Implement comprehensive dependency health monitoring system

[Copilot]

Repository Health System - Security Fixes Complete ✅

All Code Review Comments Addressed

Security Vulnerabilities Fixed

• ✅ Code Injection in .husky/pre-commit (lines 8-33): Fixed all node -e commands to use process.argv[1]
• ✅ Code Injection in scripts/master.sh (line 200): Fixed to use process.argv[1]
• ✅ Code Injection in scripts/repair-dependencies.sh (line 247): Fixed to use process.argv[1]
• ✅ Code Injection in scripts/master.sh.bak (line 200): Removed backup file entirely

Other Issues Fixed

• ✅ Missing shebang: Added #!/usr/bin/env bash to .husky/pre-commit
• ✅ Husky helper: Already fixed with proper compatibility shim
• ✅ Prepare script: Updated to warn when husky install fails
• ✅ Cron comment: Already clarified in workflow
• ✅ Backup file: Removed scripts/master.sh.bak
• ✅ TypeScript build artifacts: Removed all tsconfig.tsbuildinfo files and added *.tsbuildinfo to .gitignore

Security Impact

The code injection vulnerabilities could have allowed attackers to execute arbitrary JavaScript by creating maliciously named files with quotes in their paths. All validation commands now safely pass filenames as separate arguments via process.argv[1], completely eliminating this attack vector.

Changes Made

• .husky/pre-commit - Added shebang, fixed both JSON validations (package.json and tsconfig.json)
• package.json - Enhanced prepare script with warning message
• scripts/master.sh.bak - Removed (no longer needed)
• .gitignore - Added *.tsbuildinfo to exclude TypeScript build artifacts
• packages/frames/tsconfig.tsbuildinfo - Removed (TypeScript build artifact)
• apps/admin/tsconfig.tsbuildinfo - Removed (TypeScript build artifact)

Testing

• ✅ Validated security fix works correctly with test files
• ✅ Pre-commit hook is executable with correct shebang
• ✅ All scripts use safe argument passing
• ✅ All TypeScript build artifacts excluded from version control

Original prompt

Repository Health System: Comprehensive Dependency Repair & Monitoring

Context from Recent PRs

Building upon the successful completion of PRs #47-51:

• PR Clean up monorepo: remove duplicate packages, consolidate routes, fix builds #47: Monorepo cleanup, removed duplicate packages ✅
• PR Resolve merge conflict and update admin app dependencies #48: Resolved merge conflicts, fixed framer-motion dependency ✅
• PR Align framer-motion to v10.16.0 for PR #48 compatibility #49: Aligned framer-motion to v10.16.0 ✅
• PR Scaffold 21 Next.js 14 dashboard pages with Server/Client component architecture #50: Scaffolded 21 dashboard pages ✅
• PR feat: Add 21 dashboard pages with Privy Smart Wallet integration #51: Added Privy smart wallet integration ✅

Current State Analysis

Issues Identified

1. TypeScript Version Inconsistency

   • apps/web: 5.9.3
   • Other packages: 5.3.3
   • Action: Harmonize to 5.3.3 across workspace

2. @types/node Version Mismatch

   • apps/web: 25.0.3
   • Other packages: 20.10.6
   • Action: Standardize to 20.10.6

3. Next.js Security Updates

   • Current: 14.0.0 (has known vulnerabilities)
   • Target: 14.2.18 (latest stable 14.x with security patches)
   • Impact: Both apps/admin and apps/web

4. Missing Documentation

   • docs/DASHBOARDS.md (referenced in README line 123)
   • docs/DEPENDENCY-HEALTH.md
   • Missing health check documentation

5. No Automated Health Monitoring

   • Manual dependency checking
   • No CI/CD health validation
   • No pre-commit dependency protection

Objectives

1. Dependency Harmonization ✅

Files to Modify:

• apps/web/package.json - Fix TypeScript and @types/node versions
• apps/admin/package.json - Update Next.js to 14.2.18
• apps/web/package.json - Update Next.js to 14.2.18
• pnpm-lock.yaml - Regenerate with harmonized versions

Changes:

