create-qa-architect 5.3.1 → 5.4.3

package/lib/commands/deps.js

@@ -86,25 +86,18 @@ async function handleDependencyMonitoring() {
   if (hasRuby) console.log('💎 Detected: Ruby project')
   console.log(`📋 License tier: ${license.tier.toUpperCase()}`)
 
-  // Enforce Free tier caps for dependency monitoring (counted as dependency PRs)
-  if (license.tier === 'FREE') {
-    const capCheck = checkUsageCaps('dependency-pr')
-    if (!capCheck.allowed) {
-      console.error(`❌ ${capCheck.reason}`)
-      console.error(
-        '   Upgrade to Pro, Team, or Enterprise for unlimited runs: https://vibebuildlab.com/qa-architect'
-      )
-      process.exit(1)
-    }
-
-    const increment = incrementUsage('dependency-pr')
-    const usage = increment.usage || capCheck.usage
-    const caps = capCheck.caps
-    if (usage && caps && caps.maxDependencyPRsPerMonth !== undefined) {
-      console.log(
-        `🧮 Usage: ${usage.dependencyPRs}/${caps.maxDependencyPRsPerMonth} dependency monitoring runs used this month`
-      )
-    }
+  // Use sentinel value instead of null for consistent access patterns
+  const capCheck =
+    license.tier === 'FREE'
+      ? checkUsageCaps('dependency-pr')
+      : { allowed: true, usage: {}, caps: {} }
+
+  if (!capCheck.allowed) {
+    console.error(`❌ ${capCheck.reason}`)
+    console.error(
+      '   Upgrade to Pro, Team, or Enterprise for unlimited runs: https://vibebuildlab.com/qa-architect'
+    )
+    process.exit(1)
   }
 
   const dependabotPath = path.join(projectPath, '.github', 'dependabot.yml')
@@ -207,6 +200,17 @@ async function handleDependencyMonitoring() {
     showUpgradeMessage('Framework-Aware Dependency Grouping')
   }
 
+  if (license.tier === 'FREE') {
+    const increment = incrementUsage('dependency-pr')
+    const usage = increment.usage || capCheck.usage
+    const caps = capCheck.caps
+    if (usage && caps && caps.maxDependencyPRsPerMonth !== undefined) {
+      console.log(
+        `🧮 Usage: ${usage.dependencyPRs}/${caps.maxDependencyPRsPerMonth} dependency monitoring runs used this month`
+      )
+    }
+  }
+
   // Auto-enable Dependabot on GitHub if token available
   console.log('\n🔧 Attempting to enable Dependabot on GitHub...')
   try {
@@ -225,9 +229,53 @@ async function handleDependencyMonitoring() {
       )
     }
   } catch (error) {
-    console.log('⚠️  Could not auto-enable Dependabot:', error.message)
-    console.log('\n💡 Manual steps:')
-    console.log('   • Enable Dependabot in GitHub repo settings')
+    const errorId = 'DEPENDABOT_AUTO_ENABLE_FAILED'
+
+    // Diagnose specific error types
+    let diagnosis = 'Unknown error'
+    let remedy = 'Check the error message for details'
+
+    if (
+      error.message.includes('401') ||
+      error.message.includes('authentication')
+    ) {
+      diagnosis = 'GitHub token is invalid or missing'
+      remedy = 'Set GITHUB_TOKEN environment variable with a valid token'
+    } else if (error.message.includes('404')) {
+      diagnosis = 'Repository not found or insufficient permissions'
+      remedy = 'Ensure token has repo:write access to this repository'
+    } else if (error.message.includes('rate limit')) {
+      diagnosis = 'GitHub API rate limit exceeded'
+      remedy = 'Wait 1 hour or use authenticated token for higher limits'
+    } else if (
+      error.code === 'ENOTFOUND' ||
+      error.message.includes('network')
+    ) {
+      diagnosis = 'Network connectivity issue'
+      remedy = 'Check internet connection and GitHub API status'
+    } else if (error.message.includes('timeout')) {
+      diagnosis = 'Request timed out'
+      remedy = 'Retry the operation or check network connectivity'
+    }
+
+    console.error(`\n❌ [${errorId}] Could not auto-enable Dependabot`)
+    console.error(`   Diagnosis: ${diagnosis}`)
+    console.error(`   Error: ${error.message}`)
+    console.error(`\n   🔧 Recommended fix: ${remedy}`)
+
+    if (process.env.DEBUG) {
+      console.error(`\n   Debug info:`)
+      console.error(`   • Error code: ${error.code || 'N/A'}`)
+      console.error(`   • Stack: ${error.stack}`)
+    }
+
+    console.log('\n💡 Alternative: Enable manually:')
+    console.log('   1. Go to GitHub repo → Settings → Code security')
+    console.log('   2. Enable "Dependabot alerts"')
+    console.log('   3. Enable "Dependabot security updates"')
+    console.log(
+      `\n   • Report issue: https://github.com/vibebuildlab/qa-architect/issues/new?title=${errorId}`
+    )
   }
 
