jhste-skills 0.1.2 → 0.1.3

package/cli/deep-scan/analyze.mjs

@@ -70,63 +70,6 @@ function addSharedScannerCandidates(file, text, findings, thresholds) {
   }
 }
 
-function hasUseClientDirective(text) {
-  return /^\s*(?:"use client"|'use client')\s*;?/u.test(text);
-}
-
-function isScriptPipeline(file) {
-  return /(^|\/)scripts\/(data|ops|import|imports|backfill|repair|migrate|migration)\//.test(file.rel)
-    && /\.(ts|tsx|js|jsx|mjs|cjs|py)$/.test(file.rel);
-}
-
-function matchedResponsibilityHints(text, hintGroups) {
-  return hintGroups
-    .filter((group) => group.patterns.some((pattern) => pattern.test(text)))
-    .map((group) => group.label);
-}
-
-function scanMixedResponsibilities(file, text, findings) {
-  if (hasUseClientDirective(text)) {
-    const hints = matchedResponsibilityHints(text, [
-      { label: 'browser storage', patterns: [/\b(localStorage|sessionStorage)\b/] },
-      { label: 'network/API', patterns: [/\bfetch\s*\(/, /\baxios\./, /\buse(Query|Mutation)\s*\(/] },
-      { label: 'toast/notification', patterns: [/\btoast\b/, /\bnotify\b/] },
-      { label: 'modal/dialog state', patterns: [/\b(Dialog|Modal|Sheet)\b/, /\bopen[A-Z]\w*\b/, /\bis[A-Z]\w*Open\b/] },
-      { label: 'route navigation', patterns: [/\buseRouter\s*\(/, /\brouter\.(push|replace|refresh)\b/] },
-      { label: 'heavy mapping', patterns: [/\.(map|filter|reduce)\s*\(/] },
-    ]);
-    if (hints.length >= 3) {
-      candidate(findings.responsibilityBudget, 'mixed client responsibility candidate', file, 1, `client module mixes ${hints.slice(0, 4).join(', ')}; review hook/adapter/presentation split`, 'warning');
-    }
-  }
-
-  const routeLike = /(^|\/)(api|routes?|controllers?|pages\/api)\//i.test(file.rel) || /route\.(ts|js)$/.test(file.rel);
-  if (routeLike) {
-    const hints = matchedResponsibilityHints(text, [
-      { label: 'auth/session', patterns: [/\b(auth|session|permission|currentUser|getUser)\b/i] },
-      { label: 'validation', patterns: [/\b(z\.object|safeParse|parseAsync|validate|schema)\b/] },
-      { label: 'database', patterns: [/\b(prisma|pool\.query|client\.query|SELECT|INSERT|UPDATE|DELETE|db\.)\b/i] },
-      { label: 'response formatting', patterns: [/\b(Response\.json|NextResponse\.json|res\.json)\b/] },
-    ]);
-    if (hints.length >= 3) {
-      candidate(findings.responsibilityBudget, 'mixed route responsibility candidate', file, 1, `route/controller mixes ${hints.join(', ')}; review route/service/repository/response split`, 'warning');
-    }
-  }
-
-  if (isScriptPipeline(file)) {
-    const hints = matchedResponsibilityHints(text, [
-      { label: 'CLI parsing', patterns: [/\b(process\.argv|argparse|ArgumentParser|commander)\b/] },
-      { label: 'file IO', patterns: [/\b(readFile|writeFile|open\(|Path\(|fs\.)\b/] },
-      { label: 'data transform', patterns: [/\.(map|filter|reduce)\s*\(/, /\bjson\.loads\b/i, /\bJSON\.parse\b/] },
-      { label: 'persistence/network', patterns: [/\b(fetch|pool\.query|client\.query|INSERT|UPDATE|DELETE|requests\.)\b/i] },
-      { label: 'reporting', patterns: [/\b(console\.|print\(|logger\.)\b/] },
-    ]);
-    if (hints.length >= 4) {
-      candidate(findings.responsibilityBudget, 'mixed script responsibility candidate', file, 1, `script mixes ${hints.join(', ')}; review CLI/loader/transform/persist/report seams`, 'warning');
-    }
-  }
-}
-
 function newFindingsBag() {
   return {
     largeFiles: [],
@@ -157,7 +100,6 @@ export function scanFiles(files, thresholds) {
     try {
       const text = fs.readFileSync(file.full, 'utf8');
       addSharedScannerCandidates(file, text, findings, thresholds);
-      scanMixedResponsibilities(file, text, findings);
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       candidate(findings.scanWarnings, 'scan warning', file, 1, `file could not be scanned and was omitted from rule candidates: ${message}`, 'warning');

