@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/analyzers.js

@@ -12,24 +12,6 @@ const t = require("@babel/types");
 
 const { routeMatches } = require("./claims");
 const { matcherCoversPath } = require("./auth-truth");
-const {
-  getFrameworks,
-  hasFramework,
-  getFileContext,
-  isServerComponent,
-  isClientComponent,
-  isRouteHandler,
-  FRAMEWORKS,
-} = require("./engines/framework-detection");
-
-// V6: Bulletproof noise reduction and false positive prevention
-let noiseReduction, falsePositivePrevention;
-try {
-  noiseReduction = require("./engines/noise-reduction-engine");
-  falsePositivePrevention = require("./engines/false-positive-prevention");
-} catch {
-  // Engines not available - continue without them
-}
 
 /* ============================================================================
  * STANDARD IGNORE PATTERNS
@@ -141,7 +123,22 @@ function rxTest(rx, s) {
   return rx.test(s);
 }
 
+// Try to use the engine's globalASTCache if available for better performance
+let _globalASTCache = null;
+try {
+  _globalASTCache = require("./engine/ast-cache").globalASTCache;
+} catch {
+  // Engine not available, will use direct parsing
+}
+
 function parseFile(code, fileAbsForErrors = "") {
+  // Use globalASTCache if available (engine v2 integration)
+  if (_globalASTCache) {
+    const result = _globalASTCache.parse(code, fileAbsForErrors);
+    if (result.ast) return result.ast;
+    // Fall through to direct parse if cache failed
+  }
+  
   // Error recovery avoids hard-failing on mixed TS/JS/JSX edge cases.
   return parser.parse(code, {
     sourceType: "unambiguous",
@@ -889,8 +886,11 @@ function findEnvGaps(truthpack) {
       confidence: isReallyRequired ? "high" : "low",
       evidence: v.references || [],
       fixHints: [
-        `Add ${v.name}= to .env.example (or .env.template).`,
-        "If optional, ensure there's an explicit fallback or guard (and document expected behavior).",
+        `Add to .env.example: ${v.name}=your_value_here`,
+        isReallyRequired
+          ? `Add fallback: const value = process.env.${v.name} ?? 'default';`
+          : `Guard usage: if (process.env.${v.name}) { /* use it */ }`,
+        "Docs: https://12factor.net/config",
       ],
     });
   }
@@ -981,21 +981,6 @@ function findFakeSuccess(repoRoot) {
     // relevant keywords (toast/push/navigate AND fetch/axios).
     const hasSuccessUI = /\b(toast|\.push|navigate)\b/.test(code);
     const hasNetworkCall = /\b(fetch|axios)\b/.test(code);
-    
-    // Enhanced: Also check for TanStack Query / React Query mutations
-    // These have built-in error handling via onError callback
-    const hasTanstackMutation = /\buseMutation\b/.test(code);
-    const hasTRPCMutation = /\.useMutation\b/.test(code);
-    
-    // Skip files that use TanStack Query mutations with onSuccess/onError
-    // These are properly handling async state
-    if (hasTanstackMutation || hasTRPCMutation) {
-      const hasProperCallbacks = /onSuccess\s*:|onError\s*:|onSettled\s*:/.test(code);
-      if (hasProperCallbacks) {
-        continue; // Properly handled
-      }
-    }
-    
     if (!hasSuccessUI || !hasNetworkCall) {
       continue;
     }
@@ -1031,7 +1016,16 @@ function findFakeSuccess(repoRoot) {
           IfStatement(p) {
             const test = p.node.test;
             const txt = code.slice(test.start || 0, test.end || 0);
+            // Check for response status validation (res.ok, status)
             if (/\b(res|response)\b/i.test(txt) && /\b(ok|status)\b/i.test(txt)) okChecks.push({ pos: p.node.start ?? 0 });
+            // Check for response body validation (data, error, success property checks)
+            if (/\b(data|result|response)\b/i.test(txt) && /\b(error|success|\.data|\.result)\b/i.test(txt)) okChecks.push({ pos: p.node.start ?? 0 });
+          },
+          // Also check for try-catch around the network call as a form of validation
+          TryStatement(tryPath) {
+            if (tryPath.node.handler) {
+              okChecks.push({ pos: tryPath.node.start ?? 0 });
+            }
           },
         });
 
@@ -1063,8 +1057,9 @@ function findFakeSuccess(repoRoot) {
             confidence: "med",
             evidence: ev ? [ev] : [],
             fixHints: [
-              "Await the network call (await fetch/await axios...).",
-              "Gate success UI behind res.ok / status checks; surface errors otherwise.",
+              "const res = await fetch(...); if (!res.ok) throw new Error('Request failed');",
+              "const data = await res.json(); if (data.success) toast.success('Done!'); else toast.error(data.error);",
+              "Use try-catch: try { await api(); toast.success(); } catch (e) { toast.error(e.message); }",
             ],
           });
         }
@@ -1084,58 +1079,18 @@ function findFakeSuccess(repoRoot) {
  * ========================================================================== */
 
