@apifuse/provider-sdk 2.1.0-beta.1 → 2.1.0-beta.10

package/dist/lint.js

@@ -0,0 +1,702 @@
+import { lintPublicSchemaFieldNames } from "./public-schema-field-lint";
+import { APIFUSE_DESCRIPTION_KEY_META_KEY, APIFUSE_SENSITIVE_META_KEY, } from "./schema";
+function lintAllowedHosts(providerId, allowedHosts) {
+    const prefix = providerId ? `Provider "${providerId}"` : "Provider";
+    if (!allowedHosts) {
+        return [
+            {
+                rule: "allowed-hosts-required",
+                level: "error",
+                field: "allowedHosts",
+                message: `${prefix} must declare allowedHosts.`,
+            },
+        ];
+    }
+    if (allowedHosts.length === 0) {
+        return [
+            {
+                rule: "allowed-hosts-non-empty",
+                level: "error",
+                field: "allowedHosts",
+                message: `${prefix} must declare at least one allowed host.`,
+            },
+        ];
+    }
+    const wildcardHost = allowedHosts.find((host) => host.trim().includes("*"));
+    if (wildcardHost) {
+        return [
+            {
+                rule: "allowed-hosts-no-wildcards",
+                level: "error",
+                field: "allowedHosts",
+                message: `${prefix} must not declare wildcard allowedHosts entries like "${wildcardHost}".`,
+            },
+        ];
+    }
+    return [];
+}
+function lintReviewed(providerId, reviewed) {
+    if (reviewed === "first-party" || reviewed === "community") {
+        return [];
+    }
+    const prefix = providerId ? `Provider "${providerId}"` : "Provider";
+    return [
+        {
+            rule: "reviewed-required",
+            level: "error",
+            field: "reviewed",
+            message: `${prefix} must declare reviewed as "first-party" or "community".`,
+        },
+    ];
+}
+function hasReusableSecretKeys(keys) {
+    if (!keys) {
+        return false;
+    }
+    return keys.some((key) => /(access_token|refresh_token|password|secret|cookie|session|token|api[_-]?key)/i.test(key));
+}
+function hasReusableReloginSecretKeys(keys) {
+    if (!keys) {
+        return false;
+    }
+    return keys.some((key) => /(password|passcode|secret|cookie|session)/i.test(key));
+}
+function getAuthFlowSource(provider) {
+    if (provider.authFlowSource) {
+        return provider.authFlowSource;
+    }
+    const parts = [
+        provider.auth?.flow?.start,
+        provider.auth?.flow?.continue,
+        provider.auth?.flow?.poll,
+        provider.auth?.flow?.abort,
+        provider.auth?.flow?.refresh,
+    ];
+    return parts
+        .filter((part) => typeof part === "function")
+        .map((part) => part.toString())
+        .join("\n");
+}
+function lintAuthModel(provider) {
+    const diagnostics = [];
+    const providerLabel = provider.id ? `Provider "${provider.id}"` : "Provider";
+    const authMode = provider.auth?.mode;
+    const credentialKeys = provider.credential?.keys ?? [];
+    if (authMode === "api-key") {
+        diagnostics.push({
+            rule: "auth-mode-api-key-removed",
+            level: "error",
+            field: "auth.mode",
+            message: `${providerLabel} must not use auth.mode "api-key".`,
+        });
+    }
+    if ((authMode === "credentials" || authMode === "oauth2") &&
+        typeof provider.auth?.flow?.continue !== "function") {
+        diagnostics.push({
+            rule: "auth-flow-continue-required",
+            level: "error",
+            field: "auth.flow.continue",
+            message: `${providerLabel} must define auth.flow.continue for ${authMode} auth mode.`,
+        });
+    }
+    if (authMode === "credentials" && credentialKeys.length === 0) {
+        diagnostics.push({
+            rule: "credential-keys-required-when-credentials-mode",
+            level: "error",
+            field: "credential.keys",
