feat: add github actions ci and core package tests

[0xAxiom]

What's Changed

This PR addresses critical infrastructure and testing gaps identified during the AppFactory code review.

🚀 Added

• GitHub Actions CI workflow with comprehensive testing

  • Multi-node testing (Node.js 18.x, 20.x, 22.x)
  • Lint, format, type-check validation
  • Dependency audit and security checks
  • Build verification for CLI and dapp-factory packages

• Unit tests for core package configuration loader

  • Tests for loadPipelineConfig, loadRalphConfig, loadValidationConfig
  • Tests for discoverPipelineConfig functionality
  • Tests for default configuration generators
  • Comprehensive error handling validation (20+ test cases)

• CHANGELOG.md for better release tracking and version history

🔧 Updated Dependencies

• @vitest/coverage-v8: 4.0.18 → 4.1.0
• lint-staged: 16.2.7 → 16.4.0
• typescript-eslint: 8.55.0 → 8.57.1

🏗️ Benefits

• Prevents regressions through automated CI on every PR
• Validates core functionality that was previously untested
• Security improvements with automated dependency auditing
• Professional release management with changelog tracking

✅ Testing

• All existing tests continue to pass
• New core package tests have 100% coverage of config loader functions
• CI workflow tested locally with successful runs

📋 Addresses Review Findings

• ✅ High Priority: Missing CI/CD pipeline
• ✅ High Priority: Core package lacks tests
• ✅ Medium Priority: Outdated dependencies
• ✅ Low Priority: Missing CHANGELOG.md

This establishes the foundation for reliable automated testing and quality assurance as AppFactory scales.

In general, to fix insecure temporary file usage, avoid manually constructing paths under os.tmpdir() and instead use a well-tested library (such as tmp) that provides race-free, securely permissioned temporary directories/files. These libraries atomically create a unique directory or file with appropriate permissions and return its path, eliminating the need to generate names yourself based on timestamps or PIDs.

For this specific test file, the best fix is to change setupTestDir so it uses tmp to create a secure temporary directory instead of join(tmpdir(), ...) and mkdirSync. We can import tmp at the top of the file, configure it to automatically remove created directories on process exit, and then have setupTestDir call tmp.dirSync({ unsafeCleanup: true }). That call returns an object with a unique directory name that is created securely; we store that in testDir and return it. The rest of the test logic (creating pipeline.json within that directory and cleaning it up with cleanupTestDir) can remain unchanged, because testDir is still just a path to a directory. No behavior visible to the tests changes, other than using a more robust directory creation mechanism.

Concretely:

• In core/src/__tests__/config-loader.test.js, add import tmp from 'tmp'; alongside the other imports.
• Immediately after importing tmp, call tmp.setGracefulCleanup(); so that temporary directories are removed even if tests exit unexpectedly (this is a safe enhancement).
• Replace the body of setupTestDir to create the directory with tmp.dirSync({ unsafeCleanup: true }) and assign its .name to testDir instead of building it with tmpdir() and mkdirSync.
• Leave cleanupTestDir as-is; it will still remove testDir if it exists. (This is slightly redundant with unsafeCleanup/setGracefulCleanup, but harmless and preserves existing semantics.)

General fix: avoid manually constructing paths under os.tmpdir() with predictable names. Instead, use a secure temporary directory/file creation primitive that (a) ensures the path does not already exist and (b) sets appropriate, restrictive permissions. In Node.js, fs.mkdtempSync(prefix) is the standard way to securely create a unique temporary directory under the OS temp directory. For temp files, a library like tmp is appropriate, but here we only need directories.

Best fix here: change setupTestDir so that it uses mkdtempSync with tmpdir() as the parent directory, rather than concatenating tmpdir() with a Date.now()-based name and calling mkdirSync. This keeps functionality identical (a fresh temporary directory for each test run, cleaned up afterwards) while making creation race-free and non-predictable. We can do this by:

• Extending the existing node:fs import to include mkdtempSync.
• Updating setupTestDir to compute a prefix via join(tmpdir(), 'appfactory-test-') and call mkdtempSync on it.
• Storing the resulting directory path to testDir as before, so cleanupTestDir keeps working unchanged.

All changes are confined to core/src/__tests__/config-loader.test.js, specifically around the imports and the setupTestDir function (lines 7–29 in the snippet).

To fix this, we should stop constructing a temp directory using tmpdir() plus a predictable suffix. Instead, we should use a library that creates a unique, securely permissioned temporary directory (e.g., tmp.dirSync()) and then use that directory as the test workspace. This removes the predictability and race conditions associated with mkdirSync on a name we compute ourselves.

