@apifuse/provider-sdk 2.1.0-beta.5 → 2.1.0-beta.8

package/bin/apifuse-submit-check.ts

@@ -1,8 +1,8 @@
 #!/usr/bin/env bun
 
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, readdirSync, readFileSync } from "node:fs";
 import { writeFile } from "node:fs/promises";
-import { basename, dirname, join, resolve } from "node:path";
+import { basename, dirname, join, relative, resolve } from "node:path";
 import { pathToFileURL } from "node:url";
 
 import { z } from "zod";
@@ -61,6 +61,10 @@ export type SubmitCheckReport = {
 	checks: SubmitCheck[];
 };
 
+export function isAutoPromotionEligible(report: SubmitCheckReport): boolean {
+	return report.score.total >= 95 && report.summary.blockers === 0;
+}
+
 type CliArgs = {
 	isJson: boolean;
 	markdownPath?: string;
@@ -74,6 +78,15 @@ type SecretFinding = {
 	file: string;
 };
 
+type SourceFinding = {
+	file: string;
+	line: number;
+};
+
+const SDK_NATIVE_CATEGORY = "sdk-native";
+const VENDOR_SHIM_PROVIDER_ID_PREFIX = "apifuse-provider-";
+const MAX_SOURCE_FINDING_EVIDENCE = 5;
+
 const CATEGORY_MAX_POINTS = {
 	definition: 15,
 	operations: 15,
@@ -231,8 +244,20 @@ export async function buildSubmitCheckReport(
 	const provider = await safeLoadProvider(providerRoot);
 
 	checks.push(...scoreBaseChecks(baseChecks));
+	checks.push(scoreProviderIdSlug(providerRoot, provider));
+	checks.push(scoreNoVendorShim(providerRoot));
+	checks.push(scoreNoVendorImport(providerRoot));
+	checks.push(scoreDescribeKey(providerRoot));
+	checks.push(scoreNoRawFetch(providerRoot));
+	checks.push(scoreNoRedundantRuntimeGuards(providerRoot));
+	checks.push(scoreManagedBrowserRuntime(providerRoot));
+	checks.push(scoreAsAssertionCount(providerRoot));
+	checks.push(scoreUnsafeInputPassthrough(providerRoot));
+	checks.push(scoreUnjustifiedLooseSchema(providerRoot));
+	checks.push(scoreFlatOperationComposition(providerRoot));
 
 	if (provider) {
+		checks.push(scoreCredentialUsage(providerRoot, provider));
 		checks.push(scoreLocaleCatalog(providerRoot, provider));
 		checks.push(scoreOperationMetadata(provider));
 		checks.push(scoreFixtureCoverage(provider));
@@ -288,6 +313,1328 @@ export async function buildSubmitCheckReport(
 	};
 }
 
+function scoreProviderIdSlug(
+	providerRoot: string,
+	provider: ProviderDefinition | undefined,
+): SubmitCheck {
+	const remediation =
+		'Rename defineProvider({ id }) to the short slug (e.g. "tabelog", not "apifuse-provider-tabelog"). Also update manifest/PROVIDER_ID consts and tests. Grep: git grep "apifuse-provider-<name>".';
+
+	// Prefer the loaded provider id; fall back to scanning source so the rule
+	// still fires when the provider fails to load (e.g. a vendor shim or other
+	// structural problem prevents defineProvider from resolving).
+	if (provider) {
+		if (provider.id.startsWith(VENDOR_SHIM_PROVIDER_ID_PREFIX)) {
+			return blocker(
+				"id-slug",
+				SDK_NATIVE_CATEGORY,
+				"Provider id uses the apifuse-provider- prefix.",
+				remediation,
+				0,
+				[provider.id],
+			);
+		}
+
+		return pass(
+			"id-slug",
+			SDK_NATIVE_CATEGORY,
+			"Provider id uses the short slug.",
+			0,
+		);
+	}
+
+	const findings = findSourceLineMatches(
+		providerRoot,
+		/["'`]apifuse-provider-[a-z0-9-]/i,
+	);
+	if (findings.length > 0) {
+		return blocker(
+			"id-slug",
+			SDK_NATIVE_CATEGORY,
+			"Provider id uses the apifuse-provider- prefix.",
+			remediation,
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	return pass(
+		"id-slug",
+		SDK_NATIVE_CATEGORY,
+		"Provider id uses the short slug.",
+		0,
+	);
+}
+
+function scoreNoVendorShim(providerRoot: string): SubmitCheck {
+	const vendorPath = resolve(providerRoot, "vendor");
+	if (existsSync(vendorPath)) {
+		return blocker(
+			"no-vendor-shim",
+			SDK_NATIVE_CATEGORY,
+			"Provider contains a vendor/ SDK shim directory.",
+			"Delete vendor/ and import directly from @apifuse/provider-sdk (/provider, root, /testing). SDK-absent symbols (e.g. createStateContext) must use real SDK equivalents (createUnsupportedProviderRuntimeState for unused ctx.state).",
+			0,
+			[vendorPath],
+		);
+	}
+
+	return pass(
+		"no-vendor-shim",
+		SDK_NATIVE_CATEGORY,
+		"Provider does not contain a vendor/ SDK shim directory.",
+		0,
+	);
+}
+
+function scoreNoVendorImport(providerRoot: string): SubmitCheck {
+	const findings = findSourceLineMatches(
+		providerRoot,
+		/from\s+["'][^"']*vendor\//,
+	);
+	if (findings.length > 0) {
+		return blocker(
+			"no-vendor-import",
+			SDK_NATIVE_CATEGORY,
+			"Provider source imports from vendor/ shim.",
+			"Re-point every import from ../vendor/provider-sdk to @apifuse/provider-sdk/provider, @apifuse/provider-sdk, or @apifuse/provider-sdk/testing.",
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	return pass(
+		"no-vendor-import",
+		SDK_NATIVE_CATEGORY,
+		"Provider source imports directly from the SDK.",
+		0,
+	);
+}
+
+function scoreDescribeKey(providerRoot: string): SubmitCheck {
+	const findings = findSourceLineMatches(providerRoot, /\.describe\(["']/);
+	if (findings.length > 0) {
+		return blocker(
+			"describe-key",
+			SDK_NATIVE_CATEGORY,
+			"Schema descriptions use raw .describe() prose instead of describeKey.",
+			'Replace .describe("prose") with describeKey(schema, key, { description }) backed by locale keys in locales/en.json + ko.json.',
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	return pass(
+		"describe-key",
+		SDK_NATIVE_CATEGORY,
+		"Schema descriptions use describeKey.",
+		0,
+	);
+}
+
+function scoreNoRawFetch(providerRoot: string): SubmitCheck {
+	const findings = findSourceLineMatches(providerRoot, /(?<![.\w])fetch\s*\(/);
+	if (findings.length > 0) {
+		return blocker(
+			"no-raw-fetch",
+			SDK_NATIVE_CATEGORY,
+			"Provider source calls raw fetch().",
+			"Replace raw fetch() with ctx.stealth.fetch() (cloud-IP-blocked otherwise) or ctx.http for non-stealth calls.",
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	return pass(
+		"no-raw-fetch",
+		SDK_NATIVE_CATEGORY,
+		"Provider source avoids raw fetch().",
+		0,
+	);
+}
+
+const REDUNDANT_RUNTIME_GUARD_PATTERNS: readonly RegExp[] = [
+	/\bctx\.(?:stealth|http|cache|state|browser|trace|auth|stt|choice)\?\./,
