codesift-mcp 0.7.0 → 0.8.4

package/dist/tools/pattern-tools.js

@@ -1,6 +1,7 @@
 import { readFile } from "node:fs/promises";
 import { join } from "node:path";
 import { getCodeIndex } from "./index-tools.js";
+import { stripCommentsAndStrings } from "../utils/source-stripper.js";
 import { isTestFileStrict as isTestFile } from "../utils/test-file.js";
 // Built-in patterns inspired by CQ checklist + common React/TS anti-patterns
 // Exported for direct regex testing in unit tests.
@@ -8,128 +9,164 @@ export const BUILTIN_PATTERNS = {
     "useEffect-no-cleanup": {
         regex: /useEffect\s*\(\s*(?:async\s*)?\(\)\s*=>\s*\{(?:(?!return\s*\(\s*\)\s*=>|return\s+\(\)\s*=>|return\s*\(\s*\)\s*\{|return\s+function)[\s\S])*\}\s*,/,
         description: "useEffect without cleanup return — potential memory leak (CQ22)",
+        severity: "warning",
     },
     // --- React anti-patterns (Wave 2) ---
     "hook-in-condition": {
         regex: /\b(?:if|for|while|switch)\s*\([^)]*\)\s*\{[\s\S]{0,500}?\buse[A-Z]\w*\s*\(/,
         description: "React hook called inside if/for/while/switch — violates Rule of Hooks",
+        severity: "critical",
     },
     "useEffect-async": {
         regex: /useEffect\s*\(\s*async\s+(?:function\b|\(|[a-z_$])/,
         description: "async function directly in useEffect — use inner async wrapper (CQ22)",
+        severity: "warning",
     },
     "useEffect-object-dep": {
         regex: /useEffect\s*\([\s\S]*?,\s*\[[^\]]*[{[]/,
         description: "Object/array literal in useEffect dependency array — causes infinite re-renders",
+        severity: "warning",
     },
     "missing-display-name": {
         regex: /(?:React\.)?(?:memo|forwardRef)\s*\((?:(?!displayName)[\s\S]){0,500}$/,
         description: "React.memo/forwardRef without displayName nearby — harder to debug in DevTools",
+        severity: "style",
     },
     "index-as-key": {
         regex: /\.map\s*\(\s*\(\s*\w+\s*,\s*(index|idx|i)\b[^)]*\)\s*=>[\s\S]{0,400}?key\s*=\s*\{?\s*\1\b/,
         description: "Array index used as React key — causes incorrect reconciliation on reorder",
+        severity: "warning",
     },
     "inline-handler": {
         regex: /\bon[A-Z]\w*\s*=\s*\{\s*(?:\([^)]*\)|[a-z_$][\w$]*)\s*=>/,
         description: "Inline arrow function in JSX event handler — creates new reference every render (memoization killer)",
+        severity: "style",
     },
     "conditional-render-hook": {
         regex: /\breturn\s+[^;{]*;\s*\n[\s\S]*?\buse[A-Z]\w*\s*\(/,
         description: "React hook called after early return — violates Rule of Hooks",
+        severity: "critical",
     },
     // --- React anti-patterns (Wave 4b — additional) ---
     "dangerously-set-html": {
         regex: /dangerouslySetInnerHTML\s*=\s*\{/,
-        description: "dangerouslySetInnerHTML used — XSS risk unless content is sanitized (CQ24)",
+        description: "dangerouslySetInnerHTML used — XSS risk unless content is sanitized (CQ24). Comment/string-embedded mentions are stripped before matching.",
+        severity: "critical",
+        preprocess: "strip-comments-strings",
     },
     "direct-dom-access": {
         regex: /\bdocument\.(getElementById|querySelector|querySelectorAll|getElementsBy)\s*\(/,
-        description: "Direct DOM access in React component — use useRef instead (breaks SSR, bypasses virtual DOM)",
+        description: "Direct DOM access in React component — use useRef instead (breaks SSR, bypasses virtual DOM). Comment/string-embedded mentions stripped before matching.",
+        severity: "warning",
+        preprocess: "strip-comments-strings",
     },
     "unstable-default-value": {
         regex: /(?:function\s+[A-Z]\w*|const\s+[A-Z]\w*\s*=\s*(?:\([^)]*\)|[^=]*)\s*=>)\s*[\s\S]{0,100}(?:\{\s*[^}]*=\s*\[\s*\]|\{\s*[^}]*=\s*\{\s*\})/,
         description: "Default prop value [] or {} in component params — creates new reference every render, breaks memo/PureComponent",
+        severity: "warning",
     },
     "jsx-falsy-and": {
         regex: /\{\s*(?:count|length|size|num|total|amount)\s*&&\s*</,
         description: "Numeric variable used with && in JSX — renders '0' on screen when falsy. Use ternary or Boolean() (React gotcha)",
+        severity: "warning",
     },
     "nested-component-def": {
         regex: /(?:function\s+[A-Z]\w*\s*\([^)]*\)\s*\{|const\s+[A-Z]\w*\s*=\s*(?:\([^)]*\)|[\w$]*)\s*=>\s*\{)[\s\S]{0,1500}?\n\s{2,}(?:function\s+[A-Z]\w*\s*\(|const\s+[A-Z]\w*\s*=\s*\()/,
