@sun-asterisk/sunlint 1.3.2 → 1.3.4

package/CHANGELOG.md

@@ -2,6 +2,79 @@
 
 ---
 
+## � **v1.3.4 - Engine Auto Hotfix (September 5, 2025)**
+
+**Release Date**: September 5, 2025  
+**Type**: Critical Hotfix
+
+### 🚨 **Critical Bug Fix**
+- **FIXED**: Engine "auto" validation and selection logic
+  - **Issue**: `--engine=auto` causing "Invalid engine: auto" error in v1.3.3
+  - **Root Cause**: Missing auto engine support in validation and orchestrator
+  - **Solution**: Comprehensive auto engine implementation
+    - Added "auto" case to engine factory with heuristic fallback
+    - Updated CLI validation to include "auto" in valid engines
+    - Enhanced orchestrator to resolve "auto" to actual engines (heuristic + eslint)
+    - Fixed CLI action handler auto-detection logic
+
+### 🧪 **Validation Results**
+- **✅ Auto engine**: Works correctly (auto-selects heuristic + eslint)
+- **✅ Heuristic engine**: Unchanged, working properly
+- **✅ ESLint engine**: Unchanged, working properly
+- **✅ CLI help**: Shows all engines including auto option
+
+### 📦 **Upgrade Notes**
+- **Zero breaking changes** - seamless upgrade from v1.3.3
+- **Default `--engine=auto`** now works as intended
+- **All existing commands** continue to work unchanged
+
+---
+
+## �🚀 **v1.3.3 - Performance & File Limits Optimization (September 4, 2025)**
+
+**Release Date**: September 4, 2025  
+**Type**: Performance Enhancement & User Experience
+
+### ⚡ **Performance Engineering**
+- **ENHANCED**: Heuristic Engine v4.0 with integrated performance optimizations
+  - **Smart file limits**: Auto-detection prevents memory issues
+  - **Batch processing**: Optimized rule execution for large projects
+  - **Memory management**: Symbol table limits for TypeScript projects
+  - **Timeout protection**: Graceful handling of long-running analysis
+
+### 🎛️ **CLI Enhancement & Clarity**
+- **CLARIFIED**: File limit options with comprehensive documentation
+  - **`--max-files`**: Controls total analysis workload (performance)
+  - **`--max-semantic-files`**: Controls TypeScript symbol table memory
+  - **Auto-detection**: Smart defaults for 90% of use cases
+  - **Manual tuning**: Fine control for enterprise projects
+
+### � **Bug Fixes**
+- **FIXED**: Engine "auto" validation and selection logic
+  - **Engine Factory**: Added "auto" case with fallback to heuristic engine
+  - **CLI Validation**: Added "auto" to valid engines list
+  - **Orchestrator**: Auto-resolve "auto" to actual engines (heuristic + eslint)
+  - **Engine Selection**: Auto-detection works correctly for rule preferences
+
+### �📚 **Documentation Expansion**
+- **NEW**: [FILE_LIMITS_EXPLANATION.md](./docs/FILE_LIMITS_EXPLANATION.md) - Comprehensive guide (5.7KB)
+- **NEW**: [QUICK_FILE_LIMITS.md](./docs/QUICK_FILE_LIMITS.md) - Quick reference (1.8KB)
+- **ENHANCED**: CLI help with clear usage examples
+- **INTEGRATED**: Performance docs in README.md
+
+### 🧠 **Architecture Improvements**
+- **INTEGRATED**: Performance logic into heuristic engine (no separate files)
+- **ENHANCED**: Auto-performance-manager for intelligent limit calculation
+- **OPTIMIZED**: Memory usage patterns for large codebases
+- **TESTED**: GitHub Actions compatibility with resource constraints
+
+### 🎯 **User Experience**
+- **90/10 Rule**: Auto-detection works for most cases, manual tuning available
+- **Progressive disclosure**: Quick ref → detailed guide → implementation details
+- **CI/CD Ready**: Optimized for memory-constrained environments
+
+---
+
 ## 🏆 **v1.3.2 - Precision Engineering & Rule Maturity (August 21, 2025)**
 
