start-vibing 4.3.4 → 4.4.1

package/template/.claude/skills/e2e-audit/references/post-run-feedback-playbook.md

@@ -0,0 +1,80 @@
+# post-run-feedback-playbook (e2e-audit 0.2.0)
+
+> How to consolidate every signal emitted during a Playwright run into one feedback document that precedes findings.json.
+
+## Why a separate document?
+
+Findings are atomic and per-problem; the user needs a 30-second summary of "what broke during this run" before drilling into specifics. `post-run-feedback.md` answers that. `findings.json` answers "what do I fix."
+
+## Signals to consolidate
+
+Pull from these inputs:
+
+1. Playwright JSON reporter output (`--reporter=json`).
+2. `$SESSION_DIR/logs/dev-server.log` (last-N-lines per crash).
+3. Console + pageerror logs captured by fixtures.
+4. Network responses matching 4xx/5xx on API paths.
+5. Dev-server PID status at run end (exited unexpectedly?).
+
+## Classification
+
+| kind               | trigger                                                      | severity |
+| ------------------ | ------------------------------------------------------------ | -------- |
+| `api-4xx`          | unexpected 4xx on a test's expected-success request          | high     |
+| `api-5xx`          | any 5xx response on API path                                 | critical |
+| `server-crash`     | 5xx AND `Content-Type: text/html` on API path                | critical |
+| `console-error`    | `page.on('console')` level=error, de-duped by message stem   | medium   |
+| `pageerror`        | `page.on('pageerror')` raised                                | high     |
+| `rbac-bypass`      | protected endpoint returned 200 to wrong role                | critical |
+| `auth-flow-broken` | redirect loop or 401 on happy-path login                     | critical |
+| `dev-server-log`   | unhandledRejection / uncaughtException in dev-server.log     | high     |
+| `test-timeout`     | test exceeded Playwright timeout                             | medium   |
+| `flake`            | retried test passed on retry (suggests flake)                | low      |
+
+## Output shape
+
+`post-run-feedback.json`:
+
+```jsonc
+{
+  "session": "<abs path to session dir>",
+  "duration_s": 128,
+  "tests_total": 42,
+  "tests_passed": 39,
+  "tests_failed": 3,
+  "tests_flaky": 1,
+  "problems": [
+    {
+      "kind": "server-crash",
+      "where": "POST /api/users",
+      "count": 2,
+      "severity": "critical",
+      "sample_trace": "traces/users-create-1.zip",
+      "sample_log_tail": "TypeError: Cannot read properties of undefined (reading 'id')\n    at ..."
+    }
+  ],
+  "uncovered_carried_forward": {
+    "routes": 4, "http": 2, "trpc": 9, "actions": 1
+  }
+}
+```
+
+`post-run-feedback.md` renders the same data as a human document with:
+
+1. A one-line verdict ("3 tests failed, 2 critical problems, 16 uncovered surfaces — requires attention").
+2. Top 5 problems by severity.
+3. Link to the trace zip for each.
+4. Next-step recommendations (add spec / fix handler / update RBAC middleware).
+
+## De-duplication
+
+- `console-error`: group by the first 120 chars of `text` (to collapse stack variation across retries).
+- `api-4xx`/`api-5xx`: group by `(method, path, status)`.
+- `pageerror`: group by the error message line.
+
+## What NOT to include
+
+- Full trace bytes — only file paths.
+- Full stack traces for every occurrence — only a single `sample_log_tail` per group.
+- Source code excerpts — that belongs in a finding's `source_quote`, not the feedback.
+- Secret values (tokens, session cookies) — actively scrub any `Authorization:` header fragments out of `sample_log_tail`.

package/template/.claude/skills/e2e-audit/scripts/detect-stack.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+# detect-stack.sh — identify framework, test runner, package manager, dev server,
+# and environment files so downstream scripts + the skill prompt can adapt.
