getdoorman 1.0.0

package/src/rules/cost/index.js

@@ -0,0 +1,1993 @@
+const JS_EXTENSIONS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isSourceFile(f) { return JS_EXTENSIONS.some(ext => f.endsWith(ext)); }
+
+const rules = [
+  // COST-001: AI API calls without caching
+  {
+    id: 'COST-001',
+    category: 'cost',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'AI API Calls Without Caching',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+
+        const hasAICall = content.match(/(?:openai|anthropic|chat\.completions|messages\.create|generateText)/i);
+        if (!hasAICall) continue;
+
+        // Check if it's in a request handler without caching
+        if ((filepath.includes('api/') || filepath.includes('route') || filepath.includes('handler')) &&
+            !content.includes('cache') && !content.includes('redis') && !content.includes('memoize')) {
+          findings.push({
+            ruleId: 'COST-001', category: 'cost', severity: 'high',
+            title: 'AI/LLM API call in request handler without caching',
+            description: 'Each request triggers a paid API call. Cache identical responses to reduce costs.',
+            file: filepath, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-002: AI call on every page load
+  {
+    id: 'COST-002',
+    category: 'cost',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'AI API Call on Page Load',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!filepath.match(/\.(jsx|tsx)$/)) continue;
+
+        // AI call inside a component or useEffect without caching
+        if (content.match(/(?:openai|anthropic|chat\.completions|messages\.create|generateText)/i)) {
+          if (content.includes('useEffect') || content.includes('getServerSideProps') || content.includes('loader')) {
+            findings.push({
+              ruleId: 'COST-002', category: 'cost', severity: 'high',
+              title: 'AI API call runs on every page load — very expensive at scale',
+              description: 'At 1,000 daily users, this could cost $100+/day. Cache results or pre-generate content.',
+              file: filepath, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-003: No token limit on AI calls
+  {
+    id: 'COST-003',
+    category: 'cost',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'No Token Limit on AI API Call',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+
+        if (content.match(/(?:chat\.completions\.create|messages\.create)/)) {
+          if (!content.includes('max_tokens') && !content.includes('maxTokens')) {
+            findings.push({
+              ruleId: 'COST-003', category: 'cost', severity: 'medium',
+              title: 'AI API call without max_tokens limit',
+              description: 'Without a token limit, a single request could generate a very long (expensive) response.',
+              file: filepath, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-004: Embedding generated on every request
+  {
+    id: 'COST-004',
+    category: 'cost',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Embeddings Generated Per-Request',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (content.match(/(?:embeddings\.create|embed|createEmbedding)/) &&
+            (filepath.includes('api/') || filepath.includes('route'))) {
+          if (!content.includes('cache') && !content.includes('stored')) {
+            findings.push({
+              ruleId: 'COST-004', category: 'cost', severity: 'medium',
+              title: 'Embeddings generated per-request instead of pre-computed',
+              description: 'Pre-compute and store embeddings instead of generating them on every request.',
+              file: filepath, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-005: CloudWatch logs without retention policy
+  { id: 'COST-005', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'CloudWatch Logs Without Retention Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(json|ya?ml|tf)$/)) continue;
+        if (c.match(/aws.*logs|cloudwatch.*logs|log.*group/i) && !c.match(/retention|retentionInDays/i)) {
+          findings.push({ ruleId: 'COST-005', category: 'cost', severity: 'medium',
+            title: 'CloudWatch log group without retention policy — logs accumulate forever',
+            description: 'Set retentionInDays (e.g., 30 for dev, 90 for prod) to avoid unbounded log storage costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-006: No multi-stage Docker build
+  { id: 'COST-006', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Multi-Stage Docker Build',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\.\w+$/)) continue;
+        const fromCount = (c.match(/^\s*FROM\s+/gim) || []).length;
+        if (fromCount < 2) {
+          findings.push({ ruleId: 'COST-006', category: 'cost', severity: 'medium',
+            title: 'Single-stage Dockerfile includes dev dependencies in production image',
+            description: 'Multi-stage builds (FROM node AS build ... FROM node:alpine) reduce image size 50-80%, lowering storage and transfer costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-007: No dependency cache in CI
+  { id: 'COST-007', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Dependency Cache in CI',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows') && !fp.includes('.gitlab-ci')) continue;
+        if ((c.includes('npm ci') || c.includes('npm install') || c.includes('yarn install')) &&
+            !c.match(/cache.*node_modules|actions\/cache|cache-dependency-path/)) {
+          findings.push({ ruleId: 'COST-007', category: 'cost', severity: 'medium',
+            title: 'CI pipeline installs dependencies without caching',
+            description: 'Add actions/cache for node_modules to cut CI time and runner costs by 50%+.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-008: No AI token usage tracking
+  { id: 'COST-008', category: 'cost', severity: 'high', confidence: 'likely', title: 'No AI Token Usage Tracking',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/openai|anthropic|chat\.completions|messages\.create/i)) {
+          if (!c.match(/usage\.|input_tokens|output_tokens|total_tokens|promptTokens/)) {
+            findings.push({ ruleId: 'COST-008', category: 'cost', severity: 'high',
+              title: 'AI API calls without tracking token usage',
+              description: 'Log usage.input_tokens and usage.output_tokens from AI responses to track per-request costs and identify expensive prompts.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-009: Most expensive model hardcoded
+  { id: 'COST-009', category: 'cost', severity: 'high', confidence: 'likely', title: 'Most Expensive AI Model Hardcoded',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/model\s*:\s*['"`](?:gpt-4(?!o-mini|-mini)|claude-opus-4(?!-5))/)) {
+            findings.push({ ruleId: 'COST-009', category: 'cost', severity: 'high',
+              title: 'Most expensive AI model hardcoded — cheaper alternatives available',
+              description: 'Route simple tasks to cheaper models (gpt-4o-mini, claude-haiku). Premium models cost 10-20x more.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-010: No S3 lifecycle policy
+  { id: 'COST-010', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No S3 Lifecycle Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (c.match(/s3.*bucket|aws.*s3/i) && !c.match(/lifecycle|intelligent.tiering|StorageClass/i)) {
+          findings.push({ ruleId: 'COST-010', category: 'cost', severity: 'medium',
+            title: 'S3 bucket without lifecycle policy — old objects stored at full price forever',
+            description: 'Add lifecycle rules to transition old objects to S3-IA/Glacier after 30/90 days. Can reduce storage costs by 70%+.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-011: Polling instead of webhooks
+  { id: 'COST-011', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Polling Instead of Webhooks/SSE',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/setInterval\s*\(.*(?:fetch|axios|http\.get)/)) {
+          findings.push({ ruleId: 'COST-011', category: 'cost', severity: 'medium',
+            title: 'Polling external API with setInterval — use webhooks or SSE',
+            description: 'Polling makes API calls even when nothing changes. Webhooks (push) eliminate unnecessary requests and their associated costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-012: No cost budget alerts
+  { id: 'COST-012', category: 'cost', severity: 'high', confidence: 'likely', title: 'No Cloud Cost Budget Alerts',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/budget.*alert|billing.*alert|cost.*anomaly/i));
+      if (!has && [...files.values()].some(c => c.match(/\baws\b|\bgcp\b|\bazure\b/i))) {
+        return [{ ruleId: 'COST-012', category: 'cost', severity: 'high',
+          title: 'No cloud cost budget alerts configured',
+          description: 'Set AWS Budgets or GCP Budget Alerts to notify you before costs spike. Unexpected bills of $10k+ are common without alerts.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // COST-013: No prompt caching for repeated system prompts
+  { id: 'COST-013', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'AI Prompt Caching Not Used',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/anthropic/) && c.match(/system.*prompt|systemPrompt/i)) {
+          if (!c.match(/cache_control|cacheControl/)) {
+            findings.push({ ruleId: 'COST-013', category: 'cost', severity: 'medium',
+              title: 'Anthropic API without prompt caching on long system prompts',
+              description: 'Add cache_control: { type: "ephemeral" } to system prompts. Prompt caching reduces costs 90% for repeated requests.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-014: Images served without optimization
+  { id: 'COST-014', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Images Without Optimization Pipeline',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasOpt = 'sharp' in allDeps || 'imagemin' in allDeps || stack.framework === 'nextjs';
+      const hasImages = [...files.keys()].some(f => f.match(/\.(jpg|jpeg|png)$/i));
+      if (hasImages && !hasOpt) {
+        findings.push({ ruleId: 'COST-014', category: 'cost', severity: 'medium',
+          title: 'No image optimization pipeline — serving full-size originals wastes bandwidth',
+          description: 'Use sharp or Next.js Image to compress and serve WebP. Unoptimized images can be 5-10x larger, multiplying CDN/bandwidth costs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-015: Verbose debug logging in production
+  { id: 'COST-015', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Verbose Debug Logging in Production Code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const count = (c.match(/console\.debug|logger\.debug|log\.debug/g) || []).length;
+        if (count > 5) {
+          findings.push({ ruleId: 'COST-015', category: 'cost', severity: 'medium',
+            title: `${count} debug log statements — excessive logging inflates log storage costs`,
+            description: 'Set LOG_LEVEL=warn in production. Debug-level logging can multiply log volume and cost 5-10x.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-016: Synchronous file reads on every request
+  { id: 'COST-016', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Synchronous File Read on Every Request',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/readFileSync|existsSync/i) && !lines[i].match(/startup|init|bootstrap|config/i)) {
+            findings.push({ ruleId: 'COST-016', category: 'cost', severity: 'medium', title: 'Synchronous file I/O in request handler — blocks event loop, increases latency and CPU cost', description: 'Cache file contents at startup or use async readFile. Synchronous FS calls block all concurrent requests.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-017: No Lambda memory optimization