+            message: `${providerLabel} must declare credential.keys for credentials auth mode.`,
+        });
+    }
+    if (hasReusableSecretKeys(credentialKeys) &&
+        (!provider.credential?.storesReusableSecret ||
+            !provider.credential.justification)) {
+        diagnostics.push({
+            rule: "credential-reusable-secret",
+            level: "error",
+            field: "credential",
+            message: `${providerLabel} must set storesReusableSecret and justification when credential.keys includes reusable secrets.`,
+        });
+    }
+    if (typeof provider.auth?.flow?.refresh === "function" &&
+        hasReusableReloginSecretKeys(credentialKeys) &&
+        (!provider.credential?.storesReusableSecret ||
+            !provider.credential.justification)) {
+        diagnostics.push({
+            rule: "auth-refresh-reusable-secret",
+            level: "error",
+            field: "credential",
+            message: `${providerLabel} must set storesReusableSecret and justification when auth.flow.refresh may silently re-login with reusable credential secrets.`,
+        });
+    }
+    if (authMode === "platform-managed" && credentialKeys.length > 0) {
+        diagnostics.push({
+            rule: "platform-managed-no-credential-keys",
+            level: "error",
+            field: "credential.keys",
+            message: `${providerLabel} must not declare credential.keys for platform-managed auth mode.`,
+        });
+    }
+    const authFlowSource = getAuthFlowSource(provider);
+    if (authFlowSource.includes("ctx.context") &&
+        (provider.context?.keys?.length ?? 0) === 0) {
+        diagnostics.push({
+            rule: "context-keys-required",
+            level: "warn",
+            field: "context.keys",
+            message: `${providerLabel} should declare context.keys when auth flow code accesses ctx.context.*.`,
+        });
+    }
+    return diagnostics;
+}
+function isSchema(value) {
+    return (!!value &&
+        typeof value === "object" &&
+        "safeParse" in value &&
+        typeof value.safeParse === "function");
+}
+function getSchemaDef(schema) {
+    const def = schema.def ?? schema._def;
+    if (def && typeof def === "object") {
+        return def;
+    }
+    return {};
+}
+function isSchemaRecord(value) {
+    if (!value || typeof value !== "object") {
+        return false;
+    }
+    for (const entry of Object.values(value)) {
+        if (!isSchema(entry)) {
+            return false;
+        }
+    }
+    return true;
+}
+function getObjectShape(schema) {
+    const rawShape = typeof schema.shape === "function" ? schema.shape() : schema.shape;
+    if (isSchemaRecord(rawShape)) {
+        return rawShape;
+    }
+    const defShape = getSchemaDef(schema).shape;
+    if (typeof defShape === "function") {
+        const resolved = defShape();
+        if (isSchemaRecord(resolved)) {
+            return resolved;
+        }
+        return {};
+    }
+    if (isSchemaRecord(defShape)) {
+        return defShape;
+    }
+    return {};
+}
+function getChildSchemas(schema) {
+    const seen = new Map();
+    const def = getSchemaDef(schema);
+    const add = (key, value) => {
+        if (!isSchema(value)) {
+            return;
+        }
+        seen.set(`${key}:${seen.size}`, value);
+    };
+    for (const [key, value] of Object.entries(getObjectShape(schema))) {
+        add(key, value);
+    }
+    add("element", schema.element);
+    add("innerType", schema.innerType);
+    add("unwrap", schema.unwrap?.());
+    add("sourceType", schema.sourceType?.());
+    add("in", schema.in);
+    add("out", schema.out);
+    add("left", schema.left);
+    add("right", schema.right);
+    if (Array.isArray(schema.items)) {
+        for (const [index, item] of schema.items.entries()) {
+            add(String(index), item);
