start-vibing 4.4.0 → 4.4.2

package/template/.claude/skills/e2e-audit/scripts/detect-uncovered.sh

@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+# detect-uncovered.sh — intersect (current branch diff) × (existing tests) and
+# emit every NEW or CHANGED surface that has no test coverage.
+#
+# Inputs (all produced earlier in the pipeline):
+#   $1  routes.json         (from discover-routes.sh)
+#   $2  api-surface.json    (from discover-api-surface.sh)
+#   $3  existing-tests.json (from inventory-existing-tests.sh)
+#   $4  base-ref            (default: origin/main)
+#
+# Output: JSON object on stdout:
+# {
+#   "base_ref":   "origin/main",
+#   "diff_files": ["src/app/users/page.tsx", ...],
+#   "changed_routes":    [{route from routes.json}, ...],
+#   "changed_http":      [{route from api-surface.http_routes}, ...],
+#   "changed_trpc":      [{proc from api-surface.trpc_procedures}, ...],
+#   "changed_actions":   [{action from api-surface.server_actions}, ...],
+#   "uncovered_routes":  [...],  // changed AND no test references its URL or file
+#   "uncovered_http":    [...],
+#   "uncovered_trpc":    [...],
+#   "uncovered_actions": [...]
+# }
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+ROUTES_JSON="${1:?usage: detect-uncovered.sh routes.json api-surface.json existing-tests.json [base-ref]}"
+API_JSON="${2:?api-surface.json required}"
+TESTS_JSON="${3:?existing-tests.json required}"
+BASE_REF="${4:-origin/main}"
+
+for f in "$ROUTES_JSON" "$API_JSON" "$TESTS_JSON"; do
+  [[ -f "$f" ]] || { echo "missing: $f" >&2; exit 2; }
+done
+
+# --- 1. branch diff ---------------------------------------------------------
+DIFF_FILES='[]'
+if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  # If the base ref doesn't exist locally, fall back to HEAD~10..HEAD
+  if git rev-parse --verify "$BASE_REF" >/dev/null 2>&1; then
+    MERGE_BASE="$(git merge-base "$BASE_REF" HEAD 2>/dev/null || echo "$BASE_REF")"
+  else
+    MERGE_BASE="$(git rev-parse HEAD~10 2>/dev/null || git rev-parse HEAD)"
+  fi
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    DIFF_FILES="$(jq --arg f "$f" '. + [$f]' <<<"$DIFF_FILES")"
+  done < <(git diff --name-only "$MERGE_BASE"...HEAD 2>/dev/null; git diff --name-only --cached 2>/dev/null; git diff --name-only 2>/dev/null)
+  DIFF_FILES="$(jq 'unique' <<<"$DIFF_FILES")"
+fi
+
+# --- 2. filter each inventory by membership in diff -------------------------
+# Helper: pass stdin JSON array + filter over .file field.
+filter_by_file() {
+  jq --argjson diff "$DIFF_FILES" '[.[] | select(.file as $f | $diff | any(. == $f))]'
+}
+
+CHANGED_ROUTES="$(jq '.' "$ROUTES_JSON" | filter_by_file)"
+CHANGED_HTTP="$(jq '.http_routes' "$API_JSON" | filter_by_file)"
+CHANGED_TRPC="$(jq '.trpc_procedures' "$API_JSON" | filter_by_file)"
+CHANGED_ACTIONS="$(jq '.server_actions' "$API_JSON" | filter_by_file)"
+
+# --- 3. load test corpus contents for string-search coverage ---------------
+# Build a single concatenated lowercase blob of all test-file contents;
+# a route is "covered" if its URL path OR its source file path appears in any test.
+TEST_FILES="$(jq -r '.test_files[]?.file // empty' "$TESTS_JSON")"
+TEST_BLOB="/tmp/e2e-audit-testblob-$$.txt"
+: >"$TEST_BLOB"
+while IFS= read -r tf; do
+  [[ -z "$tf" ]] && continue
+  [[ -f "$tf" ]] && tr '[:upper:]' '[:lower:]' <"$tf" >>"$TEST_BLOB" || true
+done <<<"$TEST_FILES"
+
+is_covered() {
+  # args: needle1 needle2 ...
