@ibalzam/codejitsu-core 0.4.0 → 0.5.0

package/modules/audit/src/groups/forms.mjs

@@ -0,0 +1,112 @@
+import { pass, fail, warn, info, summarize } from '../util.mjs';
+
+export async function runForms(ctx) {
+  const { htmlFiles, config } = ctx;
+  const auditCfg = config.audit ?? {};
+  const formCfg = auditCfg.forms ?? {};
+  const results = [];
+
+  // Dedupe forms by a stable signature so a shared modal counted on 127 pages
+  // doesn't masquerade as "127 forms".
+  const seen = new Map(); // signature → { firstPage, action, method, occurrences, hasCaptcha, hasConsent, hasHoneypot, hasJsHook }
+  for (const f of htmlFiles) {
+    for (const m of f.content.matchAll(/<form([^>]*)>([\s\S]*?)<\/form>/gi)) {
+      const attrs = m[1];
+      const body = m[2];
+      const id = attrs.match(/\bid=["']([^"']+)["']/)?.[1];
+      const action = attrs.match(/\baction=["']([^"']*)["']/)?.[1] ?? null;
+      const method = attrs.match(/\bmethod=["']([^"']*)["']/)?.[1] ?? 'get';
+      // Signature ≈ id + action + first 200 chars of body. Stable across pages.
+      const signature = `${id ?? ''}|${action ?? ''}|${body.slice(0, 200)}`;
+
+      const hasCaptcha = /(?:recaptcha|hcaptcha|h-captcha|turnstile)/i.test(body) ||
+                         /(?:recaptcha|hcaptcha|h-captcha|turnstile)/i.test(f.content);
+      const hasConsent =
+        /<input[^>]+type=["']checkbox["'][^>]*(?:consent|terms|privacy|gdpr|casl|agree)/i.test(body);
+      const hasHoneypot =
+        /<input[^>]+name=["'](?:bot[-_]?field|honey|trap|website|url)["'][^>]+(?:hidden|display\s*:\s*none|visibility\s*:\s*hidden|aria-hidden=["']true)/i.test(body);
+      // Heuristic: page has form-submission JS hooks (addEventListener('submit'),
+      // emailjs/fetch/axios, or references to the form's id). False negatives
+      // (missing here) get caught by the manual review the audit prompts.
+      const jsHints = [
+        /addEventListener\(['"]submit['"]/,
+        /\.onsubmit\s*=/,
+        /emailjs\.(?:send|sendForm)/,
+        /netlify-forms|formspree|getform|web3forms/i,
+      ];
+      const hasJsHook =
+        jsHints.some((re) => re.test(f.content)) ||
+        (!!id && new RegExp(`['"\`]${id}['"\`]`).test(f.content));
+
+      if (seen.has(signature)) {
+        seen.get(signature).occurrences++;
+      } else {
+        seen.set(signature, {
+          firstPage: f.relPath,
+          id,
+          action,
+          method,
+          occurrences: 1,
+          hasCaptcha,
+          hasConsent,
+          hasHoneypot,
+          hasJsHook,
+        });
+      }
+    }
+  }
+
+  const forms = [...seen.values()];
+
+  if (forms.length === 0) {
+    results.push(info('No <form> elements found in built HTML'));
+    return results;
+  }
+
+  results.push(info(
+    `${forms.length} unique form${forms.length === 1 ? '' : 's'}`,
+    forms.map((x) => `${x.id ?? '(no id)'} on ${x.firstPage}${x.occurrences > 1 ? ` (×${x.occurrences})` : ''} → action: ${x.action ?? '(none)'}`)
+  ));
+
+  // Forms without action AND without a JS hook → likely broken.
+  const orphanForms = forms.filter((x) => !x.action && !x.hasJsHook);
+  results.push(
+    orphanForms.length === 0
+      ? pass('All forms have an action OR a JS submit handler')
+      : warn(
+          `${orphanForms.length} forms with no action and no JS hook`,
+          orphanForms.map((x) => `${x.firstPage}: id=${x.id ?? '(none)'}`)
+        )
+  );
+
+  // Spam protection (if required).
+  if (formCfg.requireSpamProtection !== false) {
+    const noProtection = forms.filter((x) => !x.hasCaptcha && !x.hasHoneypot);
+    results.push(
+      noProtection.length === 0
+        ? pass('All forms have spam protection (captcha or honeypot)')
+        : warn(
+            `${noProtection.length} forms without spam protection`,
+            noProtection.map((x) => `${x.firstPage}: id=${x.id ?? '(none)'}`)
+          )
+    );
+  }
+
+  // Consent (if required).