package/cli/guard/registry.mjs

@@ -18,6 +18,9 @@ export const FINDING_METADATA = {
   'responsibility.route.budget': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
   'responsibility.script.budget': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
   'responsibility.python_orchestrator.budget': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
+  'responsibility.client.mixed': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
+  'responsibility.route.mixed': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
+  'responsibility.script.mixed': { family: 'responsibility_budget', pack: 'core', scanner: 'scanResponsibilityBudget' },
   'srp.function.length': { family: 'single_responsibility_advisory', pack: 'core', scanner: 'scanSingleResponsibility' },
   'srp.function.mixed_responsibility': { family: 'single_responsibility_advisory', pack: 'core', scanner: 'scanSingleResponsibility' },
   'srp.module.mixed_exports': { family: 'single_responsibility_advisory', pack: 'core', scanner: 'scanSingleResponsibility' },

package/cli/guard/reporting.mjs

@@ -66,7 +66,7 @@ function guidanceForFinding(item) {
   if (family === 'single_responsibility_advisory') {
     return {
       means: 'This class, module, or function may have more than one reason to change. The finding is heuristic and should be reviewed, not treated as proof.',
-      next: 'Name the one main responsibility, then move only independently changing work behind a real seam; avoid extracting shallow pass-through wrappers.',
+      next: 'Name the one main responsibility, then move only independently changing work behind a real seam; keep always-cochanging contract pieces together and avoid shallow pass-through wrappers.',
     };
   }
   if (family === 'external_input_validation') {

package/cli/guard/scanners/code-health.mjs

@@ -1,6 +1,8 @@
 import path from 'node:path';
 import {
   hasUseClientDirective,
+  isRouteLikePath,
+  isScriptPipelinePath,
   isSourceCodePath,
   lineAt,
   violation,
@@ -119,6 +121,42 @@ export function scanFileSizeAdvisory(relPath, text, settings) {
   return [];
 }
 