+];
+
+const SDK_CONTEXT_METHOD_ALIAS_PATTERN =
+	/\bconst\s+(\w+)\s*=\s*ctx\.(?:stealth|http|cache|state|browser|trace|auth|stt|choice)\.(?:\w+)/;
+
+function hasRedundantRuntimeGuard(
+	line: string,
+	remainingLines: readonly string[],
+): boolean {
+	if (REDUNDANT_RUNTIME_GUARD_PATTERNS.some((pattern) => pattern.test(line))) {
+		return true;
+	}
+
+	const aliasMatch = SDK_CONTEXT_METHOD_ALIAS_PATTERN.exec(line);
+	const alias = aliasMatch?.[1];
+	if (!alias) {
+		return false;
+	}
+
+	const guardPattern = new RegExp(
+		`(?:typeof\\s+${alias}\\s*!==\\s*["']function["']|!${alias}\\b)`,
+	);
+	return remainingLines
+		.slice(0, 8)
+		.some((candidate) => guardPattern.test(candidate));
+}
+
+function scoreNoRedundantRuntimeGuards(providerRoot: string): SubmitCheck {
+	const findings = findSourceFindings(providerRoot, hasRedundantRuntimeGuard);
+	if (findings.length > 0) {
+		return blocker(
+			"no-redundant-runtime-guards",
+			SDK_NATIVE_CATEGORY,
+			"Provider source has redundant runtime guard code for SDK-owned context APIs.",
+			"Trust the provider SDK context contract: call ctx.stealth.fetch(), ctx.http, and other SDK-owned context APIs directly. Remove optional chaining and typeof function guards around non-null runtime clients.",
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	return pass(
+		"no-redundant-runtime-guards",
+		SDK_NATIVE_CATEGORY,
+		"Provider source avoids redundant runtime guard code around SDK-owned context APIs.",
+		0,
+	);
+}
+
+const AS_ASSERTION_PATTERN =
+	/\bas\s+(any|unknown|never|string|number|boolean)\b|\bas\s+[A-Z]|\bas\s+\{|\bas\s+Record\b|\bas\s+typeof\b/;
+
+function countAsAssertions(providerRoot: string): {
+	count: number;
+	findings: SourceFinding[];
+} {
+	let count = 0;
+	const findings: SourceFinding[] = [];
+
+	for (const filePath of listNonTestTypeScriptFiles(providerRoot)) {
+		const content = readFileSync(filePath, "utf8");
+		const lines = content.split(/\r?\n/);
+		for (let index = 0; index < lines.length; index += 1) {
+			const line = lines[index];
+			if (
+				line === undefined ||
+				line.includes("import") ||
+				/\bas\s*const\b/.test(line) ||
+				!AS_ASSERTION_PATTERN.test(line)
+			) {
+				continue;
+			}
+
+			count += 1;
+			if (findings.length < MAX_SOURCE_FINDING_EVIDENCE) {
+				findings.push({
+					file: toRelativeProviderPath(providerRoot, filePath),
+					line: index + 1,
+				});
+			}
+		}
+	}
+
+	return { count, findings };
+}
+
+function scoreAsAssertionCount(providerRoot: string): SubmitCheck {
+	const { count, findings } = countAsAssertions(providerRoot);
+	const assertionLabel = "as " + "Type";
+	const remediation = `Replace \`${assertionLabel}\` with zod \`schema.safeParse()\` or \`if ('key' in obj)\` type guards. \`as const\` is allowed.`;
+
+	if (count > 20) {
+		return blocker(
+			"as-assertion-count",
+			SDK_NATIVE_CATEGORY,
+			`Provider uses ${count} type assertions (${assertionLabel}). Replace with zod safeParse or type guards.`,
+			remediation,
+			0,
+			formatSourceFindings(findings),
+		);
+	}
+
+	if (count >= 6) {
+		return {
+			id: "as-assertion-count",
+			category: SDK_NATIVE_CATEGORY,
+			level: "warn",
+			status: "warn",
+			points: 0,
+			maxPoints: 0,
+			message: `Provider uses ${count} type assertions (${assertionLabel}). Replace with zod safeParse or type guards.`,
+			remediation,
+			evidence: formatSourceFindings(findings),
+		};
+	}
+
+	return pass(
+		"as-assertion-count",
+		SDK_NATIVE_CATEGORY,
+		"Type assertions are within the recommended limit.",
+		0,
+	);
+}
+
+// Returns true when `findingLine` (1-based) or the line directly above it
+// carries an `// @apifuse-allow <ruleId>:` acknowledgement comment.
+function hasAllowOverride(
+	lines: readonly string[],
+	findingLine: number,
+	ruleId: string,
+): boolean {
+	const pattern = new RegExp(`@apifuse-allow\\s+${ruleId}\\b`);
+	const current = lines[findingLine - 1];
+	const previous = lines[findingLine - 2];
+	return (
+		(current !== undefined && pattern.test(current)) ||
+		(previous !== undefined && pattern.test(previous))
+	);
+}
+
+// Splits source findings into non-overridden (still violations) and
+// acknowledged (escape-hatched) sets by re-reading each file's lines.
+function partitionAllowOverrides(
+	providerRoot: string,
+	findings: readonly SourceFinding[],
+	ruleId: string,
+): { violations: SourceFinding[]; overridden: SourceFinding[] } {
+	const fileLineCache = new Map<string, string[]>();
+	const violations: SourceFinding[] = [];
+	const overridden: SourceFinding[] = [];
+
+	for (const finding of findings) {
+		const absolute = resolve(providerRoot, finding.file);
+		let lines = fileLineCache.get(absolute);
+		if (lines === undefined) {
+			lines = readFileSync(absolute, "utf8").split(/\r?\n/);
+			fileLineCache.set(absolute, lines);
+		}
+		if (hasAllowOverride(lines, finding.line, ruleId)) {
+			overridden.push(finding);
+		} else {
+			violations.push(finding);
+		}
+	}
+
+	return { violations, overridden };
+}
+
+// Builds a blocker/warn/pass result for an escape-hatch-aware rule:
+// any non-overridden finding => blocker; only acknowledged overrides => warn;
+// nothing => pass.
+function escapeHatchResult(
+	providerRoot: string,
+	ruleId: string,
+	findings: readonly SourceFinding[],
+	copy: { blockerMessage: string; remediation: string; passMessage: string },
+): SubmitCheck {
+	if (findings.length === 0) {
+		return pass(ruleId, SDK_NATIVE_CATEGORY, copy.passMessage, 0);
+	}
+
+	const { violations, overridden } = partitionAllowOverrides(
+		providerRoot,
+		findings,
+		ruleId,
+	);
+
+	if (violations.length > 0) {
+		return blocker(
+			ruleId,
+			SDK_NATIVE_CATEGORY,
+			copy.blockerMessage,
+			copy.remediation,
+			0,
+			formatSourceFindings(violations),
+		);
+	}
+
+	return {
+		id: ruleId,
+		category: SDK_NATIVE_CATEGORY,
+		level: "warn",
+		status: "warn",
+		points: 0,
+		maxPoints: 0,
+		message: `${copy.blockerMessage} ${overridden.length} acknowledged @apifuse-allow override(s).`,
+		remediation: copy.remediation,
+		evidence: formatSourceFindings(overridden),
+	};
+}
+
+// 1-based line number of a character offset in `source`.
