getdoorman 1.0.0

package/src/rules/bugs/general.js

@@ -0,0 +1,361 @@
+// Bug detection: Universal patterns across all languages
+function isSource(f) {
+  return ['.js','.jsx','.ts','.tsx','.mjs','.cjs','.py','.rb','.go','.java','.cs','.php','.rs','.swift','.dart','.sh'].some(e => f.endsWith(e));
+}
+
+const rules = [
+  {
+    id: 'BUG-GEN-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'TODO/FIXME/HACK/BUG in production code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/\/\/\s*(TODO|FIXME|HACK|BUG|XXX|BROKEN)\b[:\s]*(.*)/i) ||
+                        lines[i].match(/#\s*(TODO|FIXME|HACK|BUG|XXX|BROKEN)\b[:\s]*(.*)/i);
+          if (match) {
+            const tag = match[1].toUpperCase();
+            const msg = match[2]?.trim() || '';
+            if (tag === 'FIXME' || tag === 'BUG' || tag === 'HACK' || tag === 'BROKEN' || tag === 'XXX') {
+              findings.push({
+                ruleId: 'BUG-GEN-001', category: 'bugs', severity: 'low',
+                title: `${tag} comment: ${msg.slice(0, 80) || 'needs attention'}`,
+                description: `A ${tag} comment indicates known incomplete or broken code. Address it before shipping.`,
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Division by zero without guard',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Skip comments, regex literals, imports, path strings
+          if (/^\s*\/\/|^\s*\*|^\s*\/\*|import\s|require\s*\(|['"`].*\/.*['"`]/.test(line)) continue;
+          // Match explicit arithmetic division: expr / variable
+          const divMatch = line.match(/\b(\w+)\s*\/\s*(\w+)\b/);
+          if (!divMatch) continue;
+          const [, , divisor] = divMatch;
+          // Must be a simple variable name, not a number, not in a comment
+          if (!/^[a-z][a-zA-Z0-9_]*$/.test(divisor)) continue;
+          if (/^(undefined|null|NaN|Infinity|true|false|this|Math|Date|JSON|Object|Array|String|Number)$/.test(divisor)) continue;
+          // Must be preceded by an arithmetic operator or assignment context (not a regex or path)
+          if (!/[=+\-*%(,]\s*\w+\s*\/\s*\w+/.test(line)) continue;
+          // Check for guards in surrounding context
+          const context = lines.slice(Math.max(0, i - 3), i + 1).join('\n');
+          if (/!==?\s*0|>\s*0|!= 0|> 0|\|\|\s*1|\?\?/.test(context)) continue;
+          if (new RegExp(`if\\s*\\(.*${divisor}`).test(context)) continue;
+          findings.push({
+            ruleId: 'BUG-GEN-002', category: 'bugs', severity: 'high',
+            title: `Potential division by zero — "${divisor}" not checked`,
+            description: 'This division could fail if the divisor is zero. Add a guard: if (divisor !== 0) or use a default value.',
+            file: fp, line: i + 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hardcoded credentials in source code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // password = "..." or api_key = "..." or secret = "..."
+          if (/(?:password|passwd|api_?key|secret_?key|auth_?token|access_?token)\s*[:=]\s*['"][^'"]{4,}['"]/i.test(line)) {
+            if (!/(?:example|test|mock|fake|dummy|placeholder|xxx|your_|change_me|TODO)/i.test(line) && !fp.includes('test') && !fp.includes('example')) {
+              findings.push({
+                ruleId: 'BUG-GEN-003', category: 'bugs', severity: 'high',
+                title: 'Hardcoded credential in source code',
+                description: 'Credentials should never be hardcoded. Use environment variables or a secrets manager.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Commented-out code — dead code left in codebase',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        let consecutiveCommented = 0;
+        let startLine = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          // Detect commented-out code (starts with // and looks like code)
+          const isCommentedCode = /^\/\/\s*(?:const|let|var|if|for|while|return|function|class|import|export|await|async|try|catch|switch)\b/.test(line) ||
+                                  /^#\s*(?:def|class|if|for|while|return|import|from|try|except|with)\b/.test(line);
+          if (isCommentedCode) {
+            if (consecutiveCommented === 0) startLine = i;
+            consecutiveCommented++;
+          } else {
+            if (consecutiveCommented >= 3) {
+              findings.push({
+                ruleId: 'BUG-GEN-004', category: 'bugs', severity: 'high',
