@nerviq/cli 1.3.1 → 1.4.0

package/src/techniques.js

@@ -4114,6 +4114,1278 @@ const TECHNIQUES = {
     confidence: 0.7,
   },
 
+  // ── MC11: WebSocket / Real-time ──────────────────────────────────────
+
+  websocketLib: {
+    id: 130201,
+    name: 'WebSocket library configured',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      const goDeps = ctx.fileContent('go.mod') || '';
+      return /socket\.io|"ws"|sockjs|@nestjs\/websockets|phoenix|channels/i.test(deps) ||
+             /websockets|channels|tornado/i.test(pyDeps) ||
+             /gorilla\/websocket|nhooyr\.io\/websocket/i.test(goDeps) || null;
+    },
+    impact: 'low',
+    category: 'realtime',
+    fix: 'Add a WebSocket library for real-time communication if your app needs live updates.',
+    confidence: 0.7,
+  },
+
+  sseEndpoint: {
+    id: 130202,
+    name: 'Server-Sent Events patterns detected',
+    check: (ctx) => {
+      const codeFiles = findProjectFiles(ctx, /\.(js|ts|jsx|tsx|py|go|rb)$/i);
+      if (codeFiles.length === 0) return null;
+      return codeFiles.some(f => {
+        const content = ctx.fileContent(f) || '';
+        return /EventSource|text\/event-stream|SSE/i.test(content);
+      }) || null;
+    },
+    impact: 'low',
+    category: 'realtime',
+    fix: 'Consider Server-Sent Events (SSE) for server-to-client streaming when full duplex is not needed.',
+    confidence: 0.7,
+  },
+
+  realtimeDatabase: {
+    id: 130203,
+    name: 'Real-time database configured',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      return /firebase-admin|supabase|convex|pusher/i.test(deps) ||
+             /firebase-admin|supabase|pusher/i.test(pyDeps) || null;
+    },
+    impact: 'low',
+    category: 'realtime',
+    fix: 'Add a real-time database (Firebase, Supabase, Convex) for live data synchronization.',
+    confidence: 0.7,
+  },
+
+  pubsubPattern: {
+    id: 130204,
+    name: 'Pub/sub messaging configured',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      const goDeps = ctx.fileContent('go.mod') || '';
+      return /ioredis|redis|nats|kafkajs|amqplib|bullmq/i.test(deps) ||
+             /redis|nats-py|kafka-python|pika|celery/i.test(pyDeps) ||
+             /go-redis|nats\.go|sarama|amqp091-go/i.test(goDeps) || null;
+    },
+    impact: 'low',
+    category: 'realtime',
+    fix: 'Add a pub/sub messaging system (Redis, NATS, Kafka, RabbitMQ) for decoupled real-time communication.',
+    confidence: 0.7,
+  },
+
+  realtimeAuth: {
+    id: 130205,
+    name: 'WebSocket authentication patterns present',
+    check: (ctx) => {
+      const codeFiles = findProjectFiles(ctx, /\.(js|ts|jsx|tsx|py|go)$/i);
+      if (codeFiles.length === 0) return null;
+      return codeFiles.some(f => {
+        const content = ctx.fileContent(f) || '';
+        return /ws.*auth|socket.*token|connection.*auth|handleConnection.*jwt|on.*connect.*verify/i.test(content);
+      }) || null;
+    },
+    impact: 'low',
+    category: 'realtime',
+    fix: 'Add authentication to WebSocket connections — validate tokens on connect to prevent unauthorized access.',
+    confidence: 0.7,
+  },
+
+  // ── MC12: GraphQL ────────────────────────────────────────────────────
+
+  graphqlSchema: {
+    id: 130206,
+    name: 'GraphQL schema defined',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      if (!/graphql|apollo|@nestjs\/graphql|type-graphql/i.test(deps) &&
+          !/graphene|ariadne|strawberry/i.test(pyDeps) &&
+          !hasProjectFile(ctx, /\.graphql$/i)) return null;
+      const schemaFiles = findProjectFiles(ctx, /\.(graphql|gql)$/i);
+      if (schemaFiles.length > 0) return true;
+      const codeFiles = findProjectFiles(ctx, /\.(js|ts|py)$/i);
+      return codeFiles.some(f => {
+        const content = ctx.fileContent(f) || '';
+        return /buildSchema|makeExecutableSchema|typeDefs|@ObjectType|type Query/i.test(content);
+      }) || false;
+    },
+    impact: 'low',
+    category: 'graphql',
+    fix: 'Define a GraphQL schema using .graphql files or schema-first/code-first approach.',
+    confidence: 0.7,
+  },
+
+  graphqlResolvers: {
+    id: 130207,
+    name: 'GraphQL resolvers implemented',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      if (!/graphql|apollo|@nestjs\/graphql|type-graphql/i.test(deps) &&
+          !/graphene|ariadne|strawberry/i.test(pyDeps) &&
+          !hasProjectFile(ctx, /\.graphql$/i)) return null;
+      const codeFiles = findProjectFiles(ctx, /\.(js|ts|py)$/i);
+      return codeFiles.some(f => {
+        const content = ctx.fileContent(f) || '';
+        return /@Resolver|@Query|@Mutation|resolvers|resolve_/i.test(content) ||
+               /resolver/i.test(f);
+      }) || false;
+    },
+    impact: 'low',
+    category: 'graphql',
+    fix: 'Implement GraphQL resolvers to handle queries, mutations, and field resolution.',
+    confidence: 0.7,
+  },
+
+  graphqlCodegen: {
+    id: 130208,
+    name: 'GraphQL code generation configured',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      if (!/graphql|apollo|@nestjs\/graphql|type-graphql/i.test(deps) &&
+          !/graphene|ariadne|strawberry/i.test(pyDeps) &&
+          !hasProjectFile(ctx, /\.graphql$/i)) return null;
+      return /@graphql-codegen|graphql-let|graphql-code-generator/i.test(deps) || false;
+    },
+    impact: 'low',
+    category: 'graphql',
+    fix: 'Add @graphql-codegen for type-safe GraphQL operations and automatic TypeScript type generation.',
+    confidence: 0.7,
+  },
+
+  graphqlNPlusOne: {
+    id: 130209,
+    name: 'GraphQL N+1 prevention (DataLoader)',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      if (!/graphql|apollo|@nestjs\/graphql|type-graphql/i.test(deps) &&
