@saulwade/swl-ses 1.4.1 → 1.4.2

package/scripts/audit-tools/code-profiler.js

@@ -1,605 +1,605 @@
-// Adaptado de temp/ultraship-main/tools/code-profiler.mjs bajo MIT License
-// Fuente: Houseofmvps/ultraship (https://github.com/Houseofmvps/ultraship)
-'use strict';
-
-const { readFileSync, existsSync } = require('fs');
-const { relative, extname } = require('path');
-const { walkCode } = require('./lib/fs-walk');
-const { outputJSON, outputError } = require('./lib/output');
-
-// Patrones de I/O síncrona que BUSCAMOS en el código analizado (no los usamos aquí)
-const SYNC_PATTERNS = [
-  { name: 'readFileSync', fix: 'readFile (async)' },
-  { name: 'writeFileSync', fix: 'writeFile (async)' },
-  { name: 'readdirSync', fix: 'readdir (async)' },
-  { name: 'statSync', fix: 'stat (async)' },
-  { name: 'existsSync', fix: 'access (async)' },
-  { name: 'copyFileSync', fix: 'copyFile (async)' },
-  { name: 'mkdirSync', fix: 'mkdir (async)' },
-];
-
-const SHELL_SYNC_NAMES = ['execSync', 'execFileSync', 'spawnSync'];
-
-// Patrones de I/O síncrona en Python dentro de handlers async
-const PYTHON_SYNC_IO = [
-  { name: 'open(', fix: 'aiofiles.open() o executor' },
-  { name: 'subprocess.run(', fix: 'asyncio.create_subprocess_exec()' },
-  { name: 'subprocess.call(', fix: 'asyncio.create_subprocess_exec()' },
-  { name: 'subprocess.check_output(', fix: 'asyncio.create_subprocess_exec()' },
-  { name: 'os.path.exists(', fix: 'asyncio.to_thread(os.path.exists, ...)' },
-  { name: 'os.listdir(', fix: 'asyncio.to_thread(os.listdir, ...)' },
-  { name: 'os.makedirs(', fix: 'asyncio.to_thread(os.makedirs, ...)' },
-];
-
-/**
- * Determina si el archivo es un route handler (JS/TS o Python).
- * @param {string} content
- * @param {string} filePath
- * @returns {boolean}
- */
-function isRouteHandler(content, filePath) {
-  const rel = filePath.toLowerCase();
-  const isPython = rel.endsWith('.py');
-
-  if (!isPython) {
-    if (rel.includes('/route') || rel.includes('/api/') || rel.includes('/handler') || rel.includes('/controller')) return true;
-    if (content.includes('app.get(') || content.includes('app.post(') || content.includes('app.put(') || content.includes('app.delete(')) return true;
-    if (content.includes('router.get(') || content.includes('router.post(')) return true;
-    if (content.includes('.onRequest(') || content.includes('Hono(')) return true;
-    if (content.includes('export default') && (content.includes('GET') || content.includes('POST')) && rel.includes('route')) return true;
-  } else {
-    // Python: FastAPI, Flask, Django views
-    if (content.includes('@app.get(') || content.includes('@app.post(') ||
-        content.includes('@app.put(') || content.includes('@app.delete(') ||
-        content.includes('@app.patch(') || content.includes('@router.get(') ||
-        content.includes('@router.post(')) return true;
-    if (rel.includes('/views') || rel.includes('/routes') || rel.includes('/handlers') || rel.includes('/api/')) return true;
-    // Django class-based views
-    if (content.includes('class') && (content.includes('APIView') || content.includes('ViewSet') || content.includes('GenericView'))) return true;
-  }
-  return false;
-}
-
-/**
- * Determina si el archivo es non-production (seed, test, migration).
- * @param {string} filePath
- * @returns {boolean}
- */
-function isNonProductionFile(filePath) {
-  const rel = filePath.toLowerCase();
-  return (
-    rel.includes('seed') || rel.includes('fixture') ||
-    rel.includes('test') || rel.includes('spec') || rel.includes('__test') ||
-    rel.includes('migration') || rel.includes('migrate') ||
-    rel.includes('/scripts/') || rel.includes('/demo')
-  );
-}
-
-/**
- * Verifica si una línea está dentro de un contexto seed/demo/test
- * (buscando hacia atrás la definición de función más cercana).
- * @param {string[]} lines
- * @param {number} lineIndex
- * @returns {boolean}
- */
-function isInSeedContext(lines, lineIndex) {
-  const SEED_KEYWORDS = /seed|demo|populate|fixture|mock|fake|sample|generate.*data|test.*data/i;
-  const ROUTE_DEF = /\.(get|post|put|delete|patch|all)\s*\(/;
-  const FUNC_DEF = /(?:function|const|let|var)\s+\w+.*(?:=>|\{)|(?:async\s+function)/;
-
-  for (let i = lineIndex; i >= Math.max(0, lineIndex - 500); i--) {
-    const line = lines[i];
-    if (ROUTE_DEF.test(line)) {
-      for (let j = Math.max(0, i - 2); j <= Math.min(lines.length - 1, i + 2); j++) {
-        if (SEED_KEYWORDS.test(lines[j])) return true;
-      }
-      return false;
-    }
-    if (SEED_KEYWORDS.test(line) && FUNC_DEF.test(line)) return true;
-    if (/^\s*\/\/.*(?:seed|demo|populate|test data)/i.test(line)) return true;
-  }
-  return false;
-}
-
-/**
- * Detecta si una línea Python está dentro de una función async.
- * Escanea hacia atrás buscando `async def`.
- * @param {string[]} lines
- * @param {number} lineIndex
- * @returns {boolean}
- */
-function isInsidePythonAsyncDef(lines, lineIndex) {
-  // Obtener nivel de indentación de la línea actual
-  const currentLine = lines[lineIndex];
-  const currentIndent = currentLine.match(/^(\s*)/)[1].length;
-
-  for (let i = lineIndex - 1; i >= Math.max(0, lineIndex - 100); i--) {
-    const line = lines[i];
-    if (!line.trim()) continue;
-    const indent = line.match(/^(\s*)/)[1].length;
-    // Buscamos una definición de función con menor indentación
-    if (indent < currentIndent && /^\s*async\s+def\s+/.test(line)) return true;
-    if (indent < currentIndent && /^\s*def\s+/.test(line)) return false;
-    if (indent === 0 && /^(class|def|async def)/.test(line)) return false;
-  }
-  return false;
-}
-
-/**
- * Analiza un archivo y devuelve los hallazgos de rendimiento.
