@prajwolkc/stk 0.5.1 → 0.7.0

package/src/data/seed-patterns.json

@@ -0,0 +1,1802 @@
+[
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000001",
+    "title": "Express error handler must be last",
+    "content": "Express error-handling middleware must be defined after all other app.use() and route calls. If you place it before your routes, it won't catch errors from those routes. The 4-param signature (err, req, res, next) is what tells Express it's an error handler, and order determines when it runs.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000002",
+    "title": "Async route errors need explicit catching",
+    "content": "Express doesn't catch promise rejections in route handlers. An unhandled async error will hang the request or crash the process. Wrap handlers in try/catch or use express-async-errors which patches Router to forward rejected promises to your error middleware automatically.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "async"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000003",
+    "title": "Headers already sent crash",
+    "content": "Calling res.json() or res.send() after a response is already sent throws 'Cannot set headers after they are sent to the client'. This often happens when you forget to return after sending an error response. Always use return res.status(400).json({error}) to prevent code from continuing.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "http"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000004",
+    "title": "CORS credentials need explicit origin",
+    "content": "When using credentials: true in CORS config, the origin cannot be '*'. The browser blocks the response silently. You must specify the exact origin like 'https://myapp.com' or use a function that dynamically returns the allowed origin from a whitelist.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["express", "cors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000005",
+    "title": "body-parser has 100kb default limit",
+    "content": "Express's built-in JSON parser (body-parser) rejects payloads over 100kb with a 413 status. If your API accepts file uploads or large JSON, increase the limit: app.use(express.json({ limit: '10mb' })). This catches many devs off guard with image base64 payloads.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000006",
+    "title": "trust proxy needed behind reverse proxy",
+    "content": "Behind Nginx, AWS ALB, or Railway, req.ip returns the proxy IP not the client IP. Set app.set('trust proxy', 1) so Express reads X-Forwarded-For. Without this, rate limiters like express-rate-limit key all requests to the same IP, making them useless.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["express", "proxy"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000007",
+    "title": "Static middleware placement matters",
+    "content": "express.static() should come before your API routes but after security middleware like helmet. If placed after a catch-all route, it never serves files. If placed before auth middleware, static files bypass authentication. Order: helmet > static > auth > api routes > 404 > error handler.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000008",
+    "title": "express.json() must come before routes",
+    "content": "If you define routes before app.use(express.json()), req.body will be undefined on POST/PUT requests. This is a common mistake when reorganizing middleware. The JSON parser must execute before any route handler that reads the request body.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000009",
+    "title": "Error middleware needs exactly 4 params",
+    "content": "Express identifies error middleware by its 4-parameter signature: (err, req, res, next). If you omit any parameter, Express treats it as regular middleware and skips it during error handling. Even if you don't use next, include it: (err, req, res, _next) => {}.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000010",
+    "title": "Route params are always strings",
+    "content": "req.params.id is always a string, even if the URL looks numeric like /users/42. Passing it directly to a database query expecting an integer causes type errors or wrong results. Always parse: const id = parseInt(req.params.id, 10) or Number(req.params.id), and validate it's not NaN.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000011",
+    "title": "next('route') skips remaining middleware",
+    "content": "Calling next('route') in Express skips any remaining middleware attached to the current route and jumps to the next matching route. This is different from next() which runs the next middleware in the stack. Useful for conditional middleware chains but confusing if hit accidentally.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000012",
+    "title": "res.locals scoped to single request",
+    "content": "res.locals is an object that persists only within a single request-response cycle. It's perfect for passing data between middleware (e.g., auth middleware sets res.locals.user), but it's gone after the response is sent. Don't confuse it with app.locals which persists across requests.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000013",
+    "title": "Helmet doesn't set CSP by default",
+    "content": "Helmet sets many security headers but Content-Security-Policy is not enabled by default since it breaks most apps. You need to explicitly configure it: helmet({ contentSecurityPolicy: { directives: { defaultSrc: [\"'self'\"], scriptSrc: [\"'self'\"] } } }). Without CSP, XSS attacks remain possible.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["express", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000014",
+    "title": "Rate limiter keys by IP—needs trustProxy",
+    "content": "express-rate-limit uses req.ip for keying. Behind a proxy, all requests appear from the same IP unless you set app.set('trust proxy', 1). Without it, one abusive client rate-limits everyone. Set trustProxy and consider adding a custom keyGenerator for authenticated routes.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["express", "rate-limiting"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000015",
+    "title": "Cookie parser before cookie-reading routes",
+    "content": "app.use(cookieParser()) must be registered before any route that accesses req.cookies. Otherwise req.cookies is undefined. This also applies to signed cookies—pass your secret to cookieParser(secret) and access them via req.signedCookies.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "cookies"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000016",
+    "title": "Multiple res.send() calls crash server",
+    "content": "Calling res.send(), res.json(), or res.end() more than once per request throws ERR_HTTP_HEADERS_SENT and can crash your server. This typically happens in if/else branches without return statements, or in async code that continues after sending a response.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "http"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000017",
+    "title": "404 handler must go after all routes",
+    "content": "A catch-all 404 handler like app.use((req, res) => res.status(404).json({error: 'Not Found'})) must be placed after all your route definitions. If placed before, it intercepts every request. This is the most common cause of 'all my routes return 404'.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "routing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000018",
+    "title": "req.body undefined without body parser",
+    "content": "Express does not parse request bodies by default. req.body is undefined until you add app.use(express.json()) for JSON or app.use(express.urlencoded({ extended: true })) for form data. This is the #1 Express beginner gotcha—always set up body parsing before routes.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000019",
+    "title": "Multer field names must match exactly",
+    "content": "Multer's upload.single('avatar') requires the form field name to be exactly 'avatar'. A mismatch means req.file is undefined with no error. For multiple fields, use upload.fields([{name: 'photo', maxCount: 1}]) and access via req.files['photo'].",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "file-upload"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000020",
+    "title": "Morgan logger should be first middleware",
+    "content": "Place morgan (HTTP request logger) as one of the first middleware to capture all requests including those rejected by auth or other middleware. If placed after auth middleware, failed auth requests won't be logged, making debugging harder.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "logging"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000021",
+    "title": "CORS preflight needs OPTIONS handling",
+    "content": "Browsers send an OPTIONS preflight request before cross-origin requests with custom headers or non-simple methods. If your server doesn't handle OPTIONS, the actual request never fires. The cors() middleware handles this automatically, but custom CORS setups often forget it.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "cors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000022",
+    "title": "Express misses promise rejections by default",
+    "content": "Express 4 doesn't catch rejected promises from async handlers. An unhandled rejection hangs the request until timeout. Either wrap every async handler in try/catch, use a wrapper function, or install express-async-errors at the top of your entry file before any routes.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "async"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000023",
+    "title": "res.status().json() not res.json().status()",
+    "content": "The correct chain is res.status(400).json({error: 'Bad request'}). Calling res.json().status() sends the response with status 200 first, then tries to set status on an already-sent response, which either fails silently or throws. Status must be set before sending the body.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "http"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000024",
+    "title": "Express route order—first match wins",
+    "content": "Express matches routes top-to-bottom and stops at the first match. If you define GET /users/:id before GET /users/me, the request to /users/me matches :id='me'. Fix: define specific routes before parameterized ones, or use regex constraints on params.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "routing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000025",
+    "title": "app.use without path matches everything",
+    "content": "app.use(myMiddleware) with no path argument applies to every route and HTTP method. This is intentional for global middleware like cors() and helmet(), but accidentally omitting the path on route-specific middleware applies it globally. Use app.use('/api', myMiddleware) to scope it.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["express", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000026",
+    "title": "Prisma N+1 with include",
+    "content": "Using include: { posts: true } on a list query generates a separate query per parent record—classic N+1. Use select to limit fields, or restructure to fetch relations in a separate batch query. Prisma's query engine batches some includes, but deeply nested includes still cause N+1.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["prisma", "database"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000027",
+    "title": "prisma db push drops data on conflicts",