+          !/graphene|ariadne|strawberry/i.test(pyDeps) &&
+          !hasProjectFile(ctx, /\.graphql$/i)) return null;
+      const codeFiles = findProjectFiles(ctx, /\.(js|ts|py)$/i);
+      return /dataloader/i.test(deps) ||
+             /aiodataloader|promise/i.test(pyDeps) ||
+             codeFiles.some(f => /dataloader|batch.*load|DataLoader/i.test(ctx.fileContent(f) || '')) || false;
+    },
+    impact: 'low',
+    category: 'graphql',
+    fix: 'Use DataLoader or batch loading patterns to prevent N+1 query problems in GraphQL resolvers.',
+    confidence: 0.7,
+  },
+
+  graphqlSubscriptions: {
+    id: 130210,
+    name: 'GraphQL subscriptions configured',
+    check: (ctx) => {
+      const deps = ctx.fileContent('package.json') || '';
+      const pyDeps = ctx.fileContent('requirements.txt') || '';
+      if (!/graphql|apollo|@nestjs\/graphql|type-graphql/i.test(deps) &&
+          !/graphene|ariadne|strawberry/i.test(pyDeps) &&
+          !hasProjectFile(ctx, /\.graphql$/i)) return null;
+      return /subscriptions-transport-ws|graphql-ws/i.test(deps) ||
+             findProjectFiles(ctx, /\.(js|ts|py)$/i).some(f => {
+               const content = ctx.fileContent(f) || '';
+               return /@Subscription|PubSub|subscription\s+\w+/i.test(content);
+             }) || false;
+    },
+    impact: 'low',
+    category: 'graphql',
+    fix: 'Configure GraphQL subscriptions with graphql-ws for real-time data pushed to clients.',
+    confidence: 0.7,
+  },
+
+  // ============================================================
+  // === MC1: OBSERVABILITY (category: 'observability') =========
+  // ============================================================
+
+  otelConfigured: {
+    id: 130001,
+    name: 'OpenTelemetry SDK configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      return /opentelemetry|@opentelemetry\/sdk|otel/i.test(deps) ||
+        ctx.files.some(f => /otel.*config|opentelemetry.*config/i.test(f));
+    },
+    impact: 'high',
+    category: 'observability',
+    fix: 'Add OpenTelemetry SDK to your project for unified traces, metrics, and logs collection.',
+  },
+
+  prometheusMetrics: {
+    id: 130002,
+    name: 'Prometheus metrics configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      if (/prom-client|prometheus_client|prometheus\/client_golang|prometheus/i.test(deps)) return true;
+      const code = readProjectFiles(ctx, /\.(js|ts|py|go|rs|java)$/i);
+      return /\/metrics\b/.test(code);
+    },
+    impact: 'high',
+    category: 'observability',
+    fix: 'Add a Prometheus client library and expose a /metrics endpoint for monitoring.',
+  },
+
+  structuredLogging: {
+    id: 130003,
+    name: 'Structured logging library',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      return /winston|pino|bunyan|structlog|python-json-logger|slog|log\/slog|tracing|tracing-subscriber|logback|log4j/i.test(deps);
+    },
+    impact: 'high',
+    category: 'observability',
+    fix: 'Use a structured logging library (winston, pino, structlog, slog, tracing) for machine-readable logs.',
+  },
+
+  distributedTracing: {
+    id: 130004,
+    name: 'Distributed tracing configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      if (/jaeger|zipkin|opentelemetry-api|@opentelemetry\/api|dd-trace|datadog-apm/i.test(deps)) return true;
+      return ctx.files.some(f => /jaeger|zipkin|tracing.*config/i.test(f));
+    },
+    impact: 'high',
+    category: 'observability',
+    fix: 'Add a distributed tracing library (Jaeger, Zipkin, OpenTelemetry) for cross-service request tracking.',
+  },
+
+  healthEndpoint: {
+    id: 130005,
+    name: 'Health check endpoint',
+    check: (ctx) => {
+      const code = readProjectFiles(ctx, /\.(js|ts|py|go|rs|java|rb)$/i);
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml)$/i);
+      return /['"\/]health[z]?['"]\s*[,):]|\/health[z]?\b|healthCheck|health_check|livenessProbe|readinessProbe/i.test(code + configs);
+    },
+    impact: 'high',
+    category: 'observability',
+    fix: 'Add a /health or /healthz endpoint for load balancer and orchestrator health checks.',
+  },
+
+  alertingConfigured: {
+    id: 130006,
+    name: 'Alerting system configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const deps = [pkg, readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i)].join('\n');
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml)$/i);
+      return /alertmanager|pagerduty|opsgenie|victorops|alert.*rule/i.test(deps + configs) ||
+        ctx.files.some(f => /alert.*rule|alertmanager/i.test(f));
+    },
+    impact: 'medium',
+    category: 'observability',
+    fix: 'Configure alerting (Alertmanager, PagerDuty, OpsGenie) to get notified of production issues.',
+  },
+
+  dashboardDefined: {
+    id: 130007,
+    name: 'Monitoring dashboard defined',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      return ctx.files.some(f => /grafana\/.*\.json|\.dashboard\.json/i.test(f)) ||
+        /grafana|@grafana/i.test(pkg) ||
+        hasProjectFile(ctx, /grafana/i);
+    },
+    impact: 'medium',
+    category: 'observability',
+    fix: 'Add Grafana dashboard JSON files or configure dashboard-as-code for production monitoring.',
+  },
+
+  logAggregation: {
+    id: 130008,
+    name: 'Log aggregation configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml)$/i);
+      const all = [pkg, req, configs].join('\n');
+      return /elasticsearch|elastic\.co|logstash|kibana|loki|grafana-loki|cloudwatch.*log|datadog|fluentd|fluent-bit|filebeat/i.test(all);
+    },
+    impact: 'medium',
+    category: 'observability',
+    fix: 'Configure log aggregation (ELK, Loki, CloudWatch, Datadog) for centralized log analysis.',
+  },
+