- * @param {string} filePath
- * @param {string} relPath
- * @param {string} content
- * @returns {object[]}
- */
-function analyzeFile(filePath, relPath, content) {
-  const findings = [];
-  const lines = content.split('\n');
-  const isHandler = isRouteHandler(content, relPath);
-  const isNonProd = isNonProductionFile(relPath);
-  const isPython = relPath.toLowerCase().endsWith('.py');
-
-  if (isPython) {
-    return analyzeFilePython(filePath, relPath, content, lines, isHandler, isNonProd);
-  }
-
-  // === N+1 Query Detection (JS/TS) ===
-  const blockLoopPatterns = [
-    /\bfor\s*\(/,
-    /\bfor\s+.*\bof\b/,
-    /\bwhile\s*\(/,
-  ];
-  const callbackLoopPattern = /\.(forEach|map)\s*\(/;
-  const queryPatterns = [
-    /\.findOne\s*\(/, /\.findFirst\s*\(/, /\.findUnique\s*\(/,
-    /\.find\s*\(/, /\.findMany\s*\(/,
-    /\.query\s*\(/, /\.execute\s*\(/,
-    /await\s+db\./, /await\s+prisma\./,
-  ];
-
-  const blockLoopStack = [];
-  const callbackLoopStack = [];
-  let braceDepth = 0;
-  let parenDepth = 0;
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) continue;
-
-    const isBlockLoop = blockLoopPatterns.some(p => p.test(line));
-    const callbackMatch = callbackLoopPattern.test(line);
-
-    if (isBlockLoop) blockLoopStack.push(braceDepth);
-    if (callbackMatch) callbackLoopStack.push(parenDepth);
-
-    for (const ch of line) {
-      if (ch === '{') braceDepth++;
-      if (ch === '(') parenDepth++;
-      if (ch === '}') {
-        braceDepth--;
-        while (blockLoopStack.length > 0 && braceDepth <= blockLoopStack[blockLoopStack.length - 1]) {
-          blockLoopStack.pop();
-        }
-      }
-      if (ch === ')') {
-        parenDepth--;
-        while (callbackLoopStack.length > 0 && parenDepth <= callbackLoopStack[callbackLoopStack.length - 1]) {
-          callbackLoopStack.pop();
-        }
-      }
-    }
-
-    const insideBlockLoop = blockLoopStack.length > 0;
-    const insideCallbackLoop = callbackLoopStack.length > 0;
-    const sameLineCallback = callbackMatch && !insideCallbackLoop;
-    const insideAnyLoop = insideBlockLoop || insideCallbackLoop || sameLineCallback;
-
-    if (insideAnyLoop && queryPatterns.some(p => p.test(line))) {
-      const inSeedCtx = isNonProd || isInSeedContext(lines, i);
-      const severity = inSeedCtx ? 'low' : 'high';
-      const suffix = inSeedCtx ? ' (en contexto seed/test — prioridad baja)' : '';
-      findings.push({
-        file: relPath, line: i + 1, severity, category: 'n+1',
-        message: `Consulta de BD dentro de bucle — patrón N+1 detectado. Usar consulta batch (findMany/cláusula IN)${suffix}`,
-        code: trimmed.slice(0, 120),
-      });
-    }
-  }
-
-  // === Sync I/O en Request Handlers (JS/TS) ===
-  if (isHandler) {
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const trimmed = line.trim();
-      if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
-
-      for (const sp of SYNC_PATTERNS) {
-        if (line.includes(sp.name)) {
-          findings.push({
-            file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
-            message: `I/O síncrona (${sp.name}) en request handler bloquea el event loop — usar ${sp.fix}`,
-            code: trimmed.slice(0, 120),
-          });
-        }
-      }
-
-      for (const name of SHELL_SYNC_NAMES) {
-        if (line.includes(name)) {
-          findings.push({
-            file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
-            message: `Ejecución de shell síncrona (${name}) en request handler — usar alternativa async`,
-            code: trimmed.slice(0, 120),
-          });
-        }
-      }
-    }
-  }
-
-  // === Operaciones sin límite (JS/TS) ===
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
-
-    if (/\.findMany\s*\(\s*\{/.test(line)) {
-      const startIdx = content.indexOf(line);
-      const chunk = startIdx >= 0 ? content.slice(startIdx, startIdx + 300) : '';
-      if (!chunk.includes('take:') && !chunk.includes('limit')) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
-          message: 'findMany sin limit/take — puede retornar la tabla completa en memoria',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-
-    if (/SELECT\s+\*/i.test(line) && !/LIMIT/i.test(line)) {
-      const selectMatch = line.match(/SELECT\s+\*/i);
-      const selectIdx = selectMatch ? line.indexOf(selectMatch[0]) : -1;
-      const beforeSelect = selectIdx >= 0 ? line.slice(0, selectIdx) : '';
-      const isInJsxComment = /\{\/\*/.test(beforeSelect) && /\*\/\}/.test(line.slice(selectIdx));
-      const isInBlockComment = /\/\*/.test(beforeSelect) && !/\*\//.test(beforeSelect.slice(beforeSelect.lastIndexOf('/*')));
-      const isAfterLineComment = /\/\//.test(beforeSelect);
-      const isInComment = isInJsxComment || isInBlockComment || isAfterLineComment;
-      const isInSqlContext = /['"`].*SELECT\s+\*/i.test(line) || /SELECT\s+\*.*['"`]/i.test(line);
-      if (!isInComment && isInSqlContext) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
-          message: 'SELECT * sin LIMIT — puede retornar la tabla completa',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-  }
-
-  // === Índices de BD faltantes (esquemas) ===
-  if (relPath.includes('schema') || relPath.includes('migration')) {
-    const fkPattern = /\.references\s*\(\s*\(\)\s*=>\s*(\w+)\.(\w+)\)/g;
-    let fkMatch;
-    while ((fkMatch = fkPattern.exec(content)) !== null) {
-      const lineNum = content.slice(0, fkMatch.index).split('\n').length;
-      const nearby = content.slice(Math.max(0, fkMatch.index - 500), fkMatch.index + 500);
