AXE-3625: Add defaultCategory to Phase 2 bulk-review rules

[rajathmr2000]

Wire seven axe-core rules to their Phase 2 bulk-review categories via metadata.defaultCategory (reference data only; no rule logic change):

aria-hidden-focus -> aria-hidden
aria-valid-attr-value -> aria-attributes
bypass -> bypass-blocks
css-orientation-lock -> orientation
duplicate-id-aria -> duplicate-ids
identical-links-same-purpose -> link-consistency
video-caption -> media-captions

<< Describe the changes >>

Closes:

[rajathmr2000]

Claude Code PR Review

PR: #244 • Head: 7b2a6b3 • Reviewers: stack:code-reviewer

Summary

Adds a metadata.defaultCategory string to 7 axe-core rule definitions (aria-hidden-focus, aria-valid-attr-value, bypass, css-orientation-lock, duplicate-id-aria, identical-links-same-purpose, video-caption), routing each rule to a review category for the AXE-3625 Phase-2 bulk-review feature. Inert metadata only — no effect on scan correctness, evaluation, or in-flight version compatibility.

Review Table

Priority	Category	Check	Status	Notes
High	Security	No hardcoded secrets or credentials	Pass	Data-only JSON metadata.
High	Security	Authentication/authorization checks present	N/A	No auth surface touched.
High	Security	Input validation and sanitization	N/A	No runtime input handling.
High	Security	No IDOR — resource ownership validated	N/A	No resource access.
High	Security	No SQL injection (parameterized queries)	N/A	No DB.
High	Correctness	Logic is correct, handles edge cases	Pass	All 7 files parse cleanly; one defaultCategory key each, correct comma placement, no duplicate keys.
High	Correctness	Error handling is explicit, no swallowed exceptions	N/A	No code paths.
High	Correctness	No race conditions or concurrency issues	N/A	Static data.
Medium	Testing	New code has corresponding tests	Pass	Guard suite ip-protection/test/rules/bulk-review-categories.test.js (PHASE2_BATCH2) asserts this rule→slug map; 29/29 pass.
Medium	Testing	Error paths and edge cases tested	N/A	No new logic.
Medium	Testing	Existing tests still pass (no regressions)	Pass	29/29 green with the diff applied.
Medium	Performance	No N+1 queries or unbounded data fetching	N/A	No data access.
Medium	Performance	Long-running tasks use background jobs	N/A	N/A.
Medium	Quality	Follows existing codebase patterns	Pass	defaultCategory already present on ~12 other rules; allowed in build validator schema (build/tasks/validate.js:237, metadata is additionalProperties:false).
Medium	Quality	Changes are focused (single concern)	Pass	Single concern: category metadata for Phase-2 batch.
Low	Quality	Meaningful names, no dead code	Pass	All 7 slugs resolve to existing keys in a11y-engine-core/review_category.json.
Low	Quality	Comments explain why, not what	N/A	JSON cannot hold comments; // [tag]: convention inapplicable to .json.
Low	Quality	No unnecessary dependencies added	Pass	None added.

Findings

No blocking findings.

Note: defaultCategory is inserted as the first metadata property (before description), whereas existing rules like color-contrast.json place it after needsReviewConfidence. Ordering is semantically irrelevant for JSON — cosmetic only, not worth blocking.

Note: The guarding tests live in the consuming ip-protection / a11y-engine-core repos, not in this submodule PR's diff (correctly out-of-scope here). The category keys in review_category.json and the bulk-review-categories.test.js map are already on main in the monorepo working tree, so the submodule bump can land together with or after them safely.

---

Verdict: PASS — clean, low-risk, test-backed metadata addition; every value resolves against the category registry and the guard suite is green.