+  { id: 'COST-017', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda Without Memory Optimization',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/serverless\.ya?ml|sam\.ya?ml|lambda.*\.tf|\.aws\/template/i)) continue;
+        if (c.match(/MemorySize:\s*1024|MemorySize:\s*2048|MemorySize:\s*3008/)) {
+          findings.push({ ruleId: 'COST-017', category: 'cost', severity: 'low', title: 'Lambda configured with high memory — consider profiling with AWS Lambda Power Tuning', description: 'Use AWS Lambda Power Tuning to find the optimal memory setting. Higher memory costs more but completes faster — balance for your workload.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-018: DynamoDB scan instead of query
+  { id: 'COST-018', category: 'cost', severity: 'high', confidence: 'likely', title: 'DynamoDB Full Table Scan',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/dynamoDB?\.scan\(|documentClient\.scan\(|\.scan\(\{.*TableName/i)) {
+            findings.push({ ruleId: 'COST-018', category: 'cost', severity: 'high', title: 'DynamoDB Scan reads entire table — exponential cost at scale', description: 'Use Query with a key condition or add a GSI (Global Secondary Index). Table scans read every item and cost full throughput.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-019: No CloudFront for static assets
+  { id: 'COST-019', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No CloudFront for Static Assets',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const isAWS = [...files.keys()].some(f => f.match(/aws|lambda|s3|dynamodb/i)) || ['aws-sdk', '@aws-sdk/client-s3'].some(d => d in allDeps);
+      if (!isAWS) return findings;
+      const allCode = [...files.values()].join('\n');
+      if (!allCode.match(/CloudFront|cloudfront|cdn\.|CDN|aws_cloudfront/i)) {
+        findings.push({ ruleId: 'COST-019', category: 'cost', severity: 'medium', title: 'No CloudFront CDN detected for AWS project — serving assets from origin is expensive', description: 'Add CloudFront in front of S3 and API Gateway. CDN reduces origin bandwidth costs 60-90% and improves latency globally.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-020: No connection reuse in Lambda
+  { id: 'COST-020', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Database Connection Not Reused Across Lambda Invocations',
+    check({ files, stack }) {
+      const findings = [];
+      if (!stack.runtime) return findings;
+      const allCode = [...files.values()].join('\n');
+      const isLambda = allCode.match(/exports\.handler|module\.exports\.handler|lambda|serverless/i);
+      if (!isLambda) return findings;
+      const hasConnectionOutsideHandler = allCode.match(/mongoose\.connect|new Pool|createConnection/i) && !allCode.match(/if\s*\(.*connected|cached.*connection|global\.__/i);
+      if (hasConnectionOutsideHandler) {
+        findings.push({ ruleId: 'COST-020', category: 'cost', severity: 'medium', title: 'Lambda opens new DB connection per invocation — use connection caching', description: 'Cache DB connections in module scope outside the handler. Lambda reuses the execution environment — connections persist between warm invocations.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-021: No auto-scaling configured
+  { id: 'COST-021', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Auto-Scaling Configuration',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        if (c.match(/aws_instance|EC2|ECS|Fargate/i) && !c.match(/autoscaling|auto_scaling|AutoScaling|HorizontalPodAutoscaler|hpa/i)) {
+          findings.push({ ruleId: 'COST-021', category: 'cost', severity: 'medium', title: 'Compute resources without auto-scaling — over-provisioned or under-provisioned', description: 'Configure auto-scaling to match capacity to demand. Fixed-size fleets waste money at low traffic and fail at peak.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-022: No spot/preemptible instances for batch workloads
+  { id: 'COST-022', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Batch Workloads Without Spot Instances',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        if (c.match(/batch|worker|job|cron/i) && c.match(/aws_instance|instance_type/i) && !c.match(/spot|preemptible|Spot|interruptible/i)) {
+          findings.push({ ruleId: 'COST-022', category: 'cost', severity: 'low', title: 'Batch/worker jobs using on-demand instances — spot instances save 60-90%', description: 'Use EC2 Spot or GCP Preemptible instances for fault-tolerant batch jobs. Design for interruption with checkpointing.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-023: SQS polling with WaitTimeSeconds=0
+  { id: 'COST-023', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'SQS Short Polling (WaitTimeSeconds=0)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/receiveMessage|ReceiveMessage/i) && !lines[i].match(/WaitTimeSeconds.*[1-9]|waitTimeSeconds.*[1-9]/)) {
+            const nearby = lines.slice(i, i + 10).join('\n');
+            if (!nearby.match(/WaitTimeSeconds.*[1-9]|waitTimeSeconds.*[1-9]/)) {
+              findings.push({ ruleId: 'COST-023', category: 'cost', severity: 'medium', title: 'SQS receiving without long polling — short polling costs 10x more', description: 'Set WaitTimeSeconds: 20 for long polling. Short polling returns immediately even when queue is empty, multiplying API call costs.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-024: No gzip/brotli response compression
+  { id: 'COST-024', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Response Compression',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasCompression = ['compression', 'shrink-ray-current', 'fastify-compress'].some(d => d in allDeps);
+      const allCode = [...files.values()].some(c => c.match(/compress|gzip|deflate|brotli/i));
+      if (!hasCompression && !allCode && stack.framework) {
+        findings.push({ ruleId: 'COST-024', category: 'cost', severity: 'medium', title: 'No response compression — API responses uncompressed, increasing bandwidth costs', description: 'Add compression middleware (npm install compression). Gzip typically reduces JSON response sizes by 70-90%.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-025: Large base64 payloads in responses
+  { id: 'COST-025', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Large Base64 Payloads in API Responses',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.toString\(['"]base64['"]\)|toBase64\(/) && lines[i].match(/res\.(json|send)|response/i)) {
+            findings.push({ ruleId: 'COST-025', category: 'cost', severity: 'medium', title: 'Base64 encoding binary data in API responses — 33% larger than binary transfer', description: 'Serve binary files via S3 presigned URLs. Base64 in JSON responses inflates payload size by 33% and is not cached separately.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-026: Over-fetching with SELECT *
+  { id: 'COST-026', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'SELECT * Fetches Unnecessary Columns',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/SELECT\s+\*/i) || lines[i].match(/findAll\(\)|findMany\(\)/) && !lines[i].match(/select:|attributes:/)) {
+            findings.push({ ruleId: 'COST-026', category: 'cost', severity: 'medium', title: 'Fetching all columns when only subset needed — wasted I/O and bandwidth', description: 'Specify the exact columns: SELECT id, name FROM users. Use { select: { id: true, name: true } } in Prisma or { attributes: [] } in Sequelize.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-027: Sending email on every event instead of batching
+  { id: 'COST-027', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Email Sent on Every Event Instead of Batching',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/sendEmail|sendMail|send\(|transporter\./i) && lines[i].match(/forEach|for\s*\(|\.map\(/)) {
+            findings.push({ ruleId: 'COST-027', category: 'cost', severity: 'low', title: 'Email API called in a loop — use batch send API to reduce costs', description: 'Use SES SendBulkTemplatedEmail or Postmark batch API. Per-email API calls have per-request overhead; bulk APIs are cheaper.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-028: No Elastic IP released when not attached
+  { id: 'COST-028', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Elastic IPs May Not Be Released',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml)$/)) continue;
+        const eipCount = (c.match(/aws_eip\b|ElasticIP|EIP/g) || []).length;
+        if (eipCount > 2) {
+          findings.push({ ruleId: 'COST-028', category: 'cost', severity: 'low', title: `${eipCount} Elastic IPs allocated — unattached EIPs incur hourly charges`, description: 'Release Elastic IPs when not attached to a running instance. AWS charges for unattached EIPs. Use DNS names instead where possible.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-029: No request deduplication / idempotency caching
+  { id: 'COST-029', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'No Request Deduplication for Expensive Operations',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/openai|anthropic|cohere|gpt|claude/i) && lines[i].match(/create|complete|generate|invoke/i)) {
+            const nearby = lines.slice(Math.max(0, i - 5), i + 5).join('\n');
+            if (!nearby.match(/cache|idempotency|dedup|hash/i)) {
+              findings.push({ ruleId: 'COST-029', category: 'cost', severity: 'low', title: 'AI API call without request deduplication — identical prompts billed multiple times', description: 'Cache AI responses by prompt hash. Use idempotency keys where supported. Even short TTL caches significantly reduce costs for repeated queries.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-030: No reserved capacity for predictable workloads
+  { id: 'COST-030', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'No Reserved Instances for Predictable Workloads',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/)) continue;
+        const hasRDS = c.match(/aws_db_instance|RDSDBInstance|AWS::RDS/i);
+        const hasEC2 = c.match(/aws_instance\b|EC2Instance|AWS::EC2::Instance/i);
+        const hasReserved = c.match(/reserved_instance|ReservedDB|instance_class.*reserved|savings_plan/i);
+        if ((hasRDS || hasEC2) && !hasReserved) {
+          findings.push({ ruleId: 'COST-030', category: 'cost', severity: 'low', title: 'RDS/EC2 using on-demand pricing — Reserved Instances save 30-60%', description: 'Purchase 1-year Reserved Instances for stable production workloads. RI pricing saves 30-60% vs on-demand for predictable usage.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-031: Large webpack bundles without code splitting
+  { id: 'COST-031', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Code Splitting in Webpack Config',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/webpack\.config\./)) continue;
+        if (!c.match(/splitChunks|SplitChunksPlugin|import\(.*\/\*.*chunk/i)) {
+          findings.push({ ruleId: 'COST-031', category: 'cost', severity: 'medium', title: 'Webpack config without code splitting — large bundles increase CDN egress costs', description: 'Configure SplitChunksPlugin and dynamic import() for route-based code splitting. Reduces initial bundle size and bandwidth.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-032: No TTL on DynamoDB items
+  { id: 'COST-032', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'DynamoDB Items Without TTL',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hasDynamo = c.match(/DynamoDB|dynamoDB|documentClient/i);