   console.log('\n💡 Next steps:')

package/lib/commands/index.js

@@ -12,6 +12,7 @@ const {
   detectRustProject,
   detectRubyProject,
 } = require('./deps')
+const { handleAnalyzeCi } = require('./analyze-ci')
 
 module.exports = {
   // Validation commands
@@ -22,4 +23,7 @@ module.exports = {
   detectPythonProject,
   detectRustProject,
   detectRubyProject,
+
+  // CI/CD optimization commands
+  handleAnalyzeCi,
 }

package/lib/config-validator.js

@@ -11,6 +11,33 @@ const addFormats = /** @type {(ajv: any) => void} */ (
   addFormatsImport.default || addFormatsImport
 )
 
+/**
+ * Format a single AJV validation error into a human-readable message
+ */
+function formatValidationError(error) {
+  const errorPath = error.instancePath || '(root)'
+  const message = error.message || 'validation failed'
+
+  const errorFormatters = {
+    required: () =>
+      `Missing required field: ${error.params?.missingProperty || 'unknown'}`,
+    enum: () =>
+      `Invalid value at ${errorPath}: must be one of ${error.params?.allowedValues?.join(', ') || 'unknown values'}`,
+    type: () =>
+      `Invalid type at ${errorPath}: expected ${error.params?.type || 'unknown'}`,
+    pattern: () => `Invalid format at ${errorPath}: ${message}`,
+    minimum: () =>
+      `Invalid value at ${errorPath}: must be >= ${error.params?.limit ?? 'unknown'}`,
+    additionalProperties: () =>
+      `Unknown property at ${errorPath}: ${error.params?.additionalProperty || 'unknown'}`,
+  }
+
+  const formatter = errorFormatters[error.keyword]
+  return formatter
+    ? formatter()
+    : `Validation error at ${errorPath}: ${message}`
+}
+
 function validateQualityConfig(configPath) {
   const result = {
     valid: false,
@@ -61,51 +88,7 @@ function validateQualityConfig(configPath) {
 
   if (!valid) {
     if (validate.errors) {
-      validate.errors.forEach(error => {
-        const errorPath = error.instancePath || '(root)'
-        const message = error.message || 'validation failed'
-
-        if (error.keyword === 'required') {
-          result.errors.push(
-            'Missing required field: ' +
-              (error.params?.missingProperty || 'unknown')
-          )
-        } else if (error.keyword === 'enum') {
-          result.errors.push(
-            'Invalid value at ' +
-              errorPath +
-              ': must be one of ' +
-              (error.params?.allowedValues?.join(', ') || 'unknown values')
-          )
-        } else if (error.keyword === 'type') {
-          result.errors.push(
-            'Invalid type at ' +
-              errorPath +
-              ': expected ' +
-              (error.params?.type || 'unknown')
-          )
-        } else if (error.keyword === 'pattern') {
-          result.errors.push('Invalid format at ' + errorPath + ': ' + message)
-        } else if (error.keyword === 'minimum') {
-          result.errors.push(
-            'Invalid value at ' +
-              errorPath +
-              ': must be >= ' +
-              (error.params?.limit ?? 'unknown')
-          )
-        } else if (error.keyword === 'additionalProperties') {
-          result.errors.push(
-            'Unknown property at ' +
-              errorPath +
-              ': ' +
-              (error.params?.additionalProperty || 'unknown')
-          )
-        } else {
-          result.errors.push(
-            'Validation error at ' + errorPath + ': ' + message
-          )
-        }
-      })
+      result.errors = validate.errors.map(formatValidationError)
     }
   } else {
     result.valid = true

