qa360 2.2.18 → 2.2.20

package/cli/CHANGELOG.md

@@ -0,0 +1,84 @@
+# Changelog
+
+All notable changes to QA360 Proof CLI will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.0] - 2025-10-26
+
+### Added
+- **AJV 2020-12 Support**: Full JSON Schema Draft 2020-12 validation (RFC-compliant)
+- **CI Matrix**: 9-job validation matrix (3 OS × 3 Node versions)
+- **Comprehensive Tests**: 11 unit tests + 3 smoke tests
+- **Cross-platform Build**: Automated build script with OS detection
+- **Dependency Lock**: Frozen AJV versions (anti-regression)
+- **CI Badges**: Status badges in README
+
+### Changed
+- **Schema Validation**: Migrated from draft-07 to draft-2020-12
+- **Build System**: Idempotent cross-platform build script
+- **prepublishOnly**: Added doctor --strict validation before publish
+
+### Fixed
+- **ESM Imports**: Fixed AJV 2020 import for Node.js ESM compatibility
+- **Schema Path**: Corrected import paths in test files
+
+### Security
+- **Provenance**: Added npm provenance for supply chain security
+- **Dependency Freeze**: Locked ajv@8.17.1, ajv-formats@2.1.1, ajv-draft-04@1.0.0
+
+## [1.1.0-rc] - 2025-10-25
+
+### Added
+- **Initial Release Candidate**: First public release
+- **Commands**: `doctor`, `verify`
+- **Flags**: `--json`, `--strict`, `--verbose`
+- **Documentation**: Complete guides and examples
+
+### Features
+- 🔒 **Local-first**: 100% offline, no network dependencies
+- 🔐 **Cryptographic trust**: Ed25519 signatures, SHA-256 hashing
+- 🌍 **Cross-OS**: Windows, macOS, Linux validated
+- ⚡ **Zero friction**: Auto-generates keys
+- 
+
+## [Unreleased]
+
+### Planned
+- RFC 3161 TSA timestamp support (Phase 6)
+- W3C DID / Sigstore identity (Phase 6)
+- Revocation mechanism (Phase 6)
+- Compliance metadata (Phase 6)
+
+---
+
+## Version History
+
+- **1.1.0** (2025-10-26): Stable release with AJV 2020-12 + CI lockdown
+- **1.1.0-rc** (2025-10-25): Release candidate
+- **0.9.0-core** (2025-10-24): Internal development version
+
+---
+
+## Quick Validation
+
+```bash
+# Install
+npm i -g @qa360/cli@1.1.0
+
+# Verify version
+qa360 --version
+
+# System check
+qa360 doctor --strict
+
+# Verify proof
+qa360 verify examples/proofs/httpbin-proof.json --json
+```
+
+**Expected**: All commands succeed, proof validates correctly.
+
+---
+
+For detailed changes, see [GitHub Releases](https://github.com/qa360/qa360/releases).

package/cli/LICENSE

@@ -0,0 +1,24 @@
+Business Source License 1.1
+
+Licensor: XyqoTech
+Licensed Work: QA360 Cloud Preview
+Change Date: 2027-10-01
+Change License: MIT
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently in effect as described in this License, you must purchase a commercial license from the Licensor, its affiliated entities, or authorized resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of the Licensed Work, are subject to this License. This License applies separately for each version of the Licensed Work and the Change Date may vary for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy of the Licensed Work. If you receive the Licensed Work in original or modified form from a third party, the terms and conditions set forth in this License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically terminate your rights under this License for the current and all other versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor or its affiliates (provided that you may use a trademark or logo of Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.

