tryassay 0.17.0 → 0.19.0

package/dist/runtime/check-catalog.js

@@ -0,0 +1,662 @@
+/**
+ * CheckCatalog — prebuilt integration check definitions for known failure patterns.
+ *
+ * Every check here catches a bug that compiles clean but breaks at runtime.
+ * Organized by framework/category. Each check specifies a CheckStrategy
+ * that the CheckExecutor can run deterministically (no LLM needed).
+ *
+ * Tier 1: Uses existing executor strategies — ready to execute today.
+ * Tier 2: Needs new strategy executor — documented, not yet runnable.
+ *
+ * Usage:
+ *   const checks = getCatalogChecks({ frameworks: ['electron', 'react'] });
+ *   for (const check of checks) {
+ *     await checkStore.save(check);
+ *   }
+ */
+// ── Helpers ──────────────────────────────────────────────────
+function entry(id, name, type, strategy, opts) {
+    return {
+        id,
+        name,
+        type,
+        strategy,
+        severity: opts.severity,
+        frameworks: opts.frameworks,
+        category: opts.category,
+        tier: opts.tier,
+        description: opts.description,
+        evidenceTemplate: opts.evidenceTemplate,
+        status: 'active',
+        createdAt: '2026-02-22T00:00:00.000Z',
+    };
+}
+// ════════════════════════════════════════════════════════════════
+// 1. ELECTRON — IPC & Process Boundary
+// ════════════════════════════════════════════════════════════════
+const ELECTRON_IPC = [
+    // ── Already implemented (5 checks) ───────────────────────
+    entry('cat_electron_001', 'IPC handler coverage', 'ipc_handler_coverage', {
+        type: 'cross_reference',
+        sourceGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "ipcRenderer\\.invoke\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        targetPattern: "ipcMain\\.handle\\(\\s*['\"`]{{item}}['\"`]",
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'Preload invokes an IPC channel that has no handler in the main process. The invoke call will hang or reject at runtime with "No handler registered for channel".',
+        evidenceTemplate: "Channel '{match}' invoked in {sourceFile} has no handler in main process.",
+    }),
+    entry('cat_electron_002', 'Response shape consistency', 'response_shape', {
+        type: 'response_shape',
+        preloadGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        handlerGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        invokePattern: "ipcRenderer\\.invoke\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        handlePattern: "ipcMain\\.handle\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        wrappedReturnPattern: "return\\s*\\{\\s*success:\\s*true,\\s*data:",
+        unwrapAccessPattern: "\\.(data)\\b",
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'Handler wraps response in { success, data } but preload passes it through without unwrapping .data. Renderer accesses result.rows but actual data is at result.data.rows. Compiles clean, breaks at runtime.',
+        evidenceTemplate: "Channel '{channel}' in {preloadFile}: handler wraps response but preload does not unwrap .data.",
+    }),
+    entry('cat_electron_003', 'Stub function in preload', 'stub_function', {
+        type: 'pattern_absence',
+        fileGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        pattern: 'async\\s*\\([^)]*\\)\\s*(?::\\s*Promise<[^>]+>)?\\s*=>\\s*\\{\\s*return\\s+\\{[^}]*\\}\\s*;?\\s*\\}',
+    }, {
+        severity: 'high',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'Preload function returns a hardcoded empty object instead of calling ipcRenderer.invoke. The UI renders but all data is empty or undefined.',
+        evidenceTemplate: "Stub function found: {match} in {sourceFile}.",
+    }),
+    // ── New checks ────────────────────────────────────────────
+    entry('cat_electron_004', 'contextBridge exposure', 'context_bridge_exposure', {
+        type: 'cross_reference',
+        sourceGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "ipcRenderer\\.invoke\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        targetPattern: "contextBridge\\.exposeInMainWorld",
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'Preload defines IPC functions but never calls contextBridge.exposeInMainWorld. The renderer has no access to the API object — window.api is undefined. This compiles clean because preload and renderer are separate compilation units.',