+        const hasTTL = c.match(/TimeToLive|ttl|expiresAt|expiry/i);
+        if (hasDynamo && !hasTTL) {
+          findings.push({ ruleId: 'COST-032', category: 'cost', severity: 'low', title: 'DynamoDB tables without TTL — stale items accumulate, increasing storage costs', description: 'Enable TTL on DynamoDB tables for ephemeral data (sessions, temp tokens). DynamoDB storage is billed per GB stored.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-033: Excessive Lambda timeout
+  { id: 'COST-033', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda Timeout Too High',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/serverless\.ya?ml|sam\.ya?ml|lambda.*\.tf/i)) continue;
+        const match = c.match(/Timeout:\s*(\d+)/);
+        if (match && parseInt(match[1]) > 60) {
+          findings.push({ ruleId: 'COST-033', category: 'cost', severity: 'low', title: `Lambda timeout set to ${match[1]}s — high timeout means billing continues on hung invocations`, description: 'Set the minimum viable timeout. A Lambda that should take 5s but times out after 900s wastes 895s of compute billing.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-034: CloudWatch Logs with no retention (infinite retention)
+  { id: 'COST-034', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'CloudWatch Logs Group No Retention Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tf|ya?ml|json)$/) && !fp.match(/cloudformation|cdk/i)) continue;
+        if (c.match(/aws_cloudwatch_log_group|CloudWatchLogs|LogGroup/i) && !c.match(/retention_in_days|RetentionInDays/i)) {
+          findings.push({ ruleId: 'COST-034', category: 'cost', severity: 'medium', title: 'CloudWatch Log Group without retention policy — logs stored forever at $0.03/GB', description: 'Set retentionInDays: 30 (or appropriate value). CloudWatch Logs are expensive at scale without expiry.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-035: Image assets not WebP/AVIF
+  { id: 'COST-035', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'No Next-Gen Image Format (WebP/AVIF)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html|jsx|tsx|vue)$/)) continue;
+        const jpgCount = (c.match(/\.(jpg|jpeg|png)['"]/gi) || []).length;
+        if (jpgCount > 3 && !c.match(/\.webp|\.avif|next\/image|<Image|picture.*source/i)) {
+          findings.push({ ruleId: 'COST-035', category: 'cost', severity: 'low', title: `${jpgCount} images using JPEG/PNG — WebP/AVIF reduces bandwidth 25-50%`, description: 'Convert images to WebP or AVIF. Use <picture> with format fallbacks or Next.js Image component for automatic optimization.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-036: No connection keep-alive for HTTP clients
+  { id: 'COST-036', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'HTTP Client Without Keep-Alive',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/https?\.request|new https?\.Agent|axios\.create/i) && !c.match(/keepAlive.*true|keep-alive|maxSockets/i)) {
+          findings.push({ ruleId: 'COST-036', category: 'cost', severity: 'medium', title: 'HTTP client without keep-alive — new TCP connection per request', description: 'Enable keep-alive: new https.Agent({ keepAlive: true }). Each new TCP connection adds latency and CPU overhead. Keep-alive reuses connections.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-037: No pagination on data export
+  { id: 'COST-037', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Data Export Without Streaming/Pagination',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/export|download/i) && lines[i].match(/csv|xlsx|json/i)) {
+            const handler = lines.slice(i, i + 20).join('\n');
+            if (handler.match(/findAll\(\)|find\(\)|findMany\(\)/) && !handler.match(/stream|cursor|chunk|batch|limit|offset/)) {
+              findings.push({ ruleId: 'COST-037', category: 'cost', severity: 'medium', title: 'Data export loads all records at once — memory spike and timeout risk', description: 'Stream exports using database cursors: db.query().stream(). Loading millions of rows into memory causes OOM errors and timeouts.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-038: CloudWatch detailed monitoring always on
+  { id: 'COST-038', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'EC2 Detailed Monitoring Always Enabled',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_instance/i) && c.match(/monitoring\s*=\s*true/)) {
+          findings.push({ ruleId: 'COST-038', category: 'cost', severity: 'low', title: 'EC2 detailed monitoring enabled — $2.10/instance/month additional cost', description: 'Use basic monitoring (default) for non-critical instances. Detailed monitoring (1-min intervals) is only needed for critical instances.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-039: No S3 Intelligent Tiering
+  { id: 'COST-039', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'S3 Bucket Without Intelligent Tiering',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_s3_bucket\b/i) && !c.match(/intelligent.*tiering|INTELLIGENT_TIERING|lifecycle|transition/i)) {
+          findings.push({ ruleId: 'COST-039', category: 'cost', severity: 'low', title: 'S3 bucket without lifecycle/Intelligent Tiering — paying full price for infrequent objects', description: 'Add S3 Intelligent Tiering lifecycle rule. Objects not accessed for 30 days auto-move to IA tier (40% savings), then Glacier (68% savings).', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-040: Unused Elastic Load Balancer
+  { id: 'COST-040', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Load Balancer With Single Target',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_lb\b|aws_alb\b/i) && !c.match(/aws_lb_target_group_attachment.*count|for_each|count\s*=\s*[2-9]/i)) {
+          findings.push({ ruleId: 'COST-040', category: 'cost', severity: 'medium', title: 'Load balancer with single target — $16+/month with no HA benefit', description: 'Remove the ALB for single-instance setups (use ECS directly or API Gateway). An ALB only provides value with multiple targets.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-041: NAT Gateway in each AZ
+  { id: 'COST-041', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Multiple NAT Gateways (Consider Single for Dev)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const natCount = (c.match(/aws_nat_gateway\b/gi) || []).length;
+        if (natCount > 1 && c.match(/dev|staging|non.*prod/i)) {
+          findings.push({ ruleId: 'COST-041', category: 'cost', severity: 'medium', title: `${natCount} NAT Gateways in non-production — $32/gateway/month × ${natCount}`, description: 'Use a single NAT Gateway for dev/staging environments. Only production needs per-AZ NAT for resilience. Single NAT saves $64+/month in a 3-AZ setup.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-042: No AI response streaming
+  { id: 'COST-042', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'AI API Without Response Streaming',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/openai|anthropic|claude|gpt/i) && c.match(/create|complete|generate|message/i)) {
+          if (!c.match(/stream.*true|streaming.*true|stream:/i)) {
+            findings.push({ ruleId: 'COST-042', category: 'cost', severity: 'low', title: 'AI API called without streaming — users wait for full response before seeing output', description: 'Enable streaming for LLM APIs. Streaming improves UX by showing tokens as they generate and prevents request timeouts for long responses.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-043: Storing media files in database BLOBs
+  { id: 'COST-043', category: 'cost', severity: 'high', confidence: 'likely', title: 'Media Files Stored as Database BLOBs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/BLOB|bytea|binary|image.*data|file.*data/i) && lines[i].match(/save|insert|create|store/i)) {
+            findings.push({ ruleId: 'COST-043', category: 'cost', severity: 'high', title: 'Media/binary files stored in database — expensive, slow, and unscalable', description: 'Store files in S3 or object storage. Save only the URL in the database. Database storage costs 100x more than S3 for large files.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-044: No request timeout on fetch/axios
+  { id: 'COST-044', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'HTTP Requests Without Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/fetch\(|axios\.(get|post|put|delete|patch)\(/i)) {
+            const block = lines.slice(i, i + 5).join('\n');
+            if (!block.match(/timeout|signal.*AbortSignal|AbortController/i)) {
+              findings.push({ ruleId: 'COST-044', category: 'cost', severity: 'medium', title: 'HTTP request without timeout — hung requests consume connections and memory', description: 'Add timeout: 5000 to axios or use AbortController with setTimeout for fetch. Hung HTTP requests leak connections and inflate cost.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-045: Unused Lambda functions
+  { id: 'COST-045', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda Functions Without Invocation Tracking',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/serverless\.ya?ml|sam\.ya?ml/i)) continue;
+        const funcCount = (c.match(/^\s+\w+:\s*$/mg) || []).length;
+        const hasMetrics = c.match(/cloudwatch|metrics|monitoring/i);
+        if (funcCount > 10 && !hasMetrics) {
+          findings.push({ ruleId: 'COST-045', category: 'cost', severity: 'low', title: `${funcCount} Lambda functions without invocation monitoring — unused functions accumulate`, description: 'Monitor invocation counts with CloudWatch. Review and remove Lambda functions not invoked for 30+ days.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-046: No ECR image lifecycle policy
+  { id: 'COST-046', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'ECR Repository Without Lifecycle Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_ecr_repository\b/i) && !c.match(/aws_ecr_lifecycle_policy|lifecycle_policy/i)) {
+          findings.push({ ruleId: 'COST-046', category: 'cost', severity: 'low', title: 'ECR repository without lifecycle policy — old images accumulate at $0.10/GB/month', description: 'Add lifecycle policy to keep only last 10 images. Each pushed image is stored forever without a policy, accumulating storage costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-047: GraphQL without query depth limiting
+  { id: 'COST-047', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'GraphQL Without Query Depth/Cost Limiting',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasGraphQL = 'graphql' in allDeps || '@apollo/server' in allDeps;
+      const hasDepthLimit = ['graphql-depth-limit', 'graphql-query-complexity', 'graphql-cost-analysis'].some(d => d in allDeps);
+      if (hasGraphQL && !hasDepthLimit) {
+        findings.push({ ruleId: 'COST-047', category: 'cost', severity: 'medium', title: 'GraphQL without query depth or complexity limiting', description: 'Add graphql-depth-limit and graphql-query-complexity. Deeply nested or complex queries can cause exponential DB load and bill spikes.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-048: No request size limit
+  { id: 'COST-048', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No Request Body Size Limit',
+    check({ files }) {
+      const findings = [];
+      const hasLimit = [...files.values()].some(c => c.match(/limit.*['"]\d+\w*['"]|bodyLimit|maxBodySize|body-parser.*limit|express\.json.*limit/i));
+      const hasExpress = [...files.values()].some(c => c.match(/express\(\)|fastify\(\)/i));
+      if (hasExpress && !hasLimit) {