 function looksSensitive(pathStr) {
-  const p = String(pathStr || "").toLowerCase();
-  
-  // Sensitive path prefixes
-  const sensitivePathPrefixes = [
-    "/api/admin",
-    "/api/billing",
-    "/api/stripe",
-    "/api/org",
-    "/api/team",
-    "/api/account",
-    "/api/settings",
-    "/api/users",
-    "/api/user",
-    "/api/profile",
-    "/api/dashboard",
-    "/api/private",
-    "/api/internal",
-    "/api/manage",
-    "/api/payment",
-    "/api/subscription",
-    "/api/checkout",
-    "/api/webhook", // Webhooks need verification
-    "/api/upload",
-    "/api/delete",
-    "/api/export",
-    "/api/import",
-  ];
-  
-  // Sensitive path patterns (regex)
-  const sensitivePathPatterns = [
-    /\/api\/.*\/admin/,
-    /\/api\/.*\/delete/,
-    /\/api\/.*\/edit/,
-    /\/api\/.*\/update/,
-    /\/api\/.*\/create/,
-    /\/api\/.*\/remove/,
-    /\/api\/.*\/modify/,
-    /\/api\/me\b/,
-    /\/api\/\[.*id\]/, // Dynamic user/resource routes
-  ];
-  
-  // Check prefixes
-  if (sensitivePathPrefixes.some(prefix => p.startsWith(prefix))) {
-    return true;
-  }
-  
-  // Check patterns
-  if (sensitivePathPatterns.some(pattern => pattern.test(p))) {
-    return true;
-  }
-  
-  return false;
+  const p = String(pathStr || "");
+  return (
+    p.startsWith("/api/admin") ||
+    p.startsWith("/api/billing") ||
+    p.startsWith("/api/stripe") ||
+    p.startsWith("/api/org") ||
+    p.startsWith("/api/team") ||
+    p.startsWith("/api/account") ||
+    p.startsWith("/api/settings") ||
+    p.startsWith("/api/users") ||
+    p.startsWith("/api/user")
+  );
 }
 
 function hasRouteLevelProtection(routeDef) {
@@ -1148,69 +1103,11 @@ function handlerHasAuthSignal(repoRoot, handlerRel) {
   if (!fs.existsSync(abs)) return false;
   const code = readFileCached(abs);
 
-  // Next.js / NextAuth patterns
-  const nextAuthPatterns = [
-    /\bgetServerSession\b/,
-    /\bauth\(\)\b/,
-    /\bgetSession\b/,
-    /\buseSession\b/,
-    /\bgetToken\b/,
-  ];
-  
-  // Clerk patterns
-  const clerkPatterns = [
-    /\bclerk\b/i,
-    /@clerk\/nextjs/,
-    /\bauth\(\)\s*\.\s*userId/,
-    /\bcurrentUser\b/,
-    /\bgetAuth\b/,
-  ];
-  
-  // Supabase patterns
-  const supabasePatterns = [
-    /\bcreateRouteHandlerClient\b/,
-    /\bcreateServerComponentClient\b/,
-    /\bsupabase\b.*\bauth\b/i,
-    /@supabase/,
-    /\bgetUser\(\)/,
-  ];
-  
-  // General auth patterns
-  const generalAuthPatterns = [
-    /\b(jwtVerify|verifyToken|verifyJWT)\b/i,
-    /\bauthorization\b/i,
-    /\bbearer\s+token/i,
-    /\b(isAdmin|adminOnly|permissions|rbac)\b/i,
-    /\bauthenticated\b/i,
-    /\brequireAuth\b/i,
-    /\bprotectedProcedure\b/, // tRPC
-  ];
-  
-  // Next.js App Router specific patterns
-  const appRouterPatterns = [
-    /\bcookies\(\)\s*\.\s*get\s*\(\s*['"](?:session|token|auth)/i,
-    /\bheaders\(\)\s*\.\s*get\s*\(\s*['"]authorization/i,
-    /\bNextResponse\.redirect\s*\(.*(?:login|signin|unauthorized)/i,
-  ];
-  
-  // tRPC context patterns (context often has auth)
-  const trpcPatterns = [
-    /ctx\.session/,
-    /ctx\.user/,
-    /ctx\.auth/,
-    /\.protectedProcedure/,
-  ];
-  
-  const allPatterns = [
-    ...nextAuthPatterns,
-    ...clerkPatterns,
-    ...supabasePatterns,
-    ...generalAuthPatterns,
-    ...appRouterPatterns,
-    ...trpcPatterns,
-  ];
-  
-  return allPatterns.some(pattern => pattern.test(code));
+  return (
+    /\bgetServerSession\b|\bauth\(\)\b|\bclerk\b|@clerk\/nextjs|\bcreateRouteHandlerClient\b|@supabase/i.test(code) ||
+    /\b(jwtVerify|authorization|bearer|verifyToken|verifyJWT)\b/i.test(code) ||
+    /\b(isAdmin|adminOnly|permissions|rbac)\b/i.test(code)
+  );
 }
 
 function isProtectedByNextMiddleware(truthpack, routePath) {
@@ -1222,7 +1119,12 @@ function findGhostAuth(truthpack, repoRoot) {
   const findings = [];
   const server = truthpack?.routes?.server || [];
 