+        evidenceTemplate: "Preload has {count} IPC invoke call(s) but contextBridge.exposeInMainWorld is {found}.",
+    }),
+    entry('cat_electron_005', 'IPC channel constant drift', 'ipc_channel_drift', {
+        type: 'cross_reference',
+        sourceGlob: '**/shared/**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "([A-Z_]+)\\s*[:=]\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        targetPattern: "ipcMain\\.handle\\(\\s*['\"`]{{item}}['\"`]",
+    }, {
+        severity: 'high',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'IPC channel constants defined in shared/types.ts but handler uses a string literal that does not match the constant value. The channel name is subtly different (typo, old name) so the handler never fires.',
+        evidenceTemplate: "Constant '{match}' maps to '{value}' but handler string literal does not match.",
+    }),
+    entry('cat_electron_006', 'IPC send without listener', 'ipc_send_coverage', {
+        type: 'cross_reference',
+        sourceGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "(?:webContents|mainWindow)\\.send\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/preload/**/*.{ts,tsx,js,jsx}',
+        targetPattern: "ipcRenderer\\.on\\(\\s*['\"`]{{item}}['\"`]",
+    }, {
+        severity: 'high',
+        frameworks: ['electron'],
+        category: 'Electron IPC',
+        tier: 1,
+        description: 'Main process sends a message to the renderer via webContents.send but no ipcRenderer.on listener exists in preload. The message is silently dropped — no error, no data delivered.',
+        evidenceTemplate: "Channel '{match}' sent from main but no listener in preload.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 2. ELECTRON — Security & Configuration
+// ════════════════════════════════════════════════════════════════
+const ELECTRON_SECURITY = [
+    entry('cat_electron_010', 'nodeIntegration enabled', 'node_integration_security', {
+        type: 'pattern_absence',
+        fileGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        pattern: 'nodeIntegration\\s*:\\s*true',
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron Security',
+        tier: 1,
+        description: 'BrowserWindow created with nodeIntegration: true. This gives the renderer direct access to Node.js APIs, making XSS vulnerabilities equivalent to RCE. Should always be false with contextIsolation: true.',
+        evidenceTemplate: "nodeIntegration: true found in {sourceFile}.",
+    }),
+    entry('cat_electron_011', 'contextIsolation disabled', 'context_isolation_disabled', {
+        type: 'pattern_absence',
+        fileGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        pattern: 'contextIsolation\\s*:\\s*false',
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron Security',
+        tier: 1,
+        description: 'BrowserWindow created with contextIsolation: false. Preload script shares the JavaScript context with the renderer, allowing prototype pollution attacks to escalate to arbitrary code execution.',
+        evidenceTemplate: "contextIsolation: false found in {sourceFile}.",
+    }),
+    entry('cat_electron_012', 'Preload script path validity', 'preload_script_path', {
+        type: 'file_reference',
+        fileGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        referencePattern: "preload\\s*:\\s*(?:path\\.join\\([^,]+,\\s*)?['\"`]([^'\"`]+)['\"`]",
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron Security',
+        tier: 1,
+        description: 'webPreferences.preload points to a path that does not exist on disk. The BrowserWindow loads but window.api is undefined — all IPC calls fail silently. Often caused by build output directory mismatch.',
+        evidenceTemplate: "Preload path '{match}' in {sourceFile} does not resolve to an existing file.",
+    }),
+    entry('cat_electron_013', 'Main/renderer boundary violation', 'main_renderer_boundary', {
+        type: 'pattern_absence',
+        fileGlob: '**/renderer/**/*.{ts,tsx,js,jsx}',
+        pattern: "from\\s+['\"`].*[\\\\/]main[\\\\/]",
+    }, {
+        severity: 'high',
+        frameworks: ['electron'],