+  local n
+  for n in "$@"; do
+    [[ -z "$n" ]] && continue
+    # Strip dynamic segments to make a loose match: /users/[id] → /users/
+    loose="$(echo "$n" | sed -E 's#\[[^]]+\]#[^/]+#g' | tr '[:upper:]' '[:lower:]')"
+    # Plain literal check first
+    if grep -qF "$(echo "$n" | tr '[:upper:]' '[:lower:]')" "$TEST_BLOB" 2>/dev/null; then return 0; fi
+    # Regex-ish check with dynamic wildcards
+    if grep -Eq "$loose" "$TEST_BLOB" 2>/dev/null; then return 0; fi
+  done
+  return 1
+}
+
+# --- 4. compute uncovered for each category --------------------------------
+compute_uncovered() {
+  local changed_json="$1"
+  local name_field="$2"   # which field(s) to probe as test needles
+  local secondary_field="$3"  # optional (e.g., path as well as file)
+  local out='[]'
+  while IFS= read -r item; do
+    [[ -z "$item" ]] && continue
+    primary="$(jq -r --arg k "$name_field" '.[$k] // ""' <<<"$item")"
+    secondary="$(jq -r --arg k "$secondary_field" '.[$k] // ""' <<<"$item")"
+    if ! is_covered "$primary" "$secondary"; then
+      out="$(jq --argjson o "$item" '. + [$o]' <<<"$out")"
+    fi
+  done < <(jq -c '.[]' <<<"$changed_json")
+  echo "$out"
+}
+
+UNC_ROUTES="$(compute_uncovered   "$CHANGED_ROUTES"  "path" "file")"
+UNC_HTTP="$(compute_uncovered     "$CHANGED_HTTP"    "path" "file")"
+UNC_TRPC="$(compute_uncovered     "$CHANGED_TRPC"    "name" "file")"
+UNC_ACTIONS="$(compute_uncovered  "$CHANGED_ACTIONS" "name" "file")"
+
+rm -f "$TEST_BLOB"
+
+# --- 5. assemble ------------------------------------------------------------
+jq -n \
+  --arg base_ref "$BASE_REF" \
+  --argjson diff_files "$DIFF_FILES" \
+  --argjson changed_routes "$CHANGED_ROUTES" \
+  --argjson changed_http "$CHANGED_HTTP" \
+  --argjson changed_trpc "$CHANGED_TRPC" \
+  --argjson changed_actions "$CHANGED_ACTIONS" \
+  --argjson uncovered_routes "$UNC_ROUTES" \
+  --argjson uncovered_http "$UNC_HTTP" \
+  --argjson uncovered_trpc "$UNC_TRPC" \
+  --argjson uncovered_actions "$UNC_ACTIONS" \
+  '{
+    base_ref: $base_ref,
+    diff_files: $diff_files,
+    changed_routes: $changed_routes,
+    changed_http: $changed_http,
+    changed_trpc: $changed_trpc,
+    changed_actions: $changed_actions,
+    uncovered_routes: $uncovered_routes,
+    uncovered_http: $uncovered_http,
+    uncovered_trpc: $uncovered_trpc,
+    uncovered_actions: $uncovered_actions
+  }'

package/template/.claude/skills/e2e-audit/scripts/discover-api-surface.sh

@@ -0,0 +1,242 @@
+#!/usr/bin/env bash
+# discover-api-surface.sh — enumerate every network-facing surface a browser
+# or third-party client can hit: REST/HTTP route handlers, tRPC procedures,
+# GraphQL resolvers, and server actions.
+#
+# Why: Playwright deduction misses endpoints that aren't touched by the
+# flow you tested. A procedure that's only called from Settings > Advanced
+# > Danger Zone, or an API route called only by a webhook, won't show up
+# in a traffic log. This script reads the SOURCE and emits the full
+# contract so the skill can report which endpoints HAVE no tests.
