create-qa-architect 5.13.5 → 5.14.0

package/scripts/risk-policy-gate.js

@@ -0,0 +1,410 @@
+#!/usr/bin/env node
+
+/**
+ * Risk Policy Gate - Carson's Code Factory Pattern
+ *
+ * Validates PR changes against risk-aware merge policy before expensive CI.
+ * Implements Carson's "gate preflight before expensive CI" pattern.
+ */
+
+const fs = require('fs')
+const path = require('path')
+const { execFileSync } = require('child_process')
+const picomatch = require('picomatch')
+
+// Load harness configuration
+const CONFIG_PATH = path.join(__dirname, '..', 'harness-config.json')
+
+function loadConfig() {
+  if (!fs.existsSync(CONFIG_PATH)) {
+    console.error('❌ harness-config.json not found')
+    process.exit(1)
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf8'))
+  } catch (error) {
+    console.error('❌ Invalid harness-config.json:', error.message)
+    process.exit(1)
+  }
+}
+
+/**
+ * Default git runner — uses execFileSync (no shell, no concat). Returns trimmed
+ * stdout, throws with `.failed=true` on non-zero exit. Tests inject their own.
+ */
+function defaultGitRunner(args) {
+  try {
+    return execFileSync('git', args, {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    }).trim()
+  } catch (error) {
+    const err = new Error(`git ${args.join(' ')} failed: ${error.message}`)
+    err.failed = true
+    throw err
+  }
+}
+
+/**
+ * Resolve the base ref for diffing against HEAD.
+ *
+ * Algorithm (pure — only the injected runner touches git):
+ *   1. CI path: GITHUB_BASE_REF + GITHUB_HEAD_REF set → `origin/<base>`
+ *   2. CLI: --base <ref> → use it; fail closed if not resolvable
+ *   3. HEAD detached → fail closed
+ *   4. Try in order: origin/main, origin/master, main, master
+ *   5. None resolvable → fail closed
+ *
+ * Returns { mode: 'ci'|'local', base: '<ref>' }
+ * Throws Error with `.reason` for any fail-closed condition.
+ */
+function resolveBase({
+  env = process.env,
+  baseArg = null,
+  gitRunner = defaultGitRunner,
+} = {}) {
+  // Step 1: CI path
+  if (env.GITHUB_BASE_REF && env.GITHUB_HEAD_REF) {
+    return { mode: 'ci', base: `origin/${env.GITHUB_BASE_REF}` }
+  }
+
+  // Step 2: explicit --base
+  if (baseArg) {
+    if (!refExists(baseArg, gitRunner)) {
+      const err = new Error(`--base ${baseArg} is not resolvable in this repo`)
+      err.reason = 'base-not-resolvable'
+      throw err
+    }
+    return { mode: 'local', base: baseArg }
+  }
+
+  // Step 3: detached HEAD
+  if (isHeadDetached(gitRunner)) {
+    const err = new Error('HEAD is detached; pass --base <ref> explicitly')
+    err.reason = 'detached-head'
+    throw err
+  }
+
+  // Step 4: candidate base order
+  const candidates = ['origin/main', 'origin/master', 'main', 'master']
+  for (const ref of candidates) {
+    if (refExists(ref, gitRunner)) {
+      return { mode: 'local', base: ref }
+    }
+  }
+
+  // Step 5: nothing resolved
+  const err = new Error(
+    'No base ref found (tried origin/main, origin/master, main, master); pass --base explicitly'
+  )
+  err.reason = 'no-base'
+  throw err
+}
+
+function refExists(ref, gitRunner) {
+  try {
+    gitRunner(['rev-parse', '--verify', '--quiet', `${ref}^{commit}`])
+    return true
+  } catch {
+    return false
+  }
+}
+
+function isHeadDetached(gitRunner) {
+  try {
+    gitRunner(['symbolic-ref', '--quiet', 'HEAD'])
+    return false
+  } catch {
+    return true
+  }
+}
+
+/**
+ * Step 6: merge-base + Step 7: union of branch diff + staged + unstaged.
+ * Throws with `.reason='no-merge-base'` when merge-base cannot be computed
+ * (unrelated history or shallow clone too short).
+ */
+function getChangedFilesForBase(base, gitRunner = defaultGitRunner) {
+  let mergeBase
+  try {
+    mergeBase = gitRunner(['merge-base', 'HEAD', base])
+  } catch {
+    const err = new Error(
+      `Could not compute merge-base between HEAD and ${base} ` +
+        '(unrelated history or shallow clone too short); deepen clone or pass --base explicitly'
