start-vibing 4.4.0 → 4.4.1

package/template/.claude/skills/e2e-audit/findings.schema.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://start-vibing.dev/schema/e2e-audit-findings-0.2.0.json",
+  "title": "e2e-audit findings v0.2.0",
+  "description": "Output contract for e2e-audit. Every finding carries an SHOT+TRACE+ASSERT+SOURCE quad; aggregate (meta) findings are exempt.",
+  "type": "array",
+  "items": {
+    "type": "object",
+    "required": ["id", "rule", "severity", "summary", "files_affected"],
+    "additionalProperties": true,
+    "properties": {
+      "id": {
+        "type": "string",
+        "pattern": "^E2E-\\d{4}$",
+        "description": "Stable finding id. Format E2E-NNNN. Allocate sequentially per session."
+      },
+      "rule": {
+        "type": "string",
+        "description": "Machine-matchable rule slug (kebab-case). Examples: auth-flow-broken, api-500, rbac-bypass, console-error, uncovered-route, coverage-gap-trpc, test-drift, post-run-feedback."
+      },
+      "category": {
+        "type": "string",
+        "enum": [
+          "auth",
+          "api-contract",
+          "rbac",
+          "console",
+          "server-crash",
+          "coverage-gap",
+          "test-drift",
+          "flake",
+          "ui-regression",
+          "a11y",
+          "meta"
+        ]
+      },
+      "severity": {
+        "type": "string",
+        "enum": ["critical", "high", "medium", "low", "info"]
+      },
+      "summary": { "type": "string", "minLength": 3 },
+      "detail":  { "type": "string" },
+      "files_affected": {
+        "type": "array",
+        "items": { "type": "string" },
+        "description": "Source files this finding implicates. sd-fix-style guards MUST prevent edits outside this list unless risk is reclassified."
+      },
+      "viewport": {
+        "type": "string",
+        "enum": ["mobile", "tablet", "desktop"],
+        "description": "Optional — only set when a viewport-specific flow reproduced the issue."
+      },
+      "test_file":   { "type": "string", "description": "Path to the spec that reproduced this (if any)." },
+      "test_title":  { "type": "string", "description": "Title of the failing/passing test." },
+
+      "screenshot_path": { "type": "string", "description": "SHOT — non-empty PNG captured at the assertion moment." },
+      "trace_path":      { "type": "string", "description": "TRACE — Playwright trace.zip or equivalent recording." },
+      "assertion":       { "type": "string", "description": "ASSERT — the literal assertion that fired, e.g. `expect(response.status()).toBe(200)` observed 500." },
+      "source_file":     { "type": "string", "description": "SOURCE — the source file the assertion implicates (router.ts, page.tsx, action.ts, ...)." },
+      "source_quote":    { "type": "string", "description": "Optional verbatim quote from source_file explaining the implicated code." },
+
+      "http": {
+        "type": "object",
+        "description": "Optional — populated for api-contract / server-crash rules.",
+        "properties": {
+          "method":   { "type": "string" },
+          "path":     { "type": "string" },
+          "status":   { "type": "integer" },
+          "response_snippet": { "type": "string", "maxLength": 512 },
+          "content_type":     { "type": "string" }
+        }
+      },
+      "console_messages": {
+        "type": "array",
+        "items": {
+          "type": "object",
+          "required": ["level", "text"],
+          "properties": {
+            "level": { "type": "string", "enum": ["log", "warning", "error", "debug", "info"] },
+            "text":  { "type": "string" },
+            "url":   { "type": "string" },
+            "line":  { "type": "integer" }
+          }
+        }
+      },
+
+      "suggested_fix": {
+        "type": "object",
+        "description": "Advisory only. sd-fix-style agents may consume this.",
+        "properties": {
+          "kind":  { "type": "string", "enum": ["add-test", "fix-route", "fix-zod", "fix-rbac", "fix-auth", "add-fixture", "advisory"] },
+          "notes": { "type": "string" },
+          "files": { "type": "array", "items": { "type": "string" } }
+        }
+      }
+    }
+  }
+}

package/template/.claude/skills/e2e-audit/references/api-contract-playbook.md

@@ -0,0 +1,66 @@
+# api-contract-playbook (e2e-audit 0.2.0)
+
+> How to turn Playwright's network observations into contract findings.