+  // ============================================================
+  // === MC2: ACCESSIBILITY (category: 'accessibility') =========
+  // ============================================================
+
+  a11yTestingTool: {
+    id: 130011,
+    name: 'Accessibility testing tool',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const pkg = ctx.fileContent('package.json') || '';
+      return /axe-core|pa11y|@testing-library\/jest-dom|jest-axe|cypress-axe|@axe-core/i.test(pkg);
+    },
+    impact: 'high',
+    category: 'accessibility',
+    fix: 'Add an accessibility testing tool (axe-core, pa11y, jest-axe) to catch a11y regressions.',
+  },
+
+  ariaLabels: {
+    id: 130012,
+    name: 'ARIA labels in components',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const components = readProjectFiles(ctx, /\.(jsx|tsx|vue|svelte|html)$/i);
+      if (!components) return null;
+      return /aria-label|aria-labelledby|aria-describedby/i.test(components);
+    },
+    impact: 'high',
+    category: 'accessibility',
+    fix: 'Add aria-label or aria-labelledby attributes to interactive components for screen readers.',
+  },
+
+  wcagMentioned: {
+    id: 130013,
+    name: 'WCAG or accessibility in docs',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const docs = readProjectFiles(ctx, /\.(md|txt|rst)$/i);
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml)$/i);
+      return /wcag|accessibility|a11y/i.test(docs + configs);
+    },
+    impact: 'medium',
+    category: 'accessibility',
+    fix: 'Document WCAG compliance level and accessibility standards in your project docs.',
+  },
+
+  semanticHtml: {
+    id: 130014,
+    name: 'Semantic HTML elements used',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const templates = readProjectFiles(ctx, /\.(jsx|tsx|vue|svelte|html)$/i);
+      if (!templates) return null;
+      return /<(nav|main|article|section|aside|header|footer)\b/i.test(templates);
+    },
+    impact: 'medium',
+    category: 'accessibility',
+    fix: 'Use semantic HTML elements (nav, main, article, section, aside) instead of generic div elements.',
+  },
+
+  colorContrastTool: {
+    id: 130015,
+    name: 'Color contrast checking configured',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const pkg = ctx.fileContent('package.json') || '';
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml|js|ts)$/i);
+      return /axe-core|lighthouse|contrast-checker|color-contrast|a11y.*color/i.test(pkg + configs);
+    },
+    impact: 'medium',
+    category: 'accessibility',
+    fix: 'Configure a color contrast checking tool (axe, Lighthouse CI, contrast-checker) for WCAG AA compliance.',
+  },
+
+  keyboardNavigation: {
+    id: 130016,
+    name: 'Keyboard navigation patterns',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const components = readProjectFiles(ctx, /\.(jsx|tsx|vue|svelte|html)$/i);
+      if (!components) return null;
+      return /tabindex|onKeyDown|onKeyUp|onKeyPress|@keydown|@keyup|v-on:keydown|focus-trap|useFocusTrap|FocusTrap/i.test(components);
+    },
+    impact: 'medium',
+    category: 'accessibility',
+    fix: 'Implement keyboard navigation with tabindex, key handlers, and focus management for accessible UIs.',
+  },
+
+  // ============================================================
+  // === MC4: DATA PRIVACY / GDPR (category: 'privacy') ========
+  // ============================================================
+
+  privacyPolicy: {
+    id: 130021,
+    name: 'Privacy policy document exists',
+    check: (ctx) => {
+      return ctx.files.some(f => /privacy/i.test(f) && /\.(md|txt|html|rst)$/i.test(f)) ||
+        hasProjectFile(ctx, /privacy[_-]?policy/i);
+    },
+    impact: 'high',
+    category: 'privacy',
+    fix: 'Create a PRIVACY.md or privacy-policy document describing data handling practices.',
+  },
+
+  consentManagement: {
+    id: 130022,
+    name: 'Consent management configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const code = readProjectFiles(ctx, /\.(js|ts|jsx|tsx|html)$/i);
+      return /cookie-consent|cookieconsent|onetrust|cookiebot|consent-manager|cookie.*banner/i.test(pkg + code);
+    },
+    impact: 'high',
+    category: 'privacy',
+    fix: 'Add a consent management solution (CookieConsent, OneTrust, Cookiebot) for GDPR cookie compliance.',
+  },
+
+  dataRetentionPolicy: {
+    id: 130023,
+    name: 'Data retention policy documented',
+    check: (ctx) => {
+      const docs = readProjectFiles(ctx, /\.(md|txt|rst|ya?ml|json)$/i);
+      return /data.retention|retention.polic|ttl.*expir|expir.*polic/i.test(docs);
+    },
+    impact: 'medium',
+    category: 'privacy',
+    fix: 'Document your data retention policy specifying how long user data is stored and when it is deleted.',
+  },
+
+  piiHandling: {
+    id: 130024,
+    name: 'PII handling patterns in code',
+    check: (ctx) => {
+      const code = readProjectFiles(ctx, /\.(js|ts|py|go|rs|java|rb)$/i);
+      return /\bredact|anonymize|pseudonymize|mask.*(email|phone|ssn|pii)|pii.*mask|sanitize.*(user|personal)/i.test(code);
+    },
+    impact: 'high',
+    category: 'privacy',
+    fix: 'Implement PII handling patterns (redact, anonymize, mask) to protect personal data in logs and storage.',
+  },
+
+  gdprCompliance: {
+    id: 130025,
+    name: 'GDPR/CCPA compliance mentioned',
+    check: (ctx) => {
+      const docs = readProjectFiles(ctx, /\.(md|txt|rst)$/i);
+      const configs = readProjectFiles(ctx, /\.(ya?ml|json|toml)$/i);
+      return /\bgdpr\b|\bccpa\b|data.protection|right.to.erasure|data.subject|dpa\b/i.test(docs + configs);
+    },
+    impact: 'high',
+    category: 'privacy',
+    fix: 'Document GDPR/CCPA compliance measures and data protection practices in your project.',