+  if (formCfg.requireConsent === true) {
+    const noConsent = forms.filter((x) => !x.hasConsent);
+    results.push(
+      noConsent.length === 0
+        ? pass('All forms have GDPR/CASL consent')
+        : fail(
+            `${noConsent.length} forms missing consent`,
+            noConsent.map((x) => `${x.firstPage}: id=${x.id ?? '(none)'}`)
+          )
+    );
+  } else {
+    const withConsent = forms.filter((x) => x.hasConsent).length;
+    results.push(info(`${withConsent}/${forms.length} forms have visible consent indicators`));
+  }
+
+  return results;
+}

package/modules/audit/src/groups/links.mjs

@@ -0,0 +1,58 @@
+import { pass, fail, warn, summarize, anchorHrefs, isExternal } from '../util.mjs';
+
+export async function runLinks(ctx) {
+  const { htmlFiles, config } = ctx;
+  const siteOrigin = config.site.url.replace(/\/$/, '');
+  const results = [];
+
+  // Internal links must end with `/` (trailing slash policy).
+  const missingSlash = [];
+  // External links must have target="_blank" + rel containing noopener.
+  const unsafeExternal = [];
+  // Stray dev/localhost references in production HTML.
+  const localhost = [];
+
+  for (const f of htmlFiles) {
+    for (const { href, full } of anchorHrefs(f.content)) {
+      // Ignore anchors-only, mailto, tel, javascript:
+      if (href.startsWith('#') || href.startsWith('mailto:') ||
+          href.startsWith('tel:') || href.startsWith('javascript:')) continue;
+
+      const external = isExternal(href, siteOrigin);
+
+      if (external) {
+        const hasBlank = /target=["']_blank["']/.test(full);
+        const hasNoopener = /rel=["'][^"']*noopener[^"']*["']/.test(full);
+        if (hasBlank && !hasNoopener) {
+          unsafeExternal.push(`${f.relPath}: ${href}`);
+        }
+      } else {
+        // Internal link. Strip query/hash; require trailing slash on the path.
+        const cleanPath = href.split('?')[0].split('#')[0];
+        if (cleanPath && cleanPath !== '/' && !cleanPath.endsWith('/') &&
+            !/\.(html?|xml|txt|webp|png|jpe?g|svg|pdf|json|js|css|ico|woff2?)$/i.test(cleanPath)) {
+          missingSlash.push(`${f.relPath}: ${href}`);
+        }
+      }
+
+      if (/localhost|127\.0\.0\.1|0\.0\.0\.0/.test(href)) {
+        localhost.push(`${f.relPath}: ${href}`);
+      }
+    }
+
+    // Also scan raw content for localhost references (CSS bg images, scripts).
+    if (/(?:src|href)=["'][^"']*(?:localhost|127\.0\.0\.1)/.test(f.content)) {
+      localhost.push(`${f.relPath}: (other ref)`);
+    }
+  }
+
+  results.push(summarize('All internal links end with /', dedupe(missingSlash)));
+  results.push(summarize('External links use rel="noopener noreferrer"', dedupe(unsafeExternal), 'warn'));
+  results.push(summarize('No localhost/dev URLs in production HTML', dedupe(localhost)));
+
+  return results;
+}
+
+function dedupe(arr) {
+  return Array.from(new Set(arr));
+}

package/modules/audit/src/groups/performance.mjs

@@ -0,0 +1,117 @@
+import { pass, fail, warn, info, summarize } from '../util.mjs';
+
+export async function runPerformance(ctx) {
+  const { htmlFiles, config } = ctx;
+  const auditCfg = config.audit ?? {};
+  const perfCfg = auditCfg.performance ?? {};
+  const results = [];
+
+  // Defaults — these are advisory thresholds, not standards.