+        category: 'Electron Security',
+        tier: 1,
+        description: 'Renderer code directly imports from the main process directory. This breaks Electron process isolation — main-process modules (fs, child_process, etc.) are not available in the renderer with contextIsolation enabled. Compiles because TypeScript resolves the import, but crashes at runtime.',
+        evidenceTemplate: "Renderer file {sourceFile} imports from main process: {match}.",
+    }),
+    entry('cat_electron_014', 'BrowserWindow without loadURL/loadFile', 'browser_window_no_load', {
+        type: 'conditional_presence',
+        fileGlob: '**/main/**/*.{ts,tsx,js,jsx}',
+        conditionPattern: 'new\\s+BrowserWindow\\s*\\(',
+        requiredPattern: '\\.(loadURL|loadFile)\\s*\\(',
+    }, {
+        severity: 'critical',
+        frameworks: ['electron'],
+        category: 'Electron Security',
+        tier: 1,
+        description: 'BrowserWindow is created but never loads a URL or file. The window appears as a blank white screen. Usually caused by the loadURL call being conditional or in a callback that never fires.',
+        evidenceTemplate: "BrowserWindow created in {sourceFile} but no .loadURL or .loadFile found.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 3. REACT — Routing & Navigation
+// ════════════════════════════════════════════════════════════════
+const REACT_ROUTING = [
+    entry('cat_react_001', 'Router provider missing', 'routing_provider', {
+        type: 'pattern_presence',
+        fileGlob: '**/*.{tsx,jsx}',
+        pattern: '\\b(BrowserRouter|HashRouter|MemoryRouter|RouterProvider|createBrowserRouter)\\b',
+        requireIn: 'any',
+        contextGlob: '**/*.{tsx,jsx}',
+        contextPattern: '\\b(useNavigate|useParams|useLocation|useSearchParams)\\b',
+    }, {
+        severity: 'critical',
+        frameworks: ['react'],
+        category: 'React Routing',
+        tier: 1,
+        description: 'Components call useNavigate/useParams/useLocation but no Router provider wraps the component tree. Crashes at runtime: "useNavigate() may be used only in the context of a <Router> component."',
+        evidenceTemplate: "Router hook usage found but no Router provider in any file.",
+    }),
+    entry('cat_react_002', 'Unreachable page component', 'unreachable_page', {
+        type: 'import_reachability',
+        pageGlob: '**/pages/**/*.{tsx,jsx}',
+        entryPattern: 'createRoot|ReactDOM\\.render',
+    }, {
+        severity: 'high',
+        frameworks: ['react'],
+        category: 'React Routing',
+        tier: 1,
+        description: 'A page component exists in the pages directory but is never imported into the router or any component reachable from the entry point. The page is dead code — no URL navigates to it.',
+        evidenceTemplate: "Page '{match}' is not imported from any file reachable from the entry point.",
+    }),
+    entry('cat_react_003', 'Link to undefined route', 'link_route_mismatch', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{tsx,jsx}',
+        sourcePattern: '<(?:Link|NavLink)\\s+[^>]*to=["\']([^"\']+)["\']',
+        targetGlob: '**/*.{tsx,jsx}',
+        targetPattern: '<Route\\s+[^>]*path=["\']{{item}}["\']',
+    }, {
+        severity: 'high',
+        frameworks: ['react'],
+        category: 'React Routing',
+        tier: 1,
+        description: 'A Link or NavLink points to a path that has no matching Route definition. Clicking the link navigates but renders nothing (blank area) or the catch-all 404 route.',
+        evidenceTemplate: "Link to='{match}' in {sourceFile} has no matching Route path.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 4. REACT — Context & State
+// ════════════════════════════════════════════════════════════════
+const REACT_CONTEXT = [
+    entry('cat_react_010', 'Missing error boundary', 'missing_error_boundary', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{tsx,jsx}',
+        conditionPattern: '<Route\\s',
+        requiredPattern: '<ErrorBoundary|errorElement',
+    }, {
+        severity: 'medium',
+        frameworks: ['react'],
+        category: 'React Context',
+        tier: 1,