+function offsetToLine(source: string, offset: number): number {
+	let line = 1;
+	for (let index = 0; index < offset && index < source.length; index += 1) {
+		if (source[index] === "\n") {
+			line += 1;
+		}
+	}
+	return line;
+}
+
+// ---------------------------------------------------------------------------
+// SDK-native structural rules (input-passthrough, loose-schema, flat-operation)
+//
+// SCOPE & LIMITATION: these checks are source-grep heuristics, not a full AST
+// analysis. They are deliberately tuned against the new-structure golden corpus
+// (demaecan / kakaomap / triple) to catch the common non-standard SDK
+// integration shapes seen in bounty submissions: inline/aliased/multi-line
+// input .passthrough(), unjustified loose schemas, and factory-composed
+// operations (inline, aliased, destructured, sibling-module, or unresolved
+// import). They balance brackets and resolve one alias hop across the whole
+// provider submission so trivial formatting/aliasing/module-split bypasses do
+// not slip through.
+//
+// The flat-operation rule guards the "unsafe form" (an op map built by an
+// OPAQUE builder whose operation set is hidden at the call site), not the mere
+// presence of a function call. The stdlib enumerate-and-reshape idiom
+// `Object.fromEntries(Object.entries(<source-visible obj>) ...)` is exempted:
+// its op set still originates from a source-enumerable object and is only
+// filtered/reshaped by pure built-ins. This is the verified golden pattern
+// (triple narrows a statically-defined op object by a whitelist Set). Any other
+// call — `makeOperations()`, a destructured factory, or
+// `Object.fromEntries(buildEntries())` with no source-visible `Object.entries`
+// — stays classified as factory composition and is blocked.
+//
+// They do NOT achieve AST-completeness. Known residual bypasses (schemas or
+// operation maps imported from an external npm package, computed/dynamic
+// property construction, or deliberate obfuscation) are out of reach for a
+// text scan. submit-check is a bounty-workspace gate that runs ALONGSIDE human
+// review; manual review remains the final backstop for adversarial submissions.
+// Promoting these rules to a real TypeScript AST pass (ts.createSourceFile)
+// is tracked as deferred follow-up work (Phase 8.7) and would require adding
+// TypeScript as a provider-sdk dependency.
+// ---------------------------------------------------------------------------
+
+// Matches a `.passthrough()` call tolerant of whitespace before the parens or
+// between them, so `.passthrough ()` / `.passthrough\n()` are still detected.
+const PASSTHROUGH_CALL = /\.passthrough\s*\(\s*\)/;
+
+// Strips redundant wrapping parentheses from an expression so that a value like
+// `(makeOperations())` or `((x))` classifies the same as `makeOperations()`.
+// Only unwraps when the leading `(` matches the trailing `)` at depth 0 (i.e.
+// the whole expression is parenthesized), preserving call expressions such as
+// `makeOperations()` whose first `(` is not a wrapper.
+function unwrapParens(expr: string): string {
+	let value = expr.trim();
+	while (value.startsWith("(")) {
+		let depth = 0;
+		let matchIndex = -1;
+		for (let i = 0; i < value.length; i += 1) {
+			const ch = value[i];
+			if (ch === "(") {
+				depth += 1;
+			} else if (ch === ")") {
+				depth -= 1;
+				if (depth === 0) {
+					matchIndex = i;
+					break;
+				}
+			}
+		}
+		// Only a true wrapper spans the entire expression (closing paren is the
+		// last char). Otherwise the leading `(` belongs to a sub-expression.
+		if (matchIndex === value.length - 1) {
+			value = value.slice(1, -1).trim();
+		} else {
+			break;
+		}
+	}
+	return value;
+}
+
+// Returns the value-expression substring starting at `valueStart`, balanced
+// across (){}[] and stopping at the first top-level `,`/`;` or unmatched
+// closing bracket. This lets a property value be read across newlines, so a
+// multi-line `input: z.object({...})\n.passthrough()` is captured whole.
+function balancedValueExpression(source: string, valueStart: number): string {
+	let depth = 0;
+	let index = valueStart;
+	for (; index < source.length; index += 1) {
+		const ch = source[index];
+		if (ch === "(" || ch === "{" || ch === "[") {
+			depth += 1;
+		} else if (ch === ")" || ch === "}" || ch === "]") {
+			if (depth === 0) {
+				break;
+			}
+			depth -= 1;
+		} else if ((ch === "," || ch === ";") && depth === 0) {
+			break;
+		}
+	}
+	return source.slice(valueStart, index);
+}
+
+// True when an object-literal expression spreads a CALL expression at its top
+// level, e.g. `{ ...makeOperations() }` or `{ ...a, ...build(x) }`. Spreads
+// nested deeper than the outer object (inside handler bodies, nested objects,
+// or arrays) are ignored, so only a factory composition of the object itself
+// is detected. Input is expected to start at the outer `{`.
+function hasTopLevelFactorySpread(expr: string): boolean {
+	const open = expr.indexOf("{");
+	if (open === -1) {
+		return false;
+	}
+	let depth = 0;
+	for (let i = open; i < expr.length; i += 1) {
+		const ch = expr[i];
+		if (ch === "{" || ch === "(" || ch === "[") {
+			depth += 1;
+		} else if (ch === "}" || ch === ")" || ch === "]") {
+			depth -= 1;
+			if (depth === 0) {
+				break;
+			}
+		} else if (ch === "." && depth === 1 && expr.startsWith("...", i)) {
+			// A spread at the object's own level. Check whether the spread
+			// argument is a call expression (factory) rather than a plain
+			// identifier/member spread of an already-built object.
+			const rest = expr.slice(i + 3);
+			if (/^\s*[A-Za-z_$][\w$.]*\s*\(/.test(rest)) {
+				return true;
+			}
+		}
+	}
+	return false;
+}
+
+// Collects the depth-1 spread IDENTIFIERS of an object-literal expression that
+// are bare identifiers (not call expressions), e.g. `{ ...hidden, ...base }` ->
+// ["hidden", "base"]. A `...makeOps()` call spread is already caught by
+// hasTopLevelFactorySpread, so it is excluded here. These identifiers must be
+// resolved to their declarations: `const hidden = makeOperations()` spread as
+// `{ ...hidden }` is still a factory-composed map and must block.
+function topLevelSpreadIdentifiers(expr: string): string[] {
+	const open = expr.indexOf("{");
+	if (open === -1) {
+		return [];
+	}
+	const names: string[] = [];
+	let depth = 0;
+	for (let i = open; i < expr.length; i += 1) {
+		const ch = expr[i];
+		if (ch === "{" || ch === "(" || ch === "[") {
+			depth += 1;
+		} else if (ch === "}" || ch === ")" || ch === "]") {
+			depth -= 1;
+			if (depth === 0) {
+				break;
+			}
+		} else if (ch === "." && depth === 1 && expr.startsWith("...", i)) {
+			const rest = expr.slice(i + 3);
+			// Bare identifier spread (no call parens) -> needs declaration
+			// resolution. `...obj.prop` member spreads are treated as already
+			// built and ignored (the leading identifier is captured).