+  // Track mutation routes without CSRF protection
+  const mutationMethods = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+
   for (const r of server) {
+    const isMutation = mutationMethods.has(String(r.method).toUpperCase());
+    
     if (!looksSensitive(r.path)) continue;
 
     const middlewareProtected = isProtectedByNextMiddleware(truthpack, r.path);
@@ -1241,12 +1143,41 @@ function findGhostAuth(truthpack, repoRoot) {
         confidence: "med",
         evidence: (r.evidence || []).slice(0, 2),
         fixHints: [
-          "Add server-side auth verification (session/jwt).",
-          "Or protect the path via middleware matcher (verify it actually applies).",
-          "If Fastify: add preHandler/onRequest auth hook and ensure it's registered for this route.",
+          `Next.js: const session = await getServerSession(); if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });`,
+          `Fastify: fastify.addHook('preHandler', async (req, reply) => { if (!req.user) reply.code(401).send({ error: 'Unauthorized' }); });`,
+          "Or add to middleware.ts matcher: export const config = { matcher: ['/api/admin/:path*'] };",
+          "Docs: https://nextjs.org/docs/app/building-your-application/authentication",
         ],
       });
     }
+    
+    // Check for CSRF protection on mutations
+    if (isMutation && r.handler) {
+      const abs = path.join(repoRoot, r.handler);
+      if (fs.existsSync(abs)) {
+        const code = readFileCached(abs);
+        const hasCSRFCheck = /\b(csrf|csrfToken|_csrf|x-csrf-token|xsrf|anti-forgery)\b/i.test(code);
+        const isAPIRoute = r.path.startsWith("/api/");
+        
+        // Only warn for non-API routes (API routes typically use bearer tokens)
+        if (!hasCSRFCheck && !isAPIRoute) {
+          findings.push({
+            id: stableId("F_GHOST_AUTH_NO_CSRF", `${r.method} ${r.path}`),
+            severity: "WARN",
+            category: "GhostAuth",
+            title: `Mutation endpoint without CSRF protection: ${r.method} ${r.path}`,
+            why: "State-changing endpoints should verify CSRF tokens to prevent cross-site request forgery attacks.",
+            confidence: "low",
+            evidence: (r.evidence || []).slice(0, 2),
+            fixHints: [
+              "Add CSRF token validation for form submissions.",
+              "Or use SameSite cookies + Origin header validation.",
+              "API routes using bearer tokens are generally exempt.",
+            ],
+          });
+        }
+      }
+    }
   }
 
   const patterns = truthpack?.auth?.nextMatcherPatterns || [];
@@ -1494,7 +1425,7 @@ function findTodoFixme(repoRoot) {
             evidence: [],
             fixHints: [
               "Review and address high-priority TODOs before shipping.",
-              `Run: grep -rn "TODO\\|FIXME" --include="*.ts" --include="*.js" .`,
+              `Run: vibecheck scan --json | jq '.findings[] | select(.category == "TODO")'`,
             ],
           });
         } else {
@@ -2122,47 +2053,99 @@ function findAPIConsistencyIssues(repoRoot) {
 }
 
 /* ============================================================================
- * REACT PATTERNS ANALYZER
- * Only runs on .tsx/.jsx files for performance
+ * OPTIMISTIC NO ROLLBACK DETECTOR
+ * Finds optimistic UI updates that don't rollback on failure
  * ========================================================================== */
 