-      if (!nearby.includes('index(') && !nearby.includes('.index(')) {
-        findings.push({
-          file: relPath, line: lineNum, severity: 'medium', category: 'missing-index',
-          message: `Clave foránea a ${fkMatch[1]}.${fkMatch[2]} sin índice — los JOINs serán lentos a escala`,
-          code: fkMatch[0].slice(0, 120),
-        });
-      }
-    }
-
-    if (content.includes('@relation')) {
-      const relPattern = /@relation.*fields:\s*\[(\w+)\]/g;
-      let relMatch;
-      while ((relMatch = relPattern.exec(content)) !== null) {
-        const field = relMatch[1];
-        if (!content.includes(`@@index([${field}]`) && !content.includes('@unique')) {
-          const lineNum = content.slice(0, relMatch.index).split('\n').length;
-          findings.push({
-            file: relPath, line: lineNum, severity: 'medium', category: 'missing-index',
-            message: `Campo de relación "${field}" sin @@index — las búsquedas serán lentas a escala`,
-            code: relMatch[0].slice(0, 120),
-          });
-        }
-      }
-    }
-  }
-
-  // === Memory Leaks (JS/TS) ===
-  const SERVER_PATTERNS = /app\.get\(|app\.listen\(|app\.post\(|Hono\(|createServer|express\(|router\.(get|post|put|delete)\(|\.onRequest\(/;
-  const isOneShotScript = (
-    relPath.includes('/scripts/') ||
-    relPath.includes('cli.') ||
-    relPath.includes('/bin/') ||
-    Boolean(relPath.match(/(?:^|\/)cli[./]/))
-  ) || !SERVER_PATTERNS.test(content);
-
-  let braceDepthML = 0;
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
-
-    for (const ch of line) {
-      if (ch === '{') braceDepthML++;
-      if (ch === '}') braceDepthML--;
-    }
-
-    if (/^(const|let|var)\s+\w+\s*=\s*\[\s*\]/.test(trimmed) && braceDepthML === 0) {
-      const varName = trimmed.match(/^(?:const|let|var)\s+(\w+)/)?.[1];
-      if (varName && content.includes(`${varName}.push(`)) {
-        findings.push({
-          file: relPath, line: i + 1, severity: isOneShotScript ? 'low' : 'medium', category: 'memory-leak',
-          message: `Array con scope de módulo "${varName}" con .push() — crece sin límite${isOneShotScript ? ' (script de una vez)' : ', memory leak en servidores long-running'}`,
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-
-    if (isHandler && (/\.addEventListener\s*\(/.test(line) || /\.on\s*\(\s*['"]/.test(line))) {
-      const isReqBodyParsing = /\b(req|request|res|response)\s*\.\s*on\s*\(\s*['"](data|end|error|close)['"]/i.test(line);
-      if (!isReqBodyParsing) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'medium', category: 'memory-leak',
-          message: 'Event listener en request handler — puede acumularse sin limpieza',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-  }
-
-  // === Error Handling en Handlers (JS/TS) ===
-  if (isHandler) {
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const trimmed = line.trim();
-      if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
-
-      if (/JSON\.parse\s*\(/.test(line)) {
-        let hasTry = false;
-        for (let j = Math.max(0, i - 5); j < i; j++) {
-          if (lines[j].includes('try')) hasTry = true;
-        }
-        if (!hasTry) {
-          findings.push({
-            file: relPath, line: i + 1, severity: 'medium', category: 'error-handling',
-            message: 'JSON.parse sin try/catch en handler — input malformado crashea el handler',
-            code: trimmed.slice(0, 120),
-          });
-        }
-      }
-
-      if (/new RegExp\s*\(/.test(line)) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'medium', category: 'redos',
-          message: 'RegExp dinámico en handler — input controlado por usuario puede causar ReDoS',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-  }
-
-  // === Sequential Await (JS/TS) ===
-  if (!isNonProd && !relPath.includes('/scripts/') && !relPath.includes('cleanup') && !relPath.includes('migrate')) {
-    for (let i = 0; i < lines.length - 1; i++) {
-      const line = lines[i].trim();
-      const nextLine = (lines[i + 1] || '').trim();
-      if (line.startsWith('//') || line.startsWith('*')) continue;
-
-      if (/^(const|let|var)\s+\w+\s*=\s*await\b/.test(line) && /^(const|let|var)\s+\w+\s*=\s*await\b/.test(nextLine)) {
-        const firstVar = line.match(/^(?:const|let|var)\s+(\w+)/)?.[1];
-        if (firstVar && !nextLine.includes(firstVar)) {
-          findings.push({
-            file: relPath, line: i + 1, severity: 'low', category: 'sequential-await',
-            message: 'Awaits secuenciales que podrían ejecutarse en paralelo — considerar Promise.all()',
-            code: `${line.slice(0, 60)} | ${nextLine.slice(0, 60)}`,
-          });
-        }
-      }
-    }
-  }
-
-  return findings;
-}
-
-/**
- * Analiza archivos Python para detectar:
- * - N+1 con SQLAlchemy/Django ORM
- * - I/O síncrona en handlers async
- * - Consultas sin límite (.all() sin .limit())
- * @param {string} filePath
- * @param {string} relPath
- * @param {string} content
- * @param {string[]} lines
- * @param {boolean} isHandler
- * @param {boolean} isNonProd
- * @returns {object[]}
- */
-function analyzeFilePython(filePath, relPath, content, lines, isHandler, isNonProd) {
-  const findings = [];
-
-  // Patrones de consulta SQLAlchemy/Django ORM
-  const sqlalchemyQueryPatterns = [
-    /session\.query\s*\(/,
-    /\.query\s*\(/,
-    /db\.query\s*\(/,
-    /\.\bfilter\s*\(/,
-    /\.\bfirst\s*\(\s*\)/,
-    /\.\bone\s*\(\s*\)/,
-    /\.\bget\s*\(/,
-  ];
-  const djangoQueryPatterns = [
-    /\bObjects\.filter\s*\(/,
-    /\bObjects\.get\s*\(/,