package/lib/error-reporter.js

@@ -190,7 +190,7 @@ function loadErrorReports() {
       const data = fs.readFileSync(ERROR_REPORTS_FILE, 'utf8')
       return JSON.parse(data)
     }
-  } catch {
+  } catch (_error) {
     // If corrupted, start fresh
     console.warn('⚠️  Error reports data corrupted, starting fresh')
   }

package/lib/github-api.js

@@ -127,9 +127,30 @@ function getRepoInfo(projectPath = '.') {
   }
 }
 
+/**
+ * Sanitize error messages to remove sensitive tokens
+ * DR29 fix: Prevent token exposure in error messages
+ */
+function sanitizeError(error, token) {
+  if (!error || !token) return error
+
+  const message = error.message || String(error)
+  // Use string replace with global flag instead of RegExp to avoid security warning
+  const sanitized = message.split(token).join('***REDACTED***')
+
+  if (error instanceof Error) {
+    const sanitizedError = new Error(sanitized)
+    sanitizedError.stack = error.stack?.split(token).join('***REDACTED***')
+    return sanitizedError
+  }
+
+  return new Error(sanitized)
+}
+
 /**
  * Make GitHub API request with rate limiting
  * TD5 fix: Added rate limiting to prevent hitting GitHub's API limits
+ * DR29 fix: Sanitize errors to prevent token exposure
  */
 async function githubRequest(method, path, token, data = null) {
   // TD5 fix: Acquire rate limit token before making request
@@ -163,9 +184,13 @@ async function githubRequest(method, path, token, data = null) {
             const data = body ? JSON.parse(body) : null
             resolve({ status: res.statusCode, data })
           } catch (_error) {
+            // DR29 fix: Sanitize error before rejecting
             reject(
-              new Error(
-                `GitHub API returned invalid JSON (status ${res.statusCode}): ${body.slice(0, 100)}`
+              sanitizeError(
+                new Error(
+                  `GitHub API returned invalid JSON (status ${res.statusCode}): ${body.slice(0, 100)}`
+                ),
+                token
               )
             )
           }
@@ -181,14 +206,19 @@ async function githubRequest(method, path, token, data = null) {
             // Use raw body if JSON parse fails
           }
 
+          // DR29 fix: Sanitize error before rejecting
           reject(
-            new Error(`GitHub API error: ${res.statusCode} - ${errorBody}`)
+            sanitizeError(
+              new Error(`GitHub API error: ${res.statusCode} - ${errorBody}`),
+              token
+            )
           )
         }
       })
     })
 
-    req.on('error', reject)
+    // DR29 fix: Sanitize network errors
+    req.on('error', error => reject(sanitizeError(error, token)))
 
     if (data) {
       req.write(JSON.stringify(data))

package/lib/license-signing.js

@@ -30,9 +30,24 @@ function stableStringify(value, seen = new WeakSet()) {
   return `{${entries.join(',')}}`
 }
 
+/**
+ * Normalize and validate email format
+ * DR21 fix: Added email format validation before hashing
+ * @param {string} email - Email address to normalize
+ * @returns {string|null} - Normalized email or null if invalid
+ */
 function normalizeEmail(email) {
   if (!email || typeof email !== 'string') return null
   const normalized = email.trim().toLowerCase()
+
+  // Basic email format validation (RFC 5322 simplified)
+  // Must have: local@domain.tld format
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+
+  if (!emailRegex.test(normalized)) {
+    return null
+  }
+
   return normalized.length > 0 ? normalized : null
 }
 

