원클릭으로
arib-check-reality
Check | Scan for mock data, fake APIs, hardcoded responses - verify the system is genuinely connected
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Check | Scan for mock data, fake APIs, hardcoded responses - verify the system is genuinely connected
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Memory | Code-graph subsystem — a native lightweight IMPORT graph (which file imports which, god-node candidates) built with ripgrep/grep, so a large monorepo can be navigated by structure instead of re-grepping every session. build/refresh/query. Honest scope: structural import graph, NOT semantic (no call-graph/type resolution); no Graphify dependency. Loads ON DEMAND only (zero always-on tokens). ADR-034.
Dev | Over-engineering review — reads a diff/module and returns a delete-list of bloat (single-use abstractions, premature generalization, speculative config, dead options) WITHOUT stripping legitimate structure. Advisory: returns recommendations, never auto-deletes. The on-demand companion to the ponytail-lite tripwire hook. Authored natively (no Ponytail dependency). ADR-033.
Wave | Pre-wave requirement lock — Act 1 derives the requirements from the codebase + memory (an honest grill, not guesswork), Act 2 hands the locked plan to an independent model (Codex) to tear apart until sign-off. Produces waves/<id>/PLAN.md + PLAN-REVIEW-LOG.md. Auto-chained idempotently from /arib-wave-start. If Act 2 can't run (no Codex), the wave proceeds but HOLDS MERGE for a human. Absorbs grill-me-codex (ADR-032).
Wave | Start a multi-session delivery wave — branch, plan, parallel architect+planner
Engine | Command the engineering team to deliver a known goal — dispatches the engineer-manager to decompose → dispatch specialists (parallel where safe) → integrate → reconcile (verification-agent) → merge gate. Scales its own reach: runs inline for a bounded goal, escalates to a parallel Workflow for a broad one, and paces under /loop for a multi-turn campaign — only when it needs to. Use when a goal needs a coordinated TEAM, not one specialist. Sibling of /arib-engine: the engine DISCOVERS its own backlog; /arib-build EXECUTES a goal you hand it.
Stack | NestJS architecture & patterns reference — modules/providers/DI, DTO+validation, guards/interceptors/pipes/filters, config, async lifecycle, testing, and the security + performance pitfalls that bite at scale. Use when building or reviewing a NestJS backend. Composes with security-auditor (OWASP), database-guardian (TypeORM/Prisma migrations), and performance (N+1). Authored natively (the ECC graft was unsourceable; this is CCM's own, MIT).
| name | arib-check-reality |
| argument-hint | <scope> |
| description | Check | Scan for mock data, fake APIs, hardcoded responses - verify the system is genuinely connected |
Perform a comprehensive reality audit of the codebase to detect mock data, fake APIs, hardcoded responses, placeholder content, and disconnected frontend-backend wiring. Produces a detailed report and remediation plan.
User types /arib-check-reality [scope]
Examples:
/arib-check-reality - Full codebase scan/arib-check-reality frontend - Frontend code only/arib-check-reality src/components - Specific directory/arib-check-reality auth - Auth-related code only/arib-check-reality payment-flow - Specific featureReal vs mock is binary: either data flows from actual backend systems or it doesn't. This audit finds every place where the codebase pretends to be connected when it isn't, preventing the experience of walking past a critical disconnect during QA or after deployment. Reality Score (% of data-driven components connected to real backends) is the key metric.
If the project uses microservices:
bash scripts/services-check.sh
bash scripts/services-check.sh --startRead .claude/agents/reality-auditor.md and follow the 10-step protocol.
