create-qa-architect 5.3.1 → 5.4.3

package/setup.js

@@ -65,6 +65,7 @@
 
 const fs = require('fs')
 const path = require('path')
+const crypto = require('crypto')
 const { execSync } = require('child_process')
 const {
   mergeScripts,
@@ -189,6 +190,31 @@ const STYLELINT_EXTENSION_GLOB = `*.{${STYLELINT_EXTENSIONS.join(',')}}`
 const STYLELINT_SCAN_EXCLUDES = new Set(EXCLUDE_DIRECTORIES.STYLELINT)
 const MAX_STYLELINT_SCAN_DEPTH = SCAN_LIMITS.STYLELINT_MAX_DEPTH
 
+function normalizeRepoIdentifier(remoteUrl) {
+  if (!remoteUrl || typeof remoteUrl !== 'string') return null
+
+  const scpMatch = remoteUrl.match(/^[^@]+@([^:]+):(.+?)(\.git)?$/)
+  if (scpMatch) {
+    const host = scpMatch[1]
+    const repoPath = scpMatch[2].replace(/^\/+/, '').replace(/\.git$/, '')
+    return `${host}/${repoPath}`
+  }
+
+  try {
+    const parsed = new URL(remoteUrl)
+    const host = parsed.hostname
+    const repoPath = parsed.pathname.replace(/^\/+/, '').replace(/\.git$/, '')
+    if (!host || !repoPath) return null
+    return `${host}/${repoPath}`
+  } catch (_error) {
+    return null
+  }
+}
+
+function hashRepoIdentifier(value) {
+  return crypto.createHash('sha256').update(value).digest('hex')
+}
+
 function injectCollaborationSteps(workflowContent, options = {}) {
   const { enableSlackAlerts = false, enablePrComments = false } = options
   let updated = workflowContent
@@ -228,11 +254,43 @@ const safeReadDir = dir => {
   try {
     return fs.readdirSync(dir, { withFileTypes: true })
   } catch (error) {
-    // Silent failure fix: Log non-ENOENT errors in DEBUG mode
-    // ENOENT is expected (dir doesn't exist), other errors may indicate issues
-    if (process.env.DEBUG && error?.code !== 'ENOENT') {
-      console.warn(`⚠️  Could not read directory ${dir}: ${error.message}`)
+    // ENOENT is expected (dir doesn't exist) - return empty silently
+    if (error?.code === 'ENOENT') {
+      if (process.env.DEBUG) {
+        console.warn(
+          `   Debug: safeReadDir(${dir}) returned empty (directory not found)`
+        )
+      }
+      return []
+    }
+
+    // All other errors are unexpected and should be logged with context
+    console.error(`❌ Failed to read directory: ${dir}`)
+    console.error(`   Error: ${error.message} (${error.code || 'unknown'})`)
+    console.error(`   This may indicate a permission or filesystem issue`)
+
+    // Report to error tracking in production
+    if (process.env.NODE_ENV === 'production') {
+      try {
+        const errorReporter = new ErrorReporter()
+        errorReporter.captureException(error, {
+          context: 'safeReadDir',
+          directory: dir,
+          errorCode: error.code,
+        })
+      } catch (_error) {
+        // Don't fail if error reporting fails
+      }
+    }
+
+    // Re-throw for critical errors instead of silently returning []
+    if (['EACCES', 'EIO', 'ELOOP', 'EMFILE'].includes(error.code)) {
+      throw new Error(
+        `Cannot read directory ${dir}: ${error.message}. ` +
+          `This may indicate a serious filesystem or permission issue.`
+      )
     }
+
     return []
   }
 }
@@ -413,8 +471,14 @@ function parseArguments(rawArgs) {
   const isCheckMaturityMode = sanitizedArgs.includes('--check-maturity')
   const isValidateConfigMode = sanitizedArgs.includes('--validate-config')
   const isActivateLicenseMode = sanitizedArgs.includes('--activate-license')
+  const isAnalyzeCiMode = sanitizedArgs.includes('--analyze-ci')
   const isPrelaunchMode = sanitizedArgs.includes('--prelaunch')
   const isDryRun = sanitizedArgs.includes('--dry-run')
+  const isWorkflowMinimal = sanitizedArgs.includes('--workflow-minimal')
+  const isWorkflowStandard = sanitizedArgs.includes('--workflow-standard')
+  const isWorkflowComprehensive = sanitizedArgs.includes(
+    '--workflow-comprehensive'
+  )
   const ciProviderIndex = sanitizedArgs.findIndex(arg => arg === '--ci')
   const ciProvider =
     ciProviderIndex !== -1 && sanitizedArgs[ciProviderIndex + 1]
@@ -426,11 +490,39 @@ function parseArguments(rawArgs) {
   // Custom template directory - use raw args to preserve valid path characters (&, <, >, etc.)
   // Normalize path to prevent traversal attacks and make absolute
   const templateFlagIndex = sanitizedArgs.findIndex(arg => arg === '--template')
-  const customTemplatePath =
+  let customTemplatePath =
     templateFlagIndex !== -1 && rawArgs[templateFlagIndex + 1]
       ? path.resolve(rawArgs[templateFlagIndex + 1])
       : null
 