-    /\bObjects\.exclude\s*\(/,
-    /\.objects\.\w+\s*\(/,
-  ];
-
-  // Loop patterns en Python
-  const pythonLoopPattern = /^\s*for\s+\w+.*\bin\b/;
-  const pythonWhilePattern = /^\s*while\s+/;
-
-  // Seguimiento de profundidad de indentación para loops
-  let loopIndentStack = []; // cada entry: nivel de indentación del loop
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (trimmed.startsWith('#')) continue;
-
-    const currentIndent = line.match(/^(\s*)/)[1].length;
-
-    // Sacar loops que ya cerraron (por indentación)
-    loopIndentStack = loopIndentStack.filter(indent => indent < currentIndent);
-
-    const isLoopLine = pythonLoopPattern.test(line) || pythonWhilePattern.test(line);
-    if (isLoopLine) {
-      loopIndentStack.push(currentIndent);
-    }
-
-    const insideLoop = loopIndentStack.length > 0;
-
-    // N+1 con SQLAlchemy
-    if (insideLoop && !isNonProd) {
-      const hasQuery = sqlalchemyQueryPatterns.some(p => p.test(line)) ||
-                       djangoQueryPatterns.some(p => p.test(trimmed.toLowerCase() === trimmed ? line : line));
-      if (hasQuery) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'high', category: 'n+1',
-          message: 'Consulta ORM dentro de bucle Python — patrón N+1 detectado. Usar carga eager (joinedload/selectinload) o consultas batch',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-
-    // I/O síncrona en handlers async
-    if (isHandler || /^\s*async\s+def\s+/.test(line)) {
-      // Verificar que estamos dentro de una función async
-      const isAsync = isInsidePythonAsyncDef(lines, i);
-      if (isAsync) {
-        for (const sp of PYTHON_SYNC_IO) {
-          if (line.includes(sp.name)) {
-            findings.push({
-              file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
-              message: `I/O síncrona (${sp.name}) en handler async Python bloquea el event loop — usar ${sp.fix}`,
-              code: trimmed.slice(0, 120),
-            });
-          }
-        }
-      }
-    }
-
-    // Consultas sin límite: .all() sin .limit() previo
-    if (/\.all\s*\(\s*\)/.test(line)) {
-      // Buscar si hay .limit() en la misma línea o en las 5 líneas previas
-      let hasLimit = /\.limit\s*\(/.test(line);
-      if (!hasLimit) {
-        for (let j = Math.max(0, i - 5); j < i; j++) {
-          if (/\.limit\s*\(/.test(lines[j])) { hasLimit = true; break; }
-        }
-      }
-      if (!hasLimit && !isNonProd) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
-          message: '.all() sin .limit() previo — puede retornar la tabla completa en memoria',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-
-    // SELECT * sin LIMIT en strings Python
-    if (/SELECT\s+\*/i.test(line) && !/LIMIT/i.test(line)) {
-      const isInComment = trimmed.startsWith('#');
-      const isInSqlContext = /['""].*SELECT\s+\*/i.test(line) || /SELECT\s+\*.*['""]/.test(line);
-      if (!isInComment && isInSqlContext) {
-        findings.push({
-          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
-          message: 'SELECT * sin LIMIT en Python — puede retornar la tabla completa',
-          code: trimmed.slice(0, 120),
-        });
-      }
-    }
-  }
-
-  return findings;
-}
-
-function main() {
-  const dir = process.argv[2];
-  if (!dir) {
-    outputError('Uso: node code-profiler.js <directorio-proyecto>');
-    process.exit(0);
-  }
-
-  if (!existsSync(dir)) {
-    outputError(`Ruta no encontrada: ${dir}`);
-    process.exit(0);
-  }
-
-  const codeFiles = walkCode(dir, { extensions: ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.py'] });
-  if (codeFiles.length === 0) {
-    outputJSON({ success: true, message: 'No se encontraron archivos TypeScript/JavaScript/Python', findings: [] });
-    process.exit(0);
-  }
-
-  const allFindings = [];
-  let filesAnalyzed = 0;
-  let handlersFound = 0;
-
-  for (const file of codeFiles) {
-    let content;
-    try {
-      content = readFileSync(file, 'utf8');
-    } catch {
-      continue;
-    }
-    const relPath = relative(dir, file).replace(/\\/g, '/');
-    if (isRouteHandler(content, relPath)) handlersFound++;
-    allFindings.push(...analyzeFile(file, relPath, content));
-    filesAnalyzed++;
-  }
-
-  const byCategory = {};
-  for (const f of allFindings) {
-    if (!byCategory[f.category]) byCategory[f.category] = [];
-    byCategory[f.category].push(f);
-  }
-
-  const categorySummary = {};
-  for (const [cat, items] of Object.entries(byCategory)) {
-    categorySummary[cat] = {
-      count: items.length,
-      critical: items.filter(i => i.severity === 'critical').length,
-      high: items.filter(i => i.severity === 'high').length,
-      medium: items.filter(i => i.severity === 'medium').length,
-      low: items.filter(i => i.severity === 'low').length,
-    };
-  }
-
-  let score = 100;
-  const seenCatFile = new Set();
-  for (const f of allFindings) {
-    const key = `${f.category}:${f.file}`;
-    const firstInFile = !seenCatFile.has(key);
-    seenCatFile.add(key);
-    const mult = firstInFile ? 1 : 0.5;
-    if (f.severity === 'high') score -= 5 * mult;
-    else if (f.severity === 'medium') score -= 2 * mult;
-    else if (f.severity === 'low') score -= 0.5 * mult;
-  }
-
-  outputJSON({
-    success: true,
-    files_analyzed: filesAnalyzed,
-    handlers_found: handlersFound,
-    total_findings: allFindings.length,
-    performance_score: Math.max(0, Math.round(score)),
-    categories: categorySummary,
-    findings: allFindings,
-  });
-}
-
-main();
-
-module.exports = { analyzeFile, isRouteHandler, isNonProductionFile, isInSeedContext };