+function matchedResponsibilityHints(text, hintGroups) {
+  return hintGroups
+    .filter((group) => group.patterns.some((pattern) => pattern.test(text)))
+    .map((group) => group.label);
+}
+
+function mixedClientResponsibilityHints(text) {
+  return matchedResponsibilityHints(text, [
+    { label: 'browser storage', patterns: [/\b(localStorage|sessionStorage)\b/] },
+    { label: 'network/API', patterns: [/\bfetch\s*\(/, /\baxios\./, /\buse(Query|Mutation)\s*\(/] },
+    { label: 'toast/notification', patterns: [/\btoast\b/, /\bnotify\b/] },
+    { label: 'modal/dialog state', patterns: [/\b(Dialog|Modal|Sheet)\b/, /\bopen[A-Z]\w*\b/, /\bis[A-Z]\w*Open\b/] },
+    { label: 'route navigation', patterns: [/\buseRouter\s*\(/, /\brouter\.(push|replace|refresh)\b/] },
+    { label: 'heavy mapping', patterns: [/\.(map|filter|reduce)\s*\(/] },
+  ]);
+}
+
+function mixedRouteResponsibilityHints(text) {
+  return matchedResponsibilityHints(text, [
+    { label: 'auth/session', patterns: [/\b(auth|session|permission|currentUser|getUser)\b/i] },
+    { label: 'validation', patterns: [/\b(z\.object|safeParse|parseAsync|validate|schema)\b/] },
+    { label: 'database', patterns: [/\b(prisma|pool\.query|client\.query|SELECT|INSERT|UPDATE|DELETE|db\.)\b/i] },
+    { label: 'response formatting', patterns: [/\b(Response\.json|NextResponse\.json|res\.json)\b/] },
+  ]);
+}
+
+function mixedScriptResponsibilityHints(text) {
+  return matchedResponsibilityHints(text, [
+    { label: 'CLI parsing', patterns: [/\b(process\.argv|argparse|ArgumentParser|commander)\b/] },
+    { label: 'file IO', patterns: [/\b(readFile|writeFile|open\(|Path\(|fs\.)\b/] },
+    { label: 'data transform', patterns: [/\.(map|filter|reduce)\s*\(/, /\bjson\.loads\b/i, /\bJSON\.parse\b/] },
+    { label: 'persistence/network', patterns: [/\b(fetch|pool\.query|client\.query|INSERT|UPDATE|DELETE|requests\.)\b/i] },
+    { label: 'reporting', patterns: [/\b(console\.|print\(|logger\.)\b/] },
+  ]);
+}
+
 export function scanResponsibilityBudget(relPath, text, settings) {
   const ext = path.extname(relPath).toLowerCase();
   if (!['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py'].includes(ext)) return [];
@@ -131,17 +169,35 @@ export function scanResponsibilityBudget(relPath, text, settings) {
   if (hasUseClientDirective(text) && lineCount > settings.client_module_review_lines) {
     out.push(violation({ ruleId: 'responsibility.client.budget', severity: 'warning', relPath, symbol: 'use-client', message: `${lineCount} lines in client module; review hook/adapter/presentation split.`, confidence: 'medium' }));
   }
-  const routeLike = /(^|\/)(api|routes?|controllers?|pages\/api)\//i.test(relPath) || /route\.(ts|js)$/.test(relPath);
+  const routeLike = isRouteLikePath(relPath);
   if (routeLike && lineCount >= settings.route_review_lines) {
     out.push(violation({ ruleId: 'responsibility.route.budget', severity: 'warning', relPath, symbol: 'route', message: `${lineCount} lines in route/controller-like file; review auth/validation/service/response seams.`, confidence: 'medium' }));
   }
-  const scriptPipeline = /(^|\/)scripts\/(data|ops|import|imports|backfill|repair|migrate|migration)\//.test(relPath);
+  const scriptPipeline = isScriptPipelinePath(relPath);
   if (scriptPipeline && lineCount >= settings.import_ops_script_review_lines) {
     out.push(violation({ ruleId: 'responsibility.script.budget', severity: 'warning', relPath, symbol: 'script-pipeline', message: `${lineCount} lines in import/ops-style script; review CLI/loader/transform/persist/report seams.`, confidence: 'medium' }));
   }
   if (ext === '.py' && /(^|\/)(main|.*orchestrator|.*runner|stage_runner)\.py$/.test(relPath) && lineCount >= settings.python_orchestrator_review_lines) {
     out.push(violation({ ruleId: 'responsibility.python_orchestrator.budget', severity: 'warning', relPath, symbol: 'python-orchestrator', message: `${lineCount} lines in Python orchestrator/runner; review policy/IO/runtime/notification/result seams.`, confidence: 'medium' }));
   }
+  if (hasUseClientDirective(text)) {
+    const hints = mixedClientResponsibilityHints(text);
+    if (hints.length >= 3) {
+      out.push(violation({ ruleId: 'responsibility.client.mixed', severity: 'warning', relPath, symbol: 'use-client-mixed', message: `client module mixes ${hints.slice(0, 4).join(', ')}; review hook/adapter/presentation split.`, confidence: 'low' }));
+    }
+  }
+  if (routeLike) {
+    const hints = mixedRouteResponsibilityHints(text);
+    if (hints.length >= 3) {
+      out.push(violation({ ruleId: 'responsibility.route.mixed', severity: 'warning', relPath, symbol: 'route-mixed', message: `route/controller mixes ${hints.join(', ')}; review route/service/repository/response split.`, confidence: 'low' }));
+    }
+  }
+  if (scriptPipeline) {
+    const hints = mixedScriptResponsibilityHints(text);
+    if (hints.length >= 4) {
+      out.push(violation({ ruleId: 'responsibility.script.mixed', severity: 'warning', relPath, symbol: 'script-pipeline-mixed', message: `script mixes ${hints.join(', ')}; review CLI/loader/transform/persist/report seams.`, confidence: 'low' }));
+    }
+  }
   return out;
 }
 