+  // Validate custom template path early to prevent path traversal attacks
+  if (customTemplatePath) {
+    const inputPath = rawArgs[templateFlagIndex + 1]
+    // Check for suspicious patterns (path traversal attempts)
+    if (inputPath.includes('..') || inputPath.includes('~')) {
+      console.error(
+        `❌ Invalid template path: "${inputPath}". Path traversal patterns not allowed.`
+      )
+      console.error('   Use absolute paths only (e.g., /Users/you/templates)')
+      process.exit(1)
+    }
+
+    // Verify the resolved path exists and is a directory
+    try {
+      const stats = fs.statSync(customTemplatePath)
+      if (!stats.isDirectory()) {
+        console.error(
+          `❌ Template path is not a directory: ${customTemplatePath}`
+        )
+        process.exit(1)
+      }
+    } catch (error) {
+      console.error(`❌ Template path does not exist: ${customTemplatePath}`)
+      console.error(`   Error: ${error.message}`)
+      process.exit(1)
+    }
+  }
+
   // Granular tool disable options
   const disableNpmAudit = sanitizedArgs.includes('--no-npm-audit')
   const disableGitleaks = sanitizedArgs.includes('--no-gitleaks')
@@ -454,6 +546,7 @@ function parseArguments(rawArgs) {
     isCheckMaturityMode,
     isValidateConfigMode,
     isActivateLicenseMode,
+    isAnalyzeCiMode,
     isPrelaunchMode,
     isDryRun,
     ciProvider,
@@ -466,6 +559,9 @@ function parseArguments(rawArgs) {
     disableMarkdownlint,
     disableEslintSecurity,
     allowLatestGitleaks,
+    isWorkflowMinimal,
+    isWorkflowStandard,
+    isWorkflowComprehensive,
   }
 }
 
@@ -494,6 +590,7 @@ function parseArguments(rawArgs) {
     isValidateConfigMode,
     isActivateLicenseMode,
     isPrelaunchMode,
+    isAnalyzeCiMode,
     isDryRun,
     ciProvider,
     enableSlackAlerts,
@@ -505,6 +602,9 @@ function parseArguments(rawArgs) {
     disableMarkdownlint,
     disableEslintSecurity,
     allowLatestGitleaks,
+    isWorkflowMinimal,
+    isWorkflowStandard,
+    isWorkflowComprehensive,
   } = parsedConfig
 
   // Initialize telemetry session (opt-in only, fails silently)
@@ -567,6 +667,8 @@ function parseArguments(rawArgs) {
       isCheckMaturityMode,
       isValidateConfigMode,
       isActivateLicenseMode,
+      isPrelaunchMode,
+      isAnalyzeCiMode,
       isDryRun,
       ciProvider,
       enableSlackAlerts,
@@ -578,6 +680,9 @@ function parseArguments(rawArgs) {
       disableMarkdownlint,
       disableEslintSecurity,
       allowLatestGitleaks,
+      isWorkflowMinimal,
+      isWorkflowStandard,
+      isWorkflowComprehensive,
     } = parsedConfig)
 
     console.log('📋 Configuration after interactive selections applied\n')
@@ -612,6 +717,15 @@ SETUP OPTIONS:
   --template <path> Use custom templates from specified directory
   --dry-run         Preview changes without modifying files
 
