@vibecheckai/cli 3.2.0 → 3.2.2

package/bin/runners/lib/analyzers.js

@@ -1,167 +1,686 @@
 // bin/runners/lib/analyzers.js
+"use strict";
+
 const fs = require("fs");
 const path = require("path");
 const fg = require("fast-glob");
 const crypto = require("crypto");
+const { URL } = require("url");
 const parser = require("@babel/parser");
 const traverse = require("@babel/traverse").default;
 const t = require("@babel/types");
+
 const { routeMatches } = require("./claims");
 const { matcherCoversPath } = require("./auth-truth");
 
+/* ============================================================================
+ * WORLD-CLASS INFRA HELPERS
+ * - file caching (speed + consistent evidence)
+ * - stable IDs (diff-friendly)
+ * - safe regex usage (fixes /g + .test() state bugs)
+ * - memory management (clearFileCache for monorepos)
+ * ========================================================================== */
+
+const _FILE_TEXT = new Map();
+const _FILE_LINES = new Map();
+
+function readFileCached(fileAbs) {
+  if (_FILE_TEXT.has(fileAbs)) return _FILE_TEXT.get(fileAbs);
+  const txt = fs.readFileSync(fileAbs, "utf8");
+  _FILE_TEXT.set(fileAbs, txt);
+  return txt;
+}
+
+function readLinesCached(fileAbs) {
+  if (_FILE_LINES.has(fileAbs)) return _FILE_LINES.get(fileAbs);
+  const lines = readFileCached(fileAbs).split(/\r?\n/);
+  _FILE_LINES.set(fileAbs, lines);
+  return lines;
+}
+
+/**
+ * V3: Clear file cache to prevent memory leaks in large monorepos.
+ * Call this after a scan completes or between major steps.
+ */
+function clearFileCache() {
+  _FILE_TEXT.clear();
+  _FILE_LINES.clear();
+}
+
+/**
+ * V3: Shannon Entropy calculator for detecting high-randomness strings (likely secrets).
+ * Entropy > 4.5 typically indicates a random/secret string vs structured data.
+ * Git SHAs (hex only) have lower effective entropy due to limited charset.
+ */
+function getShannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const len = str.length;
+  const frequencies = {};
+  for (let i = 0; i < len; i++) {
+    const char = str[i];
+    frequencies[char] = (frequencies[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  for (const char in frequencies) {
+    const p = frequencies[char] / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
 function sha256(text) {
-  return "sha256:" + crypto.createHash("sha256").update(text).digest("hex");
+  return "sha256:" + crypto.createHash("sha256").update(String(text || "")).digest("hex");
+}
+
+function stableId(prefix, key) {
+  const h = crypto.createHash("sha256").update(String(key || "")).digest("hex").slice(0, 10);
+  return `${prefix}_${h}`;
 }
 
-function parseFile(code) {
-  return parser.parse(code, { sourceType: "unambiguous", plugins: ["typescript", "jsx"] });
+// IMPORTANT: /g + .test() is stateful. This helper makes it deterministic.
+function rxTest(rx, s) {
+  if (!rx) return false;
+  rx.lastIndex = 0;
+  return rx.test(s);
+}
+
+function parseFile(code, fileAbsForErrors = "") {
+  // Error recovery avoids hard-failing on mixed TS/JS/JSX edge cases.
+  return parser.parse(code, {
+    sourceType: "unambiguous",
+    errorRecovery: true,
+    allowReturnOutsideFunction: true,
+    plugins: [
+      "typescript",
+      "jsx",
+      "dynamicImport",
+      "topLevelAwait",
+      "classProperties",
+      "classPrivateProperties",
+      "classPrivateMethods",
+      "decorators-legacy",
+      "optionalChaining",
+      "nullishCoalescingOperator",
+    ],
+  });
 }
 
 function evidenceFromLoc(fileAbs, repoRoot, loc, reason) {
   if (!loc) return null;
   const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-  const lines = fs.readFileSync(fileAbs, "utf8").split(/\r?\n/);
+  const lines = readLinesCached(fileAbs);
   const start = Math.max(1, loc.start?.line || 1);
   const end = Math.max(start, loc.end?.line || start);
   const snippet = lines.slice(start - 1, end).join("\n");
-  return { id: `ev_${crypto.randomBytes(4).toString("hex")}`, file: fileRel, lines: `${start}-${end}`, snippetHash: sha256(snippet), reason };
+  return {
+    id: stableId("ev", `${fileRel}:${start}-${end}:${reason || ""}:${sha256(snippet)}`),
+    file: fileRel,
+    lines: `${start}-${end}`,
+    snippetHash: sha256(snippet),
+    reason,
+  };
+}
+
+/* ============================================================================
+ * ROUTE GAP ENGINE (world-class missing route logic)
+ * ========================================================================== */
+
+function safeUrlParse(maybeUrl) {
+  try {
+    // URL() needs protocol; allow //host/path too
+    if (typeof maybeUrl !== "string") return null;
+    if (/^https?:\/\//i.test(maybeUrl)) return new URL(maybeUrl);
+    if (/^\/\//.test(maybeUrl)) return new URL("https:" + maybeUrl);
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+function normalizePath(raw) {
+  if (!raw) return "/";
+  let p = String(raw).trim();
+
+  // If full URL, strip to pathname.
+  const u = safeUrlParse(p);
+  if (u) p = u.pathname || "/";
+
+  // Strip query/hash if present
+  p = p.split("?")[0].split("#")[0];
+
+  // Decode safely
+  try {
+    p = decodeURIComponent(p);
+  } catch {
+    // keep original
+  }
+
+  // Ensure leading slash
+  if (!p.startsWith("/")) p = "/" + p;
+
+  // Collapse duplicate slashes
+  p = p.replace(/\/{2,}/g, "/");
+
+  // Remove trailing slash (except root)
+  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
+
+  return p;
+}
+
+function pathLooksLikeAsset(p) {
+  const s = String(p || "");
+  // Common Next/static + file extensions that are not API routes
+  if (/^\/(_next|static|assets)\b/i.test(s)) return true;
+  if (/\.(png|jpg|jpeg|gif|webp|svg|ico|css|js|map|txt|xml|woff2?|ttf|eot)$/i.test(s)) return true;
+  return false;
+}
+
+function isInternalUtilityRoute(p) {
+  return !!rxTest(/^\/(health|metrics|ready|live|version|debug|internal|security|websocket|ws|admin|dashboard|_|\.)/i, p);
+}
+
+function looksInventedRoute(p) {
+  // Stuff AI loves to hallucinate - but NOT legitimate test endpoints like /test-email
+  // Only flag truly fake/placeholder routes, not common test/debug endpoints
+  if (rxTest(/^\/(fake|dummy|foo|bar|baz|xxx|yyy|placeholder|asdf|qwerty|lorem|ipsum)\b/i, p)) return true;
+  // Random hashes in path
+  if (rxTest(/\/[a-f0-9]{32,}\b/i, p)) return true;
+  // Obvious "ai generated" patterns
+  if (rxTest(/^\/(generated|auto[-_]?gen)\b/i, p)) return true;
+  // Obvious placeholder test data patterns (not legitimate /test-* endpoints)
+  if (rxTest(/\/(test123|abc123|demo123|sample123)\b/i, p)) return true;
+  return false;
+}
+
+function canonicalizeDynamicSegments(p) {
+  // Convert common dynamic segments to a stable token so "/users/123" can match "/users/:id"
+  // NOTE: This function returns a string, not a boolean - name is for canonicalization, not validation
+  const segs = normalizePath(p).split("/").filter(Boolean);
+  const canon = segs.map((seg) => {
+    if (!seg) return seg;
+    // UUID
+    if (rxTest(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i, seg)) return ":id";
+    // Numeric IDs
+    if (rxTest(/^\d{1,18}$/i, seg)) return ":id";
+    // Long hex
+    if (rxTest(/^(0x)?[0-9a-f]{16,}$/i, seg)) return ":id";
+    // Next-ish catchalls
+    if (seg === "[...slug]" || seg === "[[...slug]]") return ":slug";
+    return seg;
+  });
+  return "/" + canon.join("/");
+}
+
+function firstSegment(p) {
+  const seg = normalizePath(p).split("/").filter(Boolean)[0];
+  return seg || "";
+}
+
+function inferDominantPrefix(paths, minShare = 0.7) {
+  // Find a dominant first segment like "api" across a set of paths
+  const counts = new Map();
+  for (const p of paths) {
+    const seg = firstSegment(p);
+    if (!seg) continue;
+    counts.set(seg, (counts.get(seg) || 0) + 1);
+  }
+  let best = { seg: "", n: 0 };
+  for (const [seg, n] of counts.entries()) {
+    if (n > best.n) best = { seg, n };
+  }
+  if (!best.seg) return null;
+  const share = best.n / Math.max(1, paths.length);
+  return share >= minShare ? "/" + best.seg : null;
+}
+
+function buildServerRouteIndex(serverRoutes) {
+  // Index by method + first segment for fast shortlist
+  const byMethod = new Map(); // method -> seg -> routes[]
+  const all = [];
+
+  for (const r of serverRoutes) {
+    const method = String(r.method || "*").toUpperCase();
+    const pNorm = normalizePath(r.path);
+    const seg = firstSegment(pNorm);
+
+    const rec = { ...r, _method: method, _pathNorm: pNorm, _seg: seg, _canon: canonicalizeDynamicSegments(pNorm) };
+    all.push(rec);
+
+    if (!byMethod.has(method)) byMethod.set(method, new Map());
+    const segMap = byMethod.get(method);
+    if (!segMap.has(seg)) segMap.set(seg, []);
+    segMap.get(seg).push(rec);
+
+    // Also index wildcard bucket
+    if (!byMethod.has("*")) byMethod.set("*", new Map());
+    const w = byMethod.get("*");
+    if (!w.has(seg)) w.set(seg, []);
+    w.get(seg).push(rec);
+  }
+
+  return { byMethod, all };
+}
+
+function shortlistServerRoutes(index, method, pNorm) {
+  const m = String(method || "*").toUpperCase();
+  const seg = firstSegment(pNorm);
+
+  const pick = (meth) => {
+    const segMap = index.byMethod.get(meth);
+    if (!segMap) return [];
+    const bucket = segMap.get(seg) || [];
+    // If seg is empty or dynamic roots exist, include a fallback bucket
+    const rootBucket = segMap.get("") || [];
+    return bucket.concat(rootBucket);
+  };
+
+  // prioritize exact method, then wildcard
+  const a = pick(m);
+  const b = pick("*");
+  // de-dupe by path+method
+  const seen = new Set();
+  const out = [];
+  for (const r of a.concat(b)) {
+    const k = `${r._method}:${r._pathNorm}`;
+    if (seen.has(k)) continue;
+    seen.add(k);
+    out.push(r);
+  }
+  return out.length ? out : index.all;
+}
+
+function routeSimilarityScore(refPath, serverPathPattern) {
+  // Score 0..1 based on static segment overlap + prefix alignment
+  const a = canonicalizeDynamicSegments(refPath).split("/").filter(Boolean);
+  const b = canonicalizeDynamicSegments(serverPathPattern).split("/").filter(Boolean);
+
+  if (!a.length || !b.length) return 0;
+
+  const aStatic = a.filter((s) => !s.startsWith(":") && !s.startsWith("["));
+  const bStatic = b.filter((s) => !s.startsWith(":") && !s.startsWith("["));
+
+  const setA = new Set(aStatic);
+  const setB = new Set(bStatic);
+
+  let inter = 0;
+  for (const s of setA) if (setB.has(s)) inter++;
+
+  const union = new Set([...setA, ...setB]).size || 1;
+
+  const jaccard = inter / union;
+
+  // prefix bonus if first 1-2 segments align
+  const prefix1 = a[0] && b[0] && a[0] === b[0] ? 0.15 : 0;
+  const prefix2 = a[1] && b[1] && a[1] === b[1] ? 0.10 : 0;
+
+  // length penalty if wildly different
+  const lenPenalty = Math.min(0.25, Math.abs(a.length - b.length) * 0.05);
+
+  const score = Math.max(0, Math.min(1, jaccard + prefix1 + prefix2 - lenPenalty));
+  return score;
+}
+
+function compileAllowPatterns(patterns) {
+  const out = [];
+  for (const p of patterns || []) {
+    if (!p) continue;
+    if (p instanceof RegExp) {
+      out.push(p);
+      continue;
+    }
+    const s = String(p);
+    // Support "/.../i" style
+    const m = s.match(/^\/(.+)\/([gimsuy]*)$/);
+    if (m) {
+      try {
+        out.push(new RegExp(m[1], m[2]));
+        continue;
+      } catch {
+        // fall through
+      }
+    }
+    // Simple wildcard "*" and "?" -> regex
+    const esc = s
+      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+      .replace(/\*/g, ".*")
+      .replace(/\?/g, ".");
+    try {
+      out.push(new RegExp("^" + esc + "$", "i"));
+    } catch {
+      // ignore bad patterns
+    }
+  }
+  return out;
 }
 
