create-qa-architect 5.13.6 → 5.14.0

package/lib/license-validator.js

@@ -1,7 +1,7 @@
 /**
  * License Validator (user-side)
  *
- * - No Stripe dependencies (secrets stay server-side)
+ * - No payment provider dependencies (provider secrets stay server-side)
  * - Fetches a signed license registry from a configurable HTTPS endpoint
  * - Caches locally for offline use with graceful fallback
  */
@@ -22,6 +22,41 @@ const {
   verifyRegistryMetadata,
 } = require('@buildproven/license-core')
 
+function loadBundledPublicKey() {
+  try {
+    const keyPath = path.join(__dirname, '..', 'public-key.pem')
+    if (fs.existsSync(keyPath)) {
+      return fs.readFileSync(keyPath, 'utf8')
+    }
+  } catch {
+    // bundled key unavailable; caller will warn
+  }
+  return null
+}
+
+/**
+ * Minimal semver compare for the major.minor.patch core (ignores pre-release
+ * tags). Returns 1 if a > b, -1 if a < b, 0 if equal. Avoids depending on the
+ * transitive `semver` package for a single comparison. Unparseable input → 0
+ * (treated as equal, so a malformed recommended version never triggers a warn).
+ */
+function compareSemver(a, b) {
+  const parse = v =>
+    String(v)
+      .split('-')[0]
+      .split('.')
+      .map(n => Number.parseInt(n, 10))
+  const pa = parse(a)
+  const pb = parse(b)
+  for (let i = 0; i < 3; i++) {
+    const x = Number.isFinite(pa[i]) ? pa[i] : 0
+    const y = Number.isFinite(pb[i]) ? pb[i] : 0
+    if (x > y) return 1
+    if (x < y) return -1
+  }
+  return 0
+}
+
 /**
  * TD10 fix: Timing-safe string comparison to prevent timing attacks
  * on hash/signature verification.
@@ -90,15 +125,24 @@ class LicenseValidator {
       process.env.QAA_LICENSE_DB_URL ||
       'https://licenses.buildproven.ai/api/licenses/qa-architect.json'
 
-    this.licensePublicKey = loadKeyFromEnv(
-      process.env.QAA_LICENSE_PUBLIC_KEY,
-      process.env.QAA_LICENSE_PUBLIC_KEY_PATH
-    )
+    this.licensePublicKey =
+      loadKeyFromEnv(
+        process.env.QAA_LICENSE_PUBLIC_KEY,
+        process.env.QAA_LICENSE_PUBLIC_KEY_PATH
+      ) || loadBundledPublicKey()
 
     // DR14 fix: Add in-memory cache with 5-minute TTL
     this.dbCache = null
     this.dbCacheTime = 0
     this.cacheTTL = 5 * 60 * 1000 // 5 minutes
+
+    // Periodic re-validation: an activated license is re-checked against the
+    // signed registry on this cadence so a cancelled/revoked subscription stops
+    // unlocking Pro. Offline runs fail OPEN (keep access) so we never lock out
+    // a paying user without network; only a successful fresh fetch can downgrade.
+    const days = Number(process.env.QAA_LICENSE_REVALIDATE_DAYS)
+    this.revalidateIntervalMs =
+      (Number.isFinite(days) && days > 0 ? days : 7) * 24 * 60 * 60 * 1000
   }
 
   normalizeLicenseKey(key) {
@@ -286,6 +330,155 @@ class LicenseValidator {
     }
   }
 