package/cli/guard/scanners/single-responsibility.mjs

@@ -12,11 +12,14 @@ const RESPONSIBILITY_HINTS = [
   { label: 'validation', patterns: [/\b(validate|validator|safeParse|parseAsync|schema|assert|parseEnv|errors\.push)\b/i] },
   { label: 'filesystem IO', patterns: [/\b(fs\.|readFile|writeFile|mkdir|rmSync|cpSync|readdirSync)\b/i] },
   { label: 'process/git/network IO', patterns: [/\b(spawnSync|execFileSync|fetch\(|axios\.|git\(|git\s+-C)\b/i] },
-  { label: 'persistence', patterns: [/\b(prisma|pool\.query|client\.query|db\.|INSERT\s+INTO|UPDATE\s+\w|DELETE\s+FROM|SELECT\s+.+\s+FROM)\b/i] },
+  { label: 'persistence', patterns: [/\b(prisma|pool\.query|client\.query|db\.|INSERT\s+INTO|UPDATE\s+\w|DELETE\s+FROM|SELECT\s+.+\s+FROM)\b/i, /\b\w*(Repository|Repo|Store)\.(find|findMany|save|create|insert|update|delete|upsert|query|persist)\w*\s*\(/i] },
   { label: 'rendering/reporting', patterns: [/\b(console\.|Response\.json|NextResponse\.json|res\.json|render|markdown|tableRows|print|logger\.)\b/i] },
   { label: 'prompting', patterns: [/\b(ask\(|readline|question\(|prompt)\b/i] },
   { label: 'data transformation', patterns: [/\btransform|serialize|deserialize\b/i] },
   { label: 'time/crypto policy', patterns: [/\b(Date\.now|new Date\(|crypto\.|randomUUID|createHash)\b/i] },
+  { label: 'notification/email side effect', patterns: [/\b\w*(Email|Mail|Notification|Notifier)\w*\.(send|deliver|notify|enqueue|publish)\w*\s*\(/i, /\b(sendEmail|sendMail|sendWelcome|notifyUser)\w*\s*\(/i] },
+  { label: 'billing/payment side effect', patterns: [/\b\w*(Payment|Billing|Invoice|Subscription|Stripe)\w*\.(create|charge|capture|refund|update|cancel)\w*\s*\(/i] },
+  { label: 'event/queue side effect', patterns: [/\b(eventBus|queue|publisher|producer)\.(publish|send|enqueue|emit)\w*\s*\(/i] },
 ];
 
 const EXPORT_NAME_FAMILIES = [
@@ -56,6 +59,45 @@ function functionDeclarations(text) {
   return out;
 }
 
+const CONTROL_FLOW_NAMES = new Set(['if', 'for', 'while', 'switch', 'catch', 'function']);
+
+function braceDepthBetween(text, start, end) {
+  let depth = 0;
+  for (let index = start; index < end; index += 1) {
+    if (text[index] === '{') depth += 1;
+    if (text[index] === '}') depth -= 1;
+  }
+  return depth;
+}
+
+function classMethodDeclarations(text) {
+  const classPattern = /(?:^|\n)[ \t]*(?:export\s+)?(?:default\s+)?(?:abstract\s+)?class\s+([A-Za-z_$][\w$]*)[^{]*\{/gu;
+  const methodPattern = /(?:^|\n)([ \t]*(?:(?:public|private|protected|static|override|abstract|async|get|set)\s+)*([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*(?::[^{;\n]+)?\s*\{)/gu;
+  const out = [];
+  for (const classMatch of text.matchAll(classPattern)) {
+    const className = classMatch[1] || 'AnonymousClass';
+    const classStart = (classMatch.index || 0) + (classMatch[0].startsWith('\n') ? 1 : 0);
+    const classOpen = text.indexOf('{', classStart);
+    if (classOpen === -1) continue;
+    const classEnd = matchingBraceIndex(text, classOpen);
+    if (classEnd === -1) continue;
+    const classBodyStart = classOpen + 1;
+    const classBody = text.slice(classBodyStart, classEnd);
+    for (const methodMatch of classBody.matchAll(methodPattern)) {
+      const methodName = methodMatch[2] || 'anonymous';
+      if (CONTROL_FLOW_NAMES.has(methodName)) continue;
+      const relativeStart = (methodMatch.index || 0) + (methodMatch[0].startsWith('\n') ? 1 : 0);
+      const start = classBodyStart + relativeStart;
+      if (braceDepthBetween(text, classOpen, start) !== 1) continue;
+      const openBrace = classBodyStart + (methodMatch.index || 0) + methodMatch[0].lastIndexOf('{');
+      const end = matchingBraceIndex(text, openBrace);
+      if (end === -1 || end > classEnd) continue;
+      out.push({ name: `${className}.${methodName}`, start, end, body: text.slice(start, end + 1) });
+    }
+  }
+  return out;
+}
+
 function matchingBraceIndex(text, openBrace) {
   let depth = 0;
   let quote = '';
@@ -111,7 +153,8 @@ function pythonFunctionDeclarations(text) {
 }
 