 function findMissingRoutes(truthpack) {
   const findings = [];
-  const server = truthpack.routes.server || [];
-  const refs = truthpack.routes.clientRefs || [];
-  const gaps = truthpack.routes.gaps || [];
-  
-  // If we have route detection gaps, be less aggressive with BLOCKs
+
+  const server = truthpack?.routes?.server || [];
+  const refs = truthpack?.routes?.clientRefs || [];
+  const gaps = truthpack?.routes?.gaps || [];
+
   const hasGaps = gaps.length > 0;
-  
-  // In monorepos/microservices, many client refs may be to external services
-  // Only flag routes that look clearly invented/hallucinated
-  const serverRouteCount = server.length;
-  const clientRefCount = refs.length;
-  
-  // If client refs >> server routes, this is likely a monorepo or microservice architecture
-  // Be very lenient in this case
-  const isLikelyMonorepo = clientRefCount > serverRouteCount * 3;
-  
-  // Build a set of known route path prefixes for smarter matching
-  const knownPrefixes = new Set();
-  for (const r of server) {
-    const parts = r.path.split('/').filter(Boolean);
-    if (parts.length >= 2) {
-      knownPrefixes.add('/' + parts[0] + '/' + parts[1]);
+
+  // Allowlist/suppressions (lets users kill known false positives cleanly)
+  const allowMethods = new Set((truthpack?.routes?.allowlistMethods || []).map((m) => String(m).toUpperCase()));
+  const allowPatterns = compileAllowPatterns(truthpack?.routes?.allowlist || truthpack?.routes?.allowlistPatterns || []);
+  const ignorePatterns = compileAllowPatterns(truthpack?.routes?.ignore || truthpack?.routes?.ignorePatterns || []);
+
+  const isSuppressed = (method, pNorm) => {
+    const m = String(method || "*").toUpperCase();
+    if (allowMethods.size && !allowMethods.has(m) && !allowMethods.has("*")) {
+      // method not allowed by allowMethods -> don't suppress
     }
-    if (parts.length >= 1) {
-      knownPrefixes.add('/' + parts[0]);
+    for (const rx of ignorePatterns) if (rxTest(rx, `${m} ${pNorm}`) || rxTest(rx, pNorm)) return true;
+    for (const rx of allowPatterns) if (rxTest(rx, `${m} ${pNorm}`) || rxTest(rx, pNorm)) return true;
+    return false;
+  };
+
+  const serverCount = server.length;
+  const refCount = refs.length;
+
+  // Monorepo heuristic (keep, but make it less dumb)
+  const isLikelyMonorepo = refCount > Math.max(30, serverCount * 2.5);
+
+  const serverPaths = server.map((r) => normalizePath(r.path));
+  const refPaths = refs.map((r) => normalizePath(r.path));
+
+  // Dominant prefixes (commonly "/api")
+  const dominantServerPrefix = inferDominantPrefix(serverPaths, 0.7);
+  const dominantRefPrefix = inferDominantPrefix(refPaths, 0.7);
+
+  const serverPrefix = dominantServerPrefix || null;
+  const refPrefix = dominantRefPrefix || null;
+
+  const index = buildServerRouteIndex(server);
+
+  // Route-map quality gating:
+  // If we have unresolved gaps or tiny server map, DO NOT BLOCK unless obviously invented.
+  const routeMapQuality =
+    serverCount >= 10 && !hasGaps ? "strong" :
+    serverCount >= 5 ? "medium" :
+    "weak";
+
+  // More generous caps (but still bounded)
+  const MAX_WARNINGS = isLikelyMonorepo ? 35 : 60;
+  const MAX_BLOCKS = 15;
+
+  let warnCount = 0;
+  let blockCount = 0;
+
+  // Summaries to help you fix extraction instead of drowning in noise
+  const unmatchedByPrefix = new Map();
+  const externalRefs = [];
+
+  function addUnmatchedPrefix(pNorm) {
+    const seg = firstSegment(pNorm) || "/";
+    unmatchedByPrefix.set(seg, (unmatchedByPrefix.get(seg) || 0) + 1);
+  }
+
+  function tryMatch(method, pNorm) {
+    const shortlist = shortlistServerRoutes(index, method, pNorm);
+
+    // Try exact + canonicalized matching
+    const pCanon = canonicalizeDynamicSegments(pNorm);
+
+    for (const r of shortlist) {
+      if (routeMatches(r, method, pNorm) || routeMatches(r, "*", pNorm)) return { ok: true, matched: r };
+      // Try canonicalized path vs canonicalized server path
+      if (routeMatches({ ...r, path: r._canon }, method, pCanon) || routeMatches({ ...r, path: r._canon }, "*", pCanon)) {
+        return { ok: true, matched: r, usedCanon: true };
+      }
     }
+    return { ok: false };
   }
 
-  // Track how many warnings we emit - show more to demonstrate value
-  let warningCount = 0;
-  const MAX_WARNINGS = 50; // Show more to demonstrate thoroughness
+  function closestSuggestions(method, pNorm) {
+    // Use a bounded scan: shortlist first, then broaden if needed
+    const shortlist = shortlistServerRoutes(index, method, pNorm);
+    const pool = shortlist.length ? shortlist : index.all;
+
+    const scored = pool
+      .map((r) => ({ r, score: routeSimilarityScore(pNorm, r._pathNorm) }))
+      .sort((a, b) => b.score - a.score)
+      .slice(0, 3);
+
+    return scored.filter((x) => x.score >= 0.35).map((x) => ({
+      method: x.r._method,
+      path: x.r._pathNorm,
+      score: Number(x.score.toFixed(2)),
+    }));
+  }
+
+  function detectMethodMismatch(pNorm, method) {
+    // If the path exists but only under other method(s), that's not "missing route"
+    const methods = ["GET", "POST", "PUT", "PATCH", "DELETE", "*"];
+    const hits = [];
+    for (const m of methods) {
+      if (String(m) === String(method).toUpperCase()) continue;
+      const res = tryMatch(m, pNorm);
+      if (res.ok) hits.push(m);
+    }
+    return hits.length ? hits : null;
+  }
 
   for (const ref of refs) {
-    const method = ref.method || "*";
-    const p = ref.path;
+    const rawPath = ref?.path;
+    const method = String(ref?.method || "*").toUpperCase();
 
-    const ok = server.some(r => routeMatches(r, method, p) || routeMatches(r, "*", p));
-    if (ok) continue;
-    
-    // Check if route shares a prefix with known routes (might be undetected sibling)
-    const refParts = p.split('/').filter(Boolean);
-    const refPrefix1 = refParts.length >= 1 ? '/' + refParts[0] : '/';
-    const refPrefix2 = refParts.length >= 2 ? '/' + refParts[0] + '/' + refParts[1] : refPrefix1;
-    const sharesPrefix = knownPrefixes.has(refPrefix1) || knownPrefixes.has(refPrefix2);
-    
-    // In monorepos, still show routes but as warnings (demonstrates thoroughness)
-    // Skip only if route EXACTLY matches a known prefix AND monorepo
-    if (sharesPrefix && isLikelyMonorepo && warningCount > MAX_WARNINGS) continue;
-    
-    // Determine severity based on confidence and context
-    // Only BLOCK for clearly invented routes
+    // Normalize & classify
+    const u = safeUrlParse(rawPath);
+    const pNorm = normalizePath(rawPath);
+
+    // Skip asset-ish refs
+    if (pathLooksLikeAsset(pNorm)) continue;
+
+    // External refs: if full URL and host isn't localhost, treat as external service.
+    if (u && u.host && !/^(localhost|127\.0\.0\.1)(:\d+)?$/i.test(u.host)) {
+      externalRefs.push({ host: u.host, method, path: pNorm, evidence: ref.evidence || [] });
+      continue;
+    }
+
+    // Skip suppressed
+    if (isSuppressed(method, pNorm)) continue;
+
+    // Build candidate variants (this kills a lot of false positives)
+    const candidates = new Set();
+    candidates.add(pNorm);
+
+    // trailing slash variant
+    if (pNorm.length > 1) {
+      candidates.add(pNorm + "/");
+      candidates.add(pNorm.replace(/\/+$/g, ""));
+    }
+
+    // Toggle dominant server prefix (ex: /api) if mismatch likely
+    if (serverPrefix && serverPrefix !== "/" && !pNorm.startsWith(serverPrefix + "/") && pNorm !== serverPrefix) {
+      candidates.add(normalizePath(serverPrefix + pNorm));
+    }
+    if (serverPrefix && serverPrefix !== "/" && pNorm.startsWith(serverPrefix + "/")) {
+      candidates.add(normalizePath(pNorm.slice(serverPrefix.length)));
+    }
+
+    // Toggle dominant ref prefix similarly (sometimes refs have /api but server routes stored without it)
+    if (refPrefix && refPrefix !== "/" && !pNorm.startsWith(refPrefix + "/") && pNorm !== refPrefix) {
+      candidates.add(normalizePath(refPrefix + pNorm));
+    }
+    if (refPrefix && refPrefix !== "/" && pNorm.startsWith(refPrefix + "/")) {
+      candidates.add(normalizePath(pNorm.slice(refPrefix.length)));
+    }
+
+    // Canonicalized variant
+    candidates.add(canonicalizeDynamicSegments(pNorm));
+
+    // Try match all candidates
+    let matched = null;
+    let usedCanon = false;
+    for (const cand of candidates) {
+      const res = tryMatch(method, cand);
+      if (res.ok) {
+        matched = res.matched;
+        usedCanon = !!res.usedCanon;
+        break;
+      }
+    }
+    if (matched) continue;
+
+    addUnmatchedPrefix(pNorm);
+
+    // Method mismatch detection (not missing route)
+    const methodMismatch = detectMethodMismatch(pNorm, method);
+    if (methodMismatch) {
+      // Keep as WARN (not missing route) — reduces noise dramatically
+      if (warnCount >= MAX_WARNINGS) continue;
+      warnCount++;
+
+      findings.push({
+        id: stableId("F_ROUTE_METHOD_MISMATCH", `${method} ${pNorm}`),
+        severity: "WARN",
+        category: "MissingRoute",
+        title: `Method mismatch for route: ${method} ${pNorm}`,
+        why: `A server route exists for this path, but not for method ${method}. This is often a client bug or an incorrect assumption.`,
+        confidence: routeMapQuality === "strong" ? "high" : "med",
+        evidence: ref.evidence || [],
+        fixHints: [
+          `Check the client call method. Server supports: ${methodMismatch.join(", ")} for ${pNorm}`,
+          "If this is intentional, update the server to accept this method or adjust the client.",
+        ],
+      });
+      continue;
+    }
+
+    const invented = looksInventedRoute(pNorm);
+    const internal = isInternalUtilityRoute(pNorm);
+
+    // Similarity suggestions
+    const suggestions = closestSuggestions(method, pNorm);
+
+    // Confidence + severity gating
+    let confidence = "low";
     let severity = "WARN";
-    
-    // Only BLOCK if the route looks clearly invented/hallucinated
-    const looksInvented = /\/(fake|test|mock|dummy|example|foo|bar|baz|xxx|yyy|placeholder|asdf|qwerty|lorem|ipsum)/i.test(p);
-    const looksGenerated = /\/[a-f0-9]{32,}/i.test(p); // Random hash in path
-    
-    if (looksInvented || looksGenerated) {
+
+    if (invented && !internal) {
       severity = "BLOCK";
-    }
-    
-    // Always WARN (not BLOCK) for common internal/utility routes
-    const isInternalRoute = /^\/(health|metrics|ready|live|version|debug|internal|suggestions|security|analyze|websocket|dashboard|admin|_|\.)/i.test(p);
-    if (isInternalRoute) {
+      confidence = "high";
+    } else if (routeMapQuality === "strong" && !isLikelyMonorepo && !internal) {
+      // Only escalate if route map quality is strong and it doesn't look like a monorepo
+      const best = suggestions[0]?.score ?? 0;
+      // If there's no close suggestion, it's more likely actually missing
+      if (best < 0.40) {
+        severity = "WARN"; // keep WARN by default; you can flip to BLOCK if you want
+        confidence = "med";
+      } else {
+        confidence = "low";
+      }
+    } else {
+      confidence = "low";
       severity = "WARN";
     }
-    
-    // Cap warnings to avoid noise
-    if (severity === "WARN") {
-      if (warningCount >= MAX_WARNINGS) continue;
-      warningCount++;
+
+    // caps
+    if (severity === "BLOCK") {
+      if (blockCount >= MAX_BLOCKS) continue;
+      blockCount++;
+    } else {
+      if (warnCount >= MAX_WARNINGS) continue;
+      warnCount++;
     }
 