         description: "Component defined inside another component — remounts on every parent render, loses all state. Hoist to module level.",
+        severity: "critical",
     },
     "usecallback-no-deps": {
         regex: /use(?:Callback|Memo)\s*\([\s\S]*?\)\s*\)\s*[;,]/,
         description: "useCallback/useMemo with only one argument (no dependency array) — useless memoization, value recreated every render",
+        severity: "warning",
     },
     // --- React 19 features (Tier 4 — Item 19) ---
     "react19-use-without-suspense": {
         regex: /\buse\s*\(\s*[a-zA-Z_$][\w$]*\s*\)/,
         description: "React 19 use(promise) — must be wrapped in <Suspense> or it throws. Verify Suspense boundary exists in parent.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "critical",
     },
     "react19-server-action-not-async": {
-        regex: /^[\s\S]{0,200}["']use server["'][\s\S]{0,500}?\bexport\s+(?!async)function\s+\w+\s*\(/m,
-        description: "React 19 Server Action: function in 'use server' file must be async (returns Promise). Synchronous functions break the action contract.",
+        // Tier 7 fix: matches `export function X`, `export const X = (...) =>`,
+        // AND `export default function X` (gemini finding — default exports were missed).
+        // 2000-char window for actions defined far from the directive.
+        regex: /^[\s\S]{0,200}["']use server["'][\s\S]{0,2000}?\bexport\s+(?:(?:const|let|var)\s+\w+\s*=\s+(?!async\b)(?:\([^)]*\)|\w+)\s*=>|default\s+(?!async\b)function(?:\s+\w+)?\s*\(|(?!async\b)function\s+\w+\s*\()/m,
+        description: "React 19 Server Action: function in 'use server' file must be async (returns Promise). Pattern detects `export function X`, `export const X = (...) =>` arrow, AND `export default function X` (default exports).",
         fileIncludePattern: /\.(tsx|jsx|ts|js)$/,
+        severity: "critical",
     },
     "react19-form-action-non-function": {
         regex: /<form\s+[^>]*\baction\s*=\s*["'][^"']/,
         description: "React 19 form action prop should be a function (Server Action), not a string URL. Use <form action={serverAction}> for progressive enhancement.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "react19-useoptimistic-no-transition": {
-        regex: /\buseOptimistic\s*\([\s\S]{0,300}?(?!useTransition|startTransition)/,
-        description: "React 19 useOptimistic should be paired with useTransition/startTransition for non-urgent updates. Without it, optimistic updates can be interrupted.",
+        // Tier 7 fix: \b boundary — myUseTransitionWrapper no longer suppresses match.
+        // Tier 8: preprocess strips comment/string content before lookahead — closes
+        // Tier 7 R-2.1 known limit (transition tokens in JSDoc/comments).
+        regex: /\buseOptimistic\s*\((?![\s\S]{0,1000}?\b(?:useTransition|startTransition)\b)/,
+        description: "React 19 useOptimistic should be paired with useTransition/startTransition for non-urgent updates. Comment/string-embedded mentions stripped before matching.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
+        preprocess: "strip-comments-strings",
     },
     // --- oxlint-inspired React rules (April 2026) ---
     "hook-usestate-destructure": {
         regex: /(?:^|\n)\s*useState\s*(?:<[^>]+>)?\s*\([^)]*\)\s*;/,
         description: "useState() called without destructuring [value, setter] — value is inaccessible. Use: const [value, setValue] = useState(initial). (oxlint react/hook-use-state)",
         fileIncludePattern: /\.(tsx|jsx|ts)$/,
+        severity: "critical",
     },
     "prefer-function-component": {
         regex: /class\s+\w+\s+extends\s+(?:React\.)?(?:Component|PureComponent)\b/,
         description: "Class component could be a function component — class components lack hook support, are harder to tree-shake, and React Compiler cannot optimize them. (oxlint react/prefer-function-component)",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "style",
     },
     // --- React Compiler bailout patterns (GA v1.0, Oct 2025 — Next.js 16 stable) ---
     "compiler-side-effect-in-render": {
         regex: /\b(?:console\.(?:log|warn|error|info)\s*\(|Math\.random\s*\(|Date\.now\s*\(|document\.(?:getElementById|querySelector|createElement)\s*\()/,
         description: "Side effect in render body — React Compiler silently skips memoization. Move to useEffect or event handler.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "compiler-ref-read-in-render": {