+WORKFLOW TIERS (GitHub Actions optimization):
+  --workflow-minimal        Minimal CI (default) - Single Node version, weekly security
+                            ~5-10 min/commit, ~$0-5/mo for typical projects
+  --workflow-standard       Standard CI - Matrix testing on main, weekly security
+                            ~15-20 min/commit, ~$5-20/mo for typical projects
+  --workflow-comprehensive  Comprehensive CI - Matrix on every push, security inline
+                            ~50-100 min/commit, ~$100-350/mo for typical projects
+  --analyze-ci             Analyze GitHub Actions usage and get optimization tips (Pro)
+
 VALIDATION OPTIONS:
   --validate        Run comprehensive validation (same as --comprehensive)
   --comprehensive   Run all validation checks
@@ -679,6 +793,18 @@ EXAMPLES:
   npx create-qa-architect@latest --dry-run
     → Preview what files and configurations would be created/modified
 
+  npx create-qa-architect@latest --workflow-minimal
+    → Set up with minimal CI (default) - fastest, cheapest, ideal for solo devs
+
+  npx create-qa-architect@latest --workflow-standard
+    → Set up with standard CI - balanced quality/cost for small teams
+
+  npx create-qa-architect@latest --update --workflow-minimal
+    → Convert existing comprehensive workflow to minimal (reduce CI costs)
+
+  npx create-qa-architect@latest --analyze-ci
+    → Analyze your GitHub Actions usage and get cost optimization recommendations (Pro)
+
 PRIVACY & TELEMETRY:
   Telemetry and error reporting are OPT-IN only (disabled by default). To enable:
     export QAA_TELEMETRY=true           # Usage tracking (local only)
@@ -786,6 +912,20 @@ HELP:
     process.exit(0)
   }
 
+  // Handle CI cost analysis command
+  if (isAnalyzeCiMode) {
+    return (async () => {
+      try {
+        const { handleAnalyzeCi } = require('./lib/commands/analyze-ci')
+        await handleAnalyzeCi()
+        process.exit(0)
+      } catch (error) {
+        console.error('CI cost analysis error:', error.message)
+        process.exit(1)
+      }
+    })()
+  }
+
   // Handle validate config command
   if (isValidateConfigMode) {
     const { validateAndReport } = require('./lib/config-validator')
@@ -939,47 +1079,84 @@ HELP:
 
         // 1. Lighthouse CI - available to all, thresholds for Pro+
         if (hasLighthouse) {
-          const lighthousePath = path.join(projectPath, 'lighthouserc.js')
-          if (!fs.existsSync(lighthousePath)) {
-            writeLighthouseConfig(projectPath, {
-              hasThresholds: hasLighthouseThresholds,
-            })
-            addedTools.push(
-              hasLighthouseThresholds
-                ? 'Lighthouse CI (with thresholds)'
-                : 'Lighthouse CI (basic)'
-            )
+          try {
+            const lighthousePath = path.join(projectPath, 'lighthouserc.js')
+            if (!fs.existsSync(lighthousePath)) {
+              writeLighthouseConfig(projectPath, {
+                hasThresholds: hasLighthouseThresholds,
+              })
+              addedTools.push(
+                hasLighthouseThresholds
+                  ? 'Lighthouse CI (with thresholds)'
+                  : 'Lighthouse CI (basic)'
+              )
+            }
+          } catch (error) {
+            console.warn('⚠️ Failed to configure Lighthouse CI:', error.message)
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
           }
         }
 