+    "content": "prisma db push syncs schema to DB but may drop columns or tables when resolving conflicts. It shows a warning and asks for confirmation, but in CI/scripts with --accept-data-loss it's silent. Use prisma migrate for production databases where data preservation matters.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "migration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000028",
+    "title": "Prisma connection pool exhaustion",
+    "content": "Prisma's default connection pool is 10 connections (num_physical_cpus * 2 + 1). Under high load or with long transactions, the pool exhausts and requests queue up, eventually timing out. Set connection_limit in your DATABASE_URL and increase pool_timeout. Use pgbouncer for serverless.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000029",
+    "title": "findUnique returns null not error",
+    "content": "prisma.user.findUnique({ where: { id: 999 } }) returns null when no record exists—it doesn't throw. If you assume it returns an object, you get 'Cannot read properties of null'. Use findUniqueOrThrow() if you want an error, or add a null check before accessing properties.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "errors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000030",
+    "title": "Soft delete filter forgotten in queries",
+    "content": "After adding soft deletes (deletedAt column), every query needs where: { deletedAt: null }. It's easy to forget in count(), aggregate(), or new queries. Use Prisma middleware or a wrapper to automatically add the filter, or you'll leak deleted records to users.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "soft-delete"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000031",
+    "title": "Prisma unique constraint error is P2002",
+    "content": "When a unique constraint is violated, Prisma throws a PrismaClientKnownRequestError with code 'P2002'. Catch it specifically: if (error.code === 'P2002') { return res.status(409).json({ error: 'Already exists' }); }. The error.meta.target field tells you which field(s) caused the conflict.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "errors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000032",
+    "title": "Prisma transaction rollback on any error",
+    "content": "Inside prisma.$transaction(), if any operation throws, ALL operations roll back. This includes validation errors and unique constraint violations. Don't mix side effects (emails, API calls) inside transactions—they can't be rolled back. Do side effects after the transaction succeeds.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "transactions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000033",
+    "title": "Prisma DateTime stored as UTC",
+    "content": "Prisma stores all DateTime fields as UTC in the database and returns JavaScript Date objects in UTC. If you display them directly, users see UTC times. Convert to local timezone on the frontend: new Date(record.createdAt).toLocaleString(). Never store local times in the DB.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "datetime"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000034",
+    "title": "Cascade delete needs explicit onDelete",
+    "content": "Prisma doesn't cascade deletes by default. Deleting a parent record with child references throws a foreign key violation. Add onDelete: Cascade to your relation: @relation(fields: [userId], references: [id], onDelete: Cascade). Or use onDelete: SetNull to nullify the reference instead.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "relations"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000035",
+    "title": "Prisma raw query SQL injection risk",
+    "content": "prisma.$queryRawUnsafe() is vulnerable to SQL injection. Use prisma.$queryRaw with template literals instead—it parameterizes automatically: prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`. The tagged template syntax looks like string interpolation but is actually safe.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["prisma", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000036",
+    "title": "prisma generate needed after schema changes",
+    "content": "After modifying schema.prisma, you must run npx prisma generate to regenerate the TypeScript client. Without this, your code uses stale types—new fields won't appear in autocomplete and queries will fail at runtime. Add prisma generate to your build script.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "workflow"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000037",
+    "title": "connectOrCreate race condition",
+    "content": "Prisma's connectOrCreate can fail with a unique constraint error under concurrent requests. Two requests check simultaneously, both find nothing, both try to create. Wrap in a retry loop or use an upsert instead. This is a real problem in high-concurrency environments.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "concurrency"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000038",
+    "title": "BigInt serialization to JSON fails",
+    "content": "JSON.stringify() throws 'Do not know how to serialize a BigInt' for Prisma BigInt fields. Add a custom serializer: BigInt.prototype.toJSON = function() { return this.toString() }; or convert BigInt fields to strings/numbers before sending responses.",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["prisma", "serialization"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000039",
+    "title": "Prisma include is eager loading",
+    "content": "Prisma's include always executes a JOIN or separate query immediately—there's no lazy loading. Including deeply nested relations (user.posts.comments.author) generates many queries. Use select to pick only needed fields, or split into multiple targeted queries for better performance.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["prisma", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000040",
+    "title": "Count doesn't respect soft delete filter",
+    "content": "prisma.user.count() returns ALL records including soft-deleted ones unless you add where: { deletedAt: null }. This causes mismatched counts on paginated lists—the total says 100 but the list shows 95. Always apply the same where clause to both findMany and count.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "soft-delete"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000041",
+    "title": "updateMany doesn't trigger middleware",
+    "content": "Prisma middleware (used for soft deletes, audit logs) only runs on single-record operations like update() and delete(). updateMany() and deleteMany() bypass middleware entirely. If you rely on middleware for business logic, avoid bulk operations or implement the logic at the database level.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "middleware"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000042",
+    "title": "Decimal fields need string in JSON",
+    "content": "Prisma Decimal fields serialize to Prisma.Decimal objects, not numbers. JSON.stringify converts them but may lose precision. When sending to clients, convert to string: price.toString(). When receiving from clients, accept strings to avoid floating-point issues: new Prisma.Decimal('19.99').",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000043",
+    "title": "prisma migrate vs db push in production",
+    "content": "prisma db push is for prototyping—it doesn't create migration files and can drop data. For production, use prisma migrate deploy which applies versioned migration files. However, if your migration chain is broken, db push with a backup is sometimes the pragmatic choice.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["prisma", "migration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000044",
+    "title": "Connection string needs connection_limit",
+    "content": "Without connection_limit in your DATABASE_URL, Prisma uses the default pool size which may exceed your database's max connections, especially on managed databases. Add ?connection_limit=25&pool_timeout=15 to your connection string. Serverless apps need even lower limits.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000045",
+    "title": "findFirst without orderBy is nondeterministic",
+    "content": "prisma.user.findFirst({ where: { email: 'x' } }) returns an arbitrary matching record when multiple exist—the order depends on the database engine. Always add orderBy to get consistent results: findFirst({ where: {...}, orderBy: { createdAt: 'desc' } }).",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "queries"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000046",
+    "title": "Nested create doesn't validate unique",
+    "content": "When using nested create inside a Prisma query, unique constraints are only checked at the database level, not in Prisma's type system. You'll get a runtime P2002 error. Validate uniqueness before the nested create, or handle the constraint error gracefully.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "validation"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000047",
+    "title": "$transaction is sequential by default",
+    "content": "prisma.$transaction([query1, query2]) runs queries sequentially, not in parallel. For independent operations that need atomicity but not ordering, this is slower than necessary. Use the interactive transaction API ($transaction(async (tx) => {})) for more control over execution order.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["prisma", "transactions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000048",
+    "title": "Prisma client is not tree-shakeable",
+    "content": "The generated Prisma client includes code for all models and operations, even ones you don't use. This bloats serverless function bundles. Use prisma generate --no-engine for edge runtimes, or consider splitting your schema into smaller clients for different services.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["prisma", "bundle-size"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000049",
+    "title": "Prisma enum changes need migration",
+    "content": "Adding or renaming enum values in schema.prisma requires a database migration. db push may fail or drop the enum. Create a migration: prisma migrate dev --name add_enum_value. Renaming enums is especially tricky—you may need raw SQL to ALTER TYPE.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "migration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000050",
+    "title": "Relation filter where syntax differs",
+    "content": "Prisma's relation filters use a different syntax: where: { posts: { some: { published: true } } } not where: { posts: { published: true } }. The some/every/none operators are required for to-many relations. This trips up developers coming from other ORMs like Sequelize.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["prisma", "queries"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000051",
+    "title": "useEffect stale closure from missing deps",
+    "content": "Omitting a variable from useEffect's dependency array creates a stale closure—the effect captures the old value. React's exhaustive-deps lint rule catches this. Either add the dependency, use a ref for values you don't want to trigger re-runs, or use useReducer for complex state.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000052",
+    "title": "setState on unmounted component",