+
+## Observations to capture per test
+
+Wire these fixtures once (see `templates/base-fixture.ts.tpl`):
+
+- `page.on('response')` — filter by `url` prefix matching `/api/`, `/v1/`, `/trpc/`.
+- `page.on('console')` — levels `error` and `warning`.
+- `page.on('pageerror')` — unhandled runtime errors in the SPA.
+- `request.response()` — for explicit `page.request` calls in specs.
+
+## Detection rules
+
+### HTTP 4xx on a flow that should succeed
+
+- **Rule:** `api-4xx`
+- **Severity:** `high` (user-blocking) or `medium` (inconsistent UX)
+- **Signal:** response status in [400, 499] on a request the test expected to succeed.
+- **Evidence:** trace zip + screenshot at the assertion moment + response snippet (first 400 chars) + source_file = the route handler or tRPC procedure file.
+
+### HTTP 5xx anywhere
+
+- **Rule:** `api-5xx`
+- **Severity:** `critical`
+- **Always fails the test.** Trace zip is mandatory; Playwright's trace viewer will show the request/response payloads.
+
+### HTML-instead-of-JSON (server crash signal)
+
+Next.js and most frameworks render an HTML error page when the server throws. Detection:
+
+```ts
+if (
+  res.status() >= 500 &&
+  (res.headers()['content-type'] || '').includes('text/html') &&
+  /\/api\/|\/trpc\//.test(res.url())
+) emit({ rule: 'server-crash', ... });
+```
+
+Surface the last ~40 lines of `dev-server.log` in `detail` so the user can see the stack trace without opening the trace.
+
+### Zod validation gap
+
+- **Rule:** `zod-validation-missing`
+- **Severity:** `medium`
+- **Signal:** `api-surface.http_routes[].zod_schema_found == false` AND the route accepts `POST`/`PUT`/`PATCH`.
+- **Evidence:** SHOT is waived (meta-ish), but `source_file` is required.
+
+### RBAC bypass
+
+- **Rule:** `rbac-bypass`
+- **Severity:** `critical`
+- **Signal:** an endpoint tagged `auth: "protected"` in `api-surface.json` returned 200 for a role that should be rejected.
+- **Evidence:** trace showing the call under the "wrong" storageState + source_file (the middleware or procedure).
+
+## What NOT to flag as a contract problem
+
+- 404 on a page navigation the user typed manually — that's a route-missing finding, not a contract one.
+- 401 on an endpoint protected BEFORE login — that's expected behavior; only flag after valid login.
+- Third-party hosts (analytics, stripe, intercom) — ignore by prefix match on `stack.base_url`.
+- `/api/auth/*` during login form submit — transient 4xx (invalid-credentials) is expected; only flag if the happy-path login produced it.
+
+## Sampling
+
+To avoid flooding findings, de-dupe by `(method, path, status)` and keep the first occurrence's trace. Add `http.count` for repeats.

package/template/.claude/skills/e2e-audit/references/auth-setup-playbook.md

@@ -0,0 +1,78 @@
+# auth-setup-playbook (e2e-audit 0.2.0)
+
+> How to obtain and reuse authenticated browser state, per auth provider. Goal: one `storageState.json` per role × per audit session, produced exactly once.
+
+## Principles
+
+1. **Never read `.env*`** inside this skill. If credentials are needed, ask the user inline. State files live under `$SESSION_DIR/auth/` and are gitignored (caller's responsibility).
+2. **Reuse before synthesize.** If `existing-tests.storage_states` contains files, use them. Check freshness: any file older than 7 days is considered stale; regenerate.
+3. **One role per file.** `owner.json`, `admin.json`, `member.json` — do not collapse roles.
+4. **State files contain secrets.** They must not enter `findings.json`, `map.md`, or any output that ships to the user beyond the session dir.