+			const m = rest.match(/^\s*([A-Za-z_$][\w$]*)\s*(?![\w$(])/);
+			if (m?.[1]) {
+				names.push(m[1]);
+			}
+		}
+	}
+	return names;
+}
+
+// A call expression is an OPAQUE builder (block) when it invokes a
+// provider-authored function whose body — and therefore the operation set — is
+// not visible at the call site, e.g. `makeOperations()` or a destructured
+// `const { operations } = createProviderComposition(...)`. It is NOT opaque
+// when it is the stdlib `Object.fromEntries(Object.entries(<obj>) ...)`
+// enumerate-and-reshape idiom: the operation set still originates from a
+// source-visible object (the `Object.entries(...)` argument) and is merely
+// filtered/reshaped by pure built-ins, so the registry/reviewer can still
+// enumerate the op map from source. This is the verified golden pattern (a
+// statically-defined op object narrowed by a whitelist Set).
+//
+// The exemption requires `Object.entries(` to be the ROOT of fromEntries'
+// FIRST argument — not merely present somewhere inside the expression. This
+// rejects opaque maps that only mention `Object.entries` deeper in a predicate,
+// e.g. `Object.fromEntries(buildEntries().filter(([id]) => Object.entries(ALLOWED).some(...)))`,
+// whose entries still originate from the opaque `buildEntries()` call. Any other
+// expression — `Object.fromEntries(buildEntries())`, a destructured factory,
+// `makeOperations()` — stays classified as factory composition.
+const TRANSPARENT_RESHAPE_HEAD = /^Object\s*\.\s*fromEntries\s*\(/;
+const OBJECT_ENTRIES_HEAD = /^Object\s*\.\s*entries\s*\(/;
+function isTransparentObjectReshape(expr: string): boolean {
+	const head = TRANSPARENT_RESHAPE_HEAD.exec(expr);
+	if (!head) {
+		return false;
+	}
+	// First argument starts immediately after `fromEntries(`. The reshape is
+	// transparent only when that argument's root callee is `Object.entries(`
+	// (optionally chained: `Object.entries(obj).filter(...)`), so the source
+	// object is enumerable from source rather than produced by an opaque call.
+	const firstArg = expr.slice(head[0].length).trimStart();
+	return OBJECT_ENTRIES_HEAD.test(firstArg);
+}
+
+// Decide whether an `input:` property at `propIndex` is an operation's public
+// input schema (the thing the rule guards) or merely a field literally named
+// "input" inside a zod schema body (e.g. modelling an upstream payload that
+// happens to have an `input` field: `z.object({ input: z.object(...) })`).
+// We walk backwards to the directly-enclosing `{` and inspect the token that
+// opened it: if that brace is the argument of a zod builder call such as
+// `z.object(`, `z.strictObject(`, `z.looseObject(`, `z.record(`, or a bare
+// `.object(` / `.shape(`, the `input` key is a schema field, not an operation
+// input. Operation inputs live in a plain object literal (the operation
+// definition), so their enclosing `{` is NOT immediately preceded by `(` of a
+// schema builder.
+function inputKeyIsSchemaField(source: string, propIndex: number): boolean {
+	let depth = 0;
+	let i = propIndex - 1;
+	for (; i >= 0; i -= 1) {
+		const ch = source[i];
+		if (ch === "}" || ch === ")" || ch === "]") {
+			depth += 1;
+		} else if (ch === "(" || ch === "[") {
+			if (depth === 0) {
+				// Reached an opening paren/bracket that directly contains the
+				// property — an array/call arg position, not an object literal.
+				return false;
+			}
+			depth -= 1;
+		} else if (ch === "{") {
+			if (depth === 0) {
+				break;
+			}
+			depth -= 1;
+		}
+	}
+	if (i < 0) {
+		return false;
+	}
+	// `i` indexes the directly-enclosing `{`. Look at the non-whitespace text
+	// immediately before it. A zod object/record builder opens with `(` then
+	// optionally whitespace then `{`, so the char before `{` is `(` and the
+	// callee just before that `(` is a zod builder identifier.
+	let j = i - 1;
+	while (j >= 0 && /\s/.test(source[j] ?? "")) {
+		j -= 1;
+	}
+	if (source[j] !== "(") {
+		return false;
+	}
+	// Capture the callee identifier chain that ends at this `(` and test its
+	// final member against the set of zod builders that take an object body.
+	const before = source.slice(Math.max(0, j - 60), j);
+	const calleeMatch = before.match(/([A-Za-z_$][\w$]*)\s*$/);
+	const callee = calleeMatch?.[1];
+	if (callee === undefined) {
+		return false;
+	}
+	const SCHEMA_BODY_BUILDERS = new Set([
+		"object",
+		"strictObject",
+		"looseObject",
+		"record",
+		"shape",
+		"extend",
+		"merge",
+		"catchall",
+		"partial",
+		"required",
+		"pick",
+		"omit",
+		"augment",
+	]);
+	return SCHEMA_BODY_BUILDERS.has(callee);
+}
+
+// True when `source` imports the binding `name` from another module, i.e. a
+// top-level `import { ..., name, ... } from "..."` (named or aliased) or a
+// default/namespace import of `name`. Used to confirm an `input: <alias>`
+// reference actually binds to an imported declaration before resolving it
+// against the provider-wide passthrough map (prevents same-name collisions
+// across unrelated modules from producing false positives).
+function fileImportsBinding(source: string, name: string): boolean {
+	const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+	return new RegExp(`\\bimport\\b[^;]*\\b${escaped}\\b[^;]*\\bfrom\\b`).test(
+		source,
+	);
+}
+
+// Resolves the ORIGINAL exported name for a local binding `localName`. When the
+// file imports it under an alias — `import { requestSchema as inputSchema }` —
+// the provider-wide passthrough map is keyed by the exported declaration name
+// (`requestSchema`), not the local alias (`inputSchema`), so the alias must be
+// mapped back before lookup. Returns `localName` unchanged when there is no
+// aliased import (plain `import { requestSchema }` or a local declaration).
+function importedOriginalName(source: string, localName: string): string {
+	const escaped = localName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+	// Match `<original> as <localName>` inside any import specifier list.
+	const aliasMatch = new RegExp(
+		`\\bimport\\b[^;]*\\{[^}]*\\b([A-Za-z_$][\\w$]*)\\s+as\\s+${escaped}\\b[^}]*\\}[^;]*\\bfrom\\b`,
+	).exec(source);
+	return aliasMatch?.[1] ?? localName;
+}
+
+function scoreUnsafeInputPassthrough(providerRoot: string): SubmitCheck {
+	const findings: SourceFinding[] = [];
+	const files = listNonTestTypeScriptFiles(providerRoot);
+
+	// Pass 1: collect every passthrough schema const across the WHOLE provider
+	// submission (not per-file), keyed by name -> declaration site. This lets an
+	// `input:` in index.ts resolve a non-`input`-named passthrough schema that
+	// was declared in another module (e.g. schemas.ts) and imported.
+	type ConstSite = { file: string; line: number };
+	const passthroughConsts = new Map<string, ConstSite>();
+	// Per-file map of passthrough const declarations, so an `input: <alias>` can
+	// resolve its ACTUAL binding (a same-file local declaration) before falling
+	// back to an imported cross-module schema. This prevents a generic name like
+	// `requestSchema` declared in one module from being matched against an
+	// unrelated `input: requestSchema` in another module (a false positive on a
+	// strict schema that merely shares the identifier).