+        findings.push({ ruleId: 'COST-048', category: 'cost', severity: 'medium', title: 'No request body size limit — large payloads consume bandwidth and memory', description: 'Add body size limit: express.json({ limit: "1mb" }). Without limits, a single request with a 1GB body can exhaust server memory and incur bandwidth costs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-049: Audit logging to same DB (expensive queries)
+  { id: 'COST-049', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Audit Logs Written to Main Database',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/auditLog|audit_log|AuditLog/i) && c.match(/save|insert|create/i)) {
+          if (!c.match(/elasticsearch|cloudwatch|s3|bigquery|separate.*db|audit.*db/i)) {
+            findings.push({ ruleId: 'COST-049', category: 'cost', severity: 'low', title: 'Audit logs written to main application database', description: 'Send audit logs to CloudWatch Logs, Elasticsearch, or a separate database. Audit logs in main DB bloat storage, slow queries, and inflate backup sizes.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // COST-050: No idle resource detection
+  { id: 'COST-050', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'No Cloud Cost Anomaly Detection',
+    check({ files }) {
+      const findings = [];
+      const isCloud = [...files.values()].some(c => c.match(/aws_|AWS::|azure|gcp|google.*cloud/i));
+      const hasCostAlert = [...files.values()].some(c => c.match(/aws_budgets|CostBudget|billing.*alert|cost.*anomaly|aws_ce_anomaly/i));
+      if (isCloud && !hasCostAlert) {
+        findings.push({ ruleId: 'COST-050', category: 'cost', severity: 'low', title: 'No cloud cost budget alerts configured', description: 'Add AWS Budgets or GCP billing alerts. Without alerts, runaway costs from misconfigurations or attacks go unnoticed until the monthly bill.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // COST-051: API call in rendering loop
+  { id: 'COST-051', category: 'cost', severity: 'high', confidence: 'likely', title: 'API Call Inside Rendering Loop',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:for|forEach|map|while)\s*\(/) && !lines[i].match(/Promise\.all/)) {
+            const block = lines.slice(i, i + 8).join('\n');
+            if (block.match(/fetch\(|axios\.|got\.|https?\./i)) {
+              findings.push({ ruleId: 'COST-051', category: 'cost', severity: 'high', title: 'HTTP API call inside a loop — N requests instead of 1 batch request', description: 'Batch API calls outside the loop. Use bulk endpoints or batch processing. N sequential API calls cost N × (latency + per-request overhead).', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-052: No CloudFront cache behavior for API
+  { id: 'COST-052', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'CloudFront Without Cache Behaviors for GET APIs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_cloudfront_distribution/i) && c.match(/origin.*api/i)) {
+          if (!c.match(/cache_behavior|ordered_cache_behavior/i)) {
+            findings.push({ ruleId: 'COST-052', category: 'cost', severity: 'medium', title: 'CloudFront fronting API without cache behaviors — all requests hit origin', description: 'Add cache_behavior for cacheable GET endpoints. Cache-Control: max-age=60 on GET /products reduces origin requests 90% for popular endpoints.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-053: Database query result not paginated
+  { id: 'COST-053', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Database Query Returns Unbounded Results',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/SELECT\s+\*\s+FROM|\.find\(\{?\}\)|\.findAll\(\)/i)) {
+            if (!lines.slice(i, i + 5).join('\n').match(/LIMIT|limit:|take:|first:|paginate/i)) {
+              findings.push({ ruleId: 'COST-053', category: 'cost', severity: 'medium', title: 'Database query without LIMIT — returns all rows', description: 'Add LIMIT to all queries: SELECT * FROM users LIMIT 100. Unbounded queries can return millions of rows, exhausting memory and bandwidth.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-054: No HTTP conditional requests (ETags)
+  { id: 'COST-054', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'API Does Not Support ETags/Conditional Requests',
+    check({ files }) {
+      const findings = [];
+      const hasETags = [...files.values()].some(c => c.match(/ETag|etag|If-None-Match|Last-Modified|If-Modified-Since/i));
+      const hasAPI = [...files.values()].some(c => c.match(/router\.get|app\.get/i));
+      if (hasAPI && !hasETags) {
+        findings.push({ ruleId: 'COST-054', category: 'cost', severity: 'low', title: 'API does not support ETags — clients cannot use conditional requests', description: 'Add ETag support: res.set("ETag", hash(data)). Conditional requests let clients cache responses and receive 304 Not Modified instead of full responses.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-055: No RDS proxy for Lambda connections
+  { id: 'COST-055', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Lambda Connecting Directly to RDS (No Proxy)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_lambda_function/i) && c.match(/aws_db_instance|aws_rds_cluster/i)) {
+          if (!c.match(/aws_db_proxy|rds_proxy|RDSProxy/i)) {
+            findings.push({ ruleId: 'COST-055', category: 'cost', severity: 'medium', title: 'Lambda connecting directly to RDS — connection exhaustion at scale', description: 'Add RDS Proxy between Lambda and RDS. Lambda bursts create thousands of connections that RDS cannot handle. RDS Proxy pools and reuses connections.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-056: N+1 database queries inflating query costs
+  { id: 'COST-056', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'N+1 Query Pattern Inflating Database Costs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/for\s*\(|forEach\s*\(|\.map\s*\(/) && !lines[i].match(/\/\//)) {
+            const loopBody = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (loopBody.match(/await.*\.(findOne|findById|query|execute|select)\s*\(/) ) {
+              findings.push({ ruleId: 'COST-056', category: 'cost', severity: 'medium', title: 'Database query inside loop — N+1 queries increasing DB costs', description: 'Use batch queries, JOIN, or DataLoader to fetch related data in bulk. N+1 queries make hundreds of DB calls instead of one, inflating RDS costs and slowing response times.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-057: Uncompressed API responses
+  { id: 'COST-057', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'API Responses Not Compressed (gzip/brotli)',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasCompression = ['compression', '@fastify/compress', 'koa-compress'].some(d => d in allDeps) || [...files.values()].some(c => c.match(/compression\s*\(\s*\)|brotli|gzip.*res|Content-Encoding/i));
+      const hasExpress = 'express' in allDeps || 'fastify' in allDeps || 'koa' in allDeps;
+      if (hasExpress && !hasCompression) {
+        findings.push({ ruleId: 'COST-057', category: 'cost', severity: 'medium', title: 'No HTTP response compression — excess bandwidth costs', description: 'Add compression middleware (npm compression). Gzip typically reduces JSON responses by 70-80%, directly reducing data transfer costs and improving performance.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-058: Lambda function with overly large deployment package
+  { id: 'COST-058', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Lambda Deployment Package Not Optimized',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('serverless.yml') && !fp.match(/serverless\.yaml$/)) continue;
+        if (!c.match(/exclude:|individually:\s*true|layers:/i)) {
+          findings.push({ ruleId: 'COST-058', category: 'cost', severity: 'medium', title: 'Serverless function without package exclusions — cold starts inflated by large packages', description: 'Use package.patterns excludes and Lambda Layers for shared dependencies. Smaller deployment packages reduce Lambda cold start time (proportional to package size) and storage costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-059: Chatty microservice communication
+  { id: 'COST-059', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Chatty Inter-Service Communication Pattern',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let serviceCallCount = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/await\s+(axios|fetch|got|superagent)\.(get|post)\s*\(/)) serviceCallCount++;
+        }
+        if (serviceCallCount > 10) {
+          findings.push({ ruleId: 'COST-059', category: 'cost', severity: 'medium', title: `${serviceCallCount} outbound HTTP calls in one file — chatty service communication`, description: 'Batch or aggregate service calls. Each HTTP call has network overhead. A GraphQL gateway or API aggregation layer reduces inter-service call volume and associated data transfer costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-060: Sending large payloads over SQS/SNS
+  { id: 'COST-060', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Large Payload Sent Directly via SQS/SNS',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/sendMessage|publish\s*\(.*Message/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/JSON\.stringify|payload|data|body/i) && !ctx.match(/s3.*key|S3.*pointer|reference/i)) {
+              findings.push({ ruleId: 'COST-060', category: 'cost', severity: 'low', title: 'Large data sent directly via SQS/SNS — use S3 pointer pattern', description: 'Store large payloads in S3 and pass only the S3 key in the SQS/SNS message. SQS charges per API call and has a 256KB message limit. Large payloads should use the S3 extended library.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-061: Polling instead of event-driven architecture
+  { id: 'COST-061', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Polling Pattern Instead of Event-Driven',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/setInterval\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/fetch|axios|db\.|query|findAll|getItem/i)) {
+              findings.push({ ruleId: 'COST-061', category: 'cost', severity: 'medium', title: 'setInterval polling database/API — continuous unnecessary compute and API costs', description: 'Replace polling with webhooks, WebSockets, or message queue consumers. Polling makes API calls regardless of whether data changed, wasting compute and incurring API costs.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-062: No pagination on list queries
+  { id: 'COST-062', category: 'cost', severity: 'high', confidence: 'likely', title: 'List API Returns All Records Without Pagination',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.findAll\s*\(\s*\)|\.find\s*\(\s*\)|\.scan\s*\(\s*\)/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 2), i + 5).join('\n');
+            if (!ctx.match(/limit|skip|offset|take|page|cursor|LIMIT/i)) {
+              findings.push({ ruleId: 'COST-062', category: 'cost', severity: 'high', title: 'findAll() without limit — full table scan on every list request', description: 'Add LIMIT/take to all list queries. Fetching all records on every request wastes DB compute, increases memory, and slows response times proportional to table size.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-063: Redundant CloudWatch log ingestion
+  { id: 'COST-063', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Verbose Logging Increasing CloudWatch Ingestion Costs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let verboseLogCount = 0;
+        for (const line of lines) {
+          if (line.match(/console\.log\s*\(|logger\.(debug|verbose|silly)\s*\(/) && !line.match(/\/\//)) verboseLogCount++;
+        }
+        if (verboseLogCount > 20) {
