create-qa-architect 5.6.1 → 5.8.0

package/.github/workflows/quality.yml

@@ -70,7 +70,7 @@ jobs:
         id: detect
         run: |
           # Use the project maturity detector
-          node node_modules/create-qa-architect/lib/project-maturity.js --github-actions >> $GITHUB_OUTPUT
+          node lib/project-maturity.js --github-actions >> $GITHUB_OUTPUT
 
       - name: Display Detection Report
         run: |
@@ -402,11 +402,33 @@ jobs:
 
       - name: Lighthouse CI
         if: hashFiles('.lighthouserc.js', '.lighthouserc.json', 'lighthouserc.js') != ''
+        id: lighthouse
         run: |
           echo "🚢 Running Lighthouse CI..."
           npx lhci autorun
         continue-on-error: true
 
+      - name: Report Lighthouse Failures
+        if: steps.lighthouse.outcome == 'failure'
+        env:
+          MATURITY: ${{ needs.detect-maturity.outputs.maturity }}
+        run: |
+          echo "::error::Lighthouse CI failed - performance budgets or quality thresholds violated"
+          echo "Review the Lighthouse report to see which metrics failed."
+          echo "Common failures: performance score, accessibility issues, SEO problems"
+
+          # Add to job summary for visibility
+          echo "## ⚠️ Lighthouse CI Failed" >> $GITHUB_STEP_SUMMARY
+          echo "Performance budgets or quality thresholds were violated." >> $GITHUB_STEP_SUMMARY
+          echo "This is currently a soft failure (continue-on-error: true)." >> $GITHUB_STEP_SUMMARY
+          echo "Review the Lighthouse report in the Actions logs above." >> $GITHUB_STEP_SUMMARY
+
+          # Fail build for production-ready projects
+          if [ "$MATURITY" == "production-ready" ]; then
+            echo "::error::Production-ready projects must pass Lighthouse CI checks"
+            exit 1
+          fi
+
   # Step 7: Summary - report what checks ran
   summary:
     runs-on: ubuntu-latest
@@ -421,6 +443,12 @@ jobs:
 