+  },
+
+  dataEncryption: {
+    id: 130026,
+    name: 'Data encryption in deps or config',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      return /bcrypt|argon2|scrypt|crypto|node:crypto|cryptography|ring\b|rustls|tls.*config|ssl.*config|encryption.at.rest/i.test(deps) ||
+        /encrypt|bcrypt|argon2/i.test(readProjectFiles(ctx, /\.(js|ts|py|go|rs|java)$/i));
+    },
+    impact: 'high',
+    category: 'privacy',
+    fix: 'Use encryption libraries (bcrypt, argon2, crypto) for data at rest and configure TLS for data in transit.',
+  },
+
+  // ============================================================
+  // === MC9: ERROR TRACKING (category: 'error-tracking') =======
+  // ============================================================
+
+  errorTrackingService: {
+    id: 130031,
+    name: 'Error tracking service configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const req = readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      const goMod = ctx.fileContent('go.mod') || '';
+      const cargo = ctx.fileContent('Cargo.toml') || '';
+      const deps = [pkg, req, goMod, cargo].join('\n');
+      return /@sentry\/|sentry-sdk|sentry_sdk|bugsnag|rollbar|datadog.*apm|dd-trace|getsentry/i.test(deps);
+    },
+    impact: 'high',
+    category: 'error-tracking',
+    fix: 'Add an error tracking service (Sentry, Bugsnag, Rollbar, Datadog APM) to catch production errors.',
+  },
+
+  errorBoundaries: {
+    id: 130032,
+    name: 'Error boundaries in frontend',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const components = readProjectFiles(ctx, /\.(jsx|tsx|vue|svelte|js|ts)$/i);
+      if (!components) return null;
+      return /ErrorBoundary|errorHandler|onErrorCaptured|componentDidCatch|getDerivedStateFromError|error\.vue|_error\.(jsx|tsx|js|ts)/i.test(components);
+    },
+    impact: 'high',
+    category: 'error-tracking',
+    fix: 'Add error boundaries (React ErrorBoundary, Vue errorHandler) to gracefully handle frontend errors.',
+  },
+
+  unhandledRejection: {
+    id: 130033,
+    name: 'Unhandled rejection/exception handler',
+    check: (ctx) => {
+      const code = readProjectFiles(ctx, /\.(js|ts|py|go|rs)$/i);
+      return /unhandledRejection|uncaughtException|sys\.excepthook|recover\(\)|panic.*handler|set_hook.*panic/i.test(code);
+    },
+    impact: 'high',
+    category: 'error-tracking',
+    fix: 'Add handlers for unhandledRejection and uncaughtException to prevent silent failures.',
+  },
+
+  errorReporting: {
+    id: 130034,
+    name: 'Error notification/reporting pattern',
+    check: (ctx) => {
+      const code = readProjectFiles(ctx, /\.(js|ts|py|go|rs|java|rb)$/i);
+      return /error.*webhook|error.*slack|error.*notify|alert.*error|captureException|captureMessage|notify.*error/i.test(code);
+    },
+    impact: 'medium',
+    category: 'error-tracking',
+    fix: 'Add error reporting patterns (webhook, Slack alerts, Sentry capture) to get notified of failures.',
+  },
+
+  errorBudgetSlo: {
+    id: 130035,
+    name: 'SLO/SLA or error budget defined',
+    check: (ctx) => {
+      const docs = readProjectFiles(ctx, /\.(md|txt|rst|ya?ml|json|toml)$/i);
+      return /\bslo\b|\bsla\b|error.budget|service.level|uptime.*target|availability.*target/i.test(docs);
+    },
+    impact: 'medium',
+    category: 'error-tracking',
+    fix: 'Define SLOs, SLAs, or error budgets in your docs to set clear reliability targets.',
+  },
+
+  crashReporting: {
+    id: 130036,
+    name: 'Crash reporting for mobile',
+    check: (ctx) => {
+      const hasMobile = isFlutterProject(ctx) || isSwiftProject(ctx) || isKotlinProject(ctx) ||
+        /react-native|expo/i.test(ctx.fileContent('package.json') || '');
+      if (!hasMobile) return null;
+      const deps = [
+        ctx.fileContent('package.json') || '',
+        ctx.fileContent('pubspec.yaml') || '',
+        ctx.fileContent('Podfile') || '',
+        readProjectFiles(ctx, /(^|\/)build\.gradle(\.kts)?$/i),
+      ].join('\n');
+      return /crashlytics|sentry.*native|@sentry\/react-native|bugsnag.*react-native|firebase.*crash/i.test(deps);
+    },
+    impact: 'high',
+    category: 'error-tracking',
+    fix: 'Add crash reporting (Crashlytics, Sentry Native) to track mobile app crashes in production.',
+  },
+
+  // ============================================================
+  // === MC15: SUPPLY CHAIN SECURITY (category: 'supply-chain') =
+  // ============================================================
+
+  sbomExists: {
+    id: 130041,
+    name: 'SBOM file exists',
+    check: (ctx) => {
+      return ctx.files.some(f => /sbom\.(json|xml|cdx\.json)|bom\.xml|cyclonedx/i.test(f));
+    },
+    impact: 'medium',
+    category: 'supply-chain',
+    fix: 'Generate an SBOM (Software Bill of Materials) in CycloneDX or SPDX format for supply chain transparency.',
+  },
+
+  dependencyPinning: {
+    id: 130042,
+    name: 'Lock files committed',
+    check: (ctx) => {
+      return ctx.files.some(f => /^(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock|poetry\.lock|Pipfile\.lock|bun\.lockb|composer\.lock|Gemfile\.lock|go\.sum)$/i.test(f));
+    },
+    impact: 'high',
+    category: 'supply-chain',
+    fix: 'Commit lock files (package-lock.json, yarn.lock, Cargo.lock, poetry.lock) for reproducible builds.',
+  },
+
+  provenanceAttestation: {
+    id: 130043,
+    name: 'Provenance or sigstore in CI',
+    check: (ctx) => {
+      const ci = getWorkflowContent(ctx);
+      return /provenance|sigstore|cosign|slsa|attestation/i.test(ci);
+    },
+    impact: 'medium',
+    category: 'supply-chain',
+    fix: 'Add npm provenance or sigstore attestation in CI to verify package integrity.',
+  },
+
+  lockfileIntegrity: {
