbdYoH3K32', quantity: 1 }],
+  success_url: 'https://buildproven.ai/qa-architect/success?session_id={CHECKOUT_SESSION_ID}',
+  cancel_url: 'https://buildproven.ai/qa-architect',
+})
+```
+
+---
+
+## License Key Delivery
+
+After a successful checkout, the license key is stored in Vercel Blob. The customer retrieves it by running:
+
+```bash
+npx create-qa-architect@latest --activate-license
+```
+
+They enter their email and the license key format `QAA-XXXX-XXXX-XXXX-XXXX`.
+
+The key is deterministic from the Stripe customer ID — you can regenerate it at any time using `admin-license.js` or `scripts/generate-license-keys.js`.
+
+> **Note:** The current flow requires customers to manually enter their key. Consider adding an email delivery step in `handleCheckoutCompleted()` in `webhook-handler.js` (the comment at line 511 marks where to add this).
+
+---
+
+## Cancellation Handling
+
+When a subscription is canceled in Stripe, the `customer.subscription.deleted` event fires and `handleSubscriptionCanceled()` marks the license as `status: "canceled"` in the database. The CLI checks this status during `getLicenseInfo()` and downgrades the user to FREE tier automatically.
+
+---
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| Webhook returns 400 | Wrong `STRIPE_WEBHOOK_SECRET` | Re-copy the signing secret from Stripe Dashboard |
+| License not created after payment | Unknown price ID | Update `mapPriceToTier()` with your actual Stripe price IDs |
+| CLI can't find license | Wrong blob URL | Check `BLOB_PATHS` in `lib/blob-storage.js` matches your Vercel Blob store |
+| `sk_test_` warning in logs | Test key in production | Replace with `sk_live_...` key |
+| `/status` returns 503 | `STATUS_API_TOKEN` not set | Add the env var in Vercel settings |

package/docs/TURBOREPO-SUPPORT.md

@@ -149,7 +149,7 @@ Turborepo caches and parallelizes tasks based on `turbo.json`:
 
 ### Issue: "package.json not found" in subdirectory
 
-This is expected in monorepos. qa-architect gracefully handles missing package.json in workspace subdirectories (see `docs/MONOREPO-COMPATIBILITY-FIX.md`).
+This is expected in monorepos. qa-architect gracefully handles missing package.json in workspace subdirectories.
 
 ## Testing
 
@@ -165,7 +165,6 @@ npx create-qa-architect@latest --dry-run
 
 ## Related Documentation
 
-- [Monorepo Compatibility Fix](./MONOREPO-COMPATIBILITY-FIX.md) - Handling workspaces
 - [CI Cost Analysis](./CI-COST-ANALYSIS.md) - Workflow tier pricing
 - [pnpm CI Example](../.github/workflows/pnpm-ci.yml.example) - Complete example
 

package/docs/dev_guide/CONVENTIONS.md

@@ -11,7 +11,7 @@ QA Architect (`create-qa-architect`) is a CLI tool that bootstraps quality autom
 
 **Entry point:** `setup.js` — CLI argument parsing and orchestration. Run as `npx create-qa-architect` or `node setup.js`.
 
-**npm package:** `create-qa-architect` v5.13.2 (published via GitHub trusted publishing)
+**npm package:** `create-qa-architect` v5.13.4 (published via GitHub trusted publishing)
 