+    "content": "Calling setState after a component unmounts causes a React warning and potential memory leak. This happens with async operations that complete after navigation. Use an AbortController in useEffect cleanup, or check a ref: if (mountedRef.current) setState(data). React 18+ suppresses the warning but the leak remains.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000053",
+    "title": "Use stable ID for key prop, not index",
+    "content": "Using array index as key causes bugs when items are reordered, inserted, or deleted—React reuses the wrong DOM node and component state gets mixed up. Use a stable unique identifier like a database ID: items.map(item => <Item key={item.id} />). Index is only safe for static lists.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "rendering"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000054",
+    "title": "useMemo doesn't prevent children re-render",
+    "content": "useMemo memoizes a computed value but doesn't prevent child components from re-rendering. If the parent re-renders, children re-render even if the memoized value didn't change. Use React.memo() on child components to prevent unnecessary re-renders based on prop comparison.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000055",
+    "title": "Context change re-renders all consumers",
+    "content": "When a Context value changes, every component that calls useContext(MyContext) re-renders—even if it only uses a portion of the context. Split large contexts into smaller ones (AuthContext, ThemeContext) or use libraries like zustand/jotai for fine-grained subscriptions.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "context"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000056",
+    "title": "useCallback identity changes with new deps",
+    "content": "useCallback returns a new function reference when any dependency changes. If the dependency is an object created in render, useCallback is useless—it gets a new identity every render. Ensure deps are primitives or stable references. Memoize the deps themselves if needed.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000057",
+    "title": "Ref updates don't trigger re-render",
+    "content": "Changing ref.current does not cause a re-render. If you need the UI to update when a ref changes, you need state instead. Refs are for values that don't affect rendering: DOM elements, timer IDs, previous values, or mutable values shared across renders without re-rendering.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000058",
+    "title": "useState initial value only on mount",
+    "content": "The initial value passed to useState(initialValue) is only used during the first render. Passing a new value on re-render does nothing: const [name, setName] = useState(props.name) won't update when props.name changes. Use useEffect to sync props to state, or derive state from props directly.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000059",
+    "title": "useEffect cleanup runs before next effect",
+    "content": "useEffect's cleanup function runs before the next effect execution AND on unmount. This is intentional for cleaning up stale subscriptions. If your effect fetches data, the cleanup can abort the previous fetch: return () => controller.abort(). Not understanding this order causes race conditions.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000060",
+    "title": "Strict mode double-invokes effects in dev",
+    "content": "React.StrictMode intentionally runs effects twice in development to catch bugs. Your useEffect fires, runs cleanup, then fires again. This exposes missing cleanup functions and side effects that aren't idempotent. It only happens in dev—production runs effects once.",
+    "category": "testing",
+    "source": "seed:stack",
+    "tags": ["react", "debugging"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000061",
+    "title": "Event handlers capture stale state",
+    "content": "Event handlers in React closures capture the state value at the time the handler was created. If state updates between the handler creation and execution, it reads the old value. Use a ref to always read the latest value, or use the functional setState form: setCount(prev => prev + 1).",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "closures"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000062",
+    "title": "forwardRef needed for ref on custom components",
+    "content": "Passing ref to a custom component does nothing unless the component uses React.forwardRef. Without it, ref is undefined inside the child. Wrap your component: const Input = forwardRef((props, ref) => <input ref={ref} {...props} />). React 19 passes ref as a regular prop instead.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "refs"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000063",
+    "title": "Suspense needs error boundary for errors",
+    "content": "React Suspense handles loading states but NOT errors. If a suspended component throws during rendering, Suspense won't catch it—the error propagates up. You need an error boundary wrapping or surrounding the Suspense component to gracefully handle fetch or render errors.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "error-handling"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000064",
+    "title": "React.lazy needs Suspense wrapper",
+    "content": "Components loaded with React.lazy() must be rendered inside a <Suspense fallback={<Loading/>}> component. Without Suspense, React throws an error when the lazy component is loading. Place Suspense at a meaningful boundary—wrapping individual lazy components or a group of them.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "code-splitting"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000065",
+    "title": "setState is batched in event handlers",
+    "content": "React batches multiple setState calls in event handlers into a single re-render. Calling setA(1); setB(2); setC(3) causes one re-render, not three. In React 18+, batching also applies to setTimeout, promises, and native event handlers. Use flushSync() to force immediate updates if needed.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "state"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000066",
+    "title": "Object/array state needs spread to update",
+    "content": "React uses Object.is() to detect state changes. Mutating an object/array and calling setState with the same reference doesn't trigger re-render. Always create a new reference: setItems([...items, newItem]) or setUser({...user, name: 'new'}). This is React's immutability contract.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "state"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000067",
+    "title": "useLayoutEffect blocks browser paint",
+    "content": "useLayoutEffect fires synchronously after DOM mutations but before the browser paints. It blocks visual updates, causing jank. Only use it for DOM measurements (getBoundingClientRect) or to prevent visual flicker. For everything else, use useEffect which fires asynchronously after paint.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000068",
+    "title": "Custom hooks must start with 'use'",
+    "content": "React's linting rules and hook call validation only work if custom hooks start with 'use'. A function called 'getData' that uses hooks internally won't get lint warnings for rule violations. Rename it to 'useGetData'. This is a convention React tooling depends on, not just a style choice.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000069",
+    "title": "Portal events bubble through React tree",
+    "content": "Events from React portals bubble through the React component tree, NOT the DOM tree. A click inside a portal child bubbles to the portal's React parent, even though the portal renders in a different DOM location. This surprises developers who expect DOM-based event propagation.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "events"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000070",
+    "title": "Conditional hooks violate rules of hooks",
+    "content": "Hooks must be called in the same order every render. Putting a hook inside an if/else, loop, or early return breaks this rule and causes unpredictable bugs. React tracks hooks by call order, not name. Move the condition inside the hook instead: useEffect(() => { if (condition) {...} }).",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "hooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000071",
+    "title": "Derived state is usually an anti-pattern",
+    "content": "Storing state that can be computed from other state or props is an anti-pattern. const [fullName, setFullName] = useState(first + last) will go stale. Instead, compute during render: const fullName = first + ' ' + last. Use useMemo if the computation is expensive.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "state"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000072",
+    "title": "React.memo does shallow comparison only",
+    "content": "React.memo skips re-render only if all props are shallowly equal (===). Objects, arrays, and functions created in the parent are new references each render, defeating memo. Memoize these with useMemo/useCallback, or pass a custom comparison: React.memo(Comp, (prev, next) => ...).",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["react", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000073",
+    "title": "Fragment key prop needs explicit Fragment",
+    "content": "The shorthand <></> syntax doesn't support the key prop. If you need a key on a Fragment (e.g., in a list), use the full syntax: <Fragment key={item.id}>...</Fragment>. Import Fragment from React. This is a common error when rendering lists without wrapper elements.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "jsx"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000074",
+    "title": "Hydration mismatch with dynamic values",
+    "content": "Using Date.now(), Math.random(), or locale-dependent formatting in SSR causes hydration mismatches—server HTML differs from client render. Suppress with suppressHydrationWarning, or defer dynamic content with useEffect. For dates, format on the client only inside a useEffect.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "ssr"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000075",
+    "title": "defaultValue only for uncontrolled inputs",
+    "content": "The defaultValue prop sets the initial value of an uncontrolled input—it's ignored on subsequent renders. If you also use value and onChange (controlled), defaultValue does nothing. Pick one pattern: controlled (value + onChange) or uncontrolled (defaultValue + ref). Mixing them causes confusion.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["react", "forms"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000076",
+    "title": "Server components can't use hooks",
+    "content": "Next.js Server Components run on the server and cannot use useState, useEffect, or any React hook. They also can't use browser APIs like window or document. Add 'use client' at the top of files that need interactivity. Keep server components for data fetching and static rendering.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "server-components"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000077",
+    "title": "ISR revalidation path must match exactly",
+    "content": "revalidatePath('/blog/post-1') must match the exact route path including dynamic segments. A trailing slash mismatch or wrong casing means the page isn't revalidated and stale content persists. Use revalidateTag() for more flexible cache invalidation across multiple pages.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["nextjs", "caching"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000078",