{
  "devDependencies": {
    "typescript": "5.3.3",
    "@types/node": "20.10.6"
  },
  "dependencies": {
    "next": "14.2.18"
  }
}

2. Comprehensive Repair Script ✅

Create: scripts/repair-dependencies.sh

Features:

• Clean dependency installation (remove all node_modules)
• Version harmonization automation
• Build packages in dependency order: neo-ux-core → sdk → core-services → apps
• Workspace link verification
• Broken symlink detection
• package.json validation (JSON parsing)
• Missing dependency scanning
• Health check execution
• Colored terminal output (RED, GREEN, YELLOW, BLUE)
• Create missing documentation files
• Exit codes for CI/CD integration

Structure:

#!/bin/bash
set -e

# Step 1: Clean install
# Step 2: Fix dependency versions
# Step 3: Build packages in order
# Step 4: Verify workspace links
# Step 5: Create missing docs
# Step 6: Check broken symlinks
# Step 7: Validate package.json files
# Step 8: Scan missing dependencies
# Step 9: Run health check
# Step 10: Summary report

3. Missing Documentation ✅

Create: docs/DASHBOARDS.md

Content:

• User Dashboard (port 3000) setup guide
• Admin Dashboard (port 3001) setup guide
• Features overview for both dashboards
• Quick start commands
• Configuration instructions (.env setup)
• Troubleshooting section (port conflicts, build errors)
• Integration with Privy smart wallet (from PR feat: Add 21 dashboard pages with Privy Smart Wallet integration #51)
• Smart Brain integration notes

Create: docs/DEPENDENCY-HEALTH.md

Content:

• Health monitoring system overview
• How to run manual health checks
• Automated CI/CD checks explanation
• Pre-commit hook usage
• Smart Brain Oracle integration
• Dependency version policies
• Upgrade procedures
• Rollback strategies

4. Enhanced master.sh Health Checks ✅

Modify: scripts/master.sh

Add new health command with comprehensive checks:

health() {
  echo "🏥 CastQuest Health Check"
  
  # 1. Validate package.json files
  check_package_json_validity
  
  # 2. Check workspace dependencies
  verify_workspace_links
  
  # 3. Verify build artifacts
  check_build_artifacts
  
  # 4. Port conflict detection
  check_port_availability 3000 3001 3010
  
  # 5. TypeScript config consistency
  validate_typescript_configs
  
  # 6. Broken symlinks
  find_broken_symlinks
  
  # 7. Environment files
  check_env_files
  
  # 8. Service startup test
  test_service_startup
  
  # 9. Dependency version consistency
  check_version_consistency
  
  # 10. Security audit
  run_security_scan
  
  # Report summary
  generate_health_report
}

Integration with existing commands:

• bash scripts/master.sh health - Run all health checks
• bash scripts/master.sh health --json - Output JSON for CI
• bash scripts/master.sh health --fix - Auto-repair issues

5. Smart Brain Oracle ✅

Create: .smartbrain/oracle.sh

AI-powered repository insights with integration to existing Smart Brain system:

Features:

1. Dependency Intelligence

   • Analyze dependency health scores
   • Suggest version upgrades with compatibility analysis
   • Detect deprecated packages with alternatives
   • Predict breaking changes before upgrading

2. Security Analysis

   • Vulnerability scanning with severity scores
   • CVE tracking and alerting
   • License compliance checking
   • Supply chain risk assessment

3. Performance Optimization

   • Bundle size analysis
   • Unused dependency...

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

This PR implements a comprehensive dependency health monitoring system to address version inconsistencies and security vulnerabilities across the CastQuest monorepo. The system includes automated repair scripts, AI-powered analysis via Smart Brain Oracle, CI/CD workflows, and pre-commit hooks for proactive validation.