 ## Directory Structure
 

package/lib/billing-dashboard.html

@@ -442,15 +442,9 @@
           )
         } finally {
           checkoutBtn.disabled = false
-          if (selectedTier === 'pro') {
-            checkoutBtn.textContent = isFounder
-              ? 'Start Pro Subscription - $24.50/month (Founder Price)'
-              : 'Start Pro Subscription - $49/month'
-          } else {
-            checkoutBtn.textContent = isFounder
-              ? 'Start Enterprise Subscription - $74.50/month (Founder Price)'
-              : 'Start Enterprise Subscription - $149/month'
-          }
+          checkoutBtn.textContent = isFounder
+            ? 'Start Pro Subscription - $24.50/month (Founder Price)'
+            : 'Start Pro Subscription - $49/month'
         }
       }
 

package/lib/commands/analyze-ci.js

@@ -12,6 +12,7 @@ const path = require('path')
 const { execSync } = require('child_process')
 const yaml = require('js-yaml')
 const { showProgress } = require('../ui-helpers')
+const { hasFeature, showUpgradeMessage } = require('../licensing')
 
 const DAYS_PER_MONTH = 30
 const DEFAULT_PULL_REQUEST_FACTOR = 0.8
@@ -383,17 +384,20 @@ function calculateMonthlyCosts(workflows, commitsPerDay, options = {}) {
   const workflowRunsPerDay = totalWorkflowRunsPerMonth / DAYS_PER_MONTH
 
   // GitHub Actions pricing (as of 2024)
-  const FREE_TIER_MINUTES = 2000 // Free tier monthly limit
-  const TEAM_TIER_MINUTES = 3000 // Team tier monthly limit
+  const FREE_TIER_MINUTES = 2000 // GitHub Free plan monthly limit
+  const GITHUB_TEAM_PLAN_MINUTES = 3000 // GitHub Team plan monthly limit ($4/user/month)
   const COST_PER_MINUTE = 0.008 // $0.008/min for private repos
   const TARGET_BUDGET_MINUTES = 1000
   const STRETCH_BUDGET_MINUTES = 1500
 
   const freeOverage = Math.max(0, minutesPerMonth - FREE_TIER_MINUTES)
-  const teamOverage = Math.max(0, minutesPerMonth - TEAM_TIER_MINUTES)
+  const githubTeamOverage = Math.max(
+    0,
+    minutesPerMonth - GITHUB_TEAM_PLAN_MINUTES
+  )
 
   const freeOverageCost = freeOverage * COST_PER_MINUTE
-  const teamOverageCost = teamOverage * COST_PER_MINUTE
+  const githubTeamOverageCost = githubTeamOverage * COST_PER_MINUTE
 
   return {
     minutesPerMonth,
@@ -419,11 +423,11 @@ function calculateMonthlyCosts(workflows, commitsPerDay, options = {}) {
         withinLimit: minutesPerMonth <= FREE_TIER_MINUTES,
       },
       team: {
-        limit: TEAM_TIER_MINUTES,
-        overage: teamOverage,
-        cost: teamOverageCost,
-        withinLimit: minutesPerMonth <= TEAM_TIER_MINUTES,
-        monthlyCost: 4, // $4/user/month
+        limit: GITHUB_TEAM_PLAN_MINUTES,
+        overage: githubTeamOverage,
+        cost: githubTeamOverageCost,
+        withinLimit: minutesPerMonth <= GITHUB_TEAM_PLAN_MINUTES,
+        monthlyCost: 4, // $4/user/month (GitHub Team plan price)
       },
     },
   }
@@ -672,10 +676,10 @@ function generateReport(analysis) {
     console.log('')
     console.log('Alternative options:')
 
-    // Team tier comparison
+    // GitHub Team plan comparison (GitHub's billing tier, not QA Architect tier)
     if (costs.tiers.team.withinLimit) {
       console.log(
-        `  Team plan ($${costs.tiers.team.monthlyCost}/user/month): ✅ Stays within ${costs.tiers.team.limit.toLocaleString()} min limit`
+        `  GitHub Team plan ($${costs.tiers.team.monthlyCost}/user/month): ✅ Stays within ${costs.tiers.team.limit.toLocaleString()} min limit`
       )
       const savings = costs.tiers.free.cost - costs.tiers.team.monthlyCost
       if (savings > 0) {
@@ -683,7 +687,7 @@ function generateReport(analysis) {
       }
     } else {
       console.log(
-        `  Team plan ($${costs.tiers.team.monthlyCost}/user/month): Still exceeds (${costs.tiers.team.overage.toLocaleString()} min overage)`
+        `  GitHub Team plan ($${costs.tiers.team.monthlyCost}/user/month): Still exceeds (${costs.tiers.team.overage.toLocaleString()} min overage)`
       )
       console.log(
         `    Total cost: $${(costs.tiers.team.monthlyCost + costs.tiers.team.cost).toFixed(2)}/month`
@@ -772,13 +776,10 @@ function generateReport(analysis) {
 async function handleAnalyzeCi() {
   const projectPath = process.cwd()
 
