Merge pull request #117 from ProvarTesting/develop

Develop

Author: mrdailey99

.github/workflows/CI_Execution.yml

@@ -124,7 +124,9 @@ jobs:
           sf plugins link .
           yarn run test:nuts
       - name: Archive NUTS results
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: nuts-report-${{ matrix.os }}
           path: mochawesome-report
+          if-no-files-found: warn

.gitignore

@@ -56,5 +56,11 @@ mochawesome-report
 .env.*.local
 
 # Claude
-.claude/skills
-CLAUDE.md
+.claude/
+
+# NitroX schema files — do not commit until IP/licensing confirmed with Provar team
+# See: src/mcp/tools/nitroXTools.ts and plan notes
+src/mcp/rules/FactComponent.schema.json
+src/mcp/rules/FactPackage.schema.json
+FactComponent.schema
+FactPackage.schema

CLAUDE.md

@@ -0,0 +1,94 @@
+# Claude Code — Project Instructions
+
+This file is read automatically by Claude Code at the start of every session. Follow these rules when working in this repo.
+
+---
+
+## Documentation Requirements
+
+**Every PR that adds, modifies, or removes an MCP tool must update documentation.** The full set of places to update:
+
+| What changed | Where to update |
+|---|---|
+| New MCP tool | `docs/mcp.md` (add tool entry with schema + example), `docs/mcp-pilot-guide.md` (add evaluation scenario if user-facing), `README.md` (update tool count if referenced) |
+| Modified tool description / parameters / errors | `docs/mcp.md` (update the relevant tool section) |
+| Removed tool | `docs/mcp.md`, `docs/mcp-pilot-guide.md`, `README.md` |
+| New error code or suggestion field | `docs/mcp.md` (Troubleshooting or Error Codes section) |
+| Security model change (path policy, licence, transport) | `docs/mcp.md` (Security Model section), `docs/mcp-pilot-guide.md` (Security Model section) |
+| New NitroX tool or schema rule | `docs/mcp.md` (NitroX section), `docs/mcp-pilot-guide.md` (Scenario 7) |
+| Smoke test count change | Update `TOTAL_EXPECTED` in `scripts/mcp-smoke.cjs` |
+
+**External / customer-facing docs** (`docs/provar-mcp-public-docs.md`, `docs/university-of-provar-mcp-course.md`) are maintained separately by the Provar team — flag changes that affect public-facing behaviour in your PR description so those can be updated manually.
+
+---
+
+## Test Coverage Requirements
+
+Every PR must include tests for new or changed behaviour:
+
+- **New MCP tool** → unit tests in `test/unit/mcp/<toolGroup>Tools.test.ts` covering: happy path, path policy rejection, missing required fields, and any tool-specific error codes
+- **Modified error handling** → at least one positive test (error path fires) and one negative test (does not fire for non-matching input)
+- **New validation rule** → test that the rule fires correctly and that a valid input passes
+- **Smoke test** → add an entry in `scripts/mcp-smoke.cjs` for each new tool; update `TOTAL_EXPECTED`
+
+Run before every commit:
+```sh
+yarn test:only          # unit tests — must all pass
+node scripts/mcp-smoke.cjs 2>/dev/null   # smoke — must show all PASS
+yarn compile            # TypeScript — must be clean
+```
+
+---
+
+## MCP Tool Authoring Standards
+
+### Tool description quality
+
+Every tool description must answer these questions for an AI agent reading it cold:
+
+1. **What does it do?** (one sentence)
+2. **What prerequisite tools must run first?** (e.g. `config.load` before `metadata.download`)
+3. **What are the correct flags / parameters?** Include a concrete example in the `flags` field description when flags are free-form
+4. **What does a failure mean?** If a known error pattern exists (e.g. `[DOWNLOAD_ERROR]` = auth failure), say so in the description or return a `details.suggestion`
+
+### Field descriptions
+
+- Fields that accept a **string key or password** must say "string value, NOT a file path" if there is any risk of confusion with a path
+- Fields that accept a **file path** must note if the path must be within `--allowed-paths`
+- Optional fields that have a dangerous default (e.g. overwriting existing files) must call that out
+
+### Error responses
+
+- Return `details: { suggestion: '...' }` when a known error pattern maps to a common root cause and there is an actionable fix
+- Never pass `details: {}` — omit `details` entirely when there is nothing extra to say (keeps the response shape stable)
+- Error codes follow `SCREAMING_SNAKE_CASE`; document new codes in `docs/mcp.md`
+
+### Path safety
+
+- Call `assertPathAllowed(path, config.allowedPaths)` on **every** path input before any file operation — not just the output path
+- Use `path.resolve()` before `fs.existsSync` / `fs.readFileSync` / `fs.writeFileSync`
+- Never construct shell commands from user input; use `spawnSync` with an args array
+
+---
+
+## Branch and PR Conventions
+
+- Feature branches off `develop`: `feature/<description>`
+- Bug/fix branches off `develop`: `fix/<description>`
+- Release branches off `develop`: `release-v<semver>`
+- PRs target `develop`; releases are merged develop → main
+- Version in `package.json` follows `<major>.<minor>.<patch>-beta.<n>` on develop
+- Bump the beta suffix (`beta.N → beta.N+1`) on any PR that triggers a publish
+
+---
+
+## Lint
+
+The project uses ESLint with `@typescript-eslint` strict rules. Common gotchas:
+
+- `complexity` max is **20** — extract helpers if a function grows past that
+- `no-unsafe-assignment` / `no-unsafe-call` — cast through `unknown` not `any`
+- `no-unnecessary-type-assertion` — TypeScript narrows after `typeof x === 'string'` checks; remove the redundant cast
+- `camelcase` — `nitroX` is valid camelCase (capital X starts the next word)
+
+CI runs lint as part of `sf-prepack` — do not skip with `--no-verify` on the final merge commit.