         // 2. Bundle size limits - Pro only
         if (hasBundleSizeLimits) {
-          if (!pkgJson.content['size-limit']) {
-            writeSizeLimitConfig(projectPath)
-            addedTools.push('Bundle size limits (size-limit)')
+          try {
+            if (!pkgJson.content['size-limit']) {
+              writeSizeLimitConfig(projectPath)
+              addedTools.push('Bundle size limits (size-limit)')
+            }
+          } catch (error) {
+            console.warn(
+              '⚠️ Failed to configure bundle size limits:',
+              error.message
+            )
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
           }
         }
 
         // 3. axe-core accessibility testing - available to all
         if (hasAxeAccessibility) {
-          const axeTestPath = path.join(
-            projectPath,
-            'tests',
-            'accessibility.test.js'
-          )
-          if (!fs.existsSync(axeTestPath)) {
-            writeAxeTestSetup(projectPath)
-            addedTools.push('axe-core accessibility tests')
+          try {
+            const axeTestPath = path.join(
+              projectPath,
+              'tests',
+              'accessibility.test.js'
+            )
+            if (!fs.existsSync(axeTestPath)) {
+              writeAxeTestSetup(projectPath)
+              addedTools.push('axe-core accessibility tests')
+            }
+          } catch (error) {
+            console.warn(
+              '⚠️ Failed to configure axe-core tests:',
+              error.message
+            )
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
           }
         }
 
         // 4. Conventional commits (commitlint) - available to all
         if (hasConventionalCommits) {
-          const commitlintPath = path.join(projectPath, 'commitlint.config.js')
-          if (!fs.existsSync(commitlintPath)) {
-            writeCommitlintConfig(projectPath)
-            writeCommitMsgHook(projectPath)
-            addedTools.push('Conventional commits (commitlint)')
+          try {
+            const commitlintPath = path.join(
+              projectPath,
+              'commitlint.config.js'
+            )
+            if (!fs.existsSync(commitlintPath)) {
+              writeCommitlintConfig(projectPath)
+              writeCommitMsgHook(projectPath)
+              addedTools.push('Conventional commits (commitlint)')
+            }
+          } catch (error) {
+            console.warn('⚠️ Failed to configure commitlint:', error.message)
+            if (process.env.DEBUG) {
+              console.error('   Stack:', error.stack)
+            }
           }
         }
 
