start-vibing 4.3.4 → 4.4.1

package/template/.claude/skills/super-design/SKILL.md

@@ -8,7 +8,7 @@ description: >
   UX audit (WCAG 2.2 AA, Nielsen heuristics, Baymard, CWV), and synthesized
   overview. Re-audits only what changed since last run. On explicit user request,
   applies surgical fixes with full rollback.
-version: 0.6.4
+version: 0.7.0
 ---
 
 # super-design
@@ -22,17 +22,36 @@ Four-phase pipeline with 6 specialist agents:
    nav, cards, modals, forms, tokens — per competitor × mobile+desktop),
    produces market-analysis.md + component-comparison.md.
 2. **UI/UX audit** (sd-audit) — drives browser via Playwright MCP directly.
-   Five layers:
+   Six layers:
    - Route discovery + static snap (Nielsen + WCAG 2.2 AA + Baymard + CWV)
+   - **Step 1.5 source-first discovery** (0.7.0+) —
+     `discover-surfaces.sh` reads the repo FIRST and emits an authoritative
+     inventory of modals, forms, triggers, internal nav, and Next.js
+     layout/error/loading/not-found/parallel/intercepting routes BEFORE
+     Playwright runs. `extract-project-rules.sh` parses FORBIDDEN tables
+     from CLAUDE.md / AGENTS.md / .cursorrules into audit-applicable
+     rules. Runtime cross-checks surface these as `modal-coverage-gap`,
+     `form-coverage-gap`, and `project-forbidden-<slug>` findings.
    - **Step 2.5 component/modal/flow discovery** (Phase A inventory, B modal
      enumeration, C flow exercising, D state matrix, E form coverage) — this
      is where modal contents, empty/loading/error states, and flow errors
-     get real evidence instead of "checklist hypothetical".
+     get real evidence instead of "checklist hypothetical". Phase B now
+     cross-references `surfaces.json` and files a `modal-coverage-gap`
+     finding for anything declared in source but never opened.
    - **Step 3g design-intelligence scoring** (17-category rubric → DIS 0–100)
      catches implicit best practices checklists miss (cards-in-flex-col,
-     low density, weak CTA hierarchy, vibecode smell).
+     low density, weak CTA hierarchy, vibecode smell). Emits MANDATORY
+     `design-intelligence-craft-summary` finding per page × viewport so
+     overview.md has one holistic verdict row ("admin mobile is 38/100
+     WEAK — holistic redesign scope") per combination, not just discrete
+     per-category findings.
    - **Step 3h mobile-native audit** (21-item Duolingo/Linear/Arc/Cash-App
      checklist) — replaces "responsive-web-on-a-phone" thinking.
+   - **Step 3i project-rule enforcement** (0.7.0+) — consumes
+     `project-rules.json` and fires primary findings keyed to the
+     project's own FORBIDDEN wording (e.g. `project-forbidden-use-cards-on-mobile`)
+     when the rule is violated at runtime. Not a tag, not a severity
+     bump — the project owner's rule IS the rule source.
    - C16 ≤ 4 → **DSC-choice** proposal: sd-synthesis runs
      `scripts/score-typeui.mjs --from-audit <dir>` to derive a 7-axis site
      fingerprint (density/contrast/geometry/color/typography/motion/audience)
@@ -189,6 +208,25 @@ Windows git-bash + Linux.
   `*.fixture.json`, `fixtures/<name>.json`, or `$SUPER_DESIGN_FIXTURES`
   env JSON; falls back to `@fixture-default` with a warning. Consumers
   (hash-pages, sd-audit) MUST strip the suffix before navigating.
+- `discover-surfaces.sh` (0.7.0+) — source-first static scan for
+  modals (`<Dialog|Sheet|Drawer|Modal|Popover|AlertDialog|DropdownMenu|CommandDialog|...>`),
+  forms (`<form>` / `useForm(` / `<Form>`), triggers (`<*Trigger>`),
+  internal navigation (`<Link href>` / `router.push`), and Next.js
+  `layout.tsx` / `error.tsx` / `loading.tsx` / `not-found.tsx` / parallel
+  routes (`@foo/`) / intercepting routes (`(.)foo/`). Emits
+  `$SESSION_DIR/surfaces.json`. sd-audit Step 2.5 Phase B cross-checks
+  runtime observations against this inventory and files
+  `modal-coverage-gap` / `form-coverage-gap` findings for declared
+  components never exercised.