+          findings.push({ ruleId: 'COST-063', category: 'cost', severity: 'low', title: `${verboseLogCount} verbose log statements — high CloudWatch log ingestion cost`, description: 'Remove or reduce verbose logging in production code. CloudWatch charges $0.50/GB ingested. Debug-level logging in production can exceed production traffic data costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-064: Downloading full S3 objects when only metadata needed
+  { id: 'COST-064', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Downloading Full S3 Objects to Check Metadata',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/getObject\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/\.size|\.lastModified|\.contentType|Content-Length|Last-Modified/i) && !ctx.match(/headObject|getObjectAttributes/i)) {
+              findings.push({ ruleId: 'COST-064', category: 'cost', severity: 'medium', title: 'Downloading S3 object to check metadata — use headObject instead', description: 'Use S3 HeadObject to check size, content-type, and last-modified without downloading the object. GetObject charges per GB downloaded; HeadObject only charges per request.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-065: Generating thumbnails/transforms on every request
+  { id: 'COST-065', category: 'cost', severity: 'high', confidence: 'likely', title: 'Image/Media Transformed on Every Request',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasTransform = ['sharp', 'jimp', 'imagemagick', 'gm'].some(d => d in allDeps);
+      const cachesTransform = [...files.values()].some(c => c.match(/cache.*resize|resize.*cache|s3.*thumbnail|cloudfront.*image/i));
+      if (hasTransform && !cachesTransform) {
+        findings.push({ ruleId: 'COST-065', category: 'cost', severity: 'high', title: 'Image transformations not cached — reprocessing same image on every request', description: 'Cache transformed images in S3 or use CloudFront with Lambda@Edge for on-demand image resizing. Reprocessing the same image on every request wastes CPU and memory.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-066: Secrets Manager called on every request
+  { id: 'COST-066', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'AWS Secrets Manager Called on Every Request',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/getSecretValue|GetSecretValue/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 10), i + 5).join('\n');
+            if (!ctx.match(/cache|cached|module\.exports|singleton|startup|initialize/i) && ctx.match(/req\.|handler\s*=|router\./)) {
+              findings.push({ ruleId: 'COST-066', category: 'cost', severity: 'medium', title: 'Secrets Manager called per-request — excessive API costs', description: 'Cache Secrets Manager values at startup or in a module-level variable with refresh interval. AWS Secrets Manager charges $0.05 per 10,000 API calls. Per-request calls quickly add up.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-067: Multi-AZ deployment for non-production environments
+  { id: 'COST-067', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Multi-AZ Enabled in Non-Production Environment',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|\.yaml$|\.yml$/)) continue;
+        if (fp.match(/dev|staging|test|qa/i) && c.match(/multi_az\s*=\s*true|MultiAZ.*true|multi-az.*true/i)) {
+          findings.push({ ruleId: 'COST-067', category: 'cost', severity: 'low', title: 'Multi-AZ RDS enabled in non-production — double the cost with no benefit', description: 'Disable Multi-AZ for dev/staging environments. Multi-AZ doubles RDS costs and is only needed for production uptime. Use single-AZ for cost savings in non-production.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-068: Sending transactional email synchronously in request handler
+  { id: 'COST-068', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Transactional Email Sent Synchronously in Request Handler',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasEmail = ['nodemailer', '@sendgrid/mail', 'mailgun-js', 'postmark', 'ses'].some(d => d in allDeps);
+      if (!hasEmail) return findings;
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/await.*sendMail|await.*send\s*\(.*subject|await.*transporter/i) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 10), i).join('\n');
+            if (ctx.match(/router\.(post|get|put|patch)|req\.|res\./)) {
+              findings.push({ ruleId: 'COST-068', category: 'cost', severity: 'medium', title: 'Email sent synchronously in request handler — slows response and blocks retries', description: 'Enqueue email sending to a background job (Bull, SQS). Sending email inline with the request adds 200-500ms latency, blocks the response if email service is slow, and prevents cost-efficient batching.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-069: Over-provisioned ElastiCache cluster
+  { id: 'COST-069', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'ElastiCache Cluster Configured Without Auto-Scaling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_elasticache_cluster|aws_elasticache_replication_group/i)) {
+          if (!c.match(/num_cache_nodes\s*=\s*1|automatic_failover_enabled\s*=\s*false/i)) {
+            const hasScaling = c.match(/aws_appautoscaling|auto_minor_version|serverless.*cache/i);
+            if (!hasScaling) {
+              findings.push({ ruleId: 'COST-069', category: 'cost', severity: 'low', title: 'ElastiCache cluster without scaling configuration', description: 'Consider ElastiCache Serverless for variable workloads or right-size your node type. Over-provisioned cache clusters run at full cost even at low utilization.', file: fp, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-070: Downloading full file before processing
+  { id: 'COST-070', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'File Fully Downloaded Before Processing (No Streaming)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/readFileSync|readFile\s*\(/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+            if (ctx.match(/split\s*\(|forEach\s*\(|map\s*\(|filter\s*\(/) && !ctx.match(/stream|pipe\s*\(/)) {
+              findings.push({ ruleId: 'COST-070', category: 'cost', severity: 'medium', title: 'File fully loaded into memory before processing', description: 'Use readable streams for large file processing. Loading large files fully into memory is expensive. Streams process data incrementally with constant memory overhead.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-071: SQS queue without message visibility timeout
+  { id: 'COST-071', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'SQS Queue Without Appropriate Visibility Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|\.yaml$|\.yml$/)) continue;
+        if (c.match(/aws_sqs_queue|Type.*SQS::Queue/i)) {
+          if (!c.match(/visibility_timeout_seconds|VisibilityTimeout/i)) {
+            findings.push({ ruleId: 'COST-071', category: 'cost', severity: 'medium', title: 'SQS queue without explicit visibility timeout — messages reprocessed unnecessarily', description: 'Set visibility_timeout_seconds to at least 6x your Lambda/consumer processing time. Too short causes duplicate processing; too long delays failure detection. Both waste SQS costs.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-072: No HTTP connection keep-alive
+  { id: 'COST-072', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Outbound HTTP Requests Without Connection Keep-Alive',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasAxios = 'axios' in allDeps || 'got' in allDeps;
+      const hasKeepAlive = [...files.values()].some(c => c.match(/keepAlive:\s*true|keep-alive|KeepAliveAgent|https\.Agent\s*\(/));
+      if (hasAxios && !hasKeepAlive) {
+        findings.push({ ruleId: 'COST-072', category: 'cost', severity: 'medium', title: 'HTTP client without keep-alive — new TCP connection per request', description: 'Configure axios with a keepAlive HTTP agent. Without keep-alive, every outbound HTTP request opens a new TCP connection, adding 50-200ms overhead and increasing compute costs.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-073: Lambda zip deployment vs container image for large packages
+  { id: 'COST-073', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Large Lambda Function Could Benefit from Container Image',
+    check({ files, stack }) {
+      const findings = [];
+      const hasBinaryDeps = ['sharp', 'puppeteer', 'canvas', 'aws-sdk', 'ffmpeg'].some(d => d in (stack.dependencies || {}));
+      const isLambda = [...files.keys()].some(f => f.match(/serverless\.yml|lambda.*handler|handler.*lambda/i));
+      const usesContainer = [...files.values()].some(c => c.match(/ecr.*lambda|lambda.*container|image.*uri|package_type.*image/i));
+      if (hasBinaryDeps && isLambda && !usesContainer) {
+        findings.push({ ruleId: 'COST-073', category: 'cost', severity: 'low', title: 'Lambda with large native dependencies — consider container image deployment', description: 'Lambda container images support up to 10GB vs 250MB for zip packages. Large native dependencies (sharp, puppeteer, canvas) fit better as container images, reducing cold start failures.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-074: No cache-busting for static assets
+  { id: 'COST-074', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Static Assets Without Cache-Busting Hash in Filename',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/webpack\.config|vite\.config|rollup\.config/)) continue;
+        if (!c.match(/contenthash|chunkhash|hash\]|fingerprint/i)) {
+          findings.push({ ruleId: 'COST-074', category: 'cost', severity: 'medium', title: 'Static assets without content hash in filename — prevents effective CDN caching', description: 'Add [contenthash] to output filenames in webpack/vite. Without content hashing, you must use short cache TTLs (or no cache) to avoid serving stale assets, increasing CDN origin requests and costs.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-075: Unused CloudWatch metric filters
+  { id: 'COST-075', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'CloudWatch Metric Filters on High-Volume Log Groups',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        const filterCount = (c.match(/aws_cloudwatch_log_metric_filter/g) || []).length;
+        if (filterCount > 10) {
+          findings.push({ ruleId: 'COST-075', category: 'cost', severity: 'low', title: `${filterCount} CloudWatch metric filters — evaluate if all are needed`, description: 'CloudWatch charges $0.02 per metric filter per month. Audit metric filters for active use; remove unused ones. Consider using CloudWatch Logs Insights for ad-hoc analysis instead.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-076: Provisioned Throughput for low-traffic API Gateway
+  { id: 'COST-076', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'API Gateway with Unnecessary Caching Configuration',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|serverless\.yml|serverless\.yaml$/)) continue;
+        if (c.match(/aws_api_gateway_stage|apiGateway:/i) && c.match(/cache_cluster_enabled\s*=\s*true|caching.*Enabled.*true/i)) {
+          if (!c.match(/cache_cluster_size\s*=\s*0\.|0\.5/i)) {
+            findings.push({ ruleId: 'COST-076', category: 'cost', severity: 'low', title: 'API Gateway cache cluster enabled — costs $15-$70/month per stage', description: 'Evaluate if API Gateway caching is cost-effective vs CloudFront. API Gateway caching charges per hour regardless of hits; CloudFront charges per request. For most APIs, CloudFront is cheaper.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-077: Missing timeout on long-running database queries