-  // Check if Pro feature (FREE tier for now during development)
-  // TODO: Enable Pro gating after testing
-  // const license = getLicenseInfo()
-  // if (!hasFeature('ciCostAnalysis')) {
-  //   showUpgradeMessage('GitHub Actions cost analysis')
-  //   process.exit(1)
-  // }
+  if (!hasFeature('ciCostAnalysis')) {
+    showUpgradeMessage('GitHub Actions cost analysis')
+    process.exit(1)
+  }
 
   const spinner = showProgress('Analyzing GitHub Actions workflows...')
 

package/lib/commands/deps.js

@@ -60,7 +60,7 @@ function detectRubyProject(projectPath) {
 }
 
 /**
- * Handle dependency monitoring command (Free/Pro/Team/Enterprise)
+ * Handle dependency monitoring command (Free/Pro)
  */
 async function handleDependencyMonitoring() {
   const projectPath = process.cwd()
@@ -95,7 +95,7 @@ async function handleDependencyMonitoring() {
   if (!capCheck.allowed) {
     console.error(`❌ ${capCheck.reason}`)
     console.error(
-      '   Upgrade to Pro, Team, or Enterprise for unlimited runs: https://buildproven.ai/qa-architect'
+      '   Upgrade to Pro for unlimited runs: https://buildproven.ai/qa-architect'
     )
     process.exit(1)
   }
@@ -108,7 +108,7 @@ async function handleDependencyMonitoring() {
   // Free tier only supports npm projects. Fail fast with a clear message.
   if (!shouldUsePremium && !hasNpm && (hasPython || hasRust || hasRuby)) {
     console.error(
-      '❌ Dependency monitoring for this project requires a Pro, Team, or Enterprise license.'
+      '❌ Dependency monitoring for this project requires a Pro license.'
     )
     console.error(
       '   Free tier supports npm projects only. Detected non-npm ecosystems.'

package/lib/dependency-monitoring-premium.js

@@ -1,5 +1,5 @@
 /**
- * Premium Dependency Monitoring Library (Pro/Team/Enterprise Tiers)
+ * Premium Dependency Monitoring Library (Pro Tier)
  * Framework-aware dependency grouping with intelligent batching
  *
  * @module dependency-monitoring-premium

package/lib/license-signing.js

@@ -1,107 +1,28 @@
 'use strict'
 
-const crypto = require('crypto')
-
-// TD15 fix: Single source of truth for license key format validation
-const LICENSE_KEY_PATTERN =
-  /^QAA-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/
-
 /**
- * Deterministic JSON stringify with sorted keys for signature verification.
- * TD13 fix: Added circular reference protection using WeakSet.
+ * License signing primitives — thin adapter over @buildproven/license-core.
+ *
+ * The package is the single source of truth for the signing/verification
+ * algorithm. This file exists for backward compatibility with existing
+ * `require('./license-signing')` callers in licensing.js, license-validator.js,
+ * admin-license.js, and tests. The bit-for-bit format is locked by the
+ * package's golden-vector tests against this exact file's prior behavior.
+ *
+ * QAA-specific bits (loadKeyFromEnv, LICENSE_KEY_PATTERN) stay here because
+ * they're not generic to all BuildProven products.
  */
-function stableStringify(value, seen = new WeakSet()) {
-  if (value === null || typeof value !== 'object') {
-    return JSON.stringify(value)
-  }
-  // TD13 fix: Detect circular references to prevent stack overflow
-  if (seen.has(value)) {
-    throw new Error('Circular reference detected in payload - cannot serialize')
-  }
-  seen.add(value)
 