+#
+# Output: JSON object on stdout:
+# {
+#   "http_routes":     [{ "method": "POST", "path": "/api/users", "file": "...", "auth": "protected"|"public"|"unknown", "zod_schema_found": true|false }],
+#   "trpc_procedures": [{ "name": "users.create", "kind": "query"|"mutation"|"subscription", "file": "...", "auth": "protected"|"public"|"unknown", "input_schema_found": true|false }],
+#   "graphql":         { "found": true|false, "files": [...] },
+#   "server_actions":  [{ "name": "createUser", "file": "...", "directive": "'use server'"|"file-scoped" }],
+#   "middleware":      { "file": "middleware.ts"|null, "has_auth_guard": true|false, "matches_public_patterns": [...] }
+# }
+#
+# No AST. False positives are OK — skill cross-references this with tests.
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+HTTP='[]'
+TRPC='[]'
+GQL_FOUND=false
+GQL_FILES='[]'
+ACTIONS='[]'
+MW_FILE="null"
+MW_AUTH=false
+MW_PUBLIC='[]'
+
+# --- 1. HTTP ROUTE HANDLERS -------------------------------------------------
+# Next.js app router: app/**/route.{ts,tsx,js} with exported METHOD handlers.
+# Next.js pages router: pages/api/**/*.{ts,tsx,js} with default export.
+# Remix: resource routes (files in app/routes with a loader/action but no default).
+# Express/Hono/Fastify: app.get/post/put/delete/patch etc.
+METHODS='GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS'
+
+# Next.js app router route.ts
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  # URL path: strip app/src/app prefix and /route.* suffix; keep [param].
+  p="$f"; p="${p#src/app/}"; p="${p#app/}"; p="${p%/route.ts}"; p="${p%/route.tsx}"; p="${p%/route.js}"
+  # strip route-group segments
+  p="$(echo "$p" | awk -F/ '{out=""; for(i=1;i<=NF;i++){if($i~/^\(.*\)$/)continue; out=out(out==""?"":"/")$i} print out}')"
+  url="/$p"
+  # which methods are exported?
+  for m in GET POST PUT PATCH DELETE HEAD OPTIONS; do
+    if grep -Eq "export[[:space:]]+(async[[:space:]]+)?function[[:space:]]+$m\\b|export[[:space:]]+const[[:space:]]+$m[[:space:]]*=" "$f" 2>/dev/null; then
+      # zod schema mentioned in file?
+      zod=false
+      grep -Eq "z\\.object\\(|safeParse|\\.parse\\(|zodResolver" "$f" 2>/dev/null && zod=true
+      # auth hint: look for session/auth/protected keywords
+      auth="unknown"
+      if   grep -Eq "getServerSession|auth\\(\\)|requireAuth|requireSession|getSession|currentUser\\(|userId" "$f" 2>/dev/null; then auth="protected"
+      elif grep -Eq "// public|@public" "$f" 2>/dev/null; then auth="public"
+      fi
+      HTTP="$(jq --arg m "$m" --arg p "$url" --arg f "$f" --arg a "$auth" --argjson z "$zod" \
+                '. + [{method:$m, path:$p, file:$f, auth:$a, zod_schema_found:$z}]' <<<"$HTTP")"
+    fi
+  done
+done < <(find app src/app -type f \( -name 'route.ts' -o -name 'route.tsx' -o -name 'route.js' \) 2>/dev/null)
+
+# Next.js pages/api
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  p="$f"; p="${p#src/pages/}"; p="${p#pages/}"
+  p="${p%.ts}"; p="${p%.tsx}"; p="${p%.js}"; p="${p%.jsx}"
+  # index.ts -> directory path
+  p="${p%/index}"
+  url="/$p"
+  auth="unknown"
+  if grep -Eq "getServerSession|requireAuth|getSession|authenticate\\(|req\\.session" "$f" 2>/dev/null; then auth="protected"; fi
+  zod=false
+  grep -Eq "z\\.object\\(|safeParse|\\.parse\\(" "$f" 2>/dev/null && zod=true
+  HTTP="$(jq --arg p "$url" --arg f "$f" --arg a "$auth" --argjson z "$zod" \
+            '. + [{method:"ANY", path:$p, file:$f, auth:$a, zod_schema_found:$z}]' <<<"$HTTP")"
+done < <(find pages/api src/pages/api -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.js' \) 2>/dev/null)
+
+# Express / Hono / Fastify style (app.get/post/...)