@@ -1035,9 +1212,212 @@ HELP:
           qualitySpinner.succeed('Quality tools already configured')
         }
       } catch (error) {
-        qualitySpinner.warn('Could not set up some quality tools')
-        console.warn('⚠️ Quality tools setup error:', error.message)
+        qualitySpinner.fail('Quality tools setup failed')
+        console.error(
+          `❌ Unexpected error during quality tools setup: ${error.message}`
+        )
+        if (process.env.DEBUG) {
+          console.error('   Stack:', error.stack)
+        }
+        console.error(
+          '   Please report this issue at https://github.com/your-repo/issues'
+        )
+        throw error // Re-throw to prevent silent continuation
+      }
+    }
+
+    /**
+     * Detect existing workflow mode from quality.yml
+     * @param {string} projectPath - Path to the project
+     * @returns {'minimal'|'standard'|'comprehensive'|null} Detected mode
+     */
+    function detectExistingWorkflowMode(projectPath) {
+      const workflowPath = path.join(
+        projectPath,
+        '.github',
+        'workflows',
+        'quality.yml'
+      )
+
+      if (!fs.existsSync(workflowPath)) {
+        return null
+      }
+
+      try {
+        const content = fs.readFileSync(workflowPath, 'utf8')
+
+        // Check for version markers (new format)
+        if (content.includes('# WORKFLOW_MODE: minimal')) {
+          return 'minimal'
+        }
+        if (content.includes('# WORKFLOW_MODE: standard')) {
+          return 'standard'
+        }
+        if (content.includes('# WORKFLOW_MODE: comprehensive')) {
+          return 'comprehensive'
+        }
+
+        // Legacy detection (no version marker)
+        // Comprehensive: has security job + matrix testing on every push
+        // Standard: has matrix testing but security is scheduled
+        // Minimal: no matrix, single node version
+        const hasSecurityJob = /jobs:\s*\n\s*security:/m.test(content)
+        const hasMatrixInTests = /tests:[\s\S]*?strategy:[\s\S]*?matrix:/m.test(
+          content
+        )
+        const hasScheduledSecurity =
+          /on:\s*\n\s*schedule:[\s\S]*?- cron:/m.test(content)
+
+        if (hasSecurityJob && hasMatrixInTests && !hasScheduledSecurity) {
+          return 'comprehensive'
+        }
+        if (hasMatrixInTests && hasScheduledSecurity) {
+          return 'standard'
+        }
+        if (!hasMatrixInTests) {
+          return 'minimal'
+        }
+
+        // Default to comprehensive for unknown patterns
+        return 'comprehensive'
+      } catch (error) {
+        console.warn(
+          `⚠️  Could not detect existing workflow mode: ${error.message}`
+        )
+        return null
+      }
+    }
+
+    /**
+     * Inject workflow mode-specific configuration into quality.yml
+     * @param {string} workflowContent - Template content
+     * @param {'minimal'|'standard'|'comprehensive'} mode - Selected mode
+     * @returns {string} Modified workflow content
+     */
+    function injectWorkflowMode(workflowContent, mode) {
+      let updated = workflowContent
+
+      // Add version marker at the top (after name section)
+      const versionMarker = `# WORKFLOW_MODE: ${mode}`
+      if (!updated.includes('# WORKFLOW_MODE:')) {
+        // Insert after the comment block and before jobs
+        updated = updated.replace(/(\n\njobs:)/, `\n${versionMarker}\n$1`)
+      }
+
+      // Replace PATH_FILTERS_PLACEHOLDER
+      if (updated.includes('# PATH_FILTERS_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          const pathsIgnore = `paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'LICENSE'
+      - '.gitignore'
+      - '.editorconfig'`
+          updated = updated.replace('# PATH_FILTERS_PLACEHOLDER', pathsIgnore)
+        } else {
+          // comprehensive: Remove placeholder
+          updated = updated.replace(/\s*# PATH_FILTERS_PLACEHOLDER\n?/, '')
+        }
+      }
+
+      // Replace SECURITY_SCHEDULE_PLACEHOLDER
+      if (updated.includes('# SECURITY_SCHEDULE_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          // Add weekly schedule for security scans
+          const scheduleConfig = `schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sunday (security scans)
+  workflow_dispatch:       # Manual trigger`
+          updated = updated.replace(
+            '# SECURITY_SCHEDULE_PLACEHOLDER',
+            scheduleConfig
+          )
+        } else {
+          // comprehensive: Remove placeholder
+          updated = updated.replace(/\s*# SECURITY_SCHEDULE_PLACEHOLDER\n?/, '')
+        }
+      }
+
+      // Replace SECURITY_CONDITION_PLACEHOLDER
+      if (updated.includes('# SECURITY_CONDITION_PLACEHOLDER')) {
+        if (mode === 'minimal' || mode === 'standard') {
+          // Only run security on schedule events (not on every push)
+          // Replace both the placeholder comment AND the existing if line
+          updated = updated.replace(
+            /# SECURITY_CONDITION_PLACEHOLDER\n\s*if: needs\.detect-maturity\.outputs\.has-deps == 'true'/,
+            `if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.detect-maturity.outputs.has-deps == 'true'`
+          )
+        } else {
+          // comprehensive: Remove placeholder, keep the existing if condition
+          updated = updated.replace(
+            /\s*# SECURITY_CONDITION_PLACEHOLDER\n?/,
+            ''
+          )
+        }
+      }
+
+      // Replace MATRIX_PLACEHOLDER
+      if (updated.includes('# MATRIX_PLACEHOLDER')) {
+        if (mode === 'minimal') {
+          // Single Node version, no matrix
+          // Replace both the placeholder comment AND the existing strategy block
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [22]`
+          )
+        } else if (mode === 'standard') {
+          // Matrix testing only on main branch
+          // 1. Modify the job-level if condition to add branch check
+          updated = updated.replace(
+            /if: fromJSON\(needs\.detect-maturity\.outputs\.test-count\) > 0\n\s*# TESTS_CONDITION_PLACEHOLDER/,
+            `if: github.ref == 'refs/heads/main' && fromJSON(needs.detect-maturity.outputs.test-count) > 0
+    # TESTS_CONDITION_PLACEHOLDER`
+          )
+          // 2. Replace matrix placeholder and existing strategy block
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20, 22]`
+          )
+        } else {
+          // comprehensive: Matrix on every push
+          // Replace placeholder, merge with existing strategy
+          updated = updated.replace(
+            /# MATRIX_PLACEHOLDER\n\s*strategy:\n\s*fail-fast: false/,
+            `strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20, 22]`
+          )
+        }
+      }
+
+      // Replace TESTS_CONDITION_PLACEHOLDER
+      if (updated.includes('# TESTS_CONDITION_PLACEHOLDER')) {
+        let testsCondition = ''
+
+        if (mode === 'minimal') {
+          // No matrix, always run
+          testsCondition = '# Runs on every push (single Node version)'
+        } else if (mode === 'standard') {
+          // Matrix only on main
+          testsCondition = '# Matrix testing only on main branch'
+        } else {
+          // comprehensive: Matrix on every push
+          testsCondition = '# Matrix testing on every push'
+        }
+
+        updated = updated.replace(
+          '# TESTS_CONDITION_PLACEHOLDER',
+          testsCondition
+        )
       }
+
+      return updated
     }
 