-  if (Array.isArray(value)) {
-    return `[${value.map(item => stableStringify(item, seen)).join(',')}]`
-  }
-  const keys = Object.keys(value).sort()
-  const entries = keys.map(
-    key => `${JSON.stringify(key)}:${stableStringify(value[key], seen)}`
-  )
-  return `{${entries.join(',')}}`
-}
+const core = require('@buildproven/license-core')
 
-/**
- * Normalize and validate email format
- * DR21 fix: Added email format validation before hashing
- * @param {string} email - Email address to normalize
- * @returns {string|null} - Normalized email or null if invalid
- */
-function normalizeEmail(email) {
-  if (!email || typeof email !== 'string') return null
-  const normalized = email.trim().toLowerCase()
-
-  // Basic email format validation (RFC 5322 simplified)
-  // Must have: local@domain.tld format
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
-
-  if (!emailRegex.test(normalized)) {
-    return null
-  }
-
-  return normalized.length > 0 ? normalized : null
-}
-
-function hashEmail(email) {
-  const normalized = normalizeEmail(email)
-  if (!normalized) return null
-  return crypto.createHash('sha256').update(normalized).digest('hex')
-}
-
-/**
- * Build a license payload for signing/verification.
- * TD14 fix: Added input validation to prevent signature mismatches from invalid data.
- */
-function buildLicensePayload({
-  licenseKey,
-  tier,
-  isFounder,
-  emailHash,
-  issued,
-}) {
-  // TD14 fix: Validate required fields to catch issues early
-  if (!licenseKey || typeof licenseKey !== 'string') {
-    throw new Error('licenseKey is required and must be a string')
-  }
-  if (!tier || typeof tier !== 'string') {
-    throw new Error('tier is required and must be a string')
-  }
-  if (!issued || typeof issued !== 'string') {
-    throw new Error('issued is required and must be a string')
-  }
-
-  const payload = {
-    licenseKey,
-    tier,
-    isFounder: Boolean(isFounder),
-    issued,
-  }
-  if (emailHash) {
-    payload.emailHash = emailHash
-  }
-  return payload
-}
-
-function signPayload(payload, privateKey) {
-  const data = Buffer.from(stableStringify(payload))
-  const signature = crypto.sign(null, data, privateKey)
-  return signature.toString('base64')
-}
-
-function verifyPayload(payload, signature, publicKey) {
-  const data = Buffer.from(stableStringify(payload))
-  return crypto.verify(null, data, publicKey, Buffer.from(signature, 'base64'))
-}
+// QAA license key format — kept here, not in the shared package, because
+// each product has its own prefix.
+const LICENSE_KEY_PATTERN =
+  /^QAA-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/
 
+// QAA-specific helper: load a PEM key from either an env var (raw value)
+// or a path env var (file contents). Not in the shared package because
+// other consumers (Vercel functions) read keys differently.
 function loadKeyFromEnv(envValue, envPathValue) {
   if (envValue) return envValue
   if (envPathValue) {
@@ -115,11 +36,12 @@ function loadKeyFromEnv(envValue, envPathValue) {
 
 module.exports = {
   LICENSE_KEY_PATTERN,
-  stableStringify,
-  normalizeEmail,
-  hashEmail,
-  buildLicensePayload,
-  signPayload,
-  verifyPayload,
   loadKeyFromEnv,
+  // Re-exports — single source of truth in @buildproven/license-core
+  stableStringify: core.stableStringify,
+  normalizeEmail: core.normalizeEmail,
+  hashEmail: core.hashEmail,
+  buildLicensePayload: core.buildLicensePayload,
+  signPayload: core.signPayload,
+  verifyPayload: core.verifyPayload,
 }

package/lib/license-validator.js

@@ -15,9 +15,12 @@ const {
   buildLicensePayload,
   hashEmail,
   verifyPayload,
-  stableStringify,
   loadKeyFromEnv,
 } = require('./license-signing')
+const {
+  validateRegistryEntry,
+  verifyRegistryMetadata,
+} = require('@buildproven/license-core')
 
