@stackguide/mcp-server 2.4.0 → 3.1.0

package/dist/services/codeAnalyzer.js

@@ -1,19 +1,29 @@
 /**
- * Code Analyzer Service
- * Analyzes code against rules and patterns to find issues
+ * Code Analyzer Service - v3.1.0
+ * Unified rule pipeline that supports builtin, user, and project rules
+ * Now with AST-based analysis using ts-morph
  */
 import { logger } from '../utils/logger.js';
-// Pattern-based rules for common issues
-const PATTERN_RULES = [
+import { analyzeWithAST, BUILTIN_AST_RULES, clearASTCache } from './astAnalyzer.js';
+// Re-export AST utilities
+export { clearASTCache };
+// =============================================================================
+// BUILTIN PATTERN RULES
+// =============================================================================
+const BUILTIN_PATTERN_RULES = [
     // Security
     {
         id: 'SEC001',
+        type: 'pattern',
         category: 'security',
         pattern: /eval\s*\(/g,
         severity: 'error',
         message: 'Avoid using eval() - it can execute arbitrary code',
         suggestion: 'Use JSON.parse() for JSON data or safer alternatives',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Replace eval() with JSON.parse()',
             before: match,
@@ -22,12 +32,16 @@ const PATTERN_RULES = [
     },
     {
         id: 'SEC002',
+        type: 'pattern',
         category: 'security',
         pattern: /innerHTML\s*=/g,
         severity: 'warning',
         message: 'innerHTML can lead to XSS vulnerabilities',
         suggestion: 'Use textContent or sanitize HTML input',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Replace innerHTML with textContent',
             before: match,
@@ -36,20 +50,28 @@ const PATTERN_RULES = [
     },
     {
         id: 'SEC003',
+        type: 'pattern',
         category: 'security',
         pattern: /dangerouslySetInnerHTML/g,
         severity: 'warning',
         message: 'dangerouslySetInnerHTML can lead to XSS - ensure content is sanitized',
         suggestion: 'Sanitize HTML with DOMPurify or similar library',
-        languages: ['javascript', 'typescript', 'jsx', 'tsx']
+        languages: ['javascript', 'typescript', 'jsx', 'tsx'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin'
     },
     {
         id: 'SEC004',
+        type: 'pattern',
         category: 'security',
         pattern: /password\s*[:=]\s*['"`][^'"`]+['"`]/gi,
         severity: 'error',
         message: 'Hardcoded password detected',
         suggestion: 'Use environment variables for sensitive data',
+        enabled: true,
+        priority: 100,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Replace hardcoded password with environment variable',
             before: match,
@@ -58,11 +80,15 @@ const PATTERN_RULES = [
     },
     {
         id: 'SEC005',
+        type: 'pattern',
         category: 'security',
         pattern: /api[_-]?key\s*[:=]\s*['"`][a-zA-Z0-9]{20,}['"`]/gi,
         severity: 'error',
         message: 'Hardcoded API key detected',
         suggestion: 'Use environment variables for API keys',
+        enabled: true,
+        priority: 100,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Replace hardcoded API key with environment variable',
             before: match,
@@ -71,81 +97,117 @@ const PATTERN_RULES = [
     },
     {
         id: 'SEC006',
+        type: 'pattern',
         category: 'security',
         pattern: /SELECT\s+\*\s+FROM\s+\w+\s+WHERE.*\+|SELECT\s+\*\s+FROM\s+\w+\s+WHERE.*\$\{/gi,
         severity: 'error',
         message: 'Potential SQL injection - string concatenation in query',
         suggestion: 'Use parameterized queries or an ORM',
+        enabled: true,
+        priority: 100,
+        source: 'builtin'
     },
     {
         id: 'SEC007',
+        type: 'pattern',
         category: 'security',
         pattern: /exec\s*\([^)]*\+|exec\s*\([^)]*\$\{/g,
         severity: 'error',
         message: 'Command injection risk - dynamic command execution',
         suggestion: 'Validate and sanitize all user input',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin'
     },
     {
         id: 'SEC008',
+        type: 'pattern',
         category: 'security',
         pattern: /jwt\.decode\s*\([^)]*verify\s*=\s*False/gi,
         severity: 'error',
         message: 'JWT decoded without verification',
         suggestion: 'Always verify JWT signatures',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin'