+  /**
+   * Fetch + verify the signed registry from the network, reporting whether the
+   * result is genuinely fresh. Unlike fetchLegitimateDatabase (which silently
+   * falls back to cache on network failure), this distinguishes a live fetch
+   * from a stale cache so revocation logic never downgrades on stale data.
+   * Returns { fresh: boolean, registry: object|null }.
+   */
+  async fetchRegistryStrict() {
+    try {
+      const parsedUrl = new URL(this.licenseDbUrl)
+      const isTest = process.argv.join(' ').includes('test')
+      if (
+        parsedUrl.protocol !== 'https:' &&
+        !process.env.QAA_ALLOW_INSECURE_LICENSE_DB &&
+        !isTest
+      ) {
+        throw new Error('license database URL must use HTTPS')
+      }
+
+      const controller = new AbortController()
+      const timeout = setTimeout(() => controller.abort(), 10000)
+      const response = await fetch(this.licenseDbUrl, {
+        signal: controller.signal,
+        headers: { 'User-Agent': 'create-qa-architect-cli' },
+      })
+      clearTimeout(timeout)
+
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`)
+      }
+
+      const database = await response.json()
+      if (!database || typeof database !== 'object' || !database._metadata) {
+        throw new Error('invalid database format')
+      }
+
+      // Throws if the signed registry fails verification.
+      this.verifyRegistrySignature(database)
+
+      // Refresh the local cache so offline runs use the latest known-good copy.
+      this.ensureLicenseDir()
+      fs.writeFileSync(this.legitimateDBFile, JSON.stringify(database, null, 2))
+
+      return { fresh: true, registry: database }
+    } catch (error) {
+      // Network/verification failure → not fresh. Caller fails open (offline).
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  Registry re-check skipped: ${error.message}`)
+      }
+      return { fresh: false, registry: null }
+    }
+  }
+
+  /**
+   * Whether an activated license is due for a server re-check.
+   * Uses the verifiedAt timestamp persisted by saveLicense().
+   */
+  needsRevalidation(localLicense) {
+    if (!localLicense) return false
+    const last = Date.parse(
+      localLicense.verifiedAt || localLicense.activated || ''
+    )
+    if (!Number.isFinite(last)) return true // unknown age → re-check
+    return Date.now() - last > this.revalidateIntervalMs
+  }
+
+  /**
+   * Re-confirm an already-activated license against the signed registry.
+   * Only ever downgrades on a genuinely fresh fetch; offline → keeps access.
+   * Returns { active: boolean, reason?: string, registry?: object }.
+   */
+  async revalidateLocalLicense(localLicense) {
+    const { fresh, registry } = await this.fetchRegistryStrict()
+    if (!fresh) {
+      // Offline or registry unreachable — fail open, do not lock out.
+      return { active: true, reason: 'offline-kept' }
+    }
+
+    const { _metadata: _meta, ...entries } = registry
+    void _meta
+    const key = this.normalizeLicenseKey(
+      localLicense.licenseKey || localLicense.key
+    )
+    const entry = entries[key]
+
+    if (!entry || entry.status === 'revoked') {
+      // Clear the local file so every later getLicenseInfo()/hasFeature() read
+      // resolves to FREE — the downgrade must persist, not be in-memory only.
+      this.removeLicense()
+      return { active: false, reason: 'revoked-or-removed', registry }
+    }
+
+    // Re-verify the signed entry (catches tier tampering / key rotation).
+    const verification = validateRegistryEntry({
+      licenseKey: key,
+      entry,
+      publicKeyPem: this.licensePublicKey,
+      userEmailHash: localLicense.payload?.emailHash || undefined,
+    })
+    if (!verification.valid) {
+      this.removeLicense()
+      return { active: false, reason: 'verification-failed', registry }
+    }
+
+    // Still valid — stamp a fresh verifiedAt so we don't re-check every run.
+    this.refreshVerifiedAt()
+
+    // Non-fatal: nudge Pro users onto the latest CLI. The server controls the
+    // recommended floor via signed registry metadata; we never block on it.
+    this.warnIfOutdated(registry?._metadata?.minRecommendedVersion)
+
+    return { active: true, reason: 'confirmed', registry }
+  }
+
+  /**
+   * Print a loud but non-fatal warning if the installed CLI is older than the
+   * server-recommended minimum. No-op when the field is absent or unparseable.
+   */
+  warnIfOutdated(minRecommendedVersion) {
+    if (!minRecommendedVersion) return
+    const current = require('../package.json').version
+    if (compareSemver(current, minRecommendedVersion) >= 0) return
+    console.warn('')
+    console.warn(
+      `⚠️  A newer QA Architect is available (recommended: ${minRecommendedVersion}, you have ${current}).`
+    )
+    console.warn(
+      '   Pro licensing and expiry handling improve with each release.'
+    )
+    console.warn('   Update: npx create-qa-architect@latest')
+    console.warn('')
+  }
+
+  /**
+   * Update only the verifiedAt timestamp on the persisted license file.
+   */
+  refreshVerifiedAt() {
+    try {
+      if (!fs.existsSync(this.licenseFile)) return
+      const record = JSON.parse(fs.readFileSync(this.licenseFile, 'utf8'))
+      record.verifiedAt = new Date().toISOString()
+      fs.writeFileSync(this.licenseFile, JSON.stringify(record, null, 2))
+    } catch (error) {
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  Could not refresh verifiedAt: ${error.message}`)
+      }
+    }
+  }
+
   /**
    * Validate license key (fetches latest database, then validates locally)
    */
@@ -677,7 +870,8 @@ class LicenseValidator {
   }
 
