mix live_interaction_contracts.audit (live_interaction_contracts v1.0.0)

Copy Markdown View Source

Scans a target LiveView app's source for the KERNEL invariants that predict interaction bugs under DOM patching, and reports candidate risk sites.

mix live_interaction_contracts.audit --path /path/to/app
mix live_interaction_contracts.audit --path . --out interaction-audit.md

This is advisory — it produces a candidate list (file:line), not a verdict. High-confidence rules are syntactic; the low-confidence ones (marked) need human review because they depend on server-side dataflow the scan cannot see.

Rules (each maps to a frozen contract):

  • R1 reflected-attribute write without protection (KERNEL rule 1.3 / CURSOR §focus, REFERENCE_POPOVER): a JS hook setAttribute("aria-*"|"data-active"|"data-state") whose element likely has no JS.ignore_attributes — a patch touching it strips the attribute. High confidence when the repo has zero ignore_attributes.
  • R2 phx-update="ignore" scope (KERNEL Delegation): flags each site to check it does not wrap server-rendered dynamic content (interpolation / comprehension), which ignore would then freeze.
  • R3 roving tabindex in a patchable list (CURSOR_CONTRACT): tabindex on a non-form element, esp. near role="option|menuitem|treeitem" — not patch-safe; prefer aria-activedescendant.
  • R4 inventory: every phx-hook, <dialog>/showModal/modal wrapper, and template aria-expanded/aria-activedescendant — the interaction surface map.
  • R5 (low confidence) client event names that look like open/close/toggle reaching the server via pushEvent — candidates for "server derives canonical open state from a lossy signal" (Observation contract). Human review required.