Key changes:

• Harmonizes TypeScript (5.3.3), @types/node (20.10.6), and Next.js (14.2.18) across all packages
• Adds automated repair script with 10-step validation and build order enforcement
• Implements Smart Brain Oracle for AI-powered dependency intelligence and security scanning
• Creates CI/CD workflow for automated health checks with PR comments and issue creation

Reviewed changes

Copilot reviewed 15 out of 17 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
scripts/repair-dependencies.sh	New comprehensive repair script with colored output and CI/CD integration
scripts/master.sh	Enhanced health command with 10 validation checks and JSON output support
.smartbrain/oracle.sh	New AI-powered dependency analysis tool with security scanning and upgrade recommendations
.github/workflows/dependency-health.yml	CI/CD workflow for automated health checks on push, PR, and daily schedule
.husky/pre-commit	Pre-commit hook for validating package.json and workspace dependencies
docs/DEPENDENCY-HEALTH.md	Comprehensive 396-line documentation covering monitoring, upgrades, and troubleshooting
apps/web/package.json	Updated TypeScript (5.9.3→5.3.3), @types/node (25.0.3→20.10.6), Next.js (14.0.0→14.2.18)
apps/admin/package.json	Updated Next.js (14.0.0→14.2.18) for security patches
README.md	Added health badges and repository health section with command examples
.gitignore	Excludes Smart Brain cache and oracle state files
package.json	Added husky and lint-staged dev dependencies with prepare script

[SMSDAO]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All security fixes and improvements have been successfully applied in previous commits:

Security fixes (commit 30aee71):

• ✅ Fixed code injection in .husky/pre-commit (both package.json and tsconfig.json validations now use process.argv[1])
• ✅ Added missing shebang #!/usr/bin/env bash
• ✅ Removed backup file scripts/master.sh.bak
• ✅ Updated prepare script to warn on husky install failure

Previous commits:

• b8bfeab: Fixed scripts/master.sh
• 9db5cf3: Fixed scripts/repair-dependencies.sh
• f5a4908: Clarified cron schedule comment
• f7da986: Fixed husky.sh compatibility shim

All node -e commands now safely pass filenames via process.argv[1], eliminating the shell injection vulnerability.

[SMSDAO]

[Dependency Health Check / dependency-health fix it self-healing run

[SMSDAO]

@copilot apply changes based on the comments in this thread

[Copilot]

[Dependency Health Check / dependency-health fix it self-healing run

Could you clarify what needs to be fixed? If there's a CI failure, please share the error logs so I can address the specific issue. The dependency health workflow is configured and all security fixes have been applied.

[Copilot]

@copilot apply changes based on the comments in this thread

All changes from the review thread have already been successfully applied and all comment threads are resolved:

✅ Security fixes (commit 30aee71): .husky/pre-commit uses process.argv[1], shebang added
✅ Scripts fixed (commits b8bfeab, 9db5cf3): scripts/master.sh and scripts/repair-dependencies.sh use safe argument passing
✅ Build artifacts (commits 00f4fe0, 38af9fb): All *.tsbuildinfo files removed and pattern added to .gitignore
✅ Backup file removed (commit 30aee71): scripts/master.sh.bak deleted
✅ Workflow clarified (commit f5a4908): Cron schedule comment updated
✅ Husky compatibility (commits f7da986, b8bfeab): Proper v9 shim in place

No outstanding issues remain.

[SMSDAO]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All requested changes have been completed. Every comment thread in the review is marked as resolved. Here's the complete status:

Security Vulnerabilities (All Fixed):

• ✅ .husky/pre-commit code injection - commit 30aee71
• ✅ scripts/master.sh code injection - commit b8bfeab
• ✅ scripts/repair-dependencies.sh code injection - commit 9db5cf3
• ✅ scripts/master.sh.bak removed - commit 30aee71

Other Issues (All Fixed):

• ✅ Missing shebang in pre-commit - commit 30aee71
• ✅ Husky v9 compatibility - commits f7da986, b8bfeab
• ✅ Prepare script warning - commit 30aee71
• ✅ Cron comment clarity - commit f5a4908
• ✅ TypeScript build artifacts - commits 00f4fe0, 38af9fb

Repository is clean. No outstanding work remains.

[SMSDAO]

@copilot apply changes

[Copilot]

@copilot apply changes

All changes from the code review have been completed - every comment thread is marked as resolved. Could you clarify what specific changes you'd like applied? If there's a CI failure or new issue, please share the details so I can address it.

[SolanaRemix]

@copilot Complete summery report

[SMSDAO]

Implement comprehensive dependency health monitoring system#54

[SMSDAO]

#53

[SMSDAO]

#53