+    )
+    err.reason = 'no-merge-base'
+    throw err
+  }
+
+  if (!mergeBase) {
+    const err = new Error(`merge-base HEAD ${base} returned empty`)
+    err.reason = 'no-merge-base'
+    throw err
+  }
+
+  const branch = gitRunner(['diff', '--name-only', `${mergeBase}...HEAD`])
+  const staged = gitRunner(['diff', '--cached', '--name-only'])
+  const unstaged = gitRunner(['diff', '--name-only'])
+
+  return [
+    ...new Set(
+      [branch, staged, unstaged]
+        .flatMap(out => out.split('\n'))
+        .filter(f => f.length > 0)
+    ),
+  ]
+}
+
+/**
+ * Top-level wrapper used by main(). Resolves base + diffs in one call.
+ * Any failure throws an Error with `.reason` — caller decides exit message.
+ */
+function getChangedFiles({
+  env = process.env,
+  baseArg = null,
+  gitRunner = defaultGitRunner,
+} = {}) {
+  const resolved = resolveBase({ env, baseArg, gitRunner })
+  const files = getChangedFilesForBase(resolved.base, gitRunner)
+  return { files, resolved }
+}
+
+function parseCliArgs(argv) {
+  const result = { baseArg: null }
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i] === '--base' && i + 1 < argv.length) {
+      result.baseArg = argv[i + 1]
+      i++
+    } else if (argv[i].startsWith('--base=')) {
+      result.baseArg = argv[i].slice('--base='.length)
+    }
+  }
+  return result
+}
+
+const matcherCache = new Map()
+function getMatcher(pattern) {
+  let matcher = matcherCache.get(pattern)
+  if (!matcher) {
+    try {
+      matcher = picomatch(pattern, { dot: true })
+    } catch {
+      console.warn(`Invalid pattern: ${pattern}`)
+      matcher = () => false
+    }
+    matcherCache.set(pattern, matcher)
+  }
+  return matcher
+}
+
+function matchesPattern(filepath, patterns) {
+  return patterns.some(pattern => getMatcher(pattern)(filepath))
+}
+
+function calculateRiskTier(filepath, config) {
+  const { riskTierRules } = config
+
+  if (!riskTierRules || typeof riskTierRules !== 'object') {
+    return 'low'
+  }
+
+  // Check in order of decreasing risk - use allowlist of known tiers
+  const validTiers = ['critical', 'high', 'medium', 'low']
+  for (const tier of validTiers) {
+    if (riskTierRules[tier] && Array.isArray(riskTierRules[tier])) {
+      if (matchesPattern(filepath, riskTierRules[tier])) {
+        return tier
+      }
+    }
+  }
+
+  return 'low' // default
+}
+
+function validateRequiredChecks(riskTier, config) {
+  if (!config.mergePolicy) {
+    return {
+      valid: false,
+      error: 'No mergePolicy defined in config',
+    }
+  }
+
+  const policy = config.mergePolicy[riskTier]
+  if (!policy) {
+    return {
+      valid: false,
+      error: `No merge policy defined for risk tier: ${riskTier}`,
+    }
+  }
+
+  const { requiredChecks } = policy
+  const missingChecks = []
+
+  for (const check of requiredChecks) {
+    if (!config.checkDefinitions[check]) {
+      missingChecks.push(check)
+    }
+  }
+
+  if (missingChecks.length > 0) {
+    return {
+      valid: false,
+      error: `Missing check definitions: ${missingChecks.join(', ')}`,
+    }
+  }
+
+  return { valid: true }
+}
+
+function analyzeRisks(changedFiles, config) {
+  const riskOrder = ['low', 'medium', 'high', 'critical']
+  const riskAnalysis = {}
+  let highestRisk = 'low'
+
+  for (const file of changedFiles) {
+    const risk = calculateRiskTier(file, config)
+    if (!riskAnalysis[risk]) riskAnalysis[risk] = []
+    riskAnalysis[risk].push(file)
+
+    if (riskOrder.indexOf(risk) > riskOrder.indexOf(highestRisk)) {
+      highestRisk = risk
+    }
+  }
+
+  return { riskAnalysis, highestRisk }
+}
+
+function printRiskAnalysis(riskAnalysis) {
+  const TIER_EMOJI = { critical: '🔴', high: '🟠', medium: '🟡', low: '🟢' }
+  console.log('📊 Risk Analysis:')
+  for (const tier of ['critical', 'high', 'medium', 'low']) {
+    const files = riskAnalysis[tier]
+    if (!files || files.length === 0) continue