+        description: 'Route definitions exist but no ErrorBoundary or errorElement wraps them. Any unhandled error in a route component crashes the entire app with a white screen instead of showing a fallback UI.',
+        evidenceTemplate: "Routes found in {sourceFile} but no ErrorBoundary or errorElement.",
+    }),
+    entry('cat_react_011', 'Missing Suspense for lazy import', 'missing_suspense_boundary', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{tsx,jsx}',
+        conditionPattern: '\\blazy\\s*\\(',
+        requiredPattern: '<Suspense',
+    }, {
+        severity: 'critical',
+        frameworks: ['react'],
+        category: 'React Context',
+        tier: 1,
+        description: 'React.lazy() is used to code-split a component but no <Suspense> boundary wraps it. React throws: "A component suspended while responding to synchronous input." The lazy component never renders.',
+        evidenceTemplate: "lazy() import found in {sourceFile} but no <Suspense> boundary.",
+    }),
+    entry('cat_react_012', 'Context used without Provider', 'context_without_provider', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{tsx,jsx}',
+        sourcePattern: 'useContext\\(\\s*(\\w+)\\s*\\)',
+        targetGlob: '**/*.{tsx,jsx}',
+        targetPattern: '<{{item}}\\.Provider',
+    }, {
+        severity: 'critical',
+        frameworks: ['react'],
+        category: 'React Context',
+        tier: 1,
+        description: 'A component calls useContext(SomeContext) but no <SomeContext.Provider> exists anywhere in the component tree. The hook returns the default value (often undefined), causing silent data loss or null reference errors.',
+        evidenceTemplate: "useContext({match}) in {sourceFile} but no <{match}.Provider> found.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 5. NEXT.JS — Server/Client Boundary
+// ════════════════════════════════════════════════════════════════
+const NEXTJS = [
+    entry('cat_next_001', "'use client' missing for hooks", 'use_client_missing', {
+        type: 'conditional_presence',
+        fileGlob: '**/app/**/*.{tsx,jsx}',
+        conditionPattern: '\\b(useState|useEffect|useRef|useCallback|useMemo|useReducer|useContext)\\b',
+        requiredPattern: "['\"]use client['\"]",
+    }, {
+        severity: 'critical',
+        frameworks: ['nextjs'],
+        category: 'Next.js Boundary',
+        tier: 1,
+        description: "File in the app directory uses React hooks (useState, useEffect, etc.) but is missing the 'use client' directive. Next.js treats it as a server component, which cannot use hooks. Build may pass but page crashes at runtime.",
+        evidenceTemplate: "File {sourceFile} uses {match} but is missing 'use client' directive.",
+    }),
+    entry('cat_next_002', 'Server component imports client module', 'server_imports_client', {
+        type: 'cross_reference',
+        sourceGlob: '**/app/**/*.{tsx,jsx}',
+        sourcePattern: "import\\s+.*from\\s+['\"]([^'\"]+)['\"]",
+        targetGlob: '**/*.{tsx,jsx}',
+        targetPattern: "['\"]use client['\"]",
+    }, {
+        severity: 'high',
+        frameworks: ['nextjs'],
+        category: 'Next.js Boundary',
+        tier: 1,
+        description: 'A server component imports a module that contains "use client". This is allowed for component imports (renders as client boundary) but breaks for importing hooks or client-only utilities directly.',
+        evidenceTemplate: "Server component {sourceFile} imports client module '{match}'.",
+    }),
+    entry('cat_next_003', 'API route missing HTTP method export', 'api_route_export', {
+        type: 'conditional_presence',
+        fileGlob: '**/app/api/**/route.{ts,tsx,js,jsx}',
+        conditionPattern: '.', // any content (file exists = condition met)
+        requiredPattern: 'export\\s+(?:async\\s+)?function\\s+(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)',
+    }, {
+        severity: 'critical',
+        frameworks: ['nextjs'],
+        category: 'Next.js Boundary',
+        tier: 1,
+        description: 'An API route file exists at app/api/.../route.ts but does not export any HTTP method handler (GET, POST, etc.). Requests to this endpoint return 405 Method Not Allowed.',
+        evidenceTemplate: "API route {sourceFile} has no exported HTTP method handler.",
+    }),