+    const didYouMean = suggestions.length
+      ? `Closest server routes: ${suggestions.map((s) => `${s.method} ${s.path} (${s.score})`).join(" • ")}`
+      : "No close server route candidates were found (based on static segment similarity).";
+
     findings.push({
-      id: `F_MISSING_ROUTE_${String(findings.length + 1).padStart(3, "0")}`,
+      id: stableId("F_MISSING_ROUTE", `${method} ${pNorm}`),
       severity,
       category: "MissingRoute",
-      title: `Client references route that does not exist: ${method} ${p}`,
-      why: severity === "BLOCK" 
-        ? "AI frequently invents endpoints. Shipping this = broken flows (404 / silent failure)."
-        : "Route reference found but server route not detected. May be a false positive in monorepo/microservice setups.",
-      confidence: severity === "BLOCK" ? "high" : "low",
+      title: `Client references route not found in detected server map: ${method} ${pNorm}`,
+      why:
+        severity === "BLOCK"
+          ? "This looks invented. Shipping this will break flows (404 / silent failure)."
+          : routeMapQuality === "weak" || hasGaps
+            ? "Route reference didn't match the detected server map. Route detection may be incomplete (dynamic registration, plugins, prefixes)."
+            : "Route reference didn't match the detected server map. This can be a real missing endpoint or an undetected server route.",
+      confidence,
       evidence: ref.evidence || [],
       fixHints: [
-        "Update the client call to a real server route (see route map).",
-        "If the route exists but wasn't detected, it may use dynamic registration.",
-        "If this is an external service, this warning can be ignored."
-      ]
+        didYouMean,
+        usedCanon ? "Note: matching tried canonicalized ID segments (/:id normalization)." : "Matching tried normalization (origin/query/trailing slash/prefix toggles).",
+        hasGaps ? `Route map had ${gaps.length} unresolved sources; fix route extraction to reduce false positives.` : "If this is a real endpoint, add it server-side or correct the client call.",
+        isLikelyMonorepo ? "Monorepo/microservices likely: consider allowlisting external services or feeding service domains into truthpack." : "If this is an external service call, store it as external/allowlisted so it won't be flagged.",
+      ],
     });
   }
 
-  // If route scan had gaps, add a WARN so users know why some routes may be unknown
+  // Route map diagnostics (actionable, reduces "blame the analyzer" loops)
   if (hasGaps) {
     findings.push({
-      id: `F_ROUTE_MAP_GAPS_001`,
+      id: stableId("F_ROUTE_MAP_GAPS", String(gaps.length)),
       severity: "WARN",
       category: "RouteMapGaps",
-      title: `Route map incomplete (${gaps.length} unresolved sources)`,
-      why: "Some routes may not be detected due to dynamic registration or unresolved plugins.",
-      confidence: "low",
+      title: `Route map incomplete (${gaps.length} unresolved route sources)`,
+      why: "Dynamic registration, unresolved plugin imports, or non-standard routing prevented complete detection. Missing route findings may be false positives.",
+      confidence: "med",
       evidence: [],
       fixHints: [
-        "Routes registered dynamically or via unresolved imports may not be detected.",
-        "Consider using explicit route registration for better static analysis.",
-        "Run with --verbose to see detection gaps."
-      ]
+        "Fix route extraction: resolve Fastify plugins and prefix registration (fastify.register(...,{ prefix })) and inline fastify.get/post routes.",
+        "If using Next App Router: ensure route handlers (app/**/route.ts) are included in server route extraction.",
+        "Add allowlistPatterns for external services to silence expected gaps.",
+      ],
     });
   }
-  
-  // If we capped warnings, note that
-  if (warningCount >= MAX_WARNINGS) {
+
+  // External refs summary (useful in microservices)
+  if (externalRefs.length) {
+    const topHosts = new Map();
+    for (const r of externalRefs) topHosts.set(r.host, (topHosts.get(r.host) || 0) + 1);
+    const hostSummary = [...topHosts.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5)
+      .map(([h, n]) => `${h} (${n})`).join(", ");
+
     findings.push({
-      id: `F_MISSING_ROUTE_CAPPED`,
-      severity: "WARN",
+      id: stableId("F_EXTERNAL_ROUTE_REFS", hostSummary),
+      severity: "INFO",
       category: "MissingRoute",
-      title: `${clientRefCount - serverRouteCount - MAX_WARNINGS} additional unmatched routes not shown`,
-      why: "Many client references don't match detected server routes. This is common in monorepos/microservices.",
-      confidence: "low",
+      title: `External service routes detected in client refs (${externalRefs.length})`,
+      why: "These are full-URL calls to non-local hosts; they are not expected to match server route maps.",
+      confidence: "high",
       evidence: [],
       fixHints: [
-        "This codebase appears to be a monorepo or use microservices.",
-        "Many client refs may be to external services not detected by static analysis.",
-        "Use vibecheck scan --allowlist to suppress known false positives."
-      ]
+        `Top hosts: ${hostSummary}`,
+        "If you want to validate external APIs, add a separate analyzer that checks OpenAPI/spec contracts for those services.",
+        "Optionally add allowlistPatterns like '/^https?:\\/\\/(api\\.stripe\\.com|...)/' at truthpack.routes.allowlistPatterns.",
+      ],
+    });
+  }
+
+  // Biggest unmatched prefixes (points directly at extraction gaps)
+  if (unmatchedByPrefix.size) {
+    const top = [...unmatchedByPrefix.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5);
+    const summary = top.map(([k, v]) => `${k}:${v}`).join(" • ");
+    findings.push({
+      id: stableId("F_ROUTE_UNMATCHED_PREFIXES", summary),
+      severity: "INFO",
+      category: "MissingRoute",
+      title: "Unmatched client route prefixes (helps fix extraction/allowlists)",
+      why: "When one prefix dominates unmatched refs, it usually means server extraction missed a router/plugin prefix or the client is calling a different service.",
+      confidence: "med",
+      evidence: [],
+      fixHints: [
+        `Top unmatched prefixes: ${summary}`,
+        serverPrefix ? `Dominant server prefix inferred: ${serverPrefix}` : "No dominant server prefix detected.",
+        "If these should be local, improve route extraction for that prefix (Fastify register(prefix), Next middleware rewrites, basePath, etc.).",
+      ],
     });
   }
 
   return findings;
 }
 
-// ============================================================================
-// ENV GAPS ANALYZER
-// ============================================================================
+/* ============================================================================
+ * ENV GAPS ANALYZER (tightened + fewer false positives)
+ * ========================================================================== */
 
 function findEnvGaps(truthpack) {
   const findings = [];
@@ -169,163 +688,162 @@ function findEnvGaps(truthpack) {
   const declared = new Set(truthpack?.env?.declared || []);
   const declaredSources = truthpack?.env?.declaredSources || [];
 