 **Release Date**: August 21, 2025  

package/README.md

@@ -9,12 +9,13 @@ Sun Lint is a universal coding standards checker providing comprehensive code qu
 ### **✨ Key Features**
 - ✅ **256+ Coding Rules**: Quality (161), Security (70), Performance (25)
 - ✅ **Unified Architecture**: Same adapter pattern for CLI and VSCode extension
-- ✅ **Multi-Engine Support**: Heuristic (244 rules) + ESLint (17 rules) + AI (256 rules)
+- ✅ **Multi-Engine Support**: Heuristic v4.0 (244 rules) + ESLint (17 rules) + AI (256 rules)
+- ✅ **Performance Optimized**: Auto file limits, memory management, GitHub Actions ready
 - ✅ **Built-in AST Analysis**: JavaScript/TypeScript parsing out of the box
 - ✅ **Git Integration**: `--changed-files`, `--staged-files`, `--pr-mode`
-- ✅ **TypeScript Support**: Native TypeScript 5.8+ analysis
+- ✅ **TypeScript Support**: Native TypeScript 5.8+ analysis with smart memory limits
 - ✅ **Zero Config**: Works immediately after `npm install`
-- ✅ **CI/CD Ready**: Baseline comparison, fail-on-new-violations
+- ✅ **CI/CD Ready**: Baseline comparison, fail-on-new-violations, timeout protection
 - ✅ **Advanced File Targeting**: Include/exclude patterns, language filtering
 
 ### **🏗️ Architecture**
@@ -376,6 +377,7 @@ sunlint --validate-config .sunlint.json
 ## 📚 **Documentation**
 
 - **[Configuration Guide](./docs/CONFIGURATION.md)** - Complete config options with examples
+- **[Performance & File Limits](./docs/FILE_LIMITS_EXPLANATION.md)** - Understanding `--max-files` vs `--max-semantic-files`
 - [ESLint Integration Guide](./docs/ESLINT_INTEGRATION.md)
 - [CI/CD Guide](./docs/CI-CD-GUIDE.md)
 - [Architecture](./docs/ARCHITECTURE.md)