 function declarationsForPath(relPath, text) {
-  return relPath.endsWith('.py') ? pythonFunctionDeclarations(text) : functionDeclarations(text);
+  if (relPath.endsWith('.py')) return pythonFunctionDeclarations(text);
+  return [...functionDeclarations(text), ...classMethodDeclarations(text)].sort((left, right) => left.start - right.start);
 }
 
 function exportedCallableNames(text) {

package/docs/ACCEPTANCE_CHECK.md

@@ -54,3 +54,9 @@ Record actual command output in release notes before publishing a release.
 Release gates include dependency-free syntax checking, a first-run `install -> deep-scan -> tune --yes -> guard` smoke flow, `npm pack --dry-run` contents checks, and packed-tarball bin execution in a fresh temp consumer. These gates are not part of commit-time hooks.
 
 - Verify `sync`/`update` migrates older managed vendored renames without leaving duplicate directories, including `diagnose` → `diagnosing-bugs`.
+
+## npm trusted publishing
+
+Package publishing is handled by `.github/workflows/publish-npm.yml` on `v*.*.*` tags using GitHub Actions OIDC trusted publishing. The workflow grants `id-token: write`, runs `npm test`, and publishes with provenance, so it does not require a long-lived npm token, local `npm adduser`, or OAuth login in the release shell.
+
+Before cutting a tag, confirm the npm package's trusted publisher settings match this repository and workflow file exactly: GitHub owner/repo `jhste102lab/jhste-skills`, workflow `publish-npm.yml`, and no environment unless one is added to the workflow.

package/docs/RULES.md

@@ -89,6 +89,8 @@ The rule should be used with `advisory`, `changed-files`, or `baseline-new-only`
 
 `single_responsibility_advisory` is a heuristic review signal for changed classes, modules, and functions. It looks for long functions, functions that appear to mix several concern categories, and modules whose exports look like unrelated helper families. Treat findings as prompts to name one main responsibility and one reason to change; do not extract pass-through wrappers just to silence the warning. The rule remains advisory by default, but repositories can opt into changed-file blocking by setting the rule mode and `guard.fail_on: warning`.
 
+SRP is not a "one function per file" or "smallest possible file" rule. A split is useful when the separated code has an independent reason to change, an understandable file-level responsibility, and a natural behavior or side-effect seam to test. If type definitions, select aliases, mappers, constants, or tiny wrappers always change together and force readers to chase several files to understand one contract, prefer a cohesive contract module instead. The built-in scanner only emits low-confidence static candidates; co-change history, call graphs, and reader navigation cost still require human review.
+
 ## Restricted profile format
 