     // Normal setup flow
@@ -1054,7 +1434,7 @@ HELP:
       try {
         execSync('git status', { stdio: 'ignore' })
         gitSpinner.succeed('Git repository verified')
-      } catch {
+      } catch (_error) {
         gitSpinner.fail('Not a git repository')
         console.error('❌ This must be run in a git repository')
         console.log('Run "git init" first, then try again.')
@@ -1064,6 +1444,8 @@ HELP:
       // Enforce FREE tier repo limit (1 private repo)
       // Must happen before any file modifications
       const license = getLicenseInfo()
+      let pendingRepoRegistration = null
+      let pendingRepoUsageSnapshot = null
       if (license.tier === 'FREE') {
         // Generate unique repo ID from git remote or directory name
         let repoId
@@ -1072,10 +1454,11 @@ HELP:
             encoding: 'utf8',
             stdio: ['pipe', 'pipe', 'ignore'],
           }).trim()
-          repoId = remoteUrl
-        } catch {
+          const normalized = normalizeRepoIdentifier(remoteUrl)
+          repoId = hashRepoIdentifier(normalized || remoteUrl)
+        } catch (_error) {
           // No remote - use absolute path as fallback
-          repoId = process.cwd()
+          repoId = hashRepoIdentifier(process.cwd())
         }
 
         const repoCheck = checkUsageCaps('repo')
@@ -1091,11 +1474,8 @@ HELP:
             process.exit(1)
           }
 
-          // Register this repo
-          incrementUsage('repo', 1, repoId)
-          console.log(
-            `✅ Registered repo (FREE tier: ${(repoCheck.usage?.repoCount || 0) + 1}/1 repos used)`
-          )
+          pendingRepoRegistration = repoId
+          pendingRepoUsageSnapshot = repoCheck.usage
         }
       }
 