package/config/rules/enhanced-rules-registry.json

@@ -27,14 +27,8 @@
       "status": "stable",
       "tags": ["logging", "error-handling", "severity"],
       "engineMappings": {
-        "eslint": [
-          "no-console",
-          "no-alert",
-          "no-debugger"
-        ],
-        "heuristic": [
-          "rules/common/C019_log_level_usage/analyzer.js"
-        ]
+        "eslint": ["no-console", "no-alert", "no-debugger"],
+        "heuristic": ["rules/common/C019_log_level_usage/analyzer.js"]
       }
     },
     "C006": {
@@ -635,8 +629,8 @@
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s017",
+      "analyzer": "./rules/security/S017_use_parameterized_queries/analyzer.js",
+      "config": "./rules/security/S017_use_parameterized_queries/config.json",
       "version": "1.0.0",
       "status": "stable",
       "tags": ["security", "sql-injection", "database"]
@@ -769,41 +763,122 @@
       "status": "stable",
       "tags": ["security", "directory-browsing", "information-disclosure"]
     },
+    "S031": {
+      "name": "Set Secure flag for Session Cookies",
+      "description": "Set Secure flag for Session Cookies to protect via HTTPS. This ensures cookies are only transmitted over secure connections, preventing interception.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S031_secure_session_cookies/analyzer.js",
+      "config": "./rules/security/S031_secure_session_cookies/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "cookies", "session", "https", "secure"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": ["rules/security/S031_secure_session_cookies/analyzer.js"]
+      }
+    },
+    "S032": {
+      "name": "Set HttpOnly attribute for Session Cookies",
+      "description": "Set HttpOnly attribute for Session Cookies to prevent JavaScript access. This protects against XSS attacks by preventing client-side script access to sensitive cookies.",
+      "category": "security",
+      "severity": "error",
+      "languages": ["typescript", "javascript"],
+      "analyzer": "./rules/security/S032_httponly_session_cookies/analyzer.js",
+      "config": "./rules/security/S032_httponly_session_cookies/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["security", "cookies", "session", "httponly", "xss"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S032_httponly_session_cookies/analyzer.js"
+        ]
+      }
+    },
     "S033": {
-      "name": "Require SameSite Cookie",
-      "description": "Require SameSite attribute for cookies",
+      "name": "Set SameSite attribute for Session Cookies",
+      "description": "Set SameSite attribute for Session Cookies to reduce CSRF risk. This prevents the browser from sending cookies along with cross-site requests, mitigating CSRF attacks.",
       "category": "security",
       "severity": "error",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s033",
+      "analyzer": "./rules/security/S033_samesite_session_cookies/analyzer.js",
+      "config": "./rules/security/S033_samesite_session_cookies/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "cookies", "samesite"]
+      "tags": ["security", "cookies", "session", "samesite", "csrf"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S033_samesite_session_cookies/analyzer.js"
+        ]
+      }
     },
     "S034": {
-      "name": "Require Host Cookie Prefix",
-      "description": "Require __Host- prefix for secure cookies",
+      "name": "Use __Host- prefix for Session Cookies",
+      "description": "Use __Host- prefix for Session Cookies to prevent subdomain sharing. The __Host- prefix ensures cookies are only sent to the exact domain that set them, preventing subdomain cookie sharing attacks.",
       "category": "security",
-      "severity": "error",
+      "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s034",
+      "analyzer": "./rules/security/S034_host_prefix_session_cookies/analyzer.js",
+      "config": "./rules/security/S034_host_prefix_session_cookies/config.json",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "cookies", "host-prefix"]
+      "tags": ["security", "cookies", "session", "host-prefix", "subdomain"],
+      "strategy": {
+        "preferred": "ast",
+        "fallbacks": ["ast", "regex"],
+        "accuracy": {
+          "ast": 95,
+          "regex": 85
+        }
+      },
+      "engineMappings": {
+        "heuristic": [
+          "rules/security/S034_host_prefix_session_cookies/analyzer.js"
+        ]
+      }
     },
     "S035": {
-      "name": "Cookie Specific Path",
-      "description": "Require specific path for sensitive cookies",
+      "name": "Set Path attribute for Session Cookies",
+      "description": "Set Path attribute for Session Cookies to limit access scope",
       "category": "security",
-      "severity": "error",
+      "severity": "warning",
       "languages": ["typescript", "javascript"],
-      "analyzer": "eslint",
-      "eslintRule": "custom/typescript_s035",
+      "analyzer": "heuristic",
       "version": "1.0.0",
       "status": "stable",
-      "tags": ["security", "cookies", "path"]
+      "tags": ["security", "cookies", "path"],
+      "strategy": {
+        "defaultEngine": "heuristic",
+        "engineMappings": {
+          "heuristic": ["rules/security/S035_path_session_cookies/analyzer.js"]
+        }
+      },
+      "configPath": "rules/security/S035_path_session_cookies/config.json",
+      "analyzerPath": ["rules/security/S035_path_session_cookies/analyzer.js"]
     },
     "S036": {
       "name": "No Unsafe File Include",
@@ -1196,6 +1271,36 @@
         "accuracy": {}
       }
     },
+    "C048": {
+      "name": "Do not bypass architectural layers (controller/service/repository)",
+      "description": "Maintain a clear layered architecture, ensuring logic and data flow are well-structured and maintainable.",
+      "category": "naming",
+      "severity": "warning",
+      "languages": ["typescript", "javascript", "dart", "kotlin"],
+      "analyzer": "./rules/common/C048_no_bypass_architectural_layers/analyzer.js",
+      "config": "./rules/common/C048_no_bypass_architectural_layers/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["naming", "domain", "readability"],
+      "engineMappings": {
+        "eslint": ["@typescript-eslint/naming-convention", "camelcase"]
+      }
+    },
+    "C052": {
+      "name": "Parsing or data transformation logic must be separated from controllers",
+      "description": "Enforce separation of concerns — controllers should only handle requests and delegate processing, improving testability, maintainability, and reuse.",
+      "category": "naming",
+      "severity": "warning",
+      "languages": ["typescript", "javascript", "dart", "kotlin"],
+      "analyzer": "./rules/common/C052_parsing_or_data_transformation/analyzer.js",
+      "config": "./rules/common/C052_parsing_or_data_transformation/config.json",
+      "version": "1.0.0",
+      "status": "stable",
+      "tags": ["naming", "domain", "readability"],
+      "engineMappings": {
+        "eslint": ["@typescript-eslint/naming-convention", "camelcase"]
+      }
+    },
     "C072": {
       "id": "C072",
       "name": "Single Test Behavior",
@@ -1612,6 +1717,7 @@
         "C017",
         "C018",
         "C023",
+        "C024",
         "C029",
         "C030",
         "C035",
@@ -1619,6 +1725,8 @@
         "C042",
         "C043",
         "C047",
+        "C048",
+        "C052",
         "C072",
         "C075",
         "T002",
@@ -1668,6 +1776,8 @@
         "S027",
         "S029",
         "S030",
+        "S031",
+        "S032",
         "S033",
         "S034",
         "S035",
@@ -1777,12 +1887,12 @@
     }
   },
   "metadata": {
-    "version": "1.1.6",
-    "lastUpdated": "2025-08-19",
-    "totalRules": 95,
+    "version": "1.1.7",
+    "lastUpdated": "2025-08-25",
+    "totalRules": 97,
     "qualityRules": 33,
-    "securityRules": 47,
-    "stableRules": 43,
+    "securityRules": 49,
+    "stableRules": 45,
     "experimentalRules": 1,
     "supportedLanguages": 4,
     "features": [
@@ -1791,7 +1901,8 @@
       "Dynamic rule configuration",
       "ESLint 9.x integration",
       "React rules integration",
-      "Memory leak fixes"
+      "Memory leak fixes",
+      "S032 HttpOnly session cookies"
     ],
     "consolidatedFrom": "/Users/bach.ngoc.hoai/Docs/ee/coding-quality/extensions/sunlint/config/rules/rules-registry.json"
   }

