start-vibing 4.3.4 → 4.4.0

package/template/.claude/skills/e2e-audit/e2e/utils/security-helpers.ts

@@ -0,0 +1,114 @@
+import { type Page, expect } from '@playwright/test'
+
+export const XSS_PAYLOADS = [
+	'<script>alert("xss")</script>',
+	'<img src=x onerror=alert("xss")>',
+	'"><script>alert("xss")</script>',
+	"javascript:alert('xss')",
+	'<svg onload=alert("xss")>',
+	"'; DROP TABLE users; --",
+	'{{constructor.constructor("return this")()}}',
+	'${7*7}',
+]
+
+export const REQUIRED_SECURITY_HEADERS = [
+	'x-frame-options',
+	'x-content-type-options',
+	'referrer-policy',
+]
+
+/**
+ * Test XSS payloads against a text input.
+ * Fills each payload and verifies no dialog (alert/confirm/prompt) fires.
+ */
+export async function testXssOnInput(
+	page: Page,
+	inputLocator: ReturnType<Page['getByRole']>,
+) {
+	const dialogFired: string[] = []
+	const handler = (dialog: { message: () => string; dismiss: () => Promise<void> }) => {
+		dialogFired.push(dialog.message())
+		void dialog.dismiss()
+	}
+	page.on('dialog', handler)
+
+	for (const payload of XSS_PAYLOADS) {
+		await inputLocator.clear()
+		await inputLocator.fill(payload)
+		// Trigger potential execution (blur, submit)
+		await inputLocator.press('Tab')
+	}
+
+	page.off('dialog', handler)
+
+	if (dialogFired.length > 0) {
+		throw new Error(
+			`XSS detected! Dialog(s) fired with: ${dialogFired.join(', ')}`,
+		)
+	}
+}
+
+/**
+ * Verify required security headers are present on a response.
+ */
+export async function assertSecurityHeaders(page: Page, url: string) {
+	const response = await page.goto(url)
+	if (!response) throw new Error(`No response for ${url}`)
+
+	const headers = response.headers()
+
+	for (const header of REQUIRED_SECURITY_HEADERS) {
+		expect(
+			headers[header],
+			`Missing security header: ${header}`,
+		).toBeDefined()
+	}
+
+	// X-Content-Type-Options should be nosniff
+	if (headers['x-content-type-options']) {
+		expect(headers['x-content-type-options']).toBe('nosniff')
+	}
+}
+
+/**
+ * Verify that error responses don't contain stack traces.
+ */
+export async function assertNoStackTraceInResponse(page: Page) {
+	const content = await page.content()
+	const stackTraceIndicators = [
+		'at Object.',
+		'at Module.',
+		'at Function.',
+		'node_modules/',
+		'.js:',
+		'webpack-internal',
+		'__next',
+	]
+
+	for (const indicator of stackTraceIndicators) {
+		expect(content).not.toContain(indicator)
+	}
+}
+
+/**
+ * Test RBAC by navigating to a URL and checking if access is denied.
+ */
+export async function assertAccessDenied(
+	page: Page,
+	url: string,
+	expectedRedirect?: string,
+) {
+	await page.goto(url)
+	const currentUrl = page.url()
+
+	if (expectedRedirect) {
+		expect(currentUrl).toContain(expectedRedirect)
+	} else {
+		// Should redirect to /unauthorized or /auth
+		const denied =
+			currentUrl.includes('/unauthorized') ||
+			currentUrl.includes('/auth') ||
+			currentUrl.includes('/login')
+		expect(denied).toBe(true)
+	}
+}