+while IFS= read -r hit; do
+  [[ -z "$hit" ]] && continue
+  f="${hit%%:*}"; rest="${hit#*:}"
+  line="${rest%%:*}"
+  match="${rest#*:}"
+  m="$(echo "$match" | grep -oE "\\.(get|post|put|patch|delete|head|options)\\(" | head -1 | tr -d '.(' | tr '[:lower:]' '[:upper:]')"
+  url="$(echo "$match" | grep -oE "[\"'][^\"']+[\"']" | head -1 | tr -d "\"'")"
+  [[ -z "$m" || -z "$url" ]] && continue
+  [[ "$url" =~ ^/ ]] || continue
+  HTTP="$(jq --arg m "$m" --arg p "$url" --arg f "$f" \
+            '. + [{method:$m, path:$p, file:$f, auth:"unknown", zod_schema_found:false}]' <<<"$HTTP")"
+done < <(grep -rEHn --include='*.ts' --include='*.tsx' --include='*.js' --include='*.mjs' \
+           "\\.(get|post|put|patch|delete|head|options)\\([\"'][^\"']+[\"']" \
+           src server app 2>/dev/null | head -500 || true)
+
+# --- 2. tRPC PROCEDURES -----------------------------------------------------
+# Look for files that import `router` or `procedure` and enumerate calls:
+#   foo: publicProcedure.input(...).query(...)
+#   bar: protectedProcedure.mutation(...)
+#
+# We don't build a router namespace tree; we emit procedure names as seen.
+# Nested router paths can be computed by the skill from the file layout.
+TRPC_FILES="$(grep -rl -E "createTRPCRouter|publicProcedure|protectedProcedure|router\\(\\{" \
+  --include='*.ts' --include='*.tsx' \
+  src server 2>/dev/null || true)"
+
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  # For each procedure definition in this file, capture name + kind + auth.
+  # Pattern matches: <name>: (public|protected|<prefix>)Procedure[.input(...)]?.<query|mutation|subscription>
+  awk -v file="$f" '
+    /(\w+Procedure)/ {
+      # join multi-line chains until we hit one of the terminators.
+      chain = chain " " $0
+    }
+    /\.query\s*\(|\.mutation\s*\(|\.subscription\s*\(/ {
+      chain = chain " " $0
+      # extract name (the last "foo:" before the chain start)
+      if (match(chain, /([A-Za-z_][A-Za-z0-9_]*)\s*:\s*[A-Za-z_][A-Za-z0-9_]*Procedure/, m)) {
+        name = m[1]
+      } else name = "_"
+      # extract kind
+      if (chain ~ /\.query\s*\(/) kind = "query"
+      else if (chain ~ /\.mutation\s*\(/) kind = "mutation"
+      else kind = "subscription"
+      # extract auth (protected vs public vs custom)
+      if (chain ~ /protectedProcedure/) auth = "protected"
+      else if (chain ~ /publicProcedure/) auth = "public"
+      else auth = "unknown"
+      # input schema?
+      input_found = (chain ~ /\.input\s*\(/) ? "true" : "false"
+      printf "%s|%s|%s|%s|%s\n", name, kind, file, auth, input_found
+      chain = ""
+    }
+  ' "$f" 2>/dev/null || true
+done <<<"$TRPC_FILES" | while IFS='|' read -r name kind file auth input_found; do
+  [[ -z "$name" ]] && continue
+  jq --arg n "$name" --arg k "$kind" --arg f "$file" --arg a "$auth" --argjson i "$input_found" \
+     '. + [{name:$n, kind:$k, file:$f, auth:$a, input_schema_found:$i}]'
+done > /tmp/e2e-audit-trpc-$$.jsonl || true
+
+if [[ -s /tmp/e2e-audit-trpc-$$.jsonl ]]; then
+  # The above pipeline created one growing JSON object per line via jq --arg,
+  # but each jq invocation started from scratch. Join properly:
+  TRPC='[]'
+  while IFS= read -r _; do :; done < /tmp/e2e-audit-trpc-$$.jsonl
+fi
+rm -f /tmp/e2e-audit-trpc-$$.jsonl
+
+# Simpler, correct approach for tRPC — rebuild as JSON array in a single pass.
