@critiq/cli 0.2.0 → 0.3.0

package/main.js

@@ -56,22 +56,22 @@ function createJsonPointer(segments) {
   }
   return `/${segments.map(escapeJsonPointerSegment).join("/")}`;
 }
-function createDiagnostic(input) {
-  assertNonEmptyString(String(input.code), "code");
-  assertNonEmptyString(input.message, "message");
-  const severity = input.severity ?? DIAGNOSTIC_SEVERITY_ERROR;
+function createDiagnostic(input2) {
+  assertNonEmptyString(String(input2.code), "code");
+  assertNonEmptyString(input2.message, "message");
+  const severity = input2.severity ?? DIAGNOSTIC_SEVERITY_ERROR;
   assertSeverity(severity);
-  if (input.summary !== void 0) {
-    assertNonEmptyString(input.summary, "summary");
+  if (input2.summary !== void 0) {
+    assertNonEmptyString(input2.summary, "summary");
   }
   return {
-    code: input.code,
+    code: input2.code,
     severity,
-    message: input.message,
-    summary: input.summary,
-    sourceSpan: input.sourceSpan,
-    jsonPointer: input.jsonPointer,
-    details: input.details
+    message: input2.message,
+    summary: input2.summary,
+    sourceSpan: input2.sourceSpan,
+    jsonPointer: input2.jsonPointer,
+    details: input2.details
   };
 }
 function compareNullableStrings(left, right) {
@@ -142,7 +142,7 @@ function formatDiagnosticsForTerminal(diagnostics) {
 }
 
 // apps/cli/src/main.ts
-var import_node_path15 = require("node:path");
+var import_node_path22 = require("node:path");
 
 // apps/cli/src/cli-runtime.ts
 var defaultRuntime = {
@@ -167,7 +167,10 @@ function resolveRuntime(runtime = {}) {
     writeStdout: runtime.writeStdout ?? defaultRuntime.writeStdout,
     writeStderr: runtime.writeStderr ?? defaultRuntime.writeStderr,
     writeRaw: runtime.writeRaw ?? (runtime.writeStdout || runtime.writeStderr ? discardOutput : defaultRuntime.writeRaw),
-    isInteractive: runtime.isInteractive ?? (runtime.writeRaw ? true : runtime.writeStdout || runtime.writeStderr ? false : defaultRuntime.isInteractive)
+    isInteractive: runtime.isInteractive ?? (runtime.writeRaw ? true : runtime.writeStdout || runtime.writeStderr ? false : defaultRuntime.isInteractive),
+    cliInstallScope: runtime.cliInstallScope,
+    promptChoice: runtime.promptChoice,
+    runPackageInstall: runtime.runPackageInstall
   };
 }
 
@@ -366,8 +369,8 @@ var ruleCatalogSchema = import_zod.z.object({
     }).strict()
   ).min(1)
 }).strict();
-function validateRuleCatalog(input) {
-  const result = ruleCatalogSchema.safeParse(input);
+function validateRuleCatalog(input2) {
+  const result = ruleCatalogSchema.safeParse(input2);
   if (result.success) {
     return {
       success: true,
@@ -415,20 +418,20 @@ function loadRuleCatalogText(text, path) {
   const uri = (0, import_node_url.pathToFileURL)(path).href;
   const loaded = loadYamlText(text, uri);
   if (!loaded.success) {
-    const failure = loaded;
+    const failure2 = loaded;
     return {
       success: false,
-      diagnostics: failure.issues.map(issueToDiagnostic),
+      diagnostics: failure2.issues.map(issueToDiagnostic),
       path,
       uri
     };
   }
   const validated = validateRuleCatalog(loaded.data);
   if (!validated.success) {
-    const failure = validated;
+    const failure2 = validated;
     return {
       success: false,
-      diagnostics: failure.diagnostics,
+      diagnostics: failure2.diagnostics,
       path,
       uri
     };
@@ -506,7 +509,7 @@ function resolveCatalogPackage(cwd, packageName, additionalResolverBasePaths = [
       diagnostics: [
         createDiagnostic({
           code: "catalog.package.not-found",
-          message: `Unable to resolve catalog package \`${packageName}\`.`,
+          message: `Unable to resolve catalog package \`${packageName}\`. Install it in this repository or globally, then run \`critiq check\` again.`,
           details: {
             packageName
           }
@@ -531,6 +534,18 @@ function resolveCatalogRulePaths(catalog, packageRoot, preset) {
     rulePath: (0, import_node_path.resolve)(packageRoot, entry.rulePath)
   }));
 }
+function looksLikeCloudFormationPath(filePath) {
+  const normalized = filePath.replace(/\\/gu, "/").toLowerCase();
+  const fileName = normalized.split("/").pop() ?? normalized;
+  if (/(?:^|\/)(?:templates?|cloudformation|cfn|sam|infra|iac)(?:\/|$)/u.test(
+    normalized
+  )) {
+    return true;
+  }
+  return /(?:template|cloudformation|stack|cfn|sam)[^/]*\.(?:ya?ml|json)$/u.test(
+    fileName
+  );
+}
 function detectRepositoryLanguages(filePaths) {
   const detected = /* @__PURE__ */ new Set();
   for (const filePath of filePaths) {
@@ -559,6 +574,9 @@ function detectRepositoryLanguages(filePaths) {
     if (extension === ".rs") {
       detected.add("rust");
     }
+    if ((extension === ".yaml" || extension === ".yml" || extension === ".json") && looksLikeCloudFormationPath(filePath)) {
+      detected.add("cloudformation");
+    }
   }
   return [...detected].sort();
 }
@@ -713,8 +731,8 @@ function normalizeZodIssue(issue) {
   }
   return normalized;
 }
-function validateFinding(input) {
-  const result = findingV0Schema.safeParse(input);
+function validateFinding(input2) {
+  const result = findingV0Schema.safeParse(input2);
   if (result.success) {
     return {
       success: true,
@@ -744,7 +762,8 @@ var configLanguageSchema = import_zod4.z.enum([
   "java",
   "php",
   "ruby",
-  "rust"
+  "rust",
+  "cloudformation"
 ]);
 var CRITIQ_CONFIG_DEFAULT_PATH = ".critiq/config.yaml";
 var critiqPresetSchema = import_zod4.z.enum([
@@ -866,8 +885,8 @@ function normalizeCritiqConfig(config) {
     secretsScan: normalizeSecretsScanConfig(config.secretsScan)
   };
 }
-function validateCritiqConfig(input) {
-  const result = critiqConfigSchema.safeParse(input);
+function validateCritiqConfig(input2) {
+  const result = critiqConfigSchema.safeParse(input2);
   if (result.success) {
     return {
       success: true,
@@ -889,20 +908,20 @@ function loadCritiqConfigText(text, path) {
   const uri = (0, import_node_url2.pathToFileURL)(path).href;
   const loaded = loadYamlText(text, uri);
   if (!loaded.success) {
-    const failure = loaded;
+    const failure2 = loaded;
     return {
       success: false,
-      diagnostics: failure.issues.map(issueToDiagnostic2),
+      diagnostics: failure2.issues.map(issueToDiagnostic2),
       path,
       uri
     };
   }
   const validated = validateCritiqConfig(loaded.data);
   if (!validated.success) {
-    const failure = validated;
+    const failure2 = validated;
     return {
       success: false,
-      diagnostics: failure.diagnostics,
+      diagnostics: failure2.diagnostics,
       path,
       uri
     };
@@ -1721,10 +1740,10 @@ function buildFinding(rule, analyzedFile, match, options = {}) {
   };
   const validation = validateFinding(finding);
   if (!validation.success) {
-    const failure = validation;
+    const failure2 = validation;
     return {
       success: false,
-      issues: toFindingIssues(failure.issues)
+      issues: toFindingIssues(failure2.issues)
     };
   }
   return {
@@ -1734,8 +1753,8 @@ function buildFinding(rule, analyzedFile, match, options = {}) {
 }
 
 // libs/runtime/check-runner/src/lib/check-runner/runtime.ts
-var import_node_fs8 = require("node:fs");
-var import_node_path10 = require("node:path");
+var import_node_fs9 = require("node:fs");
+var import_node_path12 = require("node:path");
 
 // libs/runtime/check-runner/src/lib/check-runner/findings.ts
 function applySeverityOverride(finding, severityOverride) {
@@ -3220,6 +3239,9 @@ var RUBY_RAILS_SECURITY_FACT_KINDS = {
   csrfDisabled: "ruby.security.rails-csrf-disabled",
   openRedirect: "ruby.security.rails-open-redirect",
   unsafeHtmlOutput: "ruby.security.rails-unsafe-html-output",
+  plaintextPasswordInCallback: "ruby.security.plaintext-password-in-callback",
+  linkToBlankWithoutNoopener: "ruby.security.rails-link-to-blank-without-noopener",
+  railsOutputUnsafe: "ruby.security.rails-output-unsafe",
   sidekiqWebUnauthenticatedMount: "ruby.security.sidekiq-web-unauthenticated-mount",
   unsafeRender: "ruby.security.rails-unsafe-render",
   detailedExceptionsEnabled: "ruby.security.rails-detailed-exceptions-enabled",
@@ -3274,7 +3296,10 @@ function collectRubyRailsSecurityFacts(options) {
     ...collectSidekiqMountFacts(text, detector),
     ...collectUnsafeRenderFacts(text, detector, state, matchesTainted),
     ...collectDetailedExceptionsFacts(text, detector, path),
-    ...collectUnsafeSessionCookieFacts(text, detector)
+    ...collectUnsafeSessionCookieFacts(text, detector),
+    ...collectPlaintextPasswordInCallbackFacts(text, detector),
+    ...collectLinkToBlankWithoutNoopenerFacts(text, detector),
+    ...collectRailsOutputUnsafeFacts(text, path, detector)
   ];
 }
 function collectUnsafeStrongParametersFacts(text, detector) {
@@ -3551,6 +3576,89 @@ function collectDetailedExceptionsFacts(text, detector, path) {
     })
   );
 }
+var RAILS_HASH_CALL_WINDOW = 420;
+function sliceRailsHashCallWindow(text, startOffset, endOffset) {
+  return text.slice(
+    startOffset,
+    Math.min(text.length, endOffset + RAILS_HASH_CALL_WINDOW)
+  );
+}
+function collectPlaintextPasswordInCallbackFacts(text, detector) {
+  const kind = RUBY_RAILS_SECURITY_FACT_KINDS.plaintextPasswordInCallback;
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind,
+    appliesTo: "block",
+    pattern: /\bhttp_basic_authenticate_with\b/g,
+    predicate: (match) => {
+      const window = sliceRailsHashCallWindow(
+        text,
+        match.startOffset,
+        match.endOffset
+      );
+      if (!/password:\s*["']/u.test(window)) {
+        return false;
+      }
+      if (/password:\s*ENV(?:\.fetch)?\b/u.test(window)) {
+        return false;
+      }
+      if (/password:\s*Rails\.application\.credentials/u.test(window)) {
+        return false;
+      }
+      return true;
+    }
+  });
+}
+function collectLinkToBlankWithoutNoopenerFacts(text, detector) {
+  const kind = RUBY_RAILS_SECURITY_FACT_KINDS.linkToBlankWithoutNoopener;
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind,
+    appliesTo: "block",
+    pattern: /\blink_to\b/g,
+    predicate: (match) => {
+      const window = sliceRailsHashCallWindow(
+        text,
+        match.startOffset,
+        match.endOffset
+      );
+      if (!/target:\s*['"]_blank['"]/u.test(window)) {
+        return false;
+      }
+      return !/rel:\s*['"][^'"]*(?:noopener|noreferrer)/u.test(window);
+    }
+  });
+}
+function collectRailsOutputUnsafeFacts(text, path, detector) {
+  if (isTestLikeSourcePath(path)) {
+    return [];
+  }
+  const kind = RUBY_RAILS_SECURITY_FACT_KINDS.railsOutputUnsafe;
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind,
+    appliesTo: "block",
+    pattern: /\.html_safe\b/g
+  }).concat(
+    collectMatchedFacts({
+      text,
+      detector,
+      kind,
+      appliesTo: "block",
+      pattern: /\braw\s*\(/g
+    }),
+    collectMatchedFacts({
+      text,
+      detector,
+      kind,
+      appliesTo: "block",
+      pattern: /\.safe_concat\s*\(/g
+    })
+  );
+}
 function collectUnsafeSessionCookieFacts(text, detector) {
   const kind = RUBY_RAILS_SECURITY_FACT_KINDS.unsafeSessionOrCookieStore;
   return collectMatchedFacts({
@@ -3584,6 +3692,234 @@ function collectRubySensitiveDataEgressFacts(options) {
   });
 }
 