@@ -1282,6 +1662,19 @@ HELP:
         )
       }
 
+      // Shell project detection
+      const { ProjectMaturityDetector } = require('./lib/project-maturity')
+      const maturityDetector = new ProjectMaturityDetector({
+        projectPath: process.cwd(),
+      })
+      const projectStats = maturityDetector.analyzeProject()
+      const usesShell = projectStats.isShellProject
+      if (usesShell) {
+        console.log(
+          '🐚 Detected shell script project; enabling shell quality automation'
+        )
+      }
+
       const stylelintTargets = findStylelintTargets(process.cwd())
       const usingDefaultStylelintTarget =
         stylelintTargets.length === 1 &&
@@ -1435,12 +1828,28 @@ HELP:
         // Validate the generated config
         const validationResult = validateQualityConfig(qualityrcPath)
         if (!validationResult.valid) {
-          console.warn(
-            '⚠️  Warning: Generated config has validation issues (this should not happen):'
+          console.error(
+            '\n❌ CRITICAL: Generated .qualityrc.json failed validation'
           )
-          validationResult.errors.forEach(error => {
-            console.warn(`   - ${error}`)
+          console.error(
+            '   This should never happen. Please report this bug.\n'
+          )
+
+          console.error('Validation errors:')
+          validationResult.errors.forEach((error, index) => {
+            console.error(`   ${index + 1}. ${error}`)
           })
+
+          console.error(`\n🐛 Report issue with this info:`)
+          console.error(`   • File: ${qualityrcPath}`)
+          console.error(`   • Detected maturity: ${detectedMaturity}`)
+          console.error(`   • Error count: ${validationResult.errors.length}`)
+          console.error(
+            `   • https://github.com/vibebuildlab/qa-architect/issues/new\n`
+          )
+
+          // Don't continue - this is a bug in the tool itself
+          throw new Error('Invalid quality config generated - cannot continue')
         }
       } else {
         // TD8 fix: Re-enabled validation (was disabled for debugging)
@@ -1534,6 +1943,23 @@ HELP:
         }
 
         const workflowFile = path.join(githubWorkflowDir, 'quality.yml')
+
+        // Determine workflow mode
+        let workflowMode = 'minimal' // Default to minimal
+        if (isWorkflowMinimal) {
+          workflowMode = 'minimal'
+        } else if (isWorkflowStandard) {
+          workflowMode = 'standard'
+        } else if (isWorkflowComprehensive) {
+          workflowMode = 'comprehensive'
+        } else if (fs.existsSync(workflowFile)) {
+          // Detect existing mode when updating
+          const existingMode = detectExistingWorkflowMode(process.cwd())
+          if (existingMode) {
+            workflowMode = existingMode
+          }
+        }
+
         if (!fs.existsSync(workflowFile)) {
           let templateWorkflow =
             templateLoader.getTemplate(
@@ -1545,13 +1971,59 @@ HELP:
               'utf8'
             )
 
+          // Inject workflow mode configuration
+          templateWorkflow = injectWorkflowMode(templateWorkflow, workflowMode)
+
+          // Inject collaboration steps
           templateWorkflow = injectCollaborationSteps(templateWorkflow, {
             enableSlackAlerts,
             enablePrComments,
           })
 
           fs.writeFileSync(workflowFile, templateWorkflow)
-          console.log('✅ Added GitHub Actions workflow')
+          console.log(`✅ Added GitHub Actions workflow (${workflowMode} mode)`)
+        } else if (isUpdateMode) {
+          // Update existing workflow with new mode if explicitly specified
+          if (
+            isWorkflowMinimal ||
+            isWorkflowStandard ||
+            isWorkflowComprehensive
+          ) {
+            // Load fresh template and re-inject
+            let templateWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('.github', 'workflows', 'quality.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, '.github/workflows/quality.yml'),
+                'utf8'
+              )
+
+            // Inject workflow mode configuration
+            templateWorkflow = injectWorkflowMode(
+              templateWorkflow,
+              workflowMode
+            )
+
+            // Inject collaboration steps (preserve from existing if present)
+            const existingWorkflow = fs.readFileSync(workflowFile, 'utf8')
+            const hasSlackAlerts =
+              existingWorkflow.includes('SLACK_WEBHOOK_URL')
+            const hasPrComments = existingWorkflow.includes(
+              'PR_COMMENT_PLACEHOLDER'
+            )
+
+            templateWorkflow = injectCollaborationSteps(templateWorkflow, {
+              enableSlackAlerts: hasSlackAlerts,
+              enablePrComments: hasPrComments,
+            })
+
+            fs.writeFileSync(workflowFile, templateWorkflow)
+            console.log(
+              `♻️  Updated GitHub Actions workflow to ${workflowMode} mode`
+            )
+          }
         }
       }
 