+
+## Playwright baseline
+
+```ts
+// playwright.config.ts
+import { defineConfig, devices } from '@playwright/test';
+
+export default defineConfig({
+  projects: [
+    {
+      name: 'setup',
+      testMatch: /.*\.setup\.ts/,
+    },
+    {
+      name: 'authed',
+      dependencies: ['setup'],
+      use: {
+        ...devices['Desktop Chrome'],
+        storageState: '.e2e-audit/current/auth/owner.json',
+      },
+    },
+  ],
+});
+```
+
+## Per-provider recipes
+
+### next-auth / Auth.js (credentials provider)
+
+```ts
+// tests/e2e/auth.setup.ts
+import { test as setup } from '@playwright/test';
+setup('authenticate owner', async ({ page }) => {
+  await page.goto('/signin');
+  await page.getByLabel('Email').fill(process.env.E2E_OWNER_EMAIL!);
+  await page.getByLabel('Password').fill(process.env.E2E_OWNER_PASSWORD!);
+  await page.getByRole('button', { name: /sign in/i }).click();
+  await page.waitForURL(/\/(dashboard|home)/);
+  await page.context().storageState({ path: '.e2e-audit/current/auth/owner.json' });
+});
+```
+
+### Clerk
+
+Use Clerk's `@clerk/testing` helper. It writes a session via `setupClerkTestingToken()` and then calls `storageState`.
+
+### better-auth / Lucia
+
+Same pattern as next-auth: drive the login form, then persist storage state. Both libraries store a session cookie which storageState captures.
+
+### Supabase (JWT)
+
+After login, `localStorage` holds the session. `storageState` serializes localStorage so no extra work is needed. If the dev project uses PKCE, ensure the setup runs in a chromium context.
+
+### Custom (cookie-session / JWT header)
+
+If the app does not have a login form (API-only auth), seed storage via `page.context().addCookies([...])` using a short-lived token the user pastes in. Never store long-lived tokens in `auth/*.json`.
+
+## RBAC coverage
+
+For every role declared in `stack.auth`:
+
+1. Drive one happy-path login per role.
+2. For each `trpc_procedures[]` with `auth == "protected"`, attempt the call with a role that should be forbidden. Expect 401 or 403. If 200, emit an `rbac-bypass` finding.
+
+## Global teardown
+
+Do NOT teardown or delete storageState files at the end of a run — the skill keeps them inside `$SESSION_DIR`, which is the audit's own sandbox.

package/template/.claude/skills/e2e-audit/references/coverage-gap-playbook.md

@@ -0,0 +1,95 @@
+# coverage-gap-playbook (e2e-audit 0.2.0)
+
+> How to translate `uncovered.json` into actionable meta findings + spec suggestions.
+
+## Input
+
+`detect-uncovered.sh` produces four uncovered arrays:
+
+- `uncovered_routes` — user-facing pages the branch changed with no test referencing their URL.
+- `uncovered_http` — REST handlers the branch changed with no test referencing their path.
+- `uncovered_trpc` — tRPC procedures the branch changed with no test referencing their name.
+- `uncovered_actions` — server actions the branch changed with no test referencing their name.
