qa-boot 0.1.0

package/dist/domains/repo-quality-facts.js

@@ -0,0 +1,34 @@
+import { makeFact } from "../core/fact.js";
+export function repoQualityFacts(results, today) {
+    const rq = results.find((r) => r.domain === "repo_quality");
+    if (!rq)
+        return [];
+    const facts = [
+        makeFact({
+            id: "repo_quality.high-churn-untested",
+            domain: "repo_quality",
+            statement: rq.statement,
+            provenance: "observed",
+            confidence: rq.confidence,
+            evidence_provider: rq.provider,
+            evidence_command: "qaradar analyze . --json-output",
+            evidence: rq.evidence,
+            value: rq.value,
+            limitations: rq.limitations ?? [],
+            risk_if_wrong: "The agent may prioritize technically risky files that are not the most business-critical.",
+        }, today),
+        makeFact({
+            id: "business_priority.vs-repo-risk",
+            domain: "business_priority",
+            statement: "Repo risk is known technically, but business criticality of those files is unknown.",
+            provenance: "unknown",
+            confidence: 0,
+            evidence_provider: "qaradar",
+            evidence: [],
+            value: { question: "Which of the technically risky files are business-critical or customer-facing?" },
+            risk_if_wrong: "The agent may treat technical risk as business priority.",
+            needs_human_confirmation: true,
+        }, today),
+    ];
+    return facts;
+}

package/dist/domains/test-facts.js

@@ -0,0 +1,65 @@
+import { makeFact } from "../core/fact.js";
+const PROVIDER = "test-scanner";
+export function testFacts(ev, today) {
+    const facts = [];
+    for (const e of ev.filter((x) => x.kind === "test-framework")) {
+        const name = String(e.detail?.name);
+        const observed = e.detail?.source === "config";
+        facts.push(makeFact({
+            id: `test.framework.${name}`,
+            domain: "test",
+            statement: `Test framework ${name} detected.`,
+            provenance: observed ? "observed" : "inferred",
+            confidence: observed ? 0.8 : 0.5,
+            evidence_provider: PROVIDER,
+            evidence: e.path ? [e.path] : [],
+            limitations: observed ? [] : ["Detected via dependency only; not confirmed running."],
+        }, today));
+    }
+    const dirs = ev.filter((x) => x.kind === "test-dir");
+    if (dirs.length) {
+        facts.push(makeFact({
+            id: "test.directory",
+            domain: "test",
+            statement: "Test directories are present.",
+            provenance: "observed",
+            confidence: 0.8,
+            evidence_provider: PROVIDER,
+            evidence: dirs.map((d) => d.path).filter(Boolean),
+        }, today));
+    }
+    const cov = ev.filter((x) => x.kind === "coverage-tool");
+    if (cov.length) {
+        facts.push(makeFact({
+            id: "test.coverage-tool",
+            domain: "test",
+            statement: "A coverage tool/artifact was detected.",
+            provenance: "observed",
+            confidence: 0.8,
+            evidence_provider: PROVIDER,
+            evidence: cov.map((c) => String(c.detail?.name)),
+            limitations: ["Coverage freshness is unknown."],
+        }, today));
+    }
+    return facts;
+}
+export function qaradarTestFacts(results, today) {
+    const t = results.find((r) => r.domain === "test");
+    if (!t)
+        return [];
+    const v = t.value;
+    return [
+        makeFact({
+            id: "test.coverage-shape",
+            domain: "test",
+            statement: `QA Radar: ${v.files_with_tests}/${v.source_files} source files have mapped tests (ratio ${v.test_to_source_ratio}).`,
+            provenance: "observed",
+            confidence: t.confidence,
+            evidence_provider: t.provider,
+            evidence_command: "qaradar analyze . --json-output",
+            evidence: t.evidence,
+            value: t.value,
+            limitations: t.limitations ?? [],
+        }, today),
+    ];
+}