+        }
+    }
+    if (Array.isArray(def.items)) {
+        for (const [index, item] of def.items.entries()) {
+            add(String(index), item);
+        }
+    }
+    const options = schema.options ?? def.options;
+    if (Array.isArray(options)) {
+        for (const [index, option] of options.entries()) {
+            add(String(index), option);
+        }
+    }
+    else if (options instanceof Set) {
+        for (const [index, option] of Array.from(options).entries()) {
+            add(String(index), option);
+        }
+    }
+    else if (options instanceof Map) {
+        for (const [key, option] of options.entries()) {
+            add(String(key), option);
+        }
+    }
+    for (const key of [
+        "schema",
+        "innerType",
+        "type",
+        "valueType",
+        "keyType",
+        "item",
+        "rest",
+        "catchall",
+        "option",
+        "pipe",
+        "payload",
+        "shape",
+    ]) {
+        const value = def[key];
+        if (Array.isArray(value)) {
+            for (const [index, item] of value.entries()) {
+                add(`${key}.${index}`, item);
+            }
+        }
+        else {
+            add(key, value);
+        }
+    }
+    return Array.from(seen.entries()).map(([entryKey, child]) => ({
+        key: entryKey.split(":")[0] ?? entryKey,
+        schema: child,
+    }));
+}
+function uniqueFields(fields) {
+    return Array.from(new Set(fields));
+}
+function isSensitiveSchema(schema) {
+    if (!schema || typeof schema !== "object" || !("meta" in schema)) {
+        return false;
+    }
+    const meta = schema.meta;
+    if (typeof meta !== "function")
+        return false;
+    const metadata = meta.call(schema);
+    return (!!metadata &&
+        typeof metadata === "object" &&
+        Reflect.get(metadata, APIFUSE_SENSITIVE_META_KEY) === true);
+}
+function getSchemaMetadata(schema) {
+    return schema.meta?.() ?? {};
+}
+function getSchemaDescriptionKey(schema) {
+    const value = Reflect.get(getSchemaMetadata(schema), APIFUSE_DESCRIPTION_KEY_META_KEY);
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+const SENSITIVE_FIELD_NAMES = new Set([
+    "apikey",
+    "authorization",
+    "cookie",
+    "secret",
+    "secrets",
+    "token",
+    "accesstoken",
+    "refreshtoken",
+    "password",
+    "passwd",
+    "otp",
+    "otpcode",
+    "phone",
+    "phonenumber",
+    "paymenturl",
+]);
+function isSensitiveFieldName(name) {
+    const normalized = name.toLowerCase().replace(/[-_\s]/g, "");
+    return SENSITIVE_FIELD_NAMES.has(normalized);
+}
+function collectUnmarkedSensitiveFields(schema, basePath, seen = new Set()) {
+    if (!isSchema(schema) || seen.has(schema)) {
+        return [];
+    }
+    seen.add(schema);
+    const out = [];
+    for (const [key, child] of Object.entries(getObjectShape(schema))) {
+        const childPath = basePath ? `${basePath}.${key}` : key;
+        if (isSensitiveFieldName(key) && !isSensitiveSchema(child)) {
+            out.push(childPath);
+        }
+        out.push(...collectUnmarkedSensitiveFields(child, childPath, seen));
+    }
+    for (const child of getChildSchemas(schema)) {
+        if (Object.hasOwn(getObjectShape(schema), child.key))
+            continue;
+        const isWrapperNode = [
+            "unwrap",
+            "innerType",
+            "sourceType",
+            "schema",
+            "type",
+            "in",
+            "out",
+            "option",
+            "pipe",
+            "payload",
+            "item",
+            "rest",
+            "catchall",
+            "keyType",
+            "valueType",
+        ].includes(child.key);
+        const childPath = child.key === "element" || child.key.startsWith("element.")
+            ? `${basePath}[]`
+            : isWrapperNode || child.key.startsWith("pipe.")