+- `extract-project-rules.sh` (0.7.0+) — parses FORBIDDEN tables from
+  `CLAUDE.md` / `AGENTS.md` / `GEMINI.md` / `.claude/CLAUDE.md` /
+  `.cursorrules` into an authoritative rule source. Classifies each
+  rule as audit-applicable (mobile / design / ux / perf / a11y) or
+  code-level (skip — belongs to typecheck/lint). Emits
+  `$SESSION_DIR/project-rules.json`. sd-audit Step 3i fires primary
+  findings keyed to the project's own wording (e.g.
+  `project-forbidden-use-cards-on-mobile`) — the project owner's rule
+  IS the rule source, not a tag or severity bump.
 - `build-import-graph.sh` — builds `.super-design/import-graph.json`
   (`{nodes, edges, hash, backend}`) and persists `import_graph_sha` to
   state. Prefers `npx madge --json <roots>`; falls back to a regex

package/template/.claude/skills/super-design/scripts/discover-surfaces.sh

@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+# discover-surfaces.sh — source-first discovery of modals, forms, triggers,
+# internal navigation, and Next.js layout/error/loading/parallel surfaces.
+#
+# Purpose: sd-audit cannot trust runtime-only modal discovery (click every
+# trigger in Playwright). A modal hidden behind a flow step, a feature flag,
+# or an auth gate will be missed. This script reads the SOURCE CODE first
+# and emits an authoritative inventory; Step 2.5 Phase B cross-checks at
+# runtime and emits `modal-coverage-gap` findings for anything declared in
+# source but never opened during the audit.
+#
+# Output: JSON object on stdout with shape:
+# {
+#   "modals":     [{ "component": "CreateUserDialog", "file": "...", "used_in": [...] }],
+#   "forms":      [{ "id": "LoginForm", "file": "...", "fields": [...] }],
+#   "triggers":   [{ "kind": "DialogTrigger", "file": "..." }],
+#   "navigation": [{ "from": "src/...", "to": "/users", "kind": "Link" }],
+#   "layouts":    ["src/app/layout.tsx", "src/app/(app)/layout.tsx"],
+#   "errors":     ["src/app/error.tsx"],
+#   "loading":    ["src/app/loading.tsx"],
+#   "not_found":  ["src/app/not-found.tsx"],
+#   "parallel":   ["src/app/@modal"],
+#   "intercepting": ["src/app/(.)photos"],
+#   "framework":  "next" | "remix" | "sveltekit" | "astro" | "nuxt" | "unknown"
+# }
+#
+# Best-effort grep-based scanner. No AST. False positives are OK —
+# sd-audit treats this as an inventory, not a contract. Missed items
+# are the real failure mode.
+set -euo pipefail
+
+log() { printf '[discover-surfaces] %s\n' "$*" >&2; }
+
+detect_framework() {
+  if   [[ -f next.config.js || -f next.config.ts || -f next.config.mjs ]]; then echo "next"
+  elif [[ -f remix.config.js || -d app/routes ]]; then echo "remix"
+  elif [[ -f svelte.config.js && -d src/routes ]]; then echo "sveltekit"
+  elif [[ -f astro.config.mjs || -f astro.config.ts ]]; then echo "astro"
+  elif [[ -f nuxt.config.ts || -f nuxt.config.js ]]; then echo "nuxt"
+  else echo "unknown"; fi
+}
+
+# Source roots to scan. Frameworks differ; union keeps the scanner simple.
+SCAN_ROOTS=()
+for d in src app src/app src/components components src/pages pages src/features features src/routes app/routes; do
+  [[ -d "$d" ]] && SCAN_ROOTS+=("$d")
+done
+if [[ ${#SCAN_ROOTS[@]} -eq 0 ]]; then
+  log "no known source roots found; emitting empty inventory"
+  jq -n '{modals:[],forms:[],triggers:[],navigation:[],layouts:[],errors:[],loading:[],not_found:[],parallel:[],intercepting:[],framework:"unknown"}'
+  exit 0
+fi
+
+# File extensions we care about.