 /**
  * TD10 fix: Timing-safe string comparison to prevent timing attacks
@@ -85,7 +88,7 @@ class LicenseValidator {
     // Allow enterprises to host their own registry
     this.licenseDbUrl =
       process.env.QAA_LICENSE_DB_URL ||
-      'https://buildproven.ai/api/licenses/qa-architect.json'
+      'https://licenses.buildproven.ai/api/licenses/qa-architect.json'
 
     this.licensePublicKey = loadKeyFromEnv(
       process.env.QAA_LICENSE_PUBLIC_KEY,
@@ -351,14 +354,6 @@ class LicenseValidator {
         }
       }
 
-      const payload = buildLicensePayload({
-        licenseKey: normalizedKey,
-        tier: licenseInfo.tier,
-        isFounder: licenseInfo.isFounder,
-        emailHash: licenseInfo.emailHash,
-        issued: licenseInfo.issued,
-      })
-
       if (!licenseInfo.signature) {
         return {
           valid: false,
@@ -366,7 +361,18 @@ class LicenseValidator {
         }
       }
 
-      if (!this.verifySignature(payload, licenseInfo.signature)) {
+      // Delegate signature verification to @buildproven/license-core so
+      // every BuildProven product validates against the same code path.
+      // Email hash check is duplicated above (with QAA-specific error message);
+      // pass userEmailHash here as defense-in-depth.
+      const verification = validateRegistryEntry({
+        licenseKey: normalizedKey,
+        entry: licenseInfo,
+        publicKeyPem: this.licensePublicKey,
+        userEmailHash: emailHash || undefined,
+      })
+
+      if (!verification.valid) {
         return {
           valid: false,
           error:
@@ -374,6 +380,15 @@ class LicenseValidator {
         }
       }
 
+      // saveLicense() reads .payload off the result — rebuild for persistence.
+      const payload = buildLicensePayload({
+        licenseKey: normalizedKey,
+        tier: licenseInfo.tier,
+        isFounder: licenseInfo.isFounder,
+        emailHash: licenseInfo.emailHash,
+        issued: licenseInfo.issued,
+      })
+
       // License is valid
       console.log(
         `✅ License validated: ${licenseInfo.tier} ${licenseInfo.isFounder ? '(Founder)' : ''}`
@@ -563,12 +578,11 @@ class LicenseValidator {
   }
 
   verifyRegistrySignature(database) {
-    // DR17 fix: Dev mode should still verify signatures if present, only bypass when missing
+    // DR17 fix: Dev mode bypasses ONLY when signature or key is missing.
+    // When both are present, always verify (no bypass).
     const isDevMode = this.isDevBypassAllowed()
-    const signature = database?._metadata?.registrySignature
 
-    // Missing signature handling
-    if (!signature) {
+    if (!database?._metadata?.registrySignature) {
       if (isDevMode) {
         console.warn(
           '⚠️  DEV MODE: License database signature missing (bypassed)'
@@ -578,7 +592,6 @@ class LicenseValidator {
       throw new Error('license database missing registry signature')
     }
 
-    // Missing public key handling
     if (!this.licensePublicKey) {
       if (isDevMode) {
         console.warn(
@@ -589,22 +602,9 @@ class LicenseValidator {
       throw new Error('license public key not configured')
     }
 