+
+## One finding per category
+
+Emit at most four meta findings:
+
+```json
+{
+  "id": "E2E-00XX",
+  "rule": "coverage-gap-routes",
+  "category": "coverage-gap",
+  "severity": "medium",
+  "summary": "N routes changed on branch without E2E coverage",
+  "detail": "<bulleted list of paths + files>",
+  "files_affected": ["<every file from the uncovered entries>"],
+  "suggested_fix": { "kind": "add-test", "files": ["tests/e2e/<slug>.spec.ts"] }
+}
+```
+
+Severities:
+
+- `coverage-gap-trpc`    — `medium` (contract risk)
+- `coverage-gap-http`    — `medium` (contract risk)
+- `coverage-gap-routes`  — `low` if diff is cosmetic, `medium` otherwise
+- `coverage-gap-actions` — `medium`
+
+## Spec suggestions per surface type
+
+**Page (route)**
+
+```ts
+test('GET /users/[id] renders user dashboard', async ({ authenticatedPage }) => {
+  const res = await authenticatedPage.goto('/users/1');
+  await expect(res!.status()).toBeLessThan(400);
+  await expect(authenticatedPage.getByRole('heading')).toBeVisible();
+});
+```
+
+**HTTP route handler**
+
+```ts
+test('POST /api/users creates user (200)', async ({ request }) => {
+  const res = await request.post('/api/users', { data: { email: 'u@test', name: 't' } });
+  expect(res.status()).toBe(200);
+  expect((await res.json()).id).toBeTruthy();
+});
+```
+
+**tRPC procedure**
+
+```ts
+test('users.create rejects invalid input (400)', async ({ request }) => {
+  const res = await request.post('/api/trpc/users.create?batch=1', {
+    data: { 0: { json: { email: 'not-an-email' } } },
+  });
+  expect(res.status()).toBeGreaterThanOrEqual(400);
+});
+```
+
+**Server action**
+
+```ts
+test('createUser action returns redirect', async ({ page }) => {
+  await page.goto('/users/new');
+  await page.getByLabel('Email').fill('u@test');
+  await page.getByRole('button', { name: /create/i }).click();
+  await page.waitForURL(/\/users\/\d+/);
+});
+```
+
+## What to NOT flag
+
+- Unchanged surfaces. If a file is not in `uncovered.diff_files`, it did not change on this branch — no finding, even if tests are missing. Coverage auditing of the whole app is out-of-scope for branch-diff mode.
+- `loading.tsx`, `error.tsx`, `layout.tsx` in Next.js — these are treated separately. A coverage gap finding should not fire for them; they are covered transitively by any page that renders through them.
+
+## suggested_fix files
+
+For each uncovered entry, suggest a plausible spec filename:
+
+- `/users/[id]` → `tests/e2e/users-id.spec.ts`
+- `POST /api/users` → `tests/e2e/api-users.spec.ts`
+- `users.create` → `tests/e2e/trpc-users.spec.ts`
+
+Do not CREATE the files. This skill stops at reporting.

package/template/.claude/skills/e2e-audit/references/post-run-feedback-playbook.md

@@ -0,0 +1,80 @@
+# post-run-feedback-playbook (e2e-audit 0.2.0)
+
+> How to consolidate every signal emitted during a Playwright run into one feedback document that precedes findings.json.
+
+## Why a separate document?
+
+Findings are atomic and per-problem; the user needs a 30-second summary of "what broke during this run" before drilling into specifics. `post-run-feedback.md` answers that. `findings.json` answers "what do I fix."
+
+## Signals to consolidate
+
+Pull from these inputs:
+
+1. Playwright JSON reporter output (`--reporter=json`).
+2. `$SESSION_DIR/logs/dev-server.log` (last-N-lines per crash).
+3. Console + pageerror logs captured by fixtures.
+4. Network responses matching 4xx/5xx on API paths.
+5. Dev-server PID status at run end (exited unexpectedly?).
+
+## Classification
+
+| kind               | trigger                                                      | severity |
+| ------------------ | ------------------------------------------------------------ | -------- |
+| `api-4xx`          | unexpected 4xx on a test's expected-success request          | high     |
+| `api-5xx`          | any 5xx response on API path                                 | critical |
+| `server-crash`     | 5xx AND `Content-Type: text/html` on API path                | critical |
+| `console-error`    | `page.on('console')` level=error, de-duped by message stem   | medium   |
+| `pageerror`        | `page.on('pageerror')` raised                                | high     |
+| `rbac-bypass`      | protected endpoint returned 200 to wrong role                | critical |
+| `auth-flow-broken` | redirect loop or 401 on happy-path login                     | critical |
+| `dev-server-log`   | unhandledRejection / uncaughtException in dev-server.log     | high     |
+| `test-timeout`     | test exceeded Playwright timeout                             | medium   |
+| `flake`            | retried test passed on retry (suggests flake)                | low      |
+
+## Output shape
+
+`post-run-feedback.json`:
+
+```jsonc
+{
+  "session": "<abs path to session dir>",
+  "duration_s": 128,
+  "tests_total": 42,
+  "tests_passed": 39,
+  "tests_failed": 3,
+  "tests_flaky": 1,
+  "problems": [
+    {
+      "kind": "server-crash",
+      "where": "POST /api/users",
+      "count": 2,
+      "severity": "critical",
+      "sample_trace": "traces/users-create-1.zip",
+      "sample_log_tail": "TypeError: Cannot read properties of undefined (reading 'id')\n    at ..."