+  { id: 'COST-077', category: 'cost', severity: 'high', confidence: 'likely', title: 'Database Queries Without Statement Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hasLongOps = c.match(/GROUP BY|aggregat|COUNT\s*\(|SUM\s*\(|AVG\s*\(|JOIN.*JOIN/i);
+        const hasTimeout = c.match(/statement_timeout|query_timeout|commandTimeout|lock_timeout|statement.*timeout/i);
+        if (hasLongOps && !hasTimeout) {
+          findings.push({ ruleId: 'COST-077', category: 'cost', severity: 'high', title: 'Complex aggregation queries without statement timeout', description: 'Set statement_timeout on complex queries. Unbounded aggregation queries can run for minutes, consuming expensive RDS compute and blocking other queries.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-078: Generating PDF/reports on every request
+  { id: 'COST-078', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'PDF/Report Generation Not Cached',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasPDF = ['puppeteer', 'playwright', 'pdfkit', 'jspdf', 'html-pdf', 'wkhtmltopdf'].some(d => d in allDeps);
+      const cachesPDF = [...files.values()].some(c => c.match(/cache.*pdf|pdf.*cache|s3.*report|cloudfront.*pdf/i));
+      if (hasPDF && !cachesPDF) {
+        findings.push({ ruleId: 'COST-078', category: 'cost', severity: 'medium', title: 'PDF/report generation without caching — recomputed on every request', description: 'Cache generated PDFs in S3 and serve via CloudFront. Headless browser PDF generation uses 512MB+ RAM and takes 2-5 seconds. Regenerating the same report repeatedly wastes significant compute cost.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // COST-079: Lambda functions triggered by S3 events on entire bucket
+  { id: 'COST-079', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda S3 Trigger Without Prefix Filter',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$|serverless\.yml|\.yaml$/)) continue;
+        if (c.match(/s3.*events|events.*s3|S3Event|existing_s3/i)) {
+          if (!c.match(/prefix:|filter_prefix|rules:\s*\n\s*-\s*prefix|filterRules/i)) {
+            findings.push({ ruleId: 'COST-079', category: 'cost', severity: 'low', title: 'S3 Lambda trigger without prefix filter — triggered by every object in bucket', description: 'Add a prefix filter to S3 event notifications. Without filtering, the Lambda is triggered by all bucket events including intermediate processing files, multiplying invocation costs.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // COST-080: Large WebSocket messages instead of binary protocol
+  { id: 'COST-080', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'WebSocket Using JSON for High-Frequency Messages',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasWS = ['ws', 'socket.io', 'uWebSockets.js'].some(d => d in allDeps);
+      const hasBinaryProtocol = [...files.values()].some(c => c.match(/protobuf|msgpack|binary.*socket|Buffer.*send|BINARY/i));
+      const hasHighFreqWS = [...files.values()].some(c => c.match(/emit\s*\(.*position|emit\s*\(.*update|emit\s*\(.*sensor|broadcast.*data/i));
+      if (hasWS && hasHighFreqWS && !hasBinaryProtocol) {
+        findings.push({ ruleId: 'COST-080', category: 'cost', severity: 'low', title: 'High-frequency WebSocket events using JSON — consider binary protocol', description: 'Use MessagePack or Protocol Buffers for high-frequency real-time data. Binary protocols are 50-70% smaller than JSON, reducing data transfer costs for real-time applications.', fix: null });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// COST-081: Lambda sync invocation in loop
+rules.push({
+  id: 'COST-081', category: 'cost', severity: 'high', confidence: 'likely', title: 'Lambda invoked synchronously in a loop — high latency and cost',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      let inLoop = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\b(?:for|while)\s*\(/.test(lines[i])) inLoop++;
+        if (/^\s*\}/.test(lines[i]) && inLoop > 0) inLoop--;
+        if (inLoop > 0 && /lambda\.invoke|lambda\.invokeAsync|InvocationType.*RequestResponse/i.test(lines[i])) {
+          findings.push({ ruleId: 'COST-081', category: 'cost', severity: 'high', title: 'Lambda invoked inside loop — N sequential Lambda calls, use batch or async', description: 'Invoking Lambda synchronously in a loop multiplies cost and latency linearly. Use Lambda.invokeAsync with Event invocation type or batch with SQS for parallel processing.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-082: Missing Lambda concurrency limit
+rules.push({
+  id: 'COST-082', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Lambda without reserved concurrency limit — runaway cost risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$|serverless\.ya?ml$|serverless\.ts$|\.json$/)) continue;
+      if (!c.match(/aws_lambda_function|lambda.*handler|functions:/i)) continue;
+      if (!c.match(/reserved_concurrent_executions|reservedConcurrencyConfig|reservedConcurrency/i)) {
+        findings.push({ ruleId: 'COST-082', category: 'cost', severity: 'medium', title: 'Lambda without reserved concurrency — traffic spike can exhaust account limit and explode costs', description: 'Set reserved_concurrent_executions to cap maximum concurrency. Without a limit, a traffic spike can spawn thousands of concurrent executions, resulting in unexpected costs.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-083: Missing CDN for static assets
+rules.push({
+  id: 'COST-083', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Static assets served from origin without CDN',
+  check({ files }) {
+    const findings = [];
+    const hasStatic = [...files.values()].some(c => /express\.static|serve-static|sendFile.*public|readFile.*static/i.test(c));
+    const hasCDN = [...files.values()].some(c => /cloudfront|cloudflare|cdn\.|fastly|akamai|CDN_URL/i.test(c));
+    if (hasStatic && !hasCDN) {
+      findings.push({ ruleId: 'COST-083', category: 'cost', severity: 'medium', title: 'Static assets served from origin without CDN — high bandwidth cost', description: 'Serving static assets directly from your server wastes bandwidth and compute. Use CloudFront, Cloudflare, or similar CDN to cache assets at edge locations.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-084: Uncompressed API responses
+rules.push({
+  id: 'COST-084', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'API responses not compressed (no gzip/brotli)',
+  check({ files }) {
+    const findings = [];
+    const hasExpress = [...files.values()].some(c => /require.*express|from.*express/i.test(c));
+    const hasCompression = [...files.values()].some(c => /compression\s*\(\)|compress\s*\(\)|gzip|brotli|zlib/i.test(c));
+    if (hasExpress && !hasCompression) {
+      findings.push({ ruleId: 'COST-084', category: 'cost', severity: 'medium', title: 'Express app without compression middleware — full-size responses increase bandwidth cost', description: 'Add compression middleware: app.use(require("compression")()). Gzip/Brotli typically reduces response size by 60-80%, reducing bandwidth costs and improving latency.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-085: Polling instead of webhooks
+rules.push({
+  id: 'COST-085', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Polling loop instead of webhooks or Server-Sent Events',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/setInterval\s*\(\s*(?:async\s*)?\(/.test(lines[i])) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+          if (/fetch\s*\(|axios\.|http\.request/.test(ctx)) {
+            findings.push({ ruleId: 'COST-085', category: 'cost', severity: 'medium', title: 'Polling with setInterval + HTTP request — replace with webhooks or SSE', description: 'Periodic polling makes unnecessary API calls even when there\'s no new data. Use webhooks (push model), Server-Sent Events, or WebSockets for real-time updates.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-086: N+1 queries in GraphQL resolvers
+rules.push({
+  id: 'COST-086', category: 'cost', severity: 'high', confidence: 'likely', title: 'N+1 query pattern in GraphQL resolver',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:resolve|Query|Mutation)\s*[:=]/.test(lines[i]) || /resolver/.test(fp)) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (/\.findById\s*\(|\.findOne\s*\(/.test(ctx) && /\.map\s*\(|forEach/.test(ctx) && !/DataLoader|dataloader|batch/i.test(ctx)) {
+            findings.push({ ruleId: 'COST-086', category: 'cost', severity: 'high', title: 'N+1 query in resolver — use DataLoader for batching', description: 'A DB query inside a list resolver fires once per list item (N+1 queries). Use DataLoader to batch and cache: return userLoader.load(parent.userId).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-087: Uncached expensive computation per request
+rules.push({
+  id: 'COST-087', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Expensive computation repeated per request without caching',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:sort\s*\(|aggregate\s*\(|GROUP BY|SUM\s*\(|COUNT\s*\()/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 8), i).join('\n');
+          if (/router\.|app\.(get|post)|handler|req,\s*res/.test(ctx) && !/cache|redis|memcache/i.test(ctx)) {
+            findings.push({ ruleId: 'COST-087', category: 'cost', severity: 'medium', title: 'Aggregate/sort query in request handler without caching', description: 'Running aggregation queries on every request is expensive. Cache results in Redis or memory for frequently requested but infrequently changed data.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-088: S3 GET/PUT in tight loop
+rules.push({
+  id: 'COST-088', category: 'cost', severity: 'high', confidence: 'likely', title: 'S3 GET/PUT called in a loop — high request count and cost',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      let inLoop = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\b(?:for|while)\s*\(/.test(lines[i])) inLoop++;
+        if (/^\s*\}/.test(lines[i]) && inLoop > 0) inLoop--;
+        if (inLoop > 0 && /s3\.(?:getObject|putObject|upload|getSignedUrl)/i.test(lines[i])) {
+          findings.push({ ruleId: 'COST-088', category: 'cost', severity: 'high', title: 'S3 API called in loop — use bulk operations or presigned URL batch', description: 'S3 API calls inside loops incur per-request costs and throttling. Use S3 batch operations, multipart upload, or generate multiple presigned URLs in one call.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-089: Over-provisioned Lambda memory
+rules.push({
+  id: 'COST-089', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda configured with very high memory (>=3008 MB)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$|serverless\.ya?ml$|\.json$/)) continue;
+      const m = c.match(/memory(?:_size)?\s*[:=]\s*(\d{4,})/i);
+      if (m && parseInt(m[1]) >= 3008) {
+        findings.push({ ruleId: 'COST-089', category: 'cost', severity: 'low', title: `Lambda memory set to ${m[1]}MB — verify this is necessary`, description: 'Lambda cost is proportional to memory × duration. Measure actual memory usage with AWS Lambda Power Tuning and right-size to reduce costs.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-090: No pagination on expensive queries
+rules.push({
+  id: 'COST-090', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Expensive query without pagination — unbounded result set',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\.findMany\s*\(\s*\)|\.findAll\s*\(\s*\)|SELECT \* FROM/i.test(lines[i])) {
+          findings.push({ ruleId: 'COST-090', category: 'cost', severity: 'medium', title: 'Query with no filters or pagination — full table scan', description: 'Queries that return all records increase DB compute cost and data transfer costs linearly with table growth. Always paginate with take/limit.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-091: Missing CloudWatch log retention
