getdoorman 1.0.0

package/src/rules/bugs/ai-codegen.js

@@ -0,0 +1,365 @@
+// Bug detection: Patterns that AI code generators (Claude, GPT, Copilot) commonly produce wrong
+// These are the "looks right, works in demos, breaks in production" patterns.
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+function isPy(f) { return f.endsWith('.py'); }
+
+const rules = [
+  {
+    id: 'BUG-AI-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Placeholder error handling — catch block only logs',
+    description: 'AI often generates catch blocks that just console.log the error. In production, errors should be properly handled.',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\}\s*catch\s*\(\s*\w+\s*\)\s*\{/.test(lines[i]) || /catch\s*\(\s*\w+\s*\)\s*\{/.test(lines[i])) {
+            // Check if the catch block only has console.log/error and nothing else
+            let catchBody = '';
+            let braceDepth = 0;
+            let started = false;
+            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+              if (lines[j].includes('{')) { started = true; braceDepth += (lines[j].match(/\{/g) || []).length; }
+              if (started) {
+                catchBody += lines[j] + '\n';
+                braceDepth -= (lines[j].match(/\}/g) || []).length;
+                if (braceDepth <= 0) break;
+              }
+            }
+            const bodyLines = catchBody.split('\n').map(l => l.trim()).filter(l => l && l !== '{' && l !== '}' && !l.startsWith('//'));
+            if (bodyLines.length <= 2 && /console\.(log|error|warn)\s*\(/.test(catchBody) && !/throw\b|return\b|reject\b|next\s*\(|res\.\w+\(|process\.exit/.test(catchBody)) {
+              findings.push({
+                ruleId: 'BUG-AI-001', category: 'bugs', severity: 'high',
+                title: 'Catch block only logs error — no recovery, rethrow, or user feedback',
+                description: 'AI-generated catch blocks often just log and swallow errors. Add proper error handling: rethrow, return error response, or graceful degradation.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hardcoded localhost/port in non-config file',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) && !isPy(fp)) continue;
+        if (/config|\.env|constant|setting/i.test(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/['"`]https?:\/\/localhost:\d+/.test(lines[i]) || /['"`]https?:\/\/127\.0\.0\.1:\d+/.test(lines[i])) {
+            if (!/\/\/\s*(test|dev|example|TODO|FIXME)/.test(lines[i]) && !/\.test\.|\.spec\.|__test__/.test(fp)) {
+              findings.push({
+                ruleId: 'BUG-AI-002', category: 'bugs', severity: 'high',
+                title: 'Hardcoded localhost URL in source code',
+                description: 'AI generators default to localhost URLs that break in production. Use environment variables or config.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'TODO/placeholder left by AI generation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) && !isPy(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // AI-specific placeholder patterns
+          if (/\/\/\s*TODO:\s*(implement|add|replace|fix|handle|complete|fill|update)\s+(this|here|later|logic|code|implementation)/i.test(line) ||
+              /\/\/\s*\.\.\.\s*(rest|more|other|remaining)\s+(of|code|logic|implementation)/i.test(line) ||
+              /#\s*TODO:\s*(implement|add|replace|fix|handle|complete|fill)\s+(this|here|later|logic)/i.test(line) ||
+              /['"`]your[-_]?(api[-_]?key|secret|token|password|database[-_]?url)['"`]/i.test(line) ||
+              /['"`]sk-[\.x]+['"`]/.test(line) ||
+              /['"`]placeholder['"`]/i.test(line) && /=/.test(line)) {
+            findings.push({
+              ruleId: 'BUG-AI-003', category: 'bugs', severity: 'medium',
+              title: 'AI-generated placeholder/TODO not implemented',
+              description: 'AI code generators leave TODOs and placeholder values that must be replaced before production use.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Optimistic data fetching — no loading/error states',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        // Check for React components that fetch data but don't handle loading/error
+        if (!/use(State|Effect)/.test(content)) continue;
+        const lines = content.split('\n');
+        const hasDataFetch = /fetch\(|axios\.|\.get\(|\.post\(|useSWR|useQuery/.test(content);
+        const hasLoadingState = /loading|isLoading|pending|isFetching|skeleton|spinner/i.test(content);
+        const hasErrorState = /error|isError|errorMessage|onError|\.catch/.test(content);
+        if (hasDataFetch && !hasLoadingState && !hasErrorState) {
+          findings.push({
+            ruleId: 'BUG-AI-004', category: 'bugs', severity: 'high',
+            title: 'Data fetching without loading or error states',
+            description: 'AI-generated components often fetch data optimistically without handling loading and error states. Users see blank screens or stale data.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Copy-pasted code with inconsistent variable names',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) && !isPy(fp)) continue;
+        const lines = content.split('\n');
+        // Find functions/blocks that look very similar (AI often copy-pastes and partially edits)
+        const funcBodies = [];
+        let currentFunc = null;
+        let braceDepth = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const funcMatch = lines[i].match(/(?:function\s+(\w+)|(?:const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\()/);