+// libs/adapters/shared/src/lib/polyglot/domains/ruby-general-security.ts
+var RUBY_GENERAL_SECURITY_FACT_KINDS = {
+  dynamicCodeExecution: "ruby.security.dynamic-code-execution",
+  kernelOpen: "ruby.security.kernel-open",
+  insecureJsonLoad: "ruby.security.insecure-json-load",
+  debuggerCall: "ruby.security.debugger-call"
+};
+function collectRubyGeneralSecurityFacts(options) {
+  const { text, path, detector } = options;
+  return [
+    ...collectDynamicCodeExecutionFacts2(text, detector),
+    ...collectKernelOpenFacts(text, detector),
+    ...collectInsecureJsonLoadFacts(text, detector),
+    ...collectDebuggerCallFacts(text, path, detector)
+  ];
+}
+function collectDynamicCodeExecutionFacts2(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_GENERAL_SECURITY_FACT_KINDS.dynamicCodeExecution,
+    appliesTo: "block",
+    pattern: /\b(?:eval|exec|binding\.eval|class_eval|module_eval|instance_eval)\s*[({]/g
+  });
+}
+function collectKernelOpenFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_GENERAL_SECURITY_FACT_KINDS.kernelOpen,
+    appliesTo: "block",
+    pattern: /\b(?:Kernel\.)?open\s*\(\s*["'][|]/g
+  });
+}
+function collectInsecureJsonLoadFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_GENERAL_SECURITY_FACT_KINDS.insecureJsonLoad,
+    appliesTo: "block",
+    pattern: /\b(?:JSON\.(?:load|restore)|Oj\.load|MultiJson\.load)\s*\(/g
+  });
+}
+function collectDebuggerCallFacts(text, path, detector) {
+  if (isTestLikeSourcePath(path)) {
+    return [];
+  }
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_GENERAL_SECURITY_FACT_KINDS.debuggerCall,
+    appliesTo: "block",
+    pattern: /\b(?:debugger|byebug|binding\.break)\b/g
+  });
+}
+
+// libs/adapters/shared/src/lib/polyglot/domains/ruby-bug-risk.ts
+var RUBY_BUG_RISK_FACT_KINDS = {
+  exceptionClassOverwritten: "ruby.bug-risk.exception-class-overwritten",
+  rawSqlWithoutSquish: "ruby.bug-risk.raw-sql-without-squish",
+  divisionByZero: "ruby.bug-risk.division-by-zero",
+  assignmentInCondition: "ruby.bug-risk.assignment-in-condition",
+  duplicateHashKeys: "ruby.bug-risk.duplicate-hash-keys",
+  deprecatedUriEscape: "ruby.bug-risk.deprecated-uri-escape"
+};
+var RESCUE_EXCEPTION_CLASS_NAMES = "StandardError|Exception|RuntimeError|ArgumentError|NameError|TypeError|NoMethodError|IOError|IndexError|RangeError|RegexpError|SyntaxError|LoadError|ZeroDivisionError|NotImplementedError|ScriptError|SecurityError|SystemCallError|SystemStackError|ThreadError|FrozenError|LocalJumpError";
+function collectRubyBugRiskFacts(options) {
+  const { text, detector } = options;
+  return dedupeFacts([
+    ...collectExceptionClassOverwrittenFacts(text, detector),
+    ...collectRawSqlWithoutSquishFacts(text, detector),
+    ...collectDivisionByZeroFacts(text, detector),
+    ...collectAssignmentInConditionFacts(text, detector),
+    ...collectDuplicateHashKeyFacts(text, detector),
+    ...collectDeprecatedUriEscapeFacts(text, detector)
+  ]);
+}
+function collectExceptionClassOverwrittenFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_BUG_RISK_FACT_KINDS.exceptionClassOverwritten,
+    appliesTo: "block",
+    pattern: new RegExp(
+      `\\brescue\\s*=>\\s*(?:${RESCUE_EXCEPTION_CLASS_NAMES})\\b`,
+      "g"
+    )
+  });
+}
+function collectRawSqlWithoutSquishFacts(text, detector) {
+  const kind = RUBY_BUG_RISK_FACT_KINDS.rawSqlWithoutSquish;
+  const callPatterns = [/\bwhere\s*\(/g, /\bfind_by_sql\s*\(/g];
+  return callPatterns.flatMap(
+    (pattern) => collectSnippetFacts({
+      text,
+      detector,
+      kind,
+      appliesTo: "block",
+      pattern,
+      state: void 0,
+      predicate: (snippet) => {
+        if (!/<<-?~?\w*/u.test(snippet.text)) {
+          return false;
+        }
+        return !/\.squish\b/u.test(snippet.text);
+      }
+    })
+  );
+}
+function collectDivisionByZeroFacts(text, detector) {
+  const kind = RUBY_BUG_RISK_FACT_KINDS.divisionByZero;
+  const facts = [];
+  const lines = text.split("\n");
+  let offset = 0;
+  for (const line of lines) {
+    const stripped = stripHashLineComment(line);
+    const pattern = /\/\s*0(?:\.0+)?\b/g;
+    for (const match of findAllMatches(stripped, pattern)) {
+      facts.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: offset + match.startOffset,
+          endOffset: offset + match.endOffset,
+          text: match.matchedText
+        })
+      );
+    }
+    offset += line.length + 1;
+  }
+  return facts;
+}
+function collectAssignmentInConditionFacts(text, detector) {
+  const kind = RUBY_BUG_RISK_FACT_KINDS.assignmentInCondition;
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind,
+    appliesTo: "block",
+    pattern: /\b(?:if|unless|while|until)\s+(?:\([^)]*\s*)?(\w+)\s*=(?!=)(?![=>])/g
+  });
+}
+function collectDeprecatedUriEscapeFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: RUBY_BUG_RISK_FACT_KINDS.deprecatedUriEscape,
+    appliesTo: "block",
+    pattern: /\bURI\.(?:escape|unescape|encode|decode)\s*\(/g
+  });
+}
+function collectDuplicateHashKeyFacts(text, detector) {
+  const kind = RUBY_BUG_RISK_FACT_KINDS.duplicateHashKeys;
+  const findings = [];
+  for (const literal of collectRubyHashLiteralRanges(text)) {
+    const seen = /* @__PURE__ */ new Set();
+    for (const key of extractRubyHashKeys(literal.content)) {
+      if (seen.has(key.normalized)) {
+        findings.push(
+          createOffsetFact(text, {
+            detector,
+            appliesTo: "block",
+            kind,
+            startOffset: literal.startOffset + key.startOffset,
+            endOffset: literal.startOffset + key.endOffset,
+            text: key.raw
+          })
+        );
+        continue;
+      }
+      seen.add(key.normalized);
+    }
+  }
+  return findings;
+}
+function collectRubyHashLiteralRanges(text) {
+  const ranges = [];
+  const stack = [];
+  for (let index = 0; index < text.length; index += 1) {
+    const char = text[index];
+    if (char === "{") {
+      stack.push(index);
+      continue;
+    }
+    if (char !== "}" || stack.length === 0) {
+      continue;
+    }
+    const start = stack.pop();
+    if (start === void 0) {
+      continue;
+    }
+    const content = text.slice(start + 1, index);
+    if (!looksLikeRubyHashLiteral(content)) {
+      continue;
+    }
+    ranges.push({
+      startOffset: start,
+      endOffset: index + 1,
+      content
+    });
+  }
+  return ranges;
+}
+function looksLikeRubyHashLiteral(content) {
+  return /:\w+\s*=>|["'][\w-]+["']\s*=>|\b\w+\s*:/u.test(content);
+}
+function extractRubyHashKeys(hashContent) {
+  const keys = [];
+  for (const match of hashContent.matchAll(
+    /(?:(["'])([^"']+)\1\s*=>)|(?::(\w+)\s*=>)|(?:\b(\w+)\s*:)/gu
+  )) {
+    const symbol = match[2] ?? match[3] ?? match[4];
+    if (!symbol) {
+      continue;
+    }
+    const raw = match[0];
+    const startOffset = match.index ?? 0;
+    keys.push({
+      raw,
+      normalized: symbol.toLowerCase(),
+      startOffset,
+      endOffset: startOffset + raw.length
+    });
+  }
+  return keys;
+}
+
 // libs/adapters/shared/src/lib/polyglot/domains/php-framework-security.ts
 var PHP_FRAMEWORK_SECURITY_FACT_KINDS = {
   laravelUnsafeMassAssignment: "php.security.laravel-unsafe-mass-assignment",
@@ -3870,8 +4206,60 @@ var PHP_CORRECTNESS_FACT_KINDS = {
   switchMultipleDefault: "php.correctness.switch-multiple-default",
   errorSuppressionOperator: "php.correctness.error-suppression-operator",
   unreachableAfterReturn: "php.correctness.unreachable-after-return",
-  nullsafeReturnedByReference: "php.correctness.nullsafe-returned-by-reference"
+  nullsafeReturnedByReference: "php.correctness.nullsafe-returned-by-reference",
+  emptyArrayLiteralSlot: "php.correctness.empty-array-literal-slot",
+  emptyBracketArrayAccess: "php.correctness.empty-bracket-array-access",
+  deprecatedUnsetCast: "php.correctness.deprecated-unset-cast",
+  duplicateDeclaration: "php.correctness.duplicate-declaration",
+  nestedFunctionDeclaration: "php.correctness.nested-function-declaration",
+  breakContinueOutsideLoop: "php.correctness.break-continue-outside-loop",
+  abstractMethodOutsideAbstractClass: "php.correctness.abstract-method-outside-abstract-class",
+  uselessUnset: "php.correctness.useless-unset",
+  invalidRegexLiteral: "php.correctness.invalid-regex-literal",
+  todoFixmeMarker: "php.correctness.todo-fixme-marker",
+  selfAssignment: "php.correctness.self-assignment",
+  defaultParameterNotLast: "php.correctness.default-parameter-not-last",
+  emptyFunctionBody: "php.correctness.empty-function-body",
+  unknownMagicMethod: "php.correctness.unknown-magic-method",
+  caseInsensitiveDefine: "php.correctness.case-insensitive-define",
+  deprecatedFilterConstant: "php.correctness.deprecated-filter-constant",
+  emptyCodeBlock: "php.correctness.empty-code-block",
+  deprecatedLibxmlEntityLoader: "php.correctness.deprecated-libxml-entity-loader",
+  redundantStringCastConcat: "php.correctness.redundant-string-cast-concat",
+  missingMemberVisibility: "php.correctness.missing-member-visibility",
+  functionComparison: "php.correctness.function-comparison",
+  uselessPostIncrement: "php.correctness.useless-post-increment",
+  nestedSwitch: "php.correctness.nested-switch",
+  invalidCookieOptions: "php.correctness.invalid-cookie-options"
 };
+var PHP_VALID_MAGIC_METHODS = /* @__PURE__ */ new Set([
+  "__construct",
+  "__destruct",
+  "__call",
+  "__callStatic",
+  "__get",
+  "__set",
+  "__isset",
+  "__unset",
+  "__sleep",
+  "__wakeup",
+  "__serialize",
+  "__unserialize",
+  "__toString",
+  "__invoke",
+  "__set_state",
+  "__clone",
+  "__debugInfo"
+]);
+var PHP_VALID_COOKIE_OPTION_KEYS = /* @__PURE__ */ new Set([
+  "expires",
+  "path",
+  "domain",
+  "secure",
+  "httponly",
+  "samesite"
+]);
+var PHP_DEPRECATED_FILTER_CONSTANTS = /\bFILTER_(?:SANITIZE_STRING|SANITIZE_MAGIC_QUOTES|FLAG_ALLOW_THOUSAND)\b/gu;
 function collectPhpCorrectnessFacts(options) {
   const { text, detector } = options;
   return dedupeFacts([
@@ -3879,7 +4267,31 @@ function collectPhpCorrectnessFacts(options) {
     ...collectSwitchMultipleDefaultFacts(text, detector),
     ...collectErrorSuppressionOperatorFacts(text, detector),
     ...collectUnreachableAfterReturnFacts(text, detector),
-    ...collectNullsafeReturnedByReferenceFacts(text, detector)
+    ...collectNullsafeReturnedByReferenceFacts(text, detector),
+    ...collectEmptyArrayLiteralSlotFacts(text, detector),
+    ...collectEmptyBracketArrayAccessFacts(text, detector),
+    ...collectDeprecatedUnsetCastFacts(text, detector),
+    ...collectDuplicateDeclarationFacts(text, detector),
+    ...collectNestedFunctionDeclarationFacts(text, detector),
+    ...collectBreakContinueOutsideLoopFacts(text, detector),
+    ...collectAbstractMethodOutsideAbstractClassFacts(text, detector),
+    ...collectUselessUnsetFacts(text, detector),
+    ...collectInvalidRegexLiteralFacts(text, detector),
+    ...collectTodoFixmeMarkerFacts(text, detector),
+    ...collectSelfAssignmentFacts(text, detector),
+    ...collectDefaultParameterNotLastFacts(text, detector),
+    ...collectEmptyFunctionBodyFacts(text, detector),
+    ...collectUnknownMagicMethodFacts(text, detector),
+    ...collectCaseInsensitiveDefineFacts(text, detector),
+    ...collectDeprecatedFilterConstantFacts(text, detector),
+    ...collectEmptyCodeBlockFacts(text, detector),
+    ...collectDeprecatedLibxmlEntityLoaderFacts(text, detector),
+    ...collectRedundantStringCastConcatFacts(text, detector),
+    ...collectMissingMemberVisibilityFacts(text, detector),
+    ...collectFunctionComparisonFacts(text, detector),
+    ...collectUselessPostIncrementFacts(text, detector),
+    ...collectNestedSwitchFacts(text, detector),
+    ...collectInvalidCookieOptionsFacts(text, detector)
   ]);
 }
 function collectDuplicateArrayKeyFacts(text, detector) {
@@ -4259,6 +4671,771 @@ function collectNullsafeReturnedByReferenceFacts(text, detector) {
     pattern: /\b(?:static\s+)?fn\s*&\s*\([^)]*\)\s*=>\s*[^;{}\n]*\?->/gu
   });
 }
+function collectEmptyArrayLiteralSlotFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.emptyArrayLiteralSlot;
+  const findings = [];
+  for (const literal of collectAllPhpArrayLiteralRanges(text)) {
+    for (const match of findAllMatches(literal.content, /,\s*,|\[\s*,/gu)) {
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: literal.startOffset + 1 + match.startOffset,
+          endOffset: literal.startOffset + 1 + match.endOffset,
+          text: match.matchedText.trim() || ","
+        })
+      );
+    }
+  }
+  return dedupeFacts(findings);
+}
+function collectAllPhpArrayLiteralRanges(text) {
+  const ranges = [];
+  const arrayCallPattern = /\barray\s*\(/gu;
+  for (const match of findAllMatches(text, arrayCallPattern)) {
+    const openParen = match.endOffset - 1;
+    const closeParen = findMatchingDelimiter(text, openParen, "(", ")");
+    if (closeParen < 0) {
+      continue;
+    }
+    ranges.push({
+      startOffset: match.startOffset,
+      endOffset: closeParen + 1,
+      content: text.slice(openParen + 1, closeParen)
+    });
+  }
+  const stack = [];
+  for (let index = 0; index < text.length; index += 1) {
+    const char = text[index];
+    if (char === "[") {
+      stack.push(index);
+      continue;
+    }
+    if (char !== "]" || stack.length === 0) {
+      continue;
+    }
+    const start = stack.pop();
+    if (start === void 0) {
+      continue;
+    }
+    ranges.push({
+      startOffset: start,
+      endOffset: index + 1,
+      content: text.slice(start + 1, index)
+    });
+  }
+  return ranges;
+}
+function collectEmptyBracketArrayAccessFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.emptyBracketArrayAccess,
+    appliesTo: "block",
+    pattern: /\$\w+\[\s*\](?!\s*=)/gu
+  });
+}
+function collectDeprecatedUnsetCastFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.deprecatedUnsetCast,
+    appliesTo: "block",
+    pattern: /\(unset\)/gu
+  });
+}
+function collectDuplicateDeclarationFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.duplicateDeclaration;
+  const findings = [];
+  const seenFunctions = /* @__PURE__ */ new Map();
+  const seenClasses = /* @__PURE__ */ new Map();
+  for (const match of findAllMatches(
+    text,
+    /\bfunction\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(/gu
+  )) {
+    const name = /function\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(/u.exec(
+      match.matchedText
+    )?.[1];
+    if (!name || !isTopLevelDeclaration(text, match.startOffset)) {
+      continue;
+    }
+    if (seenFunctions.has(name)) {
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: match.startOffset,
+          endOffset: match.endOffset,
+          text: match.matchedText
+        })
+      );
+      continue;
+    }
+    seenFunctions.set(name, match.startOffset);
+  }
+  for (const match of findAllMatches(
+    text,
+    /\b(?:class|interface|trait|enum)\s+([A-Za-z_][A-Za-z0-9_]*)\b/gu
+  )) {
+    const name = /(?:class|interface|trait|enum)\s+([A-Za-z_][A-Za-z0-9_]*)\b/u.exec(
+      match.matchedText
+    )?.[1];
+    if (!name || !isTopLevelDeclaration(text, match.startOffset)) {
+      continue;
+    }
+    if (seenClasses.has(name)) {
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: match.startOffset,
+          endOffset: match.endOffset,
+          text: match.matchedText
+        })
+      );
+      continue;
+    }
+    seenClasses.set(name, match.startOffset);
+  }
+  return findings;
+}
+function isTopLevelDeclaration(text, offset) {
+  let braceDepth = 0;
+  for (let index = 0; index < offset; index += 1) {
+    const char = text[index];
+    if (char === "{") {
+      braceDepth += 1;
+      continue;
+    }
+    if (char === "}") {
+      braceDepth = Math.max(0, braceDepth - 1);
+    }
+  }
+  return braceDepth === 0;
+}
+function collectNestedFunctionDeclarationFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.nestedFunctionDeclaration;
+  const findings = [];
+  for (const match of findAllMatches(
+    text,
+    /\bfunction\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(/gu
+  )) {
+    if (!isInsideFunctionBody(text, match.startOffset)) {
+      continue;
+    }
+    findings.push(
+      createOffsetFact(text, {
+        detector,
+        appliesTo: "block",
+        kind,
+        startOffset: match.startOffset,
+        endOffset: match.endOffset,
+        text: match.matchedText
+      })
+    );
+  }
+  return findings;
+}
+function isInsideFunctionBody(text, offset) {
+  const stack = [];
+  let index = 0;
+  while (index < offset) {
+    index = skipPhpTrivia(text, index);
+    if (index >= offset) {
+      break;
+    }
+    const remaining = text.slice(index);
+    if (/^\bfunction\s+[A-Za-z_][\w]*\s*\(/u.test(remaining)) {
+      const openBrace = findNextControlOpenBrace(text, index);
+      if (openBrace >= 0 && openBrace < offset) {
+        stack.push("function");
+        index = openBrace + 1;
+        continue;
+      }
+    }
+    if (/^\b(?:class|trait|enum)\s+[A-Za-z_]/u.test(remaining)) {
+      const openBrace = findNextControlOpenBrace(text, index);
+      if (openBrace >= 0 && openBrace < offset) {
+        stack.push("class");
+        index = openBrace + 1;
+        continue;
+      }
+    }
+    const char = text[index];
+    if (char === "{") {
+      index += 1;
+      continue;
+    }
+    if (char === "}") {
+      stack.pop();
+      index += 1;
+      continue;
+    }
+    index += 1;
+  }
+  return stack[stack.length - 1] === "function";
+}
+function collectBreakContinueOutsideLoopFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.breakContinueOutsideLoop;
+  const findings = [];
+  const controlPattern = /\b(?:break|continue)\b(?:\s+\d+\s*)?;/gu;
+  for (const match of findAllMatches(text, controlPattern)) {
+    const keyword = /\b(break|continue)\b/u.exec(match.matchedText)?.[1];
+    if (!keyword) {
+      continue;
+    }
+    const context = getControlFlowContext(text, match.startOffset);
+    if (keyword === "continue" && context.loopDepth === 0) {
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: match.startOffset,
+          endOffset: match.endOffset,
+          text: match.matchedText
+        })
+      );
+      continue;
+    }
+    if (keyword === "break" && context.loopDepth === 0 && context.switchDepth === 0) {
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: match.startOffset,
+          endOffset: match.endOffset,
+          text: match.matchedText
+        })
+      );
+    }
+  }
+  return findings;
+}
+function getControlFlowContext(text, offset) {
+  const stack = [];
+  let index = 0;
+  while (index < offset) {
+    index = skipPhpTrivia(text, index);
+    if (index >= offset) {
+      break;
+    }
+    const remaining = text.slice(index);
+    if (/^\b(?:for|while|foreach|do)\b/u.test(remaining)) {
+      const openBrace = findNextControlOpenBrace(text, index);
+      if (openBrace >= 0 && openBrace < offset) {
+        stack.push("loop");
+        index = openBrace + 1;
+        continue;
+      }
+    }
+    if (/^\bswitch\b/u.test(remaining)) {
+      const openBrace = findNextControlOpenBrace(text, index);
+      if (openBrace >= 0 && openBrace < offset) {
+        stack.push("switch");
+        index = openBrace + 1;
+        continue;
+      }
+    }
+    const char = text[index];
+    if (char === "{") {
+      index += 1;
+      continue;
+    }
+    if (char === "}") {
+      stack.pop();
+      index += 1;
+      continue;
+    }
+    index += 1;
+  }
+  let loopDepth = 0;
+  let switchDepth = 0;
+  for (const frame of stack) {
+    if (frame === "loop") {
+      loopDepth += 1;
+    } else {
+      switchDepth += 1;
+    }
+  }
+  return { loopDepth, switchDepth };
+}
+function skipPhpTrivia(text, index) {
+  const remaining = text.slice(index);
+  if (remaining.startsWith("//") || remaining.startsWith("#")) {
+    const nextLine = remaining.search(/\r?\n/u);
+    return nextLine < 0 ? text.length : index + nextLine + 1;
+  }
+  if (remaining.startsWith("/*")) {
+    const end = remaining.indexOf("*/");
+    return end < 0 ? text.length : index + end + 2;
+  }
+  const quote = remaining[0];
+  if (quote === '"' || quote === "'") {
+    return skipQuotedPhpString(text, index, quote);
+  }
+  return index;
+}
+function skipQuotedPhpString(text, index, quote) {
+  let cursor = index + 1;
+  while (cursor < text.length) {
+    const char = text[cursor];
+    if (char === "\\") {
+      cursor += 2;
+      continue;
+    }
+    if (char === quote) {
+      return cursor + 1;
+    }
+    cursor += 1;
+  }
+  return text.length;
+}
+function findNextControlOpenBrace(text, fromOffset) {
+  let depth = 0;
+  let index = fromOffset;
+  while (index < text.length) {
+    index = skipPhpTrivia(text, index);
+    if (index >= text.length) {
+      return -1;
+    }
+    const char = text[index];
+    if (char === "(") {
+      depth += 1;
+      index += 1;
+      continue;
+    }
+    if (char === ")") {
+      depth = Math.max(0, depth - 1);
+      index += 1;
+      continue;
+    }
+    if (char === "{" && depth === 0) {
+      return index;
+    }
+    if (char === ";" && depth === 0) {
+      return -1;
+    }
+    index += 1;
+  }
+  return -1;
+}
+function collectAbstractMethodOutsideAbstractClassFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.abstractMethodOutsideAbstractClass;
+  const findings = [];
+  const classPattern = /\b(?:(abstract)\s+)?class\s+([A-Za-z_][A-Za-z0-9_]*)\b[^{]*\{/gu;
+  for (const match of findAllMatches(text, classPattern)) {
+    const isAbstract = Boolean(
+      /^\s*abstract\s+class\b/u.test(match.matchedText)
+    );
+    if (isAbstract) {
+      continue;
+    }
+    const openBrace = match.endOffset - 1;
+    const closeBrace = findMatchingDelimiter(text, openBrace, "{", "}");
+    if (closeBrace < 0) {
+      continue;
+    }
+    const body = text.slice(openBrace + 1, closeBrace);
+    const abstractMethodPattern = /\babstract\s+(?:(?:public|protected|private|static)\s+)*function\s+[A-Za-z_][\w]*\s*\(/gu;
+    for (const methodMatch of findAllMatches(body, abstractMethodPattern)) {
+      const absoluteStart = openBrace + 1 + methodMatch.startOffset;
+      const absoluteEnd = openBrace + 1 + methodMatch.endOffset;
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: absoluteStart,
+          endOffset: absoluteEnd,
+          text: methodMatch.matchedText
+        })
+      );
+    }
+  }
+  return findings;
+}
+function collectUselessUnsetFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.uselessUnset,
+    appliesTo: "block",
+    pattern: /\bunset\s*\(\s*(?:\$this->[\w]+|true|false|null|\d+|['"][^'"]*['"])\s*\)/gu
+  });
+}
+function collectInvalidRegexLiteralFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.invalidRegexLiteral;
+  const findings = [];
+  const pregPattern = /\bpreg_(?:match|match_all|replace|replace_callback|filter|grep|split)\s*\(\s*(['"])([\s\S]*?)\1/gu;
+  for (const match of findAllMatches(text, pregPattern)) {
+    const literalMatch = /(['"])([\s\S]*?)\1/u.exec(match.matchedText);
+    if (!literalMatch) {
+      continue;
+    }
+    const patternLiteral = literalMatch[2];
+    if (!isInvalidPhpRegexPattern(patternLiteral)) {
+      continue;
+    }
+    findings.push(
+      createOffsetFact(text, {
+        detector,
+        appliesTo: "block",
+        kind,
+        startOffset: match.startOffset,
+        endOffset: match.endOffset,
+        text: match.matchedText
+      })
+    );
+  }
+  return findings;
+}
+function isInvalidPhpRegexPattern(literal) {
+  const delimiter = literal[0];
+  if (!delimiter || !/[/#~@%]/u.test(delimiter)) {
+    return false;
+  }
+  let index = 1;
+  let escaped = false;
+  while (index < literal.length) {
+    const char = literal[index];
+    if (escaped) {
+      escaped = false;
+      index += 1;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      index += 1;
+      continue;
+    }
+    if (char === delimiter) {
+      const body = literal.slice(1, index);
+      try {
+        new RegExp(body, "u");
+        return false;
+      } catch {
+        return true;
+      }
+    }
+    index += 1;
+  }
+  return true;
+}
+function collectTodoFixmeMarkerFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.todoFixmeMarker,
+    appliesTo: "block",
+    pattern: /(?:\/\/|#|\/\*|\*)\s*.*\b(?:TODO|FIXME|XXX)\b/giu
+  });
+}
+function collectSelfAssignmentFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.selfAssignment,
+    appliesTo: "block",
+    pattern: /(\$this->[\w]+|\$\w+(?:->[\w]+|\[[^\]]+\])*)\s*=\s*\1\s*;/gu
+  });
+}
+function collectDefaultParameterNotLastFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.defaultParameterNotLast;
+  const findings = [];
+  const signaturePattern = /\b(?:function\s+[A-Za-z_][\w]*|fn\s*\()\s*\(([^)]*)\)/gu;
+  for (const match of findAllMatches(text, signaturePattern)) {
+    const paramsMatch = /\(([^)]*)\)/u.exec(match.matchedText);
+    if (!paramsMatch) {
+      continue;
+    }
+    const paramsStartInMatch = match.matchedText.indexOf("(") + 1;
+    const params = splitParameterList(paramsMatch[1]);
+    let sawDefault = false;
+    for (const param of params) {
+      const trimmed = param.text.trim();
+      if (!trimmed) {
+        continue;
+      }
+      const hasDefault = /(?:^|[^=<>!])=(?!=)/u.test(trimmed);
+      if (hasDefault) {
+        sawDefault = true;
+        continue;
+      }
+      if (sawDefault) {
+        const absoluteStart = match.startOffset + paramsStartInMatch + param.startOffset;
+        const absoluteEnd = match.startOffset + paramsStartInMatch + param.endOffset;
+        findings.push(
+          createOffsetFact(text, {
+            detector,
+            appliesTo: "block",
+            kind,
+            startOffset: absoluteStart,
+            endOffset: absoluteEnd,
+            text: trimmed
+          })
+        );
+      }
+    }
+  }
+  return findings;
+}
+function splitParameterList(source) {
+  const params = [];
+  let start = 0;
+  let depth = 0;
+  for (let index = 0; index < source.length; index += 1) {
+    const char = source[index];
+    if (char === "(" || char === "[") {
+      depth += 1;
+      continue;
+    }
+    if (char === ")" || char === "]") {
+      depth = Math.max(0, depth - 1);
+      continue;
+    }
+    if (char === "," && depth === 0) {
+      params.push({
+        text: source.slice(start, index),
+        startOffset: start,
+        endOffset: index
+      });
+      start = index + 1;
+    }
+  }
+  params.push({
+    text: source.slice(start),
+    startOffset: start,
+    endOffset: source.length
+  });
+  return params;
+}
+function collectEmptyFunctionBodyFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.emptyFunctionBody,
+    appliesTo: "block",
+    pattern: /\bfunction\s+[A-Za-z_][\w]*\s*\([^)]*\)\s*(?::\s*[^{]+)?\{\s*(?:\/\/[^\n]*\s*|\/\*[\s\S]*?\*\/\s*)*\}/gu
+  });
+}
+function collectUnknownMagicMethodFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.unknownMagicMethod;
+  const findings = [];
+  const magicPattern = /\bfunction\s+(__[A-Za-z_][\w]*)\s*\(/gu;
+  for (const match of findAllMatches(text, magicPattern)) {
+    const methodName = /function\s+(__[A-Za-z_][\w]*)\s*\(/u.exec(
+      match.matchedText
+    )?.[1];
+    if (!methodName || PHP_VALID_MAGIC_METHODS.has(methodName)) {
+      continue;
+    }
+    findings.push(
+      createOffsetFact(text, {
+        detector,
+        appliesTo: "block",
+        kind,
+        startOffset: match.startOffset,
+        endOffset: match.endOffset,
+        text: match.matchedText
+      })
+    );
+  }
+  return findings;
+}
+function collectCaseInsensitiveDefineFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.caseInsensitiveDefine,
+    appliesTo: "block",
+    pattern: /\bdefine\s*\(\s*['"][^'"]+['"]\s*,[\s\S]*?,\s*(?:true|1)\s*\)/gu
+  });
+}
+function collectDeprecatedFilterConstantFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.deprecatedFilterConstant,
+    appliesTo: "block",
+    pattern: PHP_DEPRECATED_FILTER_CONSTANTS
+  });
+}
+function collectEmptyCodeBlockFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.emptyCodeBlock,
+    appliesTo: "block",
+    pattern: /\b(?:if|else|elseif|try|catch|finally|for|while|foreach)\b[^{;]*\{\s*(?:\/\/[^\n]*\s*|\/\*[\s\S]*?\*\/\s*)*\}/gu
+  });
+}
+function collectDeprecatedLibxmlEntityLoaderFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.deprecatedLibxmlEntityLoader,
+    appliesTo: "block",
+    pattern: /\blibxml_disable_entity_loader\s*\(/gu
+  });
+}
+function collectRedundantStringCastConcatFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.redundantStringCastConcat,
+    appliesTo: "block",
+    pattern: /\(\s*string\s*\)\s*\$\w+\s*\./gu
+  });
+}
+function collectMissingMemberVisibilityFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.missingMemberVisibility;
+  const findings = [];
+  const classPattern = /\bclass\s+[A-Za-z_][\w]*\b[^{]*\{/gu;
+  for (const match of findAllMatches(text, classPattern)) {
+    const openBrace = match.endOffset - 1;
+    const closeBrace = findMatchingDelimiter(text, openBrace, "{", "}");
+    if (closeBrace < 0) {
+      continue;
+    }
+    const body = text.slice(openBrace + 1, closeBrace);
+    const memberPattern = /^\s*(?:\/\/[^\n]*|\/\*[\s\S]*?\*\/\s*)*(?:function\s+[A-Za-z_]|(?:var\s+)?\$[A-Za-z_])/gmu;
+    for (const memberMatch of body.matchAll(memberPattern)) {
+      const line = memberMatch[0];
+      const trimmed = line.trimStart();
+      if (/^(?:public|private|protected)\b/u.test(trimmed)) {
+        continue;
+      }
+      if (/^function\s+__/u.test(trimmed)) {
+        continue;
+      }
+      const matchIndex = memberMatch.index ?? 0;
+      const absoluteStart = openBrace + 1 + matchIndex;
+      const absoluteEnd = absoluteStart + line.trimEnd().length;
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: absoluteStart,
+          endOffset: absoluteEnd,
+          text: line.trimEnd()
+        })
+      );
+    }
+  }
+  return findings;
+}
+function collectFunctionComparisonFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.functionComparison,
+    appliesTo: "block",
+    pattern: /\$\w+\s*(?:==|===|!=|!==)\s*['"][^'"]+['"]|\[\s*\$\w+\s*,\s*['"][^'"]+['"]\s*\]\s*(?:<|>|<=|>=)\s*\[\s*\$\w+\s*,\s*['"][^'"]+['"]\s*\]/gu
+  });
+}
+function collectUselessPostIncrementFacts(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_CORRECTNESS_FACT_KINDS.uselessPostIncrement,
+    appliesTo: "block",
+    pattern: /^\s*(?:\$\w+(?:\[[^\]]+\])?(?:->\w+)*|\$this->\w+)\s*\+\+\s*;/gmu
+  });
+}
+function collectNestedSwitchFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.nestedSwitch;
+  const findings = [];
+  const switchPattern = /\bswitch\s*\(/gu;
+  for (const switchMatch of findAllMatches(text, switchPattern)) {
+    const openBrace = findSwitchOpenBrace(text, switchMatch.endOffset);
+    if (openBrace < 0) {
+      continue;
+    }
+    const parentDepth = countEnclosingSwitchDepth(text, switchMatch.startOffset);
+    if (parentDepth === 0) {
+      continue;
+    }
+    findings.push(
+      createOffsetFact(text, {
+        detector,
+        appliesTo: "block",
+        kind,
+        startOffset: switchMatch.startOffset,
+        endOffset: switchMatch.endOffset,
+        text: switchMatch.matchedText
+      })
+    );
+  }
+  return findings;
+}
+function countEnclosingSwitchDepth(text, offset) {
+  let depth = 0;
+  let index = 0;
+  while (index < offset) {
+    index = skipPhpTrivia(text, index);
+    if (index >= offset) {
+      break;
+    }
+    const remaining = text.slice(index);
+    if (/^\bswitch\b/u.test(remaining)) {
+      const openBrace = findNextControlOpenBrace(text, index);
+      if (openBrace >= 0 && openBrace < offset) {
+        depth += 1;
+        index = openBrace + 1;
+        continue;
+      }
+    }
+    const char = text[index];
+    if (char === "{") {
+      index += 1;
+      continue;
+    }
+    if (char === "}") {
+      depth = Math.max(0, depth - 1);
+      index += 1;
+      continue;
+    }
+    index += 1;
+  }
+  return depth;
+}
+function collectInvalidCookieOptionsFacts(text, detector) {
+  const kind = PHP_CORRECTNESS_FACT_KINDS.invalidCookieOptions;
+  const findings = [];
+  const cookiePattern = /\bset(?:raw)?cookie\s*\(/gu;
+  for (const match of findAllMatches(text, cookiePattern)) {
+    const openParen = match.endOffset - 1;
+    const closeParen = findMatchingDelimiter(text, openParen, "(", ")");
+    if (closeParen < 0) {
+      continue;
+    }
+    const callText = text.slice(match.startOffset, closeParen + 1);
+    const optionsPattern = /['"]([\w-]+)['"]\s*=>/gu;
+    for (const optionMatch of findAllMatches(callText, optionsPattern)) {
+      const key = /['"]([\w-]+)['"]\s*=>/u.exec(optionMatch.matchedText)?.[1];
+      if (!key || PHP_VALID_COOKIE_OPTION_KEYS.has(key.toLowerCase())) {
+        continue;
+      }
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: match.startOffset + optionMatch.startOffset,
+          endOffset: match.startOffset + optionMatch.endOffset,
+          text: optionMatch.matchedText
+        })
+      );
+    }
+  }
+  return findings;
+}
 