-  // Well-known system/CI env vars that shouldn't be flagged as undeclared
+  // Well-known system/CI env vars that shouldn't be flagged
   const systemEnvVars = new Set([
-    // System
-    'HOME', 'USER', 'PATH', 'PWD', 'SHELL', 'TERM', 'LANG', 'TZ', 'TMPDIR', 'TEMP', 'TMP',
-    'COLORTERM', 'FORCE_COLOR', 'NO_COLOR', 'TERM_PROGRAM', 'TERM_PROGRAM_VERSION',
-    // Windows
-    'APPDATA', 'LOCALAPPDATA', 'USERPROFILE', 'COMPUTERNAME', 'USERNAME', 'HOMEDRIVE', 'HOMEPATH',
-    'SYSTEMROOT', 'WINDIR', 'PROGRAMFILES', 'PROGRAMDATA', 'COMMONPROGRAMFILES',
-    // Node.js
-    'NODE_ENV', 'NODE_OPTIONS', 'NODE_PATH', 'NODE_DEBUG', 'NODE_NO_WARNINGS',
-    // CI/CD platforms
-    'CI', 'CONTINUOUS_INTEGRATION', 'BUILD_NUMBER', 'BUILD_ID',
-    'GITHUB_ACTIONS', 'GITHUB_WORKFLOW', 'GITHUB_RUN_ID', 'GITHUB_RUN_NUMBER', 'GITHUB_SHA', 'GITHUB_REF',
-    'GITLAB_CI', 'CI_COMMIT_SHA', 'CI_PIPELINE_ID', 'CI_JOB_ID',
-    'CIRCLECI', 'CIRCLE_BUILD_NUM', 'CIRCLE_SHA1', 'CIRCLE_BRANCH',
-    'TRAVIS', 'TRAVIS_BUILD_NUMBER', 'TRAVIS_COMMIT',
-    'JENKINS_URL', 'BUILD_TAG', 'GIT_COMMIT',
-    'BUILDKITE', 'BUILDKITE_BUILD_NUMBER', 'BUILDKITE_COMMIT',
-    'CODEBUILD_BUILD_ID', 'CODEBUILD_RESOLVED_SOURCE_VERSION',
-    'VERCEL', 'VERCEL_ENV', 'VERCEL_URL', 'VERCEL_GIT_COMMIT_SHA',
-    'NETLIFY', 'CONTEXT', 'DEPLOY_PRIME_URL',
-    'RAILWAY_ENVIRONMENT', 'RAILWAY_GIT_COMMIT_SHA',
-    'HEROKU', 'DYNO', 'RENDER', 'FLY_APP_NAME',
-    // CI user info
-    'GITHUB_ACTOR', 'GITLAB_USER_LOGIN', 'GITLAB_USER_NAME', 'GITLAB_USER_EMAIL',
-    // Network/proxy
-    'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY', 'http_proxy', 'https_proxy', 'no_proxy',
-    'HOSTNAME', 'HOST',
-    // Debug/logging
-    'DEBUG', 'VERBOSE', 'LOG_LEVEL',
-    // Editor/IDE
-    'EDITOR', 'VISUAL', 'VSCODE_PID', 'TERM_SESSION_ID',
-    // Common optional vars that are often checked but not required
-    'PORT', 'npm_package_version', 'npm_package_name',
+    "HOME","USER","PATH","PWD","SHELL","TERM","LANG","TZ","TMPDIR","TEMP","TMP","COLORTERM","FORCE_COLOR","NO_COLOR",
+    "APPDATA","LOCALAPPDATA","USERPROFILE","COMPUTERNAME","USERNAME","HOMEDRIVE","HOMEPATH","SYSTEMROOT","WINDIR",
+    "PROGRAMFILES","PROGRAMDATA","COMMONPROGRAMFILES",
+    "NODE_ENV","NODE_OPTIONS","NODE_PATH","NODE_DEBUG","NODE_NO_WARNINGS",
+    "CI","CONTINUOUS_INTEGRATION","BUILD_NUMBER","BUILD_ID",
+    "GITHUB_ACTIONS","GITHUB_WORKFLOW","GITHUB_RUN_ID","GITHUB_RUN_NUMBER","GITHUB_SHA","GITHUB_REF","GITHUB_ACTOR",
+    "GITLAB_CI","CI_COMMIT_SHA","CI_PIPELINE_ID","CI_JOB_ID",
+    "CIRCLECI","CIRCLE_BUILD_NUM","CIRCLE_SHA1","CIRCLE_BRANCH",
+    "TRAVIS","TRAVIS_BUILD_NUMBER","TRAVIS_COMMIT",
+    "JENKINS_URL","BUILD_TAG","GIT_COMMIT",
+    "BUILDKITE","BUILDKITE_BUILD_NUMBER","BUILDKITE_COMMIT",
+    "CODEBUILD_BUILD_ID","CODEBUILD_RESOLVED_SOURCE_VERSION",
+    "VERCEL","VERCEL_ENV","VERCEL_URL","VERCEL_GIT_COMMIT_SHA",
+    "NETLIFY","CONTEXT","DEPLOY_PRIME_URL",
+    "RAILWAY_ENVIRONMENT","RAILWAY_GIT_COMMIT_SHA",
+    "HEROKU","DYNO","RENDER","FLY_APP_NAME",
+    "HTTP_PROXY","HTTPS_PROXY","NO_PROXY","http_proxy","https_proxy","no_proxy",
+    "HOSTNAME","HOST",
+    "DEBUG","VERBOSE","LOG_LEVEL",
+    "EDITOR","VISUAL","VSCODE_PID","TERM_SESSION_ID",
+    "PORT","npm_package_version","npm_package_name",
   ]);
-  
-  // Patterns for env vars that are commonly optional/internal and shouldn't BLOCK
+
+  // Patterns for env vars that are commonly optional/internal
   const optionalPatterns = [
-    /^(OPENAI|ANTHROPIC|COHERE|AZURE|AWS|GCP|GOOGLE)_/i,  // AI/Cloud providers (often optional)
-    /^(STRIPE|PAYPAL|PLAID)_/i,                            // Payment providers (often optional in dev)
-    /^(SENDGRID|RESEND|MAILGUN|SES)_/i,                    // Email providers
-    /^(SENTRY|DATADOG|NEWRELIC|LOGROCKET)_/i,              // Monitoring (optional)
-    /^(REDIS|POSTGRES|MYSQL|MONGO|DATABASE)_/i,            // Database (often has defaults)
-    /^(NEXT_|NUXT_|VITE_|REACT_APP_)/i,                    // Framework prefixes
-    /^(VIBECHECK|GUARDRAIL)_/i,                            // Our own vars
-    /_(URL|KEY|SECRET|TOKEN|ID|PASSWORD|HOST|PORT)$/i,     // Common suffixes (often optional)
-    /^(ENABLE_|DISABLE_|USE_|SKIP_|ALLOW_|NO_)/i,          // Feature flags (optional by nature)
-    /^(MAX_|MIN_|DEFAULT_|TIMEOUT_|LIMIT_|RATE_)/i,        // Config limits (have defaults)
-    /^(LOG_|DEBUG_|VERBOSE_|TRACE_)/i,                     // Logging config
-    /^(TEST_|DEV_|STAGING_|PROD_)/i,                       // Environment-specific
-    /^(ARTIFACTS_|CACHE_|TMP_|OUTPUT_)/i,                  // Paths (have defaults)
-    /^npm_/i,                                               // npm internal
+    /^(OPENAI|ANTHROPIC|COHERE|AZURE|AWS|GCP|GOOGLE)_/i,
+    /^(STRIPE|PAYPAL|PLAID)_/i,
+    /^(SENDGRID|RESEND|MAILGUN|SES)_/i,
+    /^(SENTRY|DATADOG|NEWRELIC|LOGROCKET)_/i,
+    /^(REDIS|POSTGRES|MYSQL|MONGO|DATABASE)_/i,
+    /^(NEXT_|NUXT_|VITE_|REACT_APP_)/i,
+    /^(VIBECHECK|GUARDRAIL)_/i,
+    /_(URL|KEY|SECRET|TOKEN|ID|PASSWORD|HOST|PORT)$/i,
+    /^(ENABLE_|DISABLE_|USE_|SKIP_|ALLOW_|NO_)/i,
+    /^(MAX_|MIN_|DEFAULT_|TIMEOUT_|LIMIT_|RATE_)/i,
+    /^(LOG_|DEBUG_|VERBOSE_|TRACE_)/i,
+    /^(TEST_|DEV_|STAGING_|PROD_)/i,
+    /^(ARTIFACTS_|CACHE_|TMP_|OUTPUT_)/i,
+    /^npm_/i,
   ];
-  
+
   function isOptionalEnvVar(name) {
-    return optionalPatterns.some(p => p.test(name));
+    return optionalPatterns.some((p) => rxTest(p, name));
+  }
+
+  // Heuristic: treat vars referenced only in tooling/scripts as WARN (not BLOCK)
+  function evidenceIsToolingOnly(v) {
+    const refs = v.references || [];
+    if (!refs.length) return false;
+    return refs.every((r) => {
+      const f = String(r.file || "");
+      return /(^|\/)(scripts|tools|bin|cli|devops|infra|config)\//i.test(f);
+    });
   }
 
-  // 1) USED but not declared in templates/examples
-  // Only BLOCK for truly required vars, WARN for everything else, skip optional patterns
   for (const v of used) {
+    if (!v?.name) continue;
     if (declared.has(v.name)) continue;
-    // Skip well-known system/CI env vars
     if (systemEnvVars.has(v.name)) continue;
-    // Skip vars that match optional patterns (very common, likely have defaults)
     if (isOptionalEnvVar(v.name)) continue;
-    
-    // Only BLOCK if:
-    // 1. Explicitly marked required AND
-    // 2. No fallback detected AND
-    // 3. Not a common optional pattern
-    const isReallyRequired = v.required && !v.hasFallback;
+
+    const toolingOnly = evidenceIsToolingOnly(v);
+
+    // Only BLOCK if it's truly required, no fallback, and not tooling-only
+    const isReallyRequired = !!v.required && !v.hasFallback && !toolingOnly;
     const sev = isReallyRequired ? "BLOCK" : "WARN";
-    
+
     findings.push({
       id: `F_ENV_UNDECLARED_${v.name}`,
       severity: sev,
       category: "EnvContract",
       title: `Env var used but not declared in env templates: ${v.name}`,
       why: isReallyRequired
-        ? "Required env var is used with no fallback. Vibecoders will ship a broken app if it's not documented."
-        : "Env var appears optional but should still be documented to prevent guesswork.",
+        ? "Required env var is used with no fallback and not documented. This ships broken installs."
+        : toolingOnly
+          ? "Env var appears used in tooling/scripts. Document it if users need it; otherwise ignore."
+          : "Env var appears optional/guarded but should still be documented to prevent guesswork.",
       confidence: isReallyRequired ? "high" : "low",
       evidence: v.references || [],
       fixHints: [
         `Add ${v.name}= to .env.example (or .env.template).`,
-        "If it's truly optional, ensure the code has an explicit fallback or guard."
-      ]
+        "If optional, ensure there's an explicit fallback or guard (and document expected behavior).",
+      ],
     });
   }
 
-  // 2) Declared but never used => WARN (hygiene)
-  const usedSet = new Set(used.map(v => v.name));
+  // Declared but never used
+  const usedSet = new Set(used.map((v) => v.name));
   for (const name of declared) {
     if (usedSet.has(name)) continue;
-
     findings.push({
       id: `F_ENV_UNUSED_${name}`,
       severity: "WARN",
       category: "EnvContract",
       title: `Env var declared but never used: ${name}`,
-      why: "Dead config creates confusion and encourages hallucinated wiring.",
+      why: "Dead config creates confusion and invites hallucinated wiring.",
       confidence: "med",
       evidence: [],
       fixHints: [
-        "Remove it from templates if it's obsolete, or wire it into code intentionally.",
-        "If used at runtime only (in infra), document that explicitly."
-      ]
+        "Remove it from templates if obsolete, or wire it intentionally.",
+        "If used only in infra/runtime, document that explicitly (where/why).",
+      ],
     });
   }
 
-  // 3) If no template sources exist, warn loudly
   if (!declaredSources.length && used.length) {
     findings.push({
       id: "F_ENV_NO_TEMPLATE",
       severity: "WARN",
       category: "EnvContract",
       title: "No .env.example/.env.template found",
-      why: "Without an env contract file, AI and humans will guess env vars and ship broken setups.",
+      why: "Without an env contract, humans and AI guess env vars and ship broken setups.",
       confidence: "high",
       evidence: [],
-      fixHints: ["Add a .env.example that lists required/optional vars with comments."]
+      fixHints: ["Add a .env.example listing required/optional vars with comments."],
     });
   }
 
   return findings;
 }
 
-// ============================================================================
-// FAKE SUCCESS ANALYZER (INV_NO_FAKE_SUCCESS)
-// ============================================================================
+/* ============================================================================
+ * FAKE SUCCESS ANALYZER (kept, but made safer & less noisy)
+ * ========================================================================== */
 
 function isToastSuccessCall(node) {
-  return t.isCallExpression(node) &&
+  return !!(
+    t.isCallExpression(node) &&
     t.isMemberExpression(node.callee) &&
     t.isIdentifier(node.callee.object, { name: "toast" }) &&
-    t.isIdentifier(node.callee.property, { name: "success" });
+    t.isIdentifier(node.callee.property, { name: "success" })
+  );
 }
 
 function isRouterPushCall(node) {
-  return t.isCallExpression(node) && (
-    (t.isMemberExpression(node.callee) &&
-      t.isIdentifier(node.callee.property, { name: "push" })) ||
-    (t.isIdentifier(node.callee) && (node.callee.name === "navigate"))
+  return (
+    t.isCallExpression(node) &&
+    ((t.isMemberExpression(node.callee) && t.isIdentifier(node.callee.property, { name: "push" })) ||
+      (t.isIdentifier(node.callee) && node.callee.name === "navigate"))
   );
 }
 
 function isFetchCall(node) {
-  return t.isCallExpression(node) && t.isIdentifier(node.callee, { name: "fetch" });
+  return !!(t.isCallExpression(node) && t.isIdentifier(node.callee, { name: "fetch" }));
 }
 
 function isAxiosCall(node) {
-  return t.isCallExpression(node) &&
+  return !!(
+    t.isCallExpression(node) &&
     t.isMemberExpression(node.callee) &&
     t.isIdentifier(node.callee.object, { name: "axios" }) &&
     t.isIdentifier(node.callee.property) &&
-    ["get","post","put","patch","delete"].includes(node.callee.property.name);
+    ["get", "post", "put", "patch", "delete"].includes(node.callee.property.name)
+  );
 }
 
 function findFakeSuccess(repoRoot) {
@@ -333,78 +851,103 @@ function findFakeSuccess(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
   for (const fileAbs of files) {
-    const code = fs.readFileSync(fileAbs, "utf8");
+    const code = readFileCached(fileAbs);
+    
+    // V3: FAST PATH OPTIMIZATION
+    // AST parsing is 100x slower than regex. Skip files that don't contain
+    // relevant keywords (toast/push/navigate AND fetch/axios).
+    const hasSuccessUI = /\b(toast|\.push|navigate)\b/.test(code);
+    const hasNetworkCall = /\b(fetch|axios)\b/.test(code);
+    if (!hasSuccessUI || !hasNetworkCall) {
+      continue;
+    }
+
     let ast;
-    try { ast = parseFile(code); } catch { continue; }
+    try {
+      ast = parseFile(code, fileAbs);
+    } catch {
+      continue;
+    }
 