         regex: /(?:^|\n)\s*(?:const|let|var)\s+\w+\s*=\s*\w+Ref\.current\b/,
         description: "Reading ref.current during render — React Compiler cannot track ref mutations. Read refs in useEffect or event handlers only.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "compiler-prop-mutation": {
         regex: /\bprops\.\w+\.(?:push|pop|shift|unshift|splice|sort|reverse|fill)\s*\(/,
         description: "Mutating props object — breaks React Compiler immutability assumption. Clone before mutating: [...props.items, newItem].",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "compiler-state-mutation": {
         regex: /(?:^|\n)\s*\w+\.(?:push|pop|shift|unshift|splice|sort|reverse|fill)\s*\([\s\S]{0,200}?set[A-Z]\w*\s*\(\s*\w+\s*\)/,
         description: "Direct state mutation then setState with same reference — React Compiler assumes immutable updates. Use spread: setItems([...items, newItem]).",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "compiler-try-catch-bailout": {
         regex: /(?:function\s+[A-Z]\w*|const\s+[A-Z]\w*\s*=)[\s\S]{0,300}?\btry\s*\{[\s\S]{0,500}?\bcatch\s*\(/,
         description: "try/catch in component body — React Compiler may silently bail out (known issue #35644). Move error handling to useEffect or extract to a hook.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "compiler-redundant-memo": {
         regex: /\b(?:React\.)?memo\s*\(\s*(?:function\s+[A-Z]|(?:\([^)]*\)|[A-Z]\w*)\s*=>)/,
         description: "React.memo wrapping — React Compiler auto-memoizes, making manual memo redundant. Safe to remove after compiler adoption.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "style",
     },
     "compiler-redundant-usecallback": {
         regex: /\buseCallback\s*\(\s*(?:\([^)]*\)|[a-z_$][\w$]*)\s*=>/,
         description: "useCallback wrapping — React Compiler auto-memoizes callbacks, making manual useCallback redundant. Safe to remove after compiler adoption.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "style",
     },
     // --- RSC boundary serializability (Tier 4 — Item 18) ---
     "rsc-non-serializable-prop": {
@@ -139,22 +176,35 @@ export const BUILTIN_PATTERNS = {
         regex: /\b(?:onClick|onChange|onSubmit|onError|callback|handler|render)\s*=\s*\{\s*[a-z_$][\w$]*\s*\}/,
         description: "Function passed as prop across RSC boundary — must be a Server Action ('use server') or component must be Client Component ('use client'). Functions are not serializable.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "critical",
     },
     "rsc-date-prop": {
         regex: /\b\w+\s*=\s*\{\s*new\s+Date\s*\(/,
         description: "Date object passed as prop — Date is serializable in JSON but loses prototype across RSC boundary. Use ISO string + parse on client side.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     // --- useEffect pain points (37% of devs struggle — State of React 2025) ---
     "useEffect-missing-cleanup": {
         regex: /useEffect\s*\(\s*(?:\([^)]*\)|[a-z_$][\w$]*)\s*=>[\s\S]{0,800}?(?:addEventListener|setInterval|setTimeout|subscribe|on\s*\()(?:(?!return\s*(?:\(\s*\)\s*=>|function))[\s\S]){0,800}\}\s*,/,
         description: "useEffect with addEventListener/setInterval/subscribe but no cleanup return — memory leak. Return a cleanup function that removes the listener/clears the interval.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     "useEffect-setstate-loop": {
-        regex: /useEffect\s*\(\s*(?:\([^)]*\)|[a-z_$][\w$]*)\s*=>[\s\S]{0,500}?set([A-Z]\w*)\s*\([\s\S]{0,300}?\[\s*[\s\S]*?\b\1\b/i,
-        description: "setState inside useEffect with same state variable in dependency array — causes infinite render loop. Either remove from deps or use functional updater: setState(prev => ...).",
+        // Tier 7 fix (multiple gemini findings):
+        //  1. Original matched `[` in setState array literal arg → anchored on `}, [`.
+        //  2. Cross-effect bridging — non-greedy walk now bails on next `useEffect`.
+        //  3. Implicit-return arrows: alternation block-bodied OR concise.
+        //  4. `\1\b` matched `count` inside `props.count` — fixed by `(?<!\.)\b\1\b`.
+        //  5. Tier 7 review R-3: concise arm's first `\)` could close a NESTED call like
+        //     `setCount(getY())`. Fix: require concise-arm setState arg has NO inner `(`
+        //     by using `[^()]*` for the simple case (most real bugs); complex args fall
+        //     through to the block-bodied arm. Documented as known limit.