Jest (JavaScript/TypeScript testing):
// LEGITIMATE (test file):
jest.mock('./api', () => ({
fetchUser: jest.fn(() => Promise.resolve({ id: 1, name: 'Alice' }))
}));
// ILLEGITIMATE (production file):
import { fetchUser } from './__mocks__/api'; // Should not exist in src/
Vitest (Vite testing):
// LEGITIMATE (test file):
vi.mock('./data', () => ({
userData: [{ id: 1, name: 'Test' }]
}));
// ILLEGITIMATE (production):
import { vi } from 'vitest'; // Should never import in non-test code
MSW (Mock Service Worker - legitimate in dev only):
// LEGITIMATE (dev environment):
if (process.env.NODE_ENV === 'development') {
import('./mocks/handlers').then(({ worker }) => worker.start());
}
// ILLEGITIMATE (production build):
// MSW should be stripped by build tool, if it appears in production bundle = bug
Detection Strategy:
package.json for: faker, msw, miragejs, json-server, nock, casual, chance, factory.botdependencies (not devDependencies) = potential red flag__tests__/, *.test.ts, *.spec.ts) for imports| Library | Legitimate Use | Red Flag |
|---|---|---|
faker | Test fixtures only | Imported in production code |
msw | Dev/test environments | MSW handler in production bundle |
miragejs | Dev server interceptor | Used in production code |
json-server | Local dev only | Running in production |
nock | Test HTTP mocking | Used outside test files |
Scan for mock/fake libraries in production dependencies:
package.json for faker, msw, miragejs, json-server, nock, casual, chancedependencies (BAD) or devDependencies (check usage)| Red Flag | Pattern | Example | Severity |
|---|---|---|---|
| Lorem ipsum | "Lorem ipsum dolor sit amet" | FAQ, help text, placeholders | MEDIUM (user-facing) |
| Fake phone | "555-" prefix or "(XXX) XXX-XXXX" | const phone = "555-0123" | CRITICAL (if user-facing) |
| Fake email | example.com, test.com, demo.com | email: "user@example.com" | CRITICAL (invalid email) |
| Test UUIDs | UUID patterns in plain text | "123e4567-e89b-12d3-a456-426614174000" | CRITICAL (auth/data) |
| Hardcoded array | const users = [{ id: 1, name: 'Alice' }] | Component renders static data | CRITICAL (data) |
| Mock file import | Import from mockData.ts in non-test | import { mockUsers } from '../mockData' | CRITICAL |
| setTimeout response | setTimeout(() => callback(...), 1000) | Faking API latency | CRITICAL |
Hardcoded Arrays (highest risk):
// ANTI-PATTERN: Production component with hardcoded data
export const Dashboard = () => {
const users = [
{ id: 1, name: 'Alice', email: 'alice@example.com' },
{ id: 2, name: 'Bob', email: 'bob@example.com' }
];
return <UserList users={users} />;
};
// CORRECT: Fetch from API
export const Dashboard = () => {
const [users, setUsers] = useState([]);
useEffect(() => {
fetch('/api/users').then(r => r.json()).then(setUsers);
}, []);
return <UserList users={users} />;
};
Mock Data Files:
// BAD: Imported into production code
import { mockUsers } from '../__mocks__/data';
const UserProfile = ({ userId }) => {
const user = mockUsers.find(u => u.id === userId);
return <div>{user.name}</div>;
};
// GOOD: Mock files only in tests
// src/__tests__/UserProfile.test.ts:
import { mockUsers } from '../__mocks__/data';
Fake Email Red Flags:
@example.com, @example.org, @test.com, @demo.com, @localhostnoreply@, support@, no-reply@ if actual addresses not configureduser+test@, test@, admin@ hardcoded in seed dataFake Phone Red Flags:
555-0000 to 555-9999 (reserved test range)(XXX) XXX-XXXX if not actual validation+1-800- if not real support lineLorem Ipsum Variants:
Search for hardcoded data in production source code:
mockData.ts, fakeUsers.js, sampleData.json) imported by production codesetTimeout / setInterval simulating API responsesReal API (GOOD):
// API base URL from environment
const API = process.env.REACT_APP_API_URL || 'http://localhost:8080';
export const fetchUsers = async () => {
const response = await fetch(`${API}/api/users`);
return response.json();
};
// Usage: Component fetches from real endpoint
const Dashboard = () => {