+#
+# Output: JSON object on stdout:
+# {
+#   "framework":       "next" | "remix" | "sveltekit" | "nuxt" | "astro" | "express" | "hono" | "fastify" | "unknown",
+#   "router_style":    "app-router" | "pages-router" | "mixed" | "file-routes" | "n/a",
+#   "trpc":            true | false,
+#   "trpc_version":    "10" | "11" | "unknown" | null,
+#   "graphql":         true | false,
+#   "orm":             ["prisma" | "drizzle" | "mongoose" | "typeorm" | "kysely", ...],
+#   "auth":            ["next-auth" | "authjs" | "clerk" | "auth0" | "lucia" | "better-auth" | "supabase" | "custom", ...],
+#   "test_runner":     "playwright" | "cypress" | "vitest-browser" | "jest-puppeteer" | "none",
+#   "playwright_config": "playwright.config.ts" | null,
+#   "package_manager": "bun" | "pnpm" | "yarn" | "npm",
+#   "dev_command":     "bun run dev" | "pnpm dev" | ...,
+#   "dev_port":        <number> | null,
+#   "base_url":        "http://localhost:<port>",
+#   "env_files":       [".env.local", ".env.test", ...],
+#   "src_root":        "src" | "app" | "." ,
+#   "has_middleware":  true | false,
+#   "middleware_file": "middleware.ts" | "src/middleware.ts" | null
+# }
+#
+# Best-effort. Absence of jq is fatal (downstream scripts require it).
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+read_pkg() {
+  [[ -f package.json ]] || { echo "null"; return; }
+  jq -r "${1:-.}" package.json 2>/dev/null || echo "null"
+}
+
+has_dep() {
+  local name="$1"
+  [[ -f package.json ]] || return 1
+  jq -e --arg n "$name" '(.dependencies[$n]? // .devDependencies[$n]? // empty)' package.json >/dev/null 2>&1
+}
+
+dep_version() {
+  local name="$1"
+  [[ -f package.json ]] || { echo ""; return; }
+  jq -r --arg n "$name" '.dependencies[$n]? // .devDependencies[$n]? // ""' package.json 2>/dev/null | sed 's/^[^0-9]*//'
+}
+
+# --- framework --------------------------------------------------------------
+FRAMEWORK="unknown"
+ROUTER_STYLE="n/a"
+if   has_dep next; then
+  FRAMEWORK="next"
+  if   [[ -d app || -d src/app ]] && [[ -d pages || -d src/pages ]]; then ROUTER_STYLE="mixed"
+  elif [[ -d app || -d src/app ]]; then ROUTER_STYLE="app-router"
+  elif [[ -d pages || -d src/pages ]]; then ROUTER_STYLE="pages-router"
+  fi
+elif has_dep @remix-run/react || has_dep @remix-run/node; then FRAMEWORK="remix"; ROUTER_STYLE="file-routes"
+elif has_dep @sveltejs/kit; then FRAMEWORK="sveltekit"; ROUTER_STYLE="file-routes"
+elif has_dep nuxt;       then FRAMEWORK="nuxt";       ROUTER_STYLE="file-routes"
+elif has_dep astro;      then FRAMEWORK="astro";      ROUTER_STYLE="file-routes"
+elif has_dep hono;       then FRAMEWORK="hono"
+elif has_dep fastify;    then FRAMEWORK="fastify"
+elif has_dep express;    then FRAMEWORK="express"
+fi
+
+# --- trpc / graphql ---------------------------------------------------------
+TRPC=false; TRPC_VER="null"
+if has_dep @trpc/server; then
+  TRPC=true
+  v="$(dep_version @trpc/server)"
+  if   [[ "$v" =~ ^10\. ]]; then TRPC_VER='"10"'
+  elif [[ "$v" =~ ^11\. ]]; then TRPC_VER='"11"'
+  else TRPC_VER='"unknown"'
+  fi
+fi
+GRAPHQL=false
+if has_dep graphql || has_dep @apollo/server || has_dep @apollo/client || has_dep graphql-yoga; then
+  GRAPHQL=true
+fi
+
+# --- ORMs -------------------------------------------------------------------
+orm_arr='[]'
+for candidate in @prisma/client drizzle-orm mongoose typeorm kysely; do
+  if has_dep "$candidate"; then
+    short="${candidate##*/}"; short="${short%-orm}"
+    orm_arr="$(jq --arg o "$short" '. + [$o]' <<<"$orm_arr")"
+  fi
+done
+
+# --- auth providers ---------------------------------------------------------
+auth_arr='[]'
+add_auth() { auth_arr="$(jq --arg o "$1" '. + [$o]' <<<"$auth_arr")"; }
+has_dep next-auth        && add_auth next-auth
+has_dep @auth/core       && add_auth authjs
+has_dep @clerk/nextjs    && add_auth clerk
+has_dep @clerk/clerk-sdk-node && add_auth clerk
+has_dep @auth0/nextjs-auth0 && add_auth auth0
+has_dep lucia            && add_auth lucia
+has_dep better-auth      && add_auth better-auth
+has_dep @supabase/supabase-js && add_auth supabase
+
+# --- test runner ------------------------------------------------------------
+TEST_RUNNER="none"
+PLAYWRIGHT_CFG="null"
+if has_dep @playwright/test; then
+  TEST_RUNNER="playwright"
+  for c in playwright.config.ts playwright.config.js playwright.config.mjs; do
+    [[ -f "$c" ]] && PLAYWRIGHT_CFG="\"$c\"" && break
+  done
+elif has_dep cypress; then TEST_RUNNER="cypress"
+elif has_dep @vitest/browser; then TEST_RUNNER="vitest-browser"
+elif has_dep jest-puppeteer; then TEST_RUNNER="jest-puppeteer"
+fi
+
+# --- package manager + dev command -----------------------------------------
+if   [[ -f bun.lockb || -f bun.lock ]]; then PM="bun";  DEV_CMD="bun run dev"
+elif [[ -f pnpm-lock.yaml ]];            then PM="pnpm"; DEV_CMD="pnpm dev"
+elif [[ -f yarn.lock ]];                 then PM="yarn"; DEV_CMD="yarn dev"
+else                                          PM="npm";  DEV_CMD="npm run dev"
+fi
+
+# Check `scripts.dev` exists; fall back to start script if not.