+          if (funcMatch) {
+            if (currentFunc && currentFunc.body.length > 3) {
+              funcBodies.push(currentFunc);
+            }
+            currentFunc = { name: funcMatch[1] || funcMatch[2], line: i + 1, body: [] };
+            braceDepth = 0;
+          }
+          if (currentFunc) {
+            currentFunc.body.push(lines[i]);
+            braceDepth += (lines[i].match(/\{/g) || []).length - (lines[i].match(/\}/g) || []).length;
+            if (braceDepth <= 0 && currentFunc.body.length > 1) {
+              funcBodies.push(currentFunc);
+              currentFunc = null;
+            }
+          }
+        }
+        // Compare function bodies for near-duplicates
+        for (let a = 0; a < funcBodies.length; a++) {
+          for (let b = a + 1; b < funcBodies.length; b++) {
+            if (funcBodies[a].body.length < 5) continue;
+            const lenDiff = Math.abs(funcBodies[a].body.length - funcBodies[b].body.length);
+            if (lenDiff > 3) continue;
+            // Normalize: remove variable names, keep structure
+            const normalize = (lines) => lines.map(l => l.replace(/\b[a-z]\w*\b/gi, '_').replace(/\s+/g, ' ').trim()).filter(l => l.length > 5).join('\n');
+            const na = normalize(funcBodies[a].body);
+            const nb = normalize(funcBodies[b].body);
+            if (na === nb && na.length > 50) {
+              findings.push({
+                ruleId: 'BUG-AI-005', category: 'bugs', severity: 'medium',
+                title: `Near-duplicate functions: "${funcBodies[a].name}" and "${funcBodies[b].name}"`,
+                description: 'AI generators often copy-paste functions with minor changes. This leads to maintenance burden and inconsistent behavior. Consider extracting shared logic.',
+                file: fp, line: funcBodies[b].line, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-006',
+    category: 'bugs',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'User input used directly in database query',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Template literal in query with req.body/req.params/req.query
+          if (/`.*\$\{.*req\.(body|params|query|headers)\b/.test(line) && /\b(query|execute|raw|sql)\s*\(/.test(line)) {
+            findings.push({
+              ruleId: 'BUG-AI-006', category: 'bugs', severity: 'high',
+              title: 'SQL injection — user input interpolated into query string',
+              description: 'AI generators often use template literals for SQL queries with user input. Use parameterized queries instead.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+          // String concatenation in query
+          if (/\b(query|execute)\s*\(\s*['"`].*\+\s*req\.(body|params|query)/.test(line)) {
+            findings.push({
+              ruleId: 'BUG-AI-006', category: 'bugs', severity: 'high',
+              title: 'SQL injection — user input concatenated into query string',
+              description: 'Never concatenate user input into SQL queries. Use parameterized queries ($1, ?, :param).',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Inconsistent error response format',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (!/express|fastify|koa|router/.test(content)) continue;
+        const lines = content.split('\n');
+        const errorFormats = new Set();
+        for (let i = 0; i < lines.length; i++) {
+          // Detect various error response patterns
+          if (/res\.\w*status\s*\(\s*(4|5)\d\d\s*\)/.test(lines[i])) {
+            const block = lines.slice(i, Math.min(i + 3, lines.length)).join(' ');
+            if (/\{\s*error\s*:/.test(block)) errorFormats.add('error');
+            else if (/\{\s*message\s*:/.test(block)) errorFormats.add('message');
+            else if (/\{\s*msg\s*:/.test(block)) errorFormats.add('msg');
+            else if (/\{\s*err\s*:/.test(block)) errorFormats.add('err');
+            else if (/\.send\s*\(\s*['"`]/.test(block)) errorFormats.add('string');
+          }
+        }
+        if (errorFormats.size > 2) {
+          findings.push({
+            ruleId: 'BUG-AI-007', category: 'bugs', severity: 'medium',
+            title: `${errorFormats.size} different error response formats (${[...errorFormats].join(', ')})`,
+            description: 'AI generates different error shapes in each handler. Clients can\'t reliably parse errors. Standardize on one format like { error: { message, code } }.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No input validation on API endpoint',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // POST/PUT/PATCH handler
+          if (/\.(post|put|patch)\s*\(\s*['"`]/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 25, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            // Uses req.body but no validation
+            if (/req\.body/.test(block) && !/validate|schema|joi|zod|yup|ajv|express-validator|check\s*\(|body\s*\(/.test(block)) {
+              // Check for at least basic checks
+              if (!/if\s*\(\s*!req\.body|typeof\s+req\.body|req\.body\.\w+\s*===|!req\.body\.\w+/.test(block)) {
+                findings.push({
+                  ruleId: 'BUG-AI-008', category: 'bugs', severity: 'high',
+                  title: 'API endpoint accepts req.body without any input validation',
+                  description: 'AI-generated endpoints often trust req.body blindly. Add validation (zod, joi, or manual checks) to prevent crashes and security issues.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-009',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Unused import or variable from AI generation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        // Find simple imports: import X from 'y' or const X = require('y')