+    console.log(
+      `   ${TIER_EMOJI[tier]} ${tier.toUpperCase()}: ${files.length} files`
+    )
+    const preview = files.length <= 3 ? files : files.slice(0, 2)
+    preview.forEach(f => console.log(`      - ${f}`))
+    if (files.length > 3) console.log(`      ... and ${files.length - 2} more`)
+  }
+  console.log('')
+}
+
+function printPolicyRequirements(highestRisk, policy, config) {
+  console.log(`🎯 Merge Policy: ${highestRisk.toUpperCase()} tier requirements`)
+  console.log('   Required checks:')
+  policy.requiredChecks.forEach(check => {
+    const def = config.checkDefinitions[check]
+    console.log(`      ✓ ${check} (${def.description})`)
+  })
+  console.log(`   Review requirement: ${policy.reviewRequirement}`)
+  console.log(`   Evidence requirement: ${policy.evidenceRequirement}`)
+  console.log('')
+}
+
+function checkDocsDrift(changedFiles, config) {
+  if (!config.docsDriftRules?.enabled) return
+  const affected = changedFiles.filter(file =>
+    config.docsDriftRules.watchPaths.some(pattern =>
+      matchesPattern(file, [pattern])
+    )
+  )
+  if (affected.length === 0) return
+  console.log('📝 Docs drift check:')
+  console.log('   Changed files that may require doc updates:')
+  affected.forEach(file => console.log(`      - ${file}`))
+  console.log('   Required updates:')
+  config.docsDriftRules.requiredUpdates.forEach(path =>
+    console.log(`      - ${path}`)
+  )
+  console.log('')
+}
+
+function writeGithubOutput(summary) {
+  const outputPath = process.env.GITHUB_OUTPUT
+  if (!outputPath || typeof outputPath !== 'string' || outputPath.length === 0)
+    return
+  try {
+    Object.entries(summary).forEach(([key, value]) => {
+      fs.appendFileSync(outputPath, `${key}=${value}\n`, { encoding: 'utf8' })
+    })
+  } catch (error) {
+    console.warn('Failed to write GitHub Actions output:', error.message)
+  }
+}
+
+function main() {
+  console.log('🔍 Risk Policy Gate - Validating PR changes...\n')
+
+  const config = loadConfig()
+  const { baseArg } = parseCliArgs(process.argv.slice(2))
+
+  let changedFiles
+  let resolved
+  try {
+    ;({ files: changedFiles, resolved } = getChangedFiles({ baseArg }))
+  } catch (error) {
+    // Fail-closed for any base-resolution / merge-base failure.
+    console.error(`❌ Failed to determine changed files: ${error.message}`)
+    if (error.reason) {
+      console.error(`   Reason: ${error.reason}`)
+    }
+    process.exit(1)
+  }
+
+  console.log(`🔎 Base resolution: mode=${resolved.mode} base=${resolved.base}`)
+
+  if (changedFiles.length === 0) {
+    console.log('✅ No changed files detected - policy gate passed')
+    return
+  }
+
+  console.log(`📁 Changed files (${changedFiles.length}):`)
+  changedFiles.forEach(file => console.log(`   ${file}`))
+  console.log('')
+
+  const { riskAnalysis, highestRisk } = analyzeRisks(changedFiles, config)
+  printRiskAnalysis(riskAnalysis)
+
+  const validation = validateRequiredChecks(highestRisk, config)
+  if (!validation.valid) {
+    console.error(`❌ Policy validation failed: ${validation.error}`)
+    process.exit(1)
+  }
+
+  const policy = config.mergePolicy[highestRisk]
+  printPolicyRequirements(highestRisk, policy, config)
+  checkDocsDrift(changedFiles, config)
+
+  if (process.env.GITHUB_OUTPUT) {
+    writeGithubOutput({
+      highestRisk,
+      requiredChecks: policy.requiredChecks.join(','),
+      reviewRequired: policy.reviewRequirement !== 'none',
+      changedFileCount: changedFiles.length,
+      resolvedBase: resolved.base,
+      resolutionMode: resolved.mode,
+    })
+  }
+
+  console.log('✅ Risk policy gate passed')
+  console.log(
+    `📈 Proceeding with ${highestRisk.toUpperCase()} tier requirements`
+  )
+}
+
+if (require.main === module) {
+  main()
+}
+
+module.exports = {
+  calculateRiskTier,
+  validateRequiredChecks,
+  matchesPattern,
+  resolveBase,
+  getChangedFilesForBase,
+  getChangedFiles,
+  parseCliArgs,
+}