+    "title": "Next.js middleware runs on Edge runtime",
+    "content": "Next.js middleware.ts runs on the Edge Runtime which lacks Node.js APIs like fs, path, crypto.randomBytes, and most npm packages. You can't use Prisma, bcrypt, or Node streams. Only use Web APIs. For Node-dependent logic, move it to API routes or server actions instead.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "edge"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000079",
+    "title": "Next.js dynamic route params are strings",
+    "content": "In Next.js, params from dynamic routes like [id] are always strings. params.id is '42' not 42. This causes subtle bugs when comparing with === against numbers. Always parse: const id = Number(params.id) and validate: if (isNaN(id)) return notFound().",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["nextjs", "routing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000080",
+    "title": "NEXT_PUBLIC prefix for client env vars",
+    "content": "Environment variables in Next.js are server-only by default. To expose them to the browser, prefix with NEXT_PUBLIC_: NEXT_PUBLIC_API_URL. Without the prefix, process.env.API_URL is undefined on the client. This is a security feature—don't prefix secrets like database URLs.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["nextjs", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000081",
+    "title": "getServerSideProps blocks page rendering",
+    "content": "getServerSideProps runs on every request and blocks the page from rendering until it completes. A slow database query or API call delays the entire page. For non-critical data, consider client-side fetching with SWR/TanStack Query, or use ISR with revalidation instead.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["nextjs", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000082",
+    "title": "Next.js Image needs width/height or fill",
+    "content": "The Next.js Image component requires explicit width and height props for layout calculation, or use fill prop for responsive images. Without them, you get a build error. For dynamic images, use fill with a sized parent container: <div style={{position:'relative',width:300,height:200}}><Image fill .../></div>.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "images"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000083",
+    "title": "Next.js API routes lack CORS by default",
+    "content": "Next.js API routes don't include CORS headers. Cross-origin requests from other domains fail silently. Add CORS headers manually or use the next-cors package. For App Router route handlers, set headers in the Response: return new Response(body, { headers: { 'Access-Control-Allow-Origin': '*' } }).",
+    "category": "api",
+    "source": "seed:stack",
+    "tags": ["nextjs", "cors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000084",
+    "title": "generateStaticParams for dynamic ISR",
+    "content": "In Next.js App Router, dynamic routes need generateStaticParams() to tell Next.js which paths to pre-render at build time. Without it, dynamic pages default to on-demand rendering. Return an array of param objects: return posts.map(post => ({ slug: post.slug })).",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["nextjs", "isr"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000085",
+    "title": "'use client' needed for interactive components",
+    "content": "In Next.js App Router, all components are Server Components by default. onClick, onChange, useState, and all interactivity require 'use client' at the top of the file. The boundary is the file level—you can't mix server and client code in one file. Keep client components small and leaf-level.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "server-components"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000086",
+    "title": "cookies() makes Next.js route dynamic",
+    "content": "Calling cookies() or headers() in a Server Component or route handler opts the entire route out of static generation. It becomes dynamically rendered on every request. If you only need cookies for auth, consider middleware instead to keep the page statically cacheable.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["nextjs", "caching"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000087",
+    "title": "revalidatePath doesn't work cross-layout",
+    "content": "revalidatePath() only revalidates the specific path segment and its child segments. It doesn't revalidate parent layouts or sibling routes that might show the same data. Use revalidateTag() with fetch cache tags for broader invalidation across layouts and pages.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "caching"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000088",
+    "title": "fetch defaults to force-cache in RSC",
+    "content": "In Next.js Server Components, fetch() defaults to { cache: 'force-cache' }—results are cached indefinitely. Your page shows stale data until revalidated. Add { cache: 'no-store' } for always-fresh data, or { next: { revalidate: 60 } } for time-based revalidation.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "caching"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000089",
+    "title": "loading.tsx only works with Suspense",
+    "content": "Next.js loading.tsx creates an automatic Suspense boundary for its route segment. But it only shows during the initial load of Server Components. For client-side navigation, it may flash briefly or not show at all. For granular loading states, use manual <Suspense> boundaries within your page.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "loading"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000090",
+    "title": "Parallel routes need default.tsx",
+    "content": "Next.js parallel routes (using @folder convention) require a default.tsx file as a fallback when the slot doesn't have a matching route. Without default.tsx, navigating to a route where one parallel slot doesn't match renders a 404 for the entire page.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["nextjs", "routing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000091",
+    "title": "Stripe webhook needs raw body",
+    "content": "Stripe webhook signature verification requires the raw request body, not parsed JSON. If express.json() parses it first, verification fails with 'No signatures found matching the expected signature'. Use express.raw({type:'application/json'}) on the webhook route before any JSON parser.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "webhooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000092",
+    "title": "Stripe idempotency key prevents duplicates",
+    "content": "Without an idempotency key, retrying a failed Stripe API call can create duplicate charges. Pass idempotencyKey to every mutation: stripe.charges.create({...}, {idempotencyKey: orderId}). Stripe remembers the response for 24 hours and returns the cached result on retry.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "reliability"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000093",
+    "title": "Stripe test vs live webhook differences",
+    "content": "Stripe test mode webhooks have subtle differences from live: test events include 'livemode: false', some event types behave differently, and webhook endpoints are separate. Always use Stripe CLI (stripe listen --forward-to) for local development and test the exact webhook handler that runs in production.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "testing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000094",
+    "title": "Subscription needs default payment method",
+    "content": "Creating a Stripe subscription without a default payment method on the customer or subscription fails silently—the first invoice stays in 'draft' or 'open' state. Attach a payment method first: stripe.paymentMethods.attach(pm, {customer}) then set it as default on the customer or subscription.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "subscriptions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000095",
+    "title": "Stripe metadata values must be strings",
+    "content": "Stripe metadata only accepts string key-value pairs. Passing numbers, booleans, or objects silently converts or drops them. Always stringify: metadata: { orderId: String(orderId), isPremium: 'true' }. Metadata is limited to 50 keys with 500-char values—use it for IDs, not large data.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "api"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000096",
+    "title": "Webhook signature verification is time-sensitive",
+    "content": "Stripe's webhook signature includes a timestamp, and verification rejects events older than 300 seconds by default. If your server clock is skewed or webhook processing is delayed, verification fails. Ensure NTP is synced, or adjust tolerance: stripe.webhooks.constructEvent(body, sig, secret, 600).",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000097",
+    "title": "Stripe checkout session expires in 24h",
+    "content": "A Stripe Checkout session expires 24 hours after creation. If a user abandons checkout and returns later, the session is invalid. Create a new session on each checkout attempt, and use the expires_at parameter to set shorter expirations. Store the session ID to handle the expired_checkout_session webhook.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "checkout"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000098",
+    "title": "Stripe Price is immutable",
+    "content": "Stripe Price objects cannot be updated once created—they're immutable by design. To change a price, create a new Price and archive the old one: stripe.prices.update(oldId, {active: false}). Update subscriptions to the new price: stripe.subscriptions.update(sub, {items: [{id, price: newPriceId}]}).",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "pricing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000099",
+    "title": "Stripe Customer Portal needs config",
+    "content": "The Stripe Customer Portal doesn't work out of the box. You must configure it in the Stripe Dashboard (allowed features, cancellation reasons, proration behavior) before creating portal sessions. Without configuration, portal.sessions.create() returns an error about missing portal configuration.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "billing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000100",
+    "title": "Stripe retries webhooks for 72 hours",
+    "content": "Stripe retries failed webhook deliveries (non-2xx response) for up to 72 hours with exponential backoff. If your handler isn't idempotent, duplicate processing occurs on retries. Always check if you've already processed the event: store event IDs and skip duplicates.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "webhooks"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000101",
+    "title": "Stripe test clock for subscription testing",
+    "content": "Testing subscription lifecycle (trials, renewals, cancellations) in Stripe requires test clocks. Without them, you'd wait real-time for billing cycles. Create a test clock: stripe.testHelpers.testClocks.create({frozen_time}), attach a customer, then advance time to simulate billing events.",
+    "category": "testing",
+    "source": "seed:stack",
+    "tags": ["stripe", "testing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000102",
+    "title": "Stripe invoice finalization triggers payment",