+    try {
     traverse(ast, {
       Function(pathFn) {
-        let hasSuccess = false;
-        let successLoc = null;
-        let hasNetwork = false;
-        let hasAwaitNetwork = false;
-        let hasOkCheck = false;
+        // Collect call sites with positions to reduce false positives.
+        const successCalls = [];
+        const networkCalls = [];
+        const okChecks = [];
 
         pathFn.traverse({
           CallExpression(p) {
             const n = p.node;
 
             if (isToastSuccessCall(n) || isRouterPushCall(n)) {
-              hasSuccess = true;
-              successLoc = successLoc || n.loc;
+              successCalls.push({ loc: n.loc, pos: n.start ?? 0 });
             }
 
             if (isFetchCall(n) || isAxiosCall(n)) {
-              hasNetwork = true;
-              if (p.parentPath && p.parentPath.isAwaitExpression()) hasAwaitNetwork = true;
+              const isAwaited = p.parentPath && p.parentPath.isAwaitExpression();
+              networkCalls.push({ pos: n.start ?? 0, awaited: !!isAwaited });
             }
           },
           IfStatement(p) {
             const test = p.node.test;
-            const text = code.slice(test.start || 0, test.end || 0);
-            if (/\b(ok|status)\b/.test(text) && /(res|response)/.test(text)) {
-              hasOkCheck = true;
-            }
-          }
+            const txt = code.slice(test.start || 0, test.end || 0);
+            if (/\b(res|response)\b/i.test(txt) && /\b(ok|status)\b/i.test(txt)) okChecks.push({ pos: p.node.start ?? 0 });
+          },
         });
 
-        if (!hasSuccess || !hasNetwork) return;
+        if (!successCalls.length || !networkCalls.length) return;
 
-        const severity = hasAwaitNetwork ? (hasOkCheck ? null : "WARN") : "BLOCK";
-        if (!severity) return;
+        // For each success call: if there exists an awaited network call before it, it's less severe.
+        for (const sc of successCalls) {
+          const netBefore = networkCalls.filter((n) => n.pos < sc.pos);
+          const awaitedBefore = netBefore.some((n) => n.awaited);
+          const okCheckBefore = okChecks.some((c) => c.pos < sc.pos);
 
-        const ev = evidenceFromLoc(fileAbs, repoRoot, successLoc, "Success UI call in networked flow");
-        findings.push({
-          id: `F_FAKE_SUCCESS_${String(findings.length + 1).padStart(3, "0")}`,
-          severity,
-          category: "FakeSuccess",
-          title: severity === "BLOCK"
-            ? "Success UI triggered without awaiting network call"
-            : "Success UI triggered without verifying network result (res.ok/status)",
-          why: severity === "BLOCK"
-            ? "This ships lies. Users see success even when the request never completed."
-            : "This often ships lies. You're not gating success on a real response.",
-          confidence: "med",
-          evidence: ev ? [ev] : [],
-          fixHints: [
-            "Await the network call (await fetch/await axios...).",
-            "Gate success UI behind res.ok / status checks; surface errors otherwise."
-          ]
-        });
-      }
+          // If no awaited call before success -> strong signal
+          const severity = awaitedBefore ? (okCheckBefore ? null : "WARN") : "BLOCK";
+          if (!severity) continue;
+
+          const ev = evidenceFromLoc(fileAbs, repoRoot, sc.loc, "Success UI call in networked flow");
+          findings.push({
+            id: stableId("F_FAKE_SUCCESS", `${path.relative(repoRoot, fileAbs)}:${sc.pos}:${severity}`),
+            severity,
+            category: "FakeSuccess",
+            title:
+              severity === "BLOCK"
+                ? "Success UI triggered without awaiting network call"
+                : "Success UI triggered without verifying network result (res.ok/status)",
+            why:
+              severity === "BLOCK"
+                ? "This ships lies. Users see success even when the request never completed."
+                : "You're not gating success on a real response; this often ships false success.",
+            confidence: "med",
+            evidence: ev ? [ev] : [],
+            fixHints: [
+              "Await the network call (await fetch/await axios...).",
+              "Gate success UI behind res.ok / status checks; surface errors otherwise.",
+            ],
+          });
+        }
+      },
     });
+    } catch {
+      // Babel traverse can fail on some edge-case files; skip them
+      continue;
+    }
   }
 
   return findings;
 }
 
-// ============================================================================
-// GHOST AUTH ANALYZER (INV_NO_GHOST_AUTH)
-// ============================================================================
+/* ============================================================================
+ * GHOST AUTH ANALYZER (kept)
+ * ========================================================================== */
 
 function looksSensitive(pathStr) {
   const p = String(pathStr || "");
@@ -423,14 +966,13 @@ function looksSensitive(pathStr) {
 
 function hasRouteLevelProtection(routeDef) {
   const hooks = routeDef.hooks || [];
-  if (hooks.includes("preHandler") || hooks.includes("onRequest") || hooks.includes("preValidation")) return true;
-  return false;
+  return !!(hooks.includes("preHandler") || hooks.includes("onRequest") || hooks.includes("preValidation"));
 }
 
 function handlerHasAuthSignal(repoRoot, handlerRel) {
   const abs = path.join(repoRoot, handlerRel);
   if (!fs.existsSync(abs)) return false;
-  const code = fs.readFileSync(abs, "utf8");
+  const code = readFileCached(abs);
 
   return (
     /\bgetServerSession\b|\bauth\(\)\b|\bclerk\b|@clerk\/nextjs|\bcreateRouteHandlerClient\b|@supabase/i.test(code) ||
@@ -441,7 +983,7 @@ function handlerHasAuthSignal(repoRoot, handlerRel) {
 
 function isProtectedByNextMiddleware(truthpack, routePath) {
   const patterns = truthpack?.auth?.nextMatcherPatterns || [];
-  return matcherCoversPath(patterns, routePath);
+  return !!matcherCoversPath(patterns, routePath);
 }
 
 function findGhostAuth(truthpack, repoRoot) {
@@ -459,26 +1001,25 @@ function findGhostAuth(truthpack, repoRoot) {
 
     if (!protectedSomehow) {
       findings.push({
-        id: `F_GHOST_AUTH_${r.method}_${r.path}`.replace(/[^A-Z0-9_\/:*-]/gi, "_"),
+        id: stableId("F_GHOST_AUTH", `${r.method} ${r.path}`),
         severity: "BLOCK",
         category: "GhostAuth",
         title: `Sensitive endpoint appears unprotected: ${r.method} ${r.path}`,
-        why: "This is how apps get owned. UI gating doesn't matter. If the server doesn't enforce auth, it's public.",
+        why: "If the server doesn't enforce auth, it's public. UI gating is irrelevant.",
         confidence: "med",
         evidence: (r.evidence || []).slice(0, 2),
         fixHints: [
-          "Add server-side auth verification in the handler (session/jwt).",
-          "Or protect the path via Next middleware matcher (and verify it actually applies).",
-          "If Fastify: add preHandler/onRequest auth hook and ensure it's registered for this route."
-        ]
+          "Add server-side auth verification (session/jwt).",
+          "Or protect the path via middleware matcher (verify it actually applies).",
+          "If Fastify: add preHandler/onRequest auth hook and ensure it's registered for this route.",
+        ],
       });
     }
   }
 
-  // If there IS middleware but it doesn't cover obvious sensitive prefixes, warn
   const patterns = truthpack?.auth?.nextMatcherPatterns || [];
   if (patterns.length) {
-    const coversApi = patterns.some(p => String(p).includes("/api"));
+    const coversApi = patterns.some((p) => String(p).includes("/api"));
     if (!coversApi) {
       findings.push({
         id: "F_MIDDLEWARE_NOT_COVERING_API",
@@ -488,7 +1029,7 @@ function findGhostAuth(truthpack, repoRoot) {
         why: "People assume middleware protects APIs. Often it doesn't. Verify matcher patterns.",
         confidence: "high",
         evidence: (truthpack?.auth?.nextMiddleware?.[0]?.evidence || []).slice(0, 3),
-        fixHints: ["Add /api/:path* to middleware matcher if your design expects API auth protection."]
+        fixHints: ["Add /api/:path* to middleware matcher if your design expects API auth protection."],
       });
     }
   }
@@ -496,9 +1037,9 @@ function findGhostAuth(truthpack, repoRoot) {
   return findings;
 }
 
-// ============================================================================
-// STRIPE WEBHOOK VIOLATIONS (INV_WEBHOOK_VERIFIED + INV_WEBHOOK_IDEMPOTENT)
-// ============================================================================
+/* ============================================================================
+ * STRIPE WEBHOOK VIOLATIONS (kept)
+ * ========================================================================== */
 
 function findStripeWebhookViolations(truthpack) {
   const findings = [];
@@ -514,10 +1055,10 @@ function findStripeWebhookViolations(truthpack) {
       severity: "WARN",
       category: "Billing",
       title: "Stripe appears used but no webhook handler candidate detected",
-      why: "If you bill with Stripe, webhooks are usually required. Missing webhooks often means subscription state desync.",
+      why: "Stripe billing usually needs webhooks; missing them causes subscription state desync.",
       confidence: "med",
       evidence: [],
-      fixHints: ["Add a Stripe webhook handler with signature verification and idempotency."]
+      fixHints: ["Add a Stripe webhook handler with signature verification and idempotency."],
     });
     return findings;
   }
@@ -528,34 +1069,34 @@ function findStripeWebhookViolations(truthpack) {
 
     if (!verified) {
       findings.push({
-        id: `F_STRIPE_WEBHOOK_NOT_VERIFIED_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
+        id: stableId("F_STRIPE_WEBHOOK_NOT_VERIFIED", w.file),
         severity: "BLOCK",
         category: "Billing",
         title: `Stripe webhook handler not clearly signature-verified: ${w.file}`,
-        why: "Unverified webhooks = spoofable billing state. That's catastrophic.",
+        why: "Unverified webhooks = spoofable billing state.",
         confidence: "high",
         evidence: (w.evidence || []).slice(0, 4),
         fixHints: [
           "Use stripe.webhooks.constructEvent(rawBody, sigHeader, STRIPE_WEBHOOK_SECRET).",
           "Ensure raw body is used (disable bodyParser in pages router; in app router read req.text()/arrayBuffer).",
-          "Reject if signature missing/invalid."
-        ]
+          "Reject if signature missing/invalid.",
+        ],
       });
     }
 
     if (!idempotent) {
       findings.push({
-        id: `F_STRIPE_WEBHOOK_NOT_IDEMPOTENT_${w.file.replace(/[^a-z0-9]/gi, "_")}`,
+        id: stableId("F_STRIPE_WEBHOOK_NOT_IDEMPOTENT", w.file),
         severity: "BLOCK",
         category: "Billing",
         title: `Stripe webhook handler not clearly idempotent: ${w.file}`,
-        why: "Stripe retries webhooks. Without dedupe, you'll double-grant access, double-send emails, or double-write state.",
+        why: "Stripe retries webhooks; without dedupe you can double-grant access or double-write state.",
         confidence: "med",
         evidence: (w.evidence || []).slice(0, 4),
         fixHints: [
           "Persist event.id as processed (DB/Redis). If seen, return 200 immediately.",
-          "Wrap state mutation in a transaction keyed by event.id."
-        ]
+          "Wrap state mutation in a transaction keyed by event.id.",
+        ],
       });
     }
   }
@@ -563,176 +1104,186 @@ function findStripeWebhookViolations(truthpack) {
   return findings;
 }
 