+// Adaptado de temp/ultraship-main/tools/code-profiler.mjs bajo MIT License
+// Fuente: Houseofmvps/ultraship (https://github.com/Houseofmvps/ultraship)
+'use strict';
+
+const { readFileSync, existsSync } = require('fs');
+const { relative, extname } = require('path');
+const { walkCode } = require('./lib/fs-walk');
+const { outputJSON, outputError } = require('./lib/output');
+
+// Patrones de I/O síncrona que BUSCAMOS en el código analizado (no los usamos aquí)
+const SYNC_PATTERNS = [
+  { name: 'readFileSync', fix: 'readFile (async)' },
+  { name: 'writeFileSync', fix: 'writeFile (async)' },
+  { name: 'readdirSync', fix: 'readdir (async)' },
+  { name: 'statSync', fix: 'stat (async)' },
+  { name: 'existsSync', fix: 'access (async)' },
+  { name: 'copyFileSync', fix: 'copyFile (async)' },
+  { name: 'mkdirSync', fix: 'mkdir (async)' },
+];
+
+const SHELL_SYNC_NAMES = ['execSync', 'execFileSync', 'spawnSync'];
+
+// Patrones de I/O síncrona en Python dentro de handlers async
+const PYTHON_SYNC_IO = [
+  { name: 'open(', fix: 'aiofiles.open() o executor' },
+  { name: 'subprocess.run(', fix: 'asyncio.create_subprocess_exec()' },
+  { name: 'subprocess.call(', fix: 'asyncio.create_subprocess_exec()' },
+  { name: 'subprocess.check_output(', fix: 'asyncio.create_subprocess_exec()' },
+  { name: 'os.path.exists(', fix: 'asyncio.to_thread(os.path.exists, ...)' },
+  { name: 'os.listdir(', fix: 'asyncio.to_thread(os.listdir, ...)' },
+  { name: 'os.makedirs(', fix: 'asyncio.to_thread(os.makedirs, ...)' },
+];
+
+/**
+ * Determina si el archivo es un route handler (JS/TS o Python).
+ * @param {string} content
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isRouteHandler(content, filePath) {
+  const rel = filePath.toLowerCase();
+  const isPython = rel.endsWith('.py');
+
+  if (!isPython) {
+    if (rel.includes('/route') || rel.includes('/api/') || rel.includes('/handler') || rel.includes('/controller')) return true;
+    if (content.includes('app.get(') || content.includes('app.post(') || content.includes('app.put(') || content.includes('app.delete(')) return true;
+    if (content.includes('router.get(') || content.includes('router.post(')) return true;
+    if (content.includes('.onRequest(') || content.includes('Hono(')) return true;
+    if (content.includes('export default') && (content.includes('GET') || content.includes('POST')) && rel.includes('route')) return true;
+  } else {
+    // Python: FastAPI, Flask, Django views
+    if (content.includes('@app.get(') || content.includes('@app.post(') ||
+        content.includes('@app.put(') || content.includes('@app.delete(') ||
+        content.includes('@app.patch(') || content.includes('@router.get(') ||
+        content.includes('@router.post(')) return true;
+    if (rel.includes('/views') || rel.includes('/routes') || rel.includes('/handlers') || rel.includes('/api/')) return true;
+    // Django class-based views
+    if (content.includes('class') && (content.includes('APIView') || content.includes('ViewSet') || content.includes('GenericView'))) return true;
+  }
+  return false;
+}
+
+/**
+ * Determina si el archivo es non-production (seed, test, migration).
+ * @param {string} filePath
+ * @returns {boolean}
+ */
+function isNonProductionFile(filePath) {
+  const rel = filePath.toLowerCase();
+  return (
+    rel.includes('seed') || rel.includes('fixture') ||
+    rel.includes('test') || rel.includes('spec') || rel.includes('__test') ||
+    rel.includes('migration') || rel.includes('migrate') ||
+    rel.includes('/scripts/') || rel.includes('/demo')
+  );
+}
+
+/**
+ * Verifica si una línea está dentro de un contexto seed/demo/test
+ * (buscando hacia atrás la definición de función más cercana).
+ * @param {string[]} lines
+ * @param {number} lineIndex
+ * @returns {boolean}
+ */
+function isInSeedContext(lines, lineIndex) {
+  const SEED_KEYWORDS = /seed|demo|populate|fixture|mock|fake|sample|generate.*data|test.*data/i;
+  const ROUTE_DEF = /\.(get|post|put|delete|patch|all)\s*\(/;
+  const FUNC_DEF = /(?:function|const|let|var)\s+\w+.*(?:=>|\{)|(?:async\s+function)/;
+
+  for (let i = lineIndex; i >= Math.max(0, lineIndex - 500); i--) {
+    const line = lines[i];
+    if (ROUTE_DEF.test(line)) {
+      for (let j = Math.max(0, i - 2); j <= Math.min(lines.length - 1, i + 2); j++) {
+        if (SEED_KEYWORDS.test(lines[j])) return true;
+      }
+      return false;
+    }
+    if (SEED_KEYWORDS.test(line) && FUNC_DEF.test(line)) return true;
+    if (/^\s*\/\/.*(?:seed|demo|populate|test data)/i.test(line)) return true;
+  }
+  return false;
+}
+
+/**
+ * Detecta si una línea Python está dentro de una función async.
+ * Escanea hacia atrás buscando `async def`.
+ * @param {string[]} lines
+ * @param {number} lineIndex
+ * @returns {boolean}
+ */
+function isInsidePythonAsyncDef(lines, lineIndex) {
+  // Obtener nivel de indentación de la línea actual
+  const currentLine = lines[lineIndex];
+  const currentIndent = currentLine.match(/^(\s*)/)[1].length;
+
+  for (let i = lineIndex - 1; i >= Math.max(0, lineIndex - 100); i--) {
+    const line = lines[i];
+    if (!line.trim()) continue;
+    const indent = line.match(/^(\s*)/)[1].length;
+    // Buscamos una definición de función con menor indentación
+    if (indent < currentIndent && /^\s*async\s+def\s+/.test(line)) return true;
+    if (indent < currentIndent && /^\s*def\s+/.test(line)) return false;
+    if (indent === 0 && /^(class|def|async def)/.test(line)) return false;
+  }
+  return false;
+}
+
+/**
+ * Analiza un archivo y devuelve los hallazgos de rendimiento.