   /**
-   * Remove license (for testing)
+   * Remove the persisted local license file (used on confirmed revocation and
+   * by tests). After this, getLicenseInfo() resolves to FREE.
    */
   removeLicense() {
     try {

package/lib/licensing.js

@@ -48,7 +48,7 @@ Object.defineProperty(exports, 'LICENSE_FILE', {
  *
  * Pricing:
  * - FREE: $0 (Hobby/OSS - capped)
- * - PRO: $49/mo or $490/yr (Solo Devs/Small Teams)
+ * - PRO: $29/mo or $290/yr (Solo Devs/Small Teams)
  */
 // DR23 fix: Freeze object to prevent accidental or malicious mutation
 const LICENSE_TIERS = Object.freeze({
@@ -119,6 +119,14 @@ const FEATURES = deepFreeze({
     envValidation: false, // ❌ PRO feature - env vars audit
     // CI/CD optimization
     ciCostAnalysis: false, // ❌ PRO feature - GitHub Actions cost analysis
+    ciDoctor: false, // ❌ PRO feature - flaky test + waste detection
+    // Release confidence (AI-assisted dev gates)
+    shipCheck: false, // ❌ PRO feature - unified release readiness report
+    prCheck: false, // ❌ PRO feature - diff-aware risk classifier
+    historicalSecretsScan: false, // ❌ PRO feature - full-history secrets audit
+    // Vibe-code audit
+    auditBasic: true, // ✅ FREE - semgrep SAST + npm audit (5/7 categories)
+    auditPro: false, // ❌ PRO - hallucination check + --fix Claude Code prompts
     roadmap: [
       '✅ ESLint, Prettier, Stylelint configuration',
       '✅ Basic Husky pre-commit hooks',
@@ -126,9 +134,15 @@ const FEATURES = deepFreeze({
       '✅ Lighthouse CI (basic, no thresholds)',
       '✅ axe-core accessibility testing',
       '✅ Conventional commits (commitlint)',
+      '✅ Security audit (semgrep SAST + npm CVEs) — qa-architect --audit',
       '⚠️ Limited: 1 private repo, JS/TS only',
-      '❌ No security scanning (Gitleaks, ESLint security)',
+      '❌ No Gitleaks secrets scanning (Pro)',
+      '❌ No hallucinated package detection (Pro)',
+      '❌ No --fix Claude Code prompts (Pro)',
       '❌ No Smart Test Strategy',
+      '❌ No release readiness gate (--ship-check)',
+      '❌ No diff risk review (--pr-check)',
+      '❌ No CI doctor or historical secrets scan',
     ],
   },
   [LICENSE_TIERS.PRO]: {
@@ -164,10 +178,21 @@ const FEATURES = deepFreeze({
     envValidation: true, // ✅ Env vars audit
     // CI/CD optimization
     ciCostAnalysis: true, // ✅ GitHub Actions cost analysis
+    ciDoctor: true, // ✅ Flaky test + waste detection
+    // Release confidence (AI-assisted dev gates)
+    shipCheck: true, // ✅ Unified release readiness report
+    prCheck: true, // ✅ Diff-aware risk classifier
+    historicalSecretsScan: true, // ✅ Full-history secrets audit
+    // Vibe-code audit
+    auditBasic: true, // ✅ semgrep SAST + npm audit
+    auditPro: true, // ✅ hallucination check + --fix Claude Code prompts
     roadmap: [
       '✅ Unlimited repos and runs',
+      '✅ Security audit — semgrep SAST + npm CVEs + hallucination detection',
+      '✅ --fix flag: Claude Code prompts for every Critical/High finding',
       '✅ Smart Test Strategy (70% faster pre-push validation)',
       '✅ Security scanning (Gitleaks + ESLint security rules)',
+      '✅ Historical secrets scan (full git history audit)',
       '✅ TypeScript production protection',
       '✅ Multi-language (Python, Rust, Ruby)',
       '✅ Framework-aware dependency grouping',
@@ -175,6 +200,9 @@ const FEATURES = deepFreeze({
       '✅ Bundle size limits (size-limit)',
       '✅ Coverage threshold enforcement',
       '✅ Pre-launch validation with env vars audit',
+      '✅ Release readiness report (--ship-check)',
+      '✅ Diff risk review (--pr-check) for AI-assisted dev',
+      '✅ CI doctor (flaky tests + workflow waste detection)',
       '✅ Email support (24-48h response)',
     ],
   },
@@ -221,7 +249,7 @@ function isDeveloperMode() {
 }
 