+    id: 130044,
+    name: 'CI uses frozen lockfile install',
+    check: (ctx) => {
+      const ci = getWorkflowContent(ctx);
+      return /npm ci\b|--frozen-lockfile|--immutable|cargo.*--locked|pip install.*--require-hashes/i.test(ci);
+    },
+    impact: 'high',
+    category: 'supply-chain',
+    fix: 'Use `npm ci` or `--frozen-lockfile` in CI instead of `npm install` for deterministic builds.',
+  },
+
+  dependencyScanning: {
+    id: 130045,
+    name: 'Dependency scanning configured',
+    check: (ctx) => {
+      const hasConfig = ctx.files.some(f => /dependabot\.yml|renovate\.json|\.snyk/i.test(f));
+      if (hasConfig) return true;
+      const ci = getWorkflowContent(ctx);
+      return /dependabot|renovate|snyk|npm audit|cargo audit|pip-audit|safety check/i.test(ci);
+    },
+    impact: 'high',
+    category: 'supply-chain',
+    fix: 'Configure Dependabot, Renovate, or Snyk to automatically scan and update vulnerable dependencies.',
+  },
+
+  // ── MC3: Internationalization i18n ──────────────────────────────────
+
+  i18nLibrary: {
+    id: 130101,
+    name: 'i18n library in dependencies',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/i18next|react-intl|vue-i18n|@angular\/localize/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/gettext|babel|fluent/i.test(py)) return true;
+      return false;
+    },
+    impact: 'medium',
+    category: 'i18n',
+    fix: 'Add an i18n library (i18next, react-intl, vue-i18n, gettext, fluent) for internationalization support.',
+    confidence: 0.7,
+  },
+
+  localeFiles: {
+    id: 130102,
+    name: 'Locale files exist',
+    check: (ctx) => {
+      return hasProjectFile(ctx, /(^|\/)locales\//i) ||
+        hasProjectFile(ctx, /(^|\/)messages\//i) ||
+        hasProjectFile(ctx, /(^|\/)translations\//i) ||
+        hasProjectFile(ctx, /\.(po|xlf)$/i);
+    },
+    impact: 'medium',
+    category: 'i18n',
+    fix: 'Add locale files in a locales/, messages/, or translations/ directory for multi-language support.',
+    confidence: 0.7,
+  },
+
+  rtlSupport: {
+    id: 130103,
+    name: 'RTL support configured',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|vue|html|css|scss)$/i, 30);
+      return /dir=["']rtl["']|\brtl\b|\bbidi\b/i.test(src);
+    },
+    impact: 'low',
+    category: 'i18n',
+    fix: 'Add RTL (right-to-left) support with dir="rtl" or bidi utilities for languages like Arabic and Hebrew.',
+    confidence: 0.7,
+  },
+
+  pluralizationRules: {
+    id: 130104,
+    name: 'ICU message format or pluralization',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|json|properties)$/i, 30);
+      return /\{[^}]*,\s*plural\s*,/i.test(src) || /\bplural\b.*\bone\b|\bICU\b/i.test(src);
+    },
+    impact: 'low',
+    category: 'i18n',
+    fix: 'Use ICU message format or pluralization rules for correct multi-language number/gender handling.',
+    confidence: 0.7,
+  },
+
+  i18nExtraction: {
+    id: 130105,
+    name: 'i18n extraction tool configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      return /babel-plugin-react-intl|i18next-parser|@formatjs\/cli|react-intl-translations-manager/i.test(pkg);
+    },
+    impact: 'low',
+    category: 'i18n',
+    fix: 'Add an i18n extraction tool (i18next-parser, @formatjs/cli) to auto-extract translatable strings.',
+    confidence: 0.7,
+  },
+
+  dateTimeFormatting: {
+    id: 130106,
+    name: 'Locale-aware date/time formatting',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|vue)$/i, 30);
+      return /Intl\.DateTimeFormat|date-fns\/locale|dayjs\/locale|moment\/locale/i.test(src);
+    },
+    impact: 'low',
+    category: 'i18n',
+    fix: 'Use locale-aware date/time formatting (Intl.DateTimeFormat, date-fns/locale, dayjs/locale) instead of hardcoded formats.',
+    confidence: 0.7,
+  },
+
+  // ── MC5: API Versioning ─────────────────────────────────────────────
+
+  apiVersionHeader: {
+    id: 130111,
+    name: 'API versioning pattern present',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb)$/i, 30);
+      const config = readProjectFiles(ctx, /\.(ya?ml|json)$/i, 20);
+      return /\/v[12]\/|api-version|Accept-Version|x-api-version/i.test(src + config);
+    },
+    impact: 'medium',
+    category: 'api-versioning',
+    fix: 'Add API versioning (URL prefix /v1/, header Accept-Version) to manage breaking changes safely.',
+    confidence: 0.7,
+  },
+
+  deprecationNotices: {
+    id: 130112,
+    name: 'Deprecation notices in API code',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb)$/i, 30);
+      return /@deprecated|Deprecation|Sunset|x-deprecated/i.test(src);
+    },
+    impact: 'low',
+    category: 'api-versioning',
+    fix: 'Add @deprecated annotations or Deprecation/Sunset headers to signal API endpoint retirement.',
+    confidence: 0.7,
+  },
+
+  apiChangelog: {
+    id: 130113,
+    name: 'API changelog exists',
+    check: (ctx) => {
+      if (hasProjectFile(ctx, /(^|\/)api-changelog/i)) return true;
+      const changelog = ctx.fileContent('CHANGELOG.md') || '';
+      return /\bAPI\b/i.test(changelog);
+    },
+    impact: 'low',
+    category: 'api-versioning',
+    fix: 'Add an API changelog (CHANGELOG.md with API section or api-changelog file) to document breaking changes.',
+    confidence: 0.7,
+  },
+
+  backwardCompat: {
+    id: 130114,
+    name: 'Backward compatibility tests or migrations',
+    check: (ctx) => {
+      return hasProjectFile(ctx, /(^|\/)(migration|migrate)/i) ||
+        hasProjectFile(ctx, /(backward|compat).*test/i);
+    },
+    impact: 'medium',
+    category: 'api-versioning',
+    fix: 'Add backward compatibility tests or migration scripts to validate API changes don\'t break clients.',
+    confidence: 0.7,
+  },
+