@@ -1762,7 +2234,7 @@ let tier = 'FREE'
 try {
   const data = JSON.parse(fs.readFileSync(licenseFile, 'utf8'))
   tier = (data && data.tier) || 'FREE'
-} catch {
+} catch (error) {
   tier = 'FREE'
 }
 
@@ -1775,7 +2247,7 @@ try {
   if (data.month === currentMonth) {
     usage = { ...usage, ...data }
   }
-} catch {
+} catch (error) {
   // First run or corrupt file – start fresh
 }
 
@@ -1963,6 +2435,86 @@ echo "✅ Pre-push validation passed!"
           }
         }
 
+        pythonSpinner.succeed('Python quality tools configured')
+      }
+
+      // Shell project setup
+      if (usesShell) {
+        // Copy Shell CI workflow (GitHub Actions only)
+        if (ciProvider === 'github') {
+          const shellCiWorkflowFile = path.join(
+            githubWorkflowDir,
+            'shell-ci.yml'
+          )
+          if (!fs.existsSync(shellCiWorkflowFile)) {
+            const templateShellCiWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('config', 'shell-ci.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, 'config/shell-ci.yml'),
+                'utf8'
+              )
+            fs.writeFileSync(shellCiWorkflowFile, templateShellCiWorkflow)
+            console.log('✅ Added Shell CI GitHub Actions workflow')
+          }
+
+          // Copy Shell Quality workflow
+          const shellQualityWorkflowFile = path.join(
+            githubWorkflowDir,
+            'shell-quality.yml'
+          )
+          if (!fs.existsSync(shellQualityWorkflowFile)) {
+            const templateShellQualityWorkflow =
+              templateLoader.getTemplate(
+                templates,
+                path.join('config', 'shell-quality.yml')
+              ) ||
+              fs.readFileSync(
+                path.join(__dirname, 'config/shell-quality.yml'),
+                'utf8'
+              )
+            fs.writeFileSync(
+              shellQualityWorkflowFile,
+              templateShellQualityWorkflow
+            )
+            console.log('✅ Added Shell Quality GitHub Actions workflow')
+          }
+        }
+
+        // Create a basic README if it doesn't exist
+        const readmePath = path.join(process.cwd(), 'README.md')
+        if (!fs.existsSync(readmePath)) {
+          const projectName = path.basename(process.cwd())
+          const basicReadme = `# ${projectName}
+
+Shell script collection for ${projectName}.
+
+## Usage
+
+\`\`\`bash
+# Make scripts executable
+chmod +x *.sh
+
+# Run a script
+./script-name.sh
+\`\`\`
+
+## Development
+
+Quality checks are automated via GitHub Actions:
+- ShellCheck linting
+- Syntax validation
+- Permission checks
+- Best practices analysis
+`
+          fs.writeFileSync(readmePath, basicReadme)
+          console.log('✅ Created basic README.md')
+        }
+      }
+
+      if (usesPython) {
         // Create tests directory if it doesn't exist
         const testsDir = path.join(process.cwd(), 'tests')
         if (!fs.existsSync(testsDir)) {
@@ -2005,8 +2557,6 @@ echo "✅ Pre-push validation passed!"
             )
           }
         }
-
-        pythonSpinner.succeed('Python quality tools configured')
       }
 
       // Smart Test Strategy (Pro/Team/Enterprise feature)
@@ -2172,6 +2722,12 @@ describe('Test framework validation', () => {
 
       console.log('\n🎉 Quality automation setup complete!')
 
+      if (pendingRepoRegistration) {
+        incrementUsage('repo', 1, pendingRepoRegistration)
+        const repoCount = (pendingRepoUsageSnapshot?.repoCount || 0) + 1
+        console.log(`✅ Registered repo (FREE tier: ${repoCount}/1 repos used)`)
+      }
+
       // Record telemetry completion event (opt-in only, fails silently)
       telemetry.recordComplete({
         usesPython,