package/template/.claude/skills/e2e-audit/e2e/utils/test-data.ts

@@ -0,0 +1,64 @@
+/**
+ * Shared test data constants for E2E tests.
+ * Keep this minimal — only data used across multiple test files.
+ */
+
+export const ROUTES = {
+	// Dashboard (authenticated)
+	home: '/dashboard/home',
+	knowledge: '/dashboard/knowledge',
+	knowledgeDetail: (id: string) => `/dashboard/knowledge/${id}`,
+	chat: '/dashboard/chat',
+	integrations: '/dashboard/integrations',
+	integrationDetail: (id: string) => `/dashboard/integrations/${id}`,
+	integrationsNew: '/dashboard/integrations/new',
+	integrationsSuccess: '/dashboard/integrations/success',
+	teams: '/dashboard/teams',
+	profile: '/dashboard/profile',
+	admin: '/dashboard/admin',
+	billing: '/dashboard/billing',
+	ontology: '/dashboard/ontology',
+	transcripts: '/dashboard/transcripts',
+	transcriptDetail: (id: string) => `/dashboard/transcripts/${id}`,
+	transcriptDocument: (id: string) => `/dashboard/transcripts/documents/${id}`,
+
+	// Auth
+	root: '/',
+	authDesktop: '/auth/desktop',
+	authError: '/auth/error',
+	logout: '/auth/logout',
+	popupCallback: '/auth/popup-callback',
+	integrationCallbackSuccess: '/auth/integration/callback/success',
+	integrationCallbackError: '/auth/integration/callback/error',
+
+	// Other
+	unauthorized: '/unauthorized',
+	freeTrial: '/freetrial',
+} as const
+
+export const RBAC_ROUTES = {
+	/** Routes accessible only by ADMIN+ */
+	admin: [ROUTES.admin],
+	/** Routes accessible only by OWNER */
+	owner: [ROUTES.billing],
+	/** Routes accessible only by MANAGER+ */
+	manager: [ROUTES.integrationsNew],
+	/** Routes accessible by any authenticated user */
+	member: [
+		ROUTES.home,
+		ROUTES.knowledge,
+		ROUTES.chat,
+		ROUTES.integrations,
+		ROUTES.teams,
+		ROUTES.profile,
+		ROUTES.ontology,
+		ROUTES.transcripts,
+	],
+} as const
+
+export const TIMEOUTS = {
+	navigation: 30_000,
+	action: 10_000,
+	toast: 5_000,
+	animation: 500,
+} as const

package/template/.claude/skills/e2e-audit/runbook.md

@@ -0,0 +1,115 @@
+# E2E Audit Runbook
+
+## Setup
+
+### 1. Install Playwright
+
+```bash
+bun add -D @playwright/test
+bunx playwright install chromium
+```
+
+### 2. Start the dev server
+
+```bash
+bun run dev
+```
+
+### 3. Run tests
+
+```bash
+# All E2E tests
+bun run test:e2e
+
+# With UI mode (visual debugger)
+bunx playwright test --ui
+
+# Specific test file
+bunx playwright test tests/e2e/specs/dashboard-home.spec.ts
+
+# By tag
+bunx playwright test --grep @smoke
+bunx playwright test --grep @security
+bunx playwright test --grep @ux
+```
+
+## Test Organization