+EXT_GLOB='\.(tsx|jsx|ts|js|svelte|vue|astro)$'
+
+# --- 1. MODALS --------------------------------------------------------------
+# Match common modal/overlay component usages. We key on JSX opening tags so
+# we catch both <Dialog> and <Dialog.Root>. The component NAME is what
+# the audit logs as the `component` field.
+MODAL_PATTERN='<(Dialog|AlertDialog|Sheet|Drawer|Modal|Popover|HoverCard|Tooltip|CommandDialog|DropdownMenu|ContextMenu|Menubar|NavigationMenu|Select|Combobox|DatePicker|ColorPicker)\b'
+
+modals_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHn --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        --include='*.svelte' --include='*.vue' --include='*.astro' \
+        "$MODAL_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2;
+    # capture component name between < and the next non-word char
+    match($0, /<([A-Z][A-Za-z0-9_]*)/, m);
+    if (m[1] != "") printf "{\"component\":\"%s\",\"file\":\"%s\",\"line\":%s}\n", m[1], file, line;
+  }' | jq -s 'unique_by([.component,.file])'
+)"
+
+# --- 2. FORMS ---------------------------------------------------------------
+# Match react-hook-form useForm() calls, <Form> / <form> elements, and
+# zod schema imports co-located with forms.
+FORM_PATTERN='(useForm\s*\(|<Form[[:space:]>]|<form[[:space:]>])'
+
+forms_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHln --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        --include='*.svelte' --include='*.vue' --include='*.astro' \
+        "$FORM_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | sort -u | awk '{ printf "{\"file\":\"%s\"}\n", $0 }' | jq -s '.'
+)"
+
+# --- 3. TRIGGERS ------------------------------------------------------------
+# Explicit *Trigger components (Radix / shadcn convention) tell us the
+# connection between a button and its overlay.
+TRIGGER_PATTERN='<(DialogTrigger|SheetTrigger|DrawerTrigger|PopoverTrigger|DropdownMenuTrigger|AlertDialogTrigger|HoverCardTrigger|TooltipTrigger|SelectTrigger|ComboboxTrigger|ContextMenuTrigger|MenubarTrigger|NavigationMenuTrigger)\b'
+
+triggers_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHn --include='*.tsx' --include='*.jsx' \
+        "$TRIGGER_PATTERN" "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2;
+    match($0, /<([A-Z][A-Za-z0-9_]*Trigger)/, m);
+    if (m[1] != "") printf "{\"kind\":\"%s\",\"file\":\"%s\",\"line\":%s}\n", m[1], file, line;
+  }' | jq -s '.'
+)"
+
+# --- 4. NAVIGATION ----------------------------------------------------------
+# Internal nav: <Link href=...>, <Link to=...>, router.push("/..."),
+# redirect("/..."), navigate("/..."). We only keep destinations that start
+# with "/" (internal) — external URLs are not audit targets here.
+nav_json="$(
+  {
+    for root in "${SCAN_ROOTS[@]}"; do
+      grep -rEHno --include='*.tsx' --include='*.jsx' --include='*.ts' --include='*.js' \
+        "(href|to)=[\"']/[^\"']*[\"']|(router\.push|redirect|navigate)\(\s*[\"']/[^\"']*[\"']" \
+        "$root" 2>/dev/null || true
+    done
+  } | awk -F: '{
+    file=$1; line=$2; rest=""; for (i=3;i<=NF;i++) rest = rest (i==3?"":":") $i;
+    # extract first "/..." path literal from the match
+    match(rest, /[\"'"'"']\/[^\"'"'"']*[\"'"'"']/, m);
+    if (m[0] != "") {
+      dest=m[0]; gsub(/[\"'"'"']/, "", dest);
+      kind = (rest ~ /push|redirect|navigate/) ? "imperative" : "link";
+      printf "{\"from\":\"%s\",\"to\":\"%s\",\"kind\":\"%s\",\"line\":%s}\n", file, dest, kind, line;
+    }
+  }' | jq -s 'unique_by([.from,.to])'
+)"
+
+# --- 5. NEXT.JS LAYOUT / ERROR / LOADING / NOT-FOUND / PARALLEL -------------
+# Empty arrays for non-Next frameworks.