package/core/analysis-orchestrator.js

@@ -10,6 +10,7 @@ const path = require('path');
 const fs = require('fs');
 const AnalysisEngineInterface = require('./interfaces/analysis-engine.interface');
 const SunlintRuleAdapter = require('./adapters/sunlint-rule-adapter');
+const PerformanceOptimizer = require('./performance-optimizer');
 
 class AnalysisOrchestrator {
   constructor() {
@@ -18,6 +19,7 @@ class AnalysisOrchestrator {
     this.defaultTimeout = 30000; // 30 seconds default timeout
     this.ruleAdapter = SunlintRuleAdapter.getInstance();
     this.enginesConfigPath = path.join(__dirname, '..', 'config', 'engines', 'engines.json');
+    this.performanceOptimizer = new PerformanceOptimizer();
   }
 
   /**
@@ -171,14 +173,35 @@ class AnalysisOrchestrator {
         throw new Error('No analysis engines registered');
       }
 
+      // Initialize performance optimizer
+      await this.performanceOptimizer.initialize(config);
+
+      // Apply performance optimizations to files and rules
+      const { optimizedFiles, optimizedRules, performanceMetrics } = 
+        await this.performanceOptimizer.optimizeAnalysis(
+          options.files || [options.input], 
+          rulesToRun, 
+          config
+        );
+
+      if (!options.quiet) {
+        console.log(chalk.cyan(`🔍 Analyzing ${optimizedRules.length} rules on ${optimizedFiles.length} files...`));
+        if (performanceMetrics.filteredFiles > 0) {
+          console.log(chalk.gray(`   📦 Filtered ${performanceMetrics.filteredFiles} files for performance`));
+        }
+        if (performanceMetrics.ruleBatches > 1) {
+          console.log(chalk.gray(`   🔄 Using ${performanceMetrics.ruleBatches} rule batches`));
+        }
+      }
+
       // Group rules by their preferred engines
-      const engineGroups = this.groupRulesByEngine(rulesToRun, config);
+      const engineGroups = this.groupRulesByEngine(optimizedRules, config);
       
       if (!options.quiet) {
-        console.log(chalk.cyan(`🔍 Analyzing ${rulesToRun.length} rules across ${engineGroups.size} engines...`));
+        console.log(chalk.cyan(`🚀 Running analysis across ${engineGroups.size} engines...`));
       }
 
-      // Run analysis on each engine
+      // Run analysis on each engine with batching
       const results = [];
       for (const [engineName, rules] of engineGroups) {
         const engine = this.engines.get(engineName);
@@ -187,35 +210,64 @@ class AnalysisOrchestrator {
           continue;
         }
 
-        if (!options.quiet) {
-          console.log(chalk.blue(`⚙️ Running ${rules.length} rules on ${engineName} engine...`));
-        }
-
-        try {
-          const engineResult = await this.runEngineWithTimeout(
-            engine, 
-            options.files || [options.input], 
-            rules, 
-            options
-          );
-          
-          results.push({
-            engine: engineName,
-            rules: rules.map(r => r.id),
-            ...engineResult
-          });
+        // Process rules in batches for performance
+        const ruleBatches = this.performanceOptimizer.createRuleBatches(rules, config);
+        
+        for (let i = 0; i < ruleBatches.length; i++) {
+          const batch = ruleBatches[i];
+          const batchNumber = i + 1;
           