+    }
+  ],
+  "uncovered_carried_forward": {
+    "routes": 4, "http": 2, "trpc": 9, "actions": 1
+  }
+}
+```
+
+`post-run-feedback.md` renders the same data as a human document with:
+
+1. A one-line verdict ("3 tests failed, 2 critical problems, 16 uncovered surfaces — requires attention").
+2. Top 5 problems by severity.
+3. Link to the trace zip for each.
+4. Next-step recommendations (add spec / fix handler / update RBAC middleware).
+
+## De-duplication
+
+- `console-error`: group by the first 120 chars of `text` (to collapse stack variation across retries).
+- `api-4xx`/`api-5xx`: group by `(method, path, status)`.
+- `pageerror`: group by the error message line.
+
+## What NOT to include
+
+- Full trace bytes — only file paths.
+- Full stack traces for every occurrence — only a single `sample_log_tail` per group.
+- Source code excerpts — that belongs in a finding's `source_quote`, not the feedback.
+- Secret values (tokens, session cookies) — actively scrub any `Authorization:` header fragments out of `sample_log_tail`.

package/template/.claude/skills/e2e-audit/scripts/detect-stack.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+# detect-stack.sh — identify framework, test runner, package manager, dev server,
+# and environment files so downstream scripts + the skill prompt can adapt.
+#
+# Output: JSON object on stdout:
+# {
+#   "framework":       "next" | "remix" | "sveltekit" | "nuxt" | "astro" | "express" | "hono" | "fastify" | "unknown",
+#   "router_style":    "app-router" | "pages-router" | "mixed" | "file-routes" | "n/a",
+#   "trpc":            true | false,
+#   "trpc_version":    "10" | "11" | "unknown" | null,
+#   "graphql":         true | false,
+#   "orm":             ["prisma" | "drizzle" | "mongoose" | "typeorm" | "kysely", ...],
+#   "auth":            ["next-auth" | "authjs" | "clerk" | "auth0" | "lucia" | "better-auth" | "supabase" | "custom", ...],
+#   "test_runner":     "playwright" | "cypress" | "vitest-browser" | "jest-puppeteer" | "none",
+#   "playwright_config": "playwright.config.ts" | null,
+#   "package_manager": "bun" | "pnpm" | "yarn" | "npm",
+#   "dev_command":     "bun run dev" | "pnpm dev" | ...,
+#   "dev_port":        <number> | null,
+#   "base_url":        "http://localhost:<port>",
+#   "env_files":       [".env.local", ".env.test", ...],
+#   "src_root":        "src" | "app" | "." ,
+#   "has_middleware":  true | false,
+#   "middleware_file": "middleware.ts" | "src/middleware.ts" | null
+# }
+#
+# Best-effort. Absence of jq is fatal (downstream scripts require it).