+FW="$(detect_framework)"
+layouts_json='[]'
+errors_json='[]'
+loading_json='[]'
+notfound_json='[]'
+parallel_json='[]'
+intercepting_json='[]'
+
+if [[ "$FW" == "next" ]]; then
+  # layout.tsx / template.tsx nesting defines wrapper chrome (headers,
+  # sidebars) — sd-audit must audit these at EVERY viewport because a
+  # layout that misbehaves on mobile breaks every child page.
+  layouts_json="$(
+    find app src/app -type f \( -name 'layout.tsx' -o -name 'layout.ts' -o -name 'layout.jsx' -o -name 'layout.js' -o -name 'template.tsx' -o -name 'template.ts' \) 2>/dev/null \
+      | jq -Rn '[inputs]'
+  )"
+  errors_json="$(
+    find app src/app -type f \( -name 'error.tsx' -o -name 'global-error.tsx' \) 2>/dev/null \
+      | jq -Rn '[inputs]'
+  )"
+  loading_json="$(
+    find app src/app -type f -name 'loading.tsx' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  notfound_json="$(
+    find app src/app -type f -name 'not-found.tsx' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  # Parallel route slots: directories starting with @
+  parallel_json="$(
+    find app src/app -type d -name '@*' 2>/dev/null | jq -Rn '[inputs]'
+  )"
+  # Intercepting routes: directories starting with (.) / (..) / (...)
+  intercepting_json="$(
+    find app src/app -type d \( -name '(.)*' -o -name '(..)*' -o -name '(...)*' \) 2>/dev/null | jq -Rn '[inputs]'
+  )"
+fi
+
+# --- ASSEMBLE ---------------------------------------------------------------
+jq -n \
+  --argjson modals "$modals_json" \
+  --argjson forms "$forms_json" \
+  --argjson triggers "$triggers_json" \
+  --argjson navigation "$nav_json" \
+  --argjson layouts "$layouts_json" \
+  --argjson errors "$errors_json" \
+  --argjson loading "$loading_json" \
+  --argjson not_found "$notfound_json" \
+  --argjson parallel "$parallel_json" \
+  --argjson intercepting "$intercepting_json" \
+  --arg framework "$FW" \
+  '{
+    framework: $framework,
+    modals: $modals,
+    forms: $forms,
+    triggers: $triggers,
+    navigation: $navigation,
+    layouts: $layouts,
+    errors: $errors,
+    loading: $loading,
+    not_found: $not_found,
+    parallel: $parallel,
+    intercepting: $intercepting
+  }'

package/template/.claude/skills/super-design/scripts/extract-project-rules.sh

@@ -0,0 +1,240 @@
+#!/usr/bin/env bash
+# extract-project-rules.sh — parse project FORBIDDEN rules from
+# CLAUDE.md / AGENTS.md / .cursorrules into an authoritative rule
+# source for sd-audit Step 3h.
+#
+# User-owned FORBIDDEN tables ("Use Cards on mobile", "Waterfall data
+# fetching", "Make responsive UI only") are HIGHER-PRIORITY than generic
+# Nielsen/WCAG heuristics because the project owner has already
+# codified them as the right answer for this codebase. sd-audit treats
+# violations as primary findings — NOT as a severity bump or a tag on
+# another finding. If CLAUDE.md says "no cards on mobile" and we see a
+# Card in a mobile flex-col, the rule fires as
+# `project-forbidden-use-cards-on-mobile` with the project's own wording.
+#
+# Output: JSON on stdout
+# {
+#   "source_files": ["CLAUDE.md", ".claude/CLAUDE.md"],
+#   "rules": [
+#     {
+#       "raw": "Use Cards on mobile",
+#       "reason": "Waste space in flex-col",
+#       "slug": "use-cards-on-mobile",
+#       "audit_applicable": true,
+#       "detector_family": "mobile",
+#       "template_id": "M2",
+#       "detector_hint": "flag <Card> inside flex-col at viewport ≤ 768"
+#     }
+#   ]
+# }
+#
+# `audit_applicable: false` means the rule is code-level (e.g. "Files >
+# 400 lines", "Use `any` type", "'use client' at top level") and does
+# NOT produce an audit finding. sd-audit only iterates applicable rules.