     },
     // Performance
     {
         id: 'PERF001',
+        type: 'pattern',
         category: 'performance',
         pattern: /document\.querySelectorAll\([^)]+\)\.forEach/g,
         severity: 'info',
         message: 'Consider caching querySelectorAll result for multiple operations',
         suggestion: 'Store the result in a variable before iterating',
-        languages: ['javascript', 'typescript']
+        languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     {
         id: 'PERF002',
+        type: 'pattern',
         category: 'performance',
         pattern: /JSON\.parse\(JSON\.stringify\(/g,
         severity: 'warning',
         message: 'Deep clone with JSON is slow for large objects',
         suggestion: 'Use structuredClone() or a dedicated library like lodash.cloneDeep',
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     {
         id: 'PERF003',
+        type: 'pattern',
         category: 'performance',
         pattern: /useEffect\(\s*\(\)\s*=>\s*\{[^}]*\},\s*\[\s*\]\s*\)/gs,
         severity: 'info',
         message: 'Empty dependency array - effect runs only once',
         suggestion: 'Verify this is intentional behavior',
-        languages: ['javascript', 'typescript', 'jsx', 'tsx']
+        languages: ['javascript', 'typescript', 'jsx', 'tsx'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     {
         id: 'PERF004',
+        type: 'pattern',
         category: 'performance',
         pattern: /await\s+\w+\([^)]*\)\s*;\s*await\s+\w+\([^)]*\)\s*;/g,
         severity: 'suggestion',
         message: 'Sequential awaits might be parallelizable',
         suggestion: 'Consider Promise.all() for independent async operations',
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     {
         id: 'PERF005',
+        type: 'pattern',
         category: 'performance',
         pattern: /\.map\([^)]+\)\.filter\([^)]+\)/g,
         severity: 'suggestion',
         message: 'Chained map().filter() iterates twice',
         suggestion: 'Consider using reduce() for single-pass transformation',
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     // Coding Standards
     {
         id: 'STD001',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /console\.(log|debug|info)\s*\(/g,
         severity: 'warning',
         message: 'Console statement found - remove for production',
         suggestion: 'Use a proper logging library or remove before deployment',
+        enabled: true,
+        priority: 50,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Remove console statement',
             before: match,
@@ -154,18 +216,26 @@ const PATTERN_RULES = [
     },
     {
         id: 'STD002',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /\/\/\s*TODO:|\/\/\s*FIXME:|\/\/\s*HACK:/gi,
         severity: 'info',
         message: 'TODO/FIXME comment found - address before release',
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'STD003',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /debugger\s*;/g,
         severity: 'error',
         message: 'Debugger statement found - remove before deployment',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin',
         quickFix: () => ({
             description: 'Remove debugger statement',
             before: 'debugger;',
@@ -174,12 +244,16 @@ const PATTERN_RULES = [
     },
     {
         id: 'STD004',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /var\s+(\w+)\s*=/g,
         severity: 'warning',
         message: 'Prefer const or let over var',
         suggestion: 'Use const for immutable values, let for mutable',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin',
         quickFix: (match) => ({
             description: 'Replace var with const',
             before: match,
@@ -188,11 +262,15 @@ const PATTERN_RULES = [
     },
     {
         id: 'STD005',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /==(?!=)/g,
         severity: 'warning',
         message: 'Use strict equality (===) instead of loose equality (==)',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin',
         quickFix: () => ({
             description: 'Replace == with ===',
             before: '==',
@@ -201,11 +279,15 @@ const PATTERN_RULES = [
     },
     {
         id: 'STD006',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /!=(?!=)/g,
         severity: 'warning',
         message: 'Use strict inequality (!==) instead of loose inequality (!=)',
         languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin',
         quickFix: () => ({
             description: 'Replace != with !==',
             before: '!=',
@@ -214,141 +296,429 @@ const PATTERN_RULES = [
     },
     {
         id: 'STD007',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /function\s+\w+\s*\([^)]*\)\s*\{[\s\S]{500,}\}/g,
         severity: 'warning',
         message: 'Function appears too long (>500 chars)',
         suggestion: 'Consider breaking into smaller functions',
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'STD008',
+        type: 'pattern',
         category: 'coding-standards',
         pattern: /catch\s*\(\s*\w*\s*\)\s*\{\s*\}/g,
         severity: 'warning',
         message: 'Empty catch block - errors are silently ignored',
         suggestion: 'Log the error or handle it appropriately',
+        enabled: true,
+        priority: 75,
+        source: 'builtin'
     },
     // Architecture
     {
         id: 'ARCH001',
+        type: 'pattern',
         category: 'architecture',
         pattern: /import.*from\s+['"]\.\.\/\.\.\/\.\.\/\.\./g,
         severity: 'warning',
         message: 'Deep relative import - consider path aliases',
         suggestion: 'Configure path aliases in tsconfig.json',
-        languages: ['javascript', 'typescript']
+        languages: ['javascript', 'typescript'],
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'ARCH002',
+        type: 'pattern',
         category: 'architecture',
         pattern: /class\s+\w+\s*\{[\s\S]*constructor\s*\([^)]{200,}\)/g,
         severity: 'warning',
         message: 'Constructor has many parameters - consider dependency injection',
         suggestion: 'Use a DI container or builder pattern',
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'ARCH003',
+        type: 'pattern',
         category: 'architecture',
         pattern: /new\s+(Date|Math\.random)\s*\(\)/g,
         severity: 'suggestion',
         message: 'Direct instantiation makes testing harder',
         suggestion: 'Inject dependencies for better testability',
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     // Python specific
     {
         id: 'PY001',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'python',
         pattern: /except\s*:/g,
         severity: 'warning',
         message: 'Bare except catches all exceptions including SystemExit',
         suggestion: 'Specify exception type: except Exception:',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 75,
+        source: 'builtin'
     },
     {
         id: 'PY002',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'python',
         pattern: /print\s*\(/g,
         severity: 'info',
         message: 'Print statement found - consider using logging',
         suggestion: 'Use the logging module for production code',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'PY003',
+        type: 'pattern',
         category: 'security',
         pattern: /pickle\.load|pickle\.loads/g,
         severity: 'error',
         message: 'Pickle is unsafe for untrusted data',
         suggestion: 'Use JSON or a safe serialization format',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 100,
+        source: 'builtin'
     },
     {
         id: 'PY004',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'python',
         pattern: /from\s+\w+\s+import\s+\*/g,
         severity: 'warning',
         message: 'Wildcard imports make code harder to understand',
         suggestion: 'Import specific names explicitly',
-        languages: ['python']
+        languages: ['python'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     // Go specific
     {
         id: 'GO001',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'go',
         pattern: /fmt\.Print|fmt\.Println/g,
         severity: 'info',
         message: 'fmt.Print found - consider using structured logging',
         suggestion: 'Use log/slog or a logging library',
-        languages: ['go']
+        languages: ['go'],
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     {
         id: 'GO002',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'go',
         pattern: /panic\s*\(/g,
         severity: 'warning',
         message: 'Panic should be used sparingly',
         suggestion: 'Return errors instead of panicking',
-        languages: ['go']
+        languages: ['go'],
+        enabled: true,
+        priority: 75,
+        source: 'builtin'
     },
     {