package/lib/licensing.js

@@ -122,6 +122,8 @@ const FEATURES = deepFreeze({
     linkValidation: true, // ✅ Broken link detection
     docsValidation: true, // ✅ Documentation completeness
     envValidation: false, // ❌ PRO feature - env vars audit
+    // CI/CD optimization
+    ciCostAnalysis: false, // ❌ PRO feature - GitHub Actions cost analysis
     roadmap: [
       '✅ ESLint, Prettier, Stylelint configuration',
       '✅ Basic Husky pre-commit hooks',
@@ -165,6 +167,8 @@ const FEATURES = deepFreeze({
     linkValidation: true, // ✅ Broken link detection
     docsValidation: true, // ✅ Documentation completeness
     envValidation: true, // ✅ Env vars audit
+    // CI/CD optimization
+    ciCostAnalysis: true, // ✅ GitHub Actions cost analysis
     roadmap: [
       '✅ Unlimited repos and runs',
       '✅ Smart Test Strategy (70% faster pre-push validation)',
@@ -218,6 +222,8 @@ const FEATURES = deepFreeze({
     linkValidation: true,
     docsValidation: true,
     envValidation: true,
+    // CI/CD optimization - inherited from PRO
+    ciCostAnalysis: true,
     roadmap: [
       '✅ All PRO features included',
       '✅ Per-seat licensing (5-seat minimum)',
@@ -267,6 +273,8 @@ const FEATURES = deepFreeze({
     linkValidation: true,
     docsValidation: true,
     envValidation: true,
+    // CI/CD optimization - inherited from TEAM
+    ciCostAnalysis: true,
     // Enterprise-specific
     ssoIntegration: true, // SSO/SAML
     scimReady: true,
@@ -556,6 +564,17 @@ function saveLicense(tier, key, email, expires = null) {
       }
     }
 
+    // DR21 fix: Validate email format before hashing
+    if (email) {
+      const normalizedEmail = require('./license-signing').normalizeEmail(email)
+      if (!normalizedEmail) {
+        return {
+          success: false,
+          error: `Invalid email format: "${email}". Must be valid email address (e.g., user@example.com)`,
+        }
+      }
+    }
+
     const licenseDir = getLicenseDir()
     const licenseFile = getLicenseFile()
     const normalizedKey = normalizeLicenseKey(key)
@@ -565,7 +584,7 @@ function saveLicense(tier, key, email, expires = null) {
     )
 
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
     }
 
     if (!privateKey) {
@@ -595,7 +614,9 @@ function saveLicense(tier, key, email, expires = null) {
       signature,
     }
 
-    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2))
+    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2), {
+      mode: 0o600,
+    })
     return { success: true }
   } catch (error) {
     return { success: false, error: error.message }
@@ -621,7 +642,7 @@ function saveLicenseWithSignature(tier, key, email, validation) {
     const normalizedKey = normalizeLicenseKey(key)
 
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
     }
 
     const licenseData = {
@@ -638,7 +659,9 @@ function saveLicenseWithSignature(tier, key, email, validation) {
       issued: validation.issued,
     }
 
-    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2))
+    fs.writeFileSync(licenseFile, JSON.stringify(licenseData, null, 2), {
+      mode: 0o600,
+    })
     return { success: true }
   } catch (error) {
     return { success: false, error: error.message }
@@ -694,6 +717,18 @@ async function addLegitimateKey(
   purchaseEmail = null
 ) {
   try {
+    // DR21 fix: Validate email format before hashing
+    if (purchaseEmail) {
+      const normalizedEmail =
+        require('./license-signing').normalizeEmail(purchaseEmail)
+      if (!normalizedEmail) {
+        return {
+          success: false,
+          error: `Invalid email format: "${purchaseEmail}". Must be valid email address (e.g., user@example.com)`,
+        }
+      }
+    }
+
     const normalizedKey = normalizeLicenseKey(licenseKey)
     // Use the same license directory as the CLI
     const licenseDir =
@@ -716,19 +751,29 @@ async function addLegitimateKey(
       try {
         database = JSON.parse(fs.readFileSync(legitimateDBFile, 'utf8'))
       } catch (parseError) {
-        // Silent failure fix: Backup corrupt file before overwriting
+        // DR8 fix: Return error instead of continuing with corrupted database
         const backupPath = `${legitimateDBFile}.corrupted.${Date.now()}`
+        let backupSucceeded = false
+
         try {
           fs.copyFileSync(legitimateDBFile, backupPath)
+          backupSucceeded = true
           console.error(
-            `Warning: Could not parse existing database. Backed up to ${backupPath}`
+            `⚠️  Database corruption detected. Backed up to ${backupPath}`
           )
-        } catch {
+        } catch (backupError) {
           console.error(
-            'Warning: Could not parse or backup existing database, creating new one'
+            `❌ CRITICAL: Could not backup corrupted database: ${backupError.message}`
           )
         }
-        console.error(`Parse error: ${parseError.message}`)
+
+        // Always return error on corruption - forces investigation
+        return {
+          success: false,
+          error: backupSucceeded
+            ? `License database corrupted (backup saved to ${backupPath}). Manual review required before adding keys.`
+            : `License database corrupted AND backup failed. Cannot proceed without data loss risk. Parse error: ${parseError.message}`,
+        }
       }
     }
 