+    entry('cat_next_004', 'generateMetadata in client component', 'metadata_in_client', {
+        type: 'conditional_presence',
+        fileGlob: '**/app/**/*.{tsx,jsx}',
+        conditionPattern: 'generateMetadata|export\\s+const\\s+metadata',
+        requiredPattern: "(?!['\"]use client['\"])", // must NOT have 'use client'
+    }, {
+        severity: 'high',
+        frameworks: ['nextjs'],
+        category: 'Next.js Boundary',
+        tier: 1,
+        description: "File exports generateMetadata or metadata constant but also has 'use client'. Metadata APIs only work in server components. The metadata is silently ignored — page renders but has no title/description.",
+        evidenceTemplate: "Metadata export in {sourceFile} will be ignored because file is a client component.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 6. API INTEGRATION
+// ════════════════════════════════════════════════════════════════
+const API_INTEGRATION = [
+    entry('cat_api_001', 'Fetch URL matches no API route', 'fetch_route_mismatch', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "fetch\\(\\s*['\"`]/api/([^'\"`\\s]+)['\"`]",
+        targetGlob: '**/api/**/*.{ts,tsx,js,jsx}',
+        targetPattern: '{{item}}',
+    }, {
+        severity: 'critical',
+        frameworks: ['nextjs', 'express', 'general'],
+        category: 'API Integration',
+        tier: 1,
+        description: 'Frontend calls fetch("/api/some-path") but no API route handler exists for that path. The request returns 404 at runtime. Common after renaming or reorganizing API routes.',
+        evidenceTemplate: "fetch('/api/{match}') in {sourceFile} has no matching API route handler.",
+    }),
+    entry('cat_api_002', 'Supabase function call without edge function', 'supabase_function_missing', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "supabase\\.functions\\.invoke\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/supabase/functions/*/index.ts',
+        targetPattern: '{{item}}',
+    }, {
+        severity: 'critical',
+        frameworks: ['supabase'],
+        category: 'API Integration',
+        tier: 1,
+        description: 'Frontend calls supabase.functions.invoke("function-name") but no edge function directory with that name exists. The call returns a FunctionNotFound error at runtime.',
+        evidenceTemplate: "supabase.functions.invoke('{match}') in {sourceFile} has no matching edge function.",
+    }),
+    entry('cat_api_003', 'Missing error handling on fetch', 'fetch_no_error_handling', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{ts,tsx,js,jsx}',
+        conditionPattern: '\\bfetch\\(',
+        requiredPattern: '(?:\\.catch|try\\s*\\{|response\\.ok|response\\.status)',
+    }, {
+        severity: 'medium',
+        frameworks: ['general'],
+        category: 'API Integration',
+        tier: 1,
+        description: 'fetch() call without any error handling — no .catch(), no try/catch, no response.ok check. Network failures or server errors crash the app with an unhandled promise rejection instead of showing an error state.',
+        evidenceTemplate: "fetch() in {sourceFile} has no error handling.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 7. DATABASE & SCHEMA
+// ════════════════════════════════════════════════════════════════
+const DATABASE = [
+    entry('cat_db_001', 'Supabase table without RLS', 'missing_rls_policy', {
+        type: 'pattern_absence',
+        fileGlob: '**/migrations/**/*.sql',
+        pattern: 'CREATE\\s+TABLE\\s+(?!.*ALTER\\s+TABLE.*ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY)',
+    }, {
+        severity: 'critical',
+        frameworks: ['supabase'],
+        category: 'Database',
+        tier: 1,
+        description: 'A migration creates a table but never enables RLS (Row Level Security). With Supabase, this means the anon key has full read/write access to the table from the client — a data exposure vulnerability.',
+        evidenceTemplate: "Table created in {sourceFile} but RLS not enabled.",
+    }),
+    entry('cat_db_002', 'Code references non-existent column', 'schema_column_mismatch', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "\\.select\\(['\"`]([^'\"`]+)['\"`]\\)",
+        targetGlob: '**/migrations/**/*.sql',
+        targetPattern: '{{item}}',
+    }, {