README.md

@@ -3,17 +3,20 @@
 [![Version](https://img.shields.io/npm/v/@provartesting/provardx-cli.svg)](https://npmjs.org/package/@provartesting/provardx-cli)
 [![Downloads/week](https://img.shields.io/npm/dw/@provartesting/provardx-cli.svg)](https://npmjs.org/package/@provartesting/provardx-cli)
 [![License](https://img.shields.io/npm/l/@provartesting/provardx-cli.svg)](https://github.com/ProvarTesting/provardx-cli/blob/main/LICENSE.md)
+[![Get Access](https://img.shields.io/badge/Quality%20Hub%20API-Get%20Access-blue)](https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access)
 
 # What is the ProvarDX CLI?
 
 The Provar DX CLI is a Salesforce CLI plugin for Provar customers who want to automate the execution of tests using Provar Automation, and the reporting of test results and other quality-related metrics to Provar Quality Hub.
 
 # Installation, Update, and Uninstall
 
+**Requires Node.js 18–24 (LTS 22 recommended).** Node 25+ is not yet supported due to a breaking change in a transitive dependency. Check with `node --version`.
+
 Install the plugin
 
 ```sh-session
-$ sf plugins install @provartesting/provardx-cli
+$ sf plugins install @provartesting/provardx-cli@beta
 ```
 
 Update plugins
@@ -30,33 +33,56 @@ $ sf plugins uninstall @provartesting/provardx-cli
 
 # MCP Server (AI-Assisted Quality)
 
-The Provar DX CLI includes a built-in **Model Context Protocol (MCP) server** that connects AI assistants (Claude Desktop, Claude Code, Cursor) directly to your Provar project. Once connected, an AI agent can inspect your project structure, generate Page Objects and test cases, and validate every level of the test hierarchy with quality scores that match the Provar Quality Hub API.
+The Provar DX CLI includes a built-in **Model Context Protocol (MCP) server** that connects AI assistants (Claude Desktop, Claude Code, Cursor) directly to your Provar project. Once connected, an AI agent can inspect your project structure, generate Page Objects and test cases, validate every level of the test hierarchy with quality scores, and work with NitroX (Hybrid Model) component page objects for LWC, Screen Flow, Industry Components, Experience Cloud, and HTML5.
+
+Validation runs in two modes: **local only** (structural rules, no key required) or **Quality Hub API** (170+ rules, quality scoring — requires a `pv_k_` API key). Don't have an account? **[Request access](https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access)**.
+
+## Quick setup
+
+**Requires:** Provar Automation IDE installed with an activated license.
 
 ```sh
-sf provar mcp start --allowed-paths /path/to/your/provar/project
+# 1. Install the plugin (if not already installed)
+sf plugins install @provartesting/provardx-cli@beta
+
+# 2. (Optional) Authenticate for full 170+ rule validation
+sf provar auth login
 ```
 
-📖 **See [docs/mcp.md](https://github.com/ProvarTesting/provardx-cli/blob/main/docs/mcp.md) for full setup and tool documentation.**
+**Claude Code** — run once to register the server:
 
-## License Validation
+```sh
+claude mcp add provar -s user -- sf provar mcp start --allowed-paths /path/to/your/provar/project
+```
 
-The MCP server verifies your Provar license before accepting any connections. Validation is automatic — no extra flags are required for standard usage.
+**Claude Desktop** — add to your config file and restart the app:
 
-**How it works:**
+- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
+- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
 
-1. **Auto-detection** — the server reads `~/Provar/.licenses/*.properties` (the same files written by Provar's IDE plugins). If a valid, activated license is found the server starts immediately.
-2. **Cache** — successful validations are cached at `~/Provar/.licenses/.mcp-license-cache.json` (2 h TTL). Subsequent starts within the TTL window skip the disk scan.
-3. **Grace fallback** — if the IDE license files cannot be found or read and the cache is stale (but ≤ 48 h old), the server starts with a warning on stderr using the cached result so CI pipelines are not broken by transient local file-access issues.
-4. **Fail closed** — if no valid license is detected the command exits with a non-zero exit code and a clear error message.
+```json
+{
+  "mcpServers": {
+    "provar": {
+      "command": "sf",
+      "args": ["provar", "mcp", "start", "--allowed-paths", "/path/to/your/provar/project"]
+    }
+  }
+}
+```
 
-**`NODE_ENV=test` fast-path:**
+> **Windows (Claude Desktop):** Use `sf.cmd` instead of `sf` if the server fails to start.
 