+
+```
+tests/e2e/
+├── fixtures/          # Auth + base fixtures
+│   ├── auth.ts        # Per-role authentication setup
+│   ├── base.ts        # Extended test fixture (authenticatedPage)
+│   └── storage/       # Generated auth state files (gitignored)
+├── pages/             # Page Object Models (1 per page)
+├── specs/             # Test specs (1 per page + security/)
+│   └── security/      # Cross-cutting security tests
+└── utils/             # Shared helpers
+    ├── console-collector.ts  # Console message interceptor
+    ├── security-helpers.ts   # XSS, header, RBAC helpers
+    └── test-data.ts          # Routes, timeouts, test constants
+```
+
+## Adding Tests for a New Page
+
+1. **Create Page Object** in `tests/e2e/pages/{page-name}.page.ts`
+2. **Create Test Spec** in `tests/e2e/specs/{page-name}.spec.ts`
+3. **Create Page Spec** in `docs/e2e-audit/page-specs/{page-name}.md`
+4. **Run and fix**: `bunx playwright test tests/e2e/specs/{page-name}.spec.ts`
+5. **Update master audit** in `docs/e2e-audit/reports/master-audit.md`
+
+## Updating Tests After App Changes
+
+1. Run the e2e-audit skill to re-discover elements on changed pages
+2. Compare new page spec with existing
+3. Update POM, test spec, and page spec
+4. Run tests: `bun run test:e2e`
+5. Fix failures
+
+## Auth Setup
+
+Tests use `storageState` for pre-authenticated sessions. The auth fixture at
+`tests/e2e/fixtures/auth.ts` needs real login flows implemented per role.
+
+For local development with OAuth, you may need to:
+1. Use the Cloudflare tunnel (`https://dev.hakutaku.ai`)
+2. Set `BASE_URL=https://dev.hakutaku.ai` when running tests
+3. Or mock auth via direct cookie/session injection
+
+## CI Integration
+
+```yaml
+# Example GitHub Actions step
+- name: E2E Tests
+  run: |
+    bunx playwright install chromium
+    bun run test:e2e
+  env:
+    BASE_URL: http://localhost:3000
+```
+
+## Debugging Failed Tests
+
+```bash
+# View trace from failed test
+bunx playwright show-trace test-results/{test-name}/trace.zip
+
+# Run with headed browser
+bunx playwright test --headed
+
+# Run with slow motion
+bunx playwright test --headed --slow-mo 500
+
+# Debug specific test
+bunx playwright test --debug tests/e2e/specs/dashboard-home.spec.ts
+```
+
+## Tags Reference
+
+| Tag | Purpose | When to run |
+|-----|---------|-------------|
+| `@smoke` | Critical paths | Every PR |
+| `@regression` | Full suite | Main merges |
+| `@security` | Security tests | Weekly + before release |
+| `@a11y` | Accessibility | Weekly |
+| `@ux` | UX/UI validation | After UI changes |