 /**
- * Check if user has a valid license file (USER-FACING - NO STRIPE DEPENDENCIES)
+ * Check if user has a valid license file (USER-FACING — no payment provider dependencies)
  */
 function getLicenseInfo() {
   try {
@@ -303,14 +331,73 @@ function getLicenseInfo() {
 }
 
 /**
- * License key validation with Stripe integration
- * Supports both legacy format and new Stripe-generated keys
+ * Periodic online re-check for an already-activated license.
+ *
+ * getLicenseInfo() is synchronous and trusts the locally-signed license file.
+ * That alone cannot notice a cancelled/revoked subscription, because the signed
+ * payload carries no expiry. This async gate, awaited at the top of every Pro
+ * command handler, re-confirms the key against the signed registry on a cadence
+ * and downgrades to FREE if it has been revoked or removed.
+ *
+ * Fails OPEN when offline (keeps Pro) so a paying user is never locked out
+ * without network. Only a genuinely fresh, verified registry fetch downgrades.
+ */
+async function ensureLicenseFresh() {
+  const license = getLicenseInfo()
+
+  // Nothing to re-check for FREE, developer mode, or an already-invalid file.
+  if (
+    license.isDeveloper ||
+    license.tier === LICENSE_TIERS.FREE ||
+    !license.valid
+  ) {
+    return license
+  }
+
+  try {
+    const { LicenseValidator } = require('./license-validator')
+    const validator = new LicenseValidator()
+    const localLicense = validator.getLocalLicense()
+
+    if (!validator.needsRevalidation(localLicense)) {
+      return license // checked recently — fast path
+    }
+
+    const result = await validator.revalidateLocalLicense(localLicense)
+    if (!result.active) {
+      console.warn('')
+      console.warn(
+        '⚠️  Your Pro license is no longer active (subscription cancelled or revoked).'
+      )
+      console.warn(
+        '   Reactivate: npx create-qa-architect@latest --activate-license'
+      )
+      console.warn('')
+      return {
+        tier: LICENSE_TIERS.FREE,
+        valid: true,
+        error: `License no longer active: ${result.reason}`,
+      }
+    }
+  } catch (error) {
+    // Never let a re-check error block a paying user — fail open, but surface it.
+    if (process.env.DEBUG) {
+      console.warn(`⚠️  License re-check error: ${error.message}`)
+    }
+  }
+
+  return license
+}
+
+/**
+ * License key validation.
+ * Supports both legacy format and webhook-issued keys.
  */
 function validateLicenseKey(key, tier) {
   const normalizedKey = normalizeLicenseKey(key)
   // TD15 fix: Use shared constant for license key pattern
   if (LICENSE_KEY_PATTERN.test(normalizedKey)) {
-    // Stripe-generated key - always valid if properly formatted
+    // Webhook-issued key — valid if properly formatted
     return true
   }
 