-    // Always verify signature if both signature and key are present (destructure to exclude metadata)
-    const { _metadata: _unused3, ...licenses } = database
-    void _unused3
-    const isValid = verifyPayload(licenses, signature, this.licensePublicKey)
-    if (!isValid) {
-      throw new Error('license database signature verification failed')
-    }
-
-    // TD10 fix: Use timing-safe comparison for hash verification
-    const expectedHash = database?._metadata?.hash
-    if (expectedHash) {
-      const computed = this.computeSha256(stableStringify(licenses))
-      if (!timingSafeEqual(computed, expectedHash)) {
-        throw new Error('license database hash mismatch')
-      }
-    }
+    // Delegate to @buildproven/license-core. Throws on signature or hash
+    // mismatch. Single source of truth shared with fulfillment + claude-kit-pro.
+    verifyRegistryMetadata(database, this.licensePublicKey)
     return true
   }
 

package/lib/licensing.js

@@ -947,9 +947,9 @@ function saveUsage(usage) {
 
       throw error // Don't allow FREE tier to continue without tracking
     } else {
-      // Pro/Team/Enterprise - warn but don't fail
+      // Pro - warn but don't fail
       console.warn(`⚠️  Failed to save usage data: ${error.message}`)
-      console.warn(`   This won't affect Pro/Team/Enterprise functionality`)
+      console.warn(`   This won't affect Pro functionality`)
       return false
     }
   }

package/lib/project-module-type.js

@@ -0,0 +1,66 @@
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+/**
+ * Detect the target project's module system.
+ *
+ * Returns 'esm' if package.json has `"type": "module"`, otherwise 'cjs'.
+ * Missing or unreadable package.json falls back to 'cjs' (Node's default).
+ *
+ * @param {string} projectPath - Path to project root
+ * @returns {'esm'|'cjs'}
+ */
+function detectModuleType(projectPath) {
+  const packageJsonPath = path.join(projectPath, 'package.json')
+  if (!fs.existsSync(packageJsonPath)) {
+    return 'cjs'
+  }
+  try {
+    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))
+    return pkg.type === 'module' ? 'esm' : 'cjs'
+  } catch {
+    return 'cjs'
+  }
+}
+
+/**
+ * Convenience: true when the target project is ESM.
+ * @param {string} projectPath
+ * @returns {boolean}
+ */
+function isESMProject(projectPath) {
+  return detectModuleType(projectPath) === 'esm'
+}
+
+/**
+ * Detect the major version of an installed dep in the target project's
+ * package.json (checks dependencies + devDependencies). Returns null if
+ * not present or unparseable.
+ *
+ * @param {string} projectPath
+ * @param {string} depName
+ * @returns {number|null}
+ */
+function detectDepMajor(projectPath, depName) {
+  const packageJsonPath = path.join(projectPath, 'package.json')
+  if (!fs.existsSync(packageJsonPath)) return null
+  try {
+    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'))
+    const range =
+      (pkg.dependencies && pkg.dependencies[depName]) ||
+      (pkg.devDependencies && pkg.devDependencies[depName])
+    if (!range) return null
+    const match = String(range).match(/(\d+)\./)
+    return match ? parseInt(match[1], 10) : null
+  } catch {
+    return null
+  }
+}
+
+module.exports = {
+  detectModuleType,
+  isESMProject,
+  detectDepMajor,
+}

package/lib/quality-tools-generator.js

@@ -10,6 +10,7 @@
 
 const fs = require('fs')
 const path = require('path')
+const { isESMProject } = require('./project-module-type')
 
 /**
  * Generate Lighthouse CI configuration
@@ -435,11 +436,17 @@ function writeSizeLimitConfig(projectPath, options = {}) {
 }
 