package/dist/generate/claude-qa.js

@@ -0,0 +1,20 @@
+export function renderClaudeQa(opts) {
+    const lines = [
+        "# QA Context Instructions",
+        "",
+        "Before answering QA/testing/release questions, check the files in `qa-context/`.",
+        "",
+        "Important:",
+        "- Do not assume missing build, release, environment, or ownership knowledge.",
+        "- If a required fact is marked unknown in `qa-context/unknowns.md`, say so and ask the human question listed there.",
+        "- Do not treat technical repo risk as business priority unless confirmed in `qa-context/product-risk-map.md`.",
+        "- Do not suggest external writes (PR comments, tickets, CI triggers) unless explicitly approved by the user.",
+        "- Facts marked _told_ were stated by a human (see `qa-context/qa-interview-log.md`). Prefer them over inferred facts; if marked stale, re-confirm via the question in `unknowns.md` instead of assuming.",
+    ];
+    if (opts.hasRepoRisk) {
+        lines.push("- Use `qa-context/repo-risk.md` for technical repo risk when asked what to test first.");
+    }
+    lines.push("", "Getting started (new QA or automation engineers):", "- If the user asks how or where to start with QA in this repo, walk them through `qa-context/` (start with `maturity.md`, then `unknowns.md`, then `test-stack.md`) before giving generic advice.", "- If `qa-context/unknowns.md` has open questions, offer the `qa-onboard` skill to capture answers. Only do this when the user asks how to get started or an unknown blocks the current task. Do not start onboarding proactively in every session.");
+    lines.push("", "These files are generated by `qa-boot` from `qa-context/facts.json`. Do not hand-edit them.", "");
+    return lines.join("\n");
+}

package/dist/generate/domain-summaries.js

@@ -0,0 +1,20 @@
+import { renderKnownUnknown } from "./known-unknown.js";
+const SPECS = [
+    { file: "qa-context/test-stack.md", title: "Test Stack", purpose: "What testing tooling this repo uses.", domains: ["test", "test_trust"] },
+    { file: "qa-context/build-and-run.md", title: "Build and Run", purpose: "How to build and run this project.", domains: ["build"] },
+    { file: "qa-context/ci-and-release.md", title: "CI and Release", purpose: "Continuous integration and release signals.", domains: ["ci", "release"] },
+    { file: "qa-context/environments.md", title: "Environments", purpose: "Test environments and their stability.", domains: ["environment"] },
+    { file: "qa-context/test-data.md", title: "Test Data", purpose: "How test data is created and reset.", domains: ["test_data"] },
+    { file: "qa-context/knowledge-sources.md", title: "Knowledge Sources", purpose: "Where project knowledge lives.", domains: ["knowledge_sources"] },
+    { file: "qa-context/product-risk-map.md", title: "Product Risk Map", purpose: "Business priority of repo areas (usually unknown in V0).", domains: ["business_priority"] },
+    { file: "qa-context/ownership.md", title: "Ownership", purpose: "Who owns and approves quality-relevant changes.", domains: ["ownership"] },
+    { file: "qa-context/agent-permissions.md", title: "Agent Permissions", purpose: "What an AI agent is allowed to do in this repo.", domains: ["agent_permissions"] },
+];
+export function renderDomainSummaries(facts) {
+    const out = {};
+    for (const spec of SPECS) {
+        const subset = facts.filter((f) => spec.domains.includes(f.domain));
+        out[spec.file] = renderKnownUnknown(spec.title, spec.purpose, subset);
+    }
+    return out;
+}