package/cli/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "qa360",
+  "version": "2.2.15",
+  "description": "QA360 Proof CLI - Quality as Cryptographic Proof",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "qa360": "bin/qa360.js"
+  },
+  "files": [
+    "dist",
+    "bin",
+    "README.md",
+    "LICENSE",
+    "examples"
+  ],
+  "scripts": {
+    "build": "tsc --project tsconfig.bundle.json",
+    "build:pkg": "tsc",
+    "build:bundle": "bash scripts/bundle-for-npm.sh",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "dev": "tsx watch src/index.ts",
+    "clean": "rimraf dist src/core",
+    "prepack": "node scripts/validate-package.js",
+    "prepublishOnly": "npm run build:bundle && sed -i.bak 's/\"qa360-core\": \"workspace:\\*\",//g' package.json && rm -f package.json.bak",
+    "postpublish": "git checkout package.json 2>/dev/null || true",
+    "publish:dry": "npm run build:bundle && sed -i.bak 's/\"qa360-core\": \"workspace:\\*\",//g' package.json && npm publish --dry-run; git checkout package.json",
+    "publish:real": "npm run build:bundle && npm publish --access public --provenance"
+  },
+  "dependencies": {
+    "@playwright/test": "^1.49.0",
+    "adm-zip": "^0.5.16",
+    "ajv": "^8.17.1",
+    "ajv-draft-04": "^1.0.0",
+    "ajv-formats": "^2.1.1",
+    "chalk": "^4.1.2",
+    "cli-table3": "^0.6.5",
+    "commander": "^11.0.0",
+    "glob": "^10.4.5",
+    "inquirer": "^8.2.7",
+    "js-yaml": "^4.1.0",
+    "ollama": "^0.5.1",
+    "ora": "^5.4.1",
+    "playwright": "^1.57.0",
+    "qa360-core": "workspace:*",
+    "sqlite3": "^5.1.6",
+    "tweetnacl": "^1.0.3"
+  },
+  "devDependencies": {
+    "@types/adm-zip": "^0.5.7",
+    "@types/inquirer": "^9.0.9",
+    "@vitest/coverage-v8": "1.6.0",
+    "tsx": "^4.0.0",
+    "vitest": "1.6.0"
+  },
+  "keywords": [
+    "qa360",
+    "cli",
+    "testing",
+    "proof"
+  ],
+  "author": "QA360 Core Team",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/xyqotech/qa360.git",
+    "directory": "cli"
+  },
+  "homepage": "https://github.com/xyqotech/qa360",
+  "bugs": {
+    "url": "https://github.com/xyqotech/qa360/issues"
+  }
+}

package/core/LICENSE

@@ -0,0 +1,24 @@
+Business Source License 1.1
+
+Licensor: XyqoTech
+Licensed Work: QA360 Cloud Preview
+Change Date: 2027-10-01
+Change License: MIT
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly available distribution of a specific version of the Licensed Work under this License, whichever comes first, the Licensor hereby grants you rights under the terms of the Change License, and the rights granted in the paragraph above terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently in effect as described in this License, you must purchase a commercial license from the Licensor, its affiliated entities, or authorized resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of the Licensed Work, are subject to this License. This License applies separately for each version of the Licensed Work and the Change Date may vary for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy of the Licensed Work. If you receive the Licensed Work in original or modified form from a third party, the terms and conditions set forth in this License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically terminate your rights under this License for the current and all other versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor or its affiliates (provided that you may use a trademark or logo of Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE.

package/core/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "qa360-core",
+  "version": "2.2.6",
+  "description": "QA360 Core Engine - Proof generation, signatures, and evidence vault",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./proof": {
+      "types": "./dist/proof/index.d.ts",
+      "import": "./dist/proof/index.js"
+    },
+    "./pack/validator": {
+      "types": "./dist/pack/validator.d.ts",
+      "import": "./dist/pack/validator.js"
+    },
+    "./pack/migrator": {
+      "types": "./dist/pack/migrator.d.ts",
+      "import": "./dist/pack/migrator.js"
+    },
+    "./types/pack-v1": {
+      "types": "./dist/types/pack-v1.d.ts",
+      "import": "./dist/types/pack-v1.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc -b",
+    "build:pkg": "tsc",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "test:schema": "node src/proof/__tests__/schema-validation-manual.mjs",
+    "clean": "rimraf dist"
+  },
+  "dependencies": {
+    "ajv": "^8.17.1",
+    "ajv-draft-04": "^1.0.0",
+    "ajv-formats": "^2.1.1",
+    "chalk": "^4.1.2",
+    "glob": "^10.4.5",
+    "js-yaml": "^4.1.0",
+    "ollama": "^0.5.1",
+    "sqlite3": "^5.1.6",
+    "tweetnacl": "^1.0.3"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.0.0",
+    "@vitest/coverage-v8": "1.6.0",
+    "msw": "1",
+    "playwright": "^1.57.0",
+    "vitest": "1.6.0"
+  },
+  "keywords": [
+    "qa360",
+    "core",
+    "proof",
+    "signature",
+    "vault"
+  ],
+  "author": "QA360 Core Team",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/xyqotech/qa360.git",
+    "directory": "core"
+  },
+  "homepage": "https://github.com/xyqotech/qa360",
+  "bugs": {
+    "url": "https://github.com/xyqotech/qa360/issues"
+  }
+}