+        severity: 'high',
+        frameworks: ['supabase', 'general'],
+        category: 'Database',
+        tier: 1,
+        description: 'Application code references a column name in a select/insert/update that does not appear in any migration file. The query fails at runtime with "column does not exist". Often caused by renaming columns in code but not in migrations.',
+        evidenceTemplate: "Column '{match}' referenced in {sourceFile} not found in any migration.",
+    }),
+    entry('cat_db_003', 'Query return type mismatch', 'query_type_mismatch', {
+        type: 'response_shape',
+        preloadGlob: '**/*.{ts,tsx,js,jsx}',
+        handlerGlob: '**/migrations/**/*.sql',
+        invokePattern: "\\.from\\(['\"`]([^'\"`]+)['\"`]\\)",
+        handlePattern: "CREATE\\s+TABLE\\s+(?:public\\.)?([\\w]+)",
+        wrappedReturnPattern: 'data:\\s*\\{',
+        unwrapAccessPattern: '\\.data\\b',
+    }, {
+        severity: 'medium',
+        frameworks: ['supabase'],
+        category: 'Database',
+        tier: 1,
+        description: 'Supabase query returns { data, error } but code accesses the result directly without destructuring. The component renders undefined instead of the queried data.',
+        evidenceTemplate: "Query on table '{match}' in {sourceFile}: result not properly destructured.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 8. AUTH & SECURITY
+// ════════════════════════════════════════════════════════════════
+const AUTH_SECURITY = [
+    entry('cat_auth_001', 'Unprotected route with sensitive data', 'unprotected_route', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{tsx,jsx}',
+        sourcePattern: '<Route\\s+[^>]*path=["\']/(admin|dashboard|settings|profile|billing)["\']',
+        targetGlob: '**/*.{tsx,jsx}',
+        targetPattern: '(ProtectedRoute|RequireAuth|AuthGuard|withAuth)',
+    }, {
+        severity: 'critical',
+        frameworks: ['react', 'nextjs'],
+        category: 'Auth & Security',
+        tier: 1,
+        description: 'Routes for sensitive areas (admin, dashboard, settings, billing) exist but no auth guard component (ProtectedRoute, RequireAuth, etc.) is found. Unauthenticated users can navigate directly to these routes.',
+        evidenceTemplate: "Route '{match}' has no auth guard. Found auth guard components: {found}.",
+    }),
+    entry('cat_auth_002', 'Environment variable missing from .env', 'env_var_missing', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{ts,tsx,js,jsx}',
+        sourcePattern: 'process\\.env\\.([A-Z_][A-Z0-9_]+)',
+        targetGlob: '**/.env*',
+        targetPattern: '{{item}}\\s*=',
+    }, {
+        severity: 'high',
+        frameworks: ['general'],
+        category: 'Auth & Security',
+        tier: 1,
+        description: 'Code references process.env.SOME_VAR but the variable is not defined in any .env file. The value is undefined at runtime, causing silent failures in API calls, auth flows, or configuration.',
+        evidenceTemplate: "process.env.{match} in {sourceFile} not defined in any .env file.",
+    }),
+    entry('cat_auth_003', 'Hardcoded secret in source', 'hardcoded_secret', {
+        type: 'pattern_absence',
+        fileGlob: '**/*.{ts,tsx,js,jsx}',
+        pattern: "(?:api[_-]?key|secret|password|token|auth)\\s*[:=]\\s*['\"`][A-Za-z0-9+/=_-]{20,}['\"`]",
+        allowIn: ['**/*.test.*', '**/*.spec.*', '**/__tests__/**'],
+    }, {
+        severity: 'critical',
+        frameworks: ['general'],
+        category: 'Auth & Security',
+        tier: 1,
+        description: 'An API key, secret, password, or token is hardcoded as a string literal in source code. This is a security vulnerability — the secret is exposed in version control and built artifacts.',
+        evidenceTemplate: "Hardcoded secret found in {sourceFile}: {match}.",
+    }),
+    entry('cat_auth_004', 'Missing CORS configuration', 'cors_missing', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{ts,js}',
+        conditionPattern: "(?:express\\(\\)|createServer|Hono|Fastify)",
+        requiredPattern: '(?:cors\\(|Access-Control-Allow-Origin|allowedOrigins)',
+    }, {
+        severity: 'high',
+        frameworks: ['express', 'general'],
+        category: 'Auth & Security',
+        tier: 1,