+rules.push({
+  id: 'COST-091', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'CloudWatch log group without retention policy',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_cloudwatch_log_group/) && !c.match(/retention_in_days/)) {
+        findings.push({ ruleId: 'COST-091', category: 'cost', severity: 'low', title: 'CloudWatch log group without retention — logs stored indefinitely', description: 'CloudWatch logs stored indefinitely accrue significant storage costs. Set retention_in_days to 30, 60, or 90 days depending on compliance requirements.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-092: DynamoDB scan instead of query
+rules.push({
+  id: 'COST-092', category: 'cost', severity: 'high', confidence: 'likely', title: 'DynamoDB Scan operation used — reads entire table',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/dynamodb\.\s*scan\s*\(|DynamoDB.*\.scan\s*\(/i.test(lines[i])) {
+          findings.push({ ruleId: 'COST-092', category: 'cost', severity: 'high', title: 'DynamoDB Scan — reads every item, O(table size) cost', description: 'DynamoDB Scan reads every item in the table, consuming read capacity proportional to table size. Use Query with a partition key, or add a GSI for access patterns.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-093: No request deduplication for idempotent operations
+rules.push({
+  id: 'COST-093', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'External API calls without deduplication or request coalescing',
+  check({ files }) {
+    const findings = [];
+    const hasFetch = [...files.values()].some(c => /fetch\s*\(|axios\.get\s*\(/.test(c));
+    const hasDedup = [...files.values()].some(c => /dedup|coalesce|dataloader|cache.*request|request.*cache|memoize/i.test(c));
+    if (hasFetch && !hasDedup) {
+      findings.push({ ruleId: 'COST-093', category: 'cost', severity: 'low', title: 'No request deduplication — simultaneous identical requests make multiple API calls', description: 'Use DataLoader or a request cache to deduplicate identical concurrent requests. This reduces external API costs and improves performance under load.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-094 through COST-120: Additional cost rules
+
+// COST-094: SQS long polling not enabled
+rules.push({
+  id: 'COST-094', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'SQS queue without long polling — excess API calls',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_sqs_queue/) && !c.match(/receive_wait_time_seconds\s*=\s*[1-9]\d*/)) {
+        findings.push({ ruleId: 'COST-094', category: 'cost', severity: 'low', title: 'SQS queue without long polling (receive_wait_time_seconds) — excessive ReceiveMessage API calls', description: 'Set receive_wait_time_seconds = 20 to enable long polling. Short polling checks for messages even when the queue is empty, incurring unnecessary API charges.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-095: Unoptimized Docker image size
+rules.push({
+  id: 'COST-095', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Dockerfile not using slim or alpine base image',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/Dockerfile/i)) continue;
+      const fromLine = c.match(/^FROM\s+node:(\d+)\s*$/m);
+      if (fromLine) {
+        findings.push({ ruleId: 'COST-095', category: 'cost', severity: 'low', title: 'Using full node image — use node:XX-alpine or node:XX-slim to reduce image size', description: 'Full node images are 350MB+. Alpine-based images are ~50MB. Smaller images reduce ECR storage costs, data transfer costs, and deployment time.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-096: S3 lifecycle policy missing
+rules.push({
+  id: 'COST-096', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'S3 bucket without lifecycle policy — old objects accumulate indefinitely',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/resource\s+["']aws_s3_bucket["']/) && !c.match(/aws_s3_bucket_lifecycle_configuration|lifecycle_rule/)) {
+        findings.push({ ruleId: 'COST-096', category: 'cost', severity: 'medium', title: 'S3 bucket without lifecycle policy — storage costs grow unbounded', description: 'Add S3 lifecycle rules to transition old objects to cheaper storage classes (Glacier) and expire objects that are no longer needed.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-097: EC2 instance type not cost-optimized
+rules.push({
+  id: 'COST-097', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'EC2 instance type may be over-provisioned',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/instance_type\s*=\s*["'](?:m5\.4xlarge|m5\.8xlarge|c5\.4xlarge|r5\.4xlarge|m4\.4xlarge|c4\.4xlarge)/)) {
+        findings.push({ ruleId: 'COST-097', category: 'cost', severity: 'low', title: 'Large EC2 instance type — verify utilization and consider downsizing', description: 'Large instance types significantly increase compute costs. Use AWS Compute Optimizer to analyze actual CPU/memory usage and right-size your instances.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-098: No reserved capacity for steady-state workloads
+rules.push({
+  id: 'COST-098', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'No Reserved Instances or Savings Plans — paying on-demand rates',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasReserved = [...files.values()].some(c => /aws_reserved_instance|savings_plan|aws_ec2_capacity_reservation/i.test(c));
+    const hasSignificantInfra = [...files.values()].some(c => /aws_instance|aws_ecs_service|aws_eks_node_group/i.test(c));
+    if (hasTF && hasSignificantInfra && !hasReserved) {
+      findings.push({ ruleId: 'COST-098', category: 'cost', severity: 'low', title: 'EC2/ECS/EKS without Reserved Instances or Savings Plans — paying on-demand premium', description: 'For steady-state workloads running 24/7, Compute Savings Plans or Reserved Instances save 40-60% compared to on-demand pricing.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-099: Multiple small Lambda functions that could be consolidated
+rules.push({
+  id: 'COST-099', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Many small Lambda functions — consider consolidation',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const lambdaCount = [...files.values()].reduce((n, c) => n + (c.match(/resource\s+["']aws_lambda_function["']/g) || []).length, 0);
+    if (hasTF && lambdaCount > 20) {
+      findings.push({ ruleId: 'COST-099', category: 'cost', severity: 'low', title: `${lambdaCount} Lambda functions — consider consolidating infrequently-called functions`, description: 'Many small Lambda functions each have their own cold start overhead and management cost. Consider consolidating with routing logic or moving to container-based deployment.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-100: Using synchronous external calls in high-traffic endpoints
+rules.push({
+  id: 'COST-100', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Synchronous external API calls in high-traffic endpoint — latency multiplies cost',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/await\s+(?:fetch|axios)\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 8), i).join('\n');
+          if (/router\.(get|post|put)|app\.(get|post)|handler/i.test(ctx)) {
+            const endpointCtx = lines.slice(Math.max(0, i - 8), i + 2).join('\n');
+            if (!/cache|redis|cached/.test(endpointCtx)) {
+              findings.push({ ruleId: 'COST-100', category: 'cost', severity: 'medium', title: 'Synchronous external HTTP call in request handler without caching', description: 'External API calls in request handlers add latency cost to every request. Cache responses where possible to reduce both latency and upstream API costs.', file: fp, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-101 through COST-120
+
+// COST-101: Missing auto-scaling configuration
+rules.push({
+  id: 'COST-101', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'No auto-scaling configured — over-provisioned for off-peak',
+  check({ files }) {
+    const findings = [];
+    const hasTF = [...files.keys()].some(f => f.match(/\.tf$/));
+    const hasEC2orECS = [...files.values()].some(c => /aws_instance|aws_ecs_service/i.test(c));
+    const hasScaling = [...files.values()].some(c => /aws_autoscaling|aws_appautoscaling|minCapacity|maxCapacity|desired_capacity/i.test(c));
+    if (hasTF && hasEC2orECS && !hasScaling) {
+      findings.push({ ruleId: 'COST-101', category: 'cost', severity: 'medium', title: 'EC2/ECS without auto-scaling — manually fixed capacity wastes money during off-peak', description: 'Configure auto-scaling to scale in during low-traffic periods. ECS Service Auto Scaling can reduce costs significantly for variable workloads.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-102: Unnecessary console.log in production bundle
+rules.push({
+  id: 'COST-102', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'console.log in production code increases log volume costs',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+      const logCount = (c.match(/console\.(?:log|debug|info)\s*\(/g) || []).length;
+      if (logCount > 10) {
+        findings.push({ ruleId: 'COST-102', category: 'cost', severity: 'low', title: `${logCount} console.log calls — verbose logging increases CloudWatch/log storage costs`, description: 'Excessive logging increases log storage and ingestion costs. Use structured logging with log levels and disable DEBUG logging in production.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-103: Lambda with too many layers
+rules.push({
+  id: 'COST-103', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda function with many layers — larger cold starts',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$|serverless\.ya?ml$/)) continue;
+      const layerCount = (c.match(/aws_lambda_layer_version|layers:/g) || []).length;
+      if (layerCount > 5) {
+        findings.push({ ruleId: 'COST-103', category: 'cost', severity: 'low', title: 'Lambda with many layers — increases package size and cold start duration', description: 'Lambda supports up to 5 layers but each adds to the total package size. Consolidate layers to reduce cold start time and storage costs.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-104: HTTP keep-alive not configured
+rules.push({
+  id: 'COST-104', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'HTTP connections not using keep-alive — overhead per request',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/new\s+https?\.Agent\s*\(\s*\)/.test(c) && !/keepAlive\s*:\s*true/.test(c)) {
+        findings.push({ ruleId: 'COST-104', category: 'cost', severity: 'low', title: 'HTTP Agent without keepAlive: true — TCP connection overhead per request', description: 'Configure HTTP agents with { keepAlive: true } to reuse TCP connections and reduce latency and server resource usage for multiple requests.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-105: Missing spot instances for batch workloads
+rules.push({
+  id: 'COST-105', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Batch/background jobs on on-demand instances — use Spot',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tf$/)) continue;
+      if (c.match(/aws_ecs_task_definition/) && c.match(/worker|batch|job|cron/i) && !c.match(/spot|FARGATE_SPOT|capacity_provider.*SPOT/i)) {
+        findings.push({ ruleId: 'COST-105', category: 'cost', severity: 'low', title: 'Batch/worker tasks without Spot instances — 70% cost savings available', description: 'Use FARGATE_SPOT or EC2 Spot instances for fault-tolerant batch jobs and background workers. Spot pricing is 70-90% cheaper than on-demand.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-106: No connection reuse for database