+  const INLINE_SCRIPT_BUDGET = perfCfg.inlineScriptBudgetBytes ?? 200_000;
+  const INLINE_STYLE_BUDGET = perfCfg.inlineStyleBudgetBytes ?? 100_000;
+  const SCRIPT_TAG_BUDGET = perfCfg.scriptTagBudget ?? 15;
+
+  const imgsNoSize = [];
+  const imgsHaveLoadingEager = [];
+  const imgsBelowFoldNotLazy = [];
+  const oversizedScripts = [];
+  const oversizedStyles = [];
+  const tooManyScripts = [];
+  const noFontPreload = [];
+
+  for (const f of htmlFiles) {
+    // <img> dimensions for CLS
+    for (const m of f.content.matchAll(/<img[^>]*>/gi)) {
+      const tag = m[0];
+      const hasWidth = /\swidth=/.test(tag);
+      const hasHeight = /\sheight=/.test(tag);
+      if (!hasWidth || !hasHeight) {
+        const src = tag.match(/src=["']([^"']+)["']/)?.[1] ?? '?';
+        // Astro's <Image> auto-emits dimensions; raw <img> doesn't. We only
+        // flag if BOTH are missing.
+        if (!hasWidth && !hasHeight) imgsNoSize.push(`${f.relPath}: ${src}`);
+      }
+    }
+
+    // Lazy-loading heuristic: only the first <img> per page should be eager
+    // (the LCP candidate). Everything else should be loading="lazy".
+    const imgs = [...f.content.matchAll(/<img[^>]*>/gi)].map((m) => m[0]);
+    imgs.forEach((tag, idx) => {
+      const isLazy = /loading=["']lazy["']/.test(tag);
+      const isEager = /loading=["']eager["']/.test(tag);
+      const src = tag.match(/src=["']([^"']+)["']/)?.[1] ?? '?';
+
+      if (idx === 0) {
+        // First image is OK eager (it's likely the hero).
+        // If it's lazy, that hurts LCP — flag.
+        if (isLazy) imgsBelowFoldNotLazy.push(`${f.relPath}: first img is lazy (LCP risk): ${src}`);
+      } else {
+        // Subsequent images should be lazy.
+        if (!isLazy && !isEager) imgsBelowFoldNotLazy.push(`${f.relPath}: below-fold img not lazy: ${src}`);
+      }
+    });
+
+    // Inline <script> total size + count
+    let inlineScriptSize = 0;
+    let scriptTagCount = 0;
+    for (const m of f.content.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
+      scriptTagCount++;
+      inlineScriptSize += m[1].length;
+    }
+    // External scripts too
+    scriptTagCount += [...f.content.matchAll(/<script[^>]+src=["'][^"']+["'][^>]*>/gi)].length;
+
+    if (inlineScriptSize > INLINE_SCRIPT_BUDGET) {
+      oversizedScripts.push(`${f.relPath}: ${(inlineScriptSize / 1024).toFixed(1)} KB inline`);
+    }
+    if (scriptTagCount > SCRIPT_TAG_BUDGET) {
+      tooManyScripts.push(`${f.relPath}: ${scriptTagCount} <script> tags`);
+    }
+
+    // Inline <style> total size
+    let inlineStyleSize = 0;
+    for (const m of f.content.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)) {
+      inlineStyleSize += m[1].length;
+    }
+    if (inlineStyleSize > INLINE_STYLE_BUDGET) {
+      oversizedStyles.push(`${f.relPath}: ${(inlineStyleSize / 1024).toFixed(1)} KB inline`);
+    }
+
+    // Font preload (look for <link rel="preload" as="font">)
+    const hasFontPreload = /<link\s+rel=["']preload["'][^>]+as=["']font["']/.test(f.content);
+    if (!hasFontPreload) noFontPreload.push(f.relPath);
+  }
+
+  results.push(summarize('All <img> have width/height attrs (CLS)', dedupe(imgsNoSize), 'warn'));
+  results.push(summarize('Below-fold <img> use loading="lazy"', dedupe(imgsBelowFoldNotLazy), 'warn'));
+  results.push(summarize(
+    `Inline <script> ≤ ${(INLINE_SCRIPT_BUDGET / 1024).toFixed(0)} KB per page`,
+    dedupe(oversizedScripts),
+    'warn'
+  ));
+  results.push(summarize(
+    `Inline <style> ≤ ${(INLINE_STYLE_BUDGET / 1024).toFixed(0)} KB per page`,
+    dedupe(oversizedStyles),
+    'warn'
+  ));
+  results.push(summarize(
+    `≤ ${SCRIPT_TAG_BUDGET} <script> tags per page`,
+    dedupe(tooManyScripts),
+    'warn'
+  ));
+
+  // Font preload — high-value but easy to miss. Info only (don't fail).