+    "content": "Stripe invoices must be finalized before payment is attempted. Auto-finalization happens on the due date, but manually created invoices stay in 'draft'. Call stripe.invoices.finalizeInvoice(id) then stripe.invoices.pay(id). Sending an unfinalised invoice link results in a 'not ready' error.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "invoices"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000103",
+    "title": "Stripe refund processing time",
+    "content": "Stripe processes refunds immediately on their end, but the customer's bank takes 5-10 business days to show the credit. Customers often contact support thinking the refund failed. Display the expected timeline in your UI and store the refund ID for tracking: stripe.refunds.create({payment_intent}).",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "refunds"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000104",
+    "title": "Connect accounts need separate webhooks",
+    "content": "Stripe Connect account events are delivered to a different webhook endpoint than your platform events. You need to register a separate webhook URL for Connect events and handle them with stripe.webhooks.constructEvent() using the Connect webhook secret, not your platform secret.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "connect"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000105",
+    "title": "Check PaymentIntent status before fulfillment",
+    "content": "Never fulfill an order based solely on the checkout.session.completed webhook. Always verify the PaymentIntent status is 'succeeded' before delivering goods: const pi = await stripe.paymentIntents.retrieve(session.payment_intent). A completed session can have a pending or failed payment.",
+    "category": "payments",
+    "source": "seed:stack",
+    "tags": ["stripe", "payments"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000106",
+    "title": "httpOnly cookie not accessible from JS",
+    "content": "Cookies set with httpOnly: true cannot be read by document.cookie or JavaScript—that's the point, it prevents XSS from stealing tokens. But this means you can't check if a user is logged in client-side. Use a separate non-httpOnly indicator cookie or a /me API endpoint to check auth status.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "cookies"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000107",
+    "title": "Refresh token rotation must invalidate old",
+    "content": "When issuing a new refresh token, you must invalidate the old one. Without rotation, a stolen refresh token grants permanent access. Store refresh tokens in the database and invalidate on use: if the old token is used again, assume theft and revoke all tokens for that user.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000108",
+    "title": "JWT exp is seconds not milliseconds",
+    "content": "JWT exp claim uses Unix timestamp in seconds, but JavaScript Date.now() returns milliseconds. Using Date.now() + 3600 sets expiry to 3.6 seconds, not 1 hour. Use Math.floor(Date.now() / 1000) + 3600 for 1 hour. The jsonwebtoken library handles this if you pass expiresIn: '1h'.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "time"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000109",
+    "title": "bcrypt compare is async—must await",
+    "content": "bcrypt.compare() returns a Promise, not a boolean. Writing if (bcrypt.compare(password, hash)) always evaluates to true because a Promise is truthy. You must await it: const match = await bcrypt.compare(password, hash). This bug lets anyone log in with any password.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["auth", "bcrypt"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000110",
+    "title": "Password reset must revoke all sessions",
+    "content": "After a password reset, all existing sessions and refresh tokens should be invalidated. Otherwise, an attacker who stole a session continues to have access even after the password change. Increment a token version in the database and check it on every authenticated request.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["auth", "sessions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000111",
+    "title": "JWT payload shouldn't contain secrets",
+    "content": "JWT payloads are base64-encoded, not encrypted. Anyone can decode them: atob(token.split('.')[1]). Never include passwords, API keys, credit card numbers, or PII. Only include user ID, role, and organizational context. Keep tokens minimal—sensitive data belongs in your database.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000112",
+    "title": "Clock skew causes JWT premature expiry",
+    "content": "If the server issuing JWTs has a clock ahead of the server verifying them, tokens appear expired immediately. Even a few seconds of drift causes intermittent auth failures. Use NTP to sync clocks, and add clockTolerance to your verification: jwt.verify(token, secret, { clockTolerance: 30 }).",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "infrastructure"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000113",
+    "title": "JWT none algorithm attack",
+    "content": "Some JWT libraries accept alg:'none' which means no signature verification. An attacker can craft a token with any payload and alg:none that passes verification. Always specify the algorithm explicitly: jwt.verify(token, secret, { algorithms: ['HS256'] }). Never allow 'none'.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["jwt", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000114",
+    "title": "Refresh token needs DB for revocation",
+    "content": "JWTs are stateless—once issued, they can't be revoked until they expire. Refresh tokens must be stored in the database so you can delete them on logout, password change, or security events. Without DB storage, a stolen refresh token is valid for its entire lifetime.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "database"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000115",
+    "title": "CSRF protection needed with cookie auth",
+    "content": "Cookie-based auth is vulnerable to CSRF—a malicious site can make requests that include your auth cookie. Mitigation: use SameSite=Strict or Lax cookies, add a CSRF token to state-changing requests, or verify the Origin/Referer header. Token-based auth in headers is immune to CSRF.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["auth", "csrf"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000116",
+    "title": "JWT token size impacts request overhead",
+    "content": "Every claim added to a JWT increases its size. With many claims, tokens can exceed 4KB—the cookie size limit. Large tokens also add overhead to every HTTP request since they're sent in headers or cookies. Keep access tokens lean (ID, role, org) and fetch details from the database when needed.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["jwt", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000117",
+    "title": "SameSite=None requires Secure flag",
+    "content": "Setting SameSite=None on a cookie (needed for cross-site requests) requires the Secure flag—browsers reject SameSite=None cookies without Secure. This means cross-site cookies only work over HTTPS. In local development over HTTP, use SameSite=Lax instead.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["cookies", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000118",
+    "title": "Short access token with long refresh is wrong",
+    "content": "If your access token is too long-lived, the refresh token mechanism is pointless. The standard pattern: access token expires in 15 minutes, refresh token in 7 days. The short access token limits the window of abuse if stolen, while the refresh token provides a smooth user experience.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "auth"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000119",
+    "title": "Bearer prefix in Authorization header",
+    "content": "The Authorization header format is 'Bearer <token>' with a space after Bearer. Forgetting the prefix or the space causes auth middleware to fail: const token = header.split(' ')[1]. Some APIs are strict about the 'Bearer' prefix being case-sensitive. Always validate the prefix before extracting the token.",
+    "category": "auth",
+    "source": "seed:stack",
+    "tags": ["jwt", "http"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000120",
+    "title": "Password hash timing attack",
+    "content": "String comparison (===) on password hashes is vulnerable to timing attacks—the comparison short-circuits on first mismatch, leaking information about correct prefix bytes. Use constant-time comparison: crypto.timingSafeEqual(). bcrypt.compare() already does this internally, so always use it instead of manual comparison.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["auth", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000121",
+    "title": "Missing index on FK kills JOIN performance",
+    "content": "PostgreSQL doesn't automatically create indexes on foreign key columns. Without an index on orders.customer_id, a JOIN between customers and orders scans the entire orders table. Always create indexes on foreign keys: CREATE INDEX idx_orders_customer_id ON orders(customer_id).",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000122",
+    "title": "Connection limit is per-pool not per-app",
+    "content": "PostgreSQL's max_connections is the total across ALL clients. If your app pool is 25 connections and you run 4 instances, that's 100 connections. Managed databases like RDS have low defaults (100-200). Use a connection pooler like pgbouncer, and set pool size = max_connections / num_instances.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000123",
+    "title": "SELECT FOR UPDATE can deadlock",
+    "content": "Two transactions doing SELECT FOR UPDATE on rows in different order can deadlock. Transaction A locks row 1, Transaction B locks row 2, then each waits for the other. Always lock rows in a consistent order (e.g., by primary key ASC), or use NOWAIT/SKIP LOCKED to avoid blocking.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "concurrency"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000124",
+    "title": "Always use timestamptz not timestamp",
+    "content": "PostgreSQL's timestamp stores a datetime without timezone—it's ambiguous. timestamptz (timestamp with time zone) converts to UTC on storage and to local time on retrieval. Using timestamp causes bugs when servers or users are in different timezones. Always use timestamptz.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "datetime"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000125",
+    "title": "VACUUM doesn't run on busy tables",
+    "content": "PostgreSQL's autovacuum can fall behind on write-heavy tables, causing table bloat and slow queries. Dead rows accumulate because autovacuum can't keep up. Monitor with pg_stat_user_tables.n_dead_tup. Tune autovacuum_vacuum_scale_factor and autovacuum_vacuum_cost_delay for busy tables.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "maintenance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000126",
+    "title": "IN clause with empty array syntax error",
+    "content": "WHERE id IN () is invalid SQL—PostgreSQL throws a syntax error. When building dynamic queries with empty arrays, add a guard: WHERE (array_length > 0 AND id = ANY($1)) or short-circuit in application code. Prisma handles this automatically, but raw queries don't.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "queries"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000127",