-// ============================================================================
-// PAID SURFACE NOT ENFORCED (INV_PAID_FEATURE_ENFORCED_SERVER_SIDE)
-// ============================================================================
+/* ============================================================================
+ * PAID SURFACE NOT ENFORCED (kept)
+ * ========================================================================== */
 
 function findPaidSurfaceNotEnforced(truthpack) {
   const findings = [];
   const enforcement = truthpack?.enforcement;
-
   const checks = enforcement?.checks || [];
+
   for (const c of checks) {
     if (c.enforced) continue;
-
     findings.push({
-      id: `F_PAID_SURFACE_NOT_ENFORCED_${c.method}_${c.path}`.replace(/[^a-z0-9]/gi, "_"),
+      id: stableId("F_PAID_SURFACE_NOT_ENFORCED", `${c.method} ${c.path}`),
       severity: "BLOCK",
       category: "Entitlements",
       title: `Paid surface appears un-enforced server-side: ${c.method} ${c.path}`,
-      why: "If enforcement is only in the CLI/UI, users can call the endpoint directly. That's a free enterprise bypass.",
+      why: "If enforcement is only in the CLI/UI, users can call the endpoint directly.",
       confidence: "med",
       evidence: [],
       fixHints: [
-        "Add enforceFeature/enforceLimit in the server handler BEFORE doing work.",
+        "Enforce in the server handler BEFORE doing work.",
         "Return 402/403 with a structured error code.",
-        "Make the CLI treat that code as an upgrade prompt."
-      ]
+        "Make the CLI treat that code as an upgrade prompt.",
+      ],
     });
   }
   return findings;
 }
 
-// ============================================================================
-// OWNER MODE BYPASS (INV_NO_OWNER_MODE_BYPASS)
-// ============================================================================
+/* ============================================================================
+ * OWNER MODE BYPASS (kept; uses deterministic regex testing)
+ * ========================================================================== */
 
 function findOwnerModeBypass(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**","**/.next/**","**/dist/**","**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
   const patterns = [
     /OWNER_MODE/i,
     /GUARDRAIL_OWNER_MODE/i,
     /VIBECHECK_OWNER_MODE/i,
-    /process\.env\.[A-Z0-9_]*OWNER[A-Z0-9_]*/i
+    /process\.env\.[A-Z0-9_]*OWNER[A-Z0-9_]*/i,
   ];
 
   for (const fileAbs of files) {
-    const code = fs.readFileSync(fileAbs, "utf8");
-    const hit = patterns.some(rx => rx.test(code));
+    const code = readFileCached(fileAbs);
+    const hit = patterns.some((rx) => rxTest(rx, code));
     if (!hit) continue;
 
     const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
 
     findings.push({
-      id: `F_OWNER_MODE_BYPASS_${fileRel.replace(/[^a-z0-9]/gi, "_")}`,
+      id: stableId("F_OWNER_MODE_BYPASS", fileRel),
       severity: "BLOCK",
       category: "Security",
       title: `Owner mode / env bypass signal detected: ${fileRel}`,
-      why: "This is a production backdoor unless it's cryptographically gated. It cannot ship.",
+      why: "This is a production backdoor unless cryptographically gated. It cannot ship.",
       confidence: "high",
       evidence: [],
       fixHints: [
         "Delete owner mode bypass. If you need dev override, require a signed admin token + non-prod environment.",
-        "Add a test that asserts no OWNER_MODE env var grants entitlements."
-      ]
+        "Add a test that asserts no OWNER_MODE env var grants entitlements.",
+      ],
     });
   }
 
   return findings;
 }
 
-// ============================================================================
-// MOCK DATA DETECTOR
-// ============================================================================
+/* ============================================================================
+ * MOCK DATA DETECTOR (fixed /g+.test() bug + better line discovery)
+ * ========================================================================== */
 
 function findMockData(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/*.test.*", "**/*.spec.*", "**/tests/**", "**/test/**", "**/__tests__/**", "**/mocks/**", "**/__mocks__/**"]
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/tests/**",
+      "**/test/**",
+      "**/__tests__/**",
+      "**/mocks/**",
+      "**/__mocks__/**",
+    ],
   });
 
   const mockPatterns = [
-    { rx: /\bmockData\b/gi, label: "mockData variable" },
-    { rx: /\bfakeData\b/gi, label: "fakeData variable" },
-    { rx: /\bdummyData\b/gi, label: "dummyData variable" },
-    { rx: /\btestData\b/gi, label: "testData variable (in production code)" },
-    { rx: /\bsampleData\b/gi, label: "sampleData variable" },
-    { rx: /['"]fake[_-]?user['"]|['"]test[_-]?user['"]|['"]demo[_-]?user['"]/gi, label: "Hardcoded test user" },
-    { rx: /['"]password123['"]|['"]test123['"]|['"]admin123['"]|['"]secret123['"]/gi, label: "Hardcoded test password" },
-    { rx: /['"]test@(test|example|fake)\.com['"]/gi, label: "Hardcoded test email" },
-    { rx: /\bMOCK_API\b|\bFAKE_API\b|\bDUMMY_API\b/gi, label: "Mock API reference" },
-    { rx: /setTimeout\([^)]*[5-9]\d{3,}|setTimeout\([^)]*\d{5,}/g, label: "Long setTimeout (simulated delay?)" },
-    { rx: /Math\.random\(\)\s*[*<>]\s*\d+/g, label: "Random data generation" },
-    { rx: /\bplaceholder\b.*\bdata\b|\bdata\b.*\bplaceholder\b/gi, label: "Placeholder data" },
+    { rx: /\bmockData\b/i, label: "mockData variable" },
+    { rx: /\bfakeData\b/i, label: "fakeData variable" },
+    { rx: /\bdummyData\b/i, label: "dummyData variable" },
+    { rx: /\btestData\b/i, label: "testData variable (in production code)" },
+    { rx: /\bsampleData\b/i, label: "sampleData variable" },
+    { rx: /['"]fake[_-]?user['"]|['"]test[_-]?user['"]|['"]demo[_-]?user['"]/i, label: "Hardcoded test user" },
+    { rx: /['"]password123['"]|['"]test123['"]|['"]admin123['"]|['"]secret123['"]/i, label: "Hardcoded test password" },
+    { rx: /['"]test@(test|example|fake)\.com['"]/i, label: "Hardcoded test email" },
+    { rx: /\b(MOCK_API|FAKE_API|DUMMY_API)\b/i, label: "Mock API reference" },
+    { rx: /setTimeout\([^)]*[5-9]\d{3,}|setTimeout\([^)]*\d{5,}/i, label: "Long setTimeout (simulated delay?)" },
+    { rx: /Math\.random\(\)\s*[*<>]\s*\d+/i, label: "Random data generation" },
+    { rx: /\bplaceholder\b.*\bdata\b|\bdata\b.*\bplaceholder\b/i, label: "Placeholder data" },
   ];
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      // Skip if file looks like a test/mock file even if not in test folder
+
       if (/\.(test|spec|mock|fake|stub)\./i.test(fileRel)) continue;
       if (/mock|fake|test|spec|fixture/i.test(fileRel) && !/src\//.test(fileRel)) continue;
-      
+
+      const lines = code.split("\n");
+
       for (const { rx, label } of mockPatterns) {
-        const matches = code.match(rx);
-        if (matches && matches.length > 0) {
-          const lines = code.split('\n');
-          let lineNum = 1;
-          for (let i = 0; i < lines.length; i++) {
-            if (rx.test(lines[i])) {
-              lineNum = i + 1;
-              break;
-            }
+        if (!rxTest(rx, code)) continue;
+
+        let lineNum = 1;
+        for (let i = 0; i < lines.length; i++) {
+          if (rxTest(rx, lines[i])) {
+            lineNum = i + 1;
+            break;
           }
-          
-          findings.push({
-            id: `F_MOCK_DATA_${fileRel.replace(/[^a-z0-9]/gi, "_")}_${label.replace(/[^a-z0-9]/gi, "_")}`,
-            severity: "WARN",
-            category: "MockData",
-            title: `${label} in production code: ${fileRel}`,
-            why: "Mock/fake data in production causes embarrassing bugs and makes your app look unfinished.",
-            confidence: "med",
-            evidence: [{ file: fileRel, lines: `${lineNum}`, reason: label }],
-            fixHints: [
-              "Replace mock data with real API calls or database queries.",
-              "If this is intentional sample data, move to a clearly marked demo mode."
-            ]
-          });
-          break; // One finding per file per pattern type
         }
+
+        findings.push({
+          id: stableId("F_MOCK_DATA", `${fileRel}:${label}`),
+          severity: "WARN",
+          category: "MockData",
+          title: `${label} in production code: ${fileRel}`,
+          why: "Mock/fake data in production causes embarrassing bugs and makes your app look unfinished.",
+          confidence: "med",
+          evidence: [{ file: fileRel, lines: `${lineNum}`, reason: label }],
+          fixHints: [
+            "Replace mock data with real API calls or database queries.",
+            "If intentional sample data, move to a clearly marked demo mode.",
+          ],
+        });
+        break;
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
   return findings;
 }
 
-// ============================================================================
-// TODO/FIXME DETECTOR
-// ============================================================================
+/* ============================================================================
+ * TODO/FIXME DETECTOR (fixed /g+.test() bug)
+ * ========================================================================== */
 
 function findTodoFixme(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
   const todoPatterns = [
-    { rx: /\/\/\s*TODO[\s:]/gi, label: "TODO comment", severity: "WARN" },
-    { rx: /\/\/\s*FIXME[\s:]/gi, label: "FIXME comment", severity: "WARN" },
-    { rx: /\/\/\s*HACK[\s:]/gi, label: "HACK comment", severity: "WARN" },
-    { rx: /\/\/\s*XXX[\s:]/gi, label: "XXX comment", severity: "WARN" },
-    { rx: /\/\/\s*BUG[\s:]/gi, label: "BUG comment", severity: "BLOCK" },
-    { rx: /\/\/\s*BROKEN[\s:]/gi, label: "BROKEN comment", severity: "BLOCK" },
-    { rx: /\/\/\s*URGENT[\s:]/gi, label: "URGENT comment", severity: "BLOCK" },
-    { rx: /\/\/\s*SECURITY[\s:]/gi, label: "SECURITY comment", severity: "BLOCK" },
-    { rx: /\/\/\s*DANGER[\s:]/gi, label: "DANGER comment", severity: "BLOCK" },
-    { rx: /\/\*\s*TODO[\s:]/gi, label: "TODO block comment", severity: "WARN" },
-    { rx: /\/\*\s*FIXME[\s:]/gi, label: "FIXME block comment", severity: "WARN" },
+    { rx: /\/\/\s*TODO[\s:]/i, label: "TODO comment", severity: "WARN" },
+    { rx: /\/\/\s*FIXME[\s:]/i, label: "FIXME comment", severity: "WARN" },
+    { rx: /\/\/\s*HACK[\s:]/i, label: "HACK comment", severity: "WARN" },
+    { rx: /\/\/\s*XXX[\s:]/i, label: "XXX comment", severity: "WARN" },
+    { rx: /\/\/\s*BUG[\s:]/i, label: "BUG comment", severity: "BLOCK" },
+    { rx: /\/\/\s*BROKEN[\s:]/i, label: "BROKEN comment", severity: "BLOCK" },
+    { rx: /\/\/\s*URGENT[\s:]/i, label: "URGENT comment", severity: "BLOCK" },
+    { rx: /\/\/\s*SECURITY[\s:]/i, label: "SECURITY comment", severity: "BLOCK" },
+    { rx: /\/\/\s*DANGER[\s:]/i, label: "DANGER comment", severity: "BLOCK" },
+    { rx: /\/\*\s*TODO[\s:]/i, label: "TODO block comment", severity: "WARN" },
+    { rx: /\/\*\s*FIXME[\s:]/i, label: "FIXME block comment", severity: "WARN" },
   ];
 