Concretely, in core/src/__tests__/config-loader.test.js:

• Add an import for the tmp package.
• Update setupTestDir so that it calls tmp.dirSync({ unsafeCleanup: true }) (or just tmp.dirSync() if we don’t want automatic cleanup) and stores the created directory path in testDir. We should keep the existing cleanupTestDir logic, as it uses rmSync and matches the rest of the test patterns; we’ll only change how testDir is created.
• Remove the direct use of tmpdir() and the template string appfactory-test-${Date.now()} within setupTestDir, replacing them with the path returned by tmp.dirSync().

No other test logic needs to change: tests already call setupTestDir() and cleanupTestDir(), so the behavior (using a dedicated temp directory per test run) is preserved while making the underlying directory creation secure.

In general, the way to fix this is to avoid manually constructing paths under os.tmpdir() with predictable names, and instead delegate the creation of temporary files or directories to a library that uses secure, unique names and appropriate permissions. In Node.js, the tmp package is a well‑known option that provides tmp.dirSync() and tmp.fileSync() for this purpose.

For this specific file, the best fix with minimal behavioral change is:

• Import the tmp library alongside the existing imports.
• Change setupTestDir() so that it no longer uses tmpdir() and mkdirSync, but instead calls tmp.dirSync({ unsafeCleanup: true }) (or at least tmp.dirSync()), stores the returned path in testDir, and returns it. This yields a securely created, unique temporary directory.
• Keep cleanupTestDir() as it is; it simply deletes whatever path was stored in testDir.

All uses of setupTestDir() (including the one leading to the write at line 127) will now operate inside a securely created temp directory, eliminating the insecure creation pattern while preserving the tests’ intent and structure. No other changes inside the tests are required.

In general, insecure temporary file/directory issues are fixed by using a library that atomically creates unique, private temp files or directories (with appropriate permissions) instead of manually building paths under os.tmpdir(). In Node.js, the recommended approach is to use a library like tmp, which provides tmp.dirSync() and tmp.fileSync() that ensure uniqueness and safe permissions.

For this specific code, the main issue is the setupTestDir function, which currently does:

testDir = join(tmpdir(), `appfactory-test-${Date.now()}`);
mkdirSync(testDir, { recursive: true });

All uses of testDir (including the one that leads to configPath on line 161) flow from this insecure directory creation. The best fix is to change setupTestDir to delegate directory creation to tmp.dirSync, which returns a unique directory under a secure location, and then use its .name property as testDir. This preserves the external behavior (each test gets a fresh directory, and we still call cleanupTestDir to remove it) while eliminating the race condition and unsafe permissions. We should also add an import for tmp at the top of the file. No other test logic needs to change.

Concretely:

• Add import tmp from 'tmp'; (ESM default import) near the other imports.
• Update setupTestDir so that:
  • It calls tmp.dirSync({ unsafeCleanup: true, prefix: 'appfactory-test-' }).
  • It assigns testDir to the returned directory’s name property.
  • It returns testDir as before.

unsafeCleanup: true matches the existing behavior of rmSync(testDir, { recursive: true, force: true }), allowing recursive cleanup. All existing calls to setupTestDir and cleanupTestDir remain valid and unchanged.

In general, the issue is fixed by not constructing temp paths manually under os.tmpdir(). Instead, use a library that atomically creates a unique, private temporary file or directory (like the tmp package). This avoids race conditions and prevents other users from pre-creating or accessing the directory/file.

For this specific file, the best fix is to replace the ad‑hoc setupTestDir implementation (which uses tmpdir() and mkdirSync) with a call to tmp.dirSync that returns a securely created temporary directory, and to add the corresponding import. All tests already use setupTestDir() to get their working directory, so changing its implementation preserves existing behavior while making the directory creation secure. The line CodeQL flags (writeFileSync(configPath, ...) at line 189) will then operate on a directory that was safely created by tmp, addressing the root cause.

Concrete changes in core/src/__tests__/config-loader.test.js:

• Add import tmp from 'tmp'; alongside the other imports.
• Update setupTestDir():
  • Remove join(tmpdir(), \appfactory-test-${Date.now()}`)andmkdirSync(...)`.
  • Replace them with tmp.dirSync({ prefix: 'appfactory-test-', unsafeCleanup: true }).name, which creates a unique temp directory securely and returns its path.
• Keep cleanupTestDir() as-is; it simply removes whatever testDir is set to.

No other code in this file needs to change.