package/setup.js

@@ -151,6 +151,7 @@ const {
   showUpgradeMessage,
   checkUsageCaps,
   incrementUsage,
+  ensureLicenseFresh,
 } = require('./lib/licensing')
 
 // Smart Test Strategy Generator (Pro/Team/Enterprise feature)
@@ -455,6 +456,77 @@ const validateAndSanitizeInput = input => {
   return sanitized
 }
 
+/**
+ * Detect which (if any) Pro release-confidence command was invoked.
+ * Returns the command name, or null if none.
+ */
+function detectProCommand(sanitizedArgs) {
+  if (sanitizedArgs.includes('--ship-check')) return 'ship-check'
+  if (sanitizedArgs.includes('--pr-check')) return 'pr-check'
+  if (sanitizedArgs.includes('--history-scan')) return 'history-scan'
+  if (sanitizedArgs.includes('--audit')) return 'audit'
+  return null
+}
+
+/**
+ * Dispatch to the matching Pro command handler. Always exits the process
+ * (the handlers manage their own exit codes).
+ */
+async function runProCommand(command, sanitizedArgs, rawArgs) {
+  try {
+    const cmdOptions = parseProCommandOptions(sanitizedArgs, rawArgs)
+    if (command === 'ship-check') {
+      const { handleShipCheck } = require('./lib/commands/ship-check')
+      await handleShipCheck(cmdOptions)
+    } else if (command === 'pr-check') {
+      const { handlePrCheck } = require('./lib/commands/pr-check')
+      await handlePrCheck(cmdOptions)
+    } else if (command === 'audit') {
+      const { handleAudit } = require('./lib/commands/audit')
+      await handleAudit(cmdOptions)
+    } else {
+      const { handleHistoryScan } = require('./lib/commands/history-scan')
+      await handleHistoryScan(cmdOptions)
+    }
+    process.exit(0)
+  } catch (error) {
+    console.error(`Command error: ${error.message}`)
+    process.exit(1)
+  }
+}
+
+/**
+ * Extract options for Pro release-confidence commands (ship-check, pr-check,
+ * history-scan). Kept separate from parseArguments() to avoid bloating the
+ * main parser's cyclomatic complexity.
+ *
+ * @param {string[]} sanitizedArgs - Args after validateAndSanitizeInput
+ * @param {string[]} rawArgs - Original args (for path values that may include `..`)
+ * @returns {{json:boolean, skipTests:boolean, noFail:boolean, base:string|null, depth:string|null, outPath:string|null}}
+ */
+function parseProCommandOptions(sanitizedArgs, rawArgs) {
+  const pickValue = (flag, source) => {
+    const idx = source.findIndex(arg => arg === flag)
+    if (idx === -1) return null
+    return source[idx + 1] || null
+  }
+
+  const baseValue = pickValue('--base', sanitizedArgs)
+  const depthValue = pickValue('--depth', sanitizedArgs)
+  const outValue = pickValue('--out', rawArgs)
+
+  return {
+    json: sanitizedArgs.includes('--json'),
+    skipTests: sanitizedArgs.includes('--skip-tests'),
+    noFail: sanitizedArgs.includes('--no-fail'),
+    fix: sanitizedArgs.includes('--fix'),
+    base: baseValue,
+    depth: depthValue,
+    outPath: outValue ? path.resolve(outValue) : null,
+    projectPath: process.cwd(),
+  }
+}
+
 /**
  * Parse CLI arguments and return configuration object
  * @param {string[]} rawArgs - Raw command line arguments
@@ -711,6 +783,35 @@ WORKFLOW TIERS (GitHub Actions optimization):
   --matrix                 Enable Node.js version matrix testing (20 + 22)
                             Use for npm libraries/CLI tools that support multiple Node versions
   --analyze-ci             Analyze GitHub Actions usage and get optimization tips (Pro)
+  --analyze-ci --doctor    Add CI Doctor: flaky tests, duplicated jobs, waste detection (Pro)
+
+VIBE-CODE SECURITY AUDIT (Free):
+  --audit                  Scan codebase for security vulnerabilities in AI-generated code
+                           Runs semgrep SAST (injection, auth, XSS, misconfigs) + npm CVE audit
+                           Output: Critical/High/Medium/Low findings with file:line + fix guidance
+  --audit --json           Emit JSON output (for CI integration)
+  --audit --out <path>     Write markdown report to file (PR-comment-ready)
+  --audit --no-fail        Always exit 0 (report-only, don't block CI)
+
+AUDIT PRO (Pro):
+  --audit --fix            Generate Claude Code prompts for each Critical/High finding
+                           (paste directly into Claude Code to fix issues one by one)
+
+  Requires: semgrep (pip install semgrep / brew install semgrep)
+  Pro also adds: hallucinated package detection (npm registry check)
+
+RELEASE CONFIDENCE (Pro):
+  --ship-check             Unified release-readiness report (lint, tests, security,
+                           coverage, bundle, env, CI cost, docs) with SHIP/REVIEW/BLOCK verdict
+  --pr-check               Diff-aware risk classifier — flags high-risk file changes and
+                           missing tests, emits PR-comment-ready markdown
+  --history-scan           Full git-history secrets audit (gitleaks --log-opts=--all)
+  --base <branch>          Base branch for --pr-check (default: main, falls back to master)
+  --depth <N>              Limit --history-scan to last N commits (default: full history)
+  --skip-tests             Skip running tests in --ship-check (e.g. when slow)
+  --json                   Emit JSON output for --ship-check/--pr-check/--history-scan
+  --out <path>             Write markdown report to <path> (PR-comment-ready)
+  --no-fail                Always exit 0 from --pr-check (report-only mode)
 