     steps:
       - name: Generate Check Summary
+        env:
+          CORE_RESULT: ${{ needs.core-checks.result }}
+          LINTING_RESULT: ${{ needs.linting.result }}
+          SECURITY_RESULT: ${{ needs.security.result }}
+          TESTS_RESULT: ${{ needs.tests.result }}
+          DOCS_RESULT: ${{ needs.documentation.result }}
         run: |
           echo "## Quality Checks Summary 📊" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -433,11 +461,59 @@ jobs:
           echo "- Has documentation: ${{ needs.detect-maturity.outputs.has-docs }}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Checks Executed" >> $GITHUB_STEP_SUMMARY
-          echo "- ✅ Core checks: Always run" >> $GITHUB_STEP_SUMMARY
-          echo "- ${{ needs.detect-maturity.outputs.source-count > 0 && '✅' || '⏭️' }} Linting: ${{ needs.detect-maturity.outputs.source-count > 0 && 'Enabled' || 'Skipped (no source files)' }}" >> $GITHUB_STEP_SUMMARY
-          echo "- ${{ needs.detect-maturity.outputs.has-deps == 'true' && '✅' || '⏭️' }} Security: ${{ needs.detect-maturity.outputs.has-deps == 'true' && 'Enabled' || 'Skipped (no dependencies)' }}" >> $GITHUB_STEP_SUMMARY
-          echo "- ${{ needs.detect-maturity.outputs.test-count > 0 && '✅' || '⏭️' }} Tests: ${{ needs.detect-maturity.outputs.test-count > 0 && 'Enabled' || 'Skipped (no test files)' }}" >> $GITHUB_STEP_SUMMARY
-          echo "- ${{ needs.detect-maturity.outputs.maturity == 'production-ready' && '✅' || '⏭️' }} Documentation: ${{ needs.detect-maturity.outputs.maturity == 'production-ready' && 'Enabled' || 'Skipped (not production-ready)' }}" >> $GITHUB_STEP_SUMMARY
+
+          # Core checks
+          if [ "$CORE_RESULT" == "success" ]; then
+            echo "- ✅ Core checks: Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$CORE_RESULT" == "failure" ]; then
+            echo "- ❌ Core checks: Failed" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Core checks: $CORE_RESULT" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Linting
+          if [ "$LINTING_RESULT" == "success" ]; then
+            echo "- ✅ Linting: Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$LINTING_RESULT" == "failure" ]; then
+            echo "- ❌ Linting: Failed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$LINTING_RESULT" == "skipped" ]; then
+            echo "- ⏭️ Linting: Skipped (no source files)" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Linting: $LINTING_RESULT" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Security
+          if [ "$SECURITY_RESULT" == "success" ]; then
+            echo "- ✅ Security: Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$SECURITY_RESULT" == "failure" ]; then
+            echo "- ❌ Security: Failed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$SECURITY_RESULT" == "skipped" ]; then
+            echo "- ⏭️ Security: Skipped (no dependencies)" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Security: $SECURITY_RESULT" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Tests
+          if [ "$TESTS_RESULT" == "success" ]; then
+            echo "- ✅ Tests: Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$TESTS_RESULT" == "failure" ]; then
+            echo "- ❌ Tests: Failed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$TESTS_RESULT" == "skipped" ]; then
+            echo "- ⏭️ Tests: Skipped (no test files)" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Tests: $TESTS_RESULT" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Documentation
+          if [ "$DOCS_RESULT" == "success" ]; then
+            echo "- ✅ Documentation: Passed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$DOCS_RESULT" == "failure" ]; then
+            echo "- ❌ Documentation: Failed" >> $GITHUB_STEP_SUMMARY
+          elif [ "$DOCS_RESULT" == "skipped" ]; then
+            echo "- ⏭️ Documentation: Skipped (not production-ready)" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- ⚠️ Documentation: $DOCS_RESULT" >> $GITHUB_STEP_SUMMARY
+          fi
       # PR_COMMENTS_PLACEHOLDER
 