+        for (let i = 0; i < lines.length; i++) {
+          let importName = null;
+          const defaultImport = lines[i].match(/^import\s+(\w+)\s+from\s+/);
+          const requireImport = lines[i].match(/^(?:const|let|var)\s+(\w+)\s*=\s*require\s*\(/);
+          if (defaultImport) importName = defaultImport[1];
+          else if (requireImport) importName = requireImport[1];
+          if (!importName) continue;
+          // Check if the import is used in the rest of the file
+          const rest = lines.slice(i + 1).join('\n');
+          const usageRe = new RegExp(`\\b${importName}\\b`);
+          if (!usageRe.test(rest)) {
+            findings.push({
+              ruleId: 'BUG-AI-009', category: 'bugs', severity: 'medium',
+              title: `Unused import: "${importName}" imported but never used`,
+              description: 'AI generators often add imports they don\'t end up using. Dead imports bloat bundles and cause confusion.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-AI-010',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing CORS configuration in API server',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        // Is this a server entry point?
+        if (!/express\(\)|createServer|fastify\(\)|new Koa/.test(content)) continue;
+        if (!/\.(get|post|put|delete)\s*\(/.test(content)) continue;
+        // Check for CORS setup
+        if (!/cors\(|Access-Control-Allow|\.use\(\s*cors/.test(content)) {
+          findings.push({
+            ruleId: 'BUG-AI-010', category: 'bugs', severity: 'high',
+            title: 'API server without CORS configuration — frontend requests will fail',
+            description: 'AI often generates separate frontend and backend but forgets CORS. Browsers block cross-origin requests without proper headers.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/code-smell-bugs.js

@@ -0,0 +1,247 @@
+// Bug detection: Code smell patterns — off-by-one, path confusion, counter bugs
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const PY_EXT = ['.py'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+function isPy(f) { return PY_EXT.some(e => f.endsWith(e)); }
+function isSource(f) {
+  return ['.js','.jsx','.ts','.tsx','.mjs','.cjs','.py','.go','.java','.cs','.rb','.php','.rs','.swift','.dart'].some(e => f.endsWith(e));
+}
+
+const rules = [
+  // BUG-SMELL-001: Hardcoded slice index on dynamic string (off-by-one risk)
+  {
+    id: 'BUG-SMELL-001',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Hardcoded .slice() offset on dynamic string — off-by-one risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Pattern: variable.slice(hardcoded_number, ...) where the number > 1
+          // Suggests the offset was calculated by hand instead of dynamically
+          const match = line.match(/(\w+)\.slice\(\s*(\d+)\s*,/);
+          if (match) {
+            const offset = parseInt(match[2], 10);
+            // Only flag larger hardcoded offsets that look like manual string math
+            if (offset >= 4 && !/\.slice\(\s*\d+\s*,\s*-?\d+\s*\)/.test(line)) {
+              // Skip if the variable is a known literal context like a regex match or array
+              if (/match|split|entries|keys|values|args|argv/.test(match[1])) continue;
+              findings.push({
+                ruleId: 'BUG-SMELL-001', category: 'bugs', severity: 'medium',
+                title: `Hardcoded .slice(${offset}) — use indexOf/dynamic offset instead`,
+                description: `Hardcoding slice offset ${offset} is fragile. If the string format changes, the offset will be wrong. Use .indexOf() or .search() to find the position dynamically.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SMELL-002: Counter incremented twice in loop (double-increment bug)
+  {
+    id: 'BUG-SMELL-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Counter variable incremented twice — possible double-increment bug',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Find counter++ or counter += 1
+          const incMatch = line.match(/\b(\w+)\s*(?:\+\+|\+=\s*1)/);
+          if (!incMatch) continue;
+          const varName = incMatch[1];
+          // Check if same counter is incremented again within the next 10 lines
+          for (let j = i + 1; j < Math.min(lines.length, i + 10); j++) {
+            const nextLine = lines[j];
+            if (nextLine.trim().startsWith('//')) continue;
+            // Check for same variable incremented again
+            const re = new RegExp(`\\b${varName}\\s*(?:\\+\\+|\\+=\\s*1)`);
+            if (re.test(nextLine)) {
+              // Check if there's a conditional (if/else) between them — that's OK
+              const between = lines.slice(i + 1, j).join(' ');
+              if (/\bif\s*\(/.test(between) || /\belse\b/.test(between) || /\bcontinue\b/.test(between)) break;
+              findings.push({
+                ruleId: 'BUG-SMELL-002', category: 'bugs', severity: 'high',
+                title: `"${varName}" incremented twice without condition — double-increment bug`,
+                description: `Counter "${varName}" is incremented on line ${i + 1} and again on line ${j + 1} without any condition. This usually means the counter advances faster than intended.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SMELL-003: File path used as directory (join(filePath, ...))