package/dist/generate/generate.js

@@ -0,0 +1,68 @@
+import { writeFileSync, mkdirSync, existsSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { renderDomainSummaries } from "./domain-summaries.js";
+import { renderUnknowns, renderRepoRisk, renderMaturity, renderQualityRisks, renderRefreshPolicy } from "./special-renderers.js";
+import { renderClaudeQa } from "./claude-qa.js";
+import { renderSkills } from "./skills.js";
+function writeFile(repoPath, rel, content) {
+    const abs = join(repoPath, rel);
+    mkdirSync(dirname(abs), { recursive: true });
+    writeFileSync(abs, content, "utf8");
+}
+export function loadFacts(repoPath) {
+    const path = join(repoPath, "qa-context", "facts.json");
+    if (!existsSync(path)) {
+        throw new Error("qa-context/facts.json not found. Run `qa-boot scan` first.");
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(readFileSync(path, "utf8"));
+    }
+    catch {
+        throw new Error("qa-context/facts.json is malformed. Re-run `qa-boot scan` to regenerate it.");
+    }
+    return parsed.facts ?? [];
+}
+export function runGenerate(opts) {
+    const facts = loadFacts(opts.repoPath);
+    const written = [];
+    const emit = (rel, content) => {
+        writeFile(opts.repoPath, rel, content);
+        written.push(rel);
+    };
+    for (const [rel, content] of Object.entries(renderDomainSummaries(facts)))
+        emit(rel, content);
+    emit("qa-context/unknowns.md", renderUnknowns(facts));
+    emit("qa-context/maturity.md", renderMaturity(facts));
+    emit("qa-context/quality-risks.md", renderQualityRisks(facts));
+    emit("qa-context/refresh-policy.md", renderRefreshPolicy(opts.config));
+    const repoRisk = renderRepoRisk(facts);
+    const hasRepoRisk = repoRisk !== null;
+    if (repoRisk)
+        emit("qa-context/repo-risk.md", repoRisk);
+    if (opts.claude && opts.config.claude.enabled) {
+        emit("CLAUDE.qa.md", renderClaudeQa({ hasRepoRisk }));
+        ensureClaudeMdImport(opts.repoPath, written);
+        if (opts.config.claude.generate_skills) {
+            for (const [rel, content] of Object.entries(renderSkills({ hasRepoRisk })))
+                emit(rel, content);
+        }
+    }
+    return written;
+}
+const CLAUDE_QA_IMPORT = "@CLAUDE.qa.md";
+/** Claude Code only auto-loads CLAUDE.md (and its @imports), so the generated
+ *  CLAUDE.qa.md must be referenced from there to enter agent context. */
+function ensureClaudeMdImport(repoPath, written) {
+    const path = join(repoPath, "CLAUDE.md");
+    if (!existsSync(path)) {
+        writeFileSync(path, `# Project instructions\n\n${CLAUDE_QA_IMPORT}\n`, "utf8");
+        written.push("CLAUDE.md");
+        return;
+    }
+    const current = readFileSync(path, "utf8");
+    if (!current.includes(CLAUDE_QA_IMPORT)) {
+        writeFileSync(path, current.trimEnd() + `\n\n${CLAUDE_QA_IMPORT}\n`, "utf8");
+        written.push("CLAUDE.md");
+    }
+}

package/dist/generate/known-unknown.js

@@ -0,0 +1,33 @@
+export function renderKnownUnknown(title, purpose, facts) {
+    const known = facts.filter((f) => f.provenance !== "unknown");
+    const unknown = facts.filter((f) => f.provenance === "unknown");
+    const lines = [`# ${title}`, "", purpose, ""];
+    if (known.length === 0 && unknown.length > 0) {
+        lines.push("## Unknown", "");
+        for (const f of unknown)
+            lines.push(...unknownLines(f));
+        return lines.join("\n").trimEnd() + "\n";
+    }
+    if (known.length) {
+        lines.push("## Known", "");
+        for (const f of known) {
+            const ev = f.evidence.length ? ` (evidence: ${f.evidence.map((e) => `\`${e}\``).join(", ")})` : "";
+            const stale = f.stale ? " _[stale]_" : "";
+            lines.push(`- ${f.statement} — _${f.provenance}, confidence ${f.confidence}_${ev}${stale}`);
+        }
+        lines.push("");
+    }
+    if (unknown.length) {
+        lines.push("## Unknown", "");
+        for (const f of unknown)
+            lines.push(...unknownLines(f));
+    }
+    return lines.join("\n").trimEnd() + "\n";
+}
+function unknownLines(f) {
+    const q = f.value?.question;
+    const out = [`- ${f.statement}`];
+    if (q)
+        out.push(`  - **Ask a human:** ${q}`);
+    return out;
+}

