mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
8a83aed9b18cbf477d99650a7e4cdb1cf901669e
stack/packages/mosaic/framework/tools/quality/README.md
Jason Woltje b38cfac760
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
feat: integrate framework files into monorepo under packages/mosaic/framework/ 
Moves all Mosaic framework runtime files from the separate bootstrap repo
into the monorepo as canonical source. The @mosaic/mosaic npm package now
ships the complete framework — bin scripts, runtime configs, tools, and
templates — enabling standalone installation via npm install.

Structure:
  packages/mosaic/framework/
  ├── bin/          28 CLI scripts (mosaic, mosaic-doctor, mosaic-sync-skills, etc.)
  ├── runtime/      Runtime adapters (claude, codex, opencode, pi, mcp)
  ├── tools/        Shell tooling (git, prdy, orchestrator, quality, etc.)
  ├── templates/    Agent and repo templates
  ├── defaults/     Default identity files (AGENTS.md, STANDARDS.md, SOUL.md, etc.)
  ├── install.sh    Legacy bash installer
  └── remote-install.sh  One-liner remote installer

Key files with Pi support and recent fixes:
- bin/mosaic: launch_pi() with skills-local loop
- bin/mosaic-doctor: --fix auto-wiring for all 4 harnesses
- bin/mosaic-sync-skills: Pi as 4th link target, symlink-aware find
- bin/mosaic-link-runtime-assets: Pi settings.json patching
- bin/mosaic-migrate-local-skills: Pi skill roots, symlink find
- runtime/pi/RUNTIME.md + mosaic-extension.ts

Package ships 251 framework files in the npm tarball (278KB compressed).
2026-04-01 21:19:21 -05:00

174 lines
5.2 KiB
Markdown
Raw Blame History

# Quality Rails
Portable quality enforcement for TypeScript, Python, and Node.js projects.
## 🎯 What This Prevents
Based on real-world validation of 50 issues in a production codebase:
- ❌ Hardcoded passwords
- ❌ SQL injection vulnerabilities
- ❌ Type safety violations (`any` types)
- ❌ Missing test coverage
- ❌ Build failures
- ❌ Dependency vulnerabilities
**70% of these issues are prevented mechanically with quality-rails.**
## ⚡ Quick Start (Mosaic)
### New Project
```bash
# Apply template from Mosaic
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/project
# Install dependencies
cd /path/to/project
npm install
# Initialize git hooks
npx husky install
# Verify enforcement is working
~/.config/mosaic/bin/mosaic-quality-verify --target /path/to/project
```
### Existing Project
```bash
# Same as above - works for new or existing projects
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/existing-project
```
## 🛡️ What You Get
**TypeScript strict mode** - All type checks enabled
**ESLint blocking `any` types** - no-explicit-any: error
**Pre-commit hooks** - Type check + lint + format before commit
**Secret scanning (gitleaks)** - Block hardcoded passwords/API keys (pre-commit + CI)
**CI/CD templates** - Woodpecker, GitHub Actions, GitLab
**Test coverage enforcement** - 80% threshold
**Security scanning** - npm audit, OWASP checks
## 📦 Available Templates
| Template | Language | Framework | Status |
| ------------------- | ---------- | ---------------- | -------------- |
| `typescript-node` | TypeScript | Node.js | ✅ Ready |
| `typescript-nextjs` | TypeScript | Next.js | ✅ Ready |
| `monorepo` | TypeScript | TurboRepo + pnpm | ✅ Ready |
| `python` | Python | - | 🚧 Coming Soon |
### Monorepo Template
Perfect for projects combining **Next.js frontend** + **NestJS backend** in one repository.
Features:
- 🎯 **Multi-package aware** - lint-staged only checks changed packages
-**TurboRepo caching** - Faster builds and tests
- 🔀 **Parallel dev servers** - Run web + API simultaneously
- 📦 **pnpm workspaces** - Efficient dependency management
- 🛡️ **Package-specific rules** - Next.js and NestJS get appropriate ESLint configs
Example structure:
```
monorepo/
├── apps/
│ ├── web/ # Next.js frontend
│ └── api/ # NestJS backend
└── packages/
├── shared-types/
├── ui/
└── config/
```
## 🧪 How It Works
### Pre-Commit (Local Enforcement)
```bash
# You try to commit code with a type error
git commit -m "Add feature"
# Quality rails blocks it:
❌ Type error: Type 'number' is not assignable to type 'string'
❌ ESLint: Unexpected any. Specify a different type.
✋ Commit blocked - fix errors and try again
```
### CI/CD (Remote Enforcement)
```yaml
# Woodpecker pipeline runs:
✓ gitleaks (secret scanning — parallel, no deps)
✓ npm audit (dependency security)
✓ eslint (code quality)
✓ tsc --noEmit (type checking)
✓ jest --coverage (tests + coverage)
✓ npm run build (compilation — gates on all above)
# If any step fails, merge is blocked
```
## 🎓 Philosophy
**Process compliance doesn't work.**
Instructing AI agents to "do code review" or "run tests" fails. They claim to follow processes but output quality doesn't match claims.
**Mechanical enforcement works.**
Quality rails don't ask agents to follow processes. They **block commits** that don't pass automated checks.
- Type errors? → **Commit blocked**
- Hardcoded secrets? → **Commit blocked**
- Test failures? → **Commit blocked**
- Missing coverage? → **Commit blocked**
This works for **any agent runtime** (Codex, Claude, OpenCode, Gemini, etc.) because enforcement is mechanical, not instructional.
[Read more: PHILOSOPHY.md](./PHILOSOPHY.md)
## 📖 Documentation
- [TypeScript Setup Guide](./docs/TYPESCRIPT-SETUP.md)
- [CI/CD Configuration](./docs/CI-SETUP.md)
## 🔧 Scripts
| Script | Purpose |
| --------------------- | ----------------------------------------- |
| `scripts/install.sh` | Install template to project (Linux/Mac) |
| `scripts/install.ps1` | Install template to project (Windows) |
| `scripts/verify.sh` | Verify enforcement is working (Linux/Mac) |
| `scripts/verify.ps1` | Verify enforcement is working (Windows) |
## 🚀 Roadmap
- [x] TypeScript/Node template
- [x] Pre-commit enforcement (husky + lint-staged)
- [x] CI/CD templates (Woodpecker, GitHub Actions)
- [x] Installation scripts
- [x] Verification testing
- [x] Next.js template
- [x] Monorepo template
- [ ] Python template
- [ ] Coverage visualization
- [ ] IDE integration (VSCode extension)
## 🤝 Contributing
Quality Rails is based on lessons learned from real production codebases. Contributions welcome!
## 📝 License
MIT License - See LICENSE file for details
## 🙏 Credits
Built to solve real problems discovered in AI-assisted development workflows.
Based on validation findings from a production patch milestone.
Reference in New Issue View Git Blame Copy Permalink