   let todoCount = 0;
@@ -741,51 +1292,49 @@ function findTodoFixme(repoRoot) {
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      const lines = code.split('\n');
-      
+      const lines = code.split("\n");
+
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        
         for (const { rx, label, severity } of todoPatterns) {
-          if (rx.test(line)) {
-            if (label.includes("TODO")) todoCount++;
-            if (label.includes("FIXME")) fixmeCount++;
-            
-            // Only emit individual findings up to limit
-            if (findings.length < MAX_INDIVIDUAL_FINDINGS) {
-              const snippet = line.trim().slice(0, 80);
-              findings.push({
-                id: `F_TODO_${fileRel.replace(/[^a-z0-9]/gi, "_")}_L${i + 1}`,
-                severity,
-                category: "TodoFixme",
-                title: `${label}: ${snippet}${line.length > 80 ? '...' : ''}`,
-                why: severity === "BLOCK" 
+          if (!rxTest(rx, line)) continue;
+
+          if (label.includes("TODO")) todoCount++;
+          if (label.includes("FIXME")) fixmeCount++;
+
+          if (findings.length < MAX_INDIVIDUAL_FINDINGS) {
+            const snippet = line.trim().slice(0, 80);
+            findings.push({
+              id: stableId("F_TODO", `${fileRel}:${i + 1}:${label}`),
+              severity,
+              category: "TodoFixme",
+              title: `${label}: ${snippet}${line.length > 80 ? "..." : ""}`,
+              why:
+                severity === "BLOCK"
                   ? "This comment indicates a known critical issue that must be addressed before shipping."
                   : "Unfinished work markers suggest the code isn't production-ready.",
-                confidence: "high",
-                evidence: [{ file: fileRel, lines: `${i + 1}`, reason: label }],
-                fixHints: [
-                  "Complete the TODO or remove it if already done.",
-                  "If deferring, create a tracked issue and reference it in the comment."
-                ]
-              });
-            }
-            break; // One finding per line
+              confidence: "high",
+              evidence: [{ file: fileRel, lines: `${i + 1}`, reason: label }],
+              fixHints: [
+                "Complete the TODO or remove it if already done.",
+                "If deferring, create a tracked issue and reference it in the comment.",
+              ],
+            });
           }
+          break;
         }
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
-  // Add summary finding if there are many TODOs
   const totalTodos = todoCount + fixmeCount;
   if (totalTodos > MAX_INDIVIDUAL_FINDINGS) {
     findings.push({
-      id: `F_TODO_SUMMARY`,
+      id: "F_TODO_SUMMARY",
       severity: "WARN",
       category: "TodoFixme",
       title: `${totalTodos} TODO/FIXME comments found (${totalTodos - MAX_INDIVIDUAL_FINDINGS} more not shown)`,
@@ -794,24 +1343,35 @@ function findTodoFixme(repoRoot) {
       evidence: [],
       fixHints: [
         "Review and address high-priority TODOs before shipping.",
-        `Run: grep -rn "TODO\\|FIXME" --include="*.ts" --include="*.js" .`
-      ]
+        `Run: grep -rn "TODO\\|FIXME" --include="*.ts" --include="*.js" .`,
+      ],
     });
   }
 
   return findings;
 }
 
-// ============================================================================
-// CONSOLE.LOG DETECTOR
-// ============================================================================
+/* ============================================================================
+ * CONSOLE.LOG DETECTOR (kept)
+ * ========================================================================== */
 
 function findConsoleLogs(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/*.test.*", "**/*.spec.*", "**/tests/**", "**/__tests__/**", "**/scripts/**", "**/bin/**"]
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/tests/**",
+      "**/__tests__/**",
+      "**/scripts/**",
+      "**/bin/**",
+    ],
   });
 
   let consoleCount = 0;
@@ -819,327 +1379,344 @@ function findConsoleLogs(repoRoot) {
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      // Skip config/setup files
+
       if (/config|setup|jest|vitest|eslint|prettier/i.test(fileRel)) continue;
-      
-      const lines = code.split('\n');
-      
+
+      const lines = code.split("\n");
+
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        
-        // Match console.log, console.warn, console.error, console.debug
         if (/console\.(log|warn|debug|info|trace)\s*\(/.test(line)) {
-          // Skip if it's commented out
           if (/^\s*\/\//.test(line)) continue;
-          
+
           consoleCount++;
-          
+
           if (findings.length < MAX_INDIVIDUAL_FINDINGS) {
             const snippet = line.trim().slice(0, 60);
             findings.push({
-              id: `F_CONSOLE_LOG_${fileRel.replace(/[^a-z0-9]/gi, "_")}_L${i + 1}`,
+              id: stableId("F_CONSOLE_LOG", `${fileRel}:${i + 1}`),
               severity: "WARN",
               category: "ConsoleLog",
               title: `console.log in production code: ${fileRel}:${i + 1}`,
-              why: "Console statements leak debugging info to users and clutter browser console.",
+              why: "Console statements leak debugging info and clutter logs/console.",
               confidence: "high",
               evidence: [{ file: fileRel, lines: `${i + 1}`, reason: snippet }],
-              fixHints: [
-                "Remove console.log or replace with a proper logger.",
-                "Use a logger that can be silenced in production."
-              ]
+              fixHints: ["Remove console.log or replace with a proper logger.", "Use a logger that can be silenced in production."],
             });
           }
         }
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
-  // Add summary if there are many console logs
   if (consoleCount > MAX_INDIVIDUAL_FINDINGS) {
     findings.push({
-      id: `F_CONSOLE_LOG_SUMMARY`,
+      id: "F_CONSOLE_LOG_SUMMARY",
       severity: "WARN",
       category: "ConsoleLog",
       title: `${consoleCount} console.log statements found (${consoleCount - MAX_INDIVIDUAL_FINDINGS} more not shown)`,
       why: "Large numbers of console statements suggest debugging code left in production.",
       confidence: "high",
       evidence: [],
-      fixHints: [
-        "Use ESLint no-console rule to catch these automatically.",
-        "Replace with a proper logging library (pino, winston, etc.)."
-      ]
+      fixHints: ["Use ESLint no-console to catch automatically.", "Replace with a proper logging library (pino, winston, etc.)."],
     });
   }
 
   return findings;
 }
 
-// ============================================================================
-// HARDCODED SECRETS DETECTOR
-// ============================================================================
+/* ============================================================================
+ * HARDCODED SECRETS DETECTOR (kept)
+ * ========================================================================== */
 
 function findHardcodedSecrets(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx,json}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/package*.json", "**/*.test.*", "**/tests/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/package*.json", "**/*.test.*", "**/tests/**"],
   });
 
-  const secretPatterns = [
-    { rx: /['"]sk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live secret key" },
-    { rx: /['"]sk_test_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe test secret key" },
-    { rx: /['"]pk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live publishable key" },
-    { rx: /['"]AKIA[0-9A-Z]{16}['"]/g, label: "AWS Access Key ID" },
-    { rx: /['"][a-zA-Z0-9+\/]{40}['"]/g, label: "Possible AWS Secret Key" },
-    { rx: /['"]ghp_[a-zA-Z0-9]{36}['"]/g, label: "GitHub Personal Access Token" },
-    { rx: /['"]gho_[a-zA-Z0-9]{36}['"]/g, label: "GitHub OAuth Token" },
-    { rx: /['"]xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}['"]/g, label: "Slack Token" },
-    { rx: /['"]eyJ[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{43,}['"]/g, label: "JWT Token (hardcoded)" },
-    { rx: /password\s*[:=]\s*['"][^'"]{8,}['"]/gi, label: "Hardcoded password" },
-    { rx: /api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]{20,}['"]/gi, label: "Hardcoded API key" },
-    { rx: /secret\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]/gi, label: "Hardcoded secret" },
+  // V3: Split patterns into "specific" (prefix-based, high confidence) and "generic" (entropy-based)
+  // Specific patterns have distinctive prefixes - no entropy check needed
+  const specificPatterns = [
+    { rx: /['"]sk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live secret key", severity: "BLOCK" },
+    { rx: /['"]sk_test_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe test secret key", severity: "WARN" },
+    { rx: /['"]pk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live publishable key", severity: "BLOCK" },
+    { rx: /['"]AKIA[0-9A-Z]{16}['"]/g, label: "AWS Access Key ID", severity: "BLOCK" },
+    { rx: /['"]ghp_[a-zA-Z0-9]{36}['"]/g, label: "GitHub Personal Access Token", severity: "BLOCK" },
+    { rx: /['"]gho_[a-zA-Z0-9]{36}['"]/g, label: "GitHub OAuth Token", severity: "BLOCK" },
+    { rx: /['"]xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}['"]/g, label: "Slack Token", severity: "BLOCK" },
+    { rx: /['"]eyJ[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{43,}['"]/g, label: "JWT Token (hardcoded)", severity: "WARN" },
+  ];
+
+  // V3: Generic patterns need Shannon entropy check to avoid false positives (Git SHAs, image IDs, etc.)
+  const genericPatterns = [
+    { rx: /['"]([a-zA-Z0-9+/]{40})['"]/g, label: "Possible AWS Secret Key", minEntropy: 4.5 },
+    { rx: /password\s*[:=]\s*['"]([^'"]{8,})['"]/gi, label: "Hardcoded password", minEntropy: 3.0 },
+    { rx: /api[_-]?key\s*[:=]\s*['"]([a-zA-Z0-9]{20,})['"]/gi, label: "Hardcoded API key", minEntropy: 4.0 },
+    { rx: /secret\s*[:=]\s*['"]([a-zA-Z0-9]{16,})['"]/gi, label: "Hardcoded secret", minEntropy: 4.0 },
   ];
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      // Skip env files (they're supposed to have secrets, just not committed)
       if (/\.env/.test(fileRel)) continue;
       
-      for (const { rx, label } of secretPatterns) {
+      let foundInFile = false;
+
+      // 1. Check specific patterns (prefix-based, high confidence - no entropy needed)
+      for (const { rx, label, severity } of specificPatterns) {
+        rx.lastIndex = 0;
         const matches = code.match(rx);
         if (matches && matches.length > 0) {
           findings.push({
-            id: `F_SECRET_${fileRel.replace(/[^a-z0-9]/gi, "_")}_${label.replace(/[^a-z0-9]/gi, "_")}`,
-            severity: "BLOCK",
+            id: stableId("F_SECRET", `${fileRel}:${label}`),
+            severity,
             category: "HardcodedSecret",
             title: `${label} detected in: ${fileRel}`,
-            why: "Hardcoded secrets in code get committed to git and leaked. This is a critical security issue.",
+            why: "Hardcoded secrets get committed and leaked. This is critical.",
             confidence: "high",
             evidence: [{ file: fileRel, reason: label }],
             fixHints: [
               "Move the secret to environment variables.",
               "Rotate the compromised secret immediately.",
-              "Add the file to .gitignore if it shouldn't be committed."
-            ]
+              "Add the file to .gitignore if it shouldn't be committed.",
+            ],
           });
-          break; // One finding per file per secret type
+          foundInFile = true;
+          break;
         }
       }
-    } catch (e) {
-      // Skip unreadable files
+      
+      if (foundInFile) continue;
+
+      // 2. Check generic patterns WITH Shannon entropy to reduce false positives
+      for (const { rx, label, minEntropy } of genericPatterns) {
+        rx.lastIndex = 0;
+        let match;
+        while ((match = rx.exec(code)) !== null) {
+          const potentialSecret = match[1] || match[0];
+          
+          // Skip hex-only strings (likely Git SHAs, image IDs, not secrets)
+          if (/^[a-f0-9]+$/i.test(potentialSecret)) continue;
+          
+          // Skip common false positive patterns
+          if (/^(undefined|null|true|false|localhost|example|placeholder)/i.test(potentialSecret)) continue;
+          
+          const entropy = getShannonEntropy(potentialSecret);
+          if (entropy >= minEntropy) {
+            findings.push({
+              id: stableId("F_SECRET_ENTROPY", `${fileRel}:${label}:${potentialSecret.slice(0, 8)}`),
+              severity: "WARN", // Entropy is probabilistic, use WARN not BLOCK
+              category: "HardcodedSecret",
+              title: `${label} detected (high entropy ${entropy.toFixed(2)}): ${fileRel}`,
+              why: "This string looks mathematically random, which usually indicates a hardcoded secret key.",
+              confidence: "med",
+              evidence: [{ file: fileRel, reason: `Entropy: ${entropy.toFixed(2)} >= ${minEntropy}` }],
+              fixHints: [
+                "Move the secret to environment variables.",
+                "If this is not a secret, consider using a more descriptive variable name.",
+              ],
+            });
+            foundInFile = true;
+            break;
+          }
+        }
+        if (foundInFile) break;
+      }
+    } catch {
+      // skip
     }
   }
 