+ * @param {string} filePath
+ * @param {string} relPath
+ * @param {string} content
+ * @returns {object[]}
+ */
+function analyzeFile(filePath, relPath, content) {
+  const findings = [];
+  const lines = content.split('\n');
+  const isHandler = isRouteHandler(content, relPath);
+  const isNonProd = isNonProductionFile(relPath);
+  const isPython = relPath.toLowerCase().endsWith('.py');
+
+  if (isPython) {
+    return analyzeFilePython(filePath, relPath, content, lines, isHandler, isNonProd);
+  }
+
+  // === N+1 Query Detection (JS/TS) ===
+  const blockLoopPatterns = [
+    /\bfor\s*\(/,
+    /\bfor\s+.*\bof\b/,
+    /\bwhile\s*\(/,
+  ];
+  const callbackLoopPattern = /\.(forEach|map)\s*\(/;
+  const queryPatterns = [
+    /\.findOne\s*\(/, /\.findFirst\s*\(/, /\.findUnique\s*\(/,
+    /\.find\s*\(/, /\.findMany\s*\(/,
+    /\.query\s*\(/, /\.execute\s*\(/,
+    /await\s+db\./, /await\s+prisma\./,
+  ];
+
+  const blockLoopStack = [];
+  const callbackLoopStack = [];
+  let braceDepth = 0;
+  let parenDepth = 0;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*')) continue;
+
+    const isBlockLoop = blockLoopPatterns.some(p => p.test(line));
+    const callbackMatch = callbackLoopPattern.test(line);
+
+    if (isBlockLoop) blockLoopStack.push(braceDepth);
+    if (callbackMatch) callbackLoopStack.push(parenDepth);
+
+    for (const ch of line) {
+      if (ch === '{') braceDepth++;
+      if (ch === '(') parenDepth++;
+      if (ch === '}') {
+        braceDepth--;
+        while (blockLoopStack.length > 0 && braceDepth <= blockLoopStack[blockLoopStack.length - 1]) {
+          blockLoopStack.pop();
+        }
+      }
+      if (ch === ')') {
+        parenDepth--;
+        while (callbackLoopStack.length > 0 && parenDepth <= callbackLoopStack[callbackLoopStack.length - 1]) {
+          callbackLoopStack.pop();
+        }
+      }
+    }
+
+    const insideBlockLoop = blockLoopStack.length > 0;
+    const insideCallbackLoop = callbackLoopStack.length > 0;
+    const sameLineCallback = callbackMatch && !insideCallbackLoop;
+    const insideAnyLoop = insideBlockLoop || insideCallbackLoop || sameLineCallback;
+
+    if (insideAnyLoop && queryPatterns.some(p => p.test(line))) {
+      const inSeedCtx = isNonProd || isInSeedContext(lines, i);
+      const severity = inSeedCtx ? 'low' : 'high';
+      const suffix = inSeedCtx ? ' (en contexto seed/test — prioridad baja)' : '';
+      findings.push({
+        file: relPath, line: i + 1, severity, category: 'n+1',
+        message: `Consulta de BD dentro de bucle — patrón N+1 detectado. Usar consulta batch (findMany/cláusula IN)${suffix}`,
+        code: trimmed.slice(0, 120),
+      });
+    }
+  }
+
+  // === Sync I/O en Request Handlers (JS/TS) ===
+  if (isHandler) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const trimmed = line.trim();
+      if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+      for (const sp of SYNC_PATTERNS) {
+        if (line.includes(sp.name)) {
+          findings.push({
+            file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
+            message: `I/O síncrona (${sp.name}) en request handler bloquea el event loop — usar ${sp.fix}`,
+            code: trimmed.slice(0, 120),
+          });
+        }
+      }
+
+      for (const name of SHELL_SYNC_NAMES) {
+        if (line.includes(name)) {
+          findings.push({
+            file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
+            message: `Ejecución de shell síncrona (${name}) en request handler — usar alternativa async`,
+            code: trimmed.slice(0, 120),
+          });
+        }
+      }
+    }
+  }
+
+  // === Operaciones sin límite (JS/TS) ===
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    if (/\.findMany\s*\(\s*\{/.test(line)) {
+      const startIdx = content.indexOf(line);
+      const chunk = startIdx >= 0 ? content.slice(startIdx, startIdx + 300) : '';
+      if (!chunk.includes('take:') && !chunk.includes('limit')) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
+          message: 'findMany sin limit/take — puede retornar la tabla completa en memoria',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+
+    if (/SELECT\s+\*/i.test(line) && !/LIMIT/i.test(line)) {
+      const selectMatch = line.match(/SELECT\s+\*/i);
+      const selectIdx = selectMatch ? line.indexOf(selectMatch[0]) : -1;
+      const beforeSelect = selectIdx >= 0 ? line.slice(0, selectIdx) : '';
+      const isInJsxComment = /\{\/\*/.test(beforeSelect) && /\*\/\}/.test(line.slice(selectIdx));
+      const isInBlockComment = /\/\*/.test(beforeSelect) && !/\*\//.test(beforeSelect.slice(beforeSelect.lastIndexOf('/*')));
+      const isAfterLineComment = /\/\//.test(beforeSelect);
+      const isInComment = isInJsxComment || isInBlockComment || isAfterLineComment;
+      const isInSqlContext = /['"`].*SELECT\s+\*/i.test(line) || /SELECT\s+\*.*['"`]/i.test(line);
+      if (!isInComment && isInSqlContext) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
+          message: 'SELECT * sin LIMIT — puede retornar la tabla completa',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+  }
+
+  // === Índices de BD faltantes (esquemas) ===
+  if (relPath.includes('schema') || relPath.includes('migration')) {
+    const fkPattern = /\.references\s*\(\s*\(\)\s*=>\s*(\w+)\.(\w+)\)/g;
+    let fkMatch;
+    while ((fkMatch = fkPattern.exec(content)) !== null) {
+      const lineNum = content.slice(0, fkMatch.index).split('\n').length;
+      const nearby = content.slice(Math.max(0, fkMatch.index - 500), fkMatch.index + 500);
