@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/analyzers.js

@@ -12,6 +12,62 @@ const t = require("@babel/types");
 
 const { routeMatches } = require("./claims");
 const { matcherCoversPath } = require("./auth-truth");
+const {
+  getFrameworks,
+  hasFramework,
+  getFileContext,
+  isServerComponent,
+  isClientComponent,
+  isRouteHandler,
+  FRAMEWORKS,
+} = require("./engines/framework-detection");
+
+// V6: Bulletproof noise reduction and false positive prevention
+let noiseReduction, falsePositivePrevention;
+try {
+  noiseReduction = require("./engines/noise-reduction-engine");
+  falsePositivePrevention = require("./engines/false-positive-prevention");
+} catch {
+  // Engines not available - continue without them
+}
+
+/* ============================================================================
+ * STANDARD IGNORE PATTERNS
+ * Used by all analyzers to exclude non-production code
+ * ========================================================================== */
+const STANDARD_IGNORE_PATTERNS = [
+  // Core excludes
+  "**/node_modules/**",
+  "**/.next/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/*.d.ts",
+  "**/*.d.ts.map",
+  // Test files
+  "**/__tests__/**",
+  "**/tests/**",
+  "**/*.test.ts",
+  "**/*.test.tsx",
+  "**/*.test.js",
+  "**/*.spec.ts",
+  "**/*.spec.tsx",
+  "**/*.spec.js",
+  "**/fixtures/**",
+  // Internal tooling
+  "**/mcp-server/**",
+  "**/bin/**",
+  "**/packages/cli/**",
+  // Examples and templates
+  "**/examples/**",
+  "**/templates/**",
+  "**/docs/**",
+  // Cache and generated
+  "**/.guardrail/**",
+  "**/.cursor/**",
+  "**/.vibecheck/**",
+  "**/coverage/**",
+  "**/_archive/**",
+];
 
 /* ============================================================================
  * WORLD-CLASS INFRA HELPERS
@@ -914,7 +970,7 @@ function findFakeSuccess(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -925,6 +981,21 @@ function findFakeSuccess(repoRoot) {
     // relevant keywords (toast/push/navigate AND fetch/axios).
     const hasSuccessUI = /\b(toast|\.push|navigate)\b/.test(code);
     const hasNetworkCall = /\b(fetch|axios)\b/.test(code);
+    
+    // Enhanced: Also check for TanStack Query / React Query mutations
+    // These have built-in error handling via onError callback
+    const hasTanstackMutation = /\buseMutation\b/.test(code);
+    const hasTRPCMutation = /\.useMutation\b/.test(code);
+    
+    // Skip files that use TanStack Query mutations with onSuccess/onError
+    // These are properly handling async state
+    if (hasTanstackMutation || hasTRPCMutation) {
+      const hasProperCallbacks = /onSuccess\s*:|onError\s*:|onSettled\s*:/.test(code);
+      if (hasProperCallbacks) {
+        continue; // Properly handled
+      }
+    }
+    
     if (!hasSuccessUI || !hasNetworkCall) {
       continue;
     }
@@ -1013,18 +1084,58 @@ function findFakeSuccess(repoRoot) {
  * ========================================================================== */
 
 function looksSensitive(pathStr) {
-  const p = String(pathStr || "");
-  return (
-    p.startsWith("/api/admin") ||
-    p.startsWith("/api/billing") ||
-    p.startsWith("/api/stripe") ||
-    p.startsWith("/api/org") ||
-    p.startsWith("/api/team") ||
-    p.startsWith("/api/account") ||
-    p.startsWith("/api/settings") ||
-    p.startsWith("/api/users") ||
-    p.startsWith("/api/user")
-  );
+  const p = String(pathStr || "").toLowerCase();
+  
+  // Sensitive path prefixes
+  const sensitivePathPrefixes = [
+    "/api/admin",
+    "/api/billing",
+    "/api/stripe",
+    "/api/org",
+    "/api/team",
+    "/api/account",
+    "/api/settings",
+    "/api/users",
+    "/api/user",
+    "/api/profile",
+    "/api/dashboard",
+    "/api/private",
+    "/api/internal",
+    "/api/manage",
+    "/api/payment",
+    "/api/subscription",
+    "/api/checkout",
+    "/api/webhook", // Webhooks need verification
+    "/api/upload",
+    "/api/delete",
+    "/api/export",
+    "/api/import",
+  ];
+  
+  // Sensitive path patterns (regex)
+  const sensitivePathPatterns = [
+    /\/api\/.*\/admin/,
+    /\/api\/.*\/delete/,
+    /\/api\/.*\/edit/,
+    /\/api\/.*\/update/,
+    /\/api\/.*\/create/,
+    /\/api\/.*\/remove/,
+    /\/api\/.*\/modify/,
+    /\/api\/me\b/,
+    /\/api\/\[.*id\]/, // Dynamic user/resource routes
+  ];
+  
+  // Check prefixes
+  if (sensitivePathPrefixes.some(prefix => p.startsWith(prefix))) {
+    return true;
+  }
+  
+  // Check patterns
+  if (sensitivePathPatterns.some(pattern => pattern.test(p))) {
+    return true;
+  }
+  
+  return false;
 }
 
 function hasRouteLevelProtection(routeDef) {
@@ -1037,11 +1148,69 @@ function handlerHasAuthSignal(repoRoot, handlerRel) {
   if (!fs.existsSync(abs)) return false;
   const code = readFileCached(abs);
 
-  return (
-    /\bgetServerSession\b|\bauth\(\)\b|\bclerk\b|@clerk\/nextjs|\bcreateRouteHandlerClient\b|@supabase/i.test(code) ||
-    /\b(jwtVerify|authorization|bearer|verifyToken|verifyJWT)\b/i.test(code) ||
-    /\b(isAdmin|adminOnly|permissions|rbac)\b/i.test(code)
-  );
+  // Next.js / NextAuth patterns
+  const nextAuthPatterns = [
+    /\bgetServerSession\b/,
+    /\bauth\(\)\b/,
+    /\bgetSession\b/,
+    /\buseSession\b/,
+    /\bgetToken\b/,
+  ];
+  
+  // Clerk patterns
+  const clerkPatterns = [
+    /\bclerk\b/i,
+    /@clerk\/nextjs/,
+    /\bauth\(\)\s*\.\s*userId/,
+    /\bcurrentUser\b/,
+    /\bgetAuth\b/,
+  ];
+  
+  // Supabase patterns
+  const supabasePatterns = [
+    /\bcreateRouteHandlerClient\b/,
+    /\bcreateServerComponentClient\b/,
+    /\bsupabase\b.*\bauth\b/i,
+    /@supabase/,
+    /\bgetUser\(\)/,
+  ];
+  
+  // General auth patterns
+  const generalAuthPatterns = [
+    /\b(jwtVerify|verifyToken|verifyJWT)\b/i,
+    /\bauthorization\b/i,
+    /\bbearer\s+token/i,
+    /\b(isAdmin|adminOnly|permissions|rbac)\b/i,
+    /\bauthenticated\b/i,
+    /\brequireAuth\b/i,
+    /\bprotectedProcedure\b/, // tRPC
+  ];
+  
+  // Next.js App Router specific patterns
+  const appRouterPatterns = [
+    /\bcookies\(\)\s*\.\s*get\s*\(\s*['"](?:session|token|auth)/i,
+    /\bheaders\(\)\s*\.\s*get\s*\(\s*['"]authorization/i,
+    /\bNextResponse\.redirect\s*\(.*(?:login|signin|unauthorized)/i,
+  ];
+  
+  // tRPC context patterns (context often has auth)
+  const trpcPatterns = [
+    /ctx\.session/,
+    /ctx\.user/,
+    /ctx\.auth/,
+    /\.protectedProcedure/,
+  ];
+  
+  const allPatterns = [
+    ...nextAuthPatterns,
+    ...clerkPatterns,
+    ...supabasePatterns,
+    ...generalAuthPatterns,
+    ...appRouterPatterns,
+    ...trpcPatterns,
+  ];
+  
+  return allPatterns.some(pattern => pattern.test(code));
 }
 
 function isProtectedByNextMiddleware(truthpack, routePath) {
@@ -1205,7 +1374,7 @@ function findOwnerModeBypass(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: ["**/node_modules/**", "**/.next/**", "**/dist/**", "**/build/**"],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   const patterns = [
@@ -1250,17 +1419,7 @@ function findMockData(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-      "**/test/**",
-      "**/__tests__/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1311,13 +1470,7 @@ function findTodoFixme(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1384,13 +1537,7 @@ function findConsoleLogs(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1436,16 +1583,7 @@ function findHardcodedSecrets(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx,json}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/package*.json",
-      "**/*.test.*",
-      "**/tests/**",
-      "**/*.d.ts",
-    ],
+    ignore: [...STANDARD_IGNORE_PATTERNS, "**/package*.json"],
   });
 
   for (const fileAbs of files) {
@@ -1502,13 +1640,7 @@ function findDeadCode(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1554,13 +1686,7 @@ function findDeprecatedApis(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1606,13 +1732,7 @@ function findEmptyCatch(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1658,13 +1778,7 @@ function findUnsafeRegex(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1712,13 +1826,7 @@ function findSecurityVulnerabilities(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1762,13 +1870,7 @@ function findPerformanceIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1813,13 +1915,7 @@ function findCodeQualityIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1865,16 +1961,7 @@ function findCrossFileIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   const engineFindings = analyzeCrossFile(files, repoRoot);
@@ -1909,13 +1996,7 @@ function findTypeSafetyIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -1959,16 +2040,7 @@ function findAccessibilityIssues(repoRoot) {
   const files = fg.sync(["**/*.{tsx,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -2012,16 +2084,7 @@ function findAPIConsistencyIssues(repoRoot) {
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
-    ignore: [
-      "**/node_modules/**",
-      "**/.next/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.d.ts",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/tests/**",
-    ],
+    ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
@@ -2058,14 +2121,397 @@ function findAPIConsistencyIssues(repoRoot) {
   return findings;
 }
 
+/* ============================================================================
+ * REACT PATTERNS ANALYZER
+ * Only runs on .tsx/.jsx files for performance
+ * ========================================================================== */
+
+function findReactPatternIssues(repoRoot) {
+  const { analyzeReactPatterns } = require("./engines/react-patterns-engine");
+  const findings = [];
+  
+  // Only scan React files for performance
+  const files = fg.sync(["**/*.{tsx,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE_PATTERNS,
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = analyzeReactPatterns(code, fileRel);
+      
+      // Only include BLOCK and WARN severity for performance
+      for (const finding of engineFindings) {
+        if (finding.severity === "INFO") continue;
+        
+        findings.push({
+          id: stableId("F_REACT", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category || "ReactPatterns",
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "React anti-patterns can cause bugs, performance issues, and maintenance problems.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [finding.fixHint].filter(Boolean),
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * ERROR HANDLING ANALYZER
+ * Checks error handling patterns across all JS/TS files
+ * ========================================================================== */
+
+function findErrorHandlingIssues(repoRoot) {
+  const { analyzeErrorHandling } = require("./engines/error-handling-engine");
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE_PATTERNS,
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = analyzeErrorHandling(code, fileRel);
+      
+      // Only include BLOCK and WARN severity
+      for (const finding of engineFindings) {
+        if (finding.severity === "INFO") continue;
+        
+        findings.push({
+          id: stableId("F_ERROR", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category || "ErrorHandling",
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Poor error handling leads to silent failures, security issues, and hard-to-debug problems.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [finding.fixHint].filter(Boolean),
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * DATABASE PATTERNS ANALYZER
+ * Only runs when ORM usage is detected (Prisma, Drizzle, etc.)
+ * ========================================================================== */
+
+function findDatabasePatternIssues(repoRoot) {
+  const { analyzeDatabasePatterns, detectORM } = require("./engines/database-patterns-engine");
+  const findings = [];
+  
+  // Quick check: only run if an ORM is likely in use
+  const packageJsonPath = path.join(repoRoot, "package.json");
+  let hasORM = false;
+  
+  try {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
+    const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
+    const ormPackages = ["@prisma/client", "drizzle-orm", "typeorm", "sequelize", "mongoose", "knex"];
+    hasORM = ormPackages.some(pkg => deps[pkg]);
+  } catch (err) {
+    // No package.json or can't read - check files for ORM patterns
+    hasORM = true; // Fall back to checking files
+  }
+  
+  if (!hasORM) return findings;
+  
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE_PATTERNS,
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      // Skip files without ORM imports for performance
+      const orm = detectORM(code);
+      if (!orm) continue;
+      
+      const engineFindings = analyzeDatabasePatterns(code, fileRel);
+      
+      // Only include BLOCK and WARN severity
+      for (const finding of engineFindings) {
+        if (finding.severity === "INFO") continue;
+        
+        findings.push({
+          id: stableId("F_DB", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category || "DatabasePatterns",
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Database anti-patterns cause performance issues, data integrity problems, and security vulnerabilities.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [finding.fixHint].filter(Boolean),
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * ASYNC PATTERNS ANALYZER
+ * Detects Promise and async/await anti-patterns
+ * ========================================================================== */
+
+function findAsyncPatternIssues(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
+  if (!engines.analyzeAsyncPatterns) return [];
+  
+  const findings = [];
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: STANDARD_IGNORE_PATTERNS,
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = engines.analyzeAsyncPatterns(code, fileRel);
+      
+      // Only include BLOCK and WARN severity
+      for (const finding of engineFindings) {
+        if (finding.severity === "INFO") continue;
+        
+        findings.push({
+          id: stableId("F_ASYNC", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category || "AsyncPatterns",
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Async anti-patterns cause race conditions, memory leaks, and hard-to-debug failures.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [finding.fixHint].filter(Boolean),
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * BUNDLE SIZE ANALYZER
+ * Only runs on client-side code to detect heavy imports
+ * ========================================================================== */
+
+function findBundleSizeIssues(repoRoot) {
+  const engines = require("./engines/vibecheck-engines");
+  if (!engines.bundleSizeEngine?.analyzeBundleSize) return [];
+  
+  const findings = [];
+  
+  // Focus on likely client-side code paths
+  const files = fg.sync([
+    "**/app/**/*.{ts,tsx,js,jsx}",
+    "**/pages/**/*.{ts,tsx,js,jsx}",
+    "**/src/**/*.{ts,tsx,js,jsx}",
+    "**/components/**/*.{ts,tsx,js,jsx}",
+  ], {
+    cwd: repoRoot,
+    absolute: true,
+    ignore: [
+      ...STANDARD_IGNORE_PATTERNS,
+      "**/api/**", // Skip API routes (server-side)
+      "**/server/**",
+      "**/lib/server/**",
+    ],
+  });
+
+  for (const fileAbs of files) {
+    try {
+      const code = readFileCached(fileAbs);
+      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+      
+      const engineFindings = engines.bundleSizeEngine.analyzeBundleSize(code, fileRel);
+      
+      // Only include BLOCK and WARN severity
+      for (const finding of engineFindings) {
+        if (finding.severity === "INFO") continue;
+        
+        findings.push({
+          id: stableId("F_BUNDLE", `${fileRel}:${finding.type}:${finding.line}`),
+          severity: finding.severity,
+          category: finding.category || "BundleSize",
+          title: finding.title,
+          message: finding.message,
+          file: finding.file,
+          line: finding.line,
+          why: "Large bundles slow down page load and hurt user experience.",
+          confidence: finding.confidence,
+          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
+          fixHints: [finding.fixHint].filter(Boolean),
+        });
+      }
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return findings;
+}
+
+/* ============================================================================
+ * V6: BULLETPROOF FINDINGS FILTER
+ * Applies noise reduction and false positive prevention to any findings array
+ * ========================================================================== */
+
+/**
+ * Apply bulletproof filtering to findings
+ * @param {Array} findings - Raw findings from analyzers
+ * @param {Object} options - Configuration options
+ * @returns {Object} { findings, stats }
+ */
+function bulletproofFindings(findings, options = {}) {
+  const {
+    projectPath = ".",
+    projectStats = {},
+    config = {},
+    minConfidence = 0.4,
+    minQualityScore = 0.35,
+    verbose = false,
+  } = options;
+  
+  let processed = [...findings];
+  const stats = {
+    input: findings.length,
+    afterFalsePositiveFilter: 0,
+    afterNoiseReduction: 0,
+    output: 0,
+  };
+  
+  // Step 1: Filter false positives
+  if (falsePositivePrevention?.filterFalsePositives) {
+    const fpResult = falsePositivePrevention.filterFalsePositives(processed, {
+      projectPath,
+      minConfidence,
+    });
+    processed = fpResult.findings;
+    stats.afterFalsePositiveFilter = processed.length;
+    
+    if (verbose && fpResult.removed.length > 0) {
+      console.log(`  [FP Filter] Removed ${fpResult.removed.length} false positives`);
+    }
+  } else {
+    stats.afterFalsePositiveFilter = processed.length;
+  }
+  
+  // Step 2: Apply noise reduction
+  if (noiseReduction?.reduceNoise) {
+    const nrResult = noiseReduction.reduceNoise(processed, {
+      projectStats,
+      config,
+      minQualityScore,
+      verbose,
+    });
+    processed = nrResult.findings;
+    stats.afterNoiseReduction = processed.length;
+    stats.noiseStats = nrResult.stats;
+  } else {
+    stats.afterNoiseReduction = processed.length;
+  }
+  
+  stats.output = processed.length;
+  stats.reduction = Math.round((1 - stats.output / Math.max(stats.input, 1)) * 100);
+  
+  return { findings: processed, stats };
+}
+
+/**
+ * Get project statistics for adaptive caps
+ */
+function getProjectStats(projectPath) {
+  let fileCount = 0;
+  let lineCount = 0;
+  
+  try {
+    const files = fg.sync(["**/*.{ts,tsx,js,jsx,mjs,cjs}"], {
+      cwd: projectPath,
+      absolute: true,
+      ignore: STANDARD_IGNORE_PATTERNS,
+    });
+    
+    fileCount = files.length;
+    
+    // Sample line count from up to 100 files for performance
+    const sampleFiles = files.slice(0, 100);
+    let sampleLines = 0;
+    for (const file of sampleFiles) {
+      try {
+        const content = fs.readFileSync(file, "utf8");
+        sampleLines += content.split("\n").length;
+      } catch {
+        // Ignore errors
+      }
+    }
+    
+    // Extrapolate line count
+    if (sampleFiles.length > 0) {
+      lineCount = Math.round((sampleLines / sampleFiles.length) * fileCount);
+    }
+  } catch {
+    // Ignore errors
+  }
+  
+  return { fileCount, lineCount };
+}
+
 module.exports = {
+  // V6: Bulletproof filtering (apply to any findings array)
+  bulletproofFindings,
+  getProjectStats,
+  
   // V3: Cache management - call after scan completes to prevent memory leaks
   clearFileCache,
   
   // V3: Entropy helper - exported for testing/reuse
   getShannonEntropy,
   
-  // Analyzers
+  // Core analyzers (route integrity, env, auth)
   findMissingRoutes,
   findEnvGaps,
   findFakeSuccess,
@@ -2073,6 +2519,8 @@ module.exports = {
   findStripeWebhookViolations,
   findPaidSurfaceNotEnforced,
   findOwnerModeBypass,
+  
+  // Code quality analyzers (mock, TODO, console, etc.)
   findMockData,
   findTodoFixme,
   findConsoleLogs,
@@ -2081,13 +2529,22 @@ module.exports = {
   findDeprecatedApis,
   findEmptyCatch,
   findUnsafeRegex,
-  // Enhanced analyzers
+  
+  // Enhanced analyzers (security, performance, quality)
   findSecurityVulnerabilities,
   findPerformanceIssues,
   findCodeQualityIssues,
+  
   // Advanced analyzers
   findCrossFileIssues,
   findTypeSafetyIssues,
   findAccessibilityIssues,
   findAPIConsistencyIssues,
+  
+  // V5: New pattern analyzers (integrated, not separate commands)
+  findReactPatternIssues,     // React best practices (BLOCK/WARN only)
+  findErrorHandlingIssues,    // Error handling patterns
+  findDatabasePatternIssues,  // N+1, transactions, raw queries
+  findAsyncPatternIssues,     // Promise/async anti-patterns
+  findBundleSizeIssues,       // Heavy imports, bundle bloat
 };