 // libs/adapters/shared/src/lib/polyglot/domains/php-baseline-security.ts
 var PHP_BASELINE_SECURITY_FACT_KINDS = {
@@ -4267,7 +5444,9 @@ var PHP_BASELINE_SECURITY_FACT_KINDS = {
   weakCipher: "php.security.weak-cipher",
   insecureSessionIdGeneration: "php.security.insecure-session-id-generation",
   xmlExternalEntity: "php.security.xml-external-entity",
-  debugFunctionExposure: "php.security.debug-function-exposure"
+  debugFunctionExposure: "php.security.debug-function-exposure",
+  unsafeNewStatic: "php.security.unsafe-new-static",
+  deprecatedLibxmlEntityLoader: "php.security.deprecated-libxml-entity-loader"
 };
 var WEAK_OPENSSL_CIPHER_PATTERN = /\b(?:DES|RC4|BF|ECB)\b|(?:^|[^A-Za-z])DES(?:[^A-Za-z]|$)/iu;
 var XML_LOAD_PATTERN = /\b(?:simplexml_load_(?:file|string|xml)|domxml_(?:open_mem|xml)|xml_parse)\s*\(|\b(?:DOMDocument|SimpleXMLElement)\b[\s\S]{0,120}?->\s*load(?:XML|HTML)?\s*\(/g;
@@ -4292,7 +5471,9 @@ function collectPhpBaselineSecurityFacts(options) {
       matchesTainted
     }),
     ...collectXmlExternalEntityFacts(text, detector),
-    ...collectDebugFunctionExposureFacts(text, path, detector)
+    ...collectDebugFunctionExposureFacts(text, path, detector),
+    ...collectUnsafeNewStaticFacts(text, detector),
+    ...collectDeprecatedLibxmlEntityLoaderFacts2(text, detector)
   ]);
 }
 function collectNoDynamicEvalFacts(text, detector) {
@@ -4441,6 +5622,51 @@ function collectDebugFunctionExposureFacts(text, path, detector) {
     pattern: /\b(?:var_dump|print_r|debug_zval_dump)\s*\(|\bxdebug_[a-z_]+\s*\(/gi
   });
 }
+function collectUnsafeNewStaticFacts(text, detector) {
+  const kind = PHP_BASELINE_SECURITY_FACT_KINDS.unsafeNewStatic;
+  const findings = [];
+  const classPattern = /\b(?:(?:abstract|readonly|final)\s+)*class\s+([A-Za-z_][\w]*)\b[^{]*\{/gu;
+  for (const match of findAllMatches(text, classPattern)) {
+    const declarationWindow = text.slice(
+      Math.max(0, match.startOffset - 12),
+      match.endOffset
+    );
+    if (/\bfinal\b/u.test(declarationWindow)) {
+      continue;
+    }
+    const openBrace = match.endOffset - 1;
+    const closeBrace = findMatchingDelimiter(text, openBrace, "{", "}");
+    if (closeBrace < 0) {
+      continue;
+    }
+    const body = text.slice(openBrace + 1, closeBrace);
+    const staticPattern = /\bnew\s+static\s*\(/gu;
+    for (const staticMatch of findAllMatches(body, staticPattern)) {
+      const absoluteStart = openBrace + 1 + staticMatch.startOffset;
+      const absoluteEnd = openBrace + 1 + staticMatch.endOffset;
+      findings.push(
+        createOffsetFact(text, {
+          detector,
+          appliesTo: "block",
+          kind,
+          startOffset: absoluteStart,
+          endOffset: absoluteEnd,
+          text: staticMatch.matchedText
+        })
+      );
+    }
+  }
+  return findings;
+}
+function collectDeprecatedLibxmlEntityLoaderFacts2(text, detector) {
+  return collectMatchedFacts({
+    text,
+    detector,
+    kind: PHP_BASELINE_SECURITY_FACT_KINDS.deprecatedLibxmlEntityLoader,
+    appliesTo: "block",
+    pattern: /\blibxml_disable_entity_loader\s*\(/gu
+  });
+}
 
 // libs/adapters/shared/src/lib/polyglot/domains/java-open-redirect.ts
 var javaRedirectSinkPattern = /\bsendRedirect\s*\(|\bnew\s+RedirectView\s*\(/g;
@@ -4551,6 +5777,49 @@ function collectSpringConfigDebugExposureFacts(options) {
   return [...debugPairs, ...verboseLogging];
 }
 
+// libs/adapters/shared/src/lib/polyglot/domains/android-screenshot-exposure.ts
+var defaultAndroidActivityPattern = /\bclass\s+[A-Za-z_][A-Za-z0-9_]*\s+extends\s+(?:[A-Za-z_][A-Za-z0-9_]*Activity|Activity|AppCompatActivity|ComponentActivity|FragmentActivity)\b/g;
+var secureFlagEnabledPattern = /\b(?:getWindow\(\)\.)?(?:addFlags|setFlags)\s*\([^;\n]*FLAG_SECURE\b/g;
+var secureFlagClearedPattern = /\b(?:getWindow\(\)\.)?clearFlags\s*\([^;\n]*FLAG_SECURE\b/g;
+var sensitiveAndroidScreenPattern = /\b(?:account|auth|balance|billing|card|credential|login|otp|password|payment|pin|secret|session|token|transfer|wallet)\b|[A-Za-z0-9_]*(?:Otp|Passcode|Password|Pin|Secret|Session|Token)\b/i;
+function collectAndroidScreenshotExposureFacts(options) {
+  const hasSecureFlag = secureFlagEnabledPattern.test(options.text);
+  const hasClearedSecureFlag = secureFlagClearedPattern.test(options.text);
+  if (hasSecureFlag && !hasClearedSecureFlag) {
+    return [];
+  }
+  if (!hasClearedSecureFlag && !sensitiveAndroidScreenPattern.test(options.text)) {
+    return [];
+  }
+  return collectMatchedFacts({
+    text: options.text,
+    detector: options.detector,
+    kind: "security.android-screenshot-exposure",
+    pattern: options.activityPattern ?? defaultAndroidActivityPattern,
+    appliesTo: options.appliesTo ?? "file",
+    props: () => ({
+      reason: hasClearedSecureFlag ? "flag-secure-cleared" : "flag-secure-missing"
+    }),
+    textValue: ({ matchedText }) => matchedText.trim()
+  });
+}
+
+// libs/adapters/shared/src/lib/polyglot/domains/android-world-readable-mode.ts
+var defaultAndroidWorldReadablePattern = /\b(?:Context\.)?MODE_WORLD_(?:READABLE|WRITABLE|WRITEABLE)\b/g;
+function collectAndroidWorldReadableModeFacts(options) {
+  return collectMatchedFacts({
+    text: options.text,
+    detector: options.detector,
+    kind: "security.android-world-readable-mode",
+    pattern: options.pattern ?? defaultAndroidWorldReadablePattern,
+    appliesTo: options.appliesTo ?? "block",
+    props: ({ matchedText }) => ({
+      mode: matchedText.trim()
+    }),
+    textValue: ({ matchedText }) => matchedText.trim()
+  });
+}
+
 // libs/adapters/shared/src/lib/polyglot/domains/java-framework-security.ts
 var JAVA_FRAMEWORK_SECURITY_FACT_KINDS = {
   springPermitAllDefault: "java.security.spring-permit-all-default",
@@ -8269,6 +9538,12 @@ function collectRustQualityMaintainabilityFacts(options) {
 }
 