+    "title": "NULL in unique index allows duplicates",
+    "content": "PostgreSQL treats each NULL as distinct in unique indexes. A unique constraint on (email, deleted_at) allows multiple rows with the same email as long as deleted_at is NULL. Use a partial unique index instead: CREATE UNIQUE INDEX ON users(email) WHERE deleted_at IS NULL.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "constraints"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000128",
+    "title": "EXPLAIN ANALYZE needed, not just EXPLAIN",
+    "content": "EXPLAIN shows the query plan with estimated costs. EXPLAIN ANALYZE actually executes the query and shows real timing. Estimates can be wildly wrong due to stale statistics. Always use EXPLAIN (ANALYZE, BUFFERS) for real performance data. Be careful—ANALYZE runs the query, including writes.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000129",
+    "title": "Large IN clauses are slow—use ANY",
+    "content": "WHERE id IN (1, 2, ..., 10000) generates a massive query plan. Use WHERE id = ANY($1::int[]) with a PostgreSQL array parameter instead—it's faster and avoids query plan cache pollution. For very large sets, use a temporary table or CTE joined with your target table.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["postgresql", "queries"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000130",
+    "title": "Prefer IDENTITY over SERIAL",
+    "content": "PostgreSQL's SERIAL type is a legacy syntax that creates a sequence and default separately. GENERATED ALWAYS AS IDENTITY (SQL standard) is safer—it prevents accidental manual inserts that break the sequence. Use: id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["postgresql", "schema"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000131",
+    "title": "Partial index for soft delete queries",
+    "content": "Queries filtering WHERE deleted_at IS NULL scan the full index including deleted rows. Create a partial index: CREATE INDEX idx_active_users ON users(email) WHERE deleted_at IS NULL. This index is smaller, faster, and only covers active records—perfect for soft-delete patterns.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["postgresql", "indexing"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000132",
+    "title": "Serverless needs connection pooler",
+    "content": "Serverless functions (Lambda, Vercel) create a new database connection per invocation. With many concurrent requests, you quickly exhaust PostgreSQL's max_connections. Use an external connection pooler like PgBouncer, Supabase's built-in pooler, or Neon's serverless driver.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["postgresql", "serverless"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000133",
+    "title": "Full text search needs tsvector index",
+    "content": "PostgreSQL's LIKE '%term%' can't use regular indexes—it does a full table scan. For text search, use tsvector/tsquery with a GIN index: CREATE INDEX idx_search ON articles USING GIN(to_tsvector('english', title || ' ' || body)). It's significantly faster and supports stemming and ranking.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["postgresql", "search"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000134",
+    "title": "Batch insert faster than individual inserts",
+    "content": "Inserting 1000 rows one at a time takes 1000 round trips. A single INSERT with VALUES for all rows takes one round trip and is 10-100x faster. Use Prisma's createMany() or construct a batch: INSERT INTO t(a,b) VALUES (1,2),(3,4),...  For very large imports, use COPY for maximum speed.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["postgresql", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000135",
+    "title": "pg_stat_statements for slow query detection",
+    "content": "pg_stat_statements is a PostgreSQL extension that tracks query execution statistics: call count, total/mean time, rows returned. Enable it in postgresql.conf and query pg_stat_statements to find your slowest queries. Essential for production performance monitoring—sort by total_time to find optimization targets.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["postgresql", "monitoring"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000136",
+    "title": "KEYS command blocks Redis in production",
+    "content": "Redis KEYS pattern scans the entire keyspace and blocks all other operations while running. With millions of keys, it can block Redis for seconds. Use SCAN instead—it returns results in batches with a cursor and doesn't block: SCAN 0 MATCH 'user:*' COUNT 100.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["redis", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000137",
+    "title": "Redis TTL -1 means no expiry set",
+    "content": "The Redis TTL command returns -1 when a key exists but has no expiry, and -2 when the key doesn't exist. Don't confuse them. Keys without TTL persist forever and can fill memory. Always set TTL on cache keys: SET key value EX 3600. Use PERSIST to remove an expiry if needed.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["redis", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000138",
+    "title": "Pub/sub messages lost without subscribers",
+    "content": "Redis Pub/Sub is fire-and-forget. If no subscriber is listening when a message is published, the message is lost permanently. It's not a queue—there's no replay. For reliable messaging, use Redis Streams (XADD/XREAD) or a proper message queue like BullMQ which persists jobs.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["redis", "messaging"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000139",
+    "title": "Redis connection pool exhaustion",
+    "content": "Opening too many Redis connections crashes your app or gets connections refused. Use a connection pool (ioredis supports this natively) and set maxRetriesPerRequest. In serverless environments, reuse connections across invocations. Monitor with INFO clients to see connected_clients count.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["redis", "connections"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000140",
+    "title": "Redis key naming convention matters",
+    "content": "Use a consistent key naming convention like 'entity:id:field' (user:42:sessions). This enables SCAN pattern matching for bulk operations and makes debugging easier. Avoid spaces and special characters. Prefix keys with your app name in shared Redis instances to prevent collisions.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["redis", "conventions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000141",
+    "title": "Redis memory full causes write failures",
+    "content": "When Redis hits maxmemory with noeviction policy (the default), all write commands return OOM errors while reads still work. Your cache stops caching and your queue stops queuing. Set an appropriate maxmemory-policy like allkeys-lru to evict old keys, or monitor memory and scale proactively.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["redis", "operations"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000142",
+    "title": "Lua scripts are atomic but block Redis",
+    "content": "Redis Lua scripts execute atomically—no other command runs during execution. This is great for consistency but a long-running Lua script blocks ALL Redis operations. Keep scripts short and O(1) or O(log N). Use the EVALSHA command with script caching to reduce network overhead.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["redis", "scripting"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000143",
+    "title": "Redis pipeline reduces roundtrips",
+    "content": "Sending 100 individual Redis commands takes 100 network roundtrips. Pipelining batches them into a single roundtrip: pipe = redis.pipeline(); pipe.get('a'); pipe.set('b', 1); results = await pipe.exec(). This can improve throughput by 5-10x for bulk operations.",
+    "category": "performance",
+    "source": "seed:stack",
+    "tags": ["redis", "performance"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000144",
+    "title": "WATCH for optimistic locking in Redis",
+    "content": "Redis WATCH implements optimistic locking: WATCH a key, read its value, start MULTI, modify, EXEC. If another client changed the watched key, EXEC returns null and you retry. This is how you implement check-and-set without blocking other clients. Essential for counters and inventory.",
+    "category": "database",
+    "source": "seed:stack",
+    "tags": ["redis", "concurrency"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000145",
+    "title": "maxmemory-policy defaults to noeviction",
+    "content": "Redis's default maxmemory-policy is noeviction—when memory is full, writes fail with OOM errors. For cache use cases, set allkeys-lru (evict least recently used) or volatile-lru (evict only keys with TTL). For queues, noeviction is correct because you don't want to lose jobs.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["redis", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000146",
+    "title": "Docker COPY order for layer caching",
+    "content": "COPY package*.json ./ then RUN npm ci, THEN COPY . ./ for source code. Docker caches layers from top to bottom—the first changed line invalidates all layers below. Copying package.json first means npm install only reruns when dependencies change, not on every code change. Saves minutes per build.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "optimization"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000147",
+    "title": "Non-root user can't bind port 80",
+    "content": "Running a Docker container as non-root (USER node) prevents binding to ports below 1024. Your app on port 80 gets EACCES. Use a high port like 3000 inside the container and map it externally: docker run -p 80:3000. Or use setcap in the Dockerfile, but non-root is the better security practice.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "security"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000148",
+    "title": "ENTRYPOINT vs CMD in Dockerfile",
+    "content": "ENTRYPOINT defines the executable that always runs. CMD provides default arguments that can be overridden. Use ENTRYPOINT for the main process (node, python) and CMD for default arguments. Docker run args replace CMD but append to ENTRYPOINT. For flexibility, use CMD alone: CMD [\"node\", \"server.js\"].",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000149",
+    "title": ".dockerignore must exclude node_modules",
+    "content": "Without a .dockerignore file, COPY . ./ sends node_modules (hundreds of MB) to the Docker daemon and into the image. This bloats the image, slows builds, and can cause platform-specific binary issues. Add node_modules, .git, .env, and dist to .dockerignore.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "optimization"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000150",
+    "title": "Multi-stage build loses devDependencies",
+    "content": "In a multi-stage Docker build, the production stage only copies built artifacts and production dependencies. If your build step needs devDependencies (TypeScript, build tools), install them in the build stage. The final stage runs npm ci --production or copies only node_modules from the build stage.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "build"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000151",
+    "title": "Docker build args unavailable at runtime",