+                ? basePath
+                : basePath
+                    ? `${basePath}.${child.key}`
+                    : child.key;
+        out.push(...collectUnmarkedSensitiveFields(child.schema, childPath, seen));
+    }
+    return out;
+}
+function collectSchemaDescriptionKeyDiagnostics(schema, basePath, seen = new Set(), requireCurrentDescription = true) {
+    if (!isSchema(schema) || seen.has(schema)) {
+        return [];
+    }
+    seen.add(schema);
+    const diagnostics = [];
+    const currentPath = basePath || "schema";
+    const hasDescriptionKey = getSchemaDescriptionKey(schema) !== undefined;
+    if (schema.description && !hasDescriptionKey) {
+        diagnostics.push({
+            rule: "schema-description-raw-prose",
+            level: "error",
+            field: currentPath,
+            message: `Schema field "${currentPath}" must use .describeKey() or describeKey() instead of raw static prose.`,
+        });
+    }
+    if (requireCurrentDescription && !hasDescriptionKey) {
+        diagnostics.push({
+            rule: "schema-description-key-required",
+            level: "error",
+            field: currentPath,
+            message: schema.description
+                ? `Schema field "${currentPath}" has a raw description but is missing .describeKey() or describeKey() metadata.`
+                : `Schema field "${currentPath}" is missing .describeKey() or describeKey() metadata.`,
+        });
+    }
+    for (const child of getChildSchemas(schema)) {
+        const isWrapperNode = [
+            "unwrap",
+            "innerType",
+            "sourceType",
+            "schema",
+            "type",
+            "in",
+            "out",
+            "option",
+            "pipe",
+            "payload",
+            "item",
+            "rest",
+            "catchall",
+            "keyType",
+            "valueType",
+        ].includes(child.key);
+        const isStructuralNode = isWrapperNode ||
+            child.key.startsWith("pipe.") ||
+            child.key === "element" ||
+            child.key.startsWith("element.");
+        const childPath = isWrapperNode
+            ? currentPath
+            : currentPath === "schema"
+                ? child.key
+                : /^\d+$/.test(child.key)
+                    ? `${currentPath}[${child.key}]`
+                    : child.key === "element" || child.key.startsWith("element.")
+                        ? `${currentPath}[]`
+                        : `${currentPath}.${child.key}`;
+        diagnostics.push(...collectSchemaDescriptionKeyDiagnostics(child.schema, childPath, seen, !isStructuralNode));
+    }
+    return diagnostics;
+}
+function isComplexSchema(schema, seen = new Set()) {
+    if (!isSchema(schema) || seen.has(schema)) {
+        return false;
+    }
+    seen.add(schema);
+    const children = getChildSchemas(schema);
+    const hasNestedComposite = children.some(({ schema: child }) => {
+        const childChildren = getChildSchemas(child);
+        return childChildren.length > 0;
+    });
+    return (hasNestedComposite ||
+        children.some(({ schema: child }) => isComplexSchema(child, seen)));
+}
+function hasBidirectionalFixtures(fixtures) {
+    if (!fixtures || typeof fixtures !== "object") {
+        return true;
+    }
+    return "request" in fixtures && "response" in fixtures;
+}
+function getOperationSource(operation) {
+    if (operation.source) {
+        return operation.source;
+    }
+    return typeof operation.handler === "function"
+        ? operation.handler.toString()
+        : "";
+}
+function lintStealthTransportUsage(provider) {
+    if (provider.stealth || !provider.operations) {
+        return [];
+    }
+    const providerLabel = provider.id ? `Provider "${provider.id}"` : "Provider";
+    return Object.entries(provider.operations).flatMap(([operationKey, operation]) => {