 // libs/adapters/shared/src/lib/polyglot/domains/performance.ts
+var PHP_PERFORMANCE_FACT_KINDS = {
+  noRegexConstructionInLoop: "php.performance.no-regex-construction-in-loop",
+  noSyncFsInRequestPath: "php.performance.no-sync-fs-in-request-path",
+  expensiveLoopCondition: "php.performance.expensive-loop-condition",
+  noUnboundedConcurrency: "php.performance.no-unbounded-concurrency"
+};
 function collectSharedPerformanceFacts(options, languagePrefix) {
   const { text, detector } = options;
   return [
@@ -8302,7 +9577,57 @@ function collectJavaPerformanceFacts(options) {
   return collectSharedPerformanceFacts(options, "java");
 }
 function collectPhpPerformanceFacts(options) {
-  return collectSharedPerformanceFacts(options, "php");
+  const { text, detector } = options;
+  return [
+    ...collectMatchedFacts({
+      text,
+      detector,
+      kind: PHP_PERFORMANCE_FACT_KINDS.noRegexConstructionInLoop,
+      pattern: /\b(?:for|while)\b[\s\S]{0,300}\bpreg_(?:match|match_all|replace|replace_callback|filter|grep|split)\s*\(/gu,
+      appliesTo: "block"
+    }),
+    ...collectPhpSyncFsInRequestPathFacts(options),
+    ...collectMatchedFacts({
+      text,
+      detector,
+      kind: PHP_PERFORMANCE_FACT_KINDS.expensiveLoopCondition,
+      pattern: /\b(?:for|while)\s*\([\s\S]{0,240}?\b(?:count|sizeof|strlen|preg_match|preg_match_all|array_sum|in_array|file_get_contents|file_exists|glob)\s*\(/gu,
+      appliesTo: "block"
+    }),
+    ...collectMatchedFacts({
+      text,
+      detector,
+      kind: PHP_PERFORMANCE_FACT_KINDS.noUnboundedConcurrency,
+      appliesTo: "block",
+      pattern: /\b(?:GuzzleHttp\\Promise\\(?:all|unwrap)|Amp\\Promise\\all)\s*\(\s*\$\w+/gu
+    })
+  ];
+}
+var phpSyncFsCallPattern = /\b(?:file_get_contents|fopen|readfile|file|scandir|glob)\s*\(/gu;
+function collectPhpSyncFsInRequestPathFacts(options) {
+  const { text, detector, state, matchesTainted } = options;
+  if (!state || !matchesTainted) {
+    return [];
+  }
+  return collectSnippetFacts({
+    text,
+    detector,
+    kind: PHP_PERFORMANCE_FACT_KINDS.noSyncFsInRequestPath,
+    pattern: phpSyncFsCallPattern,
+    state,
+    appliesTo: "block",
+    predicate: (snippet, scanState) => isPhpSyncFsInRequestHandler(text, snippet.startOffset) && matchesTainted(snippet.text, scanState)
+  });
+}
+function isPhpSyncFsInRequestHandler(text, callStartOffset) {
+  const prefix = text.slice(0, callStartOffset);
+  const functionStart = prefix.lastIndexOf("function");
+  if (functionStart < 0) {
+    return false;
+  }
+  return /\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b/u.test(
+    text.slice(functionStart, callStartOffset)
+  );
 }
 function collectPythonPerformanceFacts(options) {
   return collectSharedPerformanceFacts(options, "py");
@@ -8314,6 +9639,323 @@ function collectRustPerformanceFacts(options) {
   return collectSharedPerformanceFacts(options, "rust");
 }
 
+// libs/adapters/cloudformation/src/lib/cloudformation.ts
+var import_node_fs4 = require("node:fs");
+var import_node_os = require("node:os");
+var import_node_path5 = require("node:path");
+
+// libs/adapters/cloudformation/src/lib/collect-cfn-lint-facts.util.ts
+var CFN_LINT_FACT_KIND = "cfn.lint.finding";
+var CFN_LINT_DETECTOR = "cfn-lint";
+function lineColumnToOffset(text, line, column) {
+  const lines = text.split("\n");
+  const safeLine = Math.max(line, 1);
+  let offset = 0;
+  for (let index = 0; index < safeLine - 1 && index < lines.length; index += 1) {
+    offset += lines[index].length + 1;
+  }
+  const lineText = lines[safeLine - 1] ?? "";
+  offset += Math.min(Math.max(column - 1, 0), lineText.length);
+  return offset;
+}
+function createRangeFromLineColumns(text, startLine, startColumn, endLine, endColumn) {
+  const startOffset = lineColumnToOffset(text, startLine, startColumn);
+  const endOffset = Math.max(
+    startOffset + 1,
+    lineColumnToOffset(text, endLine, endColumn)
+  );
+  const lines = text.split("\n");
+  const excerptLines = lines.slice(
+    Math.max(startLine - 1, 0),
+    Math.min(endLine, lines.length)
+  );
+  return {
+    startOffset,
+    endOffset,
+    excerpt: excerptLines.join("\n"),
+    range: {
+      startLine,
+      startColumn,
+      endLine,
+      endColumn
+    }
+  };
+}
+function collectCfnLintFacts(text, findings) {
+  return findings.map((finding) => {
+    const positioned = createRangeFromLineColumns(
+      text,
+      finding.line,
+      finding.column,
+      finding.endLine,
+      finding.endColumn
+    );
+    return {
+      id: [
+        CFN_LINT_DETECTOR,
+        CFN_LINT_FACT_KIND,
+        finding.ruleId,
+        positioned.range.startLine,
+        positioned.range.startColumn,
+        positioned.range.endLine,
+        positioned.range.endColumn
+      ].join(":"),
+      kind: CFN_LINT_FACT_KIND,
+      appliesTo: "file",
+      range: positioned.range,
+      text: positioned.excerpt,
+      props: {
+        ruleId: finding.ruleId,
+        level: finding.level,
+        message: finding.message,
+        line: finding.line,
+        column: finding.column
+      }
+    };
+  });
+}
+
+// libs/adapters/cloudformation/src/lib/is-cloudformation-template.util.ts
+var import_node_path4 = require("node:path");
+function looksLikeCloudFormationPath2(filePath) {
+  const normalized = filePath.replace(/\\/gu, "/").toLowerCase();
+  const fileName = normalized.split("/").pop() ?? normalized;
+  if (/(?:^|\/)(?:templates?|cloudformation|cfn|sam|infra|iac)(?:\/|$)/u.test(
+    normalized
+  )) {
+    return true;
+  }
+  return /(?:template|cloudformation|stack|cfn|sam)[^/]*\.(?:ya?ml|json)$/u.test(
+    fileName
+  );
+}
+function hasServerlessTransform(transform) {
+  if (transform === "AWS::Serverless") {
+    return true;
+  }
+  if (Array.isArray(transform)) {
+    return transform.includes("AWS::Serverless");
+  }
+  return false;
+}
+function hasCloudFormationObjectMarkers(value) {
+  if (typeof value["AWSTemplateFormatVersion"] === "string") {
+    return true;
+  }
+  if (value["Resources"] !== void 0 && typeof value["Resources"] === "object" && value["Resources"] !== null) {
+    return true;
+  }
+  return hasServerlessTransform(value["Transform"]);
+}
+function isCloudFormationTemplate(path, text) {
+  const trimmed = text.trim();
+  if (!trimmed) {
+    return false;
+  }
+  const extension = (0, import_node_path4.extname)(path).toLowerCase();
+  if (extension === ".json") {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return false;
+      }
+      return hasCloudFormationObjectMarkers(parsed);
+    } catch {
+      return false;
+    }
+  }
+  if (/AWSTemplateFormatVersion\s*:/m.test(trimmed)) {
+    return true;
+  }
+  if (/^Resources\s*:/m.test(trimmed)) {
+    return true;
+  }
+  if (/Transform\s*:\s*(?:AWS::Serverless|['"]AWS::Serverless['"])/m.test(trimmed)) {
+    return true;
+  }
+  return false;
+}
+
+// libs/adapters/cloudformation/src/lib/parse-cfn-lint-json.util.ts
+function isCfnLintJsonMatch(value) {
+  return typeof value === "object" && value !== null;
+}
+function parseCfnLintJson(stdout) {
+  const trimmed = stdout.trim();
+  if (!trimmed) {
+    return [];
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    return [];
+  }
+  if (!Array.isArray(parsed)) {
+    return [];
+  }
+  const findings = [];
+  for (const entry of parsed) {
+    if (!isCfnLintJsonMatch(entry)) {
+      continue;
+    }
+    const ruleId = entry.Rule?.Id?.trim();
+    if (!ruleId) {
+      continue;
+    }
+    const line = entry.Location?.Start?.LineNumber ?? 1;
+    const column = entry.Location?.Start?.ColumnNumber ?? 1;
+    const endLine = entry.Location?.End?.LineNumber ?? line;
+    const endColumn = entry.Location?.End?.ColumnNumber ?? column;
+    const message = entry.Message?.trim() ?? "";
+    const level = entry.Level?.trim() ?? "Unknown";
+    findings.push({
+      ruleId,
+      level,
+      message,
+      line,
+      column,
+      endLine,
+      endColumn
+    });
+  }
+  return findings;
+}
+
+// libs/adapters/cloudformation/src/lib/run-cfn-lint.util.ts
+var import_node_child_process = require("node:child_process");
+function readExecOutput(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (Buffer.isBuffer(value)) {
+    return value.toString("utf8");
+  }
+  return "";
+}
+function runCfnLint(filePath) {
+  try {
+    const stdout = (0, import_node_child_process.execFileSync)("cfn-lint", ["-f", "json", filePath], {
+      encoding: "utf8",
+      maxBuffer: 16 * 1024 * 1024
+    });
+    return {
+      ok: true,
+      stdout,
+      stderr: "",
+      exitCode: 0
+    };
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      return {
+        ok: false,
+        stdout: "",
+        stderr: "",
+        exitCode: -1,
+        errorCode: "ENOENT"
+      };
+    }
+    if (typeof error === "object" && error !== null && "stdout" in error) {
+      return {
+        ok: true,
+        stdout: readExecOutput(error.stdout),
+        stderr: readExecOutput(
+          "stderr" in error ? error.stderr : void 0
+        ),
+        exitCode: "status" in error && typeof error.status === "number" ? error.status : 1
+      };
+    }
+    const message = error instanceof Error ? error.message : "Unexpected cfn-lint failure.";
+    return {
+      ok: false,
+      stdout: "",
+      stderr: message,
+      exitCode: 1
+    };
+  }
+}
+
+// libs/adapters/cloudformation/src/lib/cloudformation.ts
+var SUPPORTED_EXTENSIONS = [".yaml", ".yml", ".json"];
+function templateExtensionForPath(path) {
+  const extension = (0, import_node_path5.extname)(path).toLowerCase();
+  if (extension === ".yaml" || extension === ".yml" || extension === ".json") {
+    return extension;
+  }
+  return ".yaml";
+}
+function createMissingCfnLintDiagnostic(path) {
+  return createDiagnostic({
+    code: "adapter.cloudformation.cfn-lint-missing",
+    message: "The `cfn-lint` executable was not found on PATH. Install cfn-lint to analyze CloudFormation templates.",
+    severity: "warning",
+    details: {
+      path
+    }
+  });
+}
+function createCfnLintFailureDiagnostic(path, stderr) {
+  return createDiagnostic({
+    code: "adapter.cloudformation.cfn-lint-failed",
+    message: `cfn-lint failed while analyzing \`${path}\`.`,
+    severity: "warning",
+    details: {
+      path,
+      stderr
+    }
+  });
+}
+function analyzeCloudFormationFile(path, text, options = {}) {
+  if (!isCloudFormationTemplate(path, text)) {
+    return {
+      success: true,
+      data: buildAnalyzedFileWithFacts(path, "cloudformation", text, [])
+    };
+  }
+  const runner = options.runCfnLint ?? runCfnLint;
+  const tempDirectory = (0, import_node_fs4.mkdtempSync)((0, import_node_path5.join)((0, import_node_os.tmpdir)(), "critiq-cfn-"));
+  const tempPath = (0, import_node_path5.join)(
+    tempDirectory,
+    `${(0, import_node_path5.basename)(path, (0, import_node_path5.extname)(path)) || "template"}${templateExtensionForPath(path)}`
+  );
+  try {
+    (0, import_node_fs4.writeFileSync)(tempPath, text, "utf8");
+    const lintResult = runner(tempPath);
+    if (lintResult.errorCode === "ENOENT") {
+      return {
+        success: true,
+        data: buildAnalyzedFileWithFacts(path, "cloudformation", text, []),
+        diagnostics: [createMissingCfnLintDiagnostic(path)]
+      };
+    }
+    if (!lintResult.ok && !lintResult.stdout.trim()) {
+      return {
+        success: true,
+        data: buildAnalyzedFileWithFacts(path, "cloudformation", text, []),
+        diagnostics: [
+          createCfnLintFailureDiagnostic(path, lintResult.stderr)
+        ]
+      };
+    }
+    const findings = parseCfnLintJson(lintResult.stdout);
+    const facts = collectCfnLintFacts(text, findings);
+    return {
+      success: true,
+      data: buildAnalyzedFileWithFacts(path, "cloudformation", text, facts)
+    };
+  } finally {
+    (0, import_node_fs4.rmSync)(tempDirectory, { recursive: true, force: true });
+  }
+}
+var cloudformationSourceAdapter = {
+  packageName: "@critiq/adapter-cloudformation",
+  supportedExtensions: SUPPORTED_EXTENSIONS,
+  supportedLanguages: ["cloudformation"],
+  canHandlePath: looksLikeCloudFormationPath2,
+  canHandle: isCloudFormationTemplate,
+  analyze: analyzeCloudFormationFile
+};
+
 // libs/adapters/go/src/lib/go.ts
 var hardcodedCredentialPattern = /(?:^|\n)\s*(?:const|var)?\s*([A-Za-z_][A-Za-z0-9_]*)\s*(?::=|=)\s*["'`][^"'`\n]{8,}["'`]/g;
 var fileReadCallPattern = /\b(?:os|ioutil)\.ReadFile\s*\(/g;
@@ -8625,6 +10267,14 @@ var javaAdapterDefinition = {
       text,
       detector
     }),
+    ...collectAndroidScreenshotExposureFacts({
+      text,
+      detector
+    }),
+    ...collectAndroidWorldReadableModeFacts({
+      text,
+      detector
+    }),
     ...collectSpringConfigDebugExposureFacts({
       text,
       detector,
@@ -8860,7 +10510,13 @@ var phpAdapterDefinition = {
     }),
     ...collectPhpTestingHygieneFacts({ text, path, detector }),
     ...collectPhpQualityMaintainabilityFacts({ text, path, detector }),
-    ...collectPhpPerformanceFacts({ text, path, detector }),
+    ...collectPhpPerformanceFacts({
+      text,
+      path,
+      detector,
+      state,
+      matchesTainted: matchesPhpTainted
+    }),
     ...collectPhpCorrectnessFacts({ text, detector })
   ]
 };
@@ -9236,6 +10892,8 @@ var rubyAdapterDefinition = {
       detector,
       pattern: weakHashCallPattern5
     }),
+    ...collectRubyGeneralSecurityFacts({ text, path, detector }),
+    ...collectRubyBugRiskFacts({ text, detector }),
     ...collectRubyRailsSecurityFacts({
       text,
       detector,
@@ -9503,7 +11161,7 @@ function looksLikeRustSqlInterpolation(expression) {
 
 // libs/adapters/typescript/src/lib/typescript.ts
 var import_typescript_estree = require("@typescript-eslint/typescript-estree");
-var import_node_path4 = require("node:path");
+var import_node_path6 = require("node:path");
 
 // libs/adapters/typescript/src/lib/ast/source-text.ts
 function isNodeLike(value) {
@@ -17927,6 +19585,323 @@ var collectAdditionalPublicSecurityFacts = (context) => {
   ];
 };
 