+        description: 'An HTTP server is created but no CORS configuration is applied. Cross-origin requests from the frontend fail with "Access-Control-Allow-Origin" errors. The API works from same-origin (dev) but breaks in production.',
+        evidenceTemplate: "Server created in {sourceFile} but no CORS configuration found.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 9. EXPRESS / NODE API
+// ════════════════════════════════════════════════════════════════
+const EXPRESS_NODE = [
+    entry('cat_express_001', 'Auth middleware after route handlers', 'middleware_ordering', {
+        type: 'ordering',
+        fileGlob: '**/*.{ts,js}',
+        beforePattern: '(?:app|router)\\.use\\(\\s*(?:auth|requireAuth|verifyToken|passport\\.authenticate)',
+        afterPattern: '(?:app|router)\\.(get|post|put|patch|delete)\\(',
+    }, {
+        severity: 'critical',
+        frameworks: ['express'],
+        category: 'Express/Node',
+        tier: 1,
+        description: 'Auth middleware is registered after route handlers. Express middleware runs in registration order, so routes defined before the auth middleware are unprotected. All requests to those routes bypass authentication.',
+        evidenceTemplate: "Auth middleware in {sourceFile} registered at line {line} but route handlers start at line {beforeLine}.",
+    }),
+    entry('cat_express_002', 'Missing error middleware', 'missing_error_middleware', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{ts,js}',
+        conditionPattern: "(?:express\\(\\)|new\\s+Hono)",
+        requiredPattern: "app\\.use\\(\\s*\\(\\s*(?:err|error)\\s*,\\s*req\\s*,\\s*res\\s*,\\s*next",
+    }, {
+        severity: 'high',
+        frameworks: ['express'],
+        category: 'Express/Node',
+        tier: 1,
+        description: 'Express app has no error handling middleware (4-parameter function). Unhandled errors in route handlers crash the process or leak stack traces to the client.',
+        evidenceTemplate: "Express app in {sourceFile} has no error handling middleware.",
+    }),
+    entry('cat_express_003', 'Async route without error handling', 'async_route_unhandled', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{ts,js}',
+        conditionPattern: '\\.(get|post|put|delete)\\(.*async\\s*\\(',
+        requiredPattern: '(?:try\\s*\\{|asyncHandler|express-async-errors)',
+    }, {
+        severity: 'high',
+        frameworks: ['express'],
+        category: 'Express/Node',
+        tier: 1,
+        description: 'An async route handler has no try/catch and no express-async-errors or asyncHandler wrapper. If the async function throws, Express does not catch it — the request hangs until timeout, and the error is an unhandled rejection.',
+        evidenceTemplate: "Async route handler in {sourceFile} has no error wrapping.",
+    }),
+    entry('cat_express_004', 'Missing body parser for POST', 'missing_body_parser', {
+        type: 'conditional_presence',
+        fileGlob: '**/*.{ts,js}',
+        conditionPattern: '\\.(post|put|patch)\\(.*req\\.body',
+        requiredPattern: '(?:express\\.json\\(|bodyParser\\.json|express\\.urlencoded)',
+    }, {
+        severity: 'high',
+        frameworks: ['express'],
+        category: 'Express/Node',
+        tier: 1,
+        description: 'Route handler accesses req.body but no JSON body parser middleware is registered. req.body is undefined — the handler receives no data from POST/PUT requests.',
+        evidenceTemplate: "Route in {sourceFile} uses req.body but no body parser middleware found.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// 10. GENERAL WEB
+// ════════════════════════════════════════════════════════════════
+const GENERAL_WEB = [
+    entry('cat_web_001', 'Form action without handler', 'form_action_missing', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{tsx,jsx}',
+        sourcePattern: "<form\\s+[^>]*action=['\"]([^'\"]+)['\"]",
+        targetGlob: '**/api/**/*.{ts,tsx,js,jsx}',
+        targetPattern: '{{item}}',
+    }, {
+        severity: 'high',
+        frameworks: ['general'],
+        category: 'General Web',
+        tier: 1,
+        description: 'A form has an action attribute pointing to a URL that has no server-side handler. Form submission navigates to a 404 or returns an error.',