 VALIDATION OPTIONS:
   --validate        Run comprehensive validation (same as --comprehensive)
@@ -723,7 +824,7 @@ VALIDATION OPTIONS:
 
 LICENSE, TELEMETRY & ERROR REPORTING:
   --license-status          Show current license tier and available features
-  --activate-license        Activate Pro license key from Stripe purchase
+  --activate-license        Activate Pro license key from purchase
   --telemetry-status        Show telemetry status and opt-in instructions
   --error-reporting-status  Show error reporting status and privacy information
 
@@ -750,7 +851,7 @@ EXAMPLES:
     → Show current license tier and upgrade options
 
   npx create-qa-architect@latest --activate-license
-    → Activate Pro license after Stripe purchase
+    → Activate Pro license after purchase
 
   npx create-qa-architect@latest --telemetry-status
     → Show telemetry status and privacy information
@@ -788,6 +889,19 @@ EXAMPLES:
   npx create-qa-architect@latest --update --workflow-minimal
     → Convert existing comprehensive workflow to minimal (reduce CI costs)
 
+  npx create-qa-architect@latest --audit
+    → Scan for security vulnerabilities in AI-generated code (free)
+    → Requires: semgrep (pip install semgrep)
+
+  npx create-qa-architect@latest --audit --out audit-report.md
+    → Run audit and write markdown report to file (for PR comments or docs)
+
+  npx create-qa-architect@latest --audit --json
+    → Emit JSON output for CI integration or tooling
+
+  npx create-qa-architect@latest --audit --fix
+    → Run audit + generate Claude Code prompts for each finding (Pro)
+
   npx create-qa-architect@latest --analyze-ci
     → Analyze your GitHub Actions usage and get cost optimization recommendations (Pro)
 
@@ -805,6 +919,13 @@ HELP:
     process.exit(0)
   }
 
+  // Pro release-confidence commands must run BEFORE handleDryRun() so they
+  // don't get a "🚀 Setting up Quality Automation..." banner in their output.
+  const proCommand = detectProCommand(sanitizedArgs)
+  if (proCommand) {
+    return runProCommand(proCommand, sanitizedArgs, args)
+  }
+
   // Handle dry-run mode and show mode banner
   handleDryRun({ isDryRun, isUpdateMode, isDependencyMonitoringMode })
 
@@ -826,12 +947,13 @@ HELP:
     handleMaturityCheck()
   }
 
-  // Handle CI cost analysis command
+  // Handle CI cost analysis command (with optional --doctor expansion)
   if (isAnalyzeCiMode) {
     return (async () => {
       try {
         const { handleAnalyzeCi } = require('./lib/commands/analyze-ci')
-        await handleAnalyzeCi()
+        const doctor = sanitizedArgs.includes('--doctor')
+        await handleAnalyzeCi({ doctor })
         process.exit(0)
       } catch (error) {
         console.error('CI cost analysis error:', error.message)
@@ -1134,6 +1256,12 @@ HELP:
         process.exit(1)
       }
 
+      // Re-check the signed registry before any Pro feature lookup (quality
+      // tooling, Smart Test Strategy, etc.) so a revoked/cancelled subscription
+      // stops unlocking Pro here too — not only on the standalone Pro commands.
+      // Fails open offline; only a fresh, signature-verified fetch downgrades.
+      await ensureLicenseFresh()
+
       // Enforce FREE tier repo limit (1 private repo)
       // Must happen before any file modifications
       const license = getLicenseInfo()