+if [[ -f package.json ]]; then
+  HAS_DEV="$(jq -r '.scripts.dev // empty' package.json)"
+  [[ -z "$HAS_DEV" ]] && {
+    if jq -re '.scripts.start' package.json >/dev/null 2>&1; then
+      DEV_CMD="${DEV_CMD% dev} start"
+    fi
+  }
+fi
+
+# --- dev port ---------------------------------------------------------------
+DEV_PORT="null"
+# Common places: package.json scripts.dev "-p 3000" or "--port 3000", next.config, remix config
+if [[ -f package.json ]]; then
+  if script="$(jq -r '.scripts.dev // ""' package.json)"; then
+    p="$(echo "$script" | grep -oE -- '--port[= ]+[0-9]+|-p[= ]+[0-9]+|PORT=[0-9]+' | grep -oE '[0-9]+' | head -1 || true)"
+    [[ -n "$p" ]] && DEV_PORT="$p"
+  fi
+fi
+# Fallback defaults per framework
+if [[ "$DEV_PORT" == "null" ]]; then
+  case "$FRAMEWORK" in
+    next|express|hono|fastify) DEV_PORT=3000 ;;
+    remix)                     DEV_PORT=3000 ;;
+    sveltekit)                 DEV_PORT=5173 ;;
+    nuxt)                      DEV_PORT=3000 ;;
+    astro)                     DEV_PORT=4321 ;;
+  esac
+fi
+BASE_URL="http://localhost:${DEV_PORT:-3000}"
+
+# --- env files --------------------------------------------------------------
+env_arr='[]'
+for f in .env .env.local .env.development .env.development.local .env.test .env.test.local; do
+  [[ -f "$f" ]] && env_arr="$(jq --arg n "$f" '. + [$n]' <<<"$env_arr")"
+done
+
+# --- src root + middleware --------------------------------------------------
+SRC_ROOT="."
+[[ -d src ]] && SRC_ROOT="src"
+[[ -d app && ! -d src/app ]] && SRC_ROOT="."
+HAS_MW=false; MW_FILE="null"
+for f in middleware.ts middleware.js src/middleware.ts src/middleware.js; do
+  if [[ -f "$f" ]]; then HAS_MW=true; MW_FILE="\"$f\""; break; fi
+done
+
+# --- assemble ---------------------------------------------------------------
+jq -n \
+  --arg framework "$FRAMEWORK" \
+  --arg router_style "$ROUTER_STYLE" \
+  --argjson trpc "$TRPC" \
+  --argjson trpc_version "$TRPC_VER" \
+  --argjson graphql "$GRAPHQL" \
+  --argjson orm "$orm_arr" \
+  --argjson auth "$auth_arr" \
+  --arg test_runner "$TEST_RUNNER" \
+  --argjson playwright_config "$PLAYWRIGHT_CFG" \
+  --arg package_manager "$PM" \
+  --arg dev_command "$DEV_CMD" \
+  --argjson dev_port "${DEV_PORT:-null}" \
+  --arg base_url "$BASE_URL" \
+  --argjson env_files "$env_arr" \
+  --arg src_root "$SRC_ROOT" \
+  --argjson has_middleware "$HAS_MW" \
+  --argjson middleware_file "$MW_FILE" \
+  '{
+    framework: $framework,
+    router_style: $router_style,
+    trpc: $trpc,
+    trpc_version: $trpc_version,
+    graphql: $graphql,
+    orm: $orm,
+    auth: $auth,
+    test_runner: $test_runner,
+    playwright_config: $playwright_config,
+    package_manager: $package_manager,
+    dev_command: $dev_command,
+    dev_port: $dev_port,
+    base_url: $base_url,
+    env_files: $env_files,
+    src_root: $src_root,
+    has_middleware: $has_middleware,
+    middleware_file: $middleware_file
+  }'

package/template/.claude/skills/e2e-audit/scripts/detect-uncovered.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+# detect-uncovered.sh — intersect (current branch diff) × (existing tests) and
+# emit every NEW or CHANGED surface that has no test coverage.