+    "content": "ARG values in Dockerfile are only available during build, not at runtime. If you pass --build-arg API_KEY=xxx, it's available in RUN commands but not when the container runs. Use ENV to set runtime environment variables. For secrets, use Docker secrets or environment variables at run time, not build args.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000152",
+    "title": "Alpine missing glibc breaks npm packages",
+    "content": "Alpine Linux uses musl libc instead of glibc. Some npm packages with native bindings (bcrypt, sharp, prisma engines) crash with 'Error loading shared library'. Use the -slim Debian variant instead: FROM node:20-slim. It's slightly larger but avoids native module headaches.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "nodejs"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000153",
+    "title": "HEALTHCHECK marks unhealthy but doesn't restart",
+    "content": "Docker's HEALTHCHECK instruction marks a container as unhealthy but doesn't restart it. You need an orchestrator (Docker Compose restart: unless-stopped, Kubernetes liveness probe, or Docker Swarm) to take action on unhealthy status. HEALTHCHECK alone is just monitoring, not self-healing.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "health"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000154",
+    "title": "Layer cache invalidates from first change",
+    "content": "Docker builds layers sequentially. If layer 3 of 10 changes, layers 3-10 are all rebuilt even if 4-10 haven't changed. Order Dockerfile instructions from least to most frequently changed: OS setup > system deps > language deps > app config > source code. This maximizes cache hits.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "optimization"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000155",
+    "title": "COPY --from needs stage name or number",
+    "content": "In multi-stage builds, COPY --from=builder copies files from another stage. The stage must be named (FROM node:20 AS builder) or referenced by zero-based index (--from=0). Using an undeclared name silently copies nothing. Always name your stages explicitly for clarity.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["docker", "multi-stage"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000156",
+    "title": "GitHub Actions secrets hidden in fork PRs",
+    "content": "For security, GitHub Actions doesn't expose repository secrets to workflows triggered by fork pull requests. Tests that need API keys or database URLs fail silently. Use environment-specific secrets, mock external services in tests, or use pull_request_target (carefully—it runs with write access).",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000157",
+    "title": "CI cache key must include lockfile hash",
+    "content": "Cache keys like 'node-modules-v1' don't invalidate when dependencies change. Use a hash of the lockfile: key: node-modules-${{ hashFiles('package-lock.json') }}. This ensures the cache busts when any dependency changes, preventing stale module issues that cause mysterious CI failures.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "caching"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000158",
+    "title": "CI parallel jobs share nothing",
+    "content": "Jobs in GitHub Actions run in separate VMs. Files created in one job don't exist in another. To share data, use artifacts (actions/upload-artifact + actions/download-artifact) or cache. This catches developers who expect 'build' job output to be available in the 'test' job.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000159",
+    "title": "npm ci faster and safer than npm install",
+    "content": "npm ci deletes node_modules and installs from package-lock.json exactly. It's faster than npm install because it skips dependency resolution. It also fails if lock file is out of sync with package.json, catching inconsistencies. Always use npm ci in CI pipelines, npm install only for local development.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "npm"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000160",
+    "title": "actions/checkout only fetches 1 commit",
+    "content": "actions/checkout@v4 with default settings performs a shallow clone (depth 1). Git history operations like git log, git diff between branches, or changelog generation fail or return wrong results. Use fetch-depth: 0 for full history, or a specific depth for performance balance.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000161",
+    "title": "Env vars in GitHub Actions run steps",
+    "content": "In GitHub Actions, environment variables in run steps use $VARIABLE (shell syntax), not ${{ env.VARIABLE }} (expression syntax). The expression syntax works in with: and env: blocks but in run steps, use the shell's native dollar sign. Missing dollar signs result in empty strings, not errors.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000162",
+    "title": "Matrix strategy fail-fast is true by default",
+    "content": "GitHub Actions matrix strategy has fail-fast: true by default. If one matrix job fails, all other running jobs are cancelled immediately. Set fail-fast: false if you want all combinations to run to completion, which is useful for identifying platform-specific failures across OS/Node versions.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000163",
+    "title": "GitHub Actions artifacts expire in 90 days",
+    "content": "Build artifacts uploaded with actions/upload-artifact are automatically deleted after 90 days (configurable). If your deployment relies on artifacts from a previous workflow run, they may be gone. For long-term storage, push artifacts to S3, a container registry, or use GitHub Releases.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000164",
+    "title": "Reusable workflows need workflow_call trigger",
+    "content": "To call a workflow from another workflow, the called workflow must have on: workflow_call trigger—not workflow_dispatch or push. Without it, you get 'error parsing called workflow'. The calling workflow uses: jobs: my-job: uses: ./.github/workflows/reusable.yml.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "github"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000165",
+    "title": "Docker layer cache in GitHub Actions",
+    "content": "GitHub Actions runners don't persist Docker build cache between runs. Each build starts cold, taking minutes. Use actions/cache with docker buildx or the docker/build-push-action with cache-from/cache-to to persist layers. Without this, multi-stage builds are painfully slow in CI.",
+    "category": "deployment",
+    "source": "seed:stack",
+    "tags": ["ci-cd", "docker"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000166",
+    "title": "Strict null checks break existing code",
+    "content": "Enabling strictNullChecks in tsconfig catches real bugs but produces hundreds of errors in existing code. Every value that could be null/undefined must be explicitly checked. Enable it early in a project. For existing code, use the --strict flag incrementally with strict: false and individual strict options.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000167",
+    "title": "TypeScript enum is a runtime object",
+    "content": "Unlike most TypeScript types that are erased at compile time, enums generate real JavaScript objects. enum Color { Red, Green } becomes { 0: 'Red', 1: 'Green', Red: 0, Green: 1 }. This increases bundle size. Use const enum for zero-cost or union types: type Color = 'red' | 'green'.",
+    "category": "architecture",
+    "source": "seed:stack",
+    "tags": ["typescript", "enums"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000168",
+    "title": "Optional chaining returns undefined not null",
+    "content": "The ?. operator returns undefined when the chain is broken, even if the missing value is null. user?.address?.city returns undefined if user is null. This matters when you check === null—use == null (loose equality) to catch both null and undefined, or check explicitly.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "operators"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000169",
+    "title": "as const for literal types in objects",
+    "content": "TypeScript widens object property types: { status: 'active' } has type { status: string }. Use as const to preserve literal types: { status: 'active' } as const gives { readonly status: 'active' }. Essential for discriminated unions, action types, and any code that depends on exact string values.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000170",
+    "title": "Interface extends vs type intersection",
+    "content": "Interface extends checks for property conflicts and errors on incompatible types. Type intersection (&) silently creates never for conflicting properties. interface A extends B is safer but less flexible. Type intersection works with primitives and unions. Use interfaces for objects you extend, types for unions.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000171",
+    "title": "Module augmentation for Express Request",
+    "content": "To add custom properties to Express's Request type, use declaration merging: declare global { namespace Express { interface Request { user?: User } } }. Put this in a .d.ts file included in tsconfig. Without it, req.user causes a TypeScript error even though it works at runtime.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "express"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000172",
+    "title": "Generic default doesn't constrain the type",
+    "content": "A generic default like <T = string> sets the default type when T isn't specified, but doesn't constrain T. Users can still pass <number>. To constrain, use extends: <T extends string = string>. Without extends, the default is just a suggestion, not a requirement.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "generics"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000173",
+    "title": "typeof in type vs value position",
+    "content": "typeof behaves differently in type and value positions. In value: typeof x returns 'string', 'number', etc. at runtime. In type: type T = typeof x captures the full TypeScript type at compile time. They look identical but serve completely different purposes. The type-level typeof is much more powerful.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "operators"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000174",
+    "title": "Discriminated unions need literal member",
+    "content": "Discriminated unions require a common property with literal types for TypeScript to narrow correctly: type Shape = { kind: 'circle'; radius: number } | { kind: 'square'; side: number }. If kind is just string instead of literal types, switch/if narrowing doesn't work—TypeScript can't distinguish the variants.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000175",
+    "title": "Declaration merging with interfaces",
+    "content": "TypeScript interfaces with the same name in the same scope automatically merge. Declaring interface Window { myVar: string } extends the global Window type. This is powerful for augmentation but can cause accidental merges if you reuse interface names. Types (type aliases) don't merge—they error on duplicates.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "interfaces"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000176",
+    "title": "noUncheckedIndexedAccess catches bounds errors",
+    "content": "With noUncheckedIndexedAccess enabled, array access (arr[0]) and object index access (obj[key]) return T | undefined instead of T. This catches out-of-bounds array access at compile time. Without it, accessing arr[100] on a 3-element array is typed as defined, causing runtime crashes.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "configuration"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000177",