+// libs/adapters/typescript/src/lib/custom-facts/additional-public-security/electron-shell-open-external-unvalidated.ts
+var openExternalCalleePattern = /(^|\.)(openExternal)$/u;
+var requestDrivenUrlPattern = /\b(?:req|request|body|query|params)\b/u;
+function collectElectronShellOpenExternalUnvalidatedFacts(context) {
+  const facts = [];
+  walkAst(context.program, (node) => {
+    if (node.type !== "CallExpression") {
+      return;
+    }
+    const calleeText2 = getCalleeText(node.callee, context.sourceText);
+    if (!calleeText2 || !openExternalCalleePattern.test(calleeText2)) {
+      return;
+    }
+    const urlText = getNodeText(
+      node.arguments[0],
+      context.sourceText
+    );
+    if (!urlText || !requestDrivenUrlPattern.test(urlText)) {
+      return;
+    }
+    facts.push(
+      createObservedFact({
+        appliesTo: "block",
+        kind: FACT_KINDS.electronShellOpenExternalUnvalidated,
+        node,
+        nodeIds: context.nodeIds,
+        text: calleeText2,
+        props: {
+          url: urlText
+        }
+      })
+    );
+  });
+  return facts;
+}
+
+// libs/adapters/typescript/src/lib/custom-facts/substrate/client-security.ts
+var electronDangerousWebPreferences = [
+  {
+    name: "allowRunningInsecureContent",
+    insecureBooleanValue: true
+  },
+  {
+    name: "contextIsolation",
+    insecureBooleanValue: false
+  },
+  {
+    name: "enableRemoteModule",
+    insecureBooleanValue: true
+  },
+  {
+    name: "nodeIntegration",
+    insecureBooleanValue: true
+  },
+  {
+    name: "sandbox",
+    insecureBooleanValue: false
+  },
+  {
+    name: "webSecurity",
+    insecureBooleanValue: false
+  }
+];
+var electronTrustedOriginValidatorNames = /* @__PURE__ */ new Set([
+  "allowlistedOrigin",
+  "assertAllowedOrigin",
+  "assertTrustedSenderFrame",
+  "assertTrustedWebContents",
+  "ensureAllowedOrigin",
+  "ensureTrustedSender",
+  "validateAllowedOrigin",
+  "validateTrustedOrigin",
+  "validateTrustedSender"
+]);
+var electronPrivilegedIpcSinkPattern = /\b(?:BrowserWindow|dialog\.(?:showOpenDialog|showSaveDialog)|exec|fs\.(?:appendFile|appendFileSync|readFile|readFileSync|rm|rmSync|unlink|unlinkSync|writeFile|writeFileSync)|openExternal|process\.env|shell\.(?:openExternal|openPath|showItemInFolder)|spawn|systemPreferences|webContents)\b/u;
+function isElectronTrustedOriginValidatorName(calleeText2) {
+  return Boolean(
+    calleeText2 && electronTrustedOriginValidatorNames.has(calleeText2)
+  );
+}
+function isElectronSensitiveStorageKey(text) {
+  return isAuthStorageKey(text) || isAuthLikeText(text);
+}
+function isLikelyPrivilegedElectronIpcBody(bodyText2) {
+  return Boolean(
+    bodyText2 && electronPrivilegedIpcSinkPattern.test(bodyText2)
+  );
+}
+
+// libs/adapters/typescript/src/lib/custom-facts/client-application-security.ts
+var ELECTRON_DANGEROUS_WEBPREFERENCES_FACT_KIND = "security.electron-dangerous-webpreferences";
+var ELECTRON_MISSING_IPC_ORIGIN_CHECK_FACT_KIND = "security.electron-missing-ipc-origin-check";
+var ELECTRON_INSECURE_LOCAL_STATE_FACT_KIND = "security.electron-insecure-local-state";
+var browserWindowCalleePattern = /(^|\.)(BrowserWindow)$/u;
+var ipcMainHandlerPattern = /(^|\.)(ipcMain)\.(handle|on)$/u;
+function collectElectronStoreConstructorNames(context) {
+  const constructorNames = /* @__PURE__ */ new Set();
+  walkAst(context.program, (node) => {
+    if (node.type === "ImportDeclaration" && node.source.value === "electron-store") {
+      for (const specifier of node.specifiers) {
+        constructorNames.add(specifier.local.name);
+      }
+      return;
+    }
+    if (node.type !== "VariableDeclarator" || node.id.type !== "Identifier" || !node.init || node.init.type !== "CallExpression" || node.init.callee.type !== "Identifier" || node.init.callee.name !== "require") {
+      return;
+    }
+    const sourceValue = getNodeText(
+      node.init.arguments[0],
+      context.sourceText
+    )?.replace(/^['"]|['"]$/gu, "");
+    if (sourceValue === "electron-store") {
+      constructorNames.add(node.id.name);
+    }
+  });
+  return constructorNames;
+}
+function collectElectronStoreInstanceNames(context, constructorNames) {
+  const instanceNames = /* @__PURE__ */ new Set();
+  if (constructorNames.size === 0) {
+    return instanceNames;
+  }
+  walkAst(context.program, (node) => {
+    if (node.type !== "VariableDeclarator" || node.id.type !== "Identifier" || !node.init || node.init.type !== "NewExpression") {
+      return;
+    }
+    const calleeText2 = getNodeText(node.init.callee, context.sourceText);
+    if (calleeText2 && constructorNames.has(calleeText2)) {
+      instanceNames.add(node.id.name);
+    }
+  });
+  return instanceNames;
+}
+function hasElectronOriginCheck(handler, sourceText) {
+  const firstParam = handler.params[0];
+  if (!firstParam || firstParam.type !== "Identifier") {
+    return false;
+  }
+  const originExpressions = [
+    `${firstParam.name}.senderFrame.origin`,
+    `${firstParam.name}.senderFrame.url`,
+    `${firstParam.name}.sender.getURL()`
+  ];
+  let checked = false;
+  walkAst(handler.body, (node) => {
+    if (checked) {
+      return;
+    }
+    if (node.type === "IfStatement" || node.type === "ConditionalExpression") {
+      const testText = getNodeText(node.test, sourceText)?.replace(/\s+/gu, " ");
+      if (testText && originExpressions.some((expression) => testText.includes(expression))) {
+        checked = true;
+      }
+      return;
+    }
+    if (node.type === "SwitchStatement") {
+      const discriminantText = getNodeText(
+        node.discriminant,
+        sourceText
+      )?.replace(/\s+/gu, " ");
+      if (discriminantText && originExpressions.some(
+        (expression) => discriminantText.includes(expression)
+      )) {
+        checked = true;
+      }
+      return;
+    }
+    if (node.type !== "CallExpression") {
+      return;
+    }
+    const calleeText2 = getCalleeText(node.callee, sourceText);
+    const firstArgumentText = getNodeText(
+      node.arguments[0],
+      sourceText
+    )?.replace(/\s+/gu, " ");
+    if (isElectronTrustedOriginValidatorName(calleeText2) && firstArgumentText && originExpressions.some((expression) => firstArgumentText.includes(expression))) {
+      checked = true;
+    }
+  });
+  return checked;
+}
+function collectElectronDangerousWebPreferenceFacts(context) {
+  const objectBindings = collectObjectBindings(context);
+  const facts = [];
+  walkAst(context.program, (node) => {
+    if (node.type !== "NewExpression") {
+      return;
+    }
+    const calleeText2 = getNodeText(node.callee, context.sourceText);
+    if (!calleeText2 || !browserWindowCalleePattern.test(calleeText2)) {
+      return;
+    }
+    const windowOptions = resolveObjectExpression(node.arguments[0], objectBindings);
+    const webPreferences = resolveObjectExpression(
+      getObjectProperty(windowOptions, "webPreferences")?.value,
+      objectBindings
+    );
+    if (!webPreferences) {
+      return;
+    }
+    for (const preference of electronDangerousWebPreferences) {
+      const property = getObjectProperty(webPreferences, preference.name);
+      if (!property || !isBooleanLiteral(
+        property.value,
+        preference.insecureBooleanValue
+      )) {
+        continue;
+      }
+      facts.push(
+        createObservedFact({
+          appliesTo: "block",
+          kind: ELECTRON_DANGEROUS_WEBPREFERENCES_FACT_KIND,
+          node: property,
+          nodeIds: context.nodeIds,
+          props: {
+            preference: preference.name,
+            configuredValue: getNodeText(
+              property.value,
+              context.sourceText
+            ),
+            sink: calleeText2
+          },
+          text: `webPreferences.${preference.name}`
+        })
+      );
+    }
+  });
+  return facts;
+}
+function collectElectronIpcOriginFacts(context) {
+  const functionBindings = resolveFunctionBindings(context);
+  const facts = [];
+  walkAst(context.program, (node) => {
+    if (node.type !== "CallExpression") {
+      return;
+    }
+    const calleeText2 = getCalleeText(node.callee, context.sourceText);
+    if (!calleeText2 || !ipcMainHandlerPattern.test(calleeText2)) {
+      return;
+    }
+    const handler = resolveFunctionLike(node.arguments[1], functionBindings);
+    const bodyText2 = handler ? getNodeText(handler.body, context.sourceText) : void 0;
+    if (!handler || !isLikelyPrivilegedElectronIpcBody(bodyText2) || hasElectronOriginCheck(handler, context.sourceText)) {
+      return;
+    }
+    facts.push(
+      createObservedFact({
+        appliesTo: "block",
+        kind: ELECTRON_MISSING_IPC_ORIGIN_CHECK_FACT_KIND,
+        node,
+        nodeIds: context.nodeIds,
+        props: {
+          channel: getNodeText(
+            node.arguments[0],
+            context.sourceText
+          ),
+          sink: calleeText2
+        },
+        text: `${calleeText2}(${getNodeText(
+          node.arguments[0],
+          context.sourceText
+        ) ?? ""})`
+      })
+    );
+  });
+  return facts;
+}
+function collectElectronInsecureLocalStateFacts(context) {
+  const constructorNames = collectElectronStoreConstructorNames(context);
+  const instanceNames = collectElectronStoreInstanceNames(
+    context,
+    constructorNames
+  );
+  const facts = [];
+  if (instanceNames.size === 0) {
+    return facts;
+  }
+  walkAst(context.program, (node) => {
+    if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
+      return;
+    }
+    if (node.callee.object.type !== "Identifier" || !instanceNames.has(node.callee.object.name) || getMemberPropertyName(node.callee) !== "set") {
+      return;
+    }
+    const storageKeyText = getNodeText(
+      node.arguments[0],
+      context.sourceText
+    );
+    const storageValueText = getNodeText(
+      node.arguments[1],
+      context.sourceText
+    );
+    if (!isElectronSensitiveStorageKey(storageKeyText) && !isElectronSensitiveStorageKey(storageValueText)) {
+      return;
+    }
+    facts.push(
+      createObservedFact({
+        appliesTo: "block",
+        kind: ELECTRON_INSECURE_LOCAL_STATE_FACT_KIND,
+        node,
+        nodeIds: context.nodeIds,
+        props: {
+          key: storageKeyText,
+          sink: `${node.callee.object.name}.set`
+        },
+        text: `${node.callee.object.name}.set(${storageKeyText ?? "unknown"})`
+      })
+    );
+  });
+  return facts;
+}
+var collectClientApplicationSecurityFacts = (context) => [
+  ...collectElectronDangerousWebPreferenceFacts(context),
+  ...collectElectronIpcOriginFacts(context),
+  ...collectElectronInsecureLocalStateFacts(context)
+];
+
 // libs/adapters/typescript/src/lib/custom-facts/typescript-async-correctness.ts
 var ARRAY_METHODS_EXPECTING_SYNC_CALLBACK = /* @__PURE__ */ new Set([
   "every",
@@ -25380,6 +27355,8 @@ var collectWeakCryptoFacts = (context) => {
 function collectAdditionalTypeScriptFacts(context) {
   const facts = [
     ...collectAdditionalPublicSecurityFacts(context),
+    ...collectClientApplicationSecurityFacts(context),
+    ...collectElectronShellOpenExternalUnvalidatedFacts(context),
     ...collectTypescriptAsyncCorrectnessFacts(context),
     ...collectTypescriptCoreLanguageCorrectnessFacts(context),
     ...collectTypescriptCorrectnessLanguageExtendedFacts(context),
@@ -25562,7 +27539,7 @@ var typescriptSourceAdapter = {
   analyze: analyzeTypeScriptFile
 };
 function extensionToLanguage(path) {
-  switch ((0, import_node_path4.extname)(path).toLowerCase()) {
+  switch ((0, import_node_path6.extname)(path).toLowerCase()) {
     case ".js":
     case ".jsx":
       return "javascript";
@@ -25573,7 +27550,7 @@ function extensionToLanguage(path) {
   }
 }
 function supportsJsx(path) {
-  return [".jsx", ".tsx"].includes((0, import_node_path4.extname)(path).toLowerCase());
+  return [".jsx", ".tsx"].includes((0, import_node_path6.extname)(path).toLowerCase());
 }
 function analyzeTypeScriptFile(path, text) {
   try {
@@ -25629,7 +27606,7 @@ function analyzeTypeScriptFile(path, text) {
 }
 
 // libs/runtime/check-runner/src/lib/check-runner/registry.ts
-var import_node_path7 = require("node:path");
+var import_node_path9 = require("node:path");
 
 // libs/core/ir/src/lib/ir.ts
 var import_node_crypto2 = require("node:crypto");
@@ -25885,8 +27862,8 @@ function normalizeRuleDocument(validatedRuleDocument) {
 }
 
 // libs/core/rules-dsl/src/lib/rules-dsl.ts
-var import_node_fs4 = require("node:fs");
-var import_node_path5 = require("node:path");
+var import_node_fs5 = require("node:fs");
+var import_node_path7 = require("node:path");
 var import_zod6 = require("zod");
 
 // libs/core/rules-dsl/src/lib/rules-dsl-schema.ts
@@ -25906,6 +27883,7 @@ var ruleLanguageSchema = import_zod5.z.enum([
   "ruby",
   "rust",
   "dockerfile",
+  "cloudformation",
   "all"
 ]);
 var ruleStabilitySchema = import_zod5.z.enum(["stable", "experimental"]);
@@ -26149,16 +28127,16 @@ var ruleDocumentV0Alpha1Schema = import_zod5.z.object({
 // libs/core/rules-dsl/src/lib/rules-dsl.ts
 function loadRuleDocumentV0Alpha1JsonSchema() {
   const candidatePaths = [
-    (0, import_node_path5.resolve)(__dirname, "./schema/rule-document-v0alpha1.schema.json"),
-    (0, import_node_path5.resolve)(__dirname, "../../schema/rule-document-v0alpha1.schema.json"),
-    (0, import_node_path5.resolve)(
+    (0, import_node_path7.resolve)(__dirname, "./schema/rule-document-v0alpha1.schema.json"),
+    (0, import_node_path7.resolve)(__dirname, "../../schema/rule-document-v0alpha1.schema.json"),
+    (0, import_node_path7.resolve)(
       __dirname,
       "../../../../../workspace_modules/@critiq/core-rules-dsl/schema/rule-document-v0alpha1.schema.json"
     )
   ];
   for (const candidatePath of candidatePaths) {
-    if ((0, import_node_fs4.existsSync)(candidatePath)) {
-      return JSON.parse((0, import_node_fs4.readFileSync)(candidatePath, "utf8"));
+    if ((0, import_node_fs5.existsSync)(candidatePath)) {
+      return JSON.parse((0, import_node_fs5.readFileSync)(candidatePath, "utf8"));
     }
   }
   throw new Error("Unable to locate rule-document-v0alpha1.schema.json.");
@@ -26210,7 +28188,7 @@ function summarizeValidatedRuleDocument(validatedRuleDocument) {
 }
 
 // libs/core/rules-dsl/src/lib/rules-dsl-loader.ts
-var import_node_fs5 = require("node:fs");
+var import_node_fs6 = require("node:fs");
 var import_node_url3 = require("node:url");
 function toSourceMap(sourceMap) {
   return Object.fromEntries(
@@ -26272,7 +28250,7 @@ function loadRuleText(text, uri) {
 }
 function loadRuleFile(path) {
   try {
-    const text = (0, import_node_fs5.readFileSync)(path, "utf8");
+    const text = (0, import_node_fs6.readFileSync)(path, "utf8");
     const uri = (0, import_node_url3.pathToFileURL)(path).href;
     return loadRuleText(text, uri);
   } catch (error) {
@@ -27006,10 +28984,10 @@ function validateRuleDocumentSemantics(validatedRuleDocument) {
 function validateLoadedRuleDocument(loadedRuleDocument) {
   const contractValidation = validateLoadedRuleDocumentContract(loadedRuleDocument);
   if (!contractValidation.success) {
-    const failure = contractValidation;
+    const failure2 = contractValidation;
     return {
       success: false,
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   const semanticValidation = validateRuleDocumentSemantics(contractValidation.data);
@@ -27027,16 +29005,16 @@ function validateLoadedRuleDocument(loadedRuleDocument) {
 }
 