-          if (!options.quiet) {
-            const violationCount = this.countViolations(engineResult);
-            console.log(chalk.blue(`✅ ${engineName}: ${violationCount} violations found`));
+          if (!options.quiet && ruleBatches.length > 1) {
+            console.log(chalk.blue(`⚙️ ${engineName} - Batch ${batchNumber}/${ruleBatches.length}: ${batch.length} rules`));
+          } else if (!options.quiet) {
+            console.log(chalk.blue(`⚙️ Running ${batch.length} rules on ${engineName} engine...`));
+          }
+
+          try {
+            const engineResult = await this.runEngineWithOptimizations(
+              engine, 
+              optimizedFiles, 
+              batch, 
+              options,
+              { batchNumber, totalBatches: ruleBatches.length }
+            );
+            
+            results.push({
+              engine: engineName,
+              batch: batchNumber,
+              rules: batch.map(r => r.id),
+              ...engineResult
+            });
+            
+            if (!options.quiet) {
+              const violationCount = this.countViolations(engineResult);
+              console.log(chalk.blue(`✅ ${engineName} batch ${batchNumber}: ${violationCount} violations found`));
+            }
+          } catch (error) {
+            // Enhanced error recovery with batch context
+            const errorInfo = this.performanceOptimizer.handleAnalysisError(error, {
+              engine: engineName,
+              batch: batchNumber,
+              rules: batch.map(r => r.id),
+              files: optimizedFiles.length
+            });
+            
+            console.error(chalk.red(`❌ Engine ${engineName} batch ${batchNumber} failed:`), errorInfo.message);
+            
+            if (errorInfo.shouldRetry && !options.noRetry) {
+              console.log(chalk.yellow(`🔄 Retrying with reduced batch size...`));
+              // Split batch and retry - implement recursive retry logic here
+            }
+            // Continue with other batches instead of failing completely
           }
-        } catch (error) {
-          console.error(chalk.red(`❌ Engine ${engineName} failed:`), error.message);
-          // Continue with other engines instead of failing completely
         }
       }
 
-      return this.mergeEngineResults(results, options);
+      // Merge results and add performance metrics
+      const mergedResults = this.mergeEngineResults(results, options);
+      mergedResults.performance = performanceMetrics;
+      
+      return mergedResults;
       
     } catch (error) {
       console.error(chalk.red('❌ Analysis orchestration failed:'), error.message);
@@ -293,6 +345,12 @@ class AnalysisOrchestrator {
   getEnginePreference(rule, config) {
     // If user specified a specific engine via --engine option, use only that engine
     if (config.requestedEngine) {
+      // Handle "auto" engine selection
+      if (config.requestedEngine === 'auto') {
+        // Auto-select best engines: default to heuristic, add eslint for JS/TS
+        return ['heuristic', 'eslint'];
+      }
+      
       return [config.requestedEngine];
     }
 
@@ -393,23 +451,68 @@ class AnalysisOrchestrator {
   }
 
   /**
-   * Run engine analysis with timeout protection
+   * Run engine analysis with timeout protection and performance optimizations
    * Following Rule C006: Verb-noun naming
    * @param {AnalysisEngineInterface} engine - Engine to run
    * @param {string[]} files - Files to analyze
    * @param {Object[]} rules - Rules to apply
    * @param {Object} options - Analysis options
+   * @param {Object} batchInfo - Batch context information
    * @returns {Promise<Object>} Engine results
    */
-  async runEngineWithTimeout(engine, files, rules, options) {
-    const timeout = options.timeout || this.defaultTimeout;
+  async runEngineWithOptimizations(engine, files, rules, options, batchInfo = {}) {
+    // Dynamic timeout based on file count and rules
+    const adaptiveTimeout = this.performanceOptimizer.calculateAdaptiveTimeout(
+      files.length, 
+      rules.length, 
+      options.timeout || this.defaultTimeout
+    );
     