+        regex: /useEffect\s*\(\s*(?:\([^)]*\)|[a-z_$][\w$]*)\s*=>\s*(?:\{(?:(?!\buseEffect\b)[\s\S]){0,800}?\bset([A-Z]\w*)\s*\((?:(?!\buseEffect\b)[\s\S]){0,300}?\}\s*,\s*\[[^\]]*?(?<!\.)\b\1\b|set([A-Z]\w*)\s*\([^()]{0,200}\)\s*,\s*\[[^\]]*?(?<!\.)\b\2\b)/i,
+        description: "setState inside useEffect with same state variable in dependency array — infinite render loop. Block-bodied form `() => { setX(); }, [x]` AND concise form `() => setX(arg), [x]` (concise arm requires non-nested arg). Bails out at next useEffect; rejects `props.count` property chains. Known limit: concise form with nested calls (setX(getY())) is not detected — block form covers it.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "critical",
     },
     "useEffect-missing-deps-identifier": {
         // Heuristic: useEffect with empty dep array [] but body references an
@@ -164,23 +214,27 @@ export const BUILTIN_PATTERNS = {
         regex: /useEffect\s*\(\s*\([^)]*\)\s*=>\s*\{[\s\S]{0,400}?\b(?:props\.\w+|[a-z][a-zA-Z]*(?:\.\w+)?)[\s\S]{0,400}?\}\s*,\s*\[\s*\]\s*\)/,
         description: "useEffect with empty deps array [] reads props/state identifiers in body — likely missing dependencies. If intentional, add // eslint-disable-next-line react-hooks/exhaustive-deps with reason.",
         fileIncludePattern: /\.(tsx|jsx)$/,
+        severity: "warning",
     },
     // --- Next.js 16 cache patterns ---
     "nextjs-use-cache-without-tag": {
         regex: /['"]use cache['"](?:(?!cacheTag\s*\()[\s\S]){0,1000}$/,
         description: "Next.js 16 'use cache' directive without cacheTag() call — cache entry is hard to invalidate. Add cacheTag('name') for targeted revalidation.",
         fileIncludePattern: /\.(tsx|jsx|ts)$/,
+        severity: "warning",
     },
     "nextjs-revalidatetag-deprecated": {
         regex: /\brevalidateTag\s*\(\s*['"][^'"]+['"]\s*\)/,
         description: "Next.js 16: revalidateTag() without cacheLife profile (second argument). Single-arg form deprecated — add cacheLife profile.",
         fileIncludePattern: /\.(tsx|jsx|ts)$/,
+        severity: "warning",
     },
     // --- TanStack Query patterns ---
     "tanstack-missing-invalidation": {
         regex: /\buseMutation\s*\((?:(?!invalidateQueries|invalidateQuery)[\s\S]){0,800}\}\s*\)/,
         description: "useMutation without invalidateQueries in onSuccess/onSettled — stale data remains in cache after mutation. Add queryClient.invalidateQueries() on success.",
         fileIncludePattern: /\.(tsx|jsx|ts)$/,
+        severity: "warning",
     },
     // --- React Tier 5 (May 2026) — derived state, stale closures, context perf, security ---
     "derived-state": {
@@ -228,17 +282,97 @@ export const BUILTIN_PATTERNS = {
         severity: "style",
         fileIncludePattern: /\.(tsx|jsx)$/,
     },
+    // --- React Tier 6 (May 2026) — extending Tier 5 coverage ---
+    "derived-state-reducer": {
+        regex: /useReducer\s*\([\s\S]{0,500}?\)[\s\S]{0,2000}?useEffect\s*\([\s\S]{0,500}?dispatch\s*\(\s*\{\s*type\s*:\s*['"][a-zA-Z_-]*sync/i,
+        description: "useReducer + useEffect dispatching a sync-typed action — derived state via reducer.",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "derived-state-custom-setter": {
+        regex: /useState\s*\(\s*props\.(\w+)\s*\)[\s\S]{0,2000}?useEffect\s*\([\s\S]{0,500}?set[A-Z]\w*\s*\(\s*props\.\1\s*\)/,
+        description: "useState(props.X) + useEffect with custom-named setter syncing props.X — derived state anti-pattern (custom setter naming variant).",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "stale-closure-toggle": {
+        regex: /const\s*\[\s*(\w+)\s*,\s*set([A-Z]\w*)\s*\]\s*=\s*useState[\s\S]{0,3000}?\bset\2\s*\(\s*!\s*\1\s*\)/,
+        description: "setX(!X) boolean toggle — risks stale closure. Use functional form: setX(prev => !prev).",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "stale-closure-broken-functional": {
+        // codex Run findings: regex must require updater param NAME ≠ state var name
+        // (e.g. `setCount(count => count + 1)` is correct shadowing, not the bug).
+        // Three-group form: \1 = state var, \3 = updater param. Match only when \3 != \1
+        // by requiring \1 ref AFTER updater param that's a distinct identifier.