package/dist/generate/skills.js

@@ -0,0 +1,83 @@
+function skillFile(def) {
+    return `---\nname: ${def.name}\ndescription: ${def.description}\n---\n\n${def.body}\n`;
+}
+export function renderSkills(opts) {
+    const qaRiskBody = opts.hasRepoRisk
+        ? [
+            "Answer repo-risk questions using deterministic evidence from QA Radar.",
+            "",
+            "Rules:",
+            "- Use `qa-context/repo-risk.md`.",
+            "- Do not recalculate churn or coverage manually unless data is missing.",
+            "- Do not confuse technical risk with business priority.",
+            "- Mention limitations explicitly.",
+        ].join("\n")
+        : [
+            "Answer repo-risk questions from deterministic evidence.",
+            "",
+            "QA Radar data is **not available** in this repo's context (`repo-risk.md` was not generated).",
+            "Say so plainly and suggest running `qa-boot scan --with-qaradar`. Do not invent risk rankings.",
+        ].join("\n");
+    const defs = [
+        {
+            name: "qa-context",
+            description: "Load and summarize the current QA context for this repo.",
+            body: [
+                "Load and summarize the QA context QA Boot generated.",
+                "",
+                "Rules:",
+                "- Read `qa-context/`.",
+                "- Separate observed, inferred, and unknown facts.",
+                "- Mention any facts marked stale.",
+            ].join("\n"),
+        },
+        {
+            name: "qa-unknowns",
+            description: "Prevent guessing — surface the exact question to ask a human.",
+            body: [
+                "Prevent the agent from guessing about QA/build/release/ownership.",
+                "",
+                "Rules:",
+                "- Check `qa-context/unknowns.md`.",
+                "- If required knowledge is unknown, say so clearly.",
+                "- Surface the exact 'Ask a human' question rather than inventing an answer.",
+            ].join("\n"),
+        },
+        {
+            name: "qa-risk",
+            description: "Answer 'what should I test first' from deterministic repo risk.",
+            body: qaRiskBody,
+        },
+        {
+            name: "qa-release-readiness",
+            description: "Draft release-readiness guidance from known CI/release facts.",
+            body: [
+                "Draft release-readiness guidance based on known facts.",
+                "",
+                "Rules:",
+                "- Use known CI/test/release facts from `qa-context/ci-and-release.md`.",
+                "- Mention unknown release blockers from `qa-context/unknowns.md`.",
+                "- Do not approve a release. Do not invent release gates.",
+            ].join("\n"),
+        },
+        {
+            name: "qa-onboard",
+            description: "Interview a human to capture QA knowledge as told facts via qa-boot tell.",
+            body: [
+                "Interview the human to convert QA unknowns into recorded told facts.",
+                "",
+                "Phases:",
+                "1. Precondition: if `qa-context/` or `qa-context/unknowns.md` is missing, say so and suggest `qa-boot scan`. Do not improvise context.",
+                "2. Gather: if you lack baseline understanding of this repo, build it first — README, docs, repo structure, `qa-context/*.md`, `repo-risk.md` if present. Do not interview from ignorance.",
+                "3. Play back: summarize your understanding to the human and let them correct it. Corrections are capturable answers.",
+                "4. Interview: ask the open unknowns from `qa-context/unknowns.md` one question at a time, anchored in specifics you gathered. Then invite domain knowledge (environments, ownership, release, test data, business priority).",
+                '5. Capture: after each human answer run `qa-boot tell <unknown-id> "<answer>" --by <name>` (or `qa-boot tell "<statement>" --domain <domain> --by <name>` for knowledge with no matching unknown). Record only what the human said or explicitly confirmed — never your own inference.',
+                "6. Wrap: summarize what was captured, list remaining unknowns, and suggest `qa-boot scan` to refresh the generated context files.",
+            ].join("\n"),
+        },
+    ];
+    const out = {};
+    for (const def of defs)
+        out[`.claude/skills/${def.name}/SKILL.md`] = skillFile(def);
+    return out;
+}