+  apiDocVersioned: {
+    id: 130115,
+    name: 'Versioned API documentation',
+    check: (ctx) => {
+      const docs = readProjectFiles(ctx, /(openapi|swagger)\.(ya?ml|json)$/i);
+      return /version/i.test(docs);
+    },
+    impact: 'low',
+    category: 'api-versioning',
+    fix: 'Add versioned API documentation (OpenAPI/Swagger spec with version field) for API consumers.',
+    confidence: 0.7,
+  },
+
+  // ── MC6: Caching Strategy ───────────────────────────────────────────
+
+  cacheLayer: {
+    id: 130121,
+    name: 'Cache library in dependencies',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/redis|memcached|ioredis|node-cache|lru-cache/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/redis|memcached|django-cache|cachetools/i.test(py)) return true;
+      return false;
+    },
+    impact: 'medium',
+    category: 'caching',
+    fix: 'Add a caching layer (redis, memcached, ioredis, lru-cache) to reduce latency and database load.',
+    confidence: 0.7,
+  },
+
+  cdnConfigured: {
+    id: 130122,
+    name: 'CDN configured',
+    check: (ctx) => {
+      const config = readProjectFiles(ctx, /\.(json|ya?ml|toml|conf)$/i, 20);
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?)$/i, 20);
+      return /cloudfront|cloudflare|fastly|cdn/i.test(config + src) ||
+        (ctx.files.includes('vercel.json') && /headers/i.test(ctx.fileContent('vercel.json') || ''));
+    },
+    impact: 'medium',
+    category: 'caching',
+    fix: 'Configure a CDN (CloudFront, Cloudflare, Fastly) for static asset delivery and edge caching.',
+    confidence: 0.7,
+  },
+
+  cacheHeaders: {
+    id: 130123,
+    name: 'Cache-Control headers configured',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb|conf)$/i, 30);
+      return /Cache-Control|max-age|s-maxage|stale-while-revalidate/i.test(src);
+    },
+    impact: 'medium',
+    category: 'caching',
+    fix: 'Set Cache-Control headers (max-age, s-maxage, stale-while-revalidate) for HTTP response caching.',
+    confidence: 0.7,
+  },
+
+  cacheInvalidation: {
+    id: 130124,
+    name: 'Cache invalidation patterns present',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb)$/i, 30);
+      return /cache.*purge|cache.*bust|cache.*invalidat|\.del\(|\.flush\(/i.test(src);
+    },
+    impact: 'low',
+    category: 'caching',
+    fix: 'Implement cache invalidation patterns (purge, bust, invalidate) to prevent serving stale data.',
+    confidence: 0.7,
+  },
+
+  httpCaching: {
+    id: 130125,
+    name: 'ETag or Last-Modified caching',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb|conf)$/i, 30);
+      return /ETag|Last-Modified|If-None-Match|If-Modified-Since/i.test(src);
+    },
+    impact: 'low',
+    category: 'caching',
+    fix: 'Implement ETag or Last-Modified headers for conditional HTTP caching and bandwidth savings.',
+    confidence: 0.7,
+  },
+
+  // ── MC7: Rate Limiting ──────────────────────────────────────────────
+
+  rateLimitMiddleware: {
+    id: 130131,
+    name: 'Rate limiting middleware configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/express-rate-limit|@nestjs\/throttler|rate-limiter-flexible|koa-ratelimit/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/django-ratelimit|slowapi|flask-limiter/i.test(py)) return true;
+      return false;
+    },
+    impact: 'medium',
+    category: 'rate-limiting',
+    fix: 'Add rate limiting middleware (express-rate-limit, @nestjs/throttler, rate-limiter-flexible) to protect APIs.',
+    confidence: 0.7,
+  },
+
+  ddosProtection: {
+    id: 130132,
+    name: 'DDoS protection configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const config = readProjectFiles(ctx, /\.(json|ya?ml|toml|conf)$/i, 20);
+      return /helmet|cors|cloudflare|waf|ddos/i.test(pkg + config);
+    },
+    impact: 'medium',
+    category: 'rate-limiting',
+    fix: 'Add DDoS protection (helmet, CORS, WAF, Cloudflare) to defend against abuse and volumetric attacks.',
+    confidence: 0.7,
+  },
+
+  backoffStrategy: {
+    id: 130133,
+    name: 'Retry/backoff strategy in dependencies',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/exponential-backoff|p-retry|async-retry|retry|got.*retry|axios-retry/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/tenacity|backoff|urllib3.*retry/i.test(py)) return true;
+      return false;
+    },
+    impact: 'low',
+    category: 'rate-limiting',
+    fix: 'Add a retry/backoff library (p-retry, tenacity, exponential-backoff) for resilient external calls.',
+    confidence: 0.7,
+  },
+
+  requestThrottling: {
+    id: 130134,
+    name: 'Request throttling in dependencies',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      return /bottleneck|p-throttle|p-limit|throttle/i.test(pkg);
+    },
+    impact: 'low',
+    category: 'rate-limiting',
+    fix: 'Add request throttling (bottleneck, p-throttle) to control outbound API call rates.',
+    confidence: 0.7,
+  },
+
+  rateLimitHeaders: {
+    id: 130135,
+    name: 'Rate limit headers or 429 responses',
+    check: (ctx) => {
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?|py|go|java|rb)$/i, 30);
+      return /X-RateLimit|RateLimit-|429|Too Many Requests/i.test(src);
+    },
+    impact: 'low',
+    category: 'rate-limiting',
+    fix: 'Return X-RateLimit headers and 429 status codes so clients can handle rate limiting gracefully.',
+    confidence: 0.7,
+  },
+
+  // ── MC8: Feature Flags ──────────────────────────────────────────────
+
+  featureFlagService: {
+    id: 130141,
+    name: 'Feature flag service in dependencies',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/launchdarkly|unleash|flagsmith|growthbook|@split/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/launchdarkly|unleash|flagsmith|growthbook/i.test(py)) return true;