+#
+# Inputs (all produced earlier in the pipeline):
+#   $1  routes.json         (from discover-routes.sh)
+#   $2  api-surface.json    (from discover-api-surface.sh)
+#   $3  existing-tests.json (from inventory-existing-tests.sh)
+#   $4  base-ref            (default: origin/main)
+#
+# Output: JSON object on stdout:
+# {
+#   "base_ref":   "origin/main",
+#   "diff_files": ["src/app/users/page.tsx", ...],
+#   "changed_routes":    [{route from routes.json}, ...],
+#   "changed_http":      [{route from api-surface.http_routes}, ...],
+#   "changed_trpc":      [{proc from api-surface.trpc_procedures}, ...],
+#   "changed_actions":   [{action from api-surface.server_actions}, ...],
+#   "uncovered_routes":  [...],  // changed AND no test references its URL or file
+#   "uncovered_http":    [...],
+#   "uncovered_trpc":    [...],
+#   "uncovered_actions": [...]
+# }
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+ROUTES_JSON="${1:?usage: detect-uncovered.sh routes.json api-surface.json existing-tests.json [base-ref]}"
+API_JSON="${2:?api-surface.json required}"
+TESTS_JSON="${3:?existing-tests.json required}"
+BASE_REF="${4:-origin/main}"
+
+for f in "$ROUTES_JSON" "$API_JSON" "$TESTS_JSON"; do
+  [[ -f "$f" ]] || { echo "missing: $f" >&2; exit 2; }
+done
+
+# --- 1. branch diff ---------------------------------------------------------
+DIFF_FILES='[]'
+if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  # If the base ref doesn't exist locally, fall back to HEAD~10..HEAD
+  if git rev-parse --verify "$BASE_REF" >/dev/null 2>&1; then
+    MERGE_BASE="$(git merge-base "$BASE_REF" HEAD 2>/dev/null || echo "$BASE_REF")"
+  else
+    MERGE_BASE="$(git rev-parse HEAD~10 2>/dev/null || git rev-parse HEAD)"
+  fi
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    DIFF_FILES="$(jq --arg f "$f" '. + [$f]' <<<"$DIFF_FILES")"
+  done < <(git diff --name-only "$MERGE_BASE"...HEAD 2>/dev/null; git diff --name-only --cached 2>/dev/null; git diff --name-only 2>/dev/null)
+  DIFF_FILES="$(jq 'unique' <<<"$DIFF_FILES")"
+fi
+
+# --- 2. filter each inventory by membership in diff -------------------------
+# Helper: pass stdin JSON array + filter over .file field.
+filter_by_file() {
+  jq --argjson diff "$DIFF_FILES" '[.[] | select(.file as $f | $diff | any(. == $f))]'
+}
+
+CHANGED_ROUTES="$(jq '.' "$ROUTES_JSON" | filter_by_file)"
+CHANGED_HTTP="$(jq '.http_routes' "$API_JSON" | filter_by_file)"
+CHANGED_TRPC="$(jq '.trpc_procedures' "$API_JSON" | filter_by_file)"
+CHANGED_ACTIONS="$(jq '.server_actions' "$API_JSON" | filter_by_file)"
+
+# --- 3. load test corpus contents for string-search coverage ---------------
+# Build a single concatenated lowercase blob of all test-file contents;
+# a route is "covered" if its URL path OR its source file path appears in any test.
+TEST_FILES="$(jq -r '.test_files[]?.file // empty' "$TESTS_JSON")"
+TEST_BLOB="/tmp/e2e-audit-testblob-$$.txt"
+: >"$TEST_BLOB"
+while IFS= read -r tf; do
+  [[ -z "$tf" ]] && continue
+  [[ -f "$tf" ]] && tr '[:upper:]' '[:lower:]' <"$tf" >>"$TEST_BLOB" || true
+done <<<"$TEST_FILES"
+
+is_covered() {
+  # args: needle1 needle2 ...