+      if (!nearby.includes('index(') && !nearby.includes('.index(')) {
+        findings.push({
+          file: relPath, line: lineNum, severity: 'medium', category: 'missing-index',
+          message: `Clave foránea a ${fkMatch[1]}.${fkMatch[2]} sin índice — los JOINs serán lentos a escala`,
+          code: fkMatch[0].slice(0, 120),
+        });
+      }
+    }
+
+    if (content.includes('@relation')) {
+      const relPattern = /@relation.*fields:\s*\[(\w+)\]/g;
+      let relMatch;
+      while ((relMatch = relPattern.exec(content)) !== null) {
+        const field = relMatch[1];
+        if (!content.includes(`@@index([${field}]`) && !content.includes('@unique')) {
+          const lineNum = content.slice(0, relMatch.index).split('\n').length;
+          findings.push({
+            file: relPath, line: lineNum, severity: 'medium', category: 'missing-index',
+            message: `Campo de relación "${field}" sin @@index — las búsquedas serán lentas a escala`,
+            code: relMatch[0].slice(0, 120),
+          });
+        }
+      }
+    }
+  }
+
+  // === Memory Leaks (JS/TS) ===
+  const SERVER_PATTERNS = /app\.get\(|app\.listen\(|app\.post\(|Hono\(|createServer|express\(|router\.(get|post|put|delete)\(|\.onRequest\(/;
+  const isOneShotScript = (
+    relPath.includes('/scripts/') ||
+    relPath.includes('cli.') ||
+    relPath.includes('/bin/') ||
+    Boolean(relPath.match(/(?:^|\/)cli[./]/))
+  ) || !SERVER_PATTERNS.test(content);
+
+  let braceDepthML = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    for (const ch of line) {
+      if (ch === '{') braceDepthML++;
+      if (ch === '}') braceDepthML--;
+    }
+
+    if (/^(const|let|var)\s+\w+\s*=\s*\[\s*\]/.test(trimmed) && braceDepthML === 0) {
+      const varName = trimmed.match(/^(?:const|let|var)\s+(\w+)/)?.[1];
+      if (varName && content.includes(`${varName}.push(`)) {
+        findings.push({
+          file: relPath, line: i + 1, severity: isOneShotScript ? 'low' : 'medium', category: 'memory-leak',
+          message: `Array con scope de módulo "${varName}" con .push() — crece sin límite${isOneShotScript ? ' (script de una vez)' : ', memory leak en servidores long-running'}`,
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+
+    if (isHandler && (/\.addEventListener\s*\(/.test(line) || /\.on\s*\(\s*['"]/.test(line))) {
+      const isReqBodyParsing = /\b(req|request|res|response)\s*\.\s*on\s*\(\s*['"](data|end|error|close)['"]/i.test(line);
+      if (!isReqBodyParsing) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'medium', category: 'memory-leak',
+          message: 'Event listener en request handler — puede acumularse sin limpieza',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+  }
+
+  // === Error Handling en Handlers (JS/TS) ===
+  if (isHandler) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const trimmed = line.trim();
+      if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+      if (/JSON\.parse\s*\(/.test(line)) {
+        let hasTry = false;
+        for (let j = Math.max(0, i - 5); j < i; j++) {
+          if (lines[j].includes('try')) hasTry = true;
+        }
+        if (!hasTry) {
+          findings.push({
+            file: relPath, line: i + 1, severity: 'medium', category: 'error-handling',
+            message: 'JSON.parse sin try/catch en handler — input malformado crashea el handler',
+            code: trimmed.slice(0, 120),
+          });
+        }
+      }
+
+      if (/new RegExp\s*\(/.test(line)) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'medium', category: 'redos',
+          message: 'RegExp dinámico en handler — input controlado por usuario puede causar ReDoS',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+  }
+
+  // === Sequential Await (JS/TS) ===
+  if (!isNonProd && !relPath.includes('/scripts/') && !relPath.includes('cleanup') && !relPath.includes('migrate')) {
+    for (let i = 0; i < lines.length - 1; i++) {
+      const line = lines[i].trim();
+      const nextLine = (lines[i + 1] || '').trim();
+      if (line.startsWith('//') || line.startsWith('*')) continue;
+
+      if (/^(const|let|var)\s+\w+\s*=\s*await\b/.test(line) && /^(const|let|var)\s+\w+\s*=\s*await\b/.test(nextLine)) {
+        const firstVar = line.match(/^(?:const|let|var)\s+(\w+)/)?.[1];
+        if (firstVar && !nextLine.includes(firstVar)) {
+          findings.push({
+            file: relPath, line: i + 1, severity: 'low', category: 'sequential-await',
+            message: 'Awaits secuenciales que podrían ejecutarse en paralelo — considerar Promise.all()',
+            code: `${line.slice(0, 60)} | ${nextLine.slice(0, 60)}`,
+          });
+        }
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Analiza archivos Python para detectar:
+ * - N+1 con SQLAlchemy/Django ORM
+ * - I/O síncrona en handlers async
+ * - Consultas sin límite (.all() sin .limit())
+ * @param {string} filePath
+ * @param {string} relPath
+ * @param {string} content
+ * @param {string[]} lines
+ * @param {boolean} isHandler
+ * @param {boolean} isNonProd
+ * @returns {object[]}
+ */
+function analyzeFilePython(filePath, relPath, content, lines, isHandler, isNonProd) {
+  const findings = [];
+
+  // Patrones de consulta SQLAlchemy/Django ORM
+  const sqlalchemyQueryPatterns = [
+    /session\.query\s*\(/,
+    /\.query\s*\(/,
+    /db\.query\s*\(/,
+    /\.\bfilter\s*\(/,
+    /\.\bfirst\s*\(\s*\)/,
+    /\.\bone\s*\(\s*\)/,
+    /\.\bget\s*\(/,
+  ];
+  const djangoQueryPatterns = [
+    /\bObjects\.filter\s*\(/,
+    /\bObjects\.get\s*\(/,
+    /\bObjects\.exclude\s*\(/,