+        regex: /const\s*\[\s*(\w+)\s*,\s*set([A-Z]\w*)\s*\]\s*=\s*useState[\s\S]{0,3000}?\bset\2\s*\(\s*(?!(?:\1\b))(\w+)\s*=>\s*[\s\S]{0,200}?\b\1\b/,
+        description: "Functional updater that references the outer state var instead of the prev parameter (e.g., setCount(prev => count + 1)) — still stale-closure-prone. NOTE: correctly skips intentional shadowing (setCount(count => count + 1)).",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "context-provider-value-via-variable": {
+        // gemini findings: original lookbehind was syntactically broken; missed arrays.
+        // Fix: drop lookbehind (negation handled via word `useMemo` exclusion in identifier
+        // value-source), accept both {object} and [array] literal sources.
+        regex: /\b(?:const|let|var)\s+(\w+)\s*=\s*(?!useMemo\b)[{\[][\s\S]{0,500}?[}\]]\s*;[\s\S]{0,500}?<\w+\.Provider\s+[^>]*\bvalue\s*=\s*\{\s*\1\s*\}/,
+        description: "Context.Provider value passed via local variable assigned to inline object/array literal — new reference every render. Wrap in useMemo: const ctx = useMemo(() => ({...}), [deps]). Detects both {} and [] forms; correctly skips useMemo-wrapped values.",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "context-provider-value-inline-destructured": {
+        regex: /const\s*\{\s*([A-Z]\w*Provider\w*|Provider)\s*\}\s*=\s*\w+[\s\S]{0,2000}?<\1\s+[^>]*\bvalue\s*=\s*\{\s*[\{\[]/,
+        description: "Destructured Provider with inline object/array literal value — same perf problem as <Ctx.Provider value={{...}}>. Wrap in useMemo.",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "react-lazy-no-suspense-same-file": {
+        // Tier 6 Item 1 — single-file approximation. Cross-file detection (Suspense in router parent)
+        // requires interprocedural analysis — deferred to Tier 7.
+        // Codex/gemini findings:
+        //  - <React.Suspense> form must be matched (was bypassable with `import * as React`)
+        //  - Suspense placed BEFORE lazy() in file was missed (forward-only lookahead)
+        // Fix: from-start-of-file negation `((?!<(?:React\.)?Suspense\b)[\s\S])*` + same trailing.
+        regex: /^((?!<(?:React\.)?Suspense\b)[\s\S])*(?:const|let|var)\s+[A-Z]\w*\s*=\s*(?:React\.)?lazy\s*\(((?!<(?:React\.)?Suspense\b)[\s\S]){0,3000}?export\s+default/,
+        description: "React.lazy() in entrypoint file (has `export default`) without any <Suspense> or <React.Suspense> anywhere in the same file — likely missing Suspense boundary. NOTE: heuristic only — Suspense in router parent file is a known false-positive case (cross-file detection deferred to Tier 7).",
+        severity: "style",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "error-boundary-incomplete": {
+        // Tier 6 Item 14 — ErrorBoundary coverage (partial). True coverage analysis
+        // (which routes wrapped) requires cross-file scope — Tier 7. This pattern detects
+        // class components that DEFINE one of the two ErrorBoundary lifecycle methods but
+        // not the other, indicating incomplete error handling.
+        // Match strategy: class with componentDidCatch but no getDerivedStateFromError in same body
+        // (or vice versa) is an incomplete ErrorBoundary.
+        regex: /class\s+\w+\s+extends\s+(?:React\.)?(?:Component|PureComponent)\b[\s\S]{0,3000}?(?:componentDidCatch\s*\([\s\S]{0,2000}?\}(?![\s\S]{0,2000}?getDerivedStateFromError)|getDerivedStateFromError\s*\([\s\S]{0,2000}?\}(?![\s\S]{0,2000}?componentDidCatch))/,
+        description: "ErrorBoundary class component has componentDidCatch but not getDerivedStateFromError (or vice versa). React requires BOTH lifecycle methods for a complete ErrorBoundary: getDerivedStateFromError to render fallback UI, componentDidCatch to log the error.",
+        severity: "warning",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
+    "rsc-non-serializable-prop-deep": {
+        // Tier 6 Item 11 — deep RSC serializability. Detects common non-serializable types
+        // passed across RSC boundary: Map, Set, Class instances (PascalCase constructor),
+        // Symbol(). Complements rsc-non-serializable-prop which catches function refs only.