+TRPC='[]'
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  while IFS='|' read -r name kind file auth input_found; do
+    [[ -z "$name" ]] && continue
+    TRPC="$(jq --arg n "$name" --arg k "$kind" --arg fi "$file" --arg a "$auth" --argjson i "$input_found" \
+              '. + [{name:$n, kind:$k, file:$fi, auth:$a, input_schema_found:$i}]' <<<"$TRPC")"
+  done < <(
+    awk -v file="$f" '
+      /(\w+Procedure)/ { chain = chain " " $0 }
+      /\.query\s*\(|\.mutation\s*\(|\.subscription\s*\(/ {
+        chain = chain " " $0
+        name = "_"
+        if (match(chain, /([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*:[[:space:]]*[A-Za-z_][A-Za-z0-9_]*Procedure/, m)) name = m[1]
+        if (chain ~ /\.query[[:space:]]*\(/) kind = "query"
+        else if (chain ~ /\.mutation[[:space:]]*\(/) kind = "mutation"
+        else kind = "subscription"
+        if (chain ~ /protectedProcedure/) auth = "protected"
+        else if (chain ~ /publicProcedure/) auth = "public"
+        else auth = "unknown"
+        input_found = (chain ~ /\.input[[:space:]]*\(/) ? "true" : "false"
+        printf "%s|%s|%s|%s|%s\n", name, kind, file, auth, input_found
+        chain = ""
+      }
+    ' "$f" 2>/dev/null
+  )
+done <<<"$TRPC_FILES"
+
+# --- 3. GRAPHQL -------------------------------------------------------------
+GQL_HITS="$(grep -rl -E 'typeDefs|buildSchema|gql`|@ObjectType|@Resolver|createSchema' \
+  --include='*.ts' --include='*.tsx' --include='*.graphql' --include='*.gql' \
+  src server schema 2>/dev/null | head -50 || true)"
+if [[ -n "$GQL_HITS" ]]; then
+  GQL_FOUND=true
+  GQL_FILES="$(echo "$GQL_HITS" | jq -Rn '[inputs]')"
+fi
+
+# --- 4. SERVER ACTIONS (Next.js) --------------------------------------------
+# Two forms: 'use server' directive at top of file, or 'use server' inline in a
+# function body. We emit both kinds.
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  if grep -Eq "^['\"]use server['\"]" "$f" 2>/dev/null; then
+    # File-scoped: every exported async function is an action.
+    while IFS= read -r name; do
+      [[ -z "$name" ]] && continue
+      ACTIONS="$(jq --arg n "$name" --arg fi "$f" '. + [{name:$n, file:$fi, directive:"file-scoped"}]' <<<"$ACTIONS")"
+    done < <(grep -Eo "export[[:space:]]+(async[[:space:]]+)?function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*" "$f" \
+             | awk '{print $NF}' | sed 's/^function[[:space:]]*//')
+  fi
+  # Inline: async function () { 'use server'; ... }
+  while IFS= read -r hit; do
+    name="$(echo "$hit" | grep -oE "function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*" | awk '{print $2}')"
+    [[ -z "$name" ]] && continue
+    ACTIONS="$(jq --arg n "$name" --arg fi "$f" '. + [{name:$n, file:$fi, directive:"'\''use server'\''"}]' <<<"$ACTIONS")"
+  done < <(grep -B1 -E "^[[:space:]]*['\"]use server['\"]" "$f" 2>/dev/null | grep -E "function[[:space:]]+[A-Za-z_]" || true)
+done < <(find src app server -type f \( -name '*.ts' -o -name '*.tsx' \) 2>/dev/null)
+
+# --- 5. MIDDLEWARE (Next.js) -----------------------------------------------
+for cand in middleware.ts middleware.js src/middleware.ts src/middleware.js; do
+  if [[ -f "$cand" ]]; then
+    MW_FILE="\"$cand\""
+    grep -Eq "auth|getToken|getSession|currentUser|getServerSession|redirect\\(.*sign[_-]?in" "$cand" 2>/dev/null && MW_AUTH=true
+    # Extract matcher patterns that look like public paths.