+  local n
+  for n in "$@"; do
+    [[ -z "$n" ]] && continue
+    # Strip dynamic segments to make a loose match: /users/[id] → /users/
+    loose="$(echo "$n" | sed -E 's#\[[^]]+\]#[^/]+#g' | tr '[:upper:]' '[:lower:]')"
+    # Plain literal check first
+    if grep -qF "$(echo "$n" | tr '[:upper:]' '[:lower:]')" "$TEST_BLOB" 2>/dev/null; then return 0; fi
+    # Regex-ish check with dynamic wildcards
+    if grep -Eq "$loose" "$TEST_BLOB" 2>/dev/null; then return 0; fi
+  done
+  return 1
+}
+
+# --- 4. compute uncovered for each category --------------------------------
+compute_uncovered() {
+  local changed_json="$1"
+  local name_field="$2"   # which field(s) to probe as test needles
+  local secondary_field="$3"  # optional (e.g., path as well as file)
+  local out='[]'
+  while IFS= read -r item; do
+    [[ -z "$item" ]] && continue
+    primary="$(jq -r --arg k "$name_field" '.[$k] // ""' <<<"$item")"
+    secondary="$(jq -r --arg k "$secondary_field" '.[$k] // ""' <<<"$item")"
+    if ! is_covered "$primary" "$secondary"; then
+      out="$(jq --argjson o "$item" '. + [$o]' <<<"$out")"
+    fi
+  done < <(jq -c '.[]' <<<"$changed_json")
+  echo "$out"
+}
+
+UNC_ROUTES="$(compute_uncovered   "$CHANGED_ROUTES"  "path" "file")"
+UNC_HTTP="$(compute_uncovered     "$CHANGED_HTTP"    "path" "file")"
+UNC_TRPC="$(compute_uncovered     "$CHANGED_TRPC"    "name" "file")"
+UNC_ACTIONS="$(compute_uncovered  "$CHANGED_ACTIONS" "name" "file")"
+
+rm -f "$TEST_BLOB"
+
+# --- 5. assemble ------------------------------------------------------------
+jq -n \
+  --arg base_ref "$BASE_REF" \
+  --argjson diff_files "$DIFF_FILES" \
+  --argjson changed_routes "$CHANGED_ROUTES" \
+  --argjson changed_http "$CHANGED_HTTP" \
+  --argjson changed_trpc "$CHANGED_TRPC" \
+  --argjson changed_actions "$CHANGED_ACTIONS" \
+  --argjson uncovered_routes "$UNC_ROUTES" \
+  --argjson uncovered_http "$UNC_HTTP" \
+  --argjson uncovered_trpc "$UNC_TRPC" \
+  --argjson uncovered_actions "$UNC_ACTIONS" \
+  '{
+    base_ref: $base_ref,
+    diff_files: $diff_files,
+    changed_routes: $changed_routes,
+    changed_http: $changed_http,
+    changed_trpc: $changed_trpc,
+    changed_actions: $changed_actions,
+    uncovered_routes: $uncovered_routes,
+    uncovered_http: $uncovered_http,
+    uncovered_trpc: $uncovered_trpc,
+    uncovered_actions: $uncovered_actions
+  }'

package/template/.claude/skills/e2e-audit/scripts/discover-api-surface.sh

@@ -0,0 +1,242 @@
+#!/usr/bin/env bash
+# discover-api-surface.sh — enumerate every network-facing surface a browser
+# or third-party client can hit: REST/HTTP route handlers, tRPC procedures,
+# GraphQL resolvers, and server actions.
+#
+# Why: Playwright deduction misses endpoints that aren't touched by the
+# flow you tested. A procedure that's only called from Settings > Advanced
+# > Danger Zone, or an API route called only by a webhook, won't show up
+# in a traffic log. This script reads the SOURCE and emits the full
+# contract so the skill can report which endpoints HAVE no tests.
+#
+# Output: JSON object on stdout:
+# {
+#   "http_routes":     [{ "method": "POST", "path": "/api/users", "file": "...", "auth": "protected"|"public"|"unknown", "zod_schema_found": true|false }],
+#   "trpc_procedures": [{ "name": "users.create", "kind": "query"|"mutation"|"subscription", "file": "...", "auth": "protected"|"public"|"unknown", "input_schema_found": true|false }],
+#   "graphql":         { "found": true|false, "files": [...] },
+#   "server_actions":  [{ "name": "createUser", "file": "...", "directive": "'use server'"|"file-scoped" }],
+#   "middleware":      { "file": "middleware.ts"|null, "has_auth_guard": true|false, "matches_public_patterns": [...] }
+# }
+#
+# No AST. False positives are OK — skill cross-references this with tests.