+  if (noFontPreload.length === htmlFiles.length) {
+    results.push(info('No font preload found on any page', 'Consider <link rel="preload" as="font" type="font/woff2" crossorigin> for LCP gains.'));
+  } else if (noFontPreload.length > 0) {
+    results.push(info(`${noFontPreload.length}/${htmlFiles.length} pages without font preload`));
+  } else {
+    results.push(pass('Every page preloads at least one font'));
+  }
+
+  return results;
+}
+
+function dedupe(arr) {
+  return Array.from(new Set(arr)).slice(0, 20);
+}

package/modules/audit/src/groups/seo.mjs

@@ -0,0 +1,178 @@
+import { pass, fail, warn, info, summarize, getTitle, getMeta, getLinkHref } from '../util.mjs';
+
+// Required fields per common JSON-LD @type. Used by the schema-completeness check.
+const SCHEMA_REQUIRED = {
+  Organization:    ['name', 'url'],
+  LocalBusiness:   ['name', 'url', 'address', 'telephone'],
+  Service:         ['name', 'description', 'provider'],
+  BlogPosting:     ['headline', 'datePublished', 'author', 'publisher'],
+  Article:         ['headline', 'datePublished', 'author', 'publisher'],
+  FAQPage:         ['mainEntity'],
+  Product:         ['name', 'image', 'description', 'offers'],
+  Event:           ['name', 'startDate', 'location'],
+  WebSite:         ['name', 'url'],
+  WebPage:         ['name'],
+  BreadcrumbList:  ['itemListElement'],
+};
+
+const BOILERPLATE_DESC_RE = /^(welcome to|home of|the official|your one-?stop)/i;
+
+export async function runSeo(ctx) {
+  const { htmlFiles, config } = ctx;
+  const siteOrigin = config.site.url.replace(/\/$/, '');
+  const siteName = config.site.name;
+  const results = [];
+
+  const titles = new Map();
+  const descriptions = new Map();
+  const noTitle = [];
+  const titleTooLong = [];
+  const titleNoBrand = [];
+  const noDescription = [];
+  const descTooLong = [];
+  const descBoilerplate = [];
+  const noCanonical = [];
+  const wrongCanonicalDomain = [];
+  const canonicalNoTrailingSlash = [];
+  const noOg = [];
+  const noOgImage = [];
+  const noTwitter = [];
+  const noJsonLd = [];
+  const unsafeJsonLd = [];
+  const invalidJsonLd = [];
+  const incompleteSchemas = [];
+
+  for (const f of htmlFiles) {
+    // Title
+    const title = getTitle(f.content);
+    if (!title) noTitle.push(f.relPath);
+    else {
+      if (title.length > 60) titleTooLong.push(`${f.relPath} (${title.length} chars)`);
+      if (siteName && !title.toLowerCase().includes(siteName.toLowerCase())) {
+        // Skip the homepage and 404 — they sometimes omit brand intentionally.
+        if (f.relPath !== 'index.html' && f.relPath !== '404.html') {
+          titleNoBrand.push(`${f.relPath}: "${title.slice(0, 60)}"`);
+        }
+      }
+      (titles.get(title) ?? titles.set(title, []).get(title)).push(f.relPath);
+    }
+
+    // Description
+    const desc = getMeta(f.content, 'description');
+    if (!desc) noDescription.push(f.relPath);
+    else {
+      if (desc.length > 160) descTooLong.push(`${f.relPath} (${desc.length} chars)`);
+      if (BOILERPLATE_DESC_RE.test(desc)) {
+        descBoilerplate.push(`${f.relPath}: "${desc.slice(0, 60)}..."`);
+      }
+      (descriptions.get(desc) ?? descriptions.set(desc, []).get(desc)).push(f.relPath);
+    }
+
+    // Canonical
+    const canonical = getLinkHref(f.content, 'canonical');
+    if (!canonical) noCanonical.push(f.relPath);
+    else {
+      if (!canonical.startsWith(siteOrigin)) wrongCanonicalDomain.push(`${f.relPath}: ${canonical}`);
+      else if (!canonical.endsWith('/')) canonicalNoTrailingSlash.push(`${f.relPath}: ${canonical}`);
+    }
+
+    // OG / Twitter
+    if (!getMeta(f.content, 'og:title') || !getMeta(f.content, 'og:description') ||
+        !getMeta(f.content, 'og:url') || !getMeta(f.content, 'og:type')) {
+      noOg.push(f.relPath);
+    }
+    if (!getMeta(f.content, 'og:image')) noOgImage.push(f.relPath);