+      return false;
+    },
+    impact: 'medium',
+    category: 'feature-flags',
+    fix: 'Add a feature flag service (LaunchDarkly, Unleash, Flagsmith, GrowthBook) for safe feature rollouts.',
+    confidence: 0.7,
+  },
+
+  featureFlagConfig: {
+    id: 130142,
+    name: 'Feature flag config files exist',
+    check: (ctx) => {
+      return hasProjectFile(ctx, /(^|\/)flags\.json$/i) ||
+        hasProjectFile(ctx, /(^|\/)features\.json$/i) ||
+        hasProjectFile(ctx, /(^|\/)feature-flags\//i);
+    },
+    impact: 'low',
+    category: 'feature-flags',
+    fix: 'Add feature flag configuration files (flags.json, features.json, or feature-flags/ directory).',
+    confidence: 0.7,
+  },
+
+  featureFlagTests: {
+    id: 130143,
+    name: 'Feature flag testing present',
+    check: (ctx) => {
+      const testFiles = readProjectFiles(ctx, /(test|spec)\.(jsx?|tsx?|py|go|java|rb)$/i, 30);
+      return /flag|feature.*toggle|variation/i.test(testFiles);
+    },
+    impact: 'low',
+    category: 'feature-flags',
+    fix: 'Add tests for feature flag variations to verify behavior under different flag states.',
+    confidence: 0.7,
+  },
+
+  flagLifecycle: {
+    id: 130144,
+    name: 'Flag lifecycle management',
+    check: (ctx) => {
+      return hasProjectFile(ctx, /flag-audit|remove-flag|flag.*cleanup/i) ||
+        /flag.*lifecycle|flag.*cleanup|stale.*flag/i.test(readProjectFiles(ctx, /\.(md|txt|json)$/i, 10));
+    },
+    impact: 'low',
+    category: 'feature-flags',
+    fix: 'Add flag lifecycle scripts or docs (flag-audit, remove-flag) to prevent stale flag accumulation.',
+    confidence: 0.7,
+  },
+
+  envBasedFlags: {
+    id: 130145,
+    name: 'Environment-based feature toggles',
+    check: (ctx) => {
+      const envFiles = readProjectFiles(ctx, /(^|\/)(\.env|\.env\.\w+)$/i);
+      const config = readProjectFiles(ctx, /\.(json|ya?ml|toml)$/i, 15);
+      return /FEATURE_|ENABLE_|FF_/i.test(envFiles + config);
+    },
+    impact: 'low',
+    category: 'feature-flags',
+    fix: 'Use environment-based feature toggles (FEATURE_, ENABLE_, FF_ prefixes) for deployment-time configuration.',
+    confidence: 0.7,
+  },
+
+  // ── MC10: Documentation Quality ─────────────────────────────────────
+
+  readmeQuality: {
+    id: 130151,
+    name: 'README has installation, usage, and contributing sections',
+    check: (ctx) => {
+      const readme = ctx.fileContent('README.md') || '';
+      if (!readme) return false;
+      return /install/i.test(readme) && /usage/i.test(readme) && /contribut/i.test(readme);
+    },
+    impact: 'medium',
+    category: 'docs-quality',
+    fix: 'Ensure README.md includes installation, usage, and contributing sections for developer onboarding.',
+    confidence: 0.7,
+  },
+
+  contributingGuide: {
+    id: 130152,
+    name: 'CONTRIBUTING.md exists',
+    check: (ctx) => ctx.files.some(f => /^contributing\.md$/i.test(f)),
+    impact: 'low',
+    category: 'docs-quality',
+    fix: 'Add CONTRIBUTING.md with contribution guidelines, code standards, and PR process.',
+    confidence: 0.7,
+  },
+
+  apiDocsGenerated: {
+    id: 130153,
+    name: 'API documentation generator configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      if (/typedoc|jsdoc|apidoc|compodoc/i.test(pkg)) return true;
+      const py = readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i) + readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i);
+      if (/sphinx|pdoc|mkdocstrings/i.test(py)) return true;
+      if (isGoProject(ctx) && hasProjectFile(ctx, /(^|\/)doc\.go$/i)) return true;
+      return false;
+    },
+    impact: 'low',
+    category: 'docs-quality',
+    fix: 'Add an API documentation generator (typedoc, jsdoc, sphinx, godoc) for auto-generated docs.',
+    confidence: 0.7,
+  },
+
+  storybookConfigured: {
+    id: 130154,
+    name: 'Storybook configured for component docs',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      return ctx.hasDir('.storybook') || hasProjectFile(ctx, /(^|\/)\.storybook\//i);
+    },
+    impact: 'low',
+    category: 'docs-quality',
+    fix: 'Add Storybook (.storybook/) for interactive component documentation and visual testing.',
+    confidence: 0.7,
+  },
+
+  codeOfConduct: {
+    id: 130155,
+    name: 'CODE_OF_CONDUCT.md exists',
+    check: (ctx) => ctx.files.some(f => /^code.of.conduct\.md$/i.test(f)),
+    impact: 'low',
+    category: 'docs-quality',
+    fix: 'Add CODE_OF_CONDUCT.md to set community standards and expectations.',
+    confidence: 0.7,
+  },
+
+  licenseDeclared: {
+    id: 130156,
+    name: 'LICENSE file exists',
+    check: (ctx) => ctx.files.some(f => /^license/i.test(f)),
+    impact: 'low',
+    category: 'docs-quality',
+    fix: 'Add a LICENSE file to clarify usage rights and legal terms.',
+    confidence: 0.7,
+  },
+
+  // ── MC13: Monorepo Tooling ──────────────────────────────────────────
+
+  monorepoTool: {
+    id: 130161,
+    name: 'Monorepo tool configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const hasMonorepo = /workspaces/i.test(pkg) || ctx.files.includes('lerna.json') ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i);
+      if (!hasMonorepo) return null;
+      return /turborepo|turbo|"nx"|lerna|rush|bazel/i.test(pkg) ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        ctx.files.includes('lerna.json') || ctx.files.includes('rush.json');
+    },
+    impact: 'medium',
+    category: 'monorepo',
+    fix: 'Configure a monorepo orchestration tool (Turborepo, Nx, Lerna, Rush) for efficient multi-package builds.',
+    confidence: 0.7,
+  },
+
+  workspaceDeps: {
+    id: 130162,