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+HTTP='[]'
+TRPC='[]'
+GQL_FOUND=false
+GQL_FILES='[]'
+ACTIONS='[]'
+MW_FILE="null"
+MW_AUTH=false
+MW_PUBLIC='[]'
+
+# --- 1. HTTP ROUTE HANDLERS -------------------------------------------------
+# Next.js app router: app/**/route.{ts,tsx,js} with exported METHOD handlers.
+# Next.js pages router: pages/api/**/*.{ts,tsx,js} with default export.
+# Remix: resource routes (files in app/routes with a loader/action but no default).
+# Express/Hono/Fastify: app.get/post/put/delete/patch etc.
+METHODS='GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS'
+
+# Next.js app router route.ts
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  # URL path: strip app/src/app prefix and /route.* suffix; keep [param].
+  p="$f"; p="${p#src/app/}"; p="${p#app/}"; p="${p%/route.ts}"; p="${p%/route.tsx}"; p="${p%/route.js}"
+  # strip route-group segments
+  p="$(echo "$p" | awk -F/ '{out=""; for(i=1;i<=NF;i++){if($i~/^\(.*\)$/)continue; out=out(out==""?"":"/")$i} print out}')"
+  url="/$p"
+  # which methods are exported?
+  for m in GET POST PUT PATCH DELETE HEAD OPTIONS; do
+    if grep -Eq "export[[:space:]]+(async[[:space:]]+)?function[[:space:]]+$m\\b|export[[:space:]]+const[[:space:]]+$m[[:space:]]*=" "$f" 2>/dev/null; then
+      # zod schema mentioned in file?
+      zod=false
+      grep -Eq "z\\.object\\(|safeParse|\\.parse\\(|zodResolver" "$f" 2>/dev/null && zod=true
+      # auth hint: look for session/auth/protected keywords
+      auth="unknown"
+      if   grep -Eq "getServerSession|auth\\(\\)|requireAuth|requireSession|getSession|currentUser\\(|userId" "$f" 2>/dev/null; then auth="protected"
+      elif grep -Eq "// public|@public" "$f" 2>/dev/null; then auth="public"
+      fi
+      HTTP="$(jq --arg m "$m" --arg p "$url" --arg f "$f" --arg a "$auth" --argjson z "$zod" \
+                '. + [{method:$m, path:$p, file:$f, auth:$a, zod_schema_found:$z}]' <<<"$HTTP")"
+    fi
+  done
+done < <(find app src/app -type f \( -name 'route.ts' -o -name 'route.tsx' -o -name 'route.js' \) 2>/dev/null)
+
+# Next.js pages/api
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  p="$f"; p="${p#src/pages/}"; p="${p#pages/}"
+  p="${p%.ts}"; p="${p%.tsx}"; p="${p%.js}"; p="${p%.jsx}"
+  # index.ts -> directory path
+  p="${p%/index}"
+  url="/$p"
+  auth="unknown"
+  if grep -Eq "getServerSession|requireAuth|getSession|authenticate\\(|req\\.session" "$f" 2>/dev/null; then auth="protected"; fi
+  zod=false
+  grep -Eq "z\\.object\\(|safeParse|\\.parse\\(" "$f" 2>/dev/null && zod=true
+  HTTP="$(jq --arg p "$url" --arg f "$f" --arg a "$auth" --argjson z "$zod" \
+            '. + [{method:"ANY", path:$p, file:$f, auth:$a, zod_schema_found:$z}]' <<<"$HTTP")"
+done < <(find pages/api src/pages/api -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.js' \) 2>/dev/null)
+
+# Express / Hono / Fastify style (app.get/post/...)