 // libs/runtime/check-runner/src/lib/check-runner/shared.ts
-var import_node_fs6 = require("node:fs");
-var import_node_path6 = require("node:path");
+var import_node_fs7 = require("node:fs");
+var import_node_path8 = require("node:path");
 var DEFAULT_CATALOG_PACKAGE_NAME = "@critiq/rules";
 var RULE_CATALOG_FILENAME = "catalog.yaml";
 function toPosixPath(value) {
-  return value.split(import_node_path6.sep).join("/");
+  return value.split(import_node_path8.sep).join("/");
 }
 function toDisplayPath(cwd, absolutePath) {
-  const relativePath = toPosixPath((0, import_node_path6.relative)(cwd, absolutePath));
-  if (relativePath.length > 0 && !relativePath.startsWith("..") && !(0, import_node_path6.isAbsolute)(relativePath)) {
+  const relativePath = toPosixPath((0, import_node_path8.relative)(cwd, absolutePath));
+  if (relativePath.length > 0 && !relativePath.startsWith("..") && !(0, import_node_path8.isAbsolute)(relativePath)) {
     return relativePath;
   }
   return toPosixPath(absolutePath);
@@ -27061,7 +29039,7 @@ function isSkippableDirectory(currentDirectory, name) {
   )) {
     return true;
   }
-  return name === "cache" && currentDirectory.split(import_node_path6.sep).at(-1) === ".yarn";
+  return name === "cache" && currentDirectory.split(import_node_path8.sep).at(-1) === ".yarn";
 }
 function walkFiles(rootDirectory) {
   const files = [];
@@ -27071,11 +29049,11 @@ function walkFiles(rootDirectory) {
     if (!currentDirectory) {
       continue;
     }
-    const entries = (0, import_node_fs6.readdirSync)(currentDirectory, { withFileTypes: true }).sort(
+    const entries = (0, import_node_fs7.readdirSync)(currentDirectory, { withFileTypes: true }).sort(
       (left, right) => left.name.localeCompare(right.name)
     );
     for (const entry of entries) {
-      const absolutePath = (0, import_node_path6.resolve)(currentDirectory, entry.name);
+      const absolutePath = (0, import_node_path8.resolve)(currentDirectory, entry.name);
       if (entry.isDirectory()) {
         if (!isSkippableDirectory(currentDirectory, entry.name)) {
           queue.push(absolutePath);
@@ -27100,7 +29078,7 @@ function readTextFileSafe(path) {
   try {
     return {
       success: true,
-      text: (0, import_node_fs6.readFileSync)(path, "utf8")
+      text: (0, import_node_fs7.readFileSync)(path, "utf8")
     };
   } catch (error) {
     return {
@@ -27125,16 +29103,16 @@ function loadNormalizedRulesForCatalog(absoluteRulePaths) {
   )) {
     const loadResult = loadRuleFile(absolutePath);
     if (!loadResult.success) {
-      const failure = loadResult;
-      diagnostics.push(...failure.diagnostics);
+      const failure2 = loadResult;
+      diagnostics.push(...failure2.diagnostics);
       continue;
     }
     const contractValidation = validateLoadedRuleDocumentContract(
       loadResult.data
     );
     if (!contractValidation.success) {
-      const failure = contractValidation;
-      diagnostics.push(...failure.diagnostics);
+      const failure2 = contractValidation;
+      diagnostics.push(...failure2.diagnostics);
       continue;
     }
     const semanticValidation = validateRuleDocumentSemantics(
@@ -27173,13 +29151,13 @@ function defaultCatalogPackageRootsFromEnvironment() {
   if (!rulesRoot) {
     return {};
   }
-  const directRoot = (0, import_node_path6.resolve)(rulesRoot);
+  const directRoot = (0, import_node_path8.resolve)(rulesRoot);
   const candidateRoots = [
     directRoot,
-    (0, import_node_path6.resolve)(directRoot, "libs/rules/catalog")
+    (0, import_node_path8.resolve)(directRoot, "libs/rules/catalog")
   ];
   for (const candidateRoot of candidateRoots) {
-    if ((0, import_node_fs6.existsSync)((0, import_node_path6.resolve)(candidateRoot, RULE_CATALOG_FILENAME))) {
+    if ((0, import_node_fs7.existsSync)((0, import_node_path8.resolve)(candidateRoot, RULE_CATALOG_FILENAME))) {
       return {
         [DEFAULT_CATALOG_PACKAGE_NAME]: candidateRoot
       };
@@ -27197,7 +29175,7 @@ function resolveCatalogPackageForRuntime(_displayRoot, packageName, options) {
     packageRootOverrides,
     hasOverrideCatalog(packageRootOverride) {
       return Boolean(
-        packageRootOverride && (0, import_node_fs6.existsSync)((0, import_node_path6.resolve)(packageRootOverride, RULE_CATALOG_FILENAME))
+        packageRootOverride && (0, import_node_fs7.existsSync)((0, import_node_path8.resolve)(packageRootOverride, RULE_CATALOG_FILENAME))
       );
     }
   };
@@ -27220,11 +29198,33 @@ function createSourceAdapterRegistry(adapters) {
   }));
   return {
     adapters: normalizedAdapters,
-    findAdapterForPath(path) {
-      const extension = normalizeExtension((0, import_node_path7.extname)(path));
-      return normalizedAdapters.find(
+    findAdapterForPath(path, text) {
+      const extension = normalizeExtension((0, import_node_path9.extname)(path));
+      const candidates = normalizedAdapters.filter(
         (adapter) => adapter.supportedExtensions.includes(extension)
       );
+      if (candidates.length === 0) {
+        return void 0;
+      }
+      if (candidates.length === 1) {
+        const adapter = candidates[0];
+        if (adapter.canHandle) {
+          if (text === void 0) {
+            return adapter.canHandlePath?.(path) ? adapter : void 0;
+          }
+          return adapter.canHandle(path, text) ? adapter : void 0;
+        }
+        return adapter;
+      }
+      if (text !== void 0) {
+        for (const adapter of candidates) {
+          if (adapter.canHandle?.(path, text)) {
+            return adapter;
+          }
+        }
+        return candidates.find((adapter) => !adapter.canHandle) ?? candidates[0];
+      }
+      return candidates.find((adapter) => !adapter.canHandle) ?? candidates[0];
     },
     hasAdapterForLanguage(language) {
       return normalizedAdapters.some(
@@ -27249,6 +29249,7 @@ function createSourceAdapterRegistry(adapters) {
 }
 function createDefaultSourceAdapterRegistry() {
   return createSourceAdapterRegistry([
+    cloudformationSourceAdapter,
     goSourceAdapter,
     javaSourceAdapter,
     phpSourceAdapter,
@@ -27261,12 +29262,12 @@ function createDefaultSourceAdapterRegistry() {
 
 // libs/runtime/check-runner/src/lib/check-runner/scope.ts
 var import_minimatch2 = require("minimatch");
-var import_node_child_process = require("node:child_process");
-var import_node_fs7 = require("node:fs");
-var import_node_path9 = require("node:path");
+var import_node_child_process2 = require("node:child_process");
+var import_node_fs8 = require("node:fs");
+var import_node_path11 = require("node:path");
 
 // libs/runtime/check-runner/src/lib/secrets-scanner/eligibility.ts
-var import_node_path8 = require("node:path");
+var import_node_path10 = require("node:path");
 var SECRETS_SCAN_MAX_FILE_BYTES = 512 * 1024;
 var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
   ".png",
@@ -27371,7 +29372,7 @@ var NO_EXTENSION_NAMES = /* @__PURE__ */ new Set([
 ]);
 function isSecretsEligiblePath(displayPath) {
   const lower = displayPath.toLowerCase();
-  const ext = (0, import_node_path8.extname)(lower);
+  const ext = (0, import_node_path10.extname)(lower);
   const base = lower.includes("/") ? lower.slice(lower.lastIndexOf("/") + 1) : lower;
   if (BINARY_EXTENSIONS.has(ext)) {
     return false;
@@ -27437,13 +29438,13 @@ var defaultIgnoredPathPatterns = [
   "**/*_generated.go"
 ];
 function isPathWithinDirectory(directoryPath, candidatePath) {
-  const relativePath = (0, import_node_path9.relative)(directoryPath, candidatePath);
-  return relativePath.length === 0 || !relativePath.startsWith("..") && !(0, import_node_path9.isAbsolute)(relativePath);
+  const relativePath = (0, import_node_path11.relative)(directoryPath, candidatePath);
+  return relativePath.length === 0 || !relativePath.startsWith("..") && !(0, import_node_path11.isAbsolute)(relativePath);
 }
 function tryResolveGitRepoRoot(workingDirectory) {
   try {
     return toPosixPath(
-      (0, import_node_child_process.execFileSync)("git", ["rev-parse", "--show-toplevel"], {
+      (0, import_node_child_process2.execFileSync)("git", ["rev-parse", "--show-toplevel"], {
         cwd: workingDirectory,
         encoding: "utf8",
         stdio: ["ignore", "pipe", "pipe"]
@@ -27465,10 +29466,10 @@ function resolveCheckTarget(cwd, target) {
       ]
     };
   }
-  const candidatePath = (0, import_node_path9.resolve)(cwd, resolvedTarget);
+  const candidatePath = (0, import_node_path11.resolve)(cwd, resolvedTarget);
   try {
-    const absolutePath = toPosixPath((0, import_node_fs7.realpathSync)(candidatePath));
-    const stats = (0, import_node_fs7.statSync)(absolutePath);
+    const absolutePath = toPosixPath((0, import_node_fs8.realpathSync)(candidatePath));
+    const stats = (0, import_node_fs8.statSync)(absolutePath);
     if (!stats.isDirectory() && !stats.isFile()) {
       return {
         success: false,
@@ -27479,7 +29480,7 @@ function resolveCheckTarget(cwd, target) {
         ]
       };
     }
-    const scopeDirectory = stats.isDirectory() ? absolutePath : (0, import_node_path9.dirname)(absolutePath);
+    const scopeDirectory = stats.isDirectory() ? absolutePath : (0, import_node_path11.dirname)(absolutePath);
     const repoRoot = tryResolveGitRepoRoot(scopeDirectory);
     return {
       success: true,
@@ -27526,10 +29527,10 @@ function normalizeGitDiffPath(value) {
   }
   return value;
 }
-function parseGitDiffChangedRanges(output) {
+function parseGitDiffChangedRanges(output2) {
   const changedRanges = /* @__PURE__ */ new Map();
   let currentPath = null;
-  for (const line of output.split(/\r?\n/)) {
+  for (const line of output2.split(/\r?\n/)) {
     if (line.startsWith("+++ ")) {
       currentPath = normalizeGitDiffPath(line.slice(4));
       if (currentPath && !changedRanges.has(currentPath)) {
@@ -27559,7 +29560,7 @@ function runGitCommand(cwd, args) {
   try {
     return {
       success: true,
-      stdout: (0, import_node_child_process.execFileSync)("git", args, {
+      stdout: (0, import_node_child_process2.execFileSync)("git", args, {
         cwd,
         encoding: "utf8",
         stdio: ["ignore", "pipe", "pipe"]
@@ -27617,8 +29618,8 @@ function resolveCheckScope(target, baseRef, headRef, registry) {
   return diffScope;
 }
 function readGitStagedFileText(repoRoot, absolutePath) {
-  const relPath = toPosixPath((0, import_node_path9.relative)(repoRoot, absolutePath));
-  if (!relPath || relPath.startsWith("..") || (0, import_node_path9.isAbsolute)(relPath)) {
+  const relPath = toPosixPath((0, import_node_path11.relative)(repoRoot, absolutePath));
+  if (!relPath || relPath.startsWith("..") || (0, import_node_path11.isAbsolute)(relPath)) {
     return {
       success: false,
       diagnostics: [
@@ -27634,7 +29635,7 @@ function readGitStagedFileText(repoRoot, absolutePath) {
     };
   }
   try {
-    const text = (0, import_node_child_process.execFileSync)("git", ["show", `:${relPath}`], {
+    const text = (0, import_node_child_process2.execFileSync)("git", ["show", `:${relPath}`], {
       cwd: repoRoot,
       encoding: "utf8",
       stdio: ["ignore", "pipe", "pipe"],
@@ -27714,18 +29715,18 @@ function resolveStagedSecretsScope(target) {
     };
   }
   const changedRangesByRelativePath = parseGitDiffChangedRanges(diffResult.stdout);
-  const files = changedFilesResult.stdout.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map((line) => (0, import_node_path9.resolve)(target.repoRoot, line)).filter(
-    (absolutePath) => target.isDirectory ? isPathWithinDirectory(target.absolutePath, absolutePath) : (0, import_node_path9.resolve)(absolutePath) === target.absolutePath
+  const files = changedFilesResult.stdout.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map((line) => (0, import_node_path11.resolve)(target.repoRoot, line)).filter(
+    (absolutePath) => target.isDirectory ? isPathWithinDirectory(target.absolutePath, absolutePath) : (0, import_node_path11.resolve)(absolutePath) === target.absolutePath
   ).filter((absolutePath) => {
     try {
-      return (0, import_node_fs7.statSync)(absolutePath).isFile();
+      return (0, import_node_fs8.statSync)(absolutePath).isFile();
     } catch {
       return true;
     }
   }).sort((left, right) => left.localeCompare(right));
   const changedRangesByAbsolutePath = /* @__PURE__ */ new Map();
   for (const absolutePath of files) {
-    const relativePath = toPosixPath((0, import_node_path9.relative)(target.repoRoot, absolutePath));
+    const relativePath = toPosixPath((0, import_node_path11.relative)(target.repoRoot, absolutePath));
     changedRangesByAbsolutePath.set(
       absolutePath,
       changedRangesByRelativePath.get(relativePath) ?? []
@@ -27835,18 +29836,18 @@ function resolveRepositoryDiffScope(target, baseRef, headRef, includeAbsolutePat
     };
   }
   const changedRangesByRelativePath = parseGitDiffChangedRanges(diffResult.stdout);
-  const files = changedFilesResult.stdout.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map((line) => (0, import_node_path9.resolve)(target.repoRoot, line)).filter(
-    (absolutePath) => includeAbsolutePath(absolutePath) && (target.isDirectory ? isPathWithinDirectory(target.absolutePath, absolutePath) : (0, import_node_path9.resolve)(absolutePath) === target.absolutePath)
+  const files = changedFilesResult.stdout.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map((line) => (0, import_node_path11.resolve)(target.repoRoot, line)).filter(
+    (absolutePath) => includeAbsolutePath(absolutePath) && (target.isDirectory ? isPathWithinDirectory(target.absolutePath, absolutePath) : (0, import_node_path11.resolve)(absolutePath) === target.absolutePath)
   ).filter((absolutePath) => {
     try {
-      return (0, import_node_fs7.statSync)(absolutePath).isFile();
+      return (0, import_node_fs8.statSync)(absolutePath).isFile();
     } catch {
       return false;
     }
   }).sort((left, right) => left.localeCompare(right));
   const changedRangesByAbsolutePath = /* @__PURE__ */ new Map();
   for (const absolutePath of files) {
-    const relativePath = toPosixPath((0, import_node_path9.relative)(target.repoRoot, absolutePath));
+    const relativePath = toPosixPath((0, import_node_path11.relative)(target.repoRoot, absolutePath));
     changedRangesByAbsolutePath.set(
       absolutePath,
       changedRangesByRelativePath.get(relativePath) ?? []
@@ -28334,13 +30335,13 @@ function packagePolicyId(packageName, versionRange) {
   }
   return void 0;
 }
-function collectNpmDependencies(input) {
-  if ((0, import_posix2.basename)(input.path) !== "package.json") {
+function collectNpmDependencies(input2) {
+  if ((0, import_posix2.basename)(input2.path) !== "package.json") {
     return [];
   }
   let parsed;
   try {
-    parsed = JSON.parse(input.text);
+    parsed = JSON.parse(input2.text);
   } catch {
     return [];
   }
@@ -28364,17 +30365,17 @@ function collectNpmDependencies(input) {
         ecosystem: "npm",
         packageName,
         versionRange: rawVersion,
-        manifestPath: input.path,
+        manifestPath: input2.path,
         policyId: packagePolicyId(packageName, rawVersion)
       });
     }
   }
   return facts;
 }
-function collectLineBasedDependencies(input) {
-  const name = (0, import_posix2.basename)(input.path);
+function collectLineBasedDependencies(input2) {
+  const name = (0, import_posix2.basename)(input2.path);
   const facts = [];
-  for (const line of input.text.split(/\r?\n/u)) {
+  for (const line of input2.text.split(/\r?\n/u)) {
     const trimmed = line.trim();
     let match = null;
     let ecosystem;
@@ -28399,13 +30400,13 @@ function collectLineBasedDependencies(input) {
       ecosystem,
       packageName: match[1],
       versionRange: match[2],
-      manifestPath: input.path
+      manifestPath: input2.path
     });
   }
   return facts;
 }
-function collectRegexDependencies(input) {
-  const name = (0, import_posix2.basename)(input.path);
+function collectRegexDependencies(input2) {
+  const name = (0, import_posix2.basename)(input2.path);
   const facts = [];
   let ecosystem;
   let pattern;
@@ -28422,7 +30423,7 @@ function collectRegexDependencies(input) {
   if (!ecosystem || !pattern) {
     return facts;
   }
-  for (const match of input.text.matchAll(pattern)) {
+  for (const match of input2.text.matchAll(pattern)) {
     const packageName = match[1] ?? match[3];
     const versionRange = match[2] ?? match[4] ?? match[5];
     if (!packageName || !versionRange) {
@@ -28432,7 +30433,7 @@ function collectRegexDependencies(input) {
       ecosystem,
       packageName,
       versionRange,
-      manifestPath: input.path
+      manifestPath: input2.path
     });
   }
   return facts;
@@ -28442,10 +30443,10 @@ function isDependencyManifestPath(path) {
   return name === "package.json" || name === "package-lock.json" || name === "yarn.lock" || name === "pnpm-lock.yaml" || name === "go.mod" || name === "pom.xml" || name.endsWith(".gradle") || name === "composer.json" || name === "composer.lock" || name === "requirements.txt" || name === "requirements.lock" || name === "Gemfile" || name === "Gemfile.lock" || name === "Cargo.toml" || name === "Cargo.lock";
 }
 function collectProjectDependencyFacts(manifests) {
-  return manifests.flatMap((input) => [
-    ...collectNpmDependencies(input),
-    ...collectLineBasedDependencies(input),
-    ...collectRegexDependencies(input)
+  return manifests.flatMap((input2) => [
+    ...collectNpmDependencies(input2),
+    ...collectLineBasedDependencies(input2),
+    ...collectRegexDependencies(input2)
   ]);
 }
 function appendDependencyFacts(analyzedFiles, dependencyFacts) {
@@ -29279,15 +31280,15 @@ function augmentProjectFacts(analyzedFiles, options) {
 var CHECK_ENGINE_KIND = "critiq-cli";
 function loadCheckEngineVersion() {
   const candidatePaths = [
-    (0, import_node_path10.resolve)(__dirname, "./package.json"),
-    (0, import_node_path10.resolve)(__dirname, "../package.json"),
-    (0, import_node_path10.resolve)(__dirname, "../../../package.json")
+    (0, import_node_path12.resolve)(__dirname, "./package.json"),
+    (0, import_node_path12.resolve)(__dirname, "../package.json"),
+    (0, import_node_path12.resolve)(__dirname, "../../../package.json")
   ];
   try {
     for (const candidatePath of candidatePaths) {
       try {
         const packageJson = JSON.parse(
-          (0, import_node_fs8.readFileSync)(candidatePath, "utf8")
+          (0, import_node_fs9.readFileSync)(candidatePath, "utf8")
         );
         if (packageJson.version && packageJson.version.trim().length > 0) {
           return packageJson.version.trim();
@@ -29352,8 +31353,8 @@ function resolveCatalogPackageRuntime(displayRoot, packageName, options) {
       data: {
         packageName,
         packageRoot: packageRootOverride,
-        entryPath: (0, import_node_path10.resolve)(packageRootOverride, "package.json"),
-        catalogPath: (0, import_node_path10.resolve)(
+        entryPath: (0, import_node_path12.resolve)(packageRootOverride, "package.json"),
+        catalogPath: (0, import_node_path12.resolve)(
           packageRootOverride,
           RULE_CATALOG_FILENAME
         )
@@ -29619,7 +31620,7 @@ function runCheckCommand(options = {}) {
       continue;
     }
     sourceTextsByPath.set(displayPath, textResult.text);
-    const adapter = registry.findAdapterForPath(displayPath);
+    const adapter = registry.findAdapterForPath(displayPath, textResult.text);
     if (!adapter) {
       diagnostics.push(
         createCheckRuntimeDiagnostic(
@@ -29649,6 +31650,9 @@ function runCheckCommand(options = {}) {
       });
       continue;
     }
+    if (analysis.diagnostics?.length) {
+      diagnostics.push(...analysis.diagnostics);
+    }
     analyzedFiles.push({
       ...analysis.data,
       changedRanges: filteredScope.changedRangesByAbsolutePath.get(absolutePath)
@@ -29764,7 +31768,7 @@ function runCheckCommand(options = {}) {
 }
 
 // libs/runtime/check-runner/src/lib/secrets-scanner/run-secrets-scan.ts
-var import_node_fs9 = require("node:fs");
+var import_node_fs10 = require("node:fs");
 