+    name: 'Workspace dependency management configured',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const hasMonorepo = /workspaces/i.test(pkg) || ctx.files.includes('lerna.json') ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i);
+      if (!hasMonorepo) return null;
+      return hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i) || /workspaces/i.test(pkg);
+    },
+    impact: 'medium',
+    category: 'monorepo',
+    fix: 'Configure workspace dependencies (pnpm-workspace.yaml or workspaces in package.json) for cross-package linking.',
+    confidence: 0.7,
+  },
+
+  changesetsConfigured: {
+    id: 130163,
+    name: 'Changesets or conventional commits for versioning',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const hasMonorepo = /workspaces/i.test(pkg) || ctx.files.includes('lerna.json') ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i);
+      if (!hasMonorepo) return null;
+      return /@changesets\/cli|changeset/i.test(pkg) || ctx.hasDir('.changeset') ||
+        hasProjectFile(ctx, /(^|\/)\.changeset\//i);
+    },
+    impact: 'low',
+    category: 'monorepo',
+    fix: 'Add @changesets/cli or conventional commits for coordinated versioning across packages.',
+    confidence: 0.7,
+  },
+
+  monorepoCI: {
+    id: 130164,
+    name: 'CI uses affected/changed detection',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const hasMonorepo = /workspaces/i.test(pkg) || ctx.files.includes('lerna.json') ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i);
+      if (!hasMonorepo) return null;
+      const ci = getWorkflowContent(ctx);
+      return /nx affected|turbo.*--filter|lerna changed|lerna run.*--since/i.test(ci);
+    },
+    impact: 'medium',
+    category: 'monorepo',
+    fix: 'Use affected/changed detection in CI (nx affected, turbo --filter) to only build what changed.',
+    confidence: 0.7,
+  },
+
+  sharedConfigs: {
+    id: 130165,
+    name: 'Shared configs across packages',
+    check: (ctx) => {
+      const pkg = ctx.fileContent('package.json') || '';
+      const hasMonorepo = /workspaces/i.test(pkg) || ctx.files.includes('lerna.json') ||
+        ctx.files.includes('nx.json') || ctx.files.includes('turbo.json') ||
+        hasProjectFile(ctx, /(^|\/)pnpm-workspace\.yaml$/i);
+      if (!hasMonorepo) return null;
+      return hasProjectFile(ctx, /(^|\/)packages\/.*eslint/i) ||
+        hasProjectFile(ctx, /(^|\/)packages\/.*tsconfig/i) ||
+        hasProjectFile(ctx, /shared.*config/i);
+    },
+    impact: 'low',
+    category: 'monorepo',
+    fix: 'Create shared config packages (eslint, tsconfig) referenced across monorepo packages for consistency.',
+    confidence: 0.7,
+  },
+
+  // ── MC14: Performance Budget ────────────────────────────────────────
+
+  lighthouseCI: {
+    id: 130171,
+    name: 'Lighthouse CI configured',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      return hasProjectFile(ctx, /(^|\/)\.?lighthouserc\.(js|json|ya?ml)$/i) ||
+        /lighthouse/i.test(getWorkflowContent(ctx));
+    },
+    impact: 'medium',
+    category: 'performance-budget',
+    fix: 'Add Lighthouse CI (lighthouserc.js) to enforce performance budgets in your CI pipeline.',
+    confidence: 0.7,
+  },
+
+  bundleSizeLimit: {
+    id: 130172,
+    name: 'Bundle size check configured',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const pkg = ctx.fileContent('package.json') || '';
+      return /size-limit|bundlewatch|@next\/bundle-analyzer|webpack-bundle-analyzer/i.test(pkg);
+    },
+    impact: 'medium',
+    category: 'performance-budget',
+    fix: 'Add bundle size checks (size-limit, bundlewatch, @next/bundle-analyzer) to prevent bundle bloat.',
+    confidence: 0.7,
+  },
+
+  webVitals: {
+    id: 130173,
+    name: 'Core Web Vitals tracking configured',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const pkg = ctx.fileContent('package.json') || '';
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?)$/i, 20);
+      return /web-vitals|next\/web-vitals|@vercel\/speed-insights/i.test(pkg + src);
+    },
+    impact: 'medium',
+    category: 'performance-budget',
+    fix: 'Add Core Web Vitals tracking (web-vitals, next/web-vitals) for real user performance monitoring.',
+    confidence: 0.7,
+  },
+
+  performanceRegression: {
+    id: 130174,
+    name: 'Performance regression testing in CI',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const ci = getWorkflowContent(ctx);
+      const pkg = ctx.fileContent('package.json') || '';
+      return /benchmark|bench|perf.*test|lighthouse.*assert/i.test(ci + pkg);
+    },
+    impact: 'low',
+    category: 'performance-budget',
+    fix: 'Add performance regression testing in CI (benchmark, lighthouse assert) to catch regressions early.',
+    confidence: 0.7,
+  },
+
+  imageOptimization: {
+    id: 130175,
+    name: 'Image optimization configured',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const pkg = ctx.fileContent('package.json') || '';
+      return /sharp|imagemin|next\/image|responsive-loader|@squoosh/i.test(pkg);
+    },
+    impact: 'low',
+    category: 'performance-budget',
+    fix: 'Add image optimization (sharp, imagemin, next/image) to reduce page weight and improve loading.',
+    confidence: 0.7,
+  },
+
+  lazyLoading: {
+    id: 130176,
+    name: 'Code splitting and lazy loading',
+    check: (ctx) => {
+      if (!hasFrontendSignals(ctx)) return null;
+      const src = readProjectFiles(ctx, /\.(jsx?|tsx?)$/i, 30);
+      return /React\.lazy|import\s*\(|loadable|dynamic\s*\(\s*\(\)\s*=>/i.test(src);
+    },
+    impact: 'low',
+    category: 'performance-budget',
+    fix: 'Use code splitting and lazy loading (React.lazy, dynamic import, loadable) to reduce initial bundle size.',
+    confidence: 0.7,
+  },
+
 
 };