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+read_pkg() {
+  [[ -f package.json ]] || { echo "null"; return; }
+  jq -r "${1:-.}" package.json 2>/dev/null || echo "null"
+}
+
+has_dep() {
+  local name="$1"
+  [[ -f package.json ]] || return 1
+  jq -e --arg n "$name" '(.dependencies[$n]? // .devDependencies[$n]? // empty)' package.json >/dev/null 2>&1
+}
+
+dep_version() {
+  local name="$1"
+  [[ -f package.json ]] || { echo ""; return; }
+  jq -r --arg n "$name" '.dependencies[$n]? // .devDependencies[$n]? // ""' package.json 2>/dev/null | sed 's/^[^0-9]*//'
+}
+
+# --- framework --------------------------------------------------------------
+FRAMEWORK="unknown"
+ROUTER_STYLE="n/a"
+if   has_dep next; then
+  FRAMEWORK="next"
+  if   [[ -d app || -d src/app ]] && [[ -d pages || -d src/pages ]]; then ROUTER_STYLE="mixed"
+  elif [[ -d app || -d src/app ]]; then ROUTER_STYLE="app-router"
+  elif [[ -d pages || -d src/pages ]]; then ROUTER_STYLE="pages-router"
+  fi
+elif has_dep @remix-run/react || has_dep @remix-run/node; then FRAMEWORK="remix"; ROUTER_STYLE="file-routes"
+elif has_dep @sveltejs/kit; then FRAMEWORK="sveltekit"; ROUTER_STYLE="file-routes"
+elif has_dep nuxt;       then FRAMEWORK="nuxt";       ROUTER_STYLE="file-routes"
+elif has_dep astro;      then FRAMEWORK="astro";      ROUTER_STYLE="file-routes"
+elif has_dep hono;       then FRAMEWORK="hono"
+elif has_dep fastify;    then FRAMEWORK="fastify"
+elif has_dep express;    then FRAMEWORK="express"
+fi
+
+# --- trpc / graphql ---------------------------------------------------------
+TRPC=false; TRPC_VER="null"
+if has_dep @trpc/server; then
+  TRPC=true
+  v="$(dep_version @trpc/server)"
+  if   [[ "$v" =~ ^10\. ]]; then TRPC_VER='"10"'
+  elif [[ "$v" =~ ^11\. ]]; then TRPC_VER='"11"'
+  else TRPC_VER='"unknown"'
+  fi
+fi
+GRAPHQL=false
+if has_dep graphql || has_dep @apollo/server || has_dep @apollo/client || has_dep graphql-yoga; then
+  GRAPHQL=true
+fi
+
+# --- ORMs -------------------------------------------------------------------
+orm_arr='[]'
+for candidate in @prisma/client drizzle-orm mongoose typeorm kysely; do
+  if has_dep "$candidate"; then
+    short="${candidate##*/}"; short="${short%-orm}"
+    orm_arr="$(jq --arg o "$short" '. + [$o]' <<<"$orm_arr")"
+  fi
+done
+
+# --- auth providers ---------------------------------------------------------
+auth_arr='[]'
+add_auth() { auth_arr="$(jq --arg o "$1" '. + [$o]' <<<"$auth_arr")"; }
+has_dep next-auth        && add_auth next-auth
+has_dep @auth/core       && add_auth authjs
+has_dep @clerk/nextjs    && add_auth clerk
+has_dep @clerk/clerk-sdk-node && add_auth clerk
+has_dep @auth0/nextjs-auth0 && add_auth auth0
+has_dep lucia            && add_auth lucia
+has_dep better-auth      && add_auth better-auth
+has_dep @supabase/supabase-js && add_auth supabase
+
+# --- test runner ------------------------------------------------------------
+TEST_RUNNER="none"
+PLAYWRIGHT_CFG="null"
+if has_dep @playwright/test; then
+  TEST_RUNNER="playwright"
+  for c in playwright.config.ts playwright.config.js playwright.config.mjs; do
+    [[ -f "$c" ]] && PLAYWRIGHT_CFG="\"$c\"" && break
+  done
+elif has_dep cypress; then TEST_RUNNER="cypress"
+elif has_dep @vitest/browser; then TEST_RUNNER="vitest-browser"
+elif has_dep jest-puppeteer; then TEST_RUNNER="jest-puppeteer"
+fi
+
+# --- package manager + dev command -----------------------------------------
+if   [[ -f bun.lockb || -f bun.lock ]]; then PM="bun";  DEV_CMD="bun run dev"
+elif [[ -f pnpm-lock.yaml ]];            then PM="pnpm"; DEV_CMD="pnpm dev"
+elif [[ -f yarn.lock ]];                 then PM="yarn"; DEV_CMD="yarn dev"
+else                                          PM="npm";  DEV_CMD="npm run dev"
+fi
+
+# Check `scripts.dev` exists; fall back to start script if not.