         id: 'GO003',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'go',
         pattern: /if\s+err\s*!=\s*nil\s*\{\s*return\s+nil\s*,?\s*err\s*\}/g,
         severity: 'suggestion',
         message: 'Consider wrapping errors with context',
         suggestion: 'Use fmt.Errorf("context: %w", err)',
-        languages: ['go']
+        languages: ['go'],
+        enabled: true,
+        priority: 25,
+        source: 'builtin'
     },
     // Rust specific
     {
         id: 'RS001',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'rust',
         pattern: /\.unwrap\(\)/g,
         severity: 'warning',
         message: 'unwrap() can panic on None/Err',
         suggestion: 'Use ? operator or match/if let for proper error handling',
-        languages: ['rust']
+        languages: ['rust'],
+        enabled: true,
+        priority: 75,
+        source: 'builtin'
     },
     {
         id: 'RS002',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'rust',
         pattern: /\.expect\("[^"]*"\)/g,
         severity: 'info',
         message: 'expect() can panic - ensure this is intentional',
         suggestion: 'Use ? operator for propagating errors',
-        languages: ['rust']
+        languages: ['rust'],
+        enabled: true,
+        priority: 50,
+        source: 'builtin'
     },
     {
         id: 'RS003',
-        category: 'coding-standards',
+        type: 'pattern',
+        category: 'rust',
         pattern: /unsafe\s*\{/g,
         severity: 'warning',
         message: 'Unsafe block found - ensure safety invariants are documented',
         suggestion: 'Add SAFETY comment explaining why this is safe',
-        languages: ['rust']
+        languages: ['rust'],
+        enabled: true,
+        priority: 75,
+        source: 'builtin'
     }
 ];
-function detectLanguage(file, content) {
+// =============================================================================
+// RULE REGISTRY - Unified Management
+// =============================================================================
+/**
+ * In-memory registry of all active rules (Pattern + AST)
+ */
+class RuleRegistry {
+    builtinPatternRules = [...BUILTIN_PATTERN_RULES];
+    builtinASTRules = [...BUILTIN_AST_RULES];
+    userPatternRules = [];
+    userASTRules = [];
+    projectPatternRules = [];
+    projectASTRules = [];
+    // For backwards compatibility
+    get builtinRules() {
+        return this.builtinPatternRules;
+    }
+    get userRules() {
+        return this.userPatternRules;
+    }
+    set userRules(rules) {
+        this.userPatternRules = rules;
+    }
+    get projectRules() {
+        return this.projectPatternRules;
+    }
+    set projectRules(rules) {
+        this.projectPatternRules = rules;
+    }
+    /**
+     * Get all builtin pattern rules
+     */
+    getBuiltinRules() {
+        return this.builtinPatternRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all builtin AST rules
+     */
+    getBuiltinASTRules() {
+        return this.builtinASTRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all user-defined pattern rules
+     */
+    getUserRules() {
+        return this.userPatternRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all user-defined AST rules
+     */
+    getUserASTRules() {
+        return this.userASTRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all project-specific pattern rules
+     */
+    getProjectRules() {
+        return this.projectPatternRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all project-specific AST rules
+     */
+    getProjectASTRules() {
+        return this.projectASTRules.filter(r => r.enabled);
+    }
+    /**
+     * Get all active pattern rules, sorted by priority (highest first)
+     */
+    getAllRules() {
+        const all = [
+            ...this.builtinPatternRules,
+            ...this.userPatternRules,
+            ...this.projectPatternRules
+        ].filter(r => r.enabled);
+        // Sort by priority (higher priority = runs first)
+        return all.sort((a, b) => b.priority - a.priority);
+    }
+    /**
+     * Get all active AST rules, sorted by priority (highest first)
+     */
+    getAllASTRules() {
+        const all = [
+            ...this.builtinASTRules,
+            ...this.userASTRules,
+            ...this.projectASTRules
+        ].filter(r => r.enabled);
+        return all.sort((a, b) => b.priority - a.priority);
+    }
+    /**
+     * Register a user-defined pattern rule