+	const passthroughByFile = new Map<string, Map<string, ConstSite>>();
+	const fileSources = new Map<string, string>();
+	for (const filePath of files) {
+		const source = readFileSync(filePath, "utf8");
+		const relPath = toRelativeProviderPath(providerRoot, filePath);
+		fileSources.set(filePath, source);
+		const localMap = new Map<string, ConstSite>();
+		passthroughByFile.set(filePath, localMap);
+		const constDecl =
+			/(?:^|\n)[ \t]*(?:export\s+)?(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*(?::[^=\n]+)?\s*=/g;
+		for (
+			let match = constDecl.exec(source);
+			match !== null;
+			match = constDecl.exec(source)
+		) {
+			const name = match[1];
+			if (name === undefined) {
+				continue;
+			}
+			const valueStart = match.index + match[0].length;
+			const value = balancedValueExpression(source, valueStart);
+			if (PASSTHROUGH_CALL.test(value)) {
+				const site: ConstSite = {
+					file: relPath,
+					line: offsetToLine(source, valueStart),
+				};
+				localMap.set(name, site);
+				// First declaration wins for line attribution; duplicate names
+				// across modules are rare and either site is a valid pointer.
+				if (!passthroughConsts.has(name)) {
+					passthroughConsts.set(name, site);
+				}
+			}
+		}
+	}
+
+	const seen = new Set<string>();
+	const push = (site: ConstSite) => {
+		const key = `${site.file}:${site.line}`;
+		if (!seen.has(key)) {
+			seen.add(key);
+			findings.push({ file: site.file, line: site.line });
+		}
+	};
+
+	// Pass 2: inspect every `input:` property value across all files. A value
+	// that is itself a passthrough expression, or that references a passthrough
+	// const by name (resolved against the provider-wide map), is a violation.
+	for (const filePath of files) {
+		const source = fileSources.get(filePath) ?? readFileSync(filePath, "utf8");
+		const relPath = toRelativeProviderPath(providerRoot, filePath);
+
+		const inputProp = /\binput\s*:\s*/g;
+		for (
+			let match = inputProp.exec(source);
+			match !== null;
+			match = inputProp.exec(source)
+		) {
+			// Skip `input` keys that are fields inside a zod schema body (e.g. an
+			// upstream payload modelled as `z.object({ input: ... })`). Only an
+			// operation's public `input:` property is in scope for this rule.
+			if (inputKeyIsSchemaField(source, match.index)) {
+				continue;
+			}
+			const valueStart = match.index + match[0].length;
+			const value = balancedValueExpression(source, valueStart);
+			if (PASSTHROUGH_CALL.test(value)) {
+				push({ file: relPath, line: offsetToLine(source, valueStart) });
+				continue;
+			}
+			const ref = value.trim().match(/^([A-Za-z_$][\w$]*)/);
+			const refName = ref?.[1];
+			if (refName) {
+				// Resolve the alias by BINDING, not by global name. Prefer a
+				// passthrough const declared in THIS file; otherwise only fall
+				// back to the provider-wide map when this file actually imports
+				// `refName` (so a generic name shared across modules cannot link
+				// an unrelated strict input to a foreign passthrough schema).
+				const localSite = passthroughByFile.get(filePath)?.get(refName);
+				if (localSite) {
+					push(localSite);
+				} else if (fileImportsBinding(source, refName)) {
+					// Imported binding: map a possible `orig as refName` alias
+					// back to the exported name the provider-wide map is keyed by.
+					const originalName = importedOriginalName(source, refName);
+					const site =
+						passthroughConsts.get(refName) ??
+						passthroughConsts.get(originalName);
+					if (site) {
+						push(site);
+					}
+				}
+			}
+		}
+
+		// `input,` shorthand binds a local `input` const; flag it if that const
+		// is a passthrough schema declared in THIS file (the binding the
+		// shorthand actually closes over).
+		if (/(?:^|\n)[ \t]*input\s*,/.test(source)) {
+			const localInput = passthroughByFile.get(filePath)?.get("input");
+			if (localInput) {
+				push(localInput);
+			} else if (fileImportsBinding(source, "input")) {
+				const site = passthroughConsts.get("input");
+				if (site) {
+					push(site);
+				}
+			}
+		}
+	}
+
+	return escapeHatchResult(providerRoot, "unsafe-input-passthrough", findings, {
+		blockerMessage:
+			"Public input schema uses .passthrough(); unknown caller fields are silently accepted or dropped.",
+		remediation:
+			"Use strict input schemas (z.object({...}) without .passthrough()). If upstream form replay genuinely needs it, allowlist the forwarded fields and add `// @apifuse-allow unsafe-input-passthrough: <reason>`.",
+		passMessage: "Input schemas do not use unscoped .passthrough().",
+	});
+}
+
+function scoreUnjustifiedLooseSchema(providerRoot: string): SubmitCheck {
+	const findings: SourceFinding[] = [];
+
+	for (const filePath of listNonTestTypeScriptFiles(providerRoot)) {
+		const lines = readFileSync(filePath, "utf8").split(/\r?\n/);
+		for (let index = 0; index < lines.length; index += 1) {
+			const line = lines[index];
+			if (line === undefined || !/\bz\.(record|unknown|any)\s*\(/.test(line)) {
+				continue;
+			}
+			// A `//` justification comment on the same line or the line above
+			// (including the `@apifuse-allow loose-schema:` form) acknowledges it.
+			const previous = lines[index - 1];
+			const justified =
+				line.includes("//") || previous?.trim().startsWith("//") === true;
+			if (!justified) {
+				findings.push({
+					file: toRelativeProviderPath(providerRoot, filePath),
+					line: index + 1,
+				});
+			}
+		}
+	}
+
+	return escapeHatchResult(providerRoot, "unjustified-loose-schema", findings, {
+		blockerMessage:
+			"Loose schema (z.record/z.unknown/z.any) used without justification.",
+		remediation:
+			"Model the real shape with a typed zod schema. If the upstream payload is genuinely arbitrary, add a `// <reason>` comment or `// @apifuse-allow loose-schema: <reason>` on the line above.",
+		passMessage: "Loose schemas are justified or absent.",
+	});
+}
+
+// True when `name` resolves, anywhere in the provider submission, to a
+// declaration whose initializer is an OPAQUE factory — a call expression
+// (`const hidden = makeOperations()`) or itself a factory spread — or to an
+// imported binding with no local declaration (out-of-view construction). Used
+// to classify a top-level spread identifier (`{ ...hidden }`) so an opaque
+// factory map cannot be laundered through a variable before being spread. The
+// stdlib transparent reshape is NOT treated as a factory (parity with the
+// direct-alias classification).
+function spreadIdentifierResolvesToFactory(
+	providerRoot: string,
+	indexPath: string,
+	indexSource: string,
+	name: string,
+): boolean {
+	const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+	const declRe = new RegExp(
+		`(?:^|\\n)[ \t]*(?:export\\s+)?(?:const|let|var)\\s+${escaped}\\s*(?::[^=\\n]+)?\\s*=`,
+		"g",
+	);
+	let sawDeclaration = false;
+	for (const filePath of [
+		indexPath,
+		...listNonTestTypeScriptFiles(providerRoot).filter(
+			(p) => resolve(p) !== resolve(indexPath),
+		),
+	]) {
+		if (!existsSync(filePath)) {
+			continue;
+		}
+		const fileSource =
+			filePath === indexPath ? indexSource : readFileSync(filePath, "utf8");
+		const re = new RegExp(declRe.source, "g");
+		for (let m = re.exec(fileSource); m !== null; m = re.exec(fileSource)) {
+			sawDeclaration = true;
+			const expr = unwrapParens(
+				balancedValueExpression(fileSource, m.index + m[0].length).trim(),
+			);
+			const isFactory =
+				(/^[A-Za-z_$][\w$.]*\s*\(/.test(expr) ||
+					hasTopLevelFactorySpread(expr)) &&
+				!isTransparentObjectReshape(expr);
+			if (isFactory) {
+				return true;
+			}
+		}
+	}
+	// No local declaration anywhere but imported into index.ts => constructed
+	// out of view; treat as factory (conservative, false-negative-safe).