+while IFS= read -r hit; do
+  [[ -z "$hit" ]] && continue
+  f="${hit%%:*}"; rest="${hit#*:}"
+  line="${rest%%:*}"
+  match="${rest#*:}"
+  m="$(echo "$match" | grep -oE "\\.(get|post|put|patch|delete|head|options)\\(" | head -1 | tr -d '.(' | tr '[:lower:]' '[:upper:]')"
+  url="$(echo "$match" | grep -oE "[\"'][^\"']+[\"']" | head -1 | tr -d "\"'")"
+  [[ -z "$m" || -z "$url" ]] && continue
+  [[ "$url" =~ ^/ ]] || continue
+  HTTP="$(jq --arg m "$m" --arg p "$url" --arg f "$f" \
+            '. + [{method:$m, path:$p, file:$f, auth:"unknown", zod_schema_found:false}]' <<<"$HTTP")"
+done < <(grep -rEHn --include='*.ts' --include='*.tsx' --include='*.js' --include='*.mjs' \
+           "\\.(get|post|put|patch|delete|head|options)\\([\"'][^\"']+[\"']" \
+           src server app 2>/dev/null | head -500 || true)
+
+# --- 2. tRPC PROCEDURES -----------------------------------------------------
+# Look for files that import `router` or `procedure` and enumerate calls:
+#   foo: publicProcedure.input(...).query(...)
+#   bar: protectedProcedure.mutation(...)
+#
+# We don't build a router namespace tree; we emit procedure names as seen.
+# Nested router paths can be computed by the skill from the file layout.
+TRPC_FILES="$(grep -rl -E "createTRPCRouter|publicProcedure|protectedProcedure|router\\(\\{" \
+  --include='*.ts' --include='*.tsx' \
+  src server 2>/dev/null || true)"
+
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  # For each procedure definition in this file, capture name + kind + auth.
+  # Pattern matches: <name>: (public|protected|<prefix>)Procedure[.input(...)]?.<query|mutation|subscription>
+  awk -v file="$f" '
+    /(\w+Procedure)/ {
+      # join multi-line chains until we hit one of the terminators.
+      chain = chain " " $0
+    }
+    /\.query\s*\(|\.mutation\s*\(|\.subscription\s*\(/ {
+      chain = chain " " $0
+      # extract name (the last "foo:" before the chain start)
+      if (match(chain, /([A-Za-z_][A-Za-z0-9_]*)\s*:\s*[A-Za-z_][A-Za-z0-9_]*Procedure/, m)) {
+        name = m[1]
+      } else name = "_"
+      # extract kind
+      if (chain ~ /\.query\s*\(/) kind = "query"
+      else if (chain ~ /\.mutation\s*\(/) kind = "mutation"
+      else kind = "subscription"
+      # extract auth (protected vs public vs custom)
+      if (chain ~ /protectedProcedure/) auth = "protected"
+      else if (chain ~ /publicProcedure/) auth = "public"
+      else auth = "unknown"
+      # input schema?
+      input_found = (chain ~ /\.input\s*\(/) ? "true" : "false"
+      printf "%s|%s|%s|%s|%s\n", name, kind, file, auth, input_found
+      chain = ""
+    }
+  ' "$f" 2>/dev/null || true
+done <<<"$TRPC_FILES" | while IFS='|' read -r name kind file auth input_found; do
+  [[ -z "$name" ]] && continue
+  jq --arg n "$name" --arg k "$kind" --arg f "$file" --arg a "$auth" --argjson i "$input_found" \
+     '. + [{name:$n, kind:$k, file:$f, auth:$a, input_schema_found:$i}]'
+done > /tmp/e2e-audit-trpc-$$.jsonl || true
+
+if [[ -s /tmp/e2e-audit-trpc-$$.jsonl ]]; then
+  # The above pipeline created one growing JSON object per line via jq --arg,
+  # but each jq invocation started from scratch. Join properly:
+  TRPC='[]'
+  while IFS= read -r _; do :; done < /tmp/e2e-audit-trpc-$$.jsonl
+fi
+rm -f /tmp/e2e-audit-trpc-$$.jsonl
+
+# Simpler, correct approach for tRPC — rebuild as JSON array in a single pass.