+     */
+    registerUserRule(rule) {
+        const fullRule = {
+            ...rule,
+            type: 'pattern',
+            source: 'user'
+        };
+        // Remove existing rule with same ID
+        this.userPatternRules = this.userPatternRules.filter(r => r.id !== rule.id);
+        this.userPatternRules.push(fullRule);
+        logger.info('Registered user rule', { ruleId: rule.id });
+    }
+    /**
+     * Register a project-specific pattern rule
+     */
+    registerProjectRule(rule) {
+        const fullRule = {
+            ...rule,
+            type: 'pattern',
+            source: 'project'
+        };
+        // Remove existing rule with same ID
+        this.projectPatternRules = this.projectPatternRules.filter(r => r.id !== rule.id);
+        this.projectPatternRules.push(fullRule);
+        logger.info('Registered project rule', { ruleId: rule.id });
+    }
+    /**
+     * Register multiple project rules at once
+     */
+    registerProjectRules(rules) {
+        for (const rule of rules) {
+            this.registerProjectRule(rule);
+        }
+    }
+    /**
+     * Register a user-defined AST rule
+     */
+    registerUserASTRule(rule) {
+        const fullRule = {
+            ...rule,
+            type: 'ast',
+            source: 'user'
+        };
+        this.userASTRules = this.userASTRules.filter(r => r.id !== rule.id);
+        this.userASTRules.push(fullRule);
+        logger.info('Registered user AST rule', { ruleId: rule.id });
+    }
+    /**
+     * Register a project-specific AST rule
+     */
+    registerProjectASTRule(rule) {
+        const fullRule = {
+            ...rule,
+            type: 'ast',
+            source: 'project'
+        };
+        this.projectASTRules = this.projectASTRules.filter(r => r.id !== rule.id);
+        this.projectASTRules.push(fullRule);
+        logger.info('Registered project AST rule', { ruleId: rule.id });
+    }
+    /**
+     * Clear all user rules (pattern + AST)
+     */
+    clearUserRules() {
+        this.userPatternRules = [];
+        this.userASTRules = [];
+        logger.info('Cleared user rules');
+    }
+    /**
+     * Clear all project rules (pattern + AST)
+     */
+    clearProjectRules() {
+        this.projectPatternRules = [];
+        this.projectASTRules = [];
+        logger.info('Cleared project rules');
+    }
+    /**
+     * Disable a builtin rule by ID (pattern or AST)
+     */
+    disableBuiltinRule(ruleId) {
+        // Check pattern rules
+        const patternRule = this.builtinPatternRules.find(r => r.id === ruleId);
+        if (patternRule) {
+            patternRule.enabled = false;
+            logger.info('Disabled builtin pattern rule', { ruleId });
+            return true;
+        }
+        // Check AST rules
+        const astRule = this.builtinASTRules.find(r => r.id === ruleId);
+        if (astRule) {
+            astRule.enabled = false;
+            logger.info('Disabled builtin AST rule', { ruleId });
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Enable a builtin rule by ID (pattern or AST)
+     */
+    enableBuiltinRule(ruleId) {
+        // Check pattern rules
+        const patternRule = this.builtinPatternRules.find(r => r.id === ruleId);
+        if (patternRule) {
+            patternRule.enabled = true;
+            logger.info('Enabled builtin pattern rule', { ruleId });
+            return true;
+        }
+        // Check AST rules
+        const astRule = this.builtinASTRules.find(r => r.id === ruleId);
+        if (astRule) {
+            astRule.enabled = true;
+            logger.info('Enabled builtin AST rule', { ruleId });
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Get statistics about registered rules
+     */
+    getStats() {
+        const builtinPattern = this.builtinPatternRules.filter(r => r.enabled).length;
+        const builtinAST = this.builtinASTRules.filter(r => r.enabled).length;
+        const userPattern = this.userPatternRules.filter(r => r.enabled).length;
+        const userAST = this.userASTRules.filter(r => r.enabled).length;
+        const projectPattern = this.projectPatternRules.filter(r => r.enabled).length;
+        const projectAST = this.projectASTRules.filter(r => r.enabled).length;
+        const builtin = builtinPattern + builtinAST;
+        const user = userPattern + userAST;
+        const project = projectPattern + projectAST;
+        const ast = builtinAST + userAST + projectAST;