 `.jhste/profile.yaml` uses a documented restricted YAML-like contract rather than arbitrary YAML. Supported operational sections are `mode`, `packs.<id>.mode`, `rules.<id>.mode`, file-size/responsibility/single-responsibility threshold keys, `baseline.enabled`, `baseline.path`, `guard.default_scope`, `guard.default_format`, `guard.fail_on`, `guard.exit_codes`, and `commands` with `cmd`/`args` or legacy `run`. Unknown pack ids, rule ids, guard keys, baseline keys, command keys, duplicate operational sections, and invalid numeric thresholds are config failures with exit `3`. Documentation-only metadata sections such as `recommendations`, `adapters`, `deep_scan`, `workflow`, and `strict` do not affect guard runtime settings.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jhste-skills",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Installable engineering guardrails and workflow skills for AI coding agents.",
   "type": "module",
   "license": "MIT",
@@ -33,7 +33,7 @@
     "LICENSE"
   ],
   "scripts": {
-    "test": "npm run syntax:check && npm run docs:check && npm run vendor:check && npm run public-safety:check && npm run public-safety-fixtures:test && npm run profile-fixtures:test && npm run guard-fixtures:test && npm run single-responsibility-fixtures:test && npm run smoke:test && npm run release:gates",
+    "test": "npm run syntax:check && npm run docs:check && npm run vendor:check && npm run public-safety:check && npm run public-safety-fixtures:test && npm run profile-fixtures:test && npm run guard-fixtures:test && npm run responsibility-budget-fixtures:test && npm run single-responsibility-fixtures:test && npm run smoke:test && npm run release:gates",
     "syntax:check": "node scripts/syntax-check.mjs",
     "docs:check": "node scripts/docs-check.mjs",
     "vendor:check": "node scripts/vendor-check.mjs",
@@ -41,6 +41,7 @@
     "public-safety-fixtures:test": "node scripts/public-safety-fixtures-test.mjs",
     "profile-fixtures:test": "node scripts/profile-fixtures-test.mjs",
     "guard-fixtures:test": "node scripts/guard-fixtures-test.mjs",
+    "responsibility-budget-fixtures:test": "node scripts/responsibility-budget-fixtures-test.mjs",
     "single-responsibility-fixtures:test": "node scripts/single-responsibility-fixtures-test.mjs",
     "smoke:test": "node scripts/smoke-test.mjs",
     "release:gates": "node scripts/release-gates-test.mjs"

package/rules/core/responsibility_budget.yaml

@@ -35,6 +35,9 @@ implementation:
       - responsibility.route.budget
       - responsibility.script.budget
       - responsibility.python_orchestrator.budget
+      - responsibility.client.mixed
+      - responsibility.route.mixed
+      - responsibility.script.mixed
 recommendation:
   changed_files: true
   baseline_supported: true

package/rules/core/single_responsibility_advisory.yaml

@@ -31,5 +31,5 @@ recommendation:
   baseline_supported: true
   default_enforcement: review_only
 public_safe_examples:
-  bad: Keep adding parsing, validation, filesystem IO, prompting, transformation, persistence, and reporting to one function or shared utility bucket.
-  good: Name the changed module or function's one responsibility, keep cohesive implementation inside deep modules, and extract only when a real seam improves locality.
+  bad: Keep adding parsing, validation, filesystem IO, prompting, transformation, persistence, and reporting to one function or split every type, select alias, mapper, and tiny wrapper into separate files that always change together.
+  good: Name the changed module or function's one responsibility and one independent reason to change; keep cohesive contracts together inside deep modules, and extract only when a real tested seam improves locality.