package/template/.claude/skills/super-design/SKILL.md

@@ -8,7 +8,7 @@ description: >
   UX audit (WCAG 2.2 AA, Nielsen heuristics, Baymard, CWV), and synthesized
   overview. Re-audits only what changed since last run. On explicit user request,
   applies surgical fixes with full rollback.
-version: 0.6.4
+version: 0.7.0
 ---
 
 # super-design
@@ -22,17 +22,36 @@ Four-phase pipeline with 6 specialist agents:
    nav, cards, modals, forms, tokens — per competitor × mobile+desktop),
    produces market-analysis.md + component-comparison.md.
 2. **UI/UX audit** (sd-audit) — drives browser via Playwright MCP directly.
-   Five layers:
+   Six layers:
    - Route discovery + static snap (Nielsen + WCAG 2.2 AA + Baymard + CWV)
+   - **Step 1.5 source-first discovery** (0.7.0+) —
+     `discover-surfaces.sh` reads the repo FIRST and emits an authoritative
+     inventory of modals, forms, triggers, internal nav, and Next.js
+     layout/error/loading/not-found/parallel/intercepting routes BEFORE
+     Playwright runs. `extract-project-rules.sh` parses FORBIDDEN tables
+     from CLAUDE.md / AGENTS.md / .cursorrules into audit-applicable
+     rules. Runtime cross-checks surface these as `modal-coverage-gap`,
+     `form-coverage-gap`, and `project-forbidden-<slug>` findings.
    - **Step 2.5 component/modal/flow discovery** (Phase A inventory, B modal
      enumeration, C flow exercising, D state matrix, E form coverage) — this
      is where modal contents, empty/loading/error states, and flow errors
-     get real evidence instead of "checklist hypothetical".
+     get real evidence instead of "checklist hypothetical". Phase B now
+     cross-references `surfaces.json` and files a `modal-coverage-gap`
+     finding for anything declared in source but never opened.
    - **Step 3g design-intelligence scoring** (17-category rubric → DIS 0–100)
      catches implicit best practices checklists miss (cards-in-flex-col,
-     low density, weak CTA hierarchy, vibecode smell).
+     low density, weak CTA hierarchy, vibecode smell). Emits MANDATORY
+     `design-intelligence-craft-summary` finding per page × viewport so
+     overview.md has one holistic verdict row ("admin mobile is 38/100
+     WEAK — holistic redesign scope") per combination, not just discrete
+     per-category findings.
    - **Step 3h mobile-native audit** (21-item Duolingo/Linear/Arc/Cash-App
      checklist) — replaces "responsive-web-on-a-phone" thinking.
+   - **Step 3i project-rule enforcement** (0.7.0+) — consumes
+     `project-rules.json` and fires primary findings keyed to the
+     project's own FORBIDDEN wording (e.g. `project-forbidden-use-cards-on-mobile`)
+     when the rule is violated at runtime. Not a tag, not a severity
+     bump — the project owner's rule IS the rule source.
    - C16 ≤ 4 → **DSC-choice** proposal: sd-synthesis runs
      `scripts/score-typeui.mjs --from-audit <dir>` to derive a 7-axis site
      fingerprint (density/contrast/geometry/color/typography/motion/audience)
@@ -189,6 +208,25 @@ Windows git-bash + Linux.
   `*.fixture.json`, `fixtures/<name>.json`, or `$SUPER_DESIGN_FIXTURES`
   env JSON; falls back to `@fixture-default` with a warning. Consumers
   (hash-pages, sd-audit) MUST strip the suffix before navigating.
+- `discover-surfaces.sh` (0.7.0+) — source-first static scan for
+  modals (`<Dialog|Sheet|Drawer|Modal|Popover|AlertDialog|DropdownMenu|CommandDialog|...>`),
+  forms (`<form>` / `useForm(` / `<Form>`), triggers (`<*Trigger>`),
+  internal navigation (`<Link href>` / `router.push`), and Next.js
+  `layout.tsx` / `error.tsx` / `loading.tsx` / `not-found.tsx` / parallel
+  routes (`@foo/`) / intercepting routes (`(.)foo/`). Emits
+  `$SESSION_DIR/surfaces.json`. sd-audit Step 2.5 Phase B cross-checks
+  runtime observations against this inventory and files
+  `modal-coverage-gap` / `form-coverage-gap` findings for declared
+  components never exercised.
+- `extract-project-rules.sh` (0.7.0+) — parses FORBIDDEN tables from
+  `CLAUDE.md` / `AGENTS.md` / `GEMINI.md` / `.claude/CLAUDE.md` /
+  `.cursorrules` into an authoritative rule source. Classifies each
+  rule as audit-applicable (mobile / design / ux / perf / a11y) or
+  code-level (skip — belongs to typecheck/lint). Emits
+  `$SESSION_DIR/project-rules.json`. sd-audit Step 3i fires primary
+  findings keyed to the project's own wording (e.g.
+  `project-forbidden-use-cards-on-mobile`) — the project owner's rule
+  IS the rule source, not a tag or severity bump.
 - `build-import-graph.sh` — builds `.super-design/import-graph.json`
   (`{nodes, edges, hash, backend}`) and persists `import_graph_sha` to
   state. Prefers `npx madge --json <roots>`; falls back to a regex