+    while IFS= read -r pat; do
+      [[ -z "$pat" ]] && continue
+      MW_PUBLIC="$(jq --arg p "$pat" '. + [$p]' <<<"$MW_PUBLIC")"
+    done < <(grep -oE "['\"]/[^'\"]*['\"]" "$cand" | tr -d "'\"" | sort -u | head -40)
+    break
+  fi
+done
+
+# --- ASSEMBLE ---------------------------------------------------------------
+jq -n \
+  --argjson http "$HTTP" \
+  --argjson trpc "$TRPC" \
+  --argjson graphql_found "$GQL_FOUND" \
+  --argjson graphql_files "$GQL_FILES" \
+  --argjson actions "$ACTIONS" \
+  --argjson mw_file "$MW_FILE" \
+  --argjson mw_auth "$MW_AUTH" \
+  --argjson mw_public "$MW_PUBLIC" \
+  '{
+    http_routes: ($http | unique_by([.method, .path, .file])),
+    trpc_procedures: ($trpc | unique_by([.name, .kind, .file])),
+    graphql: { found: $graphql_found, files: $graphql_files },
+    server_actions: ($actions | unique_by([.name, .file])),
+    middleware: { file: $mw_file, has_auth_guard: $mw_auth, matches_public_patterns: $mw_public }
+  }'

package/template/.claude/skills/e2e-audit/scripts/discover-routes.sh

@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# discover-routes.sh — enumerate every user-facing page route from the source tree.
+#
+# Output: JSON array on stdout. Each item:
+# { "path": "/users/[id]", "kind": "page" | "layout" | "route-group" | "parallel" | "intercepting",
+#   "file": "src/app/users/[id]/page.tsx", "dynamic": true, "catch_all": false }
+#
+# Supports next (app + pages router), remix, sveltekit, nuxt, astro.
+# Non-framework repos emit an empty array.
+set -euo pipefail
+
+command -v jq >/dev/null || { echo "jq required" >&2; exit 2; }
+
+detect_fw() {
+  if   jq -e '.dependencies.next // .devDependencies.next' package.json >/dev/null 2>&1; then echo "next"
+  elif jq -e '.dependencies["@remix-run/react"] // .devDependencies["@remix-run/react"]' package.json >/dev/null 2>&1; then echo "remix"
+  elif jq -e '.dependencies["@sveltejs/kit"] // .devDependencies["@sveltejs/kit"]' package.json >/dev/null 2>&1; then echo "sveltekit"
+  elif jq -e '.dependencies.nuxt // .devDependencies.nuxt' package.json >/dev/null 2>&1; then echo "nuxt"
+  elif jq -e '.dependencies.astro // .devDependencies.astro' package.json >/dev/null 2>&1; then echo "astro"
+  else echo "unknown"
+  fi
+}
+
+FW="$(detect_fw)"
+OUT='[]'
+
+emit() {
+  # args: path kind file dynamic catch_all
+  OUT="$(jq --arg p "$1" --arg k "$2" --arg f "$3" \
+            --argjson d "$4" --argjson c "$5" \
+            '. + [{path:$p, kind:$k, file:$f, dynamic:$d, catch_all:$c}]' <<<"$OUT")"
+}
+
+# Translate a Next/Remix/Nuxt/SvelteKit file path into a URL path.
+# Strips: src/app, app, src/pages, pages, src/routes, app/routes.
+# Drops: route-group segments like (marketing), private _segments (Nuxt/SvelteKit),
+# converts [param] into a URL segment that keeps the bracket notation.