   return findings;
 }
 
-// ============================================================================
-// DEAD CODE / UNUSED EXPORTS DETECTOR
-// ============================================================================
+/* ============================================================================
+ * DEAD CODE / UNUSED EXPORTS DETECTOR (fixed /g+.test() bug)
+ * ========================================================================== */
 
 function findDeadCode(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/*.d.ts"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/*.d.ts"],
   });
 
   const deadCodePatterns = [
-    { rx: /^\s*\/\/\s*export\s+(const|function|class|interface|type)/gm, label: "Commented out export" },
-    { rx: /^\s*\/\*[\s\S]*?export[\s\S]*?\*\//gm, label: "Block-commented export" },
-    { rx: /if\s*\(\s*false\s*\)\s*\{/g, label: "if (false) block" },
-    { rx: /if\s*\(\s*0\s*\)\s*\{/g, label: "if (0) block" },
-    { rx: /return;\s*\n\s*[^}]/g, label: "Unreachable code after return" },
-    { rx: /throw\s+new\s+Error[^;]*;\s*\n\s*[^}]/g, label: "Unreachable code after throw" },
+    { rx: /^\s*\/\/\s*export\s+(const|function|class|interface|type)/m, label: "Commented out export" },
+    { rx: /^\s*\/\*[\s\S]*?export[\s\S]*?\*\//m, label: "Block-commented export" },
+    { rx: /if\s*\(\s*false\s*\)\s*\{/m, label: "if (false) block" },
+    { rx: /if\s*\(\s*0\s*\)\s*\{/m, label: "if (0) block" },
+    { rx: /return;\s*\n\s*[^}]/m, label: "Unreachable code after return" },
+    { rx: /throw\s+new\s+Error[^;]*;\s*\n\s*[^}]/m, label: "Unreachable code after throw" },
   ];
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
+
       for (const { rx, label } of deadCodePatterns) {
-        if (rx.test(code)) {
-          findings.push({
-            id: `F_DEAD_CODE_${fileRel.replace(/[^a-z0-9]/gi, "_")}_${label.replace(/[^a-z0-9]/gi, "_")}`,
-            severity: "WARN",
-            category: "DeadCode",
-            title: `${label} in: ${fileRel}`,
-            why: "Dead code adds confusion and maintenance burden. It often indicates incomplete refactoring.",
-            confidence: "med",
-            evidence: [{ file: fileRel, reason: label }],
-            fixHints: [
-              "Remove the dead code entirely.",
-              "If needed for reference, check git history instead of commenting."
-            ]
-          });
-          break; // One finding per file
-        }
+        if (!rxTest(rx, code)) continue;
+        findings.push({
+          id: stableId("F_DEAD_CODE", `${fileRel}:${label}`),
+          severity: "WARN",
+          category: "DeadCode",
+          title: `${label} in: ${fileRel}`,
+          why: "Dead code adds confusion and maintenance burden and usually indicates incomplete refactoring.",
+          confidence: "med",
+          evidence: [{ file: fileRel, reason: label }],
+          fixHints: ["Remove the dead code entirely.", "If needed for reference, use git history instead of commenting."],
+        });
+        break;
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
   return findings;
 }
 
-// ============================================================================
-// DEPRECATED API USAGE DETECTOR
-// ============================================================================
+/* ============================================================================
+ * DEPRECATED API USAGE DETECTOR (kept; deterministic)
+ * ========================================================================== */
 
 function findDeprecatedApis(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
   const deprecatedPatterns = [
-    { rx: /\bcomponentWillMount\b/g, label: "componentWillMount (deprecated React lifecycle)" },
-    { rx: /\bcomponentWillReceiveProps\b/g, label: "componentWillReceiveProps (deprecated)" },
-    { rx: /\bcomponentWillUpdate\b/g, label: "componentWillUpdate (deprecated)" },
-    { rx: /\bgetInitialProps\b/g, label: "getInitialProps (legacy Next.js)" },
-    { rx: /\bsubstr\s*\(/g, label: "String.substr() (deprecated, use slice)" },
-    { rx: /\bdocument\.write\b/g, label: "document.write (deprecated)" },
-    { rx: /new\s+Buffer\s*\(/g, label: "new Buffer() (deprecated, use Buffer.from)" },
-    { rx: /\brequire\(['"]fs['"]\)\.exists\b/g, label: "fs.exists (deprecated)" },
-    { rx: /\.__proto__\b/g, label: "__proto__ (deprecated)" },
+    { rx: /\bcomponentWillMount\b/, label: "componentWillMount (deprecated React lifecycle)" },
+    { rx: /\bcomponentWillReceiveProps\b/, label: "componentWillReceiveProps (deprecated)" },
+    { rx: /\bcomponentWillUpdate\b/, label: "componentWillUpdate (deprecated)" },
+    { rx: /\bgetInitialProps\b/, label: "getInitialProps (legacy Next.js)" },
+    { rx: /\bsubstr\s*\(/, label: "String.substr() (deprecated, use slice)" },
+    { rx: /\bdocument\.write\b/, label: "document.write (deprecated)" },
+    { rx: /new\s+Buffer\s*\(/, label: "new Buffer() (deprecated, use Buffer.from)" },
+    { rx: /\brequire\(['"]fs['"]\)\.exists\b/, label: "fs.exists (deprecated)" },
+    { rx: /\.__proto__\b/, label: "__proto__ (deprecated)" },
   ];
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
+
       for (const { rx, label } of deprecatedPatterns) {
-        const matches = code.match(rx);
-        if (matches && matches.length > 0) {
-          findings.push({
-            id: `F_DEPRECATED_${fileRel.replace(/[^a-z0-9]/gi, "_")}_${label.replace(/[^a-z0-9]/gi, "_")}`,
-            severity: "WARN",
-            category: "DeprecatedApi",
-            title: `${label}: ${fileRel}`,
-            why: "Deprecated APIs may stop working in future versions and often have security issues.",
-            confidence: "high",
-            evidence: [{ file: fileRel, reason: `${matches.length} occurrence(s)` }],
-            fixHints: [
-              "Update to the modern API equivalent.",
-              "Check migration guides for the specific deprecation."
-            ]
-          });
-          break; // One finding per file per deprecated API
-        }
+        if (!rxTest(rx, code)) continue;
+        const matches = code.match(new RegExp(rx.source, "g")) || [];
+        findings.push({
+          id: stableId("F_DEPRECATED", `${fileRel}:${label}`),
+          severity: "WARN",
+          category: "DeprecatedApi",
+          title: `${label}: ${fileRel}`,
+          why: "Deprecated APIs may break in future versions and sometimes carry security issues.",
+          confidence: "high",
+          evidence: [{ file: fileRel, reason: `${matches.length} occurrence(s)` }],
+          fixHints: ["Update to the modern API equivalent.", "Check migration guides for the specific deprecation."],
+        });
+        break;
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
   return findings;
 }
 
-// ============================================================================
-// EMPTY CATCH BLOCKS DETECTOR
-// ============================================================================
+/* ============================================================================
+ * EMPTY CATCH BLOCKS DETECTOR (kept)
+ * ========================================================================== */
 
 function findEmptyCatch(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      // Match catch blocks that are empty or only have comments
+
       const emptyCatchRx = /catch\s*\([^)]*\)\s*\{\s*(\/\/[^\n]*)?\s*\}/g;
       const matches = code.match(emptyCatchRx);
-      
+
       if (matches && matches.length > 0) {
         findings.push({
-          id: `F_EMPTY_CATCH_${fileRel.replace(/[^a-z0-9]/gi, "_")}`,
+          id: stableId("F_EMPTY_CATCH", fileRel),
           severity: "WARN",
           category: "EmptyCatch",
           title: `Empty catch block(s) in: ${fileRel} (${matches.length} found)`,
-          why: "Empty catch blocks silently swallow errors, making debugging impossible.",
+          why: "Empty catch blocks swallow errors and make debugging impossible.",
           confidence: "high",
           evidence: [{ file: fileRel, reason: `${matches.length} empty catch block(s)` }],
-          fixHints: [
-            "Log the error or handle it appropriately.",
-            "If intentionally ignoring, add a comment explaining why."
-          ]
+          fixHints: ["Log the error or handle it appropriately.", "If intentionally ignoring, add a comment explaining why."],
         });
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
   return findings;
 }
 
-// ============================================================================
-// UNSAFE REGEX DETECTOR
-// ============================================================================
+/* ============================================================================
+ * UNSAFE REGEX DETECTOR (fixed /g+.test() bug)
+ * ========================================================================== */
 
 function findUnsafeRegex(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"]
+    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
   });
 
-  // Patterns that can cause ReDoS (catastrophic backtracking)
   const unsafePatterns = [
-    { rx: /new\s+RegExp\s*\([^)]*\+[^)]*\)/g, label: "Dynamic regex with concatenation" },
-    { rx: /\(\.\*\)\+|\(\.\+\)\+|\(\.\*\)\*|\(\.\+\)\*/g, label: "Nested quantifiers (ReDoS risk)" },
-    { rx: /\([^)]+\|[^)]+\)\+/g, label: "Alternation with quantifier (ReDoS risk)" },
+    { rx: /new\s+RegExp\s*\([^)]*\+[^)]*\)/, label: "Dynamic regex with concatenation" },
+    { rx: /\(\.\*\)\+|\(\.\+\)\+|\(\.\*\)\*|\(\.\+\)\*/, label: "Nested quantifiers (ReDoS risk)" },
+    { rx: /\([^)]+\|[^)]+\)\+/, label: "Alternation with quantifier (ReDoS risk)" },
   ];
 
   for (const fileAbs of files) {
     try {
-      const code = fs.readFileSync(fileAbs, "utf8");
+      const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
+
       for (const { rx, label } of unsafePatterns) {
-        if (rx.test(code)) {
-          findings.push({
-            id: `F_UNSAFE_REGEX_${fileRel.replace(/[^a-z0-9]/gi, "_")}_${label.replace(/[^a-z0-9]/gi, "_")}`,
-            severity: "WARN",
-            category: "UnsafeRegex",
-            title: `${label}: ${fileRel}`,
-            why: "Unsafe regex patterns can cause denial of service via catastrophic backtracking.",
-            confidence: "med",
-            evidence: [{ file: fileRel, reason: label }],
-            fixHints: [
-              "Use atomic groups or possessive quantifiers if supported.",
-              "Validate input length before applying regex.",
-              "Consider using a regex linting tool."
-            ]
-          });
-          break;
-        }
+        if (!rxTest(rx, code)) continue;
+        findings.push({
+          id: stableId("F_UNSAFE_REGEX", `${fileRel}:${label}`),
+          severity: "WARN",
+          category: "UnsafeRegex",
+          title: `${label}: ${fileRel}`,
+          why: "Unsafe regex patterns can cause denial of service via catastrophic backtracking.",
+          confidence: "med",
+          evidence: [{ file: fileRel, reason: label }],
+          fixHints: ["Validate input length before applying regex.", "Consider safer parsing or a regex linter.", "Avoid nested quantifiers."],
+        });
+        break;
       }
-    } catch (e) {
-      // Skip unreadable files
+    } catch {
+      // skip
     }
   }
 
@@ -1147,6 +1724,13 @@ function findUnsafeRegex(repoRoot) {
 }
 
 module.exports = {
+  // V3: Cache management - call after scan completes to prevent memory leaks
+  clearFileCache,
+  
+  // V3: Entropy helper - exported for testing/reuse
+  getShannonEntropy,
+  
+  // Analyzers
   findMissingRoutes,
   findEnvGaps,
   findFakeSuccess,
@@ -1154,7 +1738,6 @@ module.exports = {
   findStripeWebhookViolations,
   findPaidSurfaceNotEnforced,
   findOwnerModeBypass,
-  // New analyzers
   findMockData,
   findTodoFixme,
   findConsoleLogs,