package/template/.claude/skills/super-design/scripts/discover-surfaces.sh

@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+# discover-surfaces.sh — source-first discovery of modals, forms, triggers,
+# internal navigation, and Next.js layout/error/loading/parallel surfaces.
+#
+# Purpose: sd-audit cannot trust runtime-only modal discovery (click every
+# trigger in Playwright). A modal hidden behind a flow step, a feature flag,
+# or an auth gate will be missed. This script reads the SOURCE CODE first
+# and emits an authoritative inventory; Step 2.5 Phase B cross-checks at
+# runtime and emits `modal-coverage-gap` findings for anything declared in
+# source but never opened during the audit.
+#
+# Output: JSON object on stdout with shape:
+# {
+#   "modals":     [{ "component": "CreateUserDialog", "file": "...", "used_in": [...] }],
+#   "forms":      [{ "id": "LoginForm", "file": "...", "fields": [...] }],
+#   "triggers":   [{ "kind": "DialogTrigger", "file": "..." }],
+#   "navigation": [{ "from": "src/...", "to": "/users", "kind": "Link" }],
+#   "layouts":    ["src/app/layout.tsx", "src/app/(app)/layout.tsx"],
+#   "errors":     ["src/app/error.tsx"],
+#   "loading":    ["src/app/loading.tsx"],
+#   "not_found":  ["src/app/not-found.tsx"],
+#   "parallel":   ["src/app/@modal"],
+#   "intercepting": ["src/app/(.)photos"],
+#   "framework":  "next" | "remix" | "sveltekit" | "astro" | "nuxt" | "unknown"
+# }
+#
+# Best-effort grep-based scanner. No AST. False positives are OK —
+# sd-audit treats this as an inventory, not a contract. Missed items
+# are the real failure mode.
+set -euo pipefail
+
+log() { printf '[discover-surfaces] %s\n' "$*" >&2; }
+
+detect_framework() {
+  if   [[ -f next.config.js || -f next.config.ts || -f next.config.mjs ]]; then echo "next"
+  elif [[ -f remix.config.js || -d app/routes ]]; then echo "remix"
+  elif [[ -f svelte.config.js && -d src/routes ]]; then echo "sveltekit"
+  elif [[ -f astro.config.mjs || -f astro.config.ts ]]; then echo "astro"
+  elif [[ -f nuxt.config.ts || -f nuxt.config.js ]]; then echo "nuxt"
+  else echo "unknown"; fi
+}
+
+# Source roots to scan. Frameworks differ; union keeps the scanner simple.
+SCAN_ROOTS=()
+for d in src app src/app src/components components src/pages pages src/features features src/routes app/routes; do
+  [[ -d "$d" ]] && SCAN_ROOTS+=("$d")
+done
+if [[ ${#SCAN_ROOTS[@]} -eq 0 ]]; then
+  log "no known source roots found; emitting empty inventory"
+  jq -n '{modals:[],forms:[],triggers:[],navigation:[],layouts:[],errors:[],loading:[],not_found:[],parallel:[],intercepting:[],framework:"unknown"}'
+  exit 0
+fi
+
+# File extensions we care about.
+EXT_GLOB='\.(tsx|jsx|ts|js|svelte|vue|astro)$'
+
+# --- 1. MODALS --------------------------------------------------------------
+# Match common modal/overlay component usages. We key on JSX opening tags so
+# we catch both <Dialog> and <Dialog.Root>. The component NAME is what
+# the audit logs as the `component` field.
+MODAL_PATTERN='<(Dialog|AlertDialog|Sheet|Drawer|Modal|Popover|HoverCard|Tooltip|CommandDialog|DropdownMenu|ContextMenu|Menubar|NavigationMenu|Select|Combobox|DatePicker|ColorPicker)\b'
+
+modals_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHn --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        --include='*.svelte' --include='*.vue' --include='*.astro' \
+        "$MODAL_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2;
+    # capture component name between < and the next non-word char
+    match($0, /<([A-Z][A-Za-z0-9_]*)/, m);
+    if (m[1] != "") printf "{\"component\":\"%s\",\"file\":\"%s\",\"line\":%s}\n", m[1], file, line;
+  }' | jq -s 'unique_by([.component,.file])'
+)"
+
+# --- 2. FORMS ---------------------------------------------------------------
+# Match react-hook-form useForm() calls, <Form> / <form> elements, and
+# zod schema imports co-located with forms.
+FORM_PATTERN='(useForm\s*\(|<Form[[:space:]>]|<form[[:space:]>])'
+
+forms_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHln --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        --include='*.svelte' --include='*.vue' --include='*.astro' \