const [users, setUsers] = useState([]);
useEffect(() => {
fetchUsers().then(setUsers);
}, []);
return <UserList users={users} />;
};
Mock Service Worker (LEGITIMATE in dev/test):
// handlers.ts (dev only)
import { http, HttpResponse } from 'msw';
export const handlers = [
http.get('/api/users', () => {
return HttpResponse.json([
{ id: 1, name: 'Alice' }
]);
})
];
// app.tsx
if (process.env.NODE_ENV === 'development') {
import('./mocks/worker').then(({ worker }) => worker.start());
}
Disconnected Wiring (BAD):
// API function exists but is never called
export const fetchUsers = async () => {
return fetch(`${API}/api/users`).then(r => r.json());
};
// Component ignores it, uses hardcoded data
const Dashboard = () => {
const users = [{ id: 1, name: 'Mock User' }]; // <-- BUG
return <UserList users={users} />;
};
For every component that displays or submits data:
Verify authentication is real:
isAuthenticated = true hardcoded anywhereFor each component/module that handles data, classify:
Reality Score = (REAL components) / (total data-driven components) × 100%
Example:
- REAL components: 12 (fetching from real APIs)
- PARTIAL components: 3 (some real, some mock)
- FAKE components: 2 (entirely hardcoded)
- Total data-driven: 17
- Reality Score = 12 / 17 = 70.6%
| Classification | Criteria | Example | Action |
|---|---|---|---|
| 🟢 REAL | Connected to real backend, all data flows from API | User dashboard fetching from /api/users | No action needed |
| 🟡 PARTIAL | Mix of real and mock data | Loading products from API, but prices hardcoded | Identify which parts are mock, fix |
| 🔴 FAKE | Entirely disconnected, all hardcoded data | Component renders array of fake users | Replace with API call |
| ⚫ DISCONNECTED | API code exists but not connected to UI | fetchUsers() exists but component ignores it | Wire component to API |
| ⚪ STATIC | Intentionally static (about page, FAQ, legal) | Help text, company info | Document as intentional, no action |
For each FAKE or PARTIAL finding, use this template:
## Finding: [Component name]
**File:** src/components/UserList.tsx (line 45)
**Classification:** FAKE
**Risk Level:** CRITICAL (user-facing data)
**Current Reality:** Hardcoded array of 3 fake users
### Current Code
const users = [
{ id: 1, name: 'Alice', email: 'alice@example.com' },
{ id: 2, name: 'Bob', email: 'bob@example.com' },
{ id: 3, name: 'Charlie', email: 'charlie@example.com' }
];
### Proposed Code
const [users, setUsers] = useState([]);
const [loading, setLoading] = useState(false);
useEffect(() => {
setLoading(true);
fetch('/api/users')
.then(r => r.json())
.then(setUsers)
.finally(() => setLoading(false));
}, []);
### Backend Dependency
- Endpoint: `GET /api/users`
- Response format: `{ id: number, name: string, email: string }[]`
- Backend status: EXISTS (already implemented)
### Dependencies
- Phase A must complete first (API client initialization)
- No other blockers
### Effort Estimate
- Implementation: 1 point (simple fetch + useState)
- Testing: 1 point (mock fetch, test loading state)
- Total: 2 points
| Phase | Tasks | Dependencies |
|---|---|---|
| Phase A: Foundation | API client setup, env vars, auth | None |
| Phase B: Data layer | Replace mocks with real API calls | Phase A complete |
| Phase C: Cleanup | Remove mock files, mock libraries | Phase B complete |
Example execution:
Present the complete Reality Audit Report with:
git add docs/reality-audit-[date].md
git commit -m "[audit]: reality check - [score]% genuine, [N] findings"
🔍 Reality Audit Complete
Reality Score: XX% genuine
| Classification | Count |
|----------------|-------|
| 🟢 REAL | N |
| 🟡 PARTIAL | N |
| FAKE | N |
| ⚫ DISCONNECTED | N |
| ⚪ STATIC | N |
Critical Findings: N
Remediation Steps: N
Estimated Fix Time: X hours
[Detailed report follows...]
__tests__/ is OK, mock in src/ is not/arib-check-perf - Performance audit (mock data may hide N+1 queries)/arib-check-services - Verify backend services running before auditing/arib-dev-debug - Debug why API calls are failing vs why code is ignoring them