+	if (!sawDeclaration && fileImportsBinding(indexSource, name)) {
+		return true;
+	}
+	return false;
+}
+
+function scoreFlatOperationComposition(providerRoot: string): SubmitCheck {
+	const indexPath = resolve(providerRoot, "index.ts");
+	const ruleId = "flat-operation-composition";
+	if (!existsSync(indexPath)) {
+		return pass(
+			ruleId,
+			SDK_NATIVE_CATEGORY,
+			"Provider index.ts not found; flat-operation check skipped.",
+			0,
+		);
+	}
+
+	const source = readFileSync(indexPath, "utf8");
+	// Use the same whitespace-tolerant detection as the resolver below, so a
+	// `defineProvider (` / `defineProvider\n(` formatting cannot pass the early
+	// exit before the real classification runs.
+	if (!/\bdefineProvider\s*\(/.test(source)) {
+		return pass(
+			ruleId,
+			SDK_NATIVE_CATEGORY,
+			"No defineProvider call to evaluate for operation composition.",
+			0,
+		);
+	}
+
+	// Scope the scan to the argument of the EXPORTED `defineProvider(...)` call.
+	// A provider can contain helper/non-exported defineProvider calls before the
+	// real default export (e.g. test scaffolds), so resolve the default export
+	// rather than blindly taking the first regex match. Resolution order:
+	//   1. `export default defineProvider(` — inline default export
+	//   2. `export default <ident>` then `const <ident> = defineProvider(`
+	//   3. fallback: first `defineProvider(` in the file
+	let defineParenIndex = -1;
+	const inlineDefault = /\bexport\s+default\s+defineProvider\s*\(/.exec(source);
+	if (inlineDefault) {
+		defineParenIndex = inlineDefault.index + inlineDefault[0].length - 1; // points at `(`
+	} else {
+		const namedDefault = /\bexport\s+default\s+([A-Za-z_$][\w$]*)\s*;?/.exec(
+			source,
+		);
+		const exportedName = namedDefault?.[1];
+		if (exportedName !== undefined) {
+			const namedDecl = new RegExp(
+				`(?:^|\\n)[ \t]*(?:export\\s+)?(?:const|let|var)\\s+${exportedName}\\s*(?::[^=\\n]+)?\\s*=\\s*defineProvider\\s*\\(`,
+			).exec(source);
+			if (namedDecl) {
+				defineParenIndex = namedDecl.index + namedDecl[0].length - 1;
+			}
+		}
+		if (defineParenIndex === -1) {
+			const firstCall = /\bdefineProvider\s*\(/.exec(source);
+			if (firstCall) {
+				defineParenIndex = firstCall.index + firstCall[0].length - 1;
+			}
+		}
+	}
+	if (defineParenIndex === -1) {
+		return pass(
+			ruleId,
+			SDK_NATIVE_CATEGORY,
+			"No defineProvider call to evaluate for operation composition.",
+			0,
+		);
+	}
+	const argStart = defineParenIndex + 1;
+	const argText = balancedValueExpression(source, argStart);
+
+	// Resolve the value passed as `operations:` inside the defineProvider call,
+	// following one alias hop. The value is classified as a static object
+	// literal (pass) or a factory/call expression (block). The regex index is
+	// offset back into the full source so line numbers stay accurate.
+	const opsProp = /\boperations\s*:\s*/.exec(argText);
+	let opsValue: string | undefined;
+	let opsLine = 1;
+	if (opsProp) {
+		const valueStart = argStart + opsProp.index + opsProp[0].length;
+		opsValue = unwrapParens(balancedValueExpression(source, valueStart).trim());
+		opsLine = offsetToLine(source, valueStart);
+	}
+
+	// Property shorthand: `defineProvider({ ..., operations })` — resolve the
+	// local `operations` const initializer.
+	let aliasName: string | undefined;
+	if (opsValue === undefined) {
+		if (/\boperations\s*[,}]/.test(argText)) {
+			aliasName = "operations";
+		}
+	} else if (/^[A-Za-z_$][\w$]*$/.test(opsValue)) {
+		// `operations: ops` — a bare identifier alias to resolve.
+		aliasName = opsValue;
+	}
+
+	// Determine the effective initializer expression to classify. The alias may
+	// be declared in index.ts OR re-exported from a sibling module (the common
+	// generated scaffold: `import { operations } from "./operations"` where
+	// ./operations.ts builds the map with makeOperations()/Object.fromEntries).
+	// Resolve across every provider source file so cross-module factory
+	// composition cannot evade the blocker.
+	let effective = opsValue;
+	let effectiveLine = opsLine;
+	let effectiveFile = "index.ts";
+	if (aliasName !== undefined) {
+		const aliasDecl = new RegExp(
+			`(?:^|\\n)[ \t]*(?:export\\s+)?(?:const|let|var)\\s+${aliasName}\\s*(?::[^=\\n]+)?\\s*=`,
+		);
+		// Destructured factory form: `const { operations } = makeOps()`.
+		const destructured = new RegExp(
+			`(?:^|\\n)[ \t]*(?:export\\s+)?(?:const|let|var)\\s*\\{[^}]*\\b${aliasName}\\b[^}]*\\}\\s*=\\s*([A-Za-z_$][\\w$.]*)\\s*\\(`,
+		);
+
+		// Search index.ts first (its line attribution wins), then siblings.
+		const searchOrder = [
+			indexPath,
+			...listNonTestTypeScriptFiles(providerRoot).filter(
+				(p) => resolve(p) !== resolve(indexPath),
+			),
+		];
+
+		// Collect EVERY same-named declaration across the submission and classify
+		// each as factory vs static. A factory declaration anywhere wins, so a
+		// decoy static `const operations = {}` in an earlier-scanned file cannot
+		// mask a factory-composed declaration in another module. (We deliberately
+		// do not resolve the exact import target path; "any same-named factory
+		// blocks" is the conservative, false-negative-avoiding choice for a gate.)
+		type Candidate = {
+			expr: string;
+			line: number;
+			file: string;
+			isFactory: boolean;
+		};
+		const candidates: Candidate[] = [];
+		for (const filePath of searchOrder) {
+			if (!existsSync(filePath)) {
+				continue;
+			}
+			const fileSource =
+				filePath === indexPath ? source : readFileSync(filePath, "utf8");
+			const relPath = toRelativeProviderPath(providerRoot, filePath);
+
+			const declRe = new RegExp(aliasDecl.source, "g");
+			for (
+				let m = declRe.exec(fileSource);
+				m !== null;
+				m = declRe.exec(fileSource)
+			) {
+				const valueStart = m.index + m[0].length;
+				const expr = unwrapParens(
+					balancedValueExpression(fileSource, valueStart).trim(),
+				);
+				const isFactory =
+					(/^[A-Za-z_$][\w$.]*\s*\(/.test(expr) ||
+						hasTopLevelFactorySpread(expr)) &&
+					!isTransparentObjectReshape(expr);
+				candidates.push({
+					expr,
+					line: offsetToLine(fileSource, valueStart),
+					file: relPath,
+					isFactory,
+				});
+			}
+			const destructRe = new RegExp(destructured.source, "g");
+			for (
+				let m = destructRe.exec(fileSource);
+				m !== null;
+				m = destructRe.exec(fileSource)
+			) {
+				candidates.push({
+					expr: `${m[1]}(`,
+					line: offsetToLine(fileSource, m.index),
+					file: relPath,
+					isFactory: true,
+				});
+			}
+		}
+
+		const resolved = candidates.length > 0;
+		if (resolved) {
+			// Prefer a factory declaration (it blocks); otherwise keep the first
+			// static declaration for line attribution.