-function findReactPatternIssues(repoRoot) {
-  const { analyzeReactPatterns } = require("./engines/react-patterns-engine");
+function findOptimisticNoRollback(repoRoot) {
   const findings = [];
-  
-  // Only scan React files for performance
-  const files = fg.sync(["**/*.{tsx,jsx}"], {
+  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
     absolute: true,
     ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
+    const code = readFileCached(fileAbs);
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    
+    // Fast path: skip files without optimistic patterns
+    const hasOptimisticUpdate = /\b(setOptimistic|optimisticUpdate|setState.*\bfetch|useMutation.*onMutate)\b/i.test(code);
+    const hasStateUpdate = /\b(setState|set[A-Z]\w*|dispatch|update[A-Z])\b/.test(code);
+    const hasNetworkCall = /\b(fetch|axios|useMutation|mutate)\b/.test(code);
+    
+    if (!hasStateUpdate || !hasNetworkCall) continue;
+    
+    let ast;
     try {
-      const code = readFileCached(fileAbs);
-      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      const engineFindings = analyzeReactPatterns(code, fileRel);
-      
-      // Only include BLOCK and WARN severity for performance
-      for (const finding of engineFindings) {
-        if (finding.severity === "INFO") continue;
-        
-        findings.push({
-          id: stableId("F_REACT", `${fileRel}:${finding.type}:${finding.line}`),
-          severity: finding.severity,
-          category: finding.category || "ReactPatterns",
-          title: finding.title,
-          message: finding.message,
-          file: finding.file,
-          line: finding.line,
-          why: "React anti-patterns can cause bugs, performance issues, and maintenance problems.",
-          confidence: finding.confidence,
-          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
-          fixHints: [finding.fixHint].filter(Boolean),
-        });
-      }
-    } catch (err) {
+      ast = parseFile(code, fileAbs);
+    } catch {
+      continue;
+    }
+
+    try {
+      traverse(ast, {
+        CallExpression(pathNode) {
+          const n = pathNode.node;
+          
+          // Look for setState/dispatch calls followed by fetch without catch/finally rollback
+          if (!t.isMemberExpression(n.callee)) return;
+          
+          const methodName = n.callee.property?.name || "";
+          const isStateUpdate = /^(setState|set[A-Z]|dispatch|update)/.test(methodName);
+          
+          if (!isStateUpdate) return;
+          
+          // Check if parent function has a try-catch with rollback
+          let parentFn = pathNode.findParent(p => p.isFunction());
+          if (!parentFn) return;
+          
+          let hasRollback = false;
+          let hasNetworkInSameBlock = false;
+          
+          parentFn.traverse({
+            CallExpression(inner) {
+              const callee = inner.node.callee;
+              if (isFetchCall(inner.node) || isAxiosCall(inner.node)) {
+                hasNetworkInSameBlock = true;
+              }
+            },
+            CatchClause(catchPath) {
+              // Check if catch has a state update (rollback)
+              catchPath.traverse({
+                CallExpression(rollbackCall) {
+                  if (t.isMemberExpression(rollbackCall.node.callee)) {
+                    const name = rollbackCall.node.callee.property?.name || "";
+                    if (/^(setState|set[A-Z]|dispatch|update)/.test(name)) {
+                      hasRollback = true;
+                    }
+                  }
+                }
+              });
+            }
+          });
+          
+          // If there's a state update, network call, but no rollback in catch
+          if (hasNetworkInSameBlock && !hasRollback) {
+            const loc = n.loc;
+            findings.push({
+              id: stableId("F_OPTIMISTIC_NO_ROLLBACK", `${fileRel}:${loc?.start?.line || 0}`),
+              severity: "WARN",
+              category: "OptimisticNoRollback",
+              title: "Optimistic update without rollback on failure",
+              why: "State is updated before network call completes, but there's no rollback if the request fails. Users see stale/incorrect data.",
+              confidence: "med",
+              evidence: [evidenceFromLoc(fileAbs, repoRoot, loc, "Optimistic state update")].filter(Boolean),
+              fixHints: [
+                "Add a catch block that reverts the state to previous value on failure.",
+                "Use react-query's onMutate/onError for automatic rollback.",
+                "Store previous state before update and restore it on error.",
+              ],
+            });
+          }
+        }
+      });
+    } catch {
       continue;
     }
   }
@@ -2171,12 +2154,11 @@ function findReactPatternIssues(repoRoot) {
 }
 
 /* ============================================================================
- * ERROR HANDLING ANALYZER
- * Checks error handling patterns across all JS/TS files
+ * SILENT CATCH DETECTOR (Enhanced)
+ * Finds catch blocks that swallow errors without logging or re-throwing
  * ========================================================================== */
 
-function findErrorHandlingIssues(repoRoot) {
-  const { analyzeErrorHandling } = require("./engines/error-handling-engine");
+function findSilentCatch(repoRoot) {
   const findings = [];
   const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
     cwd: repoRoot,
@@ -2185,31 +2167,91 @@ function findErrorHandlingIssues(repoRoot) {
   });
 
   for (const fileAbs of files) {
+    const code = readFileCached(fileAbs);
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    
+    // Fast path: skip files without try-catch
+    if (!/\bcatch\s*\(/.test(code)) continue;
+    
+    let ast;
     try {
-      const code = readFileCached(fileAbs);
-      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      const engineFindings = analyzeErrorHandling(code, fileRel);
-      
-      // Only include BLOCK and WARN severity
-      for (const finding of engineFindings) {
-        if (finding.severity === "INFO") continue;
-        
-        findings.push({
-          id: stableId("F_ERROR", `${fileRel}:${finding.type}:${finding.line}`),
-          severity: finding.severity,
-          category: finding.category || "ErrorHandling",
-          title: finding.title,
-          message: finding.message,
-          file: finding.file,
-          line: finding.line,
-          why: "Poor error handling leads to silent failures, security issues, and hard-to-debug problems.",
-          confidence: finding.confidence,
-          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
-          fixHints: [finding.fixHint].filter(Boolean),
-        });
-      }
-    } catch (err) {
+      ast = parseFile(code, fileAbs);
+    } catch {
+      continue;
+    }
+
+    try {
+      traverse(ast, {
+        CatchClause(pathNode) {
+          const catchBody = pathNode.node.body;
+          const catchParam = pathNode.node.param?.name || "error";
+          
+          // Check if catch body is empty or only has comments
+          if (!catchBody.body || catchBody.body.length === 0) {
+            // Empty catch - already covered by findEmptyCatch
+            return;
+          }
+          
+          // Check if catch actually handles the error
+          let logsError = false;
+          let rethrowsError = false;
+          let showsUserError = false;
+          let hasConditionalReturn = false;
+          
+          pathNode.traverse({
+            CallExpression(inner) {
+              const callee = inner.node.callee;
+              const args = inner.node.arguments;
+              
+              // Check for console.error, console.log, logger.error, etc.
+              if (t.isMemberExpression(callee)) {
+                const obj = callee.object?.name || "";
+                const prop = callee.property?.name || "";
+                if ((obj === "console" || /logger|log/i.test(obj)) && /error|warn|log/.test(prop)) {
+                  // Check if it logs the error variable
+                  const argsStr = args.map(a => code.slice(a.start, a.end)).join(",");
+                  if (argsStr.includes(catchParam) || argsStr.includes("error") || argsStr.includes("err")) {
+                    logsError = true;
+                  }
+                }
+                // Check for toast.error, notification.error, etc.
+                if (/toast|notification|alert|message/i.test(obj) && /error|warn|fail/.test(prop)) {
+                  showsUserError = true;
+                }
+              }
+            },
+            ThrowStatement() {
+              rethrowsError = true;
+            },
+            ReturnStatement(ret) {
+              // Returning early might be intentional error handling
+              const ifParent = ret.findParent(p => p.isIfStatement());
+              if (ifParent) hasConditionalReturn = true;
+            }
+          });
+          
+          // Silent catch: doesn't log, doesn't rethrow, doesn't show user error
+          if (!logsError && !rethrowsError && !showsUserError && !hasConditionalReturn) {
+            const loc = pathNode.node.loc;
+            findings.push({
+              id: stableId("F_SILENT_CATCH", `${fileRel}:${loc?.start?.line || 0}`),
+              severity: "WARN",
+              category: "SilentCatch",
+              title: "Catch block swallows error silently",
+              why: "Errors are caught but not logged, reported, or shown to users. This makes debugging nearly impossible and hides failures.",
+              confidence: "med",
+              evidence: [evidenceFromLoc(fileAbs, repoRoot, loc, "Silent catch block")].filter(Boolean),
+              fixHints: [
+                `Add console.error(${catchParam}) or a logger call.`,
+                "Show user-friendly error message (toast, alert, etc.).",
+                "Re-throw the error if it should propagate.",
+                "If intentionally ignoring, add a comment explaining why.",
+              ],
+            });
+          }
+        }
+      });
+    } catch {
       continue;
     }
   }
@@ -2218,176 +2260,199 @@ function findErrorHandlingIssues(repoRoot) {
 }
 
 /* ============================================================================
- * DATABASE PATTERNS ANALYZER
- * Only runs when ORM usage is detected (Prisma, Drizzle, etc.)
+ * METHOD MISMATCH DETECTOR
+ * Finds client-side GET requests to POST-only endpoints and vice versa
  * ========================================================================== */
 
-function findDatabasePatternIssues(repoRoot) {
-  const { analyzeDatabasePatterns, detectORM } = require("./engines/database-patterns-engine");
-  const findings = [];
+function findMethodMismatch(truthpack) {
+  if (!truthpack?.routes) return [];
   
-  // Quick check: only run if an ORM is likely in use
-  const packageJsonPath = path.join(repoRoot, "package.json");
-  let hasORM = false;
+  const findings = [];
+  const serverRoutes = truthpack.routes.server || [];
+  const clientRefs = truthpack.routes.clientRefs || [];
   
-  try {
-    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf8"));
-    const deps = { ...packageJson.dependencies, ...packageJson.devDependencies };
-    const ormPackages = ["@prisma/client", "drizzle-orm", "typeorm", "sequelize", "mongoose", "knex"];
-    hasORM = ormPackages.some(pkg => deps[pkg]);
-  } catch (err) {
-    // No package.json or can't read - check files for ORM patterns
-    hasORM = true; // Fall back to checking files
+  // Build a map of route -> allowed methods
+  const routeMethodMap = new Map();
+  for (const route of serverRoutes) {
+    const key = normalizeRoutePath(route.path);
+    if (!routeMethodMap.has(key)) {
+      routeMethodMap.set(key, new Set());
+    }
+    if (route.method) {
+      routeMethodMap.get(key).add(route.method.toUpperCase());
+    }
   }
   
-  if (!hasORM) return findings;
-  
-  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: STANDARD_IGNORE_PATTERNS,
-  });
-
-  for (const fileAbs of files) {
-    try {
-      const code = readFileCached(fileAbs);
-      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      // Skip files without ORM imports for performance
-      const orm = detectORM(code);
-      if (!orm) continue;
-      
-      const engineFindings = analyzeDatabasePatterns(code, fileRel);
-      
-      // Only include BLOCK and WARN severity
-      for (const finding of engineFindings) {
-        if (finding.severity === "INFO") continue;
-        
-        findings.push({
-          id: stableId("F_DB", `${fileRel}:${finding.type}:${finding.line}`),
-          severity: finding.severity,
-          category: finding.category || "DatabasePatterns",
-          title: finding.title,
-          message: finding.message,
-          file: finding.file,
-          line: finding.line,
-          why: "Database anti-patterns cause performance issues, data integrity problems, and security vulnerabilities.",
-          confidence: finding.confidence,
-          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
-          fixHints: [finding.fixHint].filter(Boolean),
-        });
-      }
-    } catch (err) {
-      continue;
+  // Check client refs for method mismatches
+  for (const ref of clientRefs) {
+    if (!ref.method || !ref.path) continue;
+    
+    const clientMethod = ref.method.toUpperCase();
+    const normalizedPath = normalizeRoutePath(ref.path);
+    
+    // Find matching server route
+    const allowedMethods = routeMethodMap.get(normalizedPath);
+    
+    if (allowedMethods && allowedMethods.size > 0 && !allowedMethods.has(clientMethod)) {
+      // Method mismatch found
+      const allowed = Array.from(allowedMethods).join(", ");
+      findings.push({
+        id: stableId("F_METHOD_MISMATCH", `${ref.file || "unknown"}:${ref.line || 0}:${ref.path}`),
+        severity: "BLOCK",
+        category: "MethodMismatch",
+        title: `${clientMethod} request to ${allowed}-only endpoint: ${ref.path}`,
+        why: `Client makes ${clientMethod} request but server only accepts ${allowed}. This will fail with 405 Method Not Allowed.`,
+        confidence: "high",
+        evidence: ref.file ? [{
+          file: ref.file,
+          line: ref.line,
+          reason: `Client ${clientMethod} to ${allowed}-only route`,
+        }] : [],
+        fixHints: [
+          `Change client request method from ${clientMethod} to ${allowed}.`,
+          `Add ${clientMethod} handler to the server route.`,
+          "Verify the API contract matches documentation.",
+        ],
+      });
     }
   }
-
+  
   return findings;
 }
 
+// Helper to normalize route paths for comparison
+function normalizeRoutePath(routePath) {
+  if (!routePath) return "";
+  return routePath
+    .replace(/\[([^\]]+)\]/g, ":$1")  // [id] -> :id
+    .replace(/\/+/g, "/")              // multiple slashes -> single
+    .replace(/\/$/, "")                // remove trailing slash
+    .toLowerCase();
+}
+
 /* ============================================================================
- * ASYNC PATTERNS ANALYZER
- * Detects Promise and async/await anti-patterns
+ * DEAD UI DETECTOR (Enhanced)
+ * Finds buttons, forms, and links that do nothing
  * ========================================================================== */
 
-function findAsyncPatternIssues(repoRoot) {
-  const engines = require("./engines/vibecheck-engines");
-  if (!engines.analyzeAsyncPatterns) return [];
-  
+function findDeadUI(repoRoot) {
   const findings = [];
-  const files = fg.sync(["**/*.{ts,tsx,js,jsx}"], {
+  const files = fg.sync(["**/*.{tsx,jsx}"], {
     cwd: repoRoot,
     absolute: true,
     ignore: STANDARD_IGNORE_PATTERNS,
   });
 
   for (const fileAbs of files) {
+    const code = readFileCached(fileAbs);
+    const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
+    
+    // Fast path: skip files without interactive elements
+    if (!/<(button|Button|form|Form|a|Link)\b/.test(code)) continue;
+    
+    let ast;
     try {
-      const code = readFileCached(fileAbs);
-      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      const engineFindings = engines.analyzeAsyncPatterns(code, fileRel);
-      
-      // Only include BLOCK and WARN severity
-      for (const finding of engineFindings) {
-        if (finding.severity === "INFO") continue;
-        
-        findings.push({
-          id: stableId("F_ASYNC", `${fileRel}:${finding.type}:${finding.line}`),
-          severity: finding.severity,
-          category: finding.category || "AsyncPatterns",
-          title: finding.title,
-          message: finding.message,
-          file: finding.file,
-          line: finding.line,
-          why: "Async anti-patterns cause race conditions, memory leaks, and hard-to-debug failures.",
-          confidence: finding.confidence,
-          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
-          fixHints: [finding.fixHint].filter(Boolean),
-        });
-      }
-    } catch (err) {
+      ast = parseFile(code, fileAbs);
+    } catch {
       continue;
     }
-  }
-
-  return findings;
-}
 