+set -euo pipefail
+
+log() { printf '[extract-project-rules] %s\n' "$*" >&2; }
+
+# Files to scan in order of authority.
+CANDIDATE_FILES=(
+  "CLAUDE.md"
+  "AGENTS.md"
+  "GEMINI.md"
+  ".claude/CLAUDE.md"
+  ".cursorrules"
+)
+
+SOURCE_FILES=()
+for f in "${CANDIDATE_FILES[@]}"; do
+  [[ -f "$f" ]] && SOURCE_FILES+=("$f")
+done
+
+if [[ ${#SOURCE_FILES[@]} -eq 0 ]]; then
+  log "no project rule files found; emitting empty rule set"
+  jq -n '{source_files:[],rules:[]}'
+  exit 0
+fi
+
+# Extract FORBIDDEN table rows. We look for Markdown tables under any
+# heading that contains the word "FORBIDDEN" (case-insensitive). Rows
+# have shape: `| <action> | <reason> |`. We skip header, separator, and
+# empty rows.
+#
+# Implementation: awk state machine — enter "in table" when we see a
+# FORBIDDEN-ish heading followed by a table header; exit when we see a
+# blank line followed by a new heading or the next "---" separator
+# OUTSIDE the table.
+extract_rows() {
+  local file="$1"
+  awk '
+    BEGIN { mode=0; seen_header=0 }
+    /^#+[[:space:]]+.*[Ff][Oo][Rr][Bb][Ii][Dd][Dd][Ee][Nn]/ { mode=1; seen_header=0; next }
+    # Close on next top-level or section heading when we were inside
+    mode == 1 && /^#+[[:space:]]/ && !/[Ff][Oo][Rr][Bb][Ii][Dd][Dd][Ee][Nn]/ { mode=0; seen_header=0; next }
+    mode == 1 && /^\|.*\|.*\|/ {
+      if (seen_header == 0) { seen_header=1; next }
+      # skip separator row
+      if ($0 ~ /^\|[[:space:]]*[-]+/) { next }
+      # split on | and take cells 1 and 2 (cells 0 and last are empty)
+      n = split($0, cells, "|");
+      # cells[2] = action, cells[3] = reason (after leading |)
+      action = cells[2]; reason = cells[3];
+      gsub(/^[[:space:]]+|[[:space:]]+$/, "", action);
+      gsub(/^[[:space:]]+|[[:space:]]+$/, "", reason);
+      if (action != "" && action !~ /^-+$/ && action !~ /^Action$/i) {
+        printf "%s\t%s\n", action, reason;
+      }
+    }
+  ' "$file"
+}
+
+# Slugify: lowercase, non-word → dash, collapse, trim.
+slugify() {
+  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9]+/-/g; s/^-+|-+$//g'
+}
+
+# Classify a rule into {audit_applicable, detector_family, template_id,
+# detector_hint}. Keyword-based — additive over time.
+#
+# Audit-applicable families:
+#   mobile    → M1-M15 (cards on mobile, responsive-only, card grid on mobile, etc.)
+#   design    → V1-V8  (Cards used everywhere, masonry on mobile, etc.)
+#   ux        → U1-U10 (no loading states, waterfall fetching hits UX)
+#   perf      → P1-P10 (bundle size, waterfall as perf issue)
+#   a11y      → A1-A15 (contrast, focus, etc.)
+#
+# Non-audit (code-level, skip): "Files >", "'use client'", "Use any
+# type", "wildcard imports", "skip typecheck", etc.