-When `NODE_ENV=test` the validation step is skipped entirely. This is intended only for the plugin's own unit-test suite.
+📖 **[docs/mcp.md](https://github.com/ProvarTesting/provardx-cli/blob/main/docs/mcp.md) — full setup, all 35+ tools, troubleshooting.**
 
 ---
 
 # Commands
 
+- [`sf provar auth login`](#sf-provar-auth-login)
+- [`sf provar auth rotate`](#sf-provar-auth-rotate)
+- [`sf provar auth status`](#sf-provar-auth-status)
+- [`sf provar auth clear`](#sf-provar-auth-clear)
 - [`sf provar mcp start`](#sf-provar-mcp-start)
 - [`sf provar config get`](#sf-provar-config-get)
 - [`sf provar config set`](#sf-provar-config-set)
@@ -84,6 +110,99 @@ When `NODE_ENV=test` the validation step is skipped entirely. This is intended o
 - [`sf provar manager test run report`](#sf-provar-manager-test-run-report) _(deprecated — use `sf provar quality-hub test run report`)_
 - [`sf provar manager test run abort`](#sf-provar-manager-test-run-abort) _(deprecated — use `sf provar quality-hub test run abort`)_
 
+## `sf provar auth login`
+
+Log in to Provar Quality Hub and store your API key.
+
+```
+USAGE
+  $ sf provar auth login [--url <value>]
+
+FLAGS
+  --url=<value>  Override the Quality Hub API base URL (for non-production environments).
+
+DESCRIPTION
+  Opens a browser to the Provar login page. After you authenticate, your API key is
+  stored at ~/.provar/credentials.json and used automatically by the Provar MCP tools
+  and CI/CD integrations. The key is valid for approximately 90 days.
+
+  For CI/CD pipelines (GitHub Actions, Jenkins, etc.) where a browser cannot open:
+  run sf provar auth login once on your local machine, copy the api_key value from
+  ~/.provar/credentials.json, and store it as the PROVAR_API_KEY environment variable
+  or secret in your pipeline. Rotate the secret every ~90 days when the key expires.
+
+  Don't have an account? Request access at:
+  https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access
+
+EXAMPLES
+  Log in interactively:
+
+    $ sf provar auth login
+
+  Log in against a staging environment:
+
+    $ sf provar auth login --url https://dev.api.example.com
+```
+
+## `sf provar auth rotate`
+
+Rotate your stored API key without re-authenticating via browser.
+
+```
+USAGE
+  $ sf provar auth rotate
+
+DESCRIPTION
+  Exchanges your current pv_k_ key for a new one atomically. The old key is
+  invalidated immediately. The new key is written to ~/.provar/credentials.json.
+
+  Use this to rotate your key on a regular schedule (~every 90 days) without
+  going through the browser login flow. If your current key is already expired,
+  run sf provar auth login instead.
+
+EXAMPLES
+  Rotate the stored API key:
+
+    $ sf provar auth rotate
+```
+
+## `sf provar auth status`
+
+Show the current API key configuration and validate it against Quality Hub.
+
+```
+USAGE
+  $ sf provar auth status
+
+DESCRIPTION
+  Reports whether an API key is configured, where it came from (environment variable
+  or credentials file), and performs a live check against the Quality Hub API to
+  confirm the key is still valid.
+
+EXAMPLES
+  Check auth status:
+
+    $ sf provar auth status
+```
+
+## `sf provar auth clear`
+
+Remove the stored API key.
+
+```
+USAGE
+  $ sf provar auth clear
+
+DESCRIPTION
+  Deletes ~/.provar/credentials.json and revokes the key server-side. After clearing,
+  the MCP tools fall back to local validation mode. Has no effect if no key is stored.
+
+EXAMPLES
+  Remove the stored key:
+
+    $ sf provar auth clear
+```
+
 ## `sf provar mcp start`
 
 Start a local MCP server for Provar tools over stdio transport.
@@ -136,6 +255,11 @@ TOOLS EXPOSED
   provar.testplan.add-instance         — wire a test case into a plan suite by writing a .testinstance file
   provar.testplan.create-suite         — create a new test suite directory with .planitem inside a plan
   provar.testplan.remove-instance      — remove a .testinstance file from a plan suite
+  provar.nitrox.discover               — discover projects containing NitroX (Hybrid Model) page objects
+  provar.nitrox.read                   — read NitroX .po.json files and return parsed content
+  provar.nitrox.validate               — validate a NitroX .po.json against schema rules
+  provar.nitrox.generate               — generate a new NitroX .po.json from a component description
+  provar.nitrox.patch                  — apply a JSON merge-patch to an existing NitroX .po.json file
 
 EXAMPLES
   Start MCP server (accepts stdio connections from Claude Desktop / Cursor):