 // libs/runtime/check-runner/src/lib/secrets-scanner/detectors.ts
 var import_node_crypto3 = require("node:crypto");
@@ -30097,7 +32101,7 @@ function runSecretsScan(options = {}) {
     } else {
       let size = 0;
       try {
-        size = (0, import_node_fs9.statSync)(absolutePath).size;
+        size = (0, import_node_fs10.statSync)(absolutePath).size;
       } catch {
         continue;
       }
@@ -30175,8 +32179,8 @@ function toCheckSecretsScanPayload(result) {
 }
 
 // apps/cli/src/commands/audit-secrets.command.ts
-var import_node_fs10 = require("node:fs");
-var import_node_path11 = require("node:path");
+var import_node_fs11 = require("node:fs");
+var import_node_path13 = require("node:path");
 
 // apps/cli/src/rendering/check/terminal-frames.rendering.ts
 var ansi = {
@@ -30501,9 +32505,9 @@ function collectSourceTextsForFindings(displayRoot, result) {
   }
   const map = /* @__PURE__ */ new Map();
   for (const displayPath of paths) {
-    const absolutePath = (0, import_node_path11.isAbsolute)(displayPath) ? displayPath : (0, import_node_path11.resolve)(displayRoot, displayPath);
+    const absolutePath = (0, import_node_path13.isAbsolute)(displayPath) ? displayPath : (0, import_node_path13.resolve)(displayRoot, displayPath);
     try {
-      map.set(displayPath, (0, import_node_fs10.readFileSync)(absolutePath, "utf8"));
+      map.set(displayPath, (0, import_node_fs11.readFileSync)(absolutePath, "utf8"));
     } catch {
     }
   }
@@ -30803,8 +32807,597 @@ function renderCheckSarif(envelope) {
   );
 }
 
+// apps/cli/src/utils/ensure-catalog-package.util.ts
+var import_node_fs16 = require("node:fs");
+var import_node_path18 = require("node:path");
+
+// apps/cli/src/utils/detect-cli-install-scope.util.ts
+var import_node_fs13 = require("node:fs");
+var import_node_path15 = require("node:path");
+
+// apps/cli/src/utils/node-modules-roots.util.ts
+var import_node_child_process3 = require("node:child_process");
+var import_node_fs12 = require("node:fs");
+var import_node_path14 = require("node:path");
+function tryCommandOutput(command, args) {
+  try {
+    return (0, import_node_child_process3.execFileSync)(command, args, {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+function getRepoNodeModulesRoot(cwd) {
+  return (0, import_node_path14.resolve)(cwd, "node_modules");
+}
+function getGlobalNodeModulesRoots() {
+  const roots = /* @__PURE__ */ new Set();
+  const npmRoot = tryCommandOutput("npm", ["root", "-g"]);
+  if (npmRoot) {
+    roots.add(npmRoot);
+  }
+  const pnpmRoot = tryCommandOutput("pnpm", ["root", "-g"]);
+  if (pnpmRoot) {
+    roots.add(pnpmRoot);
+  }
+  const yarnGlobalDir = tryCommandOutput("yarn", ["global", "dir"]);
+  if (yarnGlobalDir) {
+    roots.add((0, import_node_path14.resolve)(yarnGlobalDir, "node_modules"));
+  }
+  return [...roots].filter((root) => (0, import_node_fs12.existsSync)(root));
+}
+
+// apps/cli/src/utils/detect-cli-install-scope.util.ts
+function safeRealpath(path) {
+  try {
+    return (0, import_node_fs13.realpathSync)(path);
+  } catch {
+    return null;
+  }
+}
+function normalizeEntryPath(entryPath) {
+  if (!entryPath) {
+    return null;
+  }
+  return safeRealpath(entryPath) ?? (0, import_node_path15.resolve)(entryPath);
+}
+function detectCliInstallScope(cwd, entryPath = process.argv[1]) {
+  const resolvedEntryPath = normalizeEntryPath(entryPath);
+  if (!resolvedEntryPath) {
+    return "external";
+  }
+  const repoNodeModules = safeRealpath(getRepoNodeModulesRoot(cwd));
+  if (repoNodeModules) {
+    const localCliMain = safeRealpath(
+      (0, import_node_path15.resolve)(repoNodeModules, "@critiq/cli/main.js")
+    );
+    const localBin = safeRealpath((0, import_node_path15.resolve)(repoNodeModules, ".bin/critiq"));
+    if (resolvedEntryPath === localCliMain || resolvedEntryPath === localBin || resolvedEntryPath.startsWith(`${(0, import_node_path15.resolve)(repoNodeModules, "@critiq/cli")}${import_node_path15.sep}`)) {
+      return "local";
+    }
+  }
+  for (const globalRoot of getGlobalNodeModulesRoots()) {
+    const globalCliMain = (0, import_node_path15.resolve)(globalRoot, "@critiq/cli/main.js");
+    const globalBin = (0, import_node_path15.resolve)(globalRoot, ".bin/critiq");
+    if (resolvedEntryPath === safeRealpath(globalCliMain) || resolvedEntryPath === safeRealpath(globalBin) || resolvedEntryPath.startsWith(`${(0, import_node_path15.resolve)(globalRoot, "@critiq/cli")}${import_node_path15.sep}`)) {
+      return "global";
+    }
+  }
+  if (resolvedEntryPath.includes(`${import_node_path15.sep}node_modules${import_node_path15.sep}`)) {
+    return "external";
+  }
+  if ((0, import_node_fs13.existsSync)(resolvedEntryPath)) {
+    return "external";
+  }
+  return "external";
+}
+
+// apps/cli/src/utils/detect-package-manager.util.ts
+var import_node_fs14 = require("node:fs");
+var import_node_path16 = require("node:path");
+function readPackageManagerField(cwd) {
+  const packageJsonPath = (0, import_node_path16.join)(cwd, "package.json");
+  if (!(0, import_node_fs14.existsSync)(packageJsonPath)) {
+    return null;
+  }
+  try {
+    const manifest = JSON.parse((0, import_node_fs14.readFileSync)(packageJsonPath, "utf8"));
+    const value = manifest.packageManager?.trim();
+    if (!value) {
+      return null;
+    }
+    if (value.startsWith("pnpm@")) {
+      return "pnpm";
+    }
+    if (value.startsWith("yarn@")) {
+      return "yarn";
+    }
+    if (value.startsWith("npm@")) {
+      return "npm";
+    }
+    if (value.startsWith("bun@")) {
+      return "bun";
+    }
+  } catch {
+    return null;
+  }
+  return null;
+}
+function detectPackageManager(cwd) {
+  const fromField = readPackageManagerField(cwd);
+  if (fromField) {
+    return fromField;
+  }
+  if ((0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "bun.lockb")) || (0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "bun.lock"))) {
+    return "bun";
+  }
+  if ((0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "pnpm-lock.yaml"))) {
+    return "pnpm";
+  }
+  if ((0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "yarn.lock"))) {
+    return "yarn";
+  }
+  if ((0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "package-lock.json")) || (0, import_node_fs14.existsSync)((0, import_node_path16.join)(cwd, "npm-shrinkwrap.json"))) {
+    return "npm";
+  }
+  return "npm";
+}
+function buildCatalogInstallCommand(packageManager, packageName, scope) {
+  switch (packageManager) {
+    case "yarn":
+      if (scope === "global") {
+        return {
+          executable: "yarn",
+          args: ["global", "add", packageName],
+          display: `yarn global add ${packageName}`
+        };
+      }
+      return {
+        executable: "yarn",
+        args: ["add", "-D", packageName],
+        display: `yarn add -D ${packageName}`
+      };
+    case "pnpm":
+      if (scope === "global") {
+        return {
+          executable: "pnpm",
+          args: ["add", "-g", packageName],
+          display: `pnpm add -g ${packageName}`
+        };
+      }
+      return {
+        executable: "pnpm",
+        args: ["add", "-D", packageName],
+        display: `pnpm add -D ${packageName}`
+      };
+    case "bun":
+      if (scope === "global") {
+        return {
+          executable: "bun",
+          args: ["add", "-g", packageName],
+          display: `bun add -g ${packageName}`
+        };
+      }
+      return {
+        executable: "bun",
+        args: ["add", "-d", packageName],
+        display: `bun add -d ${packageName}`
+      };
+    case "npm":
+      if (scope === "global") {
+        return {
+          executable: "npm",
+          args: ["install", "-g", packageName],
+          display: `npm install -g ${packageName}`
+        };
+      }
+      return {
+        executable: "npm",
+        args: ["install", "-D", packageName],
+        display: `npm install -D ${packageName}`
+      };
+  }
+}
+
+// apps/cli/src/utils/format-catalog-not-found-message.util.ts
+function formatSuggestedInstallCommands(cwd, packageName) {
+  const packageManager = detectPackageManager(cwd);
+  const localCommand = buildCatalogInstallCommand(
+    packageManager,
+    packageName,
+    "local"
+  );
+  const globalCommand = buildCatalogInstallCommand(
+    packageManager,
+    packageName,
+    "global"
+  );
+  const oneShotCommand = `npx -p @critiq/cli -p ${packageName} critiq check .`;
+  return [
+    `Install in this repository: ${localCommand.display}`,
+    `Install globally: ${globalCommand.display}`,
+    `Run once without installing: ${oneShotCommand}`
+  ];
+}
+function formatCatalogPackageNotFoundMessage(input2) {
+  const lines = [
+    `Critiq could not find the rules catalog package \`${input2.packageName}\`.`
+  ];
+  if (input2.cliScope === "local") {
+    lines.push(
+      "The CLI is installed in this repository, but the rules catalog is missing from `./node_modules`."
+    );
+  } else if (input2.cliScope === "global") {
+    lines.push(
+      "The CLI is installed globally. Critiq checked this repository and your global Node modules, but the rules catalog is not installed in either place."
+    );
+  } else {
+    lines.push(
+      "Critiq checked this repository and your global Node modules, but the rules catalog is not installed in either place."
+    );
+  }
+  if (input2.includeInstallSuggestions) {
+    lines.push("", "You can install the default OSS rules catalog with:");
+    for (const suggestion of formatSuggestedInstallCommands(
+      input2.cwd,
+      input2.packageName
+    )) {
+      lines.push(`  ${suggestion}`);
+    }
+  } else {
+    lines.push(
+      "",
+      `Install the catalog package manually, or point \`catalog.package\` in \`.critiq/config.yaml\` at the package you want to use.`
+    );
+  }
+  lines.push(
+    "",
+    "For CI or non-interactive runs, install the catalog before running `critiq check`."
+  );
+  return lines.join("\n");
+}
+function formatInstallCancelledMessage(packageName) {
+  return `Cancelled. \`${packageName}\` was not installed, so the scan did not run.`;
+}
+function formatInstallFailureMessage(command) {
+  return `Failed to install the rules catalog with \`${command.display}\`. Fix the error above and try again.`;
+}
+function formatInstallSuccessMessage(command) {
+  return `Installed the rules catalog with \`${command.display}\`. Continuing with the scan...`;
+}
+function formatLocalInstallUnavailableMessage() {
+  return "A local install requires a `package.json` in this repository. Choose global install instead, or create a package manifest first.";
+}
+
+// apps/cli/src/utils/prompt.util.ts
+var import_promises = require("node:readline/promises");
+var import_node_process = require("node:process");
+async function promptChoice(promptInput) {
+  const lines = [promptInput.title, ""];
+  for (const option of promptInput.options) {
+    const suffix = option.id === promptInput.defaultOptionId ? " (default)" : "";
+    lines.push(`  [${option.id}] ${option.label}${suffix}`);
+  }
+  lines.push("", "Enter a choice and press Return.");
+  const readline = (0, import_promises.createInterface)({
+    input: import_node_process.stdin,
+    output: import_node_process.stdout,
+    terminal: true
+  });
+  try {
+    const answer = (await readline.question(`${lines.join("\n")}
+> `)).trim();
+    if (answer.length === 0 && promptInput.defaultOptionId) {
+      return promptInput.defaultOptionId;
+    }
+    const matched = promptInput.options.find((option) => option.id === answer);
+    return matched?.id ?? null;
+  } finally {
+    readline.close();
+  }
+}
+
+// apps/cli/src/utils/probe-catalog-package.util.ts
+function probeFromBasePath(cwd, packageName, basePath) {
+  const result = resolveCatalogPackage(cwd, packageName, [basePath]);
+  if (!result.success) {
+    return null;
+  }
+  return result.data.packageRoot;
+}
+function probeCatalogPackageInRepo(cwd, packageName) {
+  return probeFromBasePath(cwd, packageName, getRepoNodeModulesRoot(cwd));
+}
+function probeCatalogPackageGlobally(cwd, packageName) {
+  for (const globalRoot of getGlobalNodeModulesRoots()) {
+    const packageRoot = probeFromBasePath(cwd, packageName, globalRoot);
+    if (packageRoot) {
+      return packageRoot;
+    }
+  }
+  return null;
+}
+function probeCatalogPackageResolution(cwd, packageName, options = {}) {
+  const repoPackageRoot = probeCatalogPackageInRepo(cwd, packageName);
+  if (repoPackageRoot) {
+    return {
+      packageName,
+      location: "repo",
+      packageRoot: repoPackageRoot
+    };
+  }
+  if (options.includeGlobal !== false) {
+    const globalPackageRoot = probeCatalogPackageGlobally(cwd, packageName);
+    if (globalPackageRoot) {
+      return {
+        packageName,
+        location: "global",
+        packageRoot: globalPackageRoot
+      };
+    }
+  }
+  return null;
+}
+
+// apps/cli/src/utils/resolve-catalog-package-name.util.ts
+var import_node_fs15 = require("node:fs");
+var import_node_path17 = require("node:path");
+function resolveCatalogPackageNameForEnsure(cwd) {
+  const loaded = loadCritiqConfigForDirectory(cwd);
+  if (!loaded.success) {
+    const firstCode = loaded.diagnostics[0]?.code;
+    if (firstCode === "config.file.not-found") {
+      return DEFAULT_CATALOG_PACKAGE_NAME;
+    }
+    return null;
+  }
+  return loaded.data.catalogPackage ?? DEFAULT_CATALOG_PACKAGE_NAME;
+}
+function repoHasPackageJson(cwd) {
+  return (0, import_node_fs15.existsSync)((0, import_node_path17.join)(cwd, "package.json"));
+}
+function canInstallCatalogLocally(cwd) {
+  return repoHasPackageJson(cwd);
+}
+function isDefaultInstallableCatalogPackage(packageName) {
+  return packageName === DEFAULT_CATALOG_PACKAGE_NAME;
+}
+
+// apps/cli/src/utils/run-package-install.util.ts
+var import_node_child_process4 = require("node:child_process");
+function runPackageInstall(options) {
+  options.writeStdout(`Running: ${options.command.display}`);
+  try {
+    (0, import_node_child_process4.execFileSync)(options.command.executable, [...options.command.args], {
+      cwd: options.cwd,
+      stdio: "inherit"
+    });
+    return true;
+  } catch {
+    options.writeStderr(
+      `Command failed: ${options.command.display}`
+    );
+    return false;
+  }
+}
+
+// apps/cli/src/utils/ensure-catalog-package.util.ts
+function buildCatalogRuntimeOptions(packageName, packageRoot, cwd) {
+  if (probeCatalogPackageInRepo(cwd, packageName)) {
+    return {
+      ok: true,
+      catalogResolverBasePaths: [cwd]
+    };
+  }
+  return {
+    ok: true,
+    catalogPackageRoots: {
+      [packageName]: packageRoot
+    },
+    catalogResolverBasePaths: [cwd]
+  };
+}
+function failure(message, exitCode = 1) {
+  return {
+    ok: false,
+    exitCode,
+    message
+  };
+}
+function shouldOfferInteractiveInstall(runtime, format) {
+  if (format !== "pretty") {
+    return false;
+  }
+  if (!runtime.isInteractive) {
+    return false;
+  }
+  if (process.env["CI"]?.trim()) {
+    return false;
+  }
+  return true;
+}
+async function installCatalogPackage(runtime, packageName, scope) {
+  const packageManager = detectPackageManager(runtime.cwd);
+  const command = buildCatalogInstallCommand(
+    packageManager,
+    packageName,
+    scope
+  );
+  if (runtime.runPackageInstall) {
+    return runtime.runPackageInstall({
+      cwd: scope === "local" ? runtime.cwd : void 0,
+      command
+    });
+  }
+  return runPackageInstall({
+    cwd: scope === "local" ? runtime.cwd : void 0,
+    command,
+    writeStdout: runtime.writeStdout,
+    writeStderr: runtime.writeStderr
+  });
+}
+async function promptForInstallChoice(runtime, packageName, cliScope) {
+  if (runtime.promptChoice) {
+    if (cliScope === "local") {
+      return runtime.promptChoice({
+        title: `The rules catalog \`${packageName}\` is not installed in this repository.`,
+        options: [
+          { id: "local", label: "Install in this repository" },
+          { id: "cancel", label: "Cancel the scan" }
+        ],
+        defaultOptionId: "local"
+      });
+    }
+    const options2 = [
+      ...canInstallCatalogLocally(runtime.cwd) ? [{ id: "local", label: "Install in this repository" }] : [],
+      { id: "global", label: "Install globally" },
+      { id: "cancel", label: "Cancel the scan" }
+    ];
+    return runtime.promptChoice({
+      title: `The rules catalog \`${packageName}\` is not installed.`,
+      options: [...options2],
+      defaultOptionId: canInstallCatalogLocally(runtime.cwd) ? "local" : "global"
+    });
+  }
+  if (cliScope === "local") {
+    const choice2 = await promptChoice({
+      title: `The rules catalog \`${packageName}\` is not installed in this repository.`,
+      options: [
+        { id: "local", label: "Install in this repository" },
+        { id: "cancel", label: "Cancel the scan" }
+      ],
+      defaultOptionId: "local"
+    });
+    return choice2;
+  }
+  const options = [
+    ...canInstallCatalogLocally(runtime.cwd) ? [{ id: "local", label: "Install in this repository" }] : [],
+    { id: "global", label: "Install globally" },
+    { id: "cancel", label: "Cancel the scan" }
+  ];
+  const choice = await promptChoice({
+    title: `The rules catalog \`${packageName}\` is not installed.`,
+    options,
+    defaultOptionId: canInstallCatalogLocally(runtime.cwd) ? "local" : "global"
+  });
+  return choice;
+}
+async function handleMissingCatalogPackage(runtime, packageName, cliScope, includeInstallSuggestions, format) {
+  if (!shouldOfferInteractiveInstall(runtime, format)) {
+    return failure(
+      formatCatalogPackageNotFoundMessage({
+        cwd: runtime.cwd,
+        packageName,
+        cliScope,
+        includeInstallSuggestions
+      })
+    );
+  }
+  const choice = await promptForInstallChoice(runtime, packageName, cliScope);
+  if (choice === null || choice === "cancel") {
+    return failure(formatInstallCancelledMessage(packageName));
+  }
+  if (choice === "local" && !canInstallCatalogLocally(runtime.cwd)) {
+    runtime.writeStderr(formatLocalInstallUnavailableMessage());
+    return failure(formatInstallCancelledMessage(packageName));
+  }
+  const packageManager = detectPackageManager(runtime.cwd);
+  const command = buildCatalogInstallCommand(
+    packageManager,
+    packageName,
+    choice
+  );
+  runtime.writeStdout(`About to run: ${command.display}`);
+  const installed = await installCatalogPackage(runtime, packageName, choice);
+  if (!installed) {
+    return failure(formatInstallFailureMessage(command));
+  }
+  runtime.writeStdout(formatInstallSuccessMessage(command));
+  const packageRoot = choice === "local" ? probeCatalogPackageInRepo(runtime.cwd, packageName) : probeCatalogPackageGlobally(runtime.cwd, packageName);
+  if (!packageRoot) {
+    return failure(
+      formatCatalogPackageNotFoundMessage({
+        cwd: runtime.cwd,
+        packageName,
+        cliScope,
+        includeInstallSuggestions
+      })
+    );
+  }
+  return buildCatalogRuntimeOptions(packageName, packageRoot, runtime.cwd);
+}
+function probeCatalogFromEnvironment() {
+  const rulesRoot = process.env["CRITIQ_RULES_ROOT"]?.trim();
+  if (!rulesRoot) {
+    return null;
+  }
+  const candidateRoots = [
+    (0, import_node_path18.resolve)(rulesRoot),
+    (0, import_node_path18.resolve)(rulesRoot, "libs/rules/catalog")
+  ];
+  for (const candidateRoot of candidateRoots) {
+    if ((0, import_node_fs16.existsSync)((0, import_node_path18.resolve)(candidateRoot, "catalog.yaml"))) {
+      return candidateRoot;
+    }
+  }
+  return null;
+}
+async function ensureCatalogPackageForCheck(runtime, format) {
+  const packageName = resolveCatalogPackageNameForEnsure(runtime.cwd);
+  if (!packageName) {
+    return { ok: true };
+  }
+  const environmentCatalogRoot = probeCatalogFromEnvironment();
+  if (environmentCatalogRoot) {
+    return buildCatalogRuntimeOptions(
+      packageName,
+      environmentCatalogRoot,
+      runtime.cwd
+    );
+  }
+  const cliScope = runtime.cliInstallScope ?? detectCliInstallScope(runtime.cwd);
+  const includeGlobalLookup = cliScope !== "local";
+  const resolved = probeCatalogPackageResolution(runtime.cwd, packageName, {
+    includeGlobal: includeGlobalLookup
+  });
+  if (resolved) {
+    return buildCatalogRuntimeOptions(
+      resolved.packageName,
+      resolved.packageRoot,
+      runtime.cwd
+    );
+  }
+  const includeInstallSuggestions = isDefaultInstallableCatalogPackage(
+    packageName
+  );
+  if (!includeInstallSuggestions || !shouldOfferInteractiveInstall(runtime, format)) {
+    return failure(
+      formatCatalogPackageNotFoundMessage({
+        cwd: runtime.cwd,
+        packageName,
+        cliScope,
+        includeInstallSuggestions
+      })
+    );
+  }
+  return handleMissingCatalogPackage(
+    runtime,
+    packageName,
+    cliScope,
+    includeInstallSuggestions,
+    format
+  );
+}
+
 // apps/cli/src/commands/check.command.ts
-function handleCheck(target, format, runtime, baseRef, headRef, staged = false) {
+async function handleCheck(target, format, runtime, baseRef, headRef, staged = false) {
+  const catalogEnsure = await ensureCatalogPackageForCheck(runtime, format);
+  if (catalogEnsure.ok === false) {
+    runtime.writeStderr(catalogEnsure.message);
+    return catalogEnsure.exitCode;
+  }
   const progressRenderer = format === "pretty" ? createScanProgressRenderer(runtime) : null;
   const runnerFormat = format === "pretty" ? "pretty" : "json";
   const result = runCheckCommand({
@@ -30813,7 +33406,10 @@ function handleCheck(target, format, runtime, baseRef, headRef, staged = false)
     format: runnerFormat,
     baseRef,
     headRef,
-    catalogResolverBasePaths: [runtime.cwd],
+    catalogResolverBasePaths: catalogEnsure.catalogResolverBasePaths ?? [
+      runtime.cwd
+    ],
+    catalogPackageRoots: catalogEnsure.catalogPackageRoots,
     onProgress: progressRenderer ? (update) => {
       progressRenderer.update(update);
     } : void 0
@@ -30855,8 +33451,8 @@ function handleCheck(target, format, runtime, baseRef, headRef, staged = false)
 }
 