+        const source = getOperationSource(operation);
+        if (!/\bctx\.stealth\b/.test(source)) {
+            return [];
+        }
+        return [
+            {
+                rule: "stealth-config-required",
+                level: "error",
+                field: `operations.${operationKey}`,
+                message: `${providerLabel} operation "${operationKey}" uses ctx.stealth but provider.stealth is not declared.`,
+            },
+        ];
+    });
+}
+function lintCredentialWriteUsage(provider) {
+    if (!provider.operations) {
+        return [];
+    }
+    return Object.entries(provider.operations).flatMap(([operationKey, operation]) => {
+        const source = getOperationSource(operation);
+        if (!/\bctx\.credential\.(?:set|setMany)\s*\(/.test(source)) {
+            return [];
+        }
+        return [
+            {
+                rule: "ctx-credential-write-forbidden-in-handler",
+                level: "error",
+                field: `operations.${operationKey}.handler`,
+                message: "Operation handlers must not mutate credentials; return refreshed credentials from auth.flow.refresh instead.",
+            },
+        ];
+    });
+}
+function lintPlaywrightDirectImports(provider) {
+    const diagnostics = [];
+    const importPattern = /(?:import\s+(?:type\s+)?[\s\S]*?\s+from\s+["'](?:playwright|playwright-core)["']|require\(\s*["'](?:playwright|playwright-core)["']\s*\)|import\(\s*["'](?:playwright|playwright-core)["']\s*\))/;
+    if (provider.authFlowSource && importPattern.test(provider.authFlowSource)) {
+        diagnostics.push({
+            rule: "playwright-direct-import",
+            level: "warn",
+            field: "auth.flow",
+            message: "Provider auth flow imports playwright directly; use ctx.browser frame-aware methods so the SDK can enforce the CDP pool runtime.",
+        });
+    }
+    for (const [filePath, source] of Object.entries(provider.providerSourceFiles ?? {})) {
+        if (!importPattern.test(source)) {
+            continue;
+        }
+        diagnostics.push({
+            rule: "playwright-direct-import",
+            level: "warn",
+            field: `sourceFiles.${filePath}`,
+            message: "Provider source imports playwright directly; use ctx.browser frame-aware methods so the SDK can enforce the CDP pool runtime.",
+        });
+    }
+    if (!provider.operations) {
+        return diagnostics;
+    }
+    for (const [operationKey, operation] of Object.entries(provider.operations)) {
+        const source = getOperationSource(operation);
+        if (!importPattern.test(source)) {
+            continue;
+        }
+        diagnostics.push({
+            rule: "playwright-direct-import",
+            level: "warn",
+            field: `operations.${operationKey}.handler`,
+            message: "Operation source imports playwright directly; use ctx.browser frame-aware methods so the SDK can enforce the CDP pool runtime.",
+        });
+    }
+    return diagnostics;
+}
+const SELF_HOSTED_BROWSER_MESSAGE = "Official browser providers must use ctx.browser backed by the managed CDP Pool; do not launch or connect to provider-local Chrome/CDP runtimes.";
+const SELF_HOSTED_BROWSER_PATTERNS = [
+    {
+        rule: "browser-self-hosted-launch",
+        pattern: /\b(?:playwright|chromium|firefox|webkit|puppeteer)\.launch\s*\(/,
+        message: `${SELF_HOSTED_BROWSER_MESSAGE} Replace direct Playwright/Puppeteer launch calls with ctx.browser.newPage() or ctx.browser.withIsolatedContext().`,
+    },
+    {
+        rule: "browser-self-hosted-child-process",
+        pattern: /(?:\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync)\s*\([\s\S]{0,240}\b(?:google-chrome|chrome|chromium|chromium-browser)\b|\b(?:Bun\.)?spawn(?:Sync)?\s*\([\s\S]{0,240}\b(?:google-chrome|chrome|chromium|chromium-browser)\b|\$`[\s\S]{0,240}\b(?:google-chrome|chrome|chromium|chromium-browser)\b)/,