package/dist/generate/special-renderers.js

@@ -0,0 +1,99 @@
+export function renderUnknowns(facts) {
+    const unknowns = facts.filter((f) => f.provenance === "unknown");
+    const lines = ["# Unknowns", "", "Knowledge QA Boot could not determine. Ask a human before assuming.", ""];
+    const staleAnswers = new Map(facts
+        .filter((f) => f.provenance === "told" && f.stale && f.answers_unknown)
+        .map((f) => [f.answers_unknown, f]));
+    const byDomain = new Map();
+    for (const f of unknowns) {
+        const list = byDomain.get(f.domain) ?? [];
+        list.push(f);
+        byDomain.set(f.domain, list);
+    }
+    for (const domain of [...byDomain.keys()].sort()) {
+        lines.push(`## ${domain}`, "");
+        for (const f of byDomain.get(domain)) {
+            lines.push(`- ${f.statement}`);
+            const q = f.value?.question;
+            if (q)
+                lines.push(`  - Ask a human: ${q}`);
+            const prev = staleAnswers.get(f.id);
+            if (prev) {
+                lines.push(`  - Previously answered ${prev.last_verified} by ${prev.told_by ?? "unknown"}: "${prev.statement}" — please re-confirm or update via \`qa-boot tell\`.`);
+            }
+        }
+        lines.push("");
+    }
+    return lines.join("\n").trimEnd() + "\n";
+}
+export function renderRepoRisk(facts) {
+    const rq = facts.find((f) => f.id === "repo_quality.high-churn-untested");
+    if (!rq)
+        return null;
+    const v = rq.value;
+    const lines = [
+        "# Repository Risk Summary",
+        "",
+        "Generated from deterministic repo analysis (QA Radar).",
+        "",
+        `Critical: ${v.critical_count} · High: ${v.high_count}`,
+        "",
+        "## Highest-risk areas",
+        "",
+    ];
+    v.top_risky.forEach((m, i) => {
+        lines.push(`${i + 1}. \`${m.path}\` (${m.risk})`);
+        for (const r of m.reasons)
+            lines.push(`   - ${r}`);
+    });
+    lines.push("", "## Important limitation", "", "This is a technical risk view. It does not know business priority, customer impact, ownership, or release criticality unless captured elsewhere in QA context.");
+    return lines.join("\n").trimEnd() + "\n";
+}
+const TITLE = {
+    discoverability: "Discoverability",
+    test_signal: "Test Signal",
+    trust: "Trust",
+    release_readiness: "Release Readiness",
+    quality_ownership: "Quality Ownership",
+    agent_readiness: "Agent Readiness",
+};
+export function renderMaturity(facts) {
+    const dims = facts.filter((f) => f.domain === "maturity");
+    const lines = ["# Maturity", "", "Deterministic rubric scores (0–5).", ""];
+    for (const f of dims) {
+        const v = f.value;
+        const key = f.id.split(".")[1];
+        lines.push(`## ${TITLE[key] ?? key}: ${v.score}/5`, "", v.explanation, "");
+        if (v.evidence.length)
+            lines.push("Evidence:", ...v.evidence.map((e) => `- \`${e}\``), "");
+        if (v.unknowns.length)
+            lines.push("Unknowns:", ...v.unknowns.map((u) => `- ${u}`), "");
+        lines.push(`Next step:`, v.next_step, "");
+    }
+    return lines.join("\n").trimEnd() + "\n";
+}
+export function renderQualityRisks(facts) {
+    const lines = ["# Quality Risks", "", "Synthesis of technical repo risk and explicit unknowns.", ""];
+    const rq = facts.find((f) => f.id === "repo_quality.high-churn-untested");
+    if (rq)
+        lines.push("- Technical repo risk is available — see `repo-risk.md`.");
+    else
+        lines.push("- No QA Radar data; technical repo risk is unknown.");
+    for (const f of facts.filter((x) => x.domain === "repo_quality" && x.provenance === "told")) {
+        lines.push(`- ${f.statement} — _told by ${f.told_by ?? "unknown"}_`);
+    }
+    const unknownCount = facts.filter((f) => f.provenance === "unknown").length;
+    lines.push(`- ${unknownCount} important unknowns recorded — see \`unknowns.md\`.`, "");
+    return lines.join("\n").trimEnd() + "\n";
+}
+export function renderRefreshPolicy(config) {
+    return [
+        "# Refresh Policy",
+        "",
+        `Facts expire after ${config.refresh.default_days} days and are then marked stale.`,
+        "",
+        "Re-run `qa-boot scan` to refresh facts. (V0 marks time-expired facts stale; the",
+        "refresh diff and drop-on-absence rules arrive in V1.)",
+        "",
+    ].join("\n");
+}

package/dist/maturity/rubric.js

@@ -0,0 +1,114 @@
+import { makeFact } from "../core/fact.js";
+const PROVIDER = "maturity-rubric";
+export function scoreMaturity(facts, today) {
+    const ids = facts.map((f) => f.id);
+    const toldAnswers = new Set(facts
+        .filter((f) => f.provenance === "told" && f.answers_unknown && !f.stale)
+        .map((f) => f.answers_unknown));
+    const boost = (score, unknownId) => toldAnswers.has(unknownId) ? Math.min(5, score + 2) : score;
+    const dims = [];
+    // Discoverability
+    {
+        const signals = [
+            ids.includes("repo.readme"),
+            ids.some((i) => i.startsWith("build.command.") || i.startsWith("build.tool.")),
+            ids.some((i) => i.startsWith("ci.system.")),
+            ids.some((i) => i.startsWith("knowledge_sources.docs-dir") || i.startsWith("knowledge_sources.contributing")),
+            ids.some((i) => i.startsWith("agent_permissions.config.")),
+        ];
+        const n = signals.filter(Boolean).length;
+        const score = signals[0] && signals[1] && signals[2] ? (n >= 5 ? 5 : 3) : signals[0] ? 1 : 0;
+        dims.push({
+            id: "maturity.discoverability",
+            score,
+            explanation: "Based on README, build files, CI config, docs, and agent config presence.",
+            evidence: ids.filter((i) => i === "repo.readme" || i.startsWith("build.command.") || i.startsWith("build.tool.") || i.startsWith("ci.system.")),
+            unknowns: n >= 5 ? [] : ["Onboarding docs and/or agent config may be missing."],
+            next_step: "Ensure a README, build instructions, and CI are discoverable.",
+        });
+    }
+    // Test signal
+    {
+        const shape = facts.find((f) => f.id === "test.coverage-shape")?.value;
+        const hasTests = ids.some((i) => i.startsWith("test.framework.")) ||
+            ids.includes("test.directory") ||
+            (shape?.files_with_tests ?? 0) > 0;
+        const runsTests = ids.includes("ci.runs-tests");
+        const coverage = ids.includes("test.coverage-tool") || shape?.coverage_status === "ok";
+        const score = !hasTests ? 0 : coverage && runsTests ? 5 : runsTests ? 3 : 2;
+        dims.push({
+            id: "maturity.test_signal",
+            score,
+            explanation: "Based on test presence, CI running tests, and coverage artifacts.",
+            evidence: ids.filter((i) => i.startsWith("test.")),
+            unknowns: coverage ? [] : ["Coverage freshness is unknown."],
+            next_step: "Confirm tests run in CI and whether coverage is current.",
+        });
+    }
+    // Trust (capped at 2 in V0 — freshness is told knowledge)
+    {
+        // test.coverage-shape is presence, not freshness — excluded from trust by design
+        const coverage = ids.includes("test.coverage-tool");
+        const score = boost(coverage ? 2 : 0, "test_trust.confidence");
+        dims.push({
+            id: "maturity.trust",
+            score,
+            explanation: "Trust depends on coverage freshness and flake handling, which are unknown in V0.",
+            evidence: coverage ? ["test.coverage-tool"] : [],
+            unknowns: ["Coverage freshness unknown.", "Flake handling unknown.", ...(toldAnswers.has("test_trust.confidence") ? [] : ["Team trust in tests unknown."])],
+            next_step: "Capture whether the team trusts the suite and whether coverage is fresh.",
+        });
+    }
+    // Release readiness
+    {
+        const deploy = ids.includes("ci.has-deploy-job");
+        const releaseDocs = ids.some((i) => i.startsWith("knowledge_sources.changelog"));
+        const score = boost(deploy && releaseDocs ? 3 : deploy ? 1 : 0, "release.blocking-gates");
+        dims.push({
+            id: "maturity.release_readiness",
+            score,
+            explanation: "Based on deploy/release jobs and release docs. Blocking gates are unknown in V0.",
+            evidence: ids.filter((i) => i === "ci.has-deploy-job" || i.startsWith("knowledge_sources.changelog")),
+            unknowns: ["Release-blocking rules unknown."],
+            next_step: "Document what blocks a release and who approves it.",
+        });
+    }
+    // Quality ownership
+    {
+        const codeowners = ids.includes("knowledge_sources.codeowners");
+        const template = ids.includes("knowledge_sources.pr-template") || ids.includes("knowledge_sources.issue-template");
+        const score = boost(codeowners && template ? 3 : codeowners || template ? 2 : 0, "ownership.approvers");
+        dims.push({
+            id: "maturity.quality_ownership",
+            score,
+            explanation: "Based on CODEOWNERS and PR/issue templates. Explicit ownership facts are V1.5+.",
+            evidence: ids.filter((i) => i.startsWith("knowledge_sources.codeowners") || i.includes("template")),
+            unknowns: codeowners ? [] : ["Code ownership is unknown."],
+            next_step: "Add CODEOWNERS and confirm approvers for risky areas.",
+        });
+    }
+    // Agent readiness
+    {
+        const config = ids.some((i) => i.startsWith("agent_permissions.config."));
+        const skills = ids.includes("agent_permissions.skills");
+        const score = boost(config && skills ? 3 : config ? 2 : 0, "agent_permissions.boundaries");
+        dims.push({
+            id: "maturity.agent_readiness",
+            score,
+            explanation: "Based on agent config and existing skills. Permission boundaries are told knowledge (V1.5+).",
+            evidence: ids.filter((i) => i.startsWith("agent_permissions.")),
+            unknowns: ["Agent permission boundaries unknown."],
+            next_step: "Define what an AI agent may do in this repo.",
+        });
+    }
+    return dims.map((d) => makeFact({
+        id: d.id,
+        domain: "maturity",
+        statement: `${d.id.split(".")[1]}: ${d.score}/5`,
+        provenance: "inferred",
+        confidence: 0.5,
+        evidence_provider: PROVIDER,
+        evidence: d.evidence,
+        value: { score: d.score, max: 5, explanation: d.explanation, evidence: d.evidence, unknowns: d.unknowns, next_step: d.next_step },
+    }, today));
+}

package/dist/pipeline/run-scan.js

@@ -0,0 +1,53 @@
+import { scanRepo } from "../scanners/repo-scanner.js";
+import { scanTests } from "../scanners/test-scanner.js";
+import { scanCi } from "../scanners/ci-scanner.js";
+import { scanDocs } from "../scanners/docs-scanner.js";
+import { scanBuild } from "../scanners/build-scanner.js";
+import { scanAgentConfig } from "../scanners/agent-config-scanner.js";
+import { repoFacts } from "../domains/repo-facts.js";
+import { testFacts, qaradarTestFacts } from "../domains/test-facts.js";
+import { ciFacts } from "../domains/ci-facts.js";
+import { docsFacts } from "../domains/docs-facts.js";
+import { buildFacts } from "../domains/build-facts.js";
+import { agentFacts } from "../domains/agent-facts.js";
+import { repoQualityFacts } from "../domains/repo-quality-facts.js";
+import { deriveUnknownFacts } from "../unknowns/unknowns.js";
+import { scoreMaturity } from "../maturity/rubric.js";
+import { qaradarProvider } from "../providers/qaradar-provider.js";
+export async function runScan(ctx, today, log = () => { }, priorFacts = []) {
+    const result = await runScanDetailed(ctx, today, log, priorFacts);
+    return result.facts;
+}
+export async function runScanDetailed(ctx, today, log = () => { }, priorFacts = []) {
+    const deterministic = [
+        ...repoFacts(scanRepo(ctx), today),
+        ...testFacts(scanTests(ctx), today),
+        ...ciFacts(scanCi(ctx), today),
+        ...docsFacts(scanDocs(ctx), today),
+        ...buildFacts(scanBuild(ctx), today),
+        ...agentFacts(scanAgentConfig(ctx), today),
+    ];
+    let qaradarRan = false;
+    let qaFacts = [];
+    try {
+        if (await qaradarProvider.isAvailable(ctx)) {
+            const results = await qaradarProvider.collect(ctx);
+            qaFacts = [...repoQualityFacts(results, today), ...qaradarTestFacts(results, today)];
+            qaradarRan = results.length > 0;
+            if (results.length === 0) {
+                log("QA Radar ran but found no usable data (e.g. no commits or no risk signals). Continuing with built-in scanners.");
+            }
+        }
+        else {
+            log("QA Radar not available. Continuing with built-in scanners.");
+        }
+    }
+    catch {
+        log("QA Radar run failed. Continuing with built-in scanners.");
+    }
+    const base = [...deterministic, ...qaFacts, ...priorFacts];
+    const unknowns = deriveUnknownFacts(base, today);
+    const withUnknowns = [...base, ...unknowns];
+    const maturity = scoreMaturity(withUnknowns, today);
+    return { facts: [...withUnknowns, ...maturity], qaradarRan };
+}

package/dist/providers/evidence-provider.js

@@ -0,0 +1 @@
+export {};

package/dist/providers/qaradar-contract.js

@@ -0,0 +1 @@
+export {};

package/dist/providers/qaradar-parse.js

@@ -0,0 +1,51 @@
+export function parseQaradar(report) {
+    const s = report.summary;
+    const results = [];
+    if (report.risky_modules.length || report.untested_files.length) {
+        const topRisky = report.risky_modules
+            .slice()
+            .sort((a, b) => b.risk_score - a.risk_score)
+            .slice(0, 5)
+            .map((m) => ({ path: m.path, risk: m.risk_level, score: m.risk_score, reasons: m.reasons }));
+        results.push({
+            provider: "qaradar",
+            domain: "repo_quality",
+            statement: "QA Radar flagged high-risk and/or untested files.",
+            value: {
+                critical_count: s.critical_risk_count,
+                high_count: s.high_risk_count,
+                files_without_tests: s.files_without_tests,
+                coverage_status: s.coverage_status,
+                top_risky: topRisky,
+                untested_files: report.untested_files.slice(0, 20),
+            },
+            evidence: ["git history", "test-to-source mapping", report.summary.coverage_status === "ok" ? "coverage report" : "no coverage report"],
+            confidence: 0.82,
+            limitations: [
+                "Business criticality is unknown.",
+                "Risk is based on repository signals, not production impact.",
+            ],
+            needsHumanConfirmation: false,
+        });
+    }
+    if (s.source_files > 0) {
+        results.push({
+            provider: "qaradar",
+            domain: "test",
+            statement: "QA Radar mapped tests to source files.",
+            value: {
+                test_to_source_ratio: s.test_to_source_ratio,
+                files_with_tests: s.files_with_tests,
+                files_without_tests: s.files_without_tests,
+                source_files: s.source_files,
+                test_files: s.test_files,
+                coverage_status: s.coverage_status,
+            },
+            evidence: ["qaradar test-to-source mapping"],
+            confidence: 0.8,
+            limitations: ["Mapping is name/convention based, not execution-verified."],
+            needsHumanConfirmation: false,
+        });
+    }
+    return results;
+}