 // tools/testing/harness/src/lib/harness.ts
-var import_node_fs11 = require("node:fs");
-var import_node_path12 = require("node:path");
+var import_node_fs17 = require("node:fs");
+var import_node_path19 = require("node:path");
 var import_node_url4 = require("node:url");
 var import_zod8 = require("zod");
 var observedRangeSchema = import_zod8.z.object({
@@ -30967,7 +33563,7 @@ var ruleSpecSchema = import_zod8.z.object({
   fixtures: import_zod8.z.array(ruleSpecFixtureSchema).min(1)
 }).strict();
 function readTextFile(path) {
-  return (0, import_node_fs11.readFileSync)(path, "utf8");
+  return (0, import_node_fs17.readFileSync)(path, "utf8");
 }
 function toPointer(path) {
   return path.length === 0 ? "/" : `/${path.join("/")}`;
@@ -31012,7 +33608,7 @@ function validateObservationFixture(fixturePath, text) {
   return validated.data;
 }
 function analyzeSourceFixture(fixturePath, text, adapterRegistry) {
-  const extension = (0, import_node_path12.extname)(fixturePath).toLowerCase();
+  const extension = (0, import_node_path19.extname)(fixturePath).toLowerCase();
   const adapter = adapterRegistry.findAdapterForPath(fixturePath);
   if (!adapter) {
     return [
@@ -31056,8 +33652,8 @@ function analyzeWorkspaceFixture(workspaceRoot, adapterRegistry) {
     }
     const result = entry.adapter.analyze(entry.displayPath, textOrFailure);
     if (!result.success) {
-      const failure = result;
-      diagnostics.push(...failure.diagnostics);
+      const failure2 = result;
+      diagnostics.push(...failure2.diagnostics);
       continue;
     }
     analyzedFiles.push(result.data);
@@ -31181,20 +33777,20 @@ function assertFixtureExpectations(fixture, emittedFindings) {
   }
   return failures;
 }
-function formatAssertionFailure(failure) {
-  const lines = [`- ${failure.assertion}: ${failure.message}`];
-  if (failure.expected !== void 0) {
-    lines.push(`  expected: ${JSON.stringify(failure.expected)}`);
+function formatAssertionFailure(failure2) {
+  const lines = [`- ${failure2.assertion}: ${failure2.message}`];
+  if (failure2.expected !== void 0) {
+    lines.push(`  expected: ${JSON.stringify(failure2.expected)}`);
   }
-  if (failure.received !== void 0) {
-    lines.push(`  received: ${JSON.stringify(failure.received)}`);
+  if (failure2.received !== void 0) {
+    lines.push(`  received: ${JSON.stringify(failure2.received)}`);
   }
   return lines.join("\n");
 }
 function analyzeFixture(specDirectory, fixture, adapterRegistry) {
   const sourceKind = fixture.sourcePath ? "source" : fixture.observationPath ? "observation" : "workspace";
   const declaredPath = fixture.sourcePath ?? fixture.observationPath ?? fixture.workspacePath ?? "";
-  const fixturePath = (0, import_node_path12.resolve)(specDirectory, declaredPath);
+  const fixturePath = (0, import_node_path19.resolve)(specDirectory, declaredPath);
   if (sourceKind === "workspace") {
     const workspaceAnalysis = analyzeWorkspaceFixture(fixturePath, adapterRegistry);
     return {
@@ -31226,8 +33822,8 @@ function analyzeFixture(specDirectory, fixture, adapterRegistry) {
     }
   };
 }
-function validateRuleSpec(input) {
-  const result = ruleSpecSchema.safeParse(input);
+function validateRuleSpec(input2) {
+  const result = ruleSpecSchema.safeParse(input2);
   if (result.success) {
     return {
       success: true,
@@ -31245,10 +33841,10 @@ function loadRuleSpec(path) {
     const uri = (0, import_node_url4.pathToFileURL)(path).href;
     const loaded = loadYamlText(text, uri);
     if (!loaded.success) {
-      const failure = loaded;
+      const failure2 = loaded;
       return {
         success: false,
-        diagnostics: failure.issues.map(
+        diagnostics: failure2.issues.map(
           (issue) => createDiagnostic({
             code: `harness.rulespec.${issue.kind}`,
             message: issue.message,
@@ -31260,10 +33856,10 @@ function loadRuleSpec(path) {
     }
     const validation = validateRuleSpec(loaded.data);
     if (!validation.success) {
-      const failure = validation;
+      const failure2 = validation;
       return {
         success: false,
-        diagnostics: failure.issues.map(
+        diagnostics: failure2.issues.map(
           (issue) => createDiagnostic({
             code: `harness.rulespec.${issue.code}`,
             message: issue.message,
@@ -31297,26 +33893,26 @@ function runRuleSpec(path, options = {}) {
   const adapterRegistry = options.adapterRegistry ?? createDefaultSourceAdapterRegistry();
   const loadedSpec = loadRuleSpec(path);
   if (!loadedSpec.success) {
-    const failure = loadedSpec;
+    const failure2 = loadedSpec;
     return {
       specPath: path,
       rulePath: "",
       success: false,
       fixtureResults: [],
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
-  const specDirectory = (0, import_node_path12.dirname)(loadedSpec.data.path);
-  const absoluteRulePath = (0, import_node_path12.resolve)(specDirectory, loadedSpec.data.spec.rulePath);
+  const specDirectory = (0, import_node_path19.dirname)(loadedSpec.data.path);
+  const absoluteRulePath = (0, import_node_path19.resolve)(specDirectory, loadedSpec.data.spec.rulePath);
   const loadedRule = loadRuleFile(absoluteRulePath);
   if (!loadedRule.success) {
-    const failure = loadedRule;
+    const failure2 = loadedRule;
     return {
       specPath: loadedSpec.data.path,
       rulePath: absoluteRulePath,
       success: false,
       fixtureResults: [],
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   const validatedRule = validateLoadedRuleDocument(loadedRule.data);
@@ -31443,7 +34039,7 @@ function formatRuleSpecRunAsJson(result) {
 }
 
 // apps/cli/src/commands/rules.command.ts
-var import_node_path14 = require("node:path");
+var import_node_path21 = require("node:path");
 var import_node_url5 = require("node:url");
 
 // apps/cli/src/rendering/rules.rendering.ts
@@ -31592,13 +34188,13 @@ function renderSingleFilePretty(heading, state) {
 
 // apps/cli/src/commands/rules-targets.ts
 var import_minimatch3 = require("minimatch");
-var import_node_fs12 = require("node:fs");
-var import_node_path13 = require("node:path");
+var import_node_fs18 = require("node:fs");
+var import_node_path20 = require("node:path");
 function resolveValidateTargets(cwd, target) {
-  const absoluteCandidate = (0, import_node_path13.resolve)(cwd, target);
+  const absoluteCandidate = (0, import_node_path20.resolve)(cwd, target);
   if (!hasGlobMagic(target)) {
     try {
-      if (!(0, import_node_fs12.statSync)(absoluteCandidate).isFile()) {
+      if (!(0, import_node_fs18.statSync)(absoluteCandidate).isFile()) {
         return {
           success: false,
           diagnostics: [
@@ -31667,11 +34263,11 @@ function resolveTestTargets(cwd, target) {
   const resolvedTarget = target ?? "**/*.spec.yaml";
   const resolved = resolveValidateTargets(cwd, resolvedTarget);
   if (!resolved.success) {
-    const failure = resolved;
+    const failure2 = resolved;
     return {
       success: false,
       target: resolvedTarget,
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   return {
@@ -31693,7 +34289,7 @@ function resolveSingleFilePath(cwd, inputPath) {
   }
   return {
     success: true,
-    absolutePath: (0, import_node_path13.resolve)(cwd, inputPath)
+    absolutePath: (0, import_node_path20.resolve)(cwd, inputPath)
   };
 }
 
@@ -31724,12 +34320,12 @@ function validateResultForFileSafe(absolutePath, cwd) {
   const uri = (0, import_node_url5.pathToFileURL)(absolutePath).href;
   const loaded = loadRuleFile(absolutePath);
   if (!loaded.success) {
-    const failure = loaded;
+    const failure2 = loaded;
     return {
       path: displayPath,
       uri,
       success: false,
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   const validated = validateLoadedRuleDocument(loaded.data);
@@ -31756,19 +34352,19 @@ function buildSingleFileState(absolutePath, cwd) {
   const loadResult = loadRuleFile(absolutePath);
   parsedSummary.phases.load = loadResult.success ? "success" : "failure";
   if (!loadResult.success) {
-    const failure = loadResult;
+    const failure2 = loadResult;
     return {
       displayPath,
       uri,
       parsedSummary,
       semanticStatus: {
         success: false,
-        diagnostics: failure.diagnostics
+        diagnostics: failure2.diagnostics
       },
       normalizedRule: null,
       ruleHash: null,
       templateVariables,
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   const contractValidation = validateLoadedRuleDocumentContract(
@@ -31776,19 +34372,19 @@ function buildSingleFileState(absolutePath, cwd) {
   );
   parsedSummary.phases.contractValidation = contractValidation.success ? "success" : "failure";
   if (!contractValidation.success) {
-    const failure = contractValidation;
+    const failure2 = contractValidation;
     return {
       displayPath,
       uri,
       parsedSummary,
       semanticStatus: {
         success: false,
-        diagnostics: failure.diagnostics
+        diagnostics: failure2.diagnostics
       },
       normalizedRule: null,
       ruleHash: null,
       templateVariables,
-      diagnostics: failure.diagnostics
+      diagnostics: failure2.diagnostics
     };
   }
   const explainSummary = summarizeValidatedRuleDocument(
@@ -31838,7 +34434,7 @@ function buildSingleFileState(absolutePath, cwd) {
   };
 }
 function createInvalidSingleFileState(cwd, inputPath, diagnostics) {
-  const uri = (0, import_node_url5.pathToFileURL)((0, import_node_path14.resolve)(cwd, inputPath)).href;
+  const uri = (0, import_node_url5.pathToFileURL)((0, import_node_path21.resolve)(cwd, inputPath)).href;
   return {
     displayPath: inputPath,
     uri,
@@ -31856,15 +34452,15 @@ function createInvalidSingleFileState(cwd, inputPath, diagnostics) {
 function handleValidate(target, format, runtime) {
   const resolved = resolveValidateTargets(runtime.cwd, target);
   if (!resolved.success) {
-    const failure = resolved;
-    const exitCode2 = determineExitCode(failure.diagnostics);
+    const failure2 = resolved;
+    const exitCode2 = determineExitCode(failure2.diagnostics);
     const envelope2 = {
       command: "rules.validate",
       format,
       target,
       matchedFileCount: 0,
       results: [],
-      diagnostics: aggregateDiagnostics(failure.diagnostics),
+      diagnostics: aggregateDiagnostics(failure2.diagnostics),
       exitCode: exitCode2 === 0 ? 1 : exitCode2
     };
     if (format === "json") {
@@ -31900,15 +34496,15 @@ function handleValidate(target, format, runtime) {
 function handleTest(target, format, runtime) {
   const resolved = resolveTestTargets(runtime.cwd, target);
   if (!resolved.success) {
-    const failure = resolved;
-    const exitCode2 = determineExitCode(failure.diagnostics) || 1;
+    const failure2 = resolved;
+    const exitCode2 = determineExitCode(failure2.diagnostics) || 1;
     const envelope2 = {
       command: "rules.test",
       format,
-      target: failure.target,
+      target: failure2.target,
       matchedFileCount: 0,
       results: [],
-      diagnostics: aggregateDiagnostics(failure.diagnostics),
+      diagnostics: aggregateDiagnostics(failure2.diagnostics),
       exitCode: exitCode2
     };
     if (format === "json") {
@@ -31957,8 +34553,8 @@ function handleTest(target, format, runtime) {
 function handleNormalizeOrExplain(command, inputPath, format, runtime) {
   const resolved = resolveSingleFilePath(runtime.cwd, inputPath);
   if (!resolved.success) {
-    const failure = resolved;
-    const diagnostics = aggregateDiagnostics(failure.diagnostics);
+    const failure2 = resolved;
+    const diagnostics = aggregateDiagnostics(failure2.diagnostics);
     const exitCode2 = determineExitCode(diagnostics) || 1;
     const baseState = createInvalidSingleFileState(
       runtime.cwd,
@@ -32197,7 +34793,7 @@ function isLegacyRulesArgument(value) {
 function isPrettyOrJson(format) {
   return format === "pretty" || format === "json";
 }
-function runCli(args = process.argv.slice(2), runtime = {}) {
+async function runCli(args = process.argv.slice(2), runtime = {}) {
   const resolvedRuntime = resolveRuntime(runtime);
   if (args.length === 0 || args[0] === "help" || args[0] === "--help") {
     resolvedRuntime.writeStdout(renderHelpMessage());
@@ -32225,7 +34821,7 @@ function runCli(args = process.argv.slice(2), runtime = {}) {
       );
       return 1;
     }
-    return handleCheck(
+    return await handleCheck(
       parsed2.positionals[0],
       parsed2.format,
       resolvedRuntime,
@@ -32380,10 +34976,12 @@ function isCliEntrypoint() {
   if (!mainFilename) {
     return false;
   }
-  return mainFilename === (0, import_node_path15.resolve)(__dirname, "..", "..", "..", "main.js");
+  return mainFilename === (0, import_node_path22.resolve)(__dirname, "..", "..", "..", "main.js");
 }
 if (isCliEntrypoint()) {
-  process.exitCode = runCli();
+  void runCli().then((exitCode) => {
+    process.exitCode = exitCode;
+  });
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {