@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/analyzers.js

@@ -1182,6 +1182,7 @@ function findOwnerModeBypass(repoRoot) {
  * ========================================================================== */
 
 function findMockData(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
@@ -1196,64 +1197,39 @@ function findMockData(repoRoot) {
       "**/tests/**",
       "**/test/**",
       "**/__tests__/**",
-      "**/mocks/**",
-      "**/__mocks__/**",
     ],
   });
 
-  const mockPatterns = [
-    { rx: /\bmockData\b/i, label: "mockData variable" },
-    { rx: /\bfakeData\b/i, label: "fakeData variable" },
-    { rx: /\bdummyData\b/i, label: "dummyData variable" },
-    { rx: /\btestData\b/i, label: "testData variable (in production code)" },
-    { rx: /\bsampleData\b/i, label: "sampleData variable" },
-    { rx: /['"]fake[_-]?user['"]|['"]test[_-]?user['"]|['"]demo[_-]?user['"]/i, label: "Hardcoded test user" },
-    { rx: /['"]password123['"]|['"]test123['"]|['"]admin123['"]|['"]secret123['"]/i, label: "Hardcoded test password" },
-    { rx: /['"]test@(test|example|fake)\.com['"]/i, label: "Hardcoded test email" },
-    { rx: /\b(MOCK_API|FAKE_API|DUMMY_API)\b/i, label: "Mock API reference" },
-    { rx: /setTimeout\([^)]*[5-9]\d{3,}|setTimeout\([^)]*\d{5,}/i, label: "Long setTimeout (simulated delay?)" },
-    { rx: /Math\.random\(\)\s*[*<>]\s*\d+/i, label: "Random data generation" },
-    { rx: /\bplaceholder\b.*\bdata\b|\bdata\b.*\bplaceholder\b/i, label: "Placeholder data" },
-  ];
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
 
-      if (/\.(test|spec|mock|fake|stub)\./i.test(fileRel)) continue;
-      if (/mock|fake|test|spec|fixture/i.test(fileRel) && !/src\//.test(fileRel)) continue;
-
-      const lines = code.split("\n");
-
-      for (const { rx, label } of mockPatterns) {
-        if (!rxTest(rx, code)) continue;
-
-        let lineNum = 1;
-        for (let i = 0; i < lines.length; i++) {
-          if (rxTest(rx, lines[i])) {
-            lineNum = i + 1;
-            break;
-          }
-        }
-
+      // Use unified engines
+      const engineFindings = engines.analyzeMockData(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
         findings.push({
-          id: stableId("F_MOCK_DATA", `${fileRel}:${label}`),
-          severity: "WARN",
-          category: "MockData",
-          title: `${label} in production code: ${fileRel}`,
+          id: stableId("F_MOCK_DATA", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
           why: "Mock/fake data in production causes embarrassing bugs and makes your app look unfinished.",
-          confidence: "med",
-          evidence: [{ file: fileRel, lines: `${lineNum}`, reason: label }],
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
           fixHints: [
             "Replace mock data with real API calls or database queries.",
             "If intentional sample data, move to a clearly marked demo mode.",
           ],
         });
-        break;
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
@@ -1265,89 +1241,73 @@ function findMockData(repoRoot) {
  * ========================================================================== */
 
 function findTodoFixme(repoRoot) {
+  // TODO/FIXME engine not in unified engines yet - keep using existing
+  const { analyzeTodoFixme } = require("./engines/todo-fixme-engine");
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
   });
 
-  const todoPatterns = [
-    { rx: /\/\/\s*TODO[\s:]/i, label: "TODO comment", severity: "WARN" },
-    { rx: /\/\/\s*FIXME[\s:]/i, label: "FIXME comment", severity: "WARN" },
-    { rx: /\/\/\s*HACK[\s:]/i, label: "HACK comment", severity: "WARN" },
-    { rx: /\/\/\s*XXX[\s:]/i, label: "XXX comment", severity: "WARN" },
-    { rx: /\/\/\s*BUG[\s:]/i, label: "BUG comment", severity: "BLOCK" },
-    { rx: /\/\/\s*BROKEN[\s:]/i, label: "BROKEN comment", severity: "BLOCK" },
-    { rx: /\/\/\s*URGENT[\s:]/i, label: "URGENT comment", severity: "BLOCK" },
-    { rx: /\/\/\s*SECURITY[\s:]/i, label: "SECURITY comment", severity: "BLOCK" },
-    { rx: /\/\/\s*DANGER[\s:]/i, label: "DANGER comment", severity: "BLOCK" },
-    { rx: /\/\*\s*TODO[\s:]/i, label: "TODO block comment", severity: "WARN" },
-    { rx: /\/\*\s*FIXME[\s:]/i, label: "FIXME block comment", severity: "WARN" },
-  ];
-
-  let todoCount = 0;
-  let fixmeCount = 0;
-  const MAX_INDIVIDUAL_FINDINGS = 20;
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      const lines = code.split("\n");
-
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        for (const { rx, label, severity } of todoPatterns) {
-          if (!rxTest(rx, line)) continue;
-
-          if (label.includes("TODO")) todoCount++;
-          if (label.includes("FIXME")) fixmeCount++;
-
-          if (findings.length < MAX_INDIVIDUAL_FINDINGS) {
-            const snippet = line.trim().slice(0, 80);
-            findings.push({
-              id: stableId("F_TODO", `${fileRel}:${i + 1}:${label}`),
-              severity,
-              category: "TodoFixme",
-              title: `${label}: ${snippet}${line.length > 80 ? "..." : ""}`,
-              why:
-                severity === "BLOCK"
-                  ? "This comment indicates a known critical issue that must be addressed before shipping."
-                  : "Unfinished work markers suggest the code isn't production-ready.",
-              confidence: "high",
-              evidence: [{ file: fileRel, lines: `${i + 1}`, reason: label }],
-              fixHints: [
-                "Complete the TODO or remove it if already done.",
-                "If deferring, create a tracked issue and reference it in the comment.",
-              ],
-            });
-          }
-          break;
+      
+      // Use AST-based engine (not in unified engines yet)
+      const engineFindings = analyzeTodoFixme(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
+        if (finding.type === "summary") {
+          findings.push({
+            id: "F_TODO_SUMMARY",
+            severity: finding.severity,
+            category: finding.category,
+            title: finding.title,
+            why: "Large numbers of TODO comments indicate significant unfinished work.",
+            confidence: finding.confidence,
+            evidence: [],
+            fixHints: [
+              "Review and address high-priority TODOs before shipping.",
+              `Run: grep -rn "TODO\\|FIXME" --include="*.ts" --include="*.js" .`,
+            ],
+          });
+        } else {
+          findings.push({
+            id: stableId("F_TODO", `${fileRel}:${finding.line}:${finding.type}`),
+            severity: finding.severity,
+            category: finding.category,
+            title: finding.title,
+            message: finding.message,
+            file: finding.file,
+            line: finding.line,
+            why: finding.severity === "BLOCK"
+              ? "This comment indicates a known critical issue that must be addressed before shipping."
+              : "Unfinished work markers suggest the code isn't production-ready.",
+            confidence: finding.confidence,
+            evidence: [{ file: fileRel, lines: `${finding.line}`, reason: finding.title }],
+            fixHints: [
+              "Complete the TODO or remove it if already done.",
+              "If deferring, create a tracked issue and reference it in the comment.",
+            ],
+          });
         }
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
-  const totalTodos = todoCount + fixmeCount;
-  if (totalTodos > MAX_INDIVIDUAL_FINDINGS) {
-    findings.push({
-      id: "F_TODO_SUMMARY",
-      severity: "WARN",
-      category: "TodoFixme",
-      title: `${totalTodos} TODO/FIXME comments found (${totalTodos - MAX_INDIVIDUAL_FINDINGS} more not shown)`,
-      why: "Large numbers of TODO comments indicate significant unfinished work.",
-      confidence: "high",
-      evidence: [],
-      fixHints: [
-        "Review and address high-priority TODOs before shipping.",
-        `Run: grep -rn "TODO\\|FIXME" --include="*.ts" --include="*.js" .`,
-      ],
-    });
-  }
-
   return findings;
 }
 
@@ -1356,6 +1316,7 @@ function findTodoFixme(repoRoot) {
  * ========================================================================== */
 
 function findConsoleLogs(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
@@ -1365,67 +1326,40 @@ function findConsoleLogs(repoRoot) {
       "**/.next/**",
       "**/dist/**",
       "**/build/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-      "**/__tests__/**",
-      "**/scripts/**",
-      "**/bin/**",
+      "**/*.d.ts",
     ],
   });
 
-  let consoleCount = 0;
-  const MAX_INDIVIDUAL_FINDINGS = 15;
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
 
-      if (/config|setup|jest|vitest|eslint|prettier/i.test(fileRel)) continue;
-
-      const lines = code.split("\n");
-
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        if (/console\.(log|warn|debug|info|trace)\s*\(/.test(line)) {
-          if (/^\s*\/\//.test(line)) continue;
-
-          consoleCount++;
-
-          if (findings.length < MAX_INDIVIDUAL_FINDINGS) {
-            const snippet = line.trim().slice(0, 60);
-            findings.push({
-              id: stableId("F_CONSOLE_LOG", `${fileRel}:${i + 1}`),
-              severity: "WARN",
-              category: "ConsoleLog",
-              title: `console.log in production code: ${fileRel}:${i + 1}`,
-              why: "Console statements leak debugging info and clutter logs/console.",
-              confidence: "high",
-              evidence: [{ file: fileRel, lines: `${i + 1}`, reason: snippet }],
-              fixHints: ["Remove console.log or replace with a proper logger.", "Use a logger that can be silenced in production."],
-            });
-          }
-        }
+      // Use unified engines
+      const engineFindings = engines.analyzeConsoleLogs(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_CONSOLE_LOG", `${fileRel}:${finding.line}:${finding.type}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Console statements leak debugging info and clutter logs/console.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, lines: `${finding.line}`, reason: finding.codeSnippet || finding.title }],
+          fixHints: ["Remove console.log or replace with a proper logger.", "Use a logger that can be silenced in production."],
+        });
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
-  if (consoleCount > MAX_INDIVIDUAL_FINDINGS) {
-    findings.push({
-      id: "F_CONSOLE_LOG_SUMMARY",
-      severity: "WARN",
-      category: "ConsoleLog",
-      title: `${consoleCount} console.log statements found (${consoleCount - MAX_INDIVIDUAL_FINDINGS} more not shown)`,
-      why: "Large numbers of console statements suggest debugging code left in production.",
-      confidence: "high",
-      evidence: [],
-      fixHints: ["Use ESLint no-console to catch automatically.", "Replace with a proper logging library (pino, winston, etc.)."],
-    });
-  }
-
   return findings;
 }
 
@@ -1434,104 +1368,61 @@ function findConsoleLogs(repoRoot) {
  * ========================================================================== */
 
 function findHardcodedSecrets(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx,json}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/package*.json", "**/*.test.*", "**/tests/**"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/package*.json",
+      "**/*.test.*",
+      "**/tests/**",
+      "**/*.d.ts",
+    ],
   });
 
-  // V3: Split patterns into "specific" (prefix-based, high confidence) and "generic" (entropy-based)
-  // Specific patterns have distinctive prefixes - no entropy check needed
-  const specificPatterns = [
-    { rx: /['"]sk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live secret key", severity: "BLOCK" },
-    { rx: /['"]sk_test_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe test secret key", severity: "WARN" },
-    { rx: /['"]pk_live_[a-zA-Z0-9]{20,}['"]/g, label: "Stripe live publishable key", severity: "BLOCK" },
-    { rx: /['"]AKIA[0-9A-Z]{16}['"]/g, label: "AWS Access Key ID", severity: "BLOCK" },
-    { rx: /['"]ghp_[a-zA-Z0-9]{36}['"]/g, label: "GitHub Personal Access Token", severity: "BLOCK" },
-    { rx: /['"]gho_[a-zA-Z0-9]{36}['"]/g, label: "GitHub OAuth Token", severity: "BLOCK" },
-    { rx: /['"]xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}['"]/g, label: "Slack Token", severity: "BLOCK" },
-    { rx: /['"]eyJ[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{43,}['"]/g, label: "JWT Token (hardcoded)", severity: "WARN" },
-  ];
-
-  // V3: Generic patterns need Shannon entropy check to avoid false positives (Git SHAs, image IDs, etc.)
-  const genericPatterns = [
-    { rx: /['"]([a-zA-Z0-9+/]{40})['"]/g, label: "Possible AWS Secret Key", minEntropy: 4.5 },
-    { rx: /password\s*[:=]\s*['"]([^'"]{8,})['"]/gi, label: "Hardcoded password", minEntropy: 3.0 },
-    { rx: /api[_-]?key\s*[:=]\s*['"]([a-zA-Z0-9]{20,})['"]/gi, label: "Hardcoded API key", minEntropy: 4.0 },
-    { rx: /secret\s*[:=]\s*['"]([a-zA-Z0-9]{16,})['"]/gi, label: "Hardcoded secret", minEntropy: 4.0 },
-  ];
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      if (/\.env/.test(fileRel)) continue;
       
-      let foundInFile = false;
-
-      // 1. Check specific patterns (prefix-based, high confidence - no entropy needed)
-      for (const { rx, label, severity } of specificPatterns) {
-        rx.lastIndex = 0;
-        const matches = code.match(rx);
-        if (matches && matches.length > 0) {
-          findings.push({
-            id: stableId("F_SECRET", `${fileRel}:${label}`),
-            severity,
-            category: "HardcodedSecret",
-            title: `${label} detected in: ${fileRel}`,
-            why: "Hardcoded secrets get committed and leaked. This is critical.",
-            confidence: "high",
-            evidence: [{ file: fileRel, reason: label }],
-            fixHints: [
-              "Move the secret to environment variables.",
-              "Rotate the compromised secret immediately.",
-              "Add the file to .gitignore if it shouldn't be committed.",
-            ],
-          });
-          foundInFile = true;
-          break;
-        }
-      }
+      // Use unified engines
+      const engineFindings = engines.analyzeHardcodedSecrets(code, fileRel);
       
-      if (foundInFile) continue;
-
-      // 2. Check generic patterns WITH Shannon entropy to reduce false positives
-      for (const { rx, label, minEntropy } of genericPatterns) {
-        rx.lastIndex = 0;
-        let match;
-        while ((match = rx.exec(code)) !== null) {
-          const potentialSecret = match[1] || match[0];
-          
-          // Skip hex-only strings (likely Git SHAs, image IDs, not secrets)
-          if (/^[a-f0-9]+$/i.test(potentialSecret)) continue;
-          
-          // Skip common false positive patterns
-          if (/^(undefined|null|true|false|localhost|example|placeholder)/i.test(potentialSecret)) continue;
-          
-          const entropy = getShannonEntropy(potentialSecret);
-          if (entropy >= minEntropy) {
-            findings.push({
-              id: stableId("F_SECRET_ENTROPY", `${fileRel}:${label}:${potentialSecret.slice(0, 8)}`),
-              severity: "WARN", // Entropy is probabilistic, use WARN not BLOCK
-              category: "HardcodedSecret",
-              title: `${label} detected (high entropy ${entropy.toFixed(2)}): ${fileRel}`,
-              why: "This string looks mathematically random, which usually indicates a hardcoded secret key.",
-              confidence: "med",
-              evidence: [{ file: fileRel, reason: `Entropy: ${entropy.toFixed(2)} >= ${minEntropy}` }],
-              fixHints: [
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_SECRET", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: finding.severity === "BLOCK"
+            ? "Hardcoded secrets get committed and leaked. This is critical."
+            : "This string looks mathematically random, which usually indicates a hardcoded secret key.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: finding.severity === "BLOCK"
+            ? [
+                "Move the secret to environment variables.",
+                "Rotate the compromised secret immediately.",
+                "Add the file to .gitignore if it shouldn't be committed.",
+              ]
+            : [
                 "Move the secret to environment variables.",
                 "If this is not a secret, consider using a more descriptive variable name.",
               ],
-            });
-            foundInFile = true;
-            break;
-          }
-        }
-        if (foundInFile) break;
+        });
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
@@ -1539,47 +1430,51 @@ function findHardcodedSecrets(repoRoot) {
 }
 
 /* ============================================================================
- * DEAD CODE / UNUSED EXPORTS DETECTOR (fixed /g+.test() bug)
+ * DEAD CODE / UNUSED EXPORTS DETECTOR (AST-based engine)
  * ========================================================================== */
 
 function findDeadCode(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**", "**/*.d.ts"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
   });
 
-  const deadCodePatterns = [
-    { rx: /^\s*\/\/\s*export\s+(const|function|class|interface|type)/m, label: "Commented out export" },
-    { rx: /^\s*\/\*[\s\S]*?export[\s\S]*?\*\//m, label: "Block-commented export" },
-    { rx: /if\s*\(\s*false\s*\)\s*\{/m, label: "if (false) block" },
-    { rx: /if\s*\(\s*0\s*\)\s*\{/m, label: "if (0) block" },
-    { rx: /return;\s*\n\s*[^}]/m, label: "Unreachable code after return" },
-    { rx: /throw\s+new\s+Error[^;]*;\s*\n\s*[^}]/m, label: "Unreachable code after throw" },
-  ];
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-      for (const { rx, label } of deadCodePatterns) {
-        if (!rxTest(rx, code)) continue;
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeDeadCode(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
         findings.push({
-          id: stableId("F_DEAD_CODE", `${fileRel}:${label}`),
-          severity: "WARN",
-          category: "DeadCode",
-          title: `${label} in: ${fileRel}`,
+          id: stableId("F_DEAD_CODE", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
           why: "Dead code adds confusion and maintenance burden and usually indicates incomplete refactoring.",
-          confidence: "med",
-          evidence: [{ file: fileRel, reason: label }],
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
           fixHints: ["Remove the dead code entirely.", "If needed for reference, use git history instead of commenting."],
         });
-        break;
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
@@ -1591,47 +1486,47 @@ function findDeadCode(repoRoot) {
  * ========================================================================== */
 
 function findDeprecatedApis(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
   });
 
-  const deprecatedPatterns = [
-    { rx: /\bcomponentWillMount\b/, label: "componentWillMount (deprecated React lifecycle)" },
-    { rx: /\bcomponentWillReceiveProps\b/, label: "componentWillReceiveProps (deprecated)" },
-    { rx: /\bcomponentWillUpdate\b/, label: "componentWillUpdate (deprecated)" },
-    { rx: /\bgetInitialProps\b/, label: "getInitialProps (legacy Next.js)" },
-    { rx: /\bsubstr\s*\(/, label: "String.substr() (deprecated, use slice)" },
-    { rx: /\bdocument\.write\b/, label: "document.write (deprecated)" },
-    { rx: /new\s+Buffer\s*\(/, label: "new Buffer() (deprecated, use Buffer.from)" },
-    { rx: /\brequire\(['"]fs['"]\)\.exists\b/, label: "fs.exists (deprecated)" },
-    { rx: /\.__proto__\b/, label: "__proto__ (deprecated)" },
-  ];
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-      for (const { rx, label } of deprecatedPatterns) {
-        if (!rxTest(rx, code)) continue;
-        const matches = code.match(new RegExp(rx.source, "g")) || [];
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeDeprecatedApi(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
         findings.push({
-          id: stableId("F_DEPRECATED", `${fileRel}:${label}`),
-          severity: "WARN",
-          category: "DeprecatedApi",
-          title: `${label}: ${fileRel}`,
+          id: stableId("F_DEPRECATED", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
           why: "Deprecated APIs may break in future versions and sometimes carry security issues.",
-          confidence: "high",
-          evidence: [{ file: fileRel, reason: `${matches.length} occurrence(s)` }],
-          fixHints: ["Update to the modern API equivalent.", "Check migration guides for the specific deprecation."],
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: finding.replacement ? [`Use ${finding.replacement} instead.`, "Check migration guides for the specific deprecation."] : ["Update to the modern API equivalent.", "Check migration guides for the specific deprecation."],
         });
-        break;
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
@@ -1639,39 +1534,51 @@ function findDeprecatedApis(repoRoot) {
 }
 
 /* ============================================================================
- * EMPTY CATCH BLOCKS DETECTOR (kept)
+ * EMPTY CATCH BLOCKS DETECTOR (AST-based engine)
  * ========================================================================== */
 
 function findEmptyCatch(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
   });
 
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-      const emptyCatchRx = /catch\s*\([^)]*\)\s*\{\s*(\/\/[^\n]*)?\s*\}/g;
-      const matches = code.match(emptyCatchRx);
-
-      if (matches && matches.length > 0) {
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeEmptyCatch(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
         findings.push({
-          id: stableId("F_EMPTY_CATCH", fileRel),
-          severity: "WARN",
-          category: "EmptyCatch",
-          title: `Empty catch block(s) in: ${fileRel} (${matches.length} found)`,
+          id: stableId("F_EMPTY_CATCH", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
           why: "Empty catch blocks swallow errors and make debugging impossible.",
-          confidence: "high",
-          evidence: [{ file: fileRel, reason: `${matches.length} empty catch block(s)` }],
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
           fixHints: ["Log the error or handle it appropriately.", "If intentionally ignoring, add a comment explaining why."],
         });
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
     }
   }
 
@@ -1683,40 +1590,405 @@ function findEmptyCatch(repoRoot) {
  * ========================================================================== */
 
 function findUnsafeRegex(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
   });
 