-/* ============================================================================
- * BUNDLE SIZE ANALYZER
- * Only runs on client-side code to detect heavy imports
- * ========================================================================== */
-
-function findBundleSizeIssues(repoRoot) {
-  const engines = require("./engines/vibecheck-engines");
-  if (!engines.bundleSizeEngine?.analyzeBundleSize) return [];
-  
-  const findings = [];
-  
-  // Focus on likely client-side code paths
-  const files = fg.sync([
-    "**/app/**/*.{ts,tsx,js,jsx}",
-    "**/pages/**/*.{ts,tsx,js,jsx}",
-    "**/src/**/*.{ts,tsx,js,jsx}",
-    "**/components/**/*.{ts,tsx,js,jsx}",
-  ], {
-    cwd: repoRoot,
-    absolute: true,
-    ignore: [
-      ...STANDARD_IGNORE_PATTERNS,
-      "**/api/**", // Skip API routes (server-side)
-      "**/server/**",
-      "**/lib/server/**",
-    ],
-  });
-
-  for (const fileAbs of files) {
     try {
-      const code = readFileCached(fileAbs);
-      const fileRel = path.relative(repoRoot, fileAbs).replace(/\\/g, "/");
-      
-      const engineFindings = engines.bundleSizeEngine.analyzeBundleSize(code, fileRel);
-      
-      // Only include BLOCK and WARN severity
-      for (const finding of engineFindings) {
-        if (finding.severity === "INFO") continue;
-        
-        findings.push({
-          id: stableId("F_BUNDLE", `${fileRel}:${finding.type}:${finding.line}`),
-          severity: finding.severity,
-          category: finding.category || "BundleSize",
-          title: finding.title,
-          message: finding.message,
-          file: finding.file,
-          line: finding.line,
-          why: "Large bundles slow down page load and hurt user experience.",
-          confidence: finding.confidence,
-          evidence: [{ file: fileRel, reason: finding.title, line: finding.line }],
-          fixHints: [finding.fixHint].filter(Boolean),
-        });
-      }
-    } catch (err) {
+      traverse(ast, {
+        JSXElement(pathNode) {
+          const opening = pathNode.node.openingElement;
+          const tagName = opening.name?.name || opening.name?.property?.name || "";
+          
+          // Check for buttons, forms, links
+          if (!/^(button|Button|form|Form|a|Link)$/i.test(tagName)) return;
+          
+          const attrs = opening.attributes || [];
+          let hasOnClick = false;
+          let hasOnSubmit = false;
+          let hasHref = false;
+          let hasAction = false;
+          let hasType = false;
+          let isDisabled = false;
+          
+          for (const attr of attrs) {
+            if (!t.isJSXAttribute(attr)) continue;
+            const name = attr.name?.name || "";
+            
+            if (name === "onClick" || name === "onPress") hasOnClick = true;
+            if (name === "onSubmit") hasOnSubmit = true;
+            if (name === "href" || name === "to") hasHref = true;
+            if (name === "action") hasAction = true;
+            if (name === "type") hasType = true;
+            if (name === "disabled") isDisabled = true;
+          }
+          
+          // Button without onClick (unless it's a submit button or disabled)
+          if (/button/i.test(tagName) && !hasOnClick && !isDisabled) {
+            const isSubmitType = attrs.some(a => 
+              t.isJSXAttribute(a) && 
+              a.name?.name === "type" && 
+              t.isStringLiteral(a.value) && 
+              a.value.value === "submit"
+            );
+            
+            if (!isSubmitType) {
+              const loc = opening.loc;
+              findings.push({
+                id: stableId("F_DEAD_UI", `${fileRel}:${loc?.start?.line || 0}:button`),
+                severity: "WARN",
+                category: "DeadUI",
+                title: "Button without onClick handler",
+                why: "This button does nothing when clicked. Users expect buttons to perform actions.",
+                confidence: "med",
+                evidence: [evidenceFromLoc(fileAbs, repoRoot, loc, "Dead button")].filter(Boolean),
+                fixHints: [
+                  "<Button onClick={() => handleAction()}>Click Me</Button>",
+                  "For submit: <Button type=\"submit\">Submit</Button>",
+                  "For disabled: <Button disabled>Coming Soon</Button>",
+                ],
+              });
+            }
+          }
+          
+          // Form without onSubmit or action
+          if (/form/i.test(tagName) && !hasOnSubmit && !hasAction) {
+            const loc = opening.loc;
+            findings.push({
+              id: stableId("F_DEAD_UI", `${fileRel}:${loc?.start?.line || 0}:form`),
+              severity: "WARN",
+              category: "DeadUI",
+              title: "Form without onSubmit or action",
+              why: "This form does nothing when submitted. Form data won't be processed.",
+              confidence: "med",
+              evidence: [evidenceFromLoc(fileAbs, repoRoot, loc, "Dead form")].filter(Boolean),
+              fixHints: [
+                "Add an onSubmit handler to process form data.",
+                "Or add an action attribute for server-side submission.",
+              ],
+            });
+          }
+          
+          // Link without href
+          if (/^(a|Link)$/i.test(tagName) && !hasHref) {
+            const loc = opening.loc;
+            findings.push({
+              id: stableId("F_DEAD_UI", `${fileRel}:${loc?.start?.line || 0}:link`),
+              severity: "WARN",
+              category: "DeadUI",
+              title: "Link without href or to prop",
+              why: "This link goes nowhere. Users expect links to navigate somewhere.",
+              confidence: "med",
+              evidence: [evidenceFromLoc(fileAbs, repoRoot, loc, "Dead link")].filter(Boolean),
+              fixHints: [
+                "Add href prop with the target URL.",
+                "If using Next.js Link, ensure href is provided.",
+                "If it's a button styled as link, use a button element instead.",
+              ],
+            });
+          }
+        }
+      });
+    } catch {
       continue;
     }
   }
@@ -2395,123 +2460,14 @@ function findBundleSizeIssues(repoRoot) {
   return findings;
 }
 