 # ALERTS_PLACEHOLDER

package/docs/MIGRATION-5.8.0.md

@@ -0,0 +1,157 @@
+# Migration Guide: v5.8.0
+
+## Overview
+
+Version 5.8.0 fixes critical silent failure bugs in the GitHub Actions workflow template that could allow broken code to merge:
+
+1. **Lighthouse CI failures** were silently ignored (now fails production builds)
+2. **Job summaries** always showed ✅ even when checks failed (now shows actual results)
+
+## Who Should Upgrade?
+
+**All projects using qa-architect** - especially production-ready projects that rely on Lighthouse CI for performance gates.
+
+## Quick Migration (Recommended)
+
+Update your workflow in one command:
+
+```bash
+npx create-qa-architect@latest
+```
+
+This will:
+
+- Detect your existing workflow mode (minimal/standard/comprehensive)
+- Preserve your current configuration
+- Apply the bug fixes to `.github/workflows/quality.yml`
+
+## What Changes?
+
+### 1. Lighthouse CI - Now Fails Production Builds
+
+**Before (v5.7.0):**
+
+```yaml
+- name: Lighthouse CI
+  run: npx lhci autorun
+  continue-on-error: true # ⚠️ Failures silently ignored
+```
+
+**After (v5.8.0):**
+
+```yaml
+- name: Lighthouse CI
+  id: lighthouse
+  run: npx lhci autorun
+  continue-on-error: true
+
+- name: Report Lighthouse Failures
+  if: steps.lighthouse.outcome == 'failure'
+  env:
+    MATURITY: ${{ needs.detect-maturity.outputs.maturity }}
+  run: |
+    echo "::error::Lighthouse CI failed"
+    # Fail build for production-ready projects
+    if [ "$MATURITY" == "production-ready" ]; then
+      exit 1
+    fi
+```
+
+**Impact:**
+
+- **Production-ready projects**: Lighthouse failures now block merges (hard gate)
+- **Other projects**: Lighthouse failures show warnings but don't block (soft gate)
+
+### 2. Job Summary - Shows Actual Results
+
+**Before (v5.7.0):**
+
+```yaml
+# Always showed ✅ if enabled, regardless of pass/fail
+echo "- ✅ Tests: Enabled" >> $GITHUB_STEP_SUMMARY
+```
+
+**After (v5.8.0):**
+
+```yaml
+# Shows actual result: ✅ success, ❌ failure, ⏭️ skipped
+if [ "$TESTS_RESULT" == "success" ]; then
+  echo "- ✅ Tests: Passed" >> $GITHUB_STEP_SUMMARY
+elif [ "$TESTS_RESULT" == "failure" ]; then
+  echo "- ❌ Tests: Failed" >> $GITHUB_STEP_SUMMARY
+fi
+```
+
+**Impact:**
+
+- Summaries now accurately reflect job outcomes
+- Failures are immediately visible in PR checks
+
+## Verification
+
+After upgrading, verify the changes:
+
+```bash
+# Check workflow mode marker
+grep "WORKFLOW_MODE:" .github/workflows/quality.yml
+
+# Verify Lighthouse failure handler exists
+grep -A 10 "Report Lighthouse Failures" .github/workflows/quality.yml
+
+# Verify summary uses actual results
+grep "CORE_RESULT" .github/workflows/quality.yml
+```
+
+## Rollback (If Needed)
+
+If you need to rollback to v5.7.0:
+
+```bash
+npx create-qa-architect@5.7.0
+```
+
+## Breaking Changes
+
+None - these are backwards-compatible bug fixes.
+
+**Exception:** If you have production-ready maturity and currently have Lighthouse failures that are being ignored, they will now block your builds. This is the intended behavior to prevent quality regressions.
+
+## FAQ
+
+### Q: Will this affect my CI minutes?
+
+No - the changes only add a conditional failure reporting step. No new jobs or scans.
+
+### Q: What if I want to keep Lighthouse as a soft failure?
+
+Remove the production-ready check from the "Report Lighthouse Failures" step:
+
+```yaml
+# Remove this block:
+if [ "$MATURITY" == "production-ready" ]; then
+exit 1
+fi
+```
+
+### Q: How do I know my maturity level?
+
+Check your workflow or run:
+
+```bash
+npx create-qa-architect --check-maturity
+```
+
+Maturity levels: minimal → bootstrap → development → production-ready
+
+### Q: Can I update manually instead of re-running the tool?
+
+Yes, but not recommended. The template changes are extensive. If you must:
+
+1. Copy the new steps from `.github/workflows/quality.yml` in this repo
+2. Add Lighthouse failure handler (lines 411-430)
+3. Update summary step to use `needs.<job>.result` (lines 445-516)
+
+## Support
+
+- Issues: https://github.com/anthropics/qa-architect/issues
+- Docs: https://github.com/anthropics/qa-architect/blob/main/README.md