+        regex: /\b(?:onClick|onChange|onSubmit|onError|callback|handler|render|data|value|state)\s*=\s*\{\s*new\s+(?:Map|Set|WeakMap|WeakSet|Symbol|RegExp|Promise|[A-Z]\w*)\s*\(/,
+        description: "Non-serializable type passed as prop across RSC boundary — Map/Set/Class instance/Symbol/RegExp/Promise are NOT JSON-serializable. Convert to plain object/array on server, reconstruct on client.",
+        severity: "critical",
+        fileIncludePattern: /\.(tsx|jsx)$/,
+    },
     "empty-catch": {
         regex: /catch\s*\([^)]*\)\s*\{\s*\}/,
-        description: "Empty catch block — swallowed error (CQ8)",
+        description: "Empty catch block — swallowed error (CQ8). Comment/string-embedded mentions stripped before matching.",
+        preprocess: "strip-comments-strings",
     },
     "any-type": {
         regex: /:\s*any\b|as\s+any\b/,
-        description: "Usage of 'any' type — lose type safety",
+        description: "Usage of 'any' type — lose type safety. Comment/string-embedded mentions stripped before matching.",
+        preprocess: "strip-comments-strings",
     },
     "console-log": {
         regex: /console\.(log|debug|info)\s*\(/,
-        description: "console.log in production code — use structured logger (CQ13)",
+        description: "console.log in production code — use structured logger (CQ13). Comment/string-embedded mentions stripped before matching.",
+        preprocess: "strip-comments-strings",
     },
     "await-in-loop": {
         regex: /for\s*\([\s\S]*?\)\s*\{[\s\S]*?await\s/,
@@ -340,6 +474,128 @@ export const BUILTIN_PATTERNS = {
         regex: /createCommand\s*\(\s*["'][^"']*\$\{?\w+/,
         description: "Yii2 createCommand with string interpolation — SQL injection risk",
     },
+    // --- Yii2 / PHP additional security & quality patterns (Sprint 2) ---
+    "yii-csrf-disabled": {
+        // Property assignment OR rule override that disables CSRF on a controller.
+        // Common false positive: test-only configs intentionally disable CSRF.
+        // We exclude config/test*.php at the search-pattern level via fileIncludePattern.
+        regex: /\benableCsrfValidation\s*=\s*false\b/,
+        description: "CSRF validation explicitly disabled on a controller — accepts forged requests for state-changing actions (Yii2)",
+        fileIncludePattern: /\.php$/,
+    },
+    "yii-debug-mode-prod": {
+        // Hard-coded `define('YII_DEBUG', true)` in web/index.php is a deploy
+        // disaster — full stack traces leak into production HTTP responses.
+        // The pattern intentionally matches both `define()` and `defined() and`
+        // forms, since both are legal Yii2 entry-point styles.
+        regex: /\b(?:define|defined)\s*\(\s*['"]YII_DEBUG['"][^)]*(?:,\s*true|\)\s*(?:and|&&)\s*YII_DEBUG\s*===?\s*true)/,
+        description: "YII_DEBUG enabled — leaks full stack traces, file paths, and variable contents in HTTP responses (Yii2)",
+    },
+    "yii-cookie-no-validation": {
+        // Empty / placeholder cookie validation key disables HMAC integrity on
+        // signed cookies. Matches blank string or obvious placeholder values.
+        regex: /['"]cookieValidationKey['"]\s*=>\s*['"](?:|change[-_]?me|TODO|xxx+|FIXME|placeholder|insert[-_]?key)['"]/i,
+        description: "cookieValidationKey is empty or placeholder — signed cookies have no HMAC integrity check (Yii2)",
+    },
+    "yii-mass-assignment-unsafe": {
+        // ->setAttributes($_POST) / ->setAttributes($request->post()) — usually
+        // unsafe unless paired with safeAttributes()/scenarios(). We can't tell
+        // statically that the class has scenarios(); flag as MEDIUM and let the
+        // reviewer make the call.
+        regex: /->setAttributes\s*\(\s*(?:\$_(?:POST|GET|REQUEST)\b|Yii::\$app->request->(?:post|get)\(\s*\))/,
+        description: "setAttributes() called with raw user input — bypasses scenarios() guards if not paired with safeAttributes (Yii2)",
+    },
+    "yii-raw-sql-where": {
+        // ActiveQuery->where("col = $var") — string interpolation in WHERE.
+        // Matches both single and double quotes. Yii2 supports param-binding
+        // via array form `['=', 'col', $var]` which is the safe alternative.
+        regex: /->where\s*\(\s*["'][^"']*\$\{?[a-zA-Z_]/,
+        description: "ActiveQuery->where() with string concatenation — bypasses Yii2 parameter binding (Yii2 SQL injection risk)",
+    },
+    "php-md5-password": {
+        // md5/sha1 applied to anything that smells like a password/secret.
+        // High false-positive risk on legitimate hash use; severity HIGH because
+        // when it IS a password hash it's a CVE-class bug.
+        regex: /\b(?:md5|sha1)\s*\(\s*\$(?:password|hasl|haslo|pwd|pass|secret|token|hash)\b/i,
+        description: "md5() or sha1() used on password/secret — both are broken for password hashing. Use password_hash() / Yii::\\$app->security->generatePasswordHash() (PHP)",
+    },
+    "php-rand-token": {
+        // rand() / mt_rand() / uniqid() on a variable named like a token/secret.