+    /\.objects\.\w+\s*\(/,
+  ];
+
+  // Loop patterns en Python
+  const pythonLoopPattern = /^\s*for\s+\w+.*\bin\b/;
+  const pythonWhilePattern = /^\s*while\s+/;
+
+  // Seguimiento de profundidad de indentación para loops
+  let loopIndentStack = []; // cada entry: nivel de indentación del loop
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed.startsWith('#')) continue;
+
+    const currentIndent = line.match(/^(\s*)/)[1].length;
+
+    // Sacar loops que ya cerraron (por indentación)
+    loopIndentStack = loopIndentStack.filter(indent => indent < currentIndent);
+
+    const isLoopLine = pythonLoopPattern.test(line) || pythonWhilePattern.test(line);
+    if (isLoopLine) {
+      loopIndentStack.push(currentIndent);
+    }
+
+    const insideLoop = loopIndentStack.length > 0;
+
+    // N+1 con SQLAlchemy
+    if (insideLoop && !isNonProd) {
+      const hasQuery = sqlalchemyQueryPatterns.some(p => p.test(line)) ||
+                       djangoQueryPatterns.some(p => p.test(trimmed.toLowerCase() === trimmed ? line : line));
+      if (hasQuery) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'high', category: 'n+1',
+          message: 'Consulta ORM dentro de bucle Python — patrón N+1 detectado. Usar carga eager (joinedload/selectinload) o consultas batch',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+
+    // I/O síncrona en handlers async
+    if (isHandler || /^\s*async\s+def\s+/.test(line)) {
+      // Verificar que estamos dentro de una función async
+      const isAsync = isInsidePythonAsyncDef(lines, i);
+      if (isAsync) {
+        for (const sp of PYTHON_SYNC_IO) {
+          if (line.includes(sp.name)) {
+            findings.push({
+              file: relPath, line: i + 1, severity: 'high', category: 'sync-io',
+              message: `I/O síncrona (${sp.name}) en handler async Python bloquea el event loop — usar ${sp.fix}`,
+              code: trimmed.slice(0, 120),
+            });
+          }
+        }
+      }
+    }
+
+    // Consultas sin límite: .all() sin .limit() previo
+    if (/\.all\s*\(\s*\)/.test(line)) {
+      // Buscar si hay .limit() en la misma línea o en las 5 líneas previas
+      let hasLimit = /\.limit\s*\(/.test(line);
+      if (!hasLimit) {
+        for (let j = Math.max(0, i - 5); j < i; j++) {
+          if (/\.limit\s*\(/.test(lines[j])) { hasLimit = true; break; }
+        }
+      }
+      if (!hasLimit && !isNonProd) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
+          message: '.all() sin .limit() previo — puede retornar la tabla completa en memoria',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+
+    // SELECT * sin LIMIT en strings Python
+    if (/SELECT\s+\*/i.test(line) && !/LIMIT/i.test(line)) {
+      const isInComment = trimmed.startsWith('#');
+      const isInSqlContext = /['""].*SELECT\s+\*/i.test(line) || /SELECT\s+\*.*['""]/.test(line);
+      if (!isInComment && isInSqlContext) {
+        findings.push({
+          file: relPath, line: i + 1, severity: 'high', category: 'unbounded',
+          message: 'SELECT * sin LIMIT en Python — puede retornar la tabla completa',
+          code: trimmed.slice(0, 120),
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+function main() {
+  const dir = process.argv[2];
+  if (!dir) {
+    outputError('Uso: node code-profiler.js <directorio-proyecto>');
+    process.exit(0);
+  }
+
+  if (!existsSync(dir)) {
+    outputError(`Ruta no encontrada: ${dir}`);
+    process.exit(0);
+  }
+
+  const codeFiles = walkCode(dir, { extensions: ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.py'] });
+  if (codeFiles.length === 0) {
+    outputJSON({ success: true, message: 'No se encontraron archivos TypeScript/JavaScript/Python', findings: [] });
+    process.exit(0);
+  }
+
+  const allFindings = [];
+  let filesAnalyzed = 0;
+  let handlersFound = 0;
+
+  for (const file of codeFiles) {
+    let content;
+    try {
+      content = readFileSync(file, 'utf8');
+    } catch {
+      continue;
+    }
+    const relPath = relative(dir, file).replace(/\\/g, '/');
+    if (isRouteHandler(content, relPath)) handlersFound++;
+    allFindings.push(...analyzeFile(file, relPath, content));
+    filesAnalyzed++;
+  }
+
+  const byCategory = {};
+  for (const f of allFindings) {
+    if (!byCategory[f.category]) byCategory[f.category] = [];
+    byCategory[f.category].push(f);
+  }
+
+  const categorySummary = {};
+  for (const [cat, items] of Object.entries(byCategory)) {
+    categorySummary[cat] = {
+      count: items.length,
+      critical: items.filter(i => i.severity === 'critical').length,
+      high: items.filter(i => i.severity === 'high').length,
+      medium: items.filter(i => i.severity === 'medium').length,
+      low: items.filter(i => i.severity === 'low').length,
+    };
+  }
+
+  let score = 100;
+  const seenCatFile = new Set();
+  for (const f of allFindings) {
+    const key = `${f.category}:${f.file}`;
+    const firstInFile = !seenCatFile.has(key);
+    seenCatFile.add(key);
+    const mult = firstInFile ? 1 : 0.5;
+    if (f.severity === 'high') score -= 5 * mult;
+    else if (f.severity === 'medium') score -= 2 * mult;
+    else if (f.severity === 'low') score -= 0.5 * mult;
+  }
+
+  outputJSON({
+    success: true,
+    files_analyzed: filesAnalyzed,
+    handlers_found: handlersFound,
+    total_findings: allFindings.length,
+    performance_score: Math.max(0, Math.round(score)),
+    categories: categorySummary,
+    findings: allFindings,
+  });
+}
+
+main();
+
+module.exports = { analyzeFile, isRouteHandler, isNonProductionFile, isInSeedContext };