+        evidenceTemplate: "Form action='{match}' in {sourceFile} has no matching handler.",
+    }),
+    entry('cat_web_002', 'Event listener for never-dispatched event', 'dead_event_listener', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{ts,tsx,js,jsx}',
+        sourcePattern: "addEventListener\\(\\s*['\"`]([^'\"`]+)['\"`]",
+        targetGlob: '**/*.{ts,tsx,js,jsx}',
+        targetPattern: "dispatchEvent.*['\"`]{{item}}['\"`]|new\\s+CustomEvent\\(['\"`]{{item}}['\"`]",
+    }, {
+        severity: 'medium',
+        frameworks: ['general'],
+        category: 'General Web',
+        tier: 1,
+        description: 'Code registers an event listener for a custom event that is never dispatched anywhere in the codebase. The listener is dead code — the callback never fires.',
+        evidenceTemplate: "Listener for '{match}' in {sourceFile} but event never dispatched.",
+    }),
+    entry('cat_web_003', 'CSS class used but not defined', 'css_class_missing', {
+        type: 'cross_reference',
+        sourceGlob: '**/*.{tsx,jsx}',
+        sourcePattern: "className=['\"`]([\\w-]+)['\"`]",
+        targetGlob: '**/*.{css,scss,less}',
+        targetPattern: '\\.{{item}}\\b',
+    }, {
+        severity: 'medium',
+        frameworks: ['general'],
+        category: 'General Web',
+        tier: 1,
+        description: 'A component uses className="some-class" but no CSS file defines .some-class. The styling is silently missing. Note: does not apply to Tailwind or CSS-in-JS which generate classes dynamically.',
+        evidenceTemplate: "className='{match}' in {sourceFile} has no CSS definition.",
+    }),
+    entry('cat_web_004', 'Image src points to missing asset', 'asset_reference_broken', {
+        type: 'file_reference',
+        fileGlob: '**/*.{tsx,jsx,html}',
+        referencePattern: "(?:src|href)=['\"`](/[^'\"`]+\\.(?:png|jpg|jpeg|gif|svg|webp|ico))['\"`]",
+        baseDir: 'public',
+    }, {
+        severity: 'medium',
+        frameworks: ['general'],
+        category: 'General Web',
+        tier: 1,
+        description: 'An img src or link href points to a static asset path that does not exist in the public directory. The image renders as a broken icon. Often caused by moving or renaming assets without updating references.',
+        evidenceTemplate: "Asset '{match}' referenced in {sourceFile} not found in public/.",
+    }),
+];
+// ════════════════════════════════════════════════════════════════
+// FULL CATALOG
+// ════════════════════════════════════════════════════════════════
+const ALL_CHECKS = [
+    ...ELECTRON_IPC,
+    ...ELECTRON_SECURITY,
+    ...REACT_ROUTING,
+    ...REACT_CONTEXT,
+    ...NEXTJS,
+    ...API_INTEGRATION,
+    ...DATABASE,
+    ...AUTH_SECURITY,
+    ...EXPRESS_NODE,
+    ...GENERAL_WEB,
+];
+/**
+ * Get prebuilt checks from the catalog, optionally filtered by framework.
+ *
+ * @param opts.frameworks  Only return checks relevant to these frameworks.
+ *                         If omitted, returns all checks.
+ * @param opts.tier        Only return checks of this tier (1 = executable, 2 = needs strategy).
+ *                         If omitted, returns both tiers.
+ */
+export function getCatalogChecks(opts) {
+    let checks = [...ALL_CHECKS];
+    if (opts?.frameworks?.length) {
+        const fw = new Set(opts.frameworks.map((f) => f.toLowerCase()));
+        checks = checks.filter((c) => c.frameworks.some((f) => fw.has(f)) ||
+            c.frameworks.includes('general'));
+    }
+    if (opts?.tier) {
+        checks = checks.filter((c) => c.tier === opts.tier);
+    }
+    return checks;
+}
+/** Summary statistics for the catalog. */
+export function getCatalogStats() {
+    const byCategory = {};
+    const byFramework = {};
+    for (const check of ALL_CHECKS) {
+        byCategory[check.category] = (byCategory[check.category] ?? 0) + 1;
+        for (const fw of check.frameworks) {
+            byFramework[fw] = (byFramework[fw] ?? 0) + 1;
+        }
+    }
+    return {
+        total: ALL_CHECKS.length,
+        tier1: ALL_CHECKS.filter((c) => c.tier === 1).length,
+        tier2: ALL_CHECKS.filter((c) => c.tier === 2).length,
+        byCategory,
+        byFramework,
+    };
+}
+//# sourceMappingURL=check-catalog.js.map