@@ -940,30 +985,51 @@ function loadUsage() {
     // DR8 fix: Prevent quota bypass through file corruption
     if (error instanceof SyntaxError) {
       const usageFile = getUsageFile()
-      console.warn('⚠️  Usage tracking file corrupted')
-      console.warn('   Creating backup and resetting to current month start')
+      console.error(`\n❌ CRITICAL: Usage tracking file is corrupted`)
+      console.error(`   File: ${usageFile}`)
+      console.error(`   Parse error: ${error.message}\n`)
 
       // Backup corrupted file for forensics
       const backupPath = `${usageFile}.corrupted.${Date.now()}`
       try {
         fs.copyFileSync(usageFile, backupPath)
-        console.warn(`   Backup saved: ${backupPath}`)
+        console.log(`   ✅ Backup saved: ${backupPath}`)
       } catch (_backupError) {
-        // Ignore backup failures
+        console.error(`   ❌ Could not create backup`)
       }
 
-      // DR8 fix: For FREE tier, reset to max usage to prevent quota bypass
       const license = getLicenseInfo()
+
       if (license.tier === LICENSE_TIERS.FREE) {
-        console.warn(
-          '   ⚠️  FREE tier: Starting with maximum usage for security'
+        console.error(`\n⚠️  FREE TIER CORRUPTION POLICY:`)
+        console.error(
+          `   To prevent quota bypass, your usage has been reset to maximum.`
+        )
+        console.error(`   This is a security measure, not a penalty.\n`)
+        console.error(`   To restore your usage:`)
+        console.error(`   1. Review the backup file: ${backupPath}`)
+        console.error(`   2. If data looks correct, manually fix JSON syntax`)
+        console.error(`   3. Copy corrected JSON back to: ${usageFile}`)
+        console.error(
+          `   4. Or delete ${usageFile} to start fresh this month\n`
         )
+        console.error(`   If this keeps happening, please report the issue.`)
+
+        // Provide clear recovery path
+        console.error(`\n🔧 Quick fix: rm ${usageFile}`)
+        console.error(
+          `   This will reset your usage to 0 for the current month.\n`
+        )
+
         const caps = FEATURES[LICENSE_TIERS.FREE]
         return {
           month: getCurrentMonth(),
           prePushRuns: caps.maxPrePushRunsPerMonth,
           dependencyPRs: caps.maxDependencyPRsPerMonth,
-          repos: [],
+          repos: Array.from(
+            { length: caps.maxPrivateRepos },
+            (_item, index) => `corrupted-${index + 1}`
+          ),
         }
       }
     } else if (process.env.DEBUG && error?.code !== 'ENOENT') {
@@ -996,14 +1062,42 @@ function saveUsage(usage) {
   try {
     const licenseDir = getLicenseDir()
     if (!fs.existsSync(licenseDir)) {
-      fs.mkdirSync(licenseDir, { recursive: true })
+      fs.mkdirSync(licenseDir, { recursive: true, mode: 0o700 })
     }
-    fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2))
+    fs.writeFileSync(getUsageFile(), JSON.stringify(usage, null, 2), {
+      mode: 0o600,
+    })
     return true
   } catch (error) {
-    // TD12 fix: Log errors saving usage data instead of silently failing
-    console.warn(`⚠️  Failed to save usage data: ${error.message}`)
-    return false
+    const license = getLicenseInfo()
+    const usageFile = getUsageFile()
+
+    // For FREE tier, this is critical - can't track quota
+    if (license.tier === LICENSE_TIERS.FREE) {
+      console.error(`\n❌ CRITICAL: Cannot save usage tracking data`)
+      console.error(`   File: ${usageFile}`)
+      console.error(`   Error: ${error.message} (${error.code})`)
+      console.error(`\n   FREE tier quota enforcement requires usage tracking.`)
+      console.error(`   Please fix this filesystem issue:\n`)
+
+      if (error.code === 'ENOSPC') {
+        console.error(`   • Disk full - free up space`)
+      } else if (error.code === 'EACCES') {
+        console.error(`   • Permission denied - check directory permissions`)
+        console.error(`   • Try: chmod 700 ${getLicenseDir()}`)
+      } else if (error.code === 'EROFS') {
+        console.error(`   • Filesystem is readonly - remount as read-write`)
+      } else {
+        console.error(`   • Unexpected error - please report this issue`)
+      }
+
+      throw error // Don't allow FREE tier to continue without tracking
+    } else {
+      // Pro/Team/Enterprise - warn but don't fail
+      console.warn(`⚠️  Failed to save usage data: ${error.message}`)
+      console.warn(`   This won't affect Pro/Team/Enterprise functionality`)
+      return false
+    }
   }
 }
 