+TRPC='[]'
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  while IFS='|' read -r name kind file auth input_found; do
+    [[ -z "$name" ]] && continue
+    TRPC="$(jq --arg n "$name" --arg k "$kind" --arg fi "$file" --arg a "$auth" --argjson i "$input_found" \
+              '. + [{name:$n, kind:$k, file:$fi, auth:$a, input_schema_found:$i}]' <<<"$TRPC")"
+  done < <(
+    awk -v file="$f" '
+      /(\w+Procedure)/ { chain = chain " " $0 }
+      /\.query\s*\(|\.mutation\s*\(|\.subscription\s*\(/ {
+        chain = chain " " $0
+        name = "_"
+        if (match(chain, /([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*:[[:space:]]*[A-Za-z_][A-Za-z0-9_]*Procedure/, m)) name = m[1]
+        if (chain ~ /\.query[[:space:]]*\(/) kind = "query"
+        else if (chain ~ /\.mutation[[:space:]]*\(/) kind = "mutation"
+        else kind = "subscription"
+        if (chain ~ /protectedProcedure/) auth = "protected"
+        else if (chain ~ /publicProcedure/) auth = "public"
+        else auth = "unknown"
+        input_found = (chain ~ /\.input[[:space:]]*\(/) ? "true" : "false"
+        printf "%s|%s|%s|%s|%s\n", name, kind, file, auth, input_found
+        chain = ""
+      }
+    ' "$f" 2>/dev/null
+  )
+done <<<"$TRPC_FILES"
+
+# --- 3. GRAPHQL -------------------------------------------------------------
+GQL_HITS="$(grep -rl -E 'typeDefs|buildSchema|gql`|@ObjectType|@Resolver|createSchema' \
+  --include='*.ts' --include='*.tsx' --include='*.graphql' --include='*.gql' \
+  src server schema 2>/dev/null | head -50 || true)"
+if [[ -n "$GQL_HITS" ]]; then
+  GQL_FOUND=true
+  GQL_FILES="$(echo "$GQL_HITS" | jq -Rn '[inputs]')"
+fi
+
+# --- 4. SERVER ACTIONS (Next.js) --------------------------------------------
+# Two forms: 'use server' directive at top of file, or 'use server' inline in a
+# function body. We emit both kinds.
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  if grep -Eq "^['\"]use server['\"]" "$f" 2>/dev/null; then
+    # File-scoped: every exported async function is an action.
+    while IFS= read -r name; do
+      [[ -z "$name" ]] && continue
+      ACTIONS="$(jq --arg n "$name" --arg fi "$f" '. + [{name:$n, file:$fi, directive:"file-scoped"}]' <<<"$ACTIONS")"
+    done < <(grep -Eo "export[[:space:]]+(async[[:space:]]+)?function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*" "$f" \
+             | awk '{print $NF}' | sed 's/^function[[:space:]]*//')
+  fi
+  # Inline: async function () { 'use server'; ... }
+  while IFS= read -r hit; do
+    name="$(echo "$hit" | grep -oE "function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*" | awk '{print $2}')"
+    [[ -z "$name" ]] && continue
+    ACTIONS="$(jq --arg n "$name" --arg fi "$f" '. + [{name:$n, file:$fi, directive:"'\''use server'\''"}]' <<<"$ACTIONS")"
+  done < <(grep -B1 -E "^[[:space:]]*['\"]use server['\"]" "$f" 2>/dev/null | grep -E "function[[:space:]]+[A-Za-z_]" || true)
+done < <(find src app server -type f \( -name '*.ts' -o -name '*.tsx' \) 2>/dev/null)
+
+# --- 5. MIDDLEWARE (Next.js) -----------------------------------------------
+for cand in middleware.ts middleware.js src/middleware.ts src/middleware.js; do
+  if [[ -f "$cand" ]]; then
+    MW_FILE="\"$cand\""
+    grep -Eq "auth|getToken|getSession|currentUser|getServerSession|redirect\\(.*sign[_-]?in" "$cand" 2>/dev/null && MW_AUTH=true
+    # Extract matcher patterns that look like public paths.
+    while IFS= read -r pat; do
+      [[ -z "$pat" ]] && continue
+      MW_PUBLIC="$(jq --arg p "$pat" '. + [$p]' <<<"$MW_PUBLIC")"
+    done < <(grep -oE "['\"]/[^'\"]*['\"]" "$cand" | tr -d "'\"" | sort -u | head -40)
+    break
+  fi
+done
+
+# --- ASSEMBLE ---------------------------------------------------------------
+jq -n \
+  --argjson http "$HTTP" \
+  --argjson trpc "$TRPC" \
+  --argjson graphql_found "$GQL_FOUND" \
+  --argjson graphql_files "$GQL_FILES" \
+  --argjson actions "$ACTIONS" \
+  --argjson mw_file "$MW_FILE" \
+  --argjson mw_auth "$MW_AUTH" \
+  --argjson mw_public "$MW_PUBLIC" \
+  '{
+    http_routes: ($http | unique_by([.method, .path, .file])),
+    trpc_procedures: ($trpc | unique_by([.name, .kind, .file])),
+    graphql: { found: $graphql_found, files: $graphql_files },
+    server_actions: ($actions | unique_by([.name, .file])),
+    middleware: { file: $mw_file, has_auth_guard: $mw_auth, matches_public_patterns: $mw_public }
+  }'