+    if (!getMeta(f.content, 'twitter:card')) noTwitter.push(f.relPath);
+
+    // JSON-LD
+    const blocks = [...f.content.matchAll(/<script[^>]*application\/ld\+json[^>]*>([\s\S]*?)<\/script>/gi)];
+    if (blocks.length === 0) {
+      noJsonLd.push(f.relPath);
+    } else {
+      for (const m of blocks) {
+        if (/<\/[a-z]/i.test(m[1])) unsafeJsonLd.push(`${f.relPath} (unescaped </ )`);
+        let parsed;
+        try { parsed = JSON.parse(m[1]); } catch {
+          invalidJsonLd.push(`${f.relPath} (invalid JSON)`);
+          continue;
+        }
+        const types = collectTypes(parsed);
+        for (const type of types) {
+          const required = SCHEMA_REQUIRED[type];
+          if (!required) continue;
+          const missing = required.filter((k) => !hasField(parsed, k, type));
+          if (missing.length > 0) {
+            incompleteSchemas.push(`${f.relPath}: ${type} missing ${missing.join(', ')}`);
+          }
+        }
+      }
+    }
+  }
+
+  results.push(summarize('Every page has <title>', noTitle));
+  results.push(summarize('Titles ≤ 60 chars', titleTooLong, 'warn'));
+  if (siteName) results.push(summarize('Titles include brand name', titleNoBrand, 'warn'));
+  results.push(summarize('Every page has <meta description>', noDescription));
+  results.push(summarize('Descriptions ≤ 160 chars', descTooLong, 'warn'));
+  results.push(summarize('Descriptions don\'t start with boilerplate ("Welcome to...")', descBoilerplate, 'warn'));
+  results.push(summarize('Every page has canonical', noCanonical));
+  results.push(summarize('Canonical URLs use site domain', wrongCanonicalDomain));
+  results.push(summarize('Canonical URLs have trailing slash', canonicalNoTrailingSlash));
+  results.push(summarize('Every page has OG title/description/url/type', noOg));
+  results.push(summarize('Every page has og:image', noOgImage, 'warn'));
+  results.push(summarize('Every page has Twitter card', noTwitter, 'warn'));
+  results.push(summarize('Every page has JSON-LD schema', noJsonLd));
+  results.push(summarize('JSON-LD escapes </ safely', unsafeJsonLd));
+  results.push(summarize('JSON-LD is valid JSON', invalidJsonLd));
+  results.push(summarize('JSON-LD has required fields per @type', incompleteSchemas, 'warn'));
+
+  const dupTitles = [...titles.entries()].filter(([, ps]) => ps.length > 1);
+  results.push(
+    dupTitles.length === 0
+      ? pass('Page titles are unique')
+      : warn(`${dupTitles.length} duplicate titles`,
+          dupTitles.slice(0, 5).map(([t, ps]) => `"${t.slice(0, 50)}..." → ${ps.length} pages`))
+  );
+
+  const dupDesc = [...descriptions.entries()].filter(([, ps]) => ps.length > 1);
+  results.push(
+    dupDesc.length === 0
+      ? pass('Page descriptions are unique')
+      : warn(`${dupDesc.length} duplicate descriptions`,
+          dupDesc.slice(0, 5).map(([d, ps]) => `"${d.slice(0, 50)}..." → ${ps.length} pages`))
+  );
+
+  return results;
+}
+
+/** Walk a (possibly nested or arrayed) JSON-LD object and collect every @type. */
+function collectTypes(obj) {
+  const types = new Set();
+  function walk(node) {
+    if (!node || typeof node !== 'object') return;
+    if (Array.isArray(node)) { node.forEach(walk); return; }
+    if (typeof node['@type'] === 'string') types.add(node['@type']);
+    if (Array.isArray(node['@type'])) node['@type'].forEach((t) => types.add(t));
+    for (const v of Object.values(node)) walk(v);
+  }
+  walk(obj);
+  return types;
+}
+
+/** Does the JSON-LD object (anywhere in its tree) have field `key` set, for the given @type? */
+function hasField(obj, key, type) {
+  let found = false;
+  function walk(node) {
+    if (found || !node || typeof node !== 'object') return;
+    if (Array.isArray(node)) { node.forEach(walk); return; }
+    const t = node['@type'];
+    const matches = t === type || (Array.isArray(t) && t.includes(type));
+    if (matches && node[key] !== undefined && node[key] !== null && node[key] !== '') {