+classify() {
+  local raw="$1"
+  local low
+  low="$(printf '%s' "$raw" | tr '[:upper:]' '[:lower:]')"
+
+  # -- code-level (NOT audit-applicable) --
+  case "$low" in
+    *"files >"*|*"> 400 lines"*|*"> 300 lines"*|*"wildcard icon"*|\
+    *"'use client'"*|*"use \`any\`"*|*"use any type"*|\
+    *"relative imports"*|*"skip typecheck"*|*"skip lint"*|\
+    *"define types in"*|*"@types"*|*"skip docker"*|*"write in non-english"*|\
+    *"commit directly to main"*|*"skip code-simplifier"*|\
+    *"auto-document"*|*"mix doc types"*|*"leave docs unlinked"*|\
+    *"skip claude.md"*|*"use mui"*|*"skip todo"*|*"stack last change"*|\
+    *"skip research"*|*"skip superpowers"*|*"skip documenter"*|\
+    *"skip planning"*|*"skip domain"*|*"skip cn utility"*|\
+    *"skip flow documentation"*|*"waterfall data fetching"*)
+      # note: waterfall IS audit-adjacent via perf, but the primary
+      # signal is in package code not in rendered UI. Keep as code-level.
+      echo "false	code-level	-	-"
+      return
+      ;;
+  esac
+
+  # -- mobile (M family) --
+  case "$low" in
+    *"card"*"mobile"*|*"mobile"*"card"*|*"cards on mobile"*|\
+    *"masonry grid on mobile"*|*"3d elements on mobile"*)
+      echo "true	mobile	M2	flag <Card>/card components inside vertical stack at viewport ≤ 768"
+      return
+      ;;
+    *"responsive ui only"*|*"responsive only"*|*"make responsive"*)
+      echo "true	mobile	M-distinct	check mobile viewport is a distinct layout not a scaled-down desktop"
+      return
+      ;;
+    *"hamburger-only"*|*"no bottom tabs"*|*"bottom nav"*)
+      echo "true	mobile	M1	require bottom tabs on mobile for primary nav"
+      return
+      ;;
+    *"centered modal on mobile"*|*"centered dialog on mobile"*)
+      echo "true	mobile	M6	require bottom-sheet on mobile, not centered dialog"
+      return
+      ;;
+  esac
+
+  # -- design (V family) --
+  case "$low" in
+    *"neumorphism"*)
+      echo "true	design	V-neumorphism	flag neumorphic styles on form surfaces (accessibility risk)"
+      return
+      ;;
+    *"scroll animations on dashboard"*)
+      echo "true	design	V-scroll	flag scroll-triggered animations on dashboard/app routes"
+      return
+      ;;
+    *"mix animation libraries"*)
+      echo "true	design	V-animmix	flag presence of multiple animation libs (framer + gsap + lottie)"
+      return
+      ;;
+  esac
+
+  # -- ux (U family) --
+  case "$low" in
+    *"skip loading.tsx"*|*"no loading state"*|*"skip skeleton"*)
+      echo "true	ux	U3	flag absence of loading state on data-fetching page"
+      return
+      ;;
+    *"skip empty state"*|*"no empty state"*)
+      echo "true	ux	U4	flag absence of empty state on zero-data views"
+      return
+      ;;
+  esac
+
+  # -- default: unknown but still emit, detector_family=generic --
+  echo "true	generic	-	match rule text against page copy / component names"
+}
+
+# Build the rules array.
+rules_tsv=""
+for f in "${SOURCE_FILES[@]}"; do
+  rows="$(extract_rows "$f" || true)"
+  [[ -z "$rows" ]] && continue
+  while IFS=$'\t' read -r action reason; do
+    [[ -z "$action" ]] && continue
+    cls="$(classify "$action")"
+    slug="$(slugify "$action")"
+    # pack: raw \t reason \t slug \t applicable \t family \t template \t hint \t source
+    IFS=$'\t' read -r applicable family tpl hint <<<"$cls"
+    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
+      "$action" "$reason" "$slug" "$applicable" "$family" "$tpl" "$hint" "$f"
+    rules_tsv+="1"
+  done <<<"$rows"
+done
+
+# Emit JSON. jq slurps TSV lines from stdin.