+  {
+    id: 'BUG-SMELL-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'File path used as directory in path.join() — ENOTDIR crash risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Pattern: join(somePath, 'filename') where somePath could be a file
+          // Check if the function validates the path is a directory first
+          const joinMatch = line.match(/\bjoin\s*\(\s*(\w+)\s*,\s*['"]([^'"]+)['"]\s*\)/);
+          if (!joinMatch) continue;
+          const [, pathVar, filename] = joinMatch;
+          // Only flag if the filename looks like a config/cache file
+          if (!/\.(json|yml|yaml|toml|lock|log|cache|tmp|config)$/.test(filename)) continue;
+          // Check if there's a statSync/isDirectory check nearby
+          const context = lines.slice(Math.max(0, i - 5), i).join(' ');
+          if (/isDirectory|statSync|lstatSync/.test(context)) continue;
+          findings.push({
+            ruleId: 'BUG-SMELL-003', category: 'bugs', severity: 'high',
+            title: `path.join(${pathVar}, "${filename}") — crashes if ${pathVar} is a file, not a directory`,
+            description: `If "${pathVar}" is a file path instead of a directory, join() creates an invalid path (e.g., /file.js/${filename}). Add a check: statSync(${pathVar}).isDirectory() or use dirname(${pathVar}).`,
+            file: fp, line: i + 1,
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SMELL-004: String split result assumed to have N elements
+  {
+    id: 'BUG-SMELL-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Accessing split() result by index without length check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Pattern: str.split(x)[N] where N >= 1
+          const match = line.match(/\.split\s*\([^)]+\)\s*\[\s*(\d+)\s*\]/);
+          if (match) {
+            const idx = parseInt(match[1], 10);
+            if (idx >= 2) {
+              findings.push({
+                ruleId: 'BUG-SMELL-004', category: 'bugs', severity: 'medium',
+                title: `.split()[${idx}] without length check — undefined if not enough parts`,
+                description: `Accessing index ${idx} of split() result returns undefined if the string has fewer delimiters than expected. Add a length check or use a default: .split(x)[${idx}] ?? ''`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SMELL-005: Regex constructed from user input without escaping
+  {
+    id: 'BUG-SMELL-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'RegExp constructed from variable without escaping — ReDoS and crash risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // new RegExp(variable) without escaping
+          const match = line.match(/new\s+RegExp\s*\(\s*(\w+)/);
+          if (match) {
+            const varName = match[1];
+            // Skip if it's a string literal
+            if (/^['"`]/.test(varName)) continue;
+            // Check context for escaping
+            const context = lines.slice(Math.max(0, i - 3), i + 1).join(' ');
+            if (/escape|sanitize|replace\s*\(\s*\/\[/.test(context)) continue;
+            findings.push({
+              ruleId: 'BUG-SMELL-005', category: 'bugs', severity: 'high',
+              title: `new RegExp(${varName}) — unescaped input can crash or cause ReDoS`,
+              description: 'Building a regex from "' + varName + '" without escaping special characters can cause SyntaxError crashes or ReDoS attacks. Escape special chars before constructing the RegExp.',
+              file: fp, line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-SMELL-006: Circular reference in object (extends: self-name)
+  {
+    id: 'BUG-SMELL-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Object contains self-referencing extends/inherits property',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        // Track current object name
+        let currentObj = null;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Track const/let/var objectName = {
+          const objMatch = line.match(/(?:const|let|var)\s+(\w+)\s*=\s*\{/);
+          if (objMatch) currentObj = objMatch[1];
+          // Check for extends/inherits pointing to same name
+          if (currentObj) {
+            const extendsMatch = line.match(/extends\s*:\s*['"](\w+)['"]/);
+            if (extendsMatch && extendsMatch[1] === currentObj) {
+              findings.push({
+                ruleId: 'BUG-SMELL-006', category: 'bugs', severity: 'medium',
+                title: `Object "${currentObj}" extends itself — circular reference`,
+                description: `The "${currentObj}" object has extends: '${currentObj}' which creates a circular reference. This will cause infinite loops if extends is resolved recursively.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+          // Reset on closing brace at depth 0
+          if (/^\};?\s*$/.test(line)) currentObj = null;
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;