package/scripts/responsibility-budget-fixtures-test.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+import path from 'node:path';
+import {
+  fail,
+  guardJson,
+  hasRule,
+  makeRepo,
+  write,
+} from './guard-fixtures/helpers.mjs';
+
+{
+  const repo = makeRepo('responsibility-mixed');
+  write(path.join(repo, 'src/components/EventPanel.tsx'), `"use client";
+export function EventPanel() {
+  const cached = localStorage.getItem('event');
+  fetch('/api/events');
+  toast.success(cached);
+  return <Dialog open={true} />;
+}
+`);
+  write(path.join(repo, 'src/app/api/events/route.ts'), `const schema = { safeParse(value) { return { success: true, data: value }; } };
+export async function POST(request) {
+  const user = await requireUser();
+  const body = schema.safeParse(await request.json());
+  const rows = await prisma.event.findMany({ where: { userId: user.id } });
+  return Response.json({ body, rows });
+}
+`);
+  write(path.join(repo, 'scripts/import/events.ts'), `import fs from 'node:fs';
+export async function main() {
+  const file = process.argv[2];
+  const rows = JSON.parse(fs.readFileSync(file, 'utf8')).map((row) => row.id);
+  await fetch('https://example.test/events');
+  console.log(rows.length);
+}
+`);
+  const result = guardJson(repo);
+  if (!hasRule(result, 'responsibility.client.mixed', 'EventPanel.tsx')) fail('mixed client responsibility was not reported by guard');
+  if (!hasRule(result, 'responsibility.route.mixed', 'events/route.ts')) fail('mixed route responsibility was not reported by guard');
+  if (!hasRule(result, 'responsibility.script.mixed', 'scripts/import/events.ts')) fail('mixed script responsibility was not reported by guard');
+  for (const ruleId of ['responsibility.client.mixed', 'responsibility.route.mixed', 'responsibility.script.mixed']) {
+    const item = result.violations.find((violation) => violation.rule_id === ruleId);
+    if (item.confidence !== 'low' || item.severity !== 'warning') fail(`${ruleId} should be low-confidence warning`);
+  }
+}
+
+console.log('responsibility-budget-fixtures-test passed: mixed responsibility candidates verified.');

package/scripts/single-responsibility-fixtures-test.mjs

@@ -61,6 +61,23 @@ export function importRows(argv) {
   if (item.confidence !== 'low' || item.severity !== 'warning') fail('mixed function SRP candidate should be low-confidence warning');
 }
 
+{
+  const repo = makeRepo('class-method-mixed');
+  write(path.join(repo, 'src/UserService.ts'), `export class UserService {
+  async register(input) {
+    const user = await userRepository.save(input);
+    await emailService.sendWelcome(user.email);
+    await paymentClient.createCustomer(user.id);
+    return user;
+  }
+}
+`);
+  const result = guardJson(repo);
+  const item = result.violations.find((violation) => violation.rule_id === 'srp.function.mixed_responsibility' && violation.symbol === 'UserService.register');
+  if (!item) fail('mixed class method SRP candidate was not reported');
+  if (item.confidence !== 'low' || item.severity !== 'warning') fail('mixed class method SRP candidate should be low-confidence warning');
+}
+
 {
   const repo = makeRepo('module-exports');
   write(path.join(repo, 'src/shared.ts'), `export function parseArgs() { return {}; }

package/skills/jhste-architecture-review/references/architecture-review.md

@@ -9,6 +9,8 @@ When reviewing a proposed change, ask:
 - Does this module hide complexity or merely pass it through?
 - Are repo-local docs using a more specific term or rule?
 - Where do caller contracts, mutation safety, or hot-path performance assumptions belong so they stay visible instead of leaking across seams?
+- Do the proposed files change independently, or do they always move together as one cohesive contract?
+- Would the split reduce the number of files touched for a typical change, or merely make readers chase more files?
 
 ## Bad / better / why skeletons
 
@@ -34,6 +36,12 @@ Change adjacent code only when it sits on the changed execution path and leaving
 - Better: each module owns one responsibility such as argument parsing, repository discovery, filesystem operations, prompting, or rendering; keep a compatibility facade only when it contains no policy and prevents churn.
 - Why: maintainers can name one reason to change the module, while callers do not learn unrelated helpers.
 
+### Over-fragmented contract split
+
+- Bad: a cohesive feature contract is split into separate `*-types`, `*-select`, `*-mapper`, `*-aliases`, and tiny wrapper files that are hard to understand alone and usually change in the same commit.
+- Better: keep type, select/shape alias, mapper, and small constants together when they describe one caller-facing contract; split only the independently changing query, policy, side effect, or behavior seam.
+- Why: SRP is about independent reasons to change, not maximizing file count; good splits reduce change surface and test scope without increasing reader navigation cost.
+
 ### Function responsibility split
 
 - Bad: one function parses input, validates it, reads files, transforms data, writes output, prints a report, and decides exit behavior.