@@ -320,7 +407,7 @@ function validateLicenseKey(key, tier) {
 }
 
 /**
- * Verify license signature using the same algorithm as StripeIntegration
+ * Verify license signature against the public registry key.
  */
 function verifyLicenseSignature(payload, signature) {
   try {
@@ -388,7 +475,7 @@ function showUpgradeMessage(feature) {
   if (license.tier === LICENSE_TIERS.FREE) {
     console.log('\n🚀 Upgrade to PRO')
     console.log('')
-    console.log('   💰 $49/month  or  $490/year (save $98)')
+    console.log('   💰 $29/month  or  $290/year (save $58)')
     console.log('')
     console.log('   ✅ Unlimited repos, LOC, and runs')
     console.log('   ✅ Smart Test Strategy (70% faster pre-push)')
@@ -504,7 +591,7 @@ function saveLicenseWithSignature(tier, key, email, validation) {
 
     const licenseData = {
       tier,
-      licenseKey: normalizedKey, // ✅ Changed from 'key' to 'licenseKey' to match StripeIntegration
+      licenseKey: normalizedKey,
       email,
       expires: validation.expires,
       activated: new Date().toISOString(),
@@ -542,11 +629,11 @@ function removeLicense() {
 }
 
 /**
- * Activate license (USER-FACING - NO STRIPE DEPENDENCIES)
+ * Activate license (USER-FACING — no payment provider dependencies)
  */
 async function activateLicense(licenseKey, email) {
   try {
-    // Use pure license validator (no Stripe dependencies)
+    // Use pure license validator (no payment provider dependencies)
     const { LicenseValidator } = require('./license-validator')
     const validator = new LicenseValidator()
 
@@ -1146,6 +1233,7 @@ module.exports = {
   LICENSE_TIERS,
   FEATURES,
   getLicenseInfo,
+  ensureLicenseFresh,
   hasFeature,
   getDependencyMonitoringLevel,
   getSupportedLanguages,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "create-qa-architect",
-  "version": "5.13.6",
-  "description": "QA Architect - Bootstrap quality automation for JavaScript/TypeScript and Python projects with GitHub Actions, pre-commit hooks, linting, formatting, and smart test strategy",
+  "version": "5.14.0",
+  "description": "QA Architect - Security audit and quality automation for AI-generated codebases. Scans for OWASP Top-10 vulnerabilities, CVEs, and common vibe-coding mistakes.",
   "main": "setup.js",
   "bin": {
     "create-qa-architect": "setup.js"
@@ -20,8 +20,8 @@
     "validate:comprehensive": "node setup.js --comprehensive --no-markdownlint",
     "validate:all": "npm run validate:comprehensive && npm run security:audit",
     "validate:pre-push": "npm run test:patterns --if-present && npm run lint && npm run format:check && npm run test:commands --if-present && npm test --if-present",
-    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js && node tests/esm-project-support.test.js && node tests/blob-storage.test.js",
-    "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/esm-project-support.test.js && node tests/blob-storage.test.js",
+    "test": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/integration.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/parallel-validation.test.js && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/template-loader.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/deps-edge-cases.test.js && node tests/real-world-packages.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/real-purchase-flow.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/analyze-ci-integration.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/project-maturity-cli.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/gitleaks-real-binary-test.js && node tests/tier-enforcement.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/consumer-workflow-integration.test.js && node tests/esm-project-support.test.js && node tests/blob-storage.test.js && node tests/audit.test.js && node tests/audit-packaging.test.js && node tests/ship-check.test.js && node tests/pr-check.test.js && node tests/ci-doctor.test.js && node tests/history-scan.test.js && node tests/risk-policy-gate.test.js && node tests/license-revalidation.test.js",
+    "test:unit": "export QAA_DEVELOPER=true && node tests/result-types.test.js && node tests/setup.test.js && node tests/error-paths.test.js && node tests/error-messages.test.js && node tests/cache-manager.test.js && node tests/template-loader.test.js && node tests/telemetry.test.js && node tests/error-reporter.test.js && node tests/validation-factory.test.js && node tests/setup-error-coverage.test.js && node tests/licensing.test.js && node tests/security-licensing.test.js && node tests/base-validator.test.js && node tests/dependency-monitoring-basic.test.js && node tests/workflow-validation.test.js && node tests/workflow-tiers.test.js && node tests/analyze-ci.test.js && node tests/setup-critical-paths.test.js && node tests/project-maturity.test.js && node tests/package-manager-detection.test.js && node tests/check-docs.test.js && node tests/validate-command-patterns.test.js && node tests/gitleaks-binary-resolution.test.js && node tests/gitleaks-production-checksums.test.js && node tests/gitleaks-checksum-verification.test.js && node tests/lazy-loader.test.js && node tests/template-content-validation.test.js && node tests/ci-environment.test.js && node tests/turborepo-detection.test.js && node tests/esm-project-support.test.js && node tests/blob-storage.test.js && node tests/audit.test.js && node tests/audit-packaging.test.js && node tests/risk-policy-gate.test.js && node tests/license-revalidation.test.js",
     "test:fast": "npm run test:unit",
     "test:medium": "npm run test:fast && npm run test:patterns && npm run test:commands",
     "test:slow": "export QAA_DEVELOPER=true && node tests/python-integration.test.js && node tests/interactive.test.js && node tests/monorepo.test.js && node tests/critical-fixes.test.js && node tests/interactive-routing-fix.test.js && node tests/premium-dependency-monitoring.test.js && node tests/multi-language-dependency-monitoring.test.js && node tests/cli-deps-integration.test.js && node tests/real-world-packages.test.js && node tests/python-detection-sensitivity.test.js && node tests/python-parser-fixes.test.js && node tests/real-purchase-flow.test.js && node tests/project-maturity-cli.test.js && node tests/gitleaks-real-binary-test.js && npm run test:e2e",
@@ -81,7 +81,7 @@
     "security-audit"
   ],
   "author": "BuildProven",
-  "license": "SEE LICENSE IN LICENSE",
+  "license": "Apache-2.0",
   "files": [
     "setup.js",
     "config/",
@@ -91,6 +91,7 @@
     "marketing/",
     "templates/",
     "scripts/",
+    ".semgrep/",
     "LICENSE",
     ".github/",
     ".prettierrc",
@@ -124,7 +125,7 @@
     },
     "picomatch": "^2.3.2",
     "basic-ftp": "^5.3.0",
-    "tmp": "^0.2.5",
+    "tmp": "^0.2.7",
     "external-editor": "^3.1.0",
     "inquirer": "^13.4.1",
     "esbuild": "^0.25.0"