-  const unsafePatterns = [
-    { rx: /new\s+RegExp\s*\([^)]*\+[^)]*\)/, label: "Dynamic regex with concatenation" },
-    { rx: /\(\.\*\)\+|\(\.\+\)\+|\(\.\*\)\*|\(\.\+\)\*/, label: "Nested quantifiers (ReDoS risk)" },
-    { rx: /\([^)]+\|[^)]+\)\+/, label: "Alternation with quantifier (ReDoS risk)" },
-  ];
-
   for (const fileAbs of files) {
     try {
       const code = readFileCached(fileAbs);
       const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-
-      for (const { rx, label } of unsafePatterns) {
-        if (!rxTest(rx, code)) continue;
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeUnsafeRegex(code, fileRel);
+      
+      // Convert engine findings to analyzer format
+      for (const finding of engineFindings) {
         findings.push({
-          id: stableId("F_UNSAFE_REGEX", `${fileRel}:${label}`),
-          severity: "WARN",
-          category: "UnsafeRegex",
-          title: `${label}: ${fileRel}`,
+          id: stableId("F_UNSAFE_REGEX", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
           why: "Unsafe regex patterns can cause denial of service via catastrophic backtracking.",
-          confidence: "med",
-          evidence: [{ file: fileRel, reason: label }],
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
           fixHints: ["Validate input length before applying regex.", "Consider safer parsing or a regex linter.", "Avoid nested quantifiers."],
         });
-        break;
       }
-    } catch {
-      // skip
+    } catch (err) {
+      // Skip files that can't be analyzed
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * NEW SECURITY & PERFORMANCE ANALYZERS
+ * ========================================================================== */
+
+function findSecurityVulnerabilities(repoRoot) {
+  // Note: Security vulnerabilities engine not in unified engines yet
+  // Keep using the existing engine for now
+  const { analyzeSecurityVulnerabilities } = require("./engines/security-vulnerabilities-engine");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = analyzeSecurityVulnerabilities(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_SECURITY", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Security vulnerabilities can lead to data breaches, unauthorized access, or system compromise.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Review security best practices for the detected vulnerability type.",
+            "Use parameterized queries for SQL operations.",
+            "Sanitize and validate all user inputs.",
+            "Use Content Security Policy (CSP) headers for XSS protection.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+function findPerformanceIssues(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      // Use unified engines
+      const engineFindings = engines.analyzePerformanceIssues(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_PERF", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Performance issues can degrade user experience and increase server costs.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Optimize algorithms and data structures.",
+            "Use pagination for large datasets.",
+            "Remove unnecessary re-renders.",
+            "Use async/await for I/O operations.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+function findCodeQualityIssues(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeCodeQuality(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_QUALITY", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Code quality issues make code harder to maintain, test, and extend.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Break down complex functions into smaller, focused functions.",
+            "Extract magic numbers into named constants.",
+            "Reduce nesting depth with early returns.",
+            "Consider design patterns for common problems.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+function findCrossFileIssues(repoRoot) {
+  const { analyzeCrossFile } = require("./engines/cross-file-analysis-engine");
+  const fg = require("fast-glob");
+  
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/tests/**",
+    ],
+  });
+
+  const engineFindings = analyzeCrossFile(files, repoRoot);
+  const findings = [];
+
+  for (const finding of engineFindings) {
+    findings.push({
+      id: stableId("F_CROSSFILE", `${finding.file}:${finding.type}`),
+      severity: finding.severity,
+      category: finding.category,
+      title: finding.title,
+      message: finding.message,
+      file: finding.file,
+      line: finding.line,
+      why: "Cross-file issues indicate architectural problems that can cause maintenance difficulties.",
+      confidence: finding.confidence,
+      evidence: [{ file: finding.file, reason: finding.title }],
+      fixHints: [
+        "Remove unused exports or mark them as internal.",
+        "Refactor to break circular dependencies.",
+        "Standardize import paths across the codebase.",
+      ],
+    });
+  }
+
+  return findings;
+}
+
+function findTypeSafetyIssues(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      // Use unified engines
+      const engineFindings = engines.analyzeTypeAware(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_TYPE", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Type safety issues can lead to runtime errors and make code harder to maintain.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Use proper TypeScript types instead of 'any'.",
+            "Fix underlying type errors instead of suppressing them.",
+            "Add explicit return type annotations.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+function findAccessibilityIssues(repoRoot) {
+  const { analyzeAccessibility } = require("./engines/accessibility-engine");
+  const findings = [];
+  const files = fg.sync(["**/*.{tsx,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/tests/**",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = analyzeAccessibility(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_A11Y", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Accessibility issues prevent users with disabilities from using your application.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Add alt text to all images.",
+            "Ensure all interactive elements have accessible labels.",
+            "Add keyboard handlers for custom interactive elements.",
+            "Test with screen readers.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+function findAPIConsistencyIssues(repoRoot) {
+  const { analyzeAPIConsistency } = require("./engines/api-consistency-engine");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      "**/node_modules/**",
+      "**/.next/**",
+      "**/dist/**",
+      "**/build/**",
+      "**/*.d.ts",
+      "**/*.test.*",
+      "**/*.spec.*",
+      "**/tests/**",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = analyzeAPIConsistency(code, fileRel);
+      
+      for (const finding of engineFindings) {
+        findings.push({
+          id: stableId("F_API", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category,
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "API consistency issues make APIs harder to use and maintain.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [
+            "Standardize response formats across all API routes.",
+            "Add consistent error handling.",
+            "Always return explicit HTTP status codes.",
+          ],
+        });
+      }
+    } catch (err) {
+      continue;
     }
   }
 
@@ -1746,4 +2018,13 @@ module.exports = {
   findDeprecatedApis,
   findEmptyCatch,
   findUnsafeRegex,
+  // Enhanced analyzers
+  findSecurityVulnerabilities,
+  findPerformanceIssues,
+  findCodeQualityIssues,
+  // Advanced analyzers
+  findCrossFileIssues,
+  findTypeSafetyIssues,
+  findAccessibilityIssues,
+  findAPIConsistencyIssues,
 };