-/* ============================================================================
- * V6: BULLETPROOF FINDINGS FILTER
- * Applies noise reduction and false positive prevention to any findings array
- * ========================================================================== */
-
-/**
- * Apply bulletproof filtering to findings
- * @param {Array} findings - Raw findings from analyzers
- * @param {Object} options - Configuration options
- * @returns {Object} { findings, stats }
- */
-function bulletproofFindings(findings, options = {}) {
-  const {
-    projectPath = ".",
-    projectStats = {},
-    config = {},
-    minConfidence = 0.4,
-    minQualityScore = 0.35,
-    verbose = false,
-  } = options;
-  
-  let processed = [...findings];
-  const stats = {
-    input: findings.length,
-    afterFalsePositiveFilter: 0,
-    afterNoiseReduction: 0,
-    output: 0,
-  };
-  
-  // Step 1: Filter false positives
-  if (falsePositivePrevention?.filterFalsePositives) {
-    const fpResult = falsePositivePrevention.filterFalsePositives(processed, {
-      projectPath,
-      minConfidence,
-    });
-    processed = fpResult.findings;
-    stats.afterFalsePositiveFilter = processed.length;
-    
-    if (verbose && fpResult.removed.length > 0) {
-      console.log(`  [FP Filter] Removed ${fpResult.removed.length} false positives`);
-    }
-  } else {
-    stats.afterFalsePositiveFilter = processed.length;
-  }
-  
-  // Step 2: Apply noise reduction
-  if (noiseReduction?.reduceNoise) {
-    const nrResult = noiseReduction.reduceNoise(processed, {
-      projectStats,
-      config,
-      minQualityScore,
-      verbose,
-    });
-    processed = nrResult.findings;
-    stats.afterNoiseReduction = processed.length;
-    stats.noiseStats = nrResult.stats;
-  } else {
-    stats.afterNoiseReduction = processed.length;
-  }
-  
-  stats.output = processed.length;
-  stats.reduction = Math.round((1 - stats.output / Math.max(stats.input, 1)) * 100);
-  
-  return { findings: processed, stats };
-}
-
-/**
- * Get project statistics for adaptive caps
- */
-function getProjectStats(projectPath) {
-  let fileCount = 0;
-  let lineCount = 0;
-  
-  try {
-    const files = fg.sync(["**/*.{ts,tsx,js,jsx,mjs,cjs}"], {
-      cwd: projectPath,
-      absolute: true,
-      ignore: STANDARD_IGNORE_PATTERNS,
-    });
-    
-    fileCount = files.length;
-    
-    // Sample line count from up to 100 files for performance
-    const sampleFiles = files.slice(0, 100);
-    let sampleLines = 0;
-    for (const file of sampleFiles) {
-      try {
-        const content = fs.readFileSync(file, "utf8");
-        sampleLines += content.split("\n").length;
-      } catch {
-        // Ignore errors
-      }
-    }
-    
-    // Extrapolate line count
-    if (sampleFiles.length > 0) {
-      lineCount = Math.round((sampleLines / sampleFiles.length) * fileCount);
-    }
-  } catch {
-    // Ignore errors
-  }
-  
-  return { fileCount, lineCount };
-}
-
 module.exports = {
-  // V6: Bulletproof filtering (apply to any findings array)
-  bulletproofFindings,
-  getProjectStats,
-  
   // V3: Cache management - call after scan completes to prevent memory leaks
   clearFileCache,
   
   // V3: Entropy helper - exported for testing/reuse
   getShannonEntropy,
   
-  // Core analyzers (route integrity, env, auth)
+  // Analyzers
   findMissingRoutes,
   findEnvGaps,
   findFakeSuccess,
@@ -2519,8 +2475,6 @@ module.exports = {
   findStripeWebhookViolations,
   findPaidSurfaceNotEnforced,
   findOwnerModeBypass,
-  
-  // Code quality analyzers (mock, TODO, console, etc.)
   findMockData,
   findTodoFixme,
   findConsoleLogs,
@@ -2529,22 +2483,18 @@ module.exports = {
   findDeprecatedApis,
   findEmptyCatch,
   findUnsafeRegex,
-  
-  // Enhanced analyzers (security, performance, quality)
+  // Enhanced analyzers
   findSecurityVulnerabilities,
   findPerformanceIssues,
   findCodeQualityIssues,
-  
   // Advanced analyzers
   findCrossFileIssues,
   findTypeSafetyIssues,
   findAccessibilityIssues,
   findAPIConsistencyIssues,
-  
-  // V5: New pattern analyzers (integrated, not separate commands)
-  findReactPatternIssues,     // React best practices (BLOCK/WARN only)
-  findErrorHandlingIssues,    // Error handling patterns
-  findDatabasePatternIssues,  // N+1, transactions, raw queries
-  findAsyncPatternIssues,     // Promise/async anti-patterns
-  findBundleSizeIssues,       // Heavy imports, bundle bloat
+  // NEW: AI Hallucination Detectors
+  findOptimisticNoRollback,
+  findSilentCatch,
+  findMethodMismatch,
+  findDeadUI,
 };