Found in BugHunter smoke #15
SurfaceMCP's vite stack discovers pages but returns 0 API tools for the comprehensive-bench's web surface. `surface_routes_for_page` returns `not_found` for every SPA path. Result: BugHunter's form-reachability probe runs 0 probes, XSS canaries 0 planned, pen-test form payloads 0, race conditions 0, multi-context 0. 80 of 96 gold kinds blocked.
Hypothesis
The vite extractor in SurfaceMCP looks for backend route handlers but a Vite SPA is frontend-only — backend is at the API surface. The vite extractor should instead enumerate forms in the React component tree and treat each form's submit endpoint as a callable tool.
Fix paths
- A: have the vite extractor walk the React component tree for `` elements + their action URLs, register each as a "form_submit" tool
- B: have BugHunter cross-reference the vite surface's pages against the api surface's tools (the api surface DOES have tools at endpoints the forms POST to)
Recommend B if simpler — extends BugHunter's surface-aware crawler to recognize that forms on UI surfaces correspond to tools on backend surfaces.
Priority
Highest — single biggest gap blocking 80 BugKinds in comprehensive-bench. Likely affects every Vite/Next/React-frontend real-world target too.
Found in BugHunter smoke #15
SurfaceMCP's vite stack discovers pages but returns 0 API tools for the comprehensive-bench's web surface. `surface_routes_for_page` returns `not_found` for every SPA path. Result: BugHunter's form-reachability probe runs 0 probes, XSS canaries 0 planned, pen-test form payloads 0, race conditions 0, multi-context 0. 80 of 96 gold kinds blocked.
Hypothesis
The vite extractor in SurfaceMCP looks for backend route handlers but a Vite SPA is frontend-only — backend is at the API surface. The vite extractor should instead enumerate forms in the React component tree and treat each form's submit endpoint as a callable tool.
Fix paths
Recommend B if simpler — extends BugHunter's surface-aware crawler to recognize that forms on UI surfaces correspond to tools on backend surfaces.
Priority
Highest — single biggest gap blocking 80 BugKinds in comprehensive-bench. Likely affects every Vite/Next/React-frontend real-world target too.