+    "title": "Excess property checking only on literals",
+    "content": "TypeScript only checks for excess properties on object literals. const x: {a: number} = {a: 1, b: 2} errors, but const obj = {a: 1, b: 2}; const x: {a: number} = obj compiles fine. The extra property b is allowed through a variable. This is intentional but surprising.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000178",
+    "title": "readonly doesn't make deep immutable",
+    "content": "TypeScript's readonly modifier only applies to the immediate level: readonly arr: string[] prevents reassignment but arr.push('x') still works. For deep immutability, use Readonly<{items: readonly string[]}> or libraries like immer. readonly is a compile-time hint, not runtime enforcement.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "immutability"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000179",
+    "title": "satisfies preserves literal types",
+    "content": "The satisfies operator validates a value matches a type without widening it. const config = { port: 3000 } satisfies Config preserves the literal type 3000, while const config: Config = { port: 3000 } widens it to number. Use satisfies for configuration objects where you want type checking and literal inference.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000180",
+    "title": "Mapped types lose method signatures",
+    "content": "TypeScript mapped types like Partial<T> convert method signatures to function properties: { method(): void } becomes { method?: (() => void) | undefined }. This changes the type's structure and can break code that checks for method existence using typeof. Use Pick/Omit for more precise transformations.",
+    "category": "general",
+    "source": "seed:stack",
+    "tags": ["typescript", "types"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000181",
+    "title": "SQL injection via string interpolation",
+    "content": "Building SQL with template literals or concatenation is the #1 web vulnerability. Query(`SELECT * FROM users WHERE id = ${userId}`) lets attackers inject: '1; DROP TABLE users'. Always use parameterized queries: query('SELECT * FROM users WHERE id = $1', [userId]). ORMs do this automatically.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "database"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000182",
+    "title": "XSS through dangerouslySetInnerHTML",
+    "content": "React's dangerouslySetInnerHTML renders raw HTML, enabling XSS if the content comes from user input. An attacker can inject <script>stealCookies()</script>. Sanitize with DOMPurify before rendering: dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userContent)}}. Better yet, avoid raw HTML entirely.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "react"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000183",
+    "title": "CSRF without SameSite cookies",
+    "content": "Without SameSite cookie attribute, a malicious site can make authenticated requests to your API using the user's cookies. Set SameSite=Lax (default in modern browsers) or Strict for sensitive operations. SameSite=None is needed for cross-site use but requires Secure and CSRF tokens.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "cookies"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000184",
+    "title": "Open redirect via unvalidated return URL",
+    "content": "Login flows often redirect to a returnUrl parameter after auth. Without validation, attackers craft links like /login?returnUrl=https://evil.com that redirect authenticated users to phishing sites. Validate the URL is relative or matches an allowlist of domains before redirecting.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "auth"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000185",
+    "title": "Rate limit login by IP and user",
+    "content": "Rate limiting login only by username lets attackers try one password across thousands of accounts. Rate limiting only by IP lets distributed attacks bypass limits. Apply both: 10 attempts per username per hour AND 100 attempts per IP per hour. Add exponential backoff and CAPTCHA after failures.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "rate-limiting"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000186",
+    "title": "Git secrets persist after deletion",
+    "content": "Deleting a file with secrets and committing doesn't remove it from git history. Anyone with repo access can find it: git log --all --full-history -- .env. Use git-filter-repo or BFG Repo Cleaner to purge history. Immediately rotate any exposed credentials. Use .gitignore from the start.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "git"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000187",
+    "title": "CORS wildcard with credentials fails silently",
+    "content": "Setting Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is rejected by browsers silently. The request appears to work but cookies aren't sent. You must specify the exact origin. This is the most common reason authentication stops working after adding CORS.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "cors"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000188",
+    "title": "Helmet doesn't set all security headers",
+    "content": "Helmet sets reasonable defaults for X-Content-Type-Options, X-Frame-Options, and others, but doesn't enable CSP, Permissions-Policy, or Cross-Origin-Embedder-Policy by default. Review your headers at securityheaders.com. Enable CSP and configure each header based on your specific needs.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "headers"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000189",
+    "title": "bcrypt truncates passwords at 72 bytes",
+    "content": "bcrypt silently ignores characters after 72 bytes. A 100-character password and the same password truncated to 72 chars produce the same hash. For long passphrases, pre-hash with SHA-256 before bcrypt: bcrypt(sha256(password), salt). Or use argon2id which has no length limit.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "auth"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000190",
+    "title": "JWT none algorithm bypass",
+    "content": "The JWT 'none' algorithm attack lets attackers create tokens without a signature that some libraries accept as valid. Always specify allowed algorithms in verification: jwt.verify(token, secret, { algorithms: ['HS256'] }). Never accept the algorithm from the token's header without validation.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "jwt"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000191",
+    "title": "Path traversal in file uploads",
+    "content": "Accepting user-provided filenames for uploads enables path traversal: ../../etc/passwd overwrites system files. Always generate a random filename server-side: `${uuid()}.${ext}`. Validate file extensions against an allowlist and never use the original filename for storage paths.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "file-upload"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000192",
+    "title": "Timing attack on string comparison",
+    "content": "Comparing secrets with === leaks information through timing: the comparison stops at the first mismatch, so longer correct prefixes take longer. Attackers can brute-force character by character. Use crypto.timingSafeEqual() for comparing tokens, API keys, and signatures.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "crypto"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000193",
+    "title": "SSRF through user-provided URLs",
+    "content": "If your server fetches a URL provided by the user (e.g., webhook URL, avatar URL), attackers can make it request internal services: http://169.254.169.254/metadata for cloud credentials. Validate URLs against an allowlist, block private IP ranges, and use a DNS rebinding-resistant resolver.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "network"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000194",
+    "title": "Clickjacking without X-Frame-Options",
+    "content": "Without X-Frame-Options or CSP frame-ancestors, attackers embed your site in an invisible iframe on their page. Users click what they think is the attacker's page but actually interact with your site. Set X-Frame-Options: DENY or SAMEORIGIN. Helmet sets this by default.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "headers"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000195",
+    "title": "Session fixation after login",
+    "content": "If the session ID doesn't change after login, an attacker can set a known session ID (via URL or cookie), wait for the victim to log in, then use that same session ID. Always regenerate the session after authentication: req.session.regenerate(). This invalidates the pre-authentication session.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "sessions"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000196",
+    "title": "Mass assignment without allowlist",
+    "content": "Passing req.body directly to a database update lets attackers modify fields they shouldn't: { role: 'admin', verified: true }. Always destructure or pick allowed fields: const { name, email } = req.body; await user.update({ name, email }). Never trust the full request body for writes.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "validation"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000197",
+    "title": "Insecure direct object reference (IDOR)",
+    "content": "Accessing /api/orders/42 should verify the user owns order 42. Without authorization checks, any authenticated user can access any order by changing the ID. Always check: where: { id: orderId, organizationId: req.user.orgId }. This is the most common authorization vulnerability.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "authorization"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000198",
+    "title": "Error messages leak stack traces",
+    "content": "Sending error.stack or detailed error messages to clients exposes internal file paths, library versions, and logic. In production, return generic messages: res.status(500).json({error: 'Internal server error'}). Log the full error server-side. Never set NODE_ENV=development in production.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "error-handling"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000199",
+    "title": "Default credentials in dev tools",
+    "content": "Database GUIs (pgAdmin, Prisma Studio), monitoring dashboards (BullMQ Board), and admin panels often ship with no auth or default credentials. In production, these must be behind VPN/auth or disabled entirely. Attackers scan for exposed admin interfaces using known default ports and paths.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "devops"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  },
+  {
+    "id": "a1b2c3d4-1234-4abc-8def-000000000200",
+    "title": "Dependency confusion attack in npm",
+    "content": "If your org uses private packages like @myorg/utils, an attacker can publish a public @myorg/utils with a higher version. npm may install the public malicious package instead. Mitigate with .npmrc registry scoping: @myorg:registry=https://your-private-registry. Always verify package sources.",
+    "category": "security",
+    "source": "seed:stack",
+    "tags": ["security", "npm"],
+    "created_at": "2026-03-25T00:00:00.000Z"
+  }
+]