+        regex: /\$(?:token|nonce|csrf|secret|api[_-]?key|reset[_-]?key)\s*=\s*(?:rand|mt_rand|uniqid)\s*\(/i,
+        description: "rand()/mt_rand()/uniqid() used to generate token/secret — not cryptographically secure. Use random_bytes() / Yii::\\$app->security->generateRandomString() (PHP)",
+    },
+    "php-loose-comparison-secret": {
+        // == on hash/token comparison — timing attack. Very narrow regex;
+        // requires explicit variable naming.
+        regex: /\b(?:==|!=)\s*\$(?:hash|token|signature|hmac|expected[_-]?hash|secret)\b|\$(?:hash|token|signature|hmac)\s*(?:==|!=)\s*[\$"']/i,
+        description: "Loose comparison on secret/hash/token — timing-attack vulnerable. Use hash_equals() (PHP)",
+    },
+    "yii-rbac-cached-permission": {
+        // ->can() inside a foreach loop — DbManager hits the DB per call site,
+        // O(n) DB roundtrips on a list view. Match foreach + ->can within a
+        // bounded window so we don't false-flag unrelated calls in long files.
+        regex: /\bforeach\s*\([^{]*\{[\s\S]{0,800}?->can\s*\(/,
+        description: "->can() called inside foreach — Yii2 DbManager hits the DB per call. Cache permissions or use checkAccess() once outside the loop (Yii2)",
+    },
+    "yii-no-row-level-locking": {
+        // beginTransaction in the same function as findOne/find()->one()
+        // without ->forUpdate() — concurrency bug in incentive/payment flows.
+        // Bounded window prevents false positives on long methods that legitimately
+        // separate the transaction from the read.
+        regex: /->beginTransaction\s*\(\s*\)[\s\S]{0,1500}?(?:::findOne\s*\(|->one\s*\(\s*\))(?![\s\S]{0,200}->forUpdate\b)/,
+        description: "Transaction reads a row without SELECT FOR UPDATE — concurrent writers can race and produce duplicate state mutations (Yii2)",
+    },
+    "yii-config-hardcoded-secret": {
+        // Hardcoded literal in 'cookieValidationKey' / 'apiKey' / 'jwtSecret'.
+        // Hex/base64 strings of >=20 chars are strong signal. We allow common
+        // env() / getenv() lookups as escape hatch.
+        regex: /['"](?:cookieValidationKey|apiKey|jwtSecret|secretKey|app[_-]?secret|stripe[_-]?secret)['"]\s*=>\s*['"][A-Za-z0-9+\/_=-]{20,}['"]/,
+        description: "Hardcoded secret in config array — should come from env var or runtime/config-local.php that is gitignored (Yii2)",
+    },
+    "yii-unbounded-all": {
+        // Find()-builder ending in ->all() inside a console controller. We can't
+        // easily restrict via path in regex, so use file include pattern. The
+        // pattern matches any `find()...all()` chain that doesn't use ->limit().
+        regex: /::find\s*\([^)]*\)[\s\S]{0,400}?->all\s*\(\s*\)(?![\s\S]{0,100}->limit\b)/,
+        description: "ActiveQuery->all() without ->limit() — loads the entire result set into memory. Use ->batch()/->each() for cron/console flows (Yii2 perf)",
+        fileIncludePattern: /(?:commands|console)\/[^/]+Controller\.php$/,
+    },
+    // --- Sprint 7 perf patterns (sourced from tgm-panel performance-audit findings) ---
+    "yii-translate-in-loop": {
+        // Yii::t() inside a foreach. Costly when paired with DbMessageSource and
+        // no message cache (which IS the tgm-panel perf-audit P1 finding). 800-char
+        // window after the foreach captures typical loop bodies; nested loops
+        // matched separately by global /g.
+        regex: /\bforeach\s*\([^{]*\{[\s\S]{0,800}?\\?\bYii::t\s*\(/,
+        description: "Yii::t() inside foreach — expensive when DbMessageSource caching is off. Move translation outside the loop OR enable enableCaching on the message source (Yii2 perf)",
+    },
+    "yii-dbtarget-info-level": {
+        // DbTarget log target with 'levels' including info/trace/profile.
+        // Writes setting often left from local dev; writes to DB on every
+        // request hits hard at scale. Bounded window captures the array.
+        regex: /['"]class['"]\s*=>\s*['"][^'"]*DbTarget['"][\s\S]{0,400}?['"]levels['"]\s*=>\s*\[[^\]]*\b(?:info|trace|profile)\b/,
+        description: "DbTarget logging info/trace/profile to DB on every request — moves the logger off the hot path (Yii2 perf)",
+    },
+    "yii-find-with-large-then-filter": {
+        // ->find()->all() followed by `array_filter` / `array_map` on the result —
+        // pull-then-filter pattern that should be ->where()->all() instead.
