Files
stack/packages/mosaic/framework/tools/quality
Hermes Agent af627e7583
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
fix(fleet): harden #791 upgrade rollback against find/reset failures
Second- and third-round independent-review reliability fixes on the keep-mode
upgrade rollback path, plus accurate abort messaging. All fixed red-first with
self-verifying controls in the rollback gate.

Round 2 (blockers A/B, should-fix C):
- install.sh: `trap 'restore_snapshot; exit 1' ERR INT TERM` so an INT/TERM
  mid-sync terminates instead of resuming past the interrupt and reporting
  success (a bash signal handler that only returns does not terminate).
- manifest.{ts,sh}: reject a degenerate [framework] section whose entries are
  all empty or bare-dot (`/`, `./`, `.`, `..`) — it passed the non-empty guard
  yet yielded zero usable globs, silently resolving everything to operator.
  Parity via a shared `[^/.]` usable-glob test; TS throws ManifestError.
- finalize.ts: classify the sync-abort message — a ManifestError is a pre-sync
  validation abort ("no files were changed"); any other error may be partial.

Round 3 (blockers D1, D2):
- install.sh: enumerate framework files with a checked temp file (_scan_or_die)
  instead of `< <(find …)` — process substitution discards find's exit status,
  so an EACCES/I/O failure mid-scan would truncate the file list yet leave the
  loop exiting 0, committing a partial upgrade as success (ERR trap never fires).
- install.sh: guard the `rm -rf; mkdir -p` target reset inside restore_snapshot
  — a bare reset failing under set -e exits silently after partial deletion,
  never printing the snapshot-recovery pointer. Now checked like the cp -a
  restore: on failure it preserves the snapshot and tells the operator where.

Tests: rollback gate 14→28 (Parts C/D/E with disabled-guard controls);
new finalize-sync-abort.spec.ts (3). No secret value is ever emitted; snapshots
stay 0700. Gates green: typecheck, lint, format:check, full mosaic vitest 1094,
HARD GATE 193, rollback 28, migration 21.

Refs #791

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-16 17:30:19 -05:00
..

Quality Rails

Portable quality enforcement for TypeScript, Python, and Node.js projects.

🎯 What This Prevents

Based on real-world validation of 50 issues in a production codebase:

  • Hardcoded passwords
  • SQL injection vulnerabilities
  • Type safety violations (any types)
  • Missing test coverage
  • Build failures
  • Dependency vulnerabilities

70% of these issues are prevented mechanically with quality-rails.

Quick Start (Mosaic)

New Project

# Apply template from Mosaic
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/project

# Install dependencies
cd /path/to/project
npm install

# Initialize git hooks
npx husky install

# Verify enforcement is working
~/.config/mosaic/bin/mosaic-quality-verify --target /path/to/project

Existing Project

# Same as above - works for new or existing projects
~/.config/mosaic/bin/mosaic-quality-apply --template typescript-node --target /path/to/existing-project

🛡️ What You Get

TypeScript strict mode - All type checks enabled ESLint blocking any types - no-explicit-any: error Pre-commit hooks - Type check + lint + format before commit Secret scanning (gitleaks) - Block hardcoded passwords/API keys (pre-commit + CI) CI/CD templates - Woodpecker, GitHub Actions, GitLab Test coverage enforcement - 80% threshold Security scanning - npm audit, OWASP checks

📦 Available Templates

Template Language Framework Status
typescript-node TypeScript Node.js Ready
typescript-nextjs TypeScript Next.js Ready
monorepo TypeScript TurboRepo + pnpm Ready
python Python - 🚧 Coming Soon

Monorepo Template

Perfect for projects combining Next.js frontend + NestJS backend in one repository.

Features:

  • 🎯 Multi-package aware - lint-staged only checks changed packages
  • TurboRepo caching - Faster builds and tests
  • 🔀 Parallel dev servers - Run web + API simultaneously
  • 📦 pnpm workspaces - Efficient dependency management
  • 🛡️ Package-specific rules - Next.js and NestJS get appropriate ESLint configs

Example structure:

monorepo/
├── apps/
│   ├── web/    # Next.js frontend
│   └── api/    # NestJS backend
└── packages/
    ├── shared-types/
    ├── ui/
    └── config/

🧪 How It Works

Pre-Commit (Local Enforcement)

# You try to commit code with a type error
git commit -m "Add feature"

# Quality rails blocks it:
❌ Type error: Type 'number' is not assignable to type 'string'
❌ ESLint: Unexpected any. Specify a different type.
✋ Commit blocked - fix errors and try again

CI/CD (Remote Enforcement)

# Woodpecker pipeline runs:
✓ gitleaks (secret scanning — parallel, no deps)
✓ npm audit (dependency security)
✓ eslint (code quality)
✓ tsc --noEmit (type checking)
✓ jest --coverage (tests + coverage)
✓ npm run build (compilation — gates on all above)
# If any step fails, merge is blocked

🎓 Philosophy

Process compliance doesn't work.

Instructing AI agents to "do code review" or "run tests" fails. They claim to follow processes but output quality doesn't match claims.

Mechanical enforcement works.

Quality rails don't ask agents to follow processes. They block commits that don't pass automated checks.

  • Type errors? → Commit blocked
  • Hardcoded secrets? → Commit blocked
  • Test failures? → Commit blocked
  • Missing coverage? → Commit blocked

This works for any agent runtime (Codex, Claude, OpenCode, Gemini, etc.) because enforcement is mechanical, not instructional.

Read more: PHILOSOPHY.md

📖 Documentation

🔧 Scripts

Script Purpose
scripts/install.sh Install template to project (Linux/Mac)
scripts/install.ps1 Install template to project (Windows)
scripts/verify.sh Verify enforcement is working (Linux/Mac)
scripts/verify.ps1 Verify enforcement is working (Windows)

🚀 Roadmap

  • TypeScript/Node template
  • Pre-commit enforcement (husky + lint-staged)
  • CI/CD templates (Woodpecker, GitHub Actions)
  • Installation scripts
  • Verification testing
  • Next.js template
  • Monorepo template
  • Python template
  • Coverage visualization
  • IDE integration (VSCode extension)

🤝 Contributing

Quality Rails is based on lessons learned from real production codebases. Contributions welcome!

📝 License

MIT License - See LICENSE file for details

🙏 Credits

Built to solve real problems discovered in AI-assisted development workflows.

Based on validation findings from a production patch milestone.