+        return { builtin, user, project, total: builtin + user + project, ast };
+    }
+}
+// Global rule registry instance
+export const ruleRegistry = new RuleRegistry();
+// =============================================================================
+// ANALYSIS FUNCTIONS
+// =============================================================================
+function detectLanguage(file, _content) {
     const ext = file.split('.').pop()?.toLowerCase() || '';
     const langMap = {
         'ts': 'typescript',
@@ -370,20 +740,35 @@ function detectLanguage(file, content) {
 function getLineNumber(content, index) {
     return content.substring(0, index).split('\n').length;
 }
+/**
+ * Analyze code using the unified rule pipeline
+ */
 export function analyzeCode(file, content, focus = 'all') {
     const language = detectLanguage(file, content);
     const issues = [];
     logger.debug('Analyzing code', { file, language, focus, contentLength: content.length });
+    // Get all active rules from registry
+    const allRules = ruleRegistry.getAllRules();
+    // Track rules applied by source
+    const rulesApplied = { builtin: 0, user: 0, project: 0 };
     // Filter rules by focus and language
-    const applicableRules = PATTERN_RULES.filter(rule => {
+    const applicableRules = allRules.filter(rule => {
         if (focus !== 'all' && rule.category !== focus)
             return false;
         if (rule.languages && !rule.languages.includes(language))
             return false;
         return true;
     });
+    logger.debug('Applying rules', {
+        totalRules: allRules.length,
+        applicableRules: applicableRules.length,
+        focus,
+        language
+    });
     // Apply pattern rules
     for (const rule of applicableRules) {
+        if (rule.type !== 'pattern')
+            continue; // Skip non-pattern rules for now
         let match;
         // Reset regex state
         rule.pattern.lastIndex = 0;
@@ -400,14 +785,49 @@ export function analyzeCode(file, content, focus = 'all') {
                 line,
                 code: matchedText.substring(0, 100),
                 suggestion: rule.suggestion,
-                quickFix
+                quickFix,
+                source: rule.source
             });
+            // Track which source contributed
+            rulesApplied[rule.source]++;
             // Prevent infinite loop on zero-length matches
             if (match.index === rule.pattern.lastIndex) {
                 rule.pattern.lastIndex++;
             }
         }
     }
+    // ==========================================================================
+    // PHASE 2: Apply AST rules (for TS/JS files)
+    // ==========================================================================
+    const isJsTsFile = ['typescript', 'tsx', 'javascript', 'jsx'].includes(language);
+    if (isJsTsFile) {
+        const astRules = ruleRegistry.getAllASTRules();
+        // Filter AST rules by focus and language
+        const applicableASTRules = astRules.filter(rule => {
+            if (focus !== 'all' && rule.category !== focus)
+                return false;
+            if (rule.languages && !rule.languages.includes(language))
+                return false;
+            return true;
+        });
+        if (applicableASTRules.length > 0) {
+            logger.debug('Applying AST rules', {
+                file,
+                astRuleCount: applicableASTRules.length
+            });
+            try {
+                const astIssues = analyzeWithAST(file, content, applicableASTRules);
+                // Add AST issues and track sources
+                for (const issue of astIssues) {
+                    issues.push(issue);
+                    rulesApplied[issue.source]++;
+                }
+            }
+            catch (error) {
+                logger.warn('AST analysis failed', { file, error: String(error) });
+            }
+        }
+    }
     // Sort issues by severity and line
     const severityOrder = { error: 0, warning: 1, info: 2, suggestion: 3 };
     issues.sort((a, b) => {
@@ -435,14 +855,21 @@ export function analyzeCode(file, content, focus = 'all') {
         .filter(i => i.quickFix)
         .map(i => i.quickFix)
         .filter((fix, idx, arr) => arr.findIndex(f => f.before === fix.before) === idx);
-    logger.info('Analysis complete', { file, issuesFound: issues.length, score, quickFixesAvailable: quickFixes.length });