package/docs/OPTIMAL_QUALITY_STRATEGY.md

@@ -0,0 +1,421 @@
+# Optimal Quality Strategy - Universal & Cost-Effective
+
+**Date:** 2026-01-14
+**Goal:** Maintain high quality while getting under 2,000 GH Actions min/month
+
+## Key Insights
+
+1. **/bs:quality already exists** - Comprehensive autonomous quality loop using Claude Code agents
+2. **qa-architect should work for everyone** - Not everyone has Claude Code MAX
+3. **60-80% of CI checks are redundant** - Already running in pre-push hooks
+4. **Security scans CAN run locally** - gitleaks, npm audit are free
+
+---
+
+## Three-Tier Quality Approach
+
+### Tier 1: Pre-Push (Universal - Works for Everyone)
+
+**Time:** 45-150 seconds
+**Cost:** Free (runs locally)
+**Who:** Everyone using qa-architect
+
+```bash
+✅ ESLint + Prettier + Stylelint (already in place)
+✅ TypeScript type-check (already in place)
+✅ Unit tests - smart strategy (already in place)
++ 🔐 Gitleaks (secret scanning) - ADD THIS
++ 🔐 npm audit (dependency vulnerabilities) - ADD THIS
++ 🔐 XSS pattern detection (grep-based) - ADD THIS
+```
+
+**Result:** Catch 95% of issues before push, including security issues
+
+---
+
+### Tier 2: On-Demand /bs:quality (Claude Code Users)
+
+**Time:** 2-5 min (quick) to 1-3 hours (level 98)
+**Cost:** Free with Claude Code MAX, usage-based on other tiers
+**Who:** Claude Code users (any tier)
+
+```bash
+/bs:quality --scope changed      # Quick: 2-5 min, uncommitted changes
+/bs:quality                      # Default: 30-60 min, branch scope, 95%
+/bs:quality --level 98           # Comprehensive: 1-3 hours, 98% quality
+/bs:quality --merge              # + auto-merge and deploy
+```
+
+**Agents:**
+
+- code-reviewer
+- silent-failure-hunter
+- type-design-analyzer
+- code-simplifier
+- security-auditor (level 98)
+- accessibility-tester (level 98)
+- performance-engineer (level 98)
+- architect-reviewer (level 98)
+
+**Result:** Comprehensive AI-powered review before PR
+
+---
+
+### Tier 3: Minimal GitHub Actions (Safety Net Only)
+
+**Time:** 1-3 minutes
+**Cost:** Minimized to essential checks only
+**Who:** Runs automatically on push to main
+
+**REMOVE redundant checks:**
+
+- ❌ ESLint (redundant with pre-push)
+- ❌ Prettier (redundant with pre-push)
+- ❌ Stylelint (redundant with pre-push)
+- ❌ Unit tests (redundant with pre-push)
+- ❌ TypeScript type-check (redundant with pre-push)
+- ❌ Gitleaks (moving to pre-push)
+- ❌ npm audit (moving to pre-push)
+- ❌ XSS detection (moving to pre-push)
+- ❌ Smoke tests (redundant, covered by unit tests)
+
+**KEEP minimal checks:**
+
+- ✅ Package signature verification (needs npm registry)
+- ✅ E2E smoke test (optional, main branch only)
+- ✅ Build verification (quick, ensures deployability)
+
+**Optional scheduled scan:**
+
+- 🗓️ Weekly security audit (gitleaks + npm audit) - runs once/week
+- **Cost:** ~10 min/week = 40 min/month per repo
+
+---
+
+## Implementation for qa-architect
+
+### Phase 1: Add Local Security Scans (Everyone Benefits)
+
+**Timeline:** v5.7.0 release
+
+Add to pre-push hook (`.husky/pre-push`):
+
+```bash
+#!/bin/sh
+echo "🔍 Running pre-push validation..."
+
+# Existing checks
+npm run lint || exit 1
+npm run format:check || exit 1
+npm test || exit 1
+
+# NEW: Security scans
+echo "🔐 Scanning for secrets..."
+if command -v gitleaks &> /dev/null; then
+  gitleaks detect --no-git --verbose || exit 1
+else
+  echo "⚠️  gitleaks not installed - skipping secret scan"
+  echo "   Install: brew install gitleaks (Mac) or see https://github.com/gitleaks/gitleaks"
+fi
+
+echo "🔐 Checking dependencies..."
+npm audit --audit-level=high || exit 1
+
+echo "🔐 Scanning for XSS patterns..."
+# Check for dangerous patterns