+        regex: /->find\s*\([^)]*\)[\s\S]{0,200}?->all\s*\(\s*\)\s*;\s*[^\n]{0,200}?\barray_(?:filter|map)\s*\(/,
+        description: "ActiveQuery->all() into array_filter/array_map — push the filter into the WHERE clause to reduce I/O (Yii2 perf)",
+    },
+    "yii-cache-no-ttl": {
+        // Yii::$app->cache->set('key', $value)  — no TTL argument means cache
+        // entry persists indefinitely. Often the deliberate choice, but on
+        // user-keyed caches it's a memory bomb.
+        regex: /\\?\bYii::\$app->cache->set\s*\(\s*[^,]+,\s*[^,)]+\)/,
+        description: "cache->set without TTL — entry persists indefinitely. Add a third TTL argument unless caching a global config value (Yii2 perf)",
+    },
+    "yii-no-batch-on-large": {
+        // Same as yii-unbounded-all but applies to non-controller files (services,
+        // jobs/, components/). Together they cover 95% of unbounded reads.
+        regex: /::find\s*\([^)]*\)[\s\S]{0,400}?->all\s*\(\s*\)(?![\s\S]{0,100}->(?:limit|batch|each)\b)/,
+        description: "find()->all() in service/job code without ->limit() / ->batch() / ->each() — risk of OOM on growing tables (Yii2 perf)",
+        fileIncludePattern: /(?:components|services|jobs|workers|tasks)\/[^/]+\.php$/,
+    },
     // NestJS anti-patterns
     "nest-circular-inject": {
         regex: /@Inject\s*\(\s*forwardRef\s*\(/,
@@ -717,6 +973,7 @@ export async function searchPatterns(repo, pattern, options) {
     let fileExcludePattern;
     let fileIncludePattern;
     let postFilter;
+    let preprocess;
     const builtin = BUILTIN_PATTERNS[pattern];
     if (builtin) {
         regex = builtin.regex;
@@ -724,6 +981,7 @@ export async function searchPatterns(repo, pattern, options) {
         fileExcludePattern = builtin.fileExcludePattern;
         fileIncludePattern = builtin.fileIncludePattern;
         postFilter = builtin.postFilter;
+        preprocess = builtin.preprocess;
     }
     else {
         try {
@@ -751,14 +1009,21 @@ export async function searchPatterns(repo, pattern, options) {
         if (fileIncludePattern && !fileIncludePattern.test(sym.file))
             continue;
         scanned++;
-        const match = regex.exec(sym.source);
+        // Tier 8 — preprocess source if pattern opts in. Strip preserves positions
+        // so line/column math below remains accurate.
+        const scanSource = preprocess === "strip-comments-strings"
+            ? stripCommentsAndStrings(sym.source)
+            : sym.source;
+        const match = regex.exec(scanSource);
         if (match) {
             if (!shouldKeepPostFilterMatch(pattern, match[0], postFilter))
                 continue;
             // Extract context: the matching line(s)
             const matchStart = match.index;
             const linesBefore = sym.source.slice(0, matchStart).split("\n").length;
-            const matchedText = match[0].split("\n")[0]; // First line of match
+            // Use ORIGINAL source for the displayed context line, not stripped.
+            const origLine = sym.source.slice(matchStart, sym.source.indexOf("\n", matchStart) === -1 ? sym.source.length : sym.source.indexOf("\n", matchStart));
+            const matchedText = origLine.length > 0 ? origLine : match[0].split("\n")[0];
             matches.push({
                 name: sym.name,
                 kind: sym.kind,
@@ -795,12 +1060,19 @@ export async function searchPatterns(repo, pattern, options) {
                 continue;
             }
             scanned++;
-            const match = regex.exec(content);
+            // Tier 8 — preprocess source if pattern opts in.
+            const scanContent = preprocess === "strip-comments-strings"
+                ? stripCommentsAndStrings(content)
+                : content;
+            const match = regex.exec(scanContent);
             if (match) {
                 if (!shouldKeepPostFilterMatch(pattern, match[0], postFilter))
                     continue;
                 const linesBefore = content.slice(0, match.index).split("\n").length;
-                const matchedText = match[0].split("\n")[0];
+                // Display original line, not stripped
+                const lineEnd = content.indexOf("\n", match.index);
+                const origLine = content.slice(match.index, lineEnd === -1 ? content.length : lineEnd);
+                const matchedText = origLine.length > 0 ? origLine : match[0].split("\n")[0];
                 matches.push({
                     name: fileEntry.path.split("/").pop() ?? fileEntry.path,
                     kind: "function", // file-level match has no symbol kind