-    return Promise.race([
-      engine.analyze(files, rules, options),
-      new Promise((_, reject) => 
-        setTimeout(() => reject(new Error(`Engine ${engine.name} timed out after ${timeout}ms`)), timeout)
-      )
-    ]);
+    const enhancedOptions = {
+      ...options,
+      timeout: adaptiveTimeout,
+      batchInfo
+    };
+
+    try {
+      return await Promise.race([
+        engine.analyze(files, rules, enhancedOptions),
+        new Promise((_, reject) => 
+          setTimeout(() => reject(new Error(
+            `Engine ${engine.name} batch ${batchInfo.batchNumber || 1} timed out after ${adaptiveTimeout}ms`
+          )), adaptiveTimeout)
+        )
+      ]);
+    } catch (error) {
+      // Enhanced error context for debugging
+      const errorContext = {
+        engine: engine.name,
+        filesCount: files.length,
+        rulesCount: rules.length,
+        timeout: adaptiveTimeout,
+        batch: batchInfo
+      };
+      
+      // Wrap error with context
+      const enhancedError = new Error(`${error.message} (Context: ${JSON.stringify(errorContext)})`);
+      enhancedError.originalError = error;
+      enhancedError.context = errorContext;
+      
+      throw enhancedError;
+    }
+  }
+
+  /**
+   * Run engine analysis with timeout protection (legacy method for backward compatibility)
+   * Following Rule C006: Verb-noun naming
+   * @param {AnalysisEngineInterface} engine - Engine to run
+   * @param {string[]} files - Files to analyze
+   * @param {Object[]} rules - Rules to apply
+   * @param {Object} options - Analysis options
+   * @returns {Promise<Object>} Engine results
+   */
+  async runEngineWithTimeout(engine, files, rules, options) {
+    return this.runEngineWithOptimizations(engine, files, rules, options);
   }
 
   /**
@@ -425,6 +528,7 @@ class AnalysisOrchestrator {
       results: [],
       summary: {
         totalEngines: engineResults.length,
+        totalBatches: engineResults.length,
         totalViolations: 0,
         totalFiles: 0,
         engines: {}
@@ -436,8 +540,13 @@ class AnalysisOrchestrator {
       }
     };
 
+    // Track unique engines for summary
+    const uniqueEngines = new Set();
+
     // Combine results from all engines
     for (const engineResult of engineResults) {
+      uniqueEngines.add(engineResult.engine);
+      
       // Add engine-specific results
       if (engineResult.results) {
         mergedResults.results.push(...engineResult.results);
@@ -445,16 +554,30 @@ class AnalysisOrchestrator {
       
       // Track engine statistics
       const violationCount = this.countViolations(engineResult);
-      mergedResults.summary.engines[engineResult.engine] = {
-        rules: engineResult.rules || [],
-        violations: violationCount,
-        files: engineResult.filesAnalyzed || 0
-      };
+      const engineName = engineResult.engine;
+      
+      if (!mergedResults.summary.engines[engineName]) {
+        mergedResults.summary.engines[engineName] = {
+          rules: [],
+          violations: 0,
+          files: 0,
+          batches: 0
+        };
+      }
+      
+      // Accumulate engine statistics across batches
+      mergedResults.summary.engines[engineName].rules.push(...(engineResult.rules || []));
+      mergedResults.summary.engines[engineName].violations += violationCount;
+      mergedResults.summary.engines[engineName].files += engineResult.filesAnalyzed || 0;
+      mergedResults.summary.engines[engineName].batches += 1;
       
       mergedResults.summary.totalViolations += violationCount;
       mergedResults.summary.totalFiles += engineResult.filesAnalyzed || 0;
     }
 
+    // Update unique engine count
+    mergedResults.summary.totalEngines = uniqueEngines.size;
+
     return mergedResults;
   }
 
@@ -517,7 +640,7 @@ class AnalysisOrchestrator {
   }
 
   /**
-   * Cleanup all engines
+   * Cleanup all engines and performance optimizer
    * Following Rule C006: Verb-noun naming
    * @returns {Promise<void>}
    */
@@ -529,6 +652,14 @@ class AnalysisOrchestrator {
         console.warn(chalk.yellow(`⚠️ Failed to cleanup engine ${engine.id}:`), error.message);
       }
     }
+    
+    // Cleanup performance optimizer
+    try {
+      await this.performanceOptimizer.cleanup();
+    } catch (error) {
+      console.warn(chalk.yellow(`⚠️ Failed to cleanup performance optimizer:`), error.message);
+    }
+    
     this.initialized = false;
     console.log(chalk.blue('🧹 Engine cleanup completed'));
   }