package/lib/package-utils.js

@@ -136,7 +136,7 @@ function detectPackageManager(projectPath = process.cwd()) {
           return pmName
         }
       }
-    } catch {
+    } catch (_error) {
       // Ignore parse errors
     }
   }
@@ -204,7 +204,7 @@ function detectMonorepoType(projectPath = process.cwd()) {
     try {
       const nxJson = JSON.parse(fs.readFileSync(nxJsonPath, 'utf8'))
       result.config = nxJson
-    } catch {
+    } catch (_error) {
       // Ignore parse errors
     }
   }
@@ -218,7 +218,7 @@ function detectMonorepoType(projectPath = process.cwd()) {
     try {
       const turboJson = JSON.parse(fs.readFileSync(turboJsonPath, 'utf8'))
       result.config = turboJson
-    } catch {
+    } catch (_error) {
       // Ignore parse errors
     }
   }
@@ -240,7 +240,7 @@ function detectMonorepoType(projectPath = process.cwd()) {
     try {
       const lernaJson = JSON.parse(fs.readFileSync(lernaJsonPath, 'utf8'))
       result.packages = lernaJson.packages || ['packages/*']
-    } catch {
+    } catch (_error) {
       result.packages = ['packages/*']
     }
   }
@@ -280,7 +280,7 @@ function detectMonorepoType(projectPath = process.cwd()) {
       if (packages.length > 0) {
         result.packages = packages
       }
-    } catch {
+    } catch (_error) {
       // Ignore parse errors
     }
   }
@@ -303,7 +303,7 @@ function detectMonorepoType(projectPath = process.cwd()) {
             result.packageManager === 'yarn' ? 'yarn' : result.packageManager
         }
       }
-    } catch {
+    } catch (_error) {
       // Ignore parse errors
     }
   }
@@ -351,7 +351,7 @@ function resolveWorkspacePackages(projectPath, patterns) {
                     path: pkgPath,
                     relativePath: path.relative(projectPath, pkgPath),
                   })
-                } catch {
+                } catch (_error) {
                   packages.push({
                     name: entry.name,
                     path: pkgPath,
@@ -361,7 +361,7 @@ function resolveWorkspacePackages(projectPath, patterns) {
               }
             }
           }
-        } catch {
+        } catch (_error) {
           // Ignore read errors
         }
       }
@@ -377,7 +377,7 @@ function resolveWorkspacePackages(projectPath, patterns) {
             path: pkgPath,
             relativePath: pattern,
           })
-        } catch {
+        } catch (_error) {
           packages.push({
             name: path.basename(pkgPath),
             path: pkgPath,