+    logger.info('Analysis complete', {
+        file,
+        issuesFound: issues.length,
+        score,
+        quickFixesAvailable: quickFixes.length,
+        rulesApplied
+    });
     return {
         file,
         language,
         issues,
         score: Math.round(score),
         summary,
-        quickFixes: quickFixes.length > 0 ? quickFixes : undefined
+        quickFixes: quickFixes.length > 0 ? quickFixes : undefined,
+        rulesApplied
     };
 }
 export function analyzeMultipleFiles(files, focus = 'all') {
@@ -457,13 +884,19 @@ export function analyzeMultipleFiles(files, focus = 'all') {
         info: results.reduce((sum, r) => sum + r.summary.info, 0),
         suggestions: results.reduce((sum, r) => sum + r.summary.suggestions, 0)
     };
+    const rulesApplied = {
+        builtin: results.reduce((sum, r) => sum + r.rulesApplied.builtin, 0),
+        user: results.reduce((sum, r) => sum + r.rulesApplied.user, 0),
+        project: results.reduce((sum, r) => sum + r.rulesApplied.project, 0)
+    };
     return {
         files: results,
         overall: {
             totalFiles: results.length,
             totalIssues,
             averageScore,
-            summary
+            summary,
+            rulesApplied
         }
     };
 }
@@ -471,6 +904,7 @@ export function formatAnalysisReport(result) {
     const lines = [];
     lines.push(`## Code Review: ${result.file}`);
     lines.push(`**Language:** ${result.language} | **Score:** ${result.score}/100`);
+    lines.push(`**Rules Applied:** ${result.rulesApplied.builtin} builtin, ${result.rulesApplied.user} user, ${result.rulesApplied.project} project`);
     lines.push('');
     if (result.issues.length === 0) {
         lines.push('✅ No issues found!');
@@ -487,7 +921,8 @@ export function formatAnalysisReport(result) {
             const icon = issue.severity === 'error' ? '🔴' :
                 issue.severity === 'warning' ? '🟡' :
                     issue.severity === 'info' ? '🔵' : '💡';
-            lines.push(`#### ${icon} [${issue.rule}] ${issue.message}`);
+            const sourceTag = issue.source !== 'builtin' ? ` [${issue.source}]` : '';
+            lines.push(`#### ${icon} [${issue.rule}]${sourceTag} ${issue.message}`);
             if (issue.line)
                 lines.push(`- Line: ${issue.line}`);
             if (issue.code)
@@ -514,4 +949,52 @@ export function formatAnalysisReport(result) {
     }
     return lines.join('\n');
 }
+// =============================================================================
+// HELPER: Convert user rules from RuleManager format to PatternRule
+// =============================================================================
+/**
+ * Parse a user-defined rule content to extract pattern rules
+ * This bridges the gap between RuleManager's documentation rules and analysis rules
+ */
+export function parseUserRuleToPatternRule(ruleId, content, category) {
+    // Look for patterns defined in markdown code blocks with special syntax
+    // Example: ```pattern:error
+    // /console\.log/g
+    // ```
+    const patternMatch = content.match(/```pattern:(error|warning|info|suggestion)\s*\n(\/[^/]+\/[gimsu]*)\s*\n```/);
+    if (!patternMatch) {
+        return null;
+    }
+    const severity = patternMatch[1];
+    const patternStr = patternMatch[2];
+    try {
+        // Parse the regex string
+        const regexMatch = patternStr.match(/^\/(.+)\/([gimsu]*)$/);
+        if (!regexMatch)
+            return null;
+        const pattern = new RegExp(regexMatch[1], regexMatch[2] || 'g');
+        // Extract message from the rule content
+        const messageMatch = content.match(/##?\s*(?:Rule|Message):\s*(.+)/i);
+        const message = messageMatch?.[1] || `Custom rule: ${ruleId}`;
+        // Extract suggestion if present
+        const suggestionMatch = content.match(/##?\s*Suggestion:\s*(.+)/i);
+        const suggestion = suggestionMatch?.[1];
+        return {
+            id: ruleId,
+            type: 'pattern',
+            category: category,
+            pattern,
+            severity,
+            message,
+            suggestion,
+            enabled: true,
+            priority: 150, // User rules have higher priority than builtin
+            source: 'user'
+        };
+    }
+    catch {
+        logger.warn('Failed to parse pattern rule', { ruleId });
+        return null;
+    }
+}
 //# sourceMappingURL=codeAnalyzer.js.map