+                title: `${consecutiveCommented} lines of commented-out code`,
+                description: 'Commented-out code creates noise and confusion. If it\'s needed, restore it. If not, delete it — git has the history.',
+                file: fp, line: startLine + 1, fix: null,
+              });
+            }
+            consecutiveCommented = 0;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-005',
+    category: 'bugs',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Magic number — unexplained numeric literal',
+    check({ files }) {
+      const findings = [];
+      const common = new Set([100, 200, 201, 204, 301, 302, 400, 401, 403, 404, 500, 502, 503, 1000, 1024, 2048, 4096, 8080, 3000, 5000, 8000, 8443, 9090, 65535, 86400, 3600, 60000, 30000, 10000, 5000, 1000]);
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Skip comments, imports, test files, config files
+          if (/^\s*\/\/|^\s*\*|^\s*#|import\s|require\(/.test(line)) continue;
+          if (/test|spec|config|constant|fixture|mock|seed|migration/i.test(fp)) continue;
+          // Only flag numbers used inline in function calls or arithmetic (not in declarations, objects, arrays, or returns)
+          const match = line.match(/[^.\w'"$](\d{4,})[^.\w\d]/);
+          if (match) {
+            const num = parseInt(match[1], 10);
+            if (common.has(num)) continue;
+            // Skip if line has descriptive context
+            if (/(?:const|let|var|=|port|status|code|http|timeout|max|min|limit|size|width|height|delay|interval|version|offset|index|count|length|ms|seconds|minutes|hours|days|bytes|kb|mb|gb|pixels|px|margin|padding|duration|priority|weight|capacity)/i.test(line)) continue;
+            // Skip array/object literal positions, return statements
+            if (/^\s*\d|^\s*return\s|^\s*[\[{]/.test(line)) continue;
+            findings.push({
+              ruleId: 'BUG-GEN-005', category: 'bugs', severity: 'low',
+              title: `Magic number ${num} — extract to named constant`,
+              description: 'Unnamed numeric literals make code harder to understand and maintain. Give it a descriptive constant name.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'console.log/print left in production code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        if (fp.includes('test') || fp.includes('debug') || fp.includes('logger')) continue;
+        const lines = content.split('\n');
+        let debugCount = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          if (/^console\.log\s*\(/.test(line) || /^print\s*\((?!.*file\s*=)/.test(line)) {
+            debugCount++;
+          }
+        }
+        if (debugCount >= 3) {
+          findings.push({
+            ruleId: 'BUG-GEN-006', category: 'bugs', severity: 'high',
+            title: `${debugCount} debug print statements left in code`,
+            description: 'Multiple console.log/print statements suggest debugging leftovers. Replace with a proper logger or remove them.',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-007',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Duplicate function/method definition — second overwrites first',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        const funcNames = {};
+        for (let i = 0; i < lines.length; i++) {
+          const jsMatch = lines[i].match(/^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(/);
+          const pyMatch = lines[i].match(/^\s*def\s+(\w+)\s*\(/);
+          const match = jsMatch || pyMatch;
+          if (match) {
+            const name = match[1];
+            if (funcNames[name] !== undefined) {
+              findings.push({
+                ruleId: 'BUG-GEN-007', category: 'bugs', severity: 'high',
+                title: `Duplicate function "${name}" — redefined on line ${i + 1}, first on line ${funcNames[name]}`,
+                description: 'The second definition silently overwrites the first. One of them is dead code or a copy-paste bug.',
+                file: fp, line: i + 1, fix: null,
+              });
+            } else {
+              funcNames[name] = i + 1;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Regex without anchors used for validation — partial match passes',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/\.test\s*\(/.test(line) || /\.match\s*\(/.test(line) || /re\.match\s*\(/.test(line)) {
+            // Check if regex is used for validation (near "valid", "email", "phone", etc.)