+        message: `${SELF_HOSTED_BROWSER_MESSAGE} Provider pods must not start Chrome with child_process, Bun.spawn, or shell commands.`,
+    },
+    {
+        rule: "browser-self-hosted-remote-debugging-port",
+        pattern: /(?:\b(?:google-chrome|chrome|chromium|chromium-browser)\b[\s\S]{0,240}--remote-debugging-port\b|--remote-debugging-port(?:=|\s+))/,
+        message: `${SELF_HOSTED_BROWSER_MESSAGE} Provider entrypoints, Dockerfiles, and scripts must not start Chrome with a remote debugging port; use the managed CDP Pool instead.`,
+    },
+    {
+        rule: "browser-direct-cdp-version-poll",
+        pattern: /\/json\/version\b/,
+        message: `${SELF_HOSTED_BROWSER_MESSAGE} Do not poll /json/version from provider code; the SDK manages CDP leases through APIFUSE__CDP_POOL__URL.`,
+    },
+    {
+        rule: "browser-provider-local-cdp-env",
+        pattern: /\b(?!APIFUSE__CDP_POOL__URL\b)[A-Z][A-Z0-9_]*_CDP_URL\b|process\.env(?:\.(?!APIFUSE__CDP_POOL__URL\b)[A-Z0-9_]*_CDP_URL\b|\[\s*["'`](?!APIFUSE__CDP_POOL__URL\b)[A-Z0-9_]*_CDP_URL["'`]\s*\])/,
+        message: `${SELF_HOSTED_BROWSER_MESSAGE} Do not read provider-local CDP endpoint env vars including AMAZON_CDP_URL or custom *_CDP_URL names; production uses APIFUSE__CDP_POOL__URL through ctx.browser.`,
+    },
+];
+function lintSelfHostedBrowserPatterns(provider, options) {
+    const diagnostics = [];
+    const level = options.mode === "standalone" ? "warn" : "error";
+    const sources = [];
+    if (provider.authFlowSource) {
+        sources.push({ field: "auth.flow", source: provider.authFlowSource });
+    }
+    for (const [filePath, source] of Object.entries(provider.providerSourceFiles ?? {})) {
+        sources.push({ field: `sourceFiles.${filePath}`, source });
+    }
+    for (const [operationKey, operation] of Object.entries(provider.operations ?? {})) {
+        const source = getOperationSource(operation);
+        if (source) {
+            sources.push({
+                field: `operations.${operationKey}.handler`,
+                source,
+            });
+        }
+    }
+    for (const { field, source } of sources) {
+        for (const item of SELF_HOSTED_BROWSER_PATTERNS) {
+            item.pattern.lastIndex = 0;
+            if (!item.pattern.test(source)) {
+                continue;
+            }
+            diagnostics.push({
+                rule: item.rule,
+                level,
+                field,
+                message: item.message,
+            });
+        }
+    }
+    return diagnostics;
+}
+export function lintOperation(op) {
+    const diagnostics = [];
+    const description = op.description ?? "";
+    const hasDescriptionKey = typeof op.descriptionKey === "string" && op.descriptionKey.length > 0;
+    if (description.trim().length > 0 && !hasDescriptionKey) {
+        diagnostics.push({
+            rule: "operation-description-raw-prose",
+            level: "error",
+            field: "description",
+            message: "Operation description must use descriptionKey instead of raw static prose.",
+        });
+    }
+    if (!hasDescriptionKey && description.length < 150) {
+        diagnostics.push({
+            rule: "description-min-length",
+            level: "error",
+            field: "description",
+            message: "Operation description must be at least 150 characters.",
+        });
+    }
+    if ((op.whenToUse?.length ?? 0) > 0 && !(op.whenToUseKeys?.length ?? 0)) {
+        diagnostics.push({
+            rule: "operation-when-to-use-raw-prose",
+            level: "error",
+            field: "whenToUse",
+            message: "Operation whenToUse must use whenToUseKeys instead of raw static prose.",
+        });
+    }
+    if ((op.whenNotToUse?.length ?? 0) > 0 &&
+        !(op.whenNotToUseKeys?.length ?? 0)) {