+if grep -rE "innerHTML.*\\\$\{" src/ --include="*.js" --include="*.jsx" --include="*.ts" --include="*.tsx" 2>/dev/null; then
+  echo "❌ Potential XSS: innerHTML with interpolation found"
+  exit 1
+fi
+
+echo "✅ All pre-push checks passed!"
+```
+
+**Add gitleaks to devDependencies** (or recommend global install):
+
+```json
+{
+  "devDependencies": {
+    "gitleaks": "^8.18.0" // or global install instructions
+  }
+}
+```
+
+**Benefits:**
+
+- ✅ Works for everyone (not just MAX tier)
+- ✅ Catches secrets before they reach GitHub
+- ✅ Catches vulnerable dependencies early
+- ✅ Catches XSS patterns locally
+- ✅ Still fast enough (adds ~10-15s to pre-push)
+
+---
+
+### Phase 2: Slim Down GitHub Actions Template
+
+**Timeline:** v5.7.0 release
+
+New `.github/workflows/quality.yml` template:
+
+```yaml
+name: Quality Checks
+
+on:
+  push:
+    branches: [main, master]
+    # Only run on main - feature branches rely on pre-push hooks
+  schedule:
+    # Weekly security audit as safety net
+    - cron: '0 2 * * 0' # Sunday 2 AM
+
+concurrency:
+  group: quality-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  minimal-verification:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      # Only essential checks that can't run locally
+      - name: Verify build
+        run: npm run build
+
+      - name: Package signature verification
+        run: npm audit signatures || echo "⚠️ Signature verification failed"
+
+      # Optional: E2E smoke test (only on main)
+      - name: E2E smoke test
+        if: github.ref == 'refs/heads/main'
+        run: |
+          npx playwright install --with-deps chromium
+          npm run test:e2e || echo "⚠️ E2E tests failed"
+        continue-on-error: true
+
+  # Weekly security audit (safety net)
+  weekly-security:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # Full history for gitleaks
+
+      - name: Gitleaks scan
+        uses: gitleaks/gitleaks-action@v2
+
+      - name: Dependency audit
+        run: npm audit --audit-level=high
+```
+
+**Result:**
+
+- Main branch push: ~2-3 minutes (build + signatures + optional E2E)
+- Weekly security: ~3-5 minutes once/week
+- **Total per repo:** ~10-15 min/week = 40-60 min/month
+
+---
+
+## Cost Calculation
+
+### Before (Current State)
+
+**Per repo per day:**
+
+- Every push: 5 min (redundant checks)
+- Average 5 pushes/day = 25 min/day
+- **Monthly:** 25 × 30 = 750 min/month per repo
+
+**11 repos:**
+
+- 750 × 11 = 8,250 min/month
+- **Cost:** ~$49/month
+
+### After (Optimized)
+
+**Per repo per day:**
+
+- Main branch push: 2-3 min (1-2 times/day max)
+- Average 2 min/day (most work on feature branches uses local hooks)
+- **Monthly:** 2 × 30 = 60 min/month per repo
+
+**11 repos:**
+
+- 60 × 11 = 660 min/month
+- **Cost:** ~$4/month
+
+**Savings: $45/month (92% reduction)**
+
+---
+
+## For Users Without Claude Code
+
+**They still get:**
+
+- ✅ Pre-push security scans (gitleaks, npm audit, XSS detection)
+- ✅ Full lint/format/test automation
+- ✅ Minimal CI as safety net
+- ✅ All core qa-architect features
+
+**They miss:**
+
+- ❌ /bs:quality autonomous agents (need Claude Code)
+
+**But they can:**
+
+- ✅ Use /pr-review-toolkit:review-pr skill (if they have Claude Code on any tier)
+- ✅ Manual PR reviews with Claude Code
+- ✅ Still maintain high quality with automated tooling
+
+---
+
+## For Users With Claude Code MAX
+
+**They get everything above PLUS:**
+
+- ✅ /bs:quality autonomous loops (unlimited)
+- ✅ On-demand comprehensive reviews
+- ✅ AI-powered architecture guidance
+- ✅ Cost-free comprehensive testing
+
+**Workflow:**
+
+```bash
+# 1. Work on feature
+git checkout -b feature/new-auth
+
+# 2. Small commits with quick checks