+            if (/(?:valid|email|phone|url|ip|date|format|check|verify)/i.test(line)) {
+              // Check if regex has anchors
+              const regexMatch = line.match(/\/([^/]+)\//) || line.match(/['"](\^?[^'"]+\$?)['"]/)
+              if (regexMatch && !regexMatch[1].startsWith('^') && !regexMatch[1].endsWith('$')) {
+                findings.push({
+                  ruleId: 'BUG-GEN-008', category: 'bugs', severity: 'high',
+                  title: 'Validation regex without anchors — partial matches pass',
+                  description: 'Without ^ and $ anchors, "valid@email.com.evil" would pass an email regex. Add ^...$ anchors for validation.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-009',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Resource opened but never closed — file/connection leak',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // JS: fs.openSync, createReadStream, createConnection without close
+          if (/(?:openSync|createReadStream|createWriteStream|createConnection|createServer)\s*\(/.test(line)) {
+            const rest = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+            if (!rest.includes('.close') && !rest.includes('.end') && !rest.includes('.destroy') && !rest.includes('finally')) {
+              findings.push({
+                ruleId: 'BUG-GEN-009', category: 'bugs', severity: 'high',
+                title: 'Resource opened but never closed — potential leak',
+                description: 'Opened files, streams, and connections should be closed in a finally block or using using/with patterns.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+          // Python: open() without with statement
+          if (fp.endsWith('.py') && /\w+\s*=\s*open\s*\(/.test(line)) {
+            if (!/^\s*with\b/.test(line)) {
+              const rest = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+              if (!rest.includes('.close()') && !rest.includes('finally')) {
+                findings.push({
+                  ruleId: 'BUG-GEN-009', category: 'bugs', severity: 'high',
+                  title: 'File opened without "with" statement — may not be closed on error',
+                  description: 'Use "with open(path) as f:" to ensure the file is closed even if an exception occurs.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GEN-010',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Identical branches in if/else — copy-paste bug',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length - 2; i++) {
+          // Simple heuristic: if block and else block have identical single-line bodies
+          if (/\bif\b.*\{?\s*$/.test(lines[i])) {
+            const ifBody = lines[i + 1]?.trim();
+            // Find the else
+            for (let j = i + 2; j < Math.min(lines.length, i + 6); j++) {
+              if (/\belse\b.*\{?\s*$/.test(lines[j]) && lines[j + 1]) {
+                const elseBody = lines[j + 1]?.trim();
+                if (ifBody && elseBody && ifBody === elseBody && ifBody.length > 5 && !ifBody.startsWith('//') && !ifBody.startsWith('#')) {
+                  findings.push({
+                    ruleId: 'BUG-GEN-010', category: 'bugs', severity: 'medium',
+                    title: 'if/else branches have identical code — likely copy-paste bug',
+                    description: 'Both branches do the same thing, making the condition useless. Fix one branch or remove the condition.',
+                    file: fp, line: i + 1, fix: null,
+                  });
+                }
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/go-bugs.js

@@ -0,0 +1,279 @@
+// Bug detection: Go-specific patterns — concurrency, error handling, common traps
+function isGo(f) { return f.endsWith('.go'); }
+
+const rules = [
+  {
+    id: 'BUG-GO-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Goroutine leak — goroutine started without cancellation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*go\s+func\s*\(/.test(lines[i]) || /^\s*go\s+\w+\(/.test(lines[i])) {
+            // Check surrounding context for context/cancel/done
+            const context = lines.slice(Math.max(0, i - 5), Math.min(i + 15, lines.length)).join('\n');
+            if (!/context|ctx|cancel|Done\(\)|select\s*\{|time\.After|timer/.test(context)) {
+              findings.push({
+                ruleId: 'BUG-GO-001', category: 'bugs', severity: 'high',
+                title: 'Goroutine started without context or cancellation mechanism',
+                description: 'Goroutines without context.Context or done channels can leak forever. Pass a context and select on ctx.Done().',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Error not checked after function call',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // result, _ := someFunc() or someFunc() without checking err
+          if (/\w+\s*,\s*_\s*:?=\s*\w+/.test(lines[i]) && !/range\b|import/.test(lines[i])) {
+            // Check if the ignored value is likely an error
+            const funcCall = lines[i].match(/\w+\s*,\s*_\s*:?=\s*(\w+)/);
+            if (funcCall) {
+              findings.push({
+                ruleId: 'BUG-GO-002', category: 'bugs', severity: 'high',
+                title: 'Error return value discarded with _ — errors must be handled',
+                description: 'Ignoring errors with _ hides failures. Always check: if err != nil { return err }.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'defer inside loop — deferred calls pile up',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        let inLoop = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*for\b/.test(lines[i])) inLoop = 20;
+          if (inLoop > 0) {
+            inLoop--;
+            if (/^\s*defer\b/.test(lines[i])) {
+              findings.push({
+                ruleId: 'BUG-GO-003', category: 'bugs', severity: 'high',
+                title: 'defer inside loop — deferred calls accumulate until function returns',