+        "$FORM_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | sort -u | awk '{ printf "{\"file\":\"%s\"}\n", $0 }' | jq -s '.'
+)"
+
+# --- 3. TRIGGERS ------------------------------------------------------------
+# Explicit *Trigger components (Radix / shadcn convention) tell us the
+# connection between a button and its overlay.
+TRIGGER_PATTERN='<(DialogTrigger|SheetTrigger|DrawerTrigger|PopoverTrigger|DropdownMenuTrigger|AlertDialogTrigger|HoverCardTrigger|TooltipTrigger|SelectTrigger|ComboboxTrigger|ContextMenuTrigger|MenubarTrigger|NavigationMenuTrigger)\b'
+
+triggers_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHn --include='*.tsx' --include='*.jsx' \
+        "$TRIGGER_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2;
+    match($0, /<([A-Z][A-Za-z0-9_]*Trigger)/, m);
+    if (m[1] != "") printf "{\"kind\":\"%s\",\"file\":\"%s\",\"line\":%s}\n", m[1], file, line;
+  }' | jq -s '.'
+)"
+
+# --- 4. NAVIGATION ----------------------------------------------------------
+# Internal nav: <Link href=...>, <Link to=...>, router.push("/..."),
+# redirect("/..."), navigate("/..."). We only keep destinations that start
+# with "/" (internal) — external URLs are not audit targets here.
+nav_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHno --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        "(href|to)=[\"']/[^\"']*[\"']|(router\.push|redirect|navigate)\(\s*[\"']/[^\"']*[\"']" \
+        "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2; rest=""; for (i=3;i<=NF;i++) rest = rest (i==3?"":":") $i;
+    # extract first "/..." path literal from the match
+    match(rest, /[\"'"'"']\/[^\"'"'"']*[\"'"'"']/, m);
+    if (m[0] != "") {
+      dest=m[0]; gsub(/[\"'"'"']/, "", dest);
+      kind = (rest ~ /push|redirect|navigate/) ? "imperative" : "link";
+      printf "{\"from\":\"%s\",\"to\":\"%s\",\"kind\":\"%s\",\"line\":%s}\n", file, dest, kind, line;
+    }
+  }' | jq -s 'unique_by([.from,.to])'
+)"
+
+# --- 5. NEXT.JS LAYOUT / ERROR / LOADING / NOT-FOUND / PARALLEL -------------
+# Empty arrays for non-Next frameworks.
+FW="$(detect_framework)"
+layouts_json='[]'
+errors_json='[]'
+loading_json='[]'
+notfound_json='[]'
+parallel_json='[]'
+intercepting_json='[]'
+
+if [[ "$FW" == "next" ]]; then
+  # layout.tsx / template.tsx nesting defines wrapper chrome (headers,
+  # sidebars) — sd-audit must audit these at EVERY viewport because a
+  # layout that misbehaves on mobile breaks every child page.
+  layouts_json="$(
+    find app src/app -type f \( -name 'layout.tsx' -o -name 'layout.ts' -o -name 'layout.jsx' -o -name 'layout.js' -o -name 'template.tsx' -o -name 'template.ts' \) 2>/dev/null \
+      | jq -Rn '[inputs]'
+  )"
+  errors_json="$(
+    find app src/app -type f \( -name 'error.tsx' -o -name 'global-error.tsx' \) 2>/dev/null \
+      | jq -Rn '[inputs]'
+  )"
+  loading_json="$(
+    find app src/app -type f -name 'loading.tsx' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  notfound_json="$(
+    find app src/app -type f -name 'not-found.tsx' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  # Parallel route slots: directories starting with @
+  parallel_json="$(
+    find app src/app -type d -name '@*' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  # Intercepting routes: directories starting with (.) / (..) / (...)
+  intercepting_json="$(
+    find app src/app -type d \( -name '(.)*' -o -name '(..)*' -o -name '(...)*' \) 2>/dev/null | jq -Rn '[inputs]'
+  )"
+fi
+
+# --- ASSEMBLE ---------------------------------------------------------------
+jq -n \
+  --argjson modals "$modals_json" \
+  --argjson forms "$forms_json" \
+  --argjson triggers "$triggers_json" \
+  --argjson navigation "$nav_json" \
+  --argjson layouts "$layouts_json" \
+  --argjson errors "$errors_json" \
+  --argjson loading "$loading_json" \
+  --argjson not_found "$notfound_json" \
+  --argjson parallel "$parallel_json" \
+  --argjson intercepting "$intercepting_json" \
+  --arg framework "$FW" \
+  '{
+    framework: $framework,
+    modals: $modals,
+    forms: $forms,
+    triggers: $triggers,
+    navigation: $navigation,
+    layouts: $layouts,
+    errors: $errors,
+    loading: $loading,
+    not_found: $not_found,
+    parallel: $parallel,
+    intercepting: $intercepting
+  }'