+# ... code ...
+/bs:quality --scope changed    # 2-5 min
+git commit -m "feat: add login"
+
+# 3. Feature complete
+/bs:quality                    # 30-60 min, comprehensive
+/bs:quality --merge            # Auto-merge and deploy
+
+# Total GH Actions cost: $0 (only runs on main after merge)
+```
+
+---
+
+## Migration Path
+
+### Week 1: Update qa-architect (v5.7.0)
+
+- [ ] Add gitleaks to pre-push hook
+- [ ] Add npm audit to pre-push hook
+- [ ] Add XSS pattern detection to pre-push hook
+- [ ] Update GH Actions template (minimal)
+- [ ] Update documentation
+- [ ] Release v5.7.0
+
+### Week 2: Update All Repos
+
+- [ ] Run `npx create-qa-architect@latest` on all 11 repos
+- [ ] Test pre-push hooks work (try to commit a secret, should fail)
+- [ ] Verify CI runs only on main
+- [ ] Commit and push
+
+### Week 3: Monitor
+
+- [ ] Check GH Actions usage dashboard
+- [ ] Verify under 2,000 min/month
+- [ ] Collect feedback on pre-push speed
+
+---
+
+## FAQ
+
+### "Won't pre-push be too slow with security scans?"
+
+**A:** Gitleaks is fast (~3-5s), npm audit is ~5-10s, XSS grep is ~2s. Total addition: ~10-15s max.
+
+**Before:** 30-120s
+**After:** 45-150s
+**Still acceptable** for catching security issues before they hit GitHub.
+
+### "What if I don't have gitleaks installed?"
+
+**A:** Pre-push hook shows warning but doesn't fail. User can install with `brew install gitleaks` or continue without it (CI weekly scan still catches issues).
+
+### "What about repos I'm not actively working on?"
+
+**A:** They still get weekly security scans (40-60 min/month). If inactive for >3 months, consider disabling CI entirely and re-enabling when active.
+
+### "Can I still use comprehensive CI if I want?"
+
+**A:** Yes! Add `--workflow-comprehensive` flag when running qa-architect. Good for critical production apps or open-source projects with external contributors.
+
+---
+
+## Decision Matrix: Which Repos Need What?
+
+### Minimal CI (Default - Recommended for 9/11 repos)
+
+**Use for:** Side projects, internal tools, personal sites
+**Cost:** 40-60 min/month per repo
+**Safety:** Weekly security scan + local pre-push
+
+- brettstark-about
+- ai-learning-companion
+- retireabroad
+- stark-program-intelligence
+- project-starter-guide
+- jobrecon
+- vibebuildlab
+- postrail
+- brettstark
+
+### Standard CI (Active Projects - 2 repos)
+
+**Use for:** Active development, moderate traffic
+**Cost:** 100-150 min/month per repo
+**Safety:** Main branch checks + weekly security
+
+- keyflash
+- qa-architect (your product)
+
+### Comprehensive CI (Critical Only - 0 repos currently)
+
+**Use for:** Open source with external PRs, production critical
+**Cost:** 300-500 min/month per repo
+**Safety:** Every commit checked
+
+- (None currently - can enable per-project if needed)
+
+**Total with this approach:**
+
+- 9 minimal repos: 9 × 50 = 450 min/month
+- 2 standard repos: 2 × 125 = 250 min/month
+- **Total: 700 min/month (~$4.20/month)**
+
+✅ **Well under 2,000 min/month limit**
+
+---
+
+## Recommendation
+
+**Best strategy:**
+
+1. **Update qa-architect v5.7.0** with local security scans (benefits everyone)
+2. **Use minimal CI template** for 9/11 repos (weekly scans only)
+3. **Use standard CI** for qa-architect and keyflash (active development)
+4. **Keep /bs:quality** for on-demand comprehensive reviews (MAX tier users)
+5. **Don't disable CI completely** - weekly scans are valuable safety net
+
+**Result:**
+
+- ✅ Under 2,000 min/month (~700 min/month)
+- ✅ Better security (local scans catch issues earlier)
+- ✅ Works for everyone (not just MAX tier)
+- ✅ Maintains quality (pre-push + weekly scans + /bs:quality)
+- ✅ Cost-effective ($4/month vs $49/month)