+      found = true;
+      return;
+    }
+    for (const v of Object.values(node)) walk(v);
+  }
+  walk(obj);
+  return found;
+}

package/modules/audit/src/groups/structure.mjs

@@ -0,0 +1,105 @@
+import fs from 'fs';
+import path from 'path';
+import { pass, fail, warn, info } from '../util.mjs';
+
+export async function runStructure(ctx) {
+  const { cwd, distDir, htmlFiles, enabled } = ctx;
+  const results = [];
+
+  results.push(info(`${htmlFiles.length} HTML pages built`));
+
+  const hasSitemap =
+    fs.existsSync(path.join(distDir, 'sitemap-index.xml')) ||
+    fs.existsSync(path.join(distDir, 'sitemap-0.xml'));
+  results.push(hasSitemap ? pass('Sitemap present') : fail('Sitemap missing in dist/'));
+
+  const robotsPath = path.join(distDir, 'robots.txt');
+  if (!fs.existsSync(robotsPath)) {
+    results.push(fail('robots.txt missing'));
+  } else {
+    results.push(pass('robots.txt present'));
+    const robots = fs.readFileSync(robotsPath, 'utf8');
+    results.push(
+      /Sitemap:\s*https?:\/\//i.test(robots)
+        ? pass('robots.txt references sitemap')
+        : warn('robots.txt does not reference sitemap')
+    );
+  }
+
+  results.push(
+    fs.existsSync(path.join(distDir, '404.html'))
+      ? pass('Custom 404 page (dist/404.html)')
+      : warn('No custom 404 page (dist/404.html)')
+  );
+
+  if (enabled.llms) {
+    results.push(
+      fs.existsSync(path.join(distDir, 'llms.txt'))
+        ? pass('llms.txt present')
+        : warn('llms.txt missing (llms module is enabled)')
+    );
+    results.push(
+      fs.existsSync(path.join(distDir, 'llms-full.txt'))
+        ? pass('llms-full.txt present')
+        : warn('llms-full.txt missing (llms module is enabled)')
+    );
+  }
+
+  if (enabled.deploy) {
+    results.push(
+      fs.existsSync(path.join(cwd, 'wrangler.toml'))
+        ? pass('wrangler.toml at site root')
+        : fail('wrangler.toml missing')
+    );
+    results.push(
+      fs.existsSync(path.join(cwd, '.github/workflows/daily-deploy.yml'))
+        ? pass('Daily deploy workflow present')
+        : warn('No .github/workflows/daily-deploy.yml')
+    );
+  }
+
+  // Astro config sanity + trailing-slash plugin agreement
+  const astroCfgPath =
+    fs.existsSync(path.join(cwd, 'astro.config.ts'))
+      ? path.join(cwd, 'astro.config.ts')
+      : fs.existsSync(path.join(cwd, 'astro.config.mjs'))
+        ? path.join(cwd, 'astro.config.mjs')
+        : null;
+  if (astroCfgPath) {
+    const astroCfg = fs.readFileSync(astroCfgPath, 'utf8');
+
+    const trailingSlashAlways = /trailingSlash:\s*['"]always['"]/.test(astroCfg);
+    results.push(
+      trailingSlashAlways
+        ? pass("astro.config: trailingSlash: 'always'")
+        : fail("astro.config missing trailingSlash: 'always'")
+    );
+
+    results.push(
+      /output:\s*['"]static['"]/.test(astroCfg)
+        ? pass("astro.config: output: 'static'")
+        : fail("astro.config missing output: 'static'")
+    );
+
+    // Trailing-slash plugin: if astro.config enforces 'always', the rehype
+    // plugin should also be wired so markdown hrefs get auto-fixed. The audit
+    // catches violations either way, but the plugin prevents them entering dist/.
+    if (trailingSlashAlways) {
+      const hasPlugin =
+        /@ibalzam\/codejitsu-core\/rehype\/trailing-slash/.test(astroCfg) ||
+        /rehype.*[Tt]railing[Ss]lash/.test(astroCfg);
+      results.push(
+        hasPlugin
+          ? pass('rehype/trailing-slash plugin wired into markdown')
+          : info(
+              'No trailing-slash rehype plugin detected',
+              'Add @ibalzam/codejitsu-core/rehype/trailing-slash to astro.config markdown.rehypePlugins to auto-fix /foo → /foo/ in markdown.'
+            )
+      );
+    }
+  } else {
+    results.push(fail('astro.config.{ts,mjs} missing'));
+  }
+
+  return results;
+}