+path_to_url() {
+  local p="$1"
+  # strip known leading prefixes
+  p="${p#src/app/}"; p="${p#app/}"
+  p="${p#src/pages/}"; p="${p#pages/}"
+  p="${p#src/routes/}"; p="${p#app/routes/}"
+  p="${p#routes/}"
+  # drop trailing filename
+  p="${p%/page.tsx}"; p="${p%/page.ts}"; p="${p%/page.jsx}"; p="${p%/page.js}"
+  p="${p%/+page.svelte}"; p="${p%/+layout.svelte}"
+  p="${p%/index.tsx}"; p="${p%/index.ts}"; p="${p%/index.jsx}"; p="${p%/index.js}"
+  p="${p%/index.vue}"; p="${p%/index.astro}"
+  p="${p%.tsx}"; p="${p%.ts}"; p="${p%.jsx}"; p="${p%.js}"
+  p="${p%.vue}"; p="${p%.astro}"; p="${p%.svelte}"
+  # remove Next route-group segments (parentheses)
+  p="$(echo "$p" | awk -F/ '{
+    out=""; for(i=1;i<=NF;i++){
+      if($i ~ /^\(.*\)$/) continue;
+      out = out (out==""?"":"/") $i;
+    }
+    print out
+  }')"
+  # remove private Nuxt/SvelteKit underscore segments
+  p="$(echo "$p" | awk -F/ '{
+    out=""; for(i=1;i<=NF;i++){
+      if($i ~ /^_/) continue;
+      out = out (out==""?"":"/") $i;
+    }
+    print out
+  }')"
+  # remix: convert dot-delimited route files to slashes, $param -> [param]
+  if [[ "$FW" == "remix" ]]; then
+    p="$(echo "$p" | sed 's/\./\//g; s/\$/:/g')"
+  fi
+  # sveltekit/nuxt: [[optional]] / [...rest] already close enough; leave as-is
+  echo "/${p}"
+}
+
+classify() {
+  # args: url file
+  local url="$1" file="$2"
+  local dyn=false cat=false
+  [[ "$url" == *"["*"]"* || "$url" == *":"* ]] && dyn=true
+  [[ "$url" == *"[..."*"]"* || "$url" == *"\$\$"* ]] && cat=true
+  echo "$dyn $cat"
+}
+
+# --- Next.js app router -----------------------------------------------------
+if [[ "$FW" == "next" ]]; then
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find app src/app -type f \( -name 'page.tsx' -o -name 'page.ts' -o -name 'page.jsx' -o -name 'page.js' \) 2>/dev/null)
+
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    emit "$url" "layout" "$f" false false
+  done < <(find app src/app -type f \( -name 'layout.tsx' -o -name 'layout.ts' \) 2>/dev/null)
+
+  while IFS= read -r d; do
+    [[ -z "$d" ]] && continue
+    emit "${d#*app/}" "parallel" "$d" false false
+  done < <(find app src/app -type d -name '@*' 2>/dev/null)
+
+  while IFS= read -r d; do
+    [[ -z "$d" ]] && continue
+    emit "${d#*app/}" "intercepting" "$d" false false
+  done < <(find app src/app -type d \( -name '(.)*' -o -name '(..)*' -o -name '(...)*' \) 2>/dev/null)
+
+  # Pages router (legacy)
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    # exclude _app, _document, _error, api/
+    case "$f" in
+      */_app.*|*/_document.*|*/_error.*|*/api/*) continue ;;
+    esac
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find pages src/pages -type f \( -name '*.tsx' -o -name '*.ts' -o -name '*.jsx' -o -name '*.js' \) 2>/dev/null)
+fi
+
+# --- Remix ------------------------------------------------------------------
+if [[ "$FW" == "remix" ]]; then
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find app/routes src/routes -type f \( -name '*.tsx' -o -name '*.ts' \) 2>/dev/null)
+fi
+
+# --- SvelteKit --------------------------------------------------------------
+if [[ "$FW" == "sveltekit" ]]; then
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find src/routes -type f -name '+page.svelte' 2>/dev/null)
+fi
+
+# --- Nuxt -------------------------------------------------------------------
+if [[ "$FW" == "nuxt" ]]; then
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find pages src/pages -type f \( -name '*.vue' \) 2>/dev/null)
+fi
+
+# --- Astro ------------------------------------------------------------------
+if [[ "$FW" == "astro" ]]; then
+  while IFS= read -r f; do
+    [[ -z "$f" ]] && continue
+    url="$(path_to_url "$f")"
+    read -r dyn cat < <(classify "$url" "$f")
+    emit "$url" "page" "$f" "$dyn" "$cat"
+  done < <(find src/pages -type f \( -name '*.astro' -o -name '*.tsx' -o -name '*.ts' \) 2>/dev/null)
+fi
+
+echo "$OUT" | jq '. | unique_by([.path, .file])'