+                description: 'defer runs at function exit, not loop iteration end. In a loop, deferred calls pile up and may exhaust resources. Close resources explicitly in the loop body.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-004',
+    category: 'bugs',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Race condition — shared variable in goroutine without sync',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*go\s+func\s*\(/.test(lines[i])) {
+            // Check if the goroutine captures variables from outer scope
+            let goBlock = '';
+            let braceDepth = 0;
+            for (let j = i; j < Math.min(i + 20, lines.length); j++) {
+              goBlock += lines[j] + '\n';
+              braceDepth += (lines[j].match(/\{/g) || []).length - (lines[j].match(/\}/g) || []).length;
+              if (braceDepth <= 0 && j > i) break;
+            }
+            // Check for writes to captured vars without mutex/atomic/channel
+            const hasMutex = /\.Lock\(\)|\.Unlock\(\)|atomic\.|sync\.|<-/.test(goBlock);
+            const writesShared = /\w+\s*[+\-*/]?=(?!=)/.test(goBlock) && !/^\s*\w+\s*:=/.test(goBlock);
+            if (!hasMutex && writesShared && /\b(count|total|result|sum|data|shared|state|cache)\b/.test(goBlock)) {
+              findings.push({
+                ruleId: 'BUG-GO-004', category: 'bugs', severity: 'high',
+                title: 'Goroutine writes to shared variable without synchronization',
+                description: 'Concurrent writes without mutex, atomic, or channels cause data races. Use sync.Mutex, atomic operations, or channels.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Loop variable captured in goroutine closure',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*for\s+.*(?::=\s*range|;\s*\w+\s*<)/.test(lines[i])) {
+            const loopVar = lines[i].match(/for\s+(?:_\s*,\s*)?(\w+)/)?.[1];
+            if (!loopVar) continue;
+            for (let j = i + 1; j < Math.min(i + 15, lines.length); j++) {
+              if (/^\s*go\s+func\s*\(/.test(lines[j])) {
+                // Check if goroutine uses loop var without passing as parameter
+                let goBlock = '';
+                for (let k = j; k < Math.min(j + 10, lines.length); k++) {
+                  goBlock += lines[k] + '\n';
+                }
+                const usesVar = new RegExp(`\\b${loopVar}\\b`).test(goBlock);
+                // Check if passed as argument: go func(v Type) { ... }(loopVar)
+                const passedAsArg = new RegExp(`\\}\\s*\\(\\s*${loopVar}\\s*\\)`).test(goBlock);
+                if (usesVar && !passedAsArg) {
+                  findings.push({
+                    ruleId: 'BUG-GO-005', category: 'bugs', severity: 'high',
+                    title: `Loop variable "${loopVar}" captured by goroutine — all goroutines see last value`,
+                    description: 'In Go <1.22, loop variables are shared. Pass the variable as a goroutine argument: go func(v T) { ... }(loopVar).',
+                    file: fp, line: j + 1, fix: null,
+                  });
+                }
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'HTTP response body not closed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/http\.(Get|Post|Do|Head)\s*\(/.test(lines[i]) || /client\.(Get|Post|Do)\s*\(/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            if (!/resp\.Body\.Close|defer.*Body\.Close|ioutil\.ReadAll|io\.ReadAll/.test(block)) {
+              findings.push({
+                ruleId: 'BUG-GO-006', category: 'bugs', severity: 'high',
+                title: 'HTTP response body not closed — leaks connections',
+                description: 'Always close HTTP response bodies: defer resp.Body.Close(). Unclosed bodies leak TCP connections.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'nil map assignment — panics at runtime',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // var m map[...]... without make()
+          if (/^\s*var\s+(\w+)\s+map\[/.test(lines[i])) {
+            const mapVar = lines[i].match(/var\s+(\w+)/)[1];
+            // Check if make() is called before first assignment
+            let madeOrAssigned = false;
+            for (let j = i + 1; j < Math.min(i + 15, lines.length); j++) {
+              if (new RegExp(`${mapVar}\\s*=\\s*(?:make|map)\\b`).test(lines[j])) {
+                madeOrAssigned = true;
+                break;
+              }
+              if (new RegExp(`${mapVar}\\s*\\[`).test(lines[j]) && /=/.test(lines[j])) {
+                if (!madeOrAssigned) {
+                  findings.push({
+                    ruleId: 'BUG-GO-007', category: 'bugs', severity: 'medium',
+                    title: `Nil map "${mapVar}" assigned to — panics at runtime`,
+                    description: 'A declared but uninitialized map is nil. Assigning to a nil map causes a runtime panic. Use make(map[K]V) first.',
+                    file: fp, line: j + 1, fix: null,
+                  });
+                }
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-GO-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'WaitGroup used incorrectly',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isGo(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // wg.Add inside goroutine instead of before it
+          if (/^\s*go\s+func/.test(lines[i])) {
+            let goBlock = '';
+            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+              goBlock += lines[j] + '\n';
+            }
+            if (/wg\.Add\s*\(/.test(goBlock)) {
+              findings.push({
+                ruleId: 'BUG-GO-008', category: 'bugs', severity: 'high',
+                title: 'WaitGroup.Add() called inside goroutine — race with Wait()',
+                description: 'wg.Add() must be called before the goroutine starts, not inside it. Otherwise Wait() may return before Add() runs.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;