+			const factory = candidates.find((c) => c.isFactory);
+			const chosen = factory ?? candidates[0];
+			if (chosen !== undefined) {
+				effective = chosen.expr;
+				effectiveLine = chosen.line;
+				effectiveFile = chosen.file;
+			}
+		}
+
+		// An imported alias that resolves to no local declaration anywhere in the
+		// submission means the operations map is constructed out of view. Treat
+		// the unresolved import as a factory-composed (non-static) shape rather
+		// than silently passing.
+		if (!resolved) {
+			const importMatch = new RegExp(
+				`\\bimport\\b[^;]*\\b${aliasName}\\b[^;]*\\bfrom\\b`,
+			).exec(source);
+			if (importMatch) {
+				effective = `${aliasName}(`;
+				effectiveLine = offsetToLine(source, importMatch.index);
+				effectiveFile = "index.ts";
+			}
+		}
+	}
+
+	// A value starting with `{` is an object literal, but it is only STATIC if
+	// its TOP-LEVEL entries are all explicit properties. A factory spread such
+	// as `{ ...makeOperations() }` still composes the map dynamically. We only
+	// inspect depth-1 entries so that ordinary spreads deep inside operation
+	// handler bodies (e.g. `{ ...headers }`, `...arr.map(...)`) are NOT mistaken
+	// for a top-level factory composition of the operations map itself.
+	const hasFactorySpread =
+		effective !== undefined && hasTopLevelFactorySpread(effective);
+	// A spread of a bare identifier (`{ ...hidden }`) is static ONLY when that
+	// identifier resolves to a non-factory declaration. Resolve each top-level
+	// spread identifier so an opaque factory map laundered through a variable
+	// (`const hidden = makeOperations(); operations: { ...hidden }`) still blocks.
+	const hasFactorySpreadIdentifier =
+		effective !== undefined &&
+		topLevelSpreadIdentifiers(effective).some((name) =>
+			spreadIdentifierResolvesToFactory(providerRoot, indexPath, source, name),
+		);
+	const isStaticLiteral =
+		effective?.startsWith("{") === true &&
+		!hasFactorySpread &&
+		!hasFactorySpreadIdentifier;
+	// A call expression `ident(...)` (factory) or a factory-spread literal is
+	// the rejected, non-static shape — UNLESS it is the stdlib
+	// `Object.fromEntries(Object.entries(<source-visible obj>)...)` reshape,
+	// whose op set is still enumerable from source (verified golden pattern).
+	const isFactoryCall =
+		effective !== undefined &&
+		(/^[A-Za-z_$][\w$.]*\s*\(/.test(effective) ||
+			hasFactorySpread ||
+			hasFactorySpreadIdentifier) &&
+		!isTransparentObjectReshape(effective);
+
+	if (isFactoryCall && !isStaticLiteral) {
+		// Route through the shared escape-hatch partitioner so an
+		// `// @apifuse-allow flat-operation-composition: <reason>` comment on
+		// the reported line (or the line above) downgrades this blocker to a
+		// counted warning, consistent with the other structural rules.
+		return escapeHatchResult(
+			providerRoot,
+			ruleId,
+			[{ file: effectiveFile, line: effectiveLine }],
+			{
+				blockerMessage:
+					"defineProvider operations are composed by a factory call instead of a static object literal.",
+				remediation:
+					"Declare operations as a static literal: defineProvider({ operations: { 'op-id': defineOperation({...}) } }). The provider-registry AST gate requires static runtime/operations; factory composition fails the registry build. If composition is unavoidable, add `// @apifuse-allow flat-operation-composition: <reason>`.",
+				passMessage:
+					"defineProvider declares operations as a static object literal.",
+			},
+		);
+	}
+
+	return pass(
+		ruleId,
+		SDK_NATIVE_CATEGORY,
+		"defineProvider declares operations as a static object literal.",
+		0,
+	);
+}
+
+function scoreCredentialUsage(
+	providerRoot: string,
+	provider: ProviderDefinition,
+): SubmitCheck {
+	const credentialReferences = findSourceLineMatches(
+		providerRoot,
+		/ctx\.credential/,
+	);
+	const authMode = provider.auth?.mode ?? "none";
+	const credentialKeys = provider.credential?.keys ?? [];
+	const storesProviderCredential =
+		authMode !== "none" || credentialKeys.length > 0;
+
+	if (storesProviderCredential && credentialReferences.length === 0) {
+		return {
+			id: "credential-usage",
+			category: SDK_NATIVE_CATEGORY,
+			level: "warn",
+			status: "warn",
+			points: 0,
+			maxPoints: 0,
+			message:
+				"Credential-backed provider does not reference credential persistence in source.",
+			remediation:
+				"Persist provider session state through the SDK credential context instead of process-local state. See providers/catchtable for the reference pattern.",
+		};
+	}
+
+	return pass(
+		"credential-usage",
+		SDK_NATIVE_CATEGORY,
+		authMode === "none" && credentialKeys.length === 0
+			? "Provider does not declare reusable credentials."