+if [[ -f package.json ]]; then
+  HAS_DEV="$(jq -r '.scripts.dev // empty' package.json)"
+  [[ -z "$HAS_DEV" ]] && {
+    if jq -re '.scripts.start' package.json >/dev/null 2>&1; then
+      DEV_CMD="${DEV_CMD% dev} start"
+    fi
+  }
+fi
+
+# --- dev port ---------------------------------------------------------------
+DEV_PORT="null"
+# Common places: package.json scripts.dev "-p 3000" or "--port 3000", next.config, remix config
+if [[ -f package.json ]]; then
+  if script="$(jq -r '.scripts.dev // ""' package.json)"; then
+    p="$(echo "$script" | grep -oE -- '--port[= ]+[0-9]+|-p[= ]+[0-9]+|PORT=[0-9]+' | grep -oE '[0-9]+' | head -1 || true)"
+    [[ -n "$p" ]] && DEV_PORT="$p"
+  fi
+fi
+# Fallback defaults per framework
+if [[ "$DEV_PORT" == "null" ]]; then
+  case "$FRAMEWORK" in
+    next|express|hono|fastify) DEV_PORT=3000 ;;
+    remix)                     DEV_PORT=3000 ;;
+    sveltekit)                 DEV_PORT=5173 ;;
+    nuxt)                      DEV_PORT=3000 ;;
+    astro)                     DEV_PORT=4321 ;;
+  esac
+fi
+BASE_URL="http://localhost:${DEV_PORT:-3000}"
+
+# --- env files --------------------------------------------------------------
+env_arr='[]'
+for f in .env .env.local .env.development .env.development.local .env.test .env.test.local; do
+  [[ -f "$f" ]] && env_arr="$(jq --arg n "$f" '. + [$n]' <<<"$env_arr")"
+done
+
+# --- src root + middleware --------------------------------------------------
+SRC_ROOT="."
+[[ -d src ]] && SRC_ROOT="src"
+[[ -d app && ! -d src/app ]] && SRC_ROOT="."
+HAS_MW=false; MW_FILE="null"
+for f in middleware.ts middleware.js src/middleware.ts src/middleware.js; do
+  if [[ -f "$f" ]]; then HAS_MW=true; MW_FILE="\"$f\""; break; fi
+done
+
+# --- assemble ---------------------------------------------------------------
+jq -n \
+  --arg framework "$FRAMEWORK" \
+  --arg router_style "$ROUTER_STYLE" \
+  --argjson trpc "$TRPC" \
+  --argjson trpc_version "$TRPC_VER" \
+  --argjson graphql "$GRAPHQL" \
+  --argjson orm "$orm_arr" \
+  --argjson auth "$auth_arr" \
+  --arg test_runner "$TEST_RUNNER" \
+  --argjson playwright_config "$PLAYWRIGHT_CFG" \
+  --arg package_manager "$PM" \
+  --arg dev_command "$DEV_CMD" \
+  --argjson dev_port "${DEV_PORT:-null}" \
+  --arg base_url "$BASE_URL" \
+  --argjson env_files "$env_arr" \
+  --arg src_root "$SRC_ROOT" \
+  --argjson has_middleware "$HAS_MW" \
+  --argjson middleware_file "$MW_FILE" \
+  '{
+    framework: $framework,
+    router_style: $router_style,
+    trpc: $trpc,
+    trpc_version: $trpc_version,
+    graphql: $graphql,
+    orm: $orm,
+    auth: $auth,
+    test_runner: $test_runner,
+    playwright_config: $playwright_config,
+    package_manager: $package_manager,
+    dev_command: $dev_command,
+    dev_port: $dev_port,
+    base_url: $base_url,
+    env_files: $env_files,
+    src_root: $src_root,
+    has_middleware: $has_middleware,
+    middleware_file: $middleware_file
+  }'