package/scripts/deploy-consumers.sh

@@ -15,10 +15,12 @@ set -euo pipefail
 #   3. If CI passes, deploy to remaining repos
 #   4. If CI fails, abort rollout (prevents cascading failures)
 #
-# Auto-discovers repos by scanning ~/Projects for .github/workflows/quality.yml
-# files that contain the WORKFLOW_MODE marker from qa-architect.
+# Auto-discovers repos by scanning ~/Projects, ~/Projects/internal, ~/Projects/products,
+# and ~/Projects/personal for .github/workflows/quality.yml files containing the
+# WORKFLOW_MODE marker from qa-architect.
 
-PROJECTS_DIR="$HOME/Projects"
+# Scan these directories for consumer repos (space-separated)
+PROJECTS_DIRS=("$HOME/Projects" "$HOME/Projects/internal" "$HOME/Projects/products" "$HOME/Projects/personal")
 QA_ARCHITECT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 CANARY_REPO="buildproven"
 PUSH=false
@@ -97,7 +99,9 @@ echo ""
 # Excludes qa-architect itself
 CONSUMERS=()
 CANARY_DIR=""
-for workflow in "$PROJECTS_DIR"/*/".github/workflows/quality.yml"; do
+for projects_dir in "${PROJECTS_DIRS[@]}"; do
+  [ -d "$projects_dir" ] || continue
+  for workflow in "$projects_dir"/*/".github/workflows/quality.yml"; do
   [ -f "$workflow" ] || continue
   repo_dir="$(dirname "$(dirname "$(dirname "$workflow")")")"
   repo_name="$(basename "$repo_dir")"
@@ -113,6 +117,7 @@ for workflow in "$PROJECTS_DIR"/*/".github/workflows/quality.yml"; do
       CONSUMERS+=("$repo_dir")
     fi
   fi
+  done
 done
 
 # Ensure canary was found
@@ -160,7 +165,7 @@ wait_for_ci() {
 
   # Extract owner/repo from URL (handles both HTTPS and SSH)
   local repo_slug
-  repo_slug=$(echo "$remote_url" | sed -E 's|^.*[:/]([^/]+/[^/]+)(\.git)?$|\1|')
+  repo_slug=$(echo "$remote_url" | sed -E 's|\.git$||' | sed -E 's|^.*[:/]([^/]+/[^/]+)$|\1|')
 
   # Get the current branch
   local branch