package/package.json

@@ -1,8 +1,9 @@
 {
   "name": "qa360",
-  "version": "2.2.18",
+  "version": "2.2.20",
   "description": "Transform software testing into verifiable, signed, and traceable proofs",
   "type": "module",
+  "packageManager": "pnpm@9.12.2",
   "engines": {
     "node": ">=18.20.0"
   },
@@ -23,11 +24,37 @@
     "QUICK_START.md",
     "package.json"
   ],
+  "scripts": {
+    "build": "tsc --build tsconfig.build.json",
+    "build:pkg": "tsc",
+    "docs": "typedoc --skipErrorChecking",
+    "docs:serve": "typedoc --skipErrorChecking --serve",
+    "test": "pnpm -r run test",
+    "test:core": "cd core && pnpm test",
+    "test:cli": "cd cli && pnpm test",
+    "test:e2e": "vitest run --config e2e/vitest.config.ts",
+    "test:examples": "node scripts/validate-examples.mjs",
+    "test:all": "npm run type-check && npm run test && npm run test:examples",
+    "lint": "eslint . --ext .ts,.js",
+    "lint:fix": "eslint . --ext .ts,.js --fix",
+    "type-check": "tsc --build tsconfig.build.json --force",
+    "dev": "tsx watch cli/src/index.ts",
+    "clean": "rm -rf dist/ */dist/ **/dist/",
+    "clean:all": "pnpm clean && find . -name '.tmp-test-*' -type d -exec rm -rf {} + 2>/dev/null; find . -name '.qa360' -type d -exec rm -rf {} + 2>/dev/null; find . -name '*.tsbuildinfo' -delete 2>/dev/null; echo 'All artifacts cleaned'",
+    "version:sync": "node scripts/sync-version.mjs",
+    "prepare": "husky install",
+    "install:mcp": "bash scripts/install-mcp.sh"
+  },
   "workspaces": [
     "cli",
     "core",
     "packages/*"
   ],
+  "pnpm": {
+    "overrides": {
+      "ajv": "^8.17.1"
+    }
+  },
   "dependencies": {
     "@playwright/test": "^1.49.0",
     "adm-zip": "^0.5.16",
@@ -46,7 +73,7 @@
     "sqlite3": "^5.1.6",
     "table": "^6.9.0",
     "tweetnacl": "^1.0.3",
-    "qa360-core": "^2.2.4"
+    "qa360-core": "^2.2.6"
   },
   "devDependencies": {
     "@playwright/test": "^1.56.1",
@@ -81,25 +108,5 @@
   "homepage": "https://qa360.dev",
   "bugs": {
     "url": "https://github.com/xyqotech/qa360/issues"
-  },
-  "scripts": {
-    "build": "tsc --build tsconfig.build.json",
-    "build:pkg": "tsc",
-    "docs": "typedoc --skipErrorChecking",
-    "docs:serve": "typedoc --skipErrorChecking --serve",
-    "test": "pnpm -r run test",
-    "test:core": "cd core && pnpm test",
-    "test:cli": "cd cli && pnpm test",
-    "test:e2e": "vitest run --config e2e/vitest.config.ts",
-    "test:examples": "node scripts/validate-examples.mjs",
-    "test:all": "npm run type-check && npm run test && npm run test:examples",
-    "lint": "eslint . --ext .ts,.js",
-    "lint:fix": "eslint . --ext .ts,.js --fix",
-    "type-check": "tsc --build tsconfig.build.json --force",
-    "dev": "tsx watch cli/src/index.ts",
-    "clean": "rm -rf dist/ */dist/ **/dist/",
-    "clean:all": "pnpm clean && find . -name '.tmp-test-*' -type d -exec rm -rf {} + 2>/dev/null; find . -name '.qa360' -type d -exec rm -rf {} + 2>/dev/null; find . -name '*.tsbuildinfo' -delete 2>/dev/null; echo 'All artifacts cleaned'",
-    "version:sync": "node scripts/sync-version.mjs",
-    "install:mcp": "bash scripts/install-mcp.sh"
   }
-}
+}