+rules_json="$(
+  {
+    for f in "${SOURCE_FILES[@]}"; do
+      rows="$(extract_rows "$f" || true)"
+      [[ -z "$rows" ]] && continue
+      while IFS=$'\t' read -r action reason; do
+        [[ -z "$action" ]] && continue
+        cls="$(classify "$action")"
+        slug="$(slugify "$action")"
+        IFS=$'\t' read -r applicable family tpl hint <<<"$cls"
+        jq -n \
+          --arg raw "$action" \
+          --arg reason "$reason" \
+          --arg slug "$slug" \
+          --arg applicable "$applicable" \
+          --arg family "$family" \
+          --arg tpl "$tpl" \
+          --arg hint "$hint" \
+          --arg source "$f" \
+          '{
+            raw: $raw,
+            reason: $reason,
+            slug: $slug,
+            source_file: $source,
+            audit_applicable: ($applicable == "true"),
+            detector_family: $family,
+            template_id: $tpl,
+            detector_hint: $hint
+          }'
+      done <<<"$rows"
+    done
+  } | jq -s 'unique_by(.slug)'
+)"
+
+jq -n \
+  --argjson sources "$(printf '%s\n' "${SOURCE_FILES[@]}" | jq -Rn '[inputs]')" \
+  --argjson rules "${rules_json:-[]}" \
+  '{ source_files: $sources, rules: $rules }'

package/template/.claude/skills/super-design/scripts/verify-audit.sh

@@ -54,7 +54,9 @@ while IFS=$'\t' read -r id shot snap; do
 done
 
 # 4. snapshot_quote must appear verbatim in the snapshot.
-jq -c '.[]' "$FINDINGS" | while read -r f; do
+#    Skipped for meta findings (coverage, craft-summary, project-rule)
+#    where evidence is aggregate, not a single DOM quote.
+jq -c '.[] | select(.rule | test("^(audit-coverage-|design-intelligence-craft-summary|modal-coverage-gap|form-coverage-gap|project-forbidden-)") | not)' "$FINDINGS" | while read -r f; do
   id=$(echo "$f" | jq -r .id)
   q=$(echo "$f"  | jq -r .snapshot_quote)
   s=$(echo "$f"  | jq -r .snapshot_path)
@@ -63,6 +65,37 @@ jq -c '.[]' "$FINDINGS" | while read -r f; do
   fi
 done
 
+# 5. design-intelligence/<slug>_<vp>.json MUST exist for every
+#    page × viewport combination in MATRIX. This enforces the
+#    0.7.0 mandatory per-combo craft scoring.
+DIS_DIR="$SESSION_DIR/design-intelligence"
+if [ -d "$DIS_DIR" ]; then
+  DIS_COUNT=$(find "$DIS_DIR" -maxdepth 1 -type f -name '*.json' | wc -l)
+  if [ "$DIS_COUNT" -lt 1 ]; then
+    warn "design-intelligence/ exists but is empty — Step 3g skipped"
+  fi
+else
+  warn "no design-intelligence/ directory — Step 3g (craft scoring) did not run"
+fi
+
+# 6. Viewport quota check: if >= 10 total findings, mobile must be
+#    >= 30% unless an explicit audit-coverage-skewed meta finding
+#    was emitted (which acknowledges the gap).
+TOTAL=$(jq '[.[] | select(.viewport)] | length' "$FINDINGS")
+if [ "$TOTAL" -ge 10 ]; then
+  MOBILE=$(jq '[.[] | select(.viewport == "mobile")] | length' "$FINDINGS")
+  COVERAGE_ACK=$(jq '[.[] | select(.rule == "audit-coverage-skewed")] | length' "$FINDINGS")
+  # integer math: mobile * 100 / total < 30 means < 30%
+  if [ "$COVERAGE_ACK" -eq 0 ] && [ $(( MOBILE * 100 / TOTAL )) -lt 30 ]; then
+    warn "mobile viewport is $MOBILE / $TOTAL (< 30%) and no audit-coverage-skewed meta finding was emitted"
+  fi
+fi
+
+# 7. surfaces.json + project-rules.json should exist (0.7.0 contract).
+#    Absence is a warning, not a fatal — allows stale sessions to still verify.
+[ -f "$SESSION_DIR/surfaces.json" ] || warn "missing surfaces.json (Step 1.5 skipped)"
+[ -f "$SESSION_DIR/project-rules.json" ] || warn "missing project-rules.json (Step 1.5 skipped)"
+
 COUNT=$(jq 'length' "$FINDINGS")
 if [ "$STRICT" -eq 1 ] && [ "$WARNINGS" -gt 0 ]; then
   echo "STRICT: $COUNT findings verified, $WARNINGS warning(s)" >&2