+rules.push({
+  id: 'COST-106', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Database connection not reused between Lambda invocations',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      // Lambda handler that creates DB connection inside handler
+      if (/exports\.handler|module\.exports.*handler|async.*event.*context/.test(c)) {
+        if (/new\s+(?:Pool|Client|Sequelize|MongoClient)\s*\(/.test(c)) {
+          const handlerIdx = c.match(/exports\.handler|module\.exports.*handler/)?.index || 0;
+          const connectIdx = c.search(/new\s+(?:Pool|Client|Sequelize|MongoClient)\s*\(/);
+          if (connectIdx > handlerIdx) {
+            findings.push({ ruleId: 'COST-106', category: 'cost', severity: 'medium', title: 'DB connection created inside Lambda handler — new connection per invocation', description: 'Create DB connections outside the handler function to reuse them across warm invocations. Connection overhead adds latency and connection count to your database.', file: fp, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-107: Unused SQS messages not deleted
+rules.push({
+  id: 'COST-107', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'SQS messages received but not deleted — incurs repeated polling costs',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/receiveMessage|sqs\.receive/i.test(c) && !/deleteMessage|sqs\.delete/i.test(c)) {
+        findings.push({ ruleId: 'COST-107', category: 'cost', severity: 'medium', title: 'SQS messages received without deleteMessage call — messages reprocessed and cost multiplied', description: 'Always call sqs.deleteMessage() after successfully processing a message to avoid re-delivery charges.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-108: CloudFront without price class optimization
+rules.push({
+  id: 'COST-108', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'CloudFront distribution using all edge locations (PriceClass_All)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_cloudfront_distribution"/.test(c) && /PriceClass_All/.test(c)) findings.push({ ruleId: 'COST-108', category: 'cost', severity: 'low', title: 'CloudFront using PriceClass_All — most expensive option', description: 'Consider PriceClass_100 or PriceClass_200 if you only serve specific geographic regions.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-109: RDS instance without reserved instance tags
+rules.push({
+  id: 'COST-109', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Long-running RDS instance without Reserved Instance consideration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_db_instance"/.test(c) && !/reserved|lifecycle/.test(c) && /instance_class\s*=\s*"db\./.test(c)) findings.push({ ruleId: 'COST-109', category: 'cost', severity: 'medium', title: 'RDS instance without Reserved Instance planning — up to 60% savings available', description: 'For stable workloads, purchase Reserved Instances for RDS to save up to 60% over on-demand pricing.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-110: Lambda without ARM64 architecture
+rules.push({
+  id: 'COST-110', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Lambda function not using ARM64 (Graviton2) — 20% cost savings available',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_lambda_function"/.test(c) && !/architectures\s*=\s*\["arm64"\]/.test(c)) findings.push({ ruleId: 'COST-110', category: 'cost', severity: 'low', title: 'Lambda function using x86_64 instead of ARM64 — Graviton2 is ~20% cheaper', description: 'Set architectures = ["arm64"] in Lambda configuration for ~20% cost reduction with similar or better performance.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-111: Missing S3 intelligent-tiering
+rules.push({
+  id: 'COST-111', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'S3 bucket without Intelligent-Tiering lifecycle rule',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_s3_bucket"/.test(c) && !/INTELLIGENT_TIERING|intelligent_tiering/.test(c) && !/lifecycle/.test(c)) findings.push({ ruleId: 'COST-111', category: 'cost', severity: 'low', title: 'S3 bucket without lifecycle policy — data stored in Standard tier indefinitely', description: 'Add S3 lifecycle rules to transition infrequently accessed objects to cheaper storage tiers.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-112: ECS service with no auto-scaling
+rules.push({
+  id: 'COST-112', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'ECS service without auto-scaling — always running maximum capacity',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_ecs_service"/.test(c) && !/aws_appautoscaling_target|autoscaling/.test(c)) findings.push({ ruleId: 'COST-112', category: 'cost', severity: 'medium', title: 'ECS service without auto-scaling — wastes resources during low-traffic periods', description: 'Configure Application Auto Scaling for ECS services to scale based on CPU/memory metrics.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-113: Multiple await calls instead of Promise.all
+rules.push({
+  id: 'COST-113', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Sequential await calls for independent operations — parallelize to reduce latency and cost',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.match(/\.[jt]sx?$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length - 1; i++) {
+        const awaitMatch = lines[i].match(/^\s*(?:const|let|var)\s+\w+\s*=\s*await\s+\w+\s*\(/);
+        const nextAwait = lines[i+1].match(/^\s*(?:const|let|var)\s+\w+\s*=\s*await\s+\w+\s*\(/);
+        if (awaitMatch && nextAwait) {
+          findings.push({ ruleId: 'COST-113', category: 'cost', severity: 'medium', title: 'Sequential awaits for independent operations — use Promise.all() for parallel execution', description: 'Replace sequential await calls with Promise.all([op1, op2]) to run operations in parallel.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-114: Over-fetching GraphQL fields
+rules.push({
+  id: 'COST-114', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'GraphQL query requesting all fields (may over-fetch data)',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts') && !fp.match(/\.[jt]sx?$/) && !fp.endsWith('.graphql') && !fp.endsWith('.gql')) continue;
+      if (/\.\.\.\s*on\s+\w+\s*\{[\s\S]{0,50}__typename[\s\S]{0,50}\}/.test(c)) continue;
+      if (/query\s*\w*\s*\{[\s\S]{0,50}\w+\s*\{[\s\S]{0,20}__typename/.test(c)) {
+        findings.push({ ruleId: 'COST-114', category: 'cost', severity: 'medium', title: 'GraphQL query may be over-fetching data — request only needed fields', description: 'Only request fields you actually use in GraphQL queries to reduce data transfer and processing costs.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-115: No API response compression
+rules.push({
+  id: 'COST-115', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Express API without response compression — higher data transfer costs',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.js') && !fp.endsWith('.ts')) continue;
+      if (/app\.listen|createServer/.test(c) && !/compression\s*\(\)|require.*compression|from.*compression|brotli|gzip/i.test(c)) {
+        findings.push({ ruleId: 'COST-115', category: 'cost', severity: 'medium', title: 'Express server without compression middleware — uncompressed responses increase bandwidth costs', description: 'Add compression middleware: app.use(require("compression")()) to reduce response sizes by 60-80%.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-116: Excessive Lambda memory allocation
+rules.push({
+  id: 'COST-116', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Lambda function with very high memory allocation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf') && !fp.endsWith('.json') && !fp.endsWith('.yml') && !fp.endsWith('.yaml')) continue;
+      const m = c.match(/memory_size\s*=\s*(\d+)|MemorySize['":\s]+(\d+)/);
+      if (m) {
+        const mem = parseInt(m[1] || m[2]);
+        if (mem >= 3008) findings.push({ ruleId: 'COST-116', category: 'cost', severity: 'medium', title: `Lambda with ${mem}MB memory — use AWS Lambda Power Tuning to find optimal allocation`, description: 'Run AWS Lambda Power Tuning to find the most cost-effective memory configuration.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// COST-117: NAT Gateway for low-traffic use case
+rules.push({
+  id: 'COST-117', category: 'cost', severity: 'medium', confidence: 'suggestion', title: 'Terraform NAT Gateway without considering VPC Endpoints',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_nat_gateway"/.test(c) && !/aws_vpc_endpoint/.test(c)) findings.push({ ruleId: 'COST-117', category: 'cost', severity: 'medium', title: 'NAT Gateway used without VPC Endpoints — S3/DynamoDB traffic should use free VPC endpoints', description: 'Create VPC Endpoints for S3 and DynamoDB to avoid NAT Gateway charges for AWS service traffic.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-118: Unused Elastic IP addresses
+rules.push({
+  id: 'COST-118', category: 'cost', severity: 'low', confidence: 'likely', title: 'Terraform Elastic IP without association — idle EIP incurs charges',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      if (/resource\s+"aws_eip"/.test(c) && !/association|instance\s*=/.test(c)) findings.push({ ruleId: 'COST-118', category: 'cost', severity: 'low', title: 'Unattached Elastic IP address — idle EIPs incur $0.005/hour charge', description: 'Release unneeded Elastic IP addresses or associate them with running instances.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-119: No connection pooling for serverless DB
+rules.push({
+  id: 'COST-119', category: 'cost', severity: 'high', confidence: 'likely', title: 'Serverless function without database connection pooling proxy',
+  check({ files, stack }) {
+    const findings = [];
+    const hasLambda = [...files.keys()].some(f => /lambda|serverless|handler\.js/.test(f));
+    if (!hasLambda) return findings;
+    if ((stack.dependencies?.['mongoose'] || stack.dependencies?.['pg'] || stack.dependencies?.['mysql2']) && !/rds.proxy|pgBouncer|planetscale|aurora.serverless/i.test([...files.values()].join('\n'))) {
+      const dbFiles = [...files.keys()].filter(f => (f.endsWith('.js') || f.endsWith('.ts')) && /db|database|model/.test(f));
+      if (dbFiles.length > 0) findings.push({ ruleId: 'COST-119', category: 'cost', severity: 'high', title: 'Serverless function connecting directly to RDS — use RDS Proxy to reduce connection costs', description: 'Use RDS Proxy or PgBouncer to pool database connections from serverless functions.', file: dbFiles[0], fix: null });
+    }
+    return findings;
+  },
+});
+
+// COST-120: Terraform resources without lifecycle prevent_destroy
+rules.push({
+  id: 'COST-120', category: 'cost', severity: 'low', confidence: 'suggestion', title: 'Critical resources without Terraform lifecycle prevent_destroy',
+  check({ files }) {
+    const findings = [];
+    const criticalResources = ['aws_db_instance', 'aws_elasticache_cluster', 'aws_s3_bucket', 'aws_dynamodb_table'];
+    for (const [fp, c] of files) {
+      if (!fp.endsWith('.tf')) continue;
+      for (const res of criticalResources) {
+        if (new RegExp(`resource\\s+"${res}"`).test(c) && !/prevent_destroy/.test(c)) {
+          findings.push({ ruleId: 'COST-120', category: 'cost', severity: 'low', title: `Critical resource ${res} without prevent_destroy — accidental deletion risk`, description: 'Add lifecycle { prevent_destroy = true } to critical resources to prevent accidental deletion.', file: fp, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});