 /**
- * Write commitlint config to project
+ * Write commitlint config to project.
+ * ESM projects ("type": "module" in package.json) need `.cjs` so Node
+ * loads our CommonJS `module.exports` template without throwing
+ * "module is not defined in ES module scope".
  * @param {string} projectPath - Path to project
  */
 function writeCommitlintConfig(projectPath) {
-  const configPath = path.join(projectPath, 'commitlint.config.js')
+  const filename = isESMProject(projectPath)
+    ? 'commitlint.config.cjs'
+    : 'commitlint.config.js'
+  const configPath = path.join(projectPath, filename)
   const config = generateCommitlintConfig()
 
   try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-qa-architect",
-  "version": "5.13.3",
+  "version": "5.13.5",
   "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
   "main": "setup.js",
   "bin": {
@@ -20,8 +20,8 @@
     "validate:comprehensive": "node setup.js --comprehensive --no-markdownlint",
     "validate:all": "npm run validate:comprehensive && npm run security:audit",
     "validate:pre-push": "npm run test:patterns --if-present && npm run lint && npm run format:check && npm run test:commands --if-present && npm test --if-present",
-    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js",
-    "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js",
+    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js && node tests/esm-project-support.test.js",
+    "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/esm-project-support.test.js",
     "test:fast": "npm run test:unit",
     "test:medium": "npm run test:fast && npm run test:patterns && npm run test:commands",
     "test:slow": "export QAA_DEVELOPER=true && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/real-world-packages.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/real-purchase-flow.test.js && node tests/project-maturity-cli.test.js && node tests/gitleaks-real-binary-test.js && npm run test:e2e",
@@ -121,7 +121,13 @@
       "table": {
         "ajv": "$ajv"
       }
-    }
+    },
+    "picomatch": "^2.3.2",
+    "basic-ftp": "^5.3.0",
+    "tmp": "^0.2.5",
+    "external-editor": "^3.1.0",
+    "inquirer": "^13.4.1",
+    "esbuild": "^0.25.0"
   },
   "devDependencies": {
     "@commitlint/cli": "^19.0.0",
@@ -213,6 +219,7 @@
     ]
   },
   "dependencies": {
+    "@buildproven/license-core": "^1.0.2",
     "@npmcli/package-json": "^7.0.4",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",

package/setup.js

@@ -723,7 +723,7 @@ VALIDATION OPTIONS:
 
 LICENSE, TELEMETRY & ERROR REPORTING:
   --license-status          Show current license tier and available features
-  --activate-license        Activate Pro/Team/Enterprise license key from Stripe purchase
+  --activate-license        Activate Pro license key from Stripe purchase
   --telemetry-status        Show telemetry status and opt-in instructions
   --error-reporting-status  Show error reporting status and privacy information
 
@@ -750,7 +750,7 @@ EXAMPLES:
     → Show current license tier and upgrade options
 
   npx create-qa-architect@latest --activate-license
-    → Activate Pro/Team/Enterprise license after Stripe purchase
+    → Activate Pro license after Stripe purchase
 
   npx create-qa-architect@latest --telemetry-status
     → Show telemetry status and privacy information
@@ -1398,6 +1398,7 @@ HELP:
       console.log('📦 Adding devDependencies...')
       const defaultDevDependencies = getDefaultDevDependencies({
         typescript: usesTypeScript,
+        projectPath: process.cwd(),
       })
       packageJson.devDependencies = mergeDevDependencies(
         packageJson.devDependencies || {},
@@ -1974,7 +1975,7 @@ try {
 const CAP = 50
 if (usage.prePushRuns >= CAP) {
 console.error('❌ Free tier limit reached: ' + usage.prePushRuns + '/' + CAP + ' pre-push runs this month')
-  console.error('   Upgrade to Pro, Team, or Enterprise: https://buildproven.ai/qa-architect')
+  console.error('   Upgrade to Pro: https://buildproven.ai/qa-architect')
   process.exit(1)
 }
 

package/templates/scripts/smart-test-strategy.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Smart Test Strategy - {{PROJECT_NAME}}
-# Generated by create-qa-architect (Pro/Team/Enterprise feature)
+# Generated by create-qa-architect (Pro feature)
 # https://buildproven.ai/qa-architect
 set -e