+			: "Credential-backed provider references ctx.credential.",
+		0,
+		credentialReferences.length > 0
+			? formatSourceFindings(credentialReferences)
+			: undefined,
+	);
+}
+
+function findSourceLineMatches(
+	providerRoot: string,
+	pattern: RegExp | ((line: string) => boolean),
+): SourceFinding[] {
+	return findSourceFindings(providerRoot, (line) =>
+		matchesLinePattern(line, pattern),
+	);
+}
+
+function findSourceFindings(
+	providerRoot: string,
+	matchesLine: (line: string, remainingLines: readonly string[]) => boolean,
+): SourceFinding[] {
+	const findings: SourceFinding[] = [];
+	for (const filePath of listNonTestTypeScriptFiles(providerRoot)) {
+		const content = readFileSync(filePath, "utf8");
+		const lines = content.split(/\r?\n/);
+		for (let index = 0; index < lines.length; index += 1) {
+			const line = lines[index];
+			if (line !== undefined && matchesLine(line, lines.slice(index + 1))) {
+				findings.push({
+					file: toRelativeProviderPath(providerRoot, filePath),
+					line: index + 1,
+				});
+				if (findings.length >= MAX_SOURCE_FINDING_EVIDENCE) {
+					return findings;
+				}
+			}
+		}
+	}
+	return findings;
+}
+
+function matchesLinePattern(
+	line: string,
+	pattern: RegExp | ((line: string) => boolean),
+): boolean {
+	return typeof pattern === "function" ? pattern(line) : pattern.test(line);
+}
+
+function listNonTestTypeScriptFiles(providerRoot: string): string[] {
+	const files: string[] = [];
+	collectNonTestTypeScriptFiles(providerRoot, providerRoot, files);
+	return files;
+}
+
+function listNonTestProviderSourceFiles(providerRoot: string): string[] {
+	const files: string[] = [];
+	collectNonTestProviderSourceFiles(providerRoot, providerRoot, files);
+	return files;
+}
+
+function collectNonTestProviderSourceFiles(
+	providerRoot: string,
+	currentPath: string,
+	files: string[],
+): void {
+	for (const entry of readdirSync(currentPath, { withFileTypes: true })) {
+		const entryPath = join(currentPath, entry.name);
+		const relativePath = toRelativeProviderPath(providerRoot, entryPath);
+		if (entry.isDirectory()) {
+			if (shouldScanSourceDirectory(relativePath)) {
+				collectNonTestProviderSourceFiles(providerRoot, entryPath, files);
+			}
+			continue;
+		}
+		if (
+			entry.isFile() &&
+			isScannableProviderSourceFile(relativePath) &&
+			!isExcludedTestSource(relativePath)
+		) {
+			files.push(entryPath);
+		}
+	}
+}
+
+function collectNonTestTypeScriptFiles(
+	providerRoot: string,
+	currentPath: string,
+	files: string[],
+): void {
+	for (const entry of readdirSync(currentPath, { withFileTypes: true })) {
+		const entryPath = join(currentPath, entry.name);
+		const relativePath = toRelativeProviderPath(providerRoot, entryPath);
+		if (entry.isDirectory()) {
+			if (shouldScanSourceDirectory(relativePath)) {
+				collectNonTestTypeScriptFiles(providerRoot, entryPath, files);
+			}
+			continue;
+		}
+		if (
+			entry.isFile() &&
+			relativePath.endsWith(".ts") &&
+			!isExcludedTestSource(relativePath)
+		) {
+			files.push(entryPath);
+		}
+	}
+}
+
+function isScannableProviderSourceFile(relativePath: string): boolean {
+	return (
+		/\.(?:ts|tsx|js|jsx|mjs|cjs|sh|bash)$/.test(relativePath) ||
+		/(?:^|\/)Dockerfile(?:\.|$)/.test(relativePath) ||
+		/(?:^|\/)entrypoint(?:\.|$)/.test(relativePath)
+	);
+}
+
+function shouldScanSourceDirectory(relativePath: string): boolean {
+	return ![".git", "node_modules", "dist", "build", "coverage"].includes(
+		relativePath,
+	);
+}
+
+function isExcludedTestSource(relativePath: string): boolean {
+	return (
+		relativePath.endsWith(".test.ts") ||
+		relativePath.startsWith("__tests__/") ||
+		relativePath.includes("/__tests__/") ||
+		relativePath.startsWith("tests/") ||
+		relativePath.includes("/tests/")
+	);
+}
+
+function toRelativeProviderPath(
+	providerRoot: string,
+	filePath: string,
+): string {
+	return relative(providerRoot, filePath).replaceAll("\\", "/");
+}
+
+function formatSourceFindings(findings: readonly SourceFinding[]): string[] {
+	return findings.map((finding) => `${finding.file}:${finding.line}`);
+}
+
 function scoreRepositoryDx(providerRoot: string): SubmitCheck {
 	const missing: string[] = [];
 	if (!existsSync(resolve(providerRoot, ".gitignore"))) {
@@ -353,7 +1700,7 @@ function checkScriptRunsTypeCheck(checkScript: unknown): boolean {
 
 async function safeRunChecks(providerRoot: string): Promise<CheckResult[]> {
 	try {
-		return await runChecks(providerRoot);
+		return await runChecks(providerRoot, { lintMode: "standalone" });
 	} catch (error) {
 		return [
 			{
@@ -365,6 +1712,81 @@ async function safeRunChecks(providerRoot: string): Promise<CheckResult[]> {
 	}
 }
 
+const SUBMIT_CHECK_BROWSER_PATTERNS: ReadonlyArray<{
+	rule: string;
+	pattern: RegExp;
+}> = [
+	{
+		rule: "browser-self-hosted-launch",
+		pattern: /\b(?:playwright|chromium|firefox|webkit|puppeteer)\.launch\s*\(/,
+	},
+	{
+		rule: "browser-self-hosted-child-process",
+		pattern:
+			/\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync|Bun\.spawn|Bun\.spawnSync)\s*\([^;]*\b(?:google-chrome|chrome|chromium|chromium-browser)\b|\$`[^`]*\b(?:google-chrome|chrome|chromium|chromium-browser)\b/,
+	},
+	{
+		rule: "browser-self-hosted-remote-debugging-port",
+		pattern:
+			/(?:\b(?:google-chrome|chrome|chromium|chromium-browser)\b[\s\S]{0,240}--remote-debugging-port\b|--remote-debugging-port(?:=|\s+))/,
+	},
+	{
+		rule: "browser-direct-cdp-version-poll",
+		pattern: /\/json\/version\b/,
+	},
+	{
+		rule: "browser-provider-local-cdp-env",
+		pattern:
+			/\b(?!APIFUSE__CDP_POOL__URL\b)[A-Z][A-Z0-9_]*_CDP_URL\b|process\.env(?:\.(?!APIFUSE__CDP_POOL__URL\b)[A-Z0-9_]*_CDP_URL\b|\[\s*["'`](?!APIFUSE__CDP_POOL__URL\b)[A-Z0-9_]*_CDP_URL["'`]\s*\])/,
+	},
+];
+
+function scoreManagedBrowserRuntime(providerRoot: string): SubmitCheck {
+	const maxManagedBrowserEvidence = MAX_SOURCE_FINDING_EVIDENCE * 2;
+	const browserFindings: string[] = [];
+	for (const filePath of listNonTestProviderSourceFiles(providerRoot)) {
+		const content = readFileSync(filePath, "utf8");
+		const lines = content.split(/\r?\n/);
+		for (let index = 0; index < lines.length; index += 1) {
+			const line = lines[index];
+			if (line === undefined) continue;
+			for (const { rule, pattern } of SUBMIT_CHECK_BROWSER_PATTERNS) {
+				pattern.lastIndex = 0;
+				if (!pattern.test(line)) continue;
+				browserFindings.push(
+					`${rule} ${toRelativeProviderPath(providerRoot, filePath)}:${index + 1}`,
+				);
+				if (browserFindings.length >= maxManagedBrowserEvidence) break;
+			}
+			if (browserFindings.length >= maxManagedBrowserEvidence) break;
+		}
+		if (browserFindings.length >= maxManagedBrowserEvidence) break;
+	}
+
+	if (browserFindings.length > 0) {
+		return {
+			id: "managed-browser-runtime",
+			category: SDK_NATIVE_CATEGORY,
+			level: "warn",
+			status: "warn",
+			points: 0,
+			maxPoints: 0,
+			message:
+				"Provider source contains self-hosted browser/CDP patterns that APIFuse maintainers must review before promotion.",
+			remediation:
+				"Use ctx.browser backed by the managed CDP Pool. Do not launch Playwright/Puppeteer/Chrome, poll /json/version, or read provider-local *_CDP_URL env vars in provider runtime code.",
+			evidence: browserFindings.map(redact),
+		};
+	}
+
+	return pass(
+		"managed-browser-runtime",
+		SDK_NATIVE_CATEGORY,
+		"Provider source avoids self-hosted browser/CDP runtime patterns.",
+		0,
+	);
+}
+
 function scoreBaseChecks(results: CheckResult[]): SubmitCheck[] {
 	const failed = results.filter((result) => !result.passed);
 	if (failed.length > 0) {