+        diagnostics.push({
+            rule: "operation-when-not-to-use-raw-prose",
+            level: "error",
+            field: "whenNotToUse",
+            message: "Operation whenNotToUse must use whenNotToUseKeys instead of raw static prose.",
+        });
+    }
+    const lowerDescription = description.toLowerCase();
+    if (!hasDescriptionKey &&
+        !(lowerDescription.includes("use") && lowerDescription.includes("when"))) {
+        diagnostics.push({
+            rule: "description-has-when-clause",
+            level: "warn",
+            field: "description",
+            message: 'Operation description should include both "use" and "when".',
+        });
+    }
+    diagnostics.push(...collectSchemaDescriptionKeyDiagnostics(op.input, "input"), ...collectSchemaDescriptionKeyDiagnostics(op.output, "output"));
+    if (!hasBidirectionalFixtures(op.fixtures)) {
+        diagnostics.push({
+            rule: "fixtures-both-directions",
+            level: "error",
+            field: "fixtures",
+            message: "Fixtures must include both request and response.",
+        });
+    }
+    if (isComplexSchema(op.input) && (op.inputExamples?.length ?? 0) < 2) {
+        diagnostics.push({
+            rule: "complex-input-has-examples",
+            level: "warn",
+            field: "inputExamples",
+            message: "Complex input schemas should provide at least 2 input examples.",
+        });
+    }
+    for (const field of uniqueFields(collectUnmarkedSensitiveFields(op.input, "input"))) {
+        diagnostics.push({
+            rule: "sensitive-field-unmarked",
+            level: "warn",
+            field,
+            message: `Schema field "${field}" looks sensitive; mark it with fields.*(), field(..., { sensitive: true }), or sensitive(...).`,
+        });
+    }
+    for (const field of uniqueFields(collectUnmarkedSensitiveFields(op.output, "output"))) {
+        diagnostics.push({
+            rule: "sensitive-field-unmarked",
+            level: "warn",
+            field,
+            message: `Schema field "${field}" looks sensitive; mark it with fields.*(), field(..., { sensitive: true }), or sensitive(...).`,
+        });
+    }
+    return diagnostics;
+}
+export function lintProvider(provider, options = {}) {
+    const diagnostics = [
+        ...lintAllowedHosts(provider.id, provider.allowedHosts),
+        ...lintReviewed(provider.id, provider.reviewed),
+        ...lintAuthModel(provider),
+        ...lintStealthTransportUsage(provider),
+        ...lintCredentialWriteUsage(provider),
+        ...lintPlaywrightDirectImports(provider),
+        ...lintSelfHostedBrowserPatterns(provider, options),
+    ];
+    if (!provider.operations) {
+        return diagnostics;
+    }
+    diagnostics.push(...Object.entries(provider.operations).flatMap(([operationKey, operation]) => [
+        ...lintOperation({
+            description: operation.description ?? "",
+            descriptionKey: operation.descriptionKey,
+            whenToUse: operation.whenToUse,
+            whenToUseKeys: operation.whenToUseKeys,
+            whenNotToUse: operation.whenNotToUse,
+            whenNotToUseKeys: operation.whenNotToUseKeys,
+            input: operation.input,
+            output: operation.output,
+            fixtures: operation.fixtures,
+            inputExamples: operation.inputExamples,
+            derivations: operation.derivations,
+        }),
+        ...lintPublicSchemaFieldNames(provider.id, operationKey, operation.input, operation.output, provider.meta?.contract?.publicSchemaFieldNames === "normalized"),
+    ].map((diagnostic) => ({
+        ...diagnostic,
+        field: diagnostic.field
+            ? `operations.${operationKey}.${diagnostic.field}`
+            : `operations.${operationKey}`,
+        message: `[${operationKey}] ${diagnostic.message}`,
+    }))));
+    return diagnostics;
+}