getdoorman 1.0.0

package/src/rules/quality/index.js

@@ -0,0 +1,3175 @@
+const JS_EXTENSIONS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isSourceFile(f) { return JS_EXTENSIONS.some(ext => f.endsWith(ext)); }
+function isTestFile(f) {
+  return /\.(test|spec)\.[jt]sx?$/.test(f) ||
+    f.includes('__tests__/') ||
+    f.includes('__mocks__/') ||
+    f.includes('/test/') ||
+    f.includes('/tests/');
+}
+
+const rules = [
+  // QUAL-001: console.log left in production code
+  {
+    id: 'QUAL-001',
+    category: 'quality',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'console.log left in production code',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (isTestFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          if (line.match(/\bconsole\.(log|debug|info)\s*\(/)) {
+            findings.push({
+              ruleId: 'QUAL-001', category: 'quality', severity: 'low',
+              title: 'console.log left in production code',
+              description: 'Remove console.log statements or replace with a proper logging library (winston, pino, etc.).',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-002: TODO/FIXME/HACK comments still in code
+  {
+    id: 'QUAL-002',
+    category: 'quality',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'TODO/FIXME/HACK comment in code',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/\b(TODO|FIXME|HACK|XXX)\b[:\s]*(.*)/i);
+          if (match) {
+            const tag = match[1].toUpperCase();
+            const detail = match[2] ? match[2].trim().substring(0, 80) : '';
+            findings.push({
+              ruleId: 'QUAL-002', category: 'quality', severity: 'low',
+              title: `${tag} comment found${detail ? ': ' + detail : ''}`,
+              description: 'Resolve or convert to a tracked issue before shipping to production.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-003: Functions over 50 lines long
+  {
+    id: 'QUAL-003',
+    category: 'quality',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Function exceeds 50 lines',
+    check({ files }) {
+      const findings = [];
+      const funcStartPattern = /^[ \t]*(export\s+)?(async\s+)?function\s+\w+|(?:const|let|var)\s+\w+\s*=\s*(async\s+)?\(|(?:const|let|var)\s+\w+\s*=\s*(async\s+)?function/;
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        let funcStart = -1;
+        let braceDepth = 0;
+        let inFunc = false;
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (!inFunc && funcStartPattern.test(line) && line.includes('{')) {
+            funcStart = i;
+            inFunc = true;
+            braceDepth = 0;
+          }
+          if (inFunc) {
+            for (const ch of line) {
+              if (ch === '{') braceDepth++;
+              if (ch === '}') braceDepth--;
+            }
+            if (braceDepth <= 0 && funcStart >= 0) {
+              const length = i - funcStart + 1;
+              if (length > 50) {
+                findings.push({
+                  ruleId: 'QUAL-003', category: 'quality', severity: 'medium',
+                  title: `Function is ${length} lines long (max recommended: 50)`,
+                  description: 'Break large functions into smaller, focused helper functions for readability and testability.',
+                  file: filepath, line: funcStart + 1, fix: null,
+                });
+              }
+              inFunc = false;
+              funcStart = -1;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-004: Deeply nested callbacks (callback hell - 4+ levels)
+  {
+    id: 'QUAL-004',
+    category: 'quality',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Deeply nested callbacks (callback hell)',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Count nesting by leading indentation relative to callback patterns
+          const callbackMatches = line.match(/(?:function\s*\(|=>\s*\{|\(\s*(?:err|error|result|data|res|req)\s*(?:,\s*\w+)*\)\s*(?:=>|{))/);
+          if (callbackMatches) {
+            // Count the brace depth at this line
+            let depth = 0;
+            for (let j = 0; j <= i; j++) {
+              for (const ch of lines[j]) {
+                if (ch === '{') depth++;
+                if (ch === '}') depth--;
+              }
+            }
+            if (depth >= 4) {
+              findings.push({
+                ruleId: 'QUAL-004', category: 'quality', severity: 'medium',
+                title: `Callback nested ${depth} levels deep`,
+                description: 'Refactor deeply nested callbacks using async/await, Promises, or extract into named functions.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-005: JS files in a TypeScript project
+  {
+    id: 'QUAL-005',
+    category: 'quality',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'JavaScript file in TypeScript project',
+    check({ files }) {
+      const findings = [];
+      const hasTsConfig = [...files.keys()].some(f => f.endsWith('tsconfig.json'));
+      if (!hasTsConfig) return findings;
+
+      const hasTsFiles = [...files.keys()].some(f => f.endsWith('.ts') || f.endsWith('.tsx'));
+      if (!hasTsFiles) return findings;
+
+      for (const [filepath] of files) {
+        if (!filepath.endsWith('.js') && !filepath.endsWith('.jsx')) continue;
+        // Skip config files, build output, and tooling
+        if (filepath.includes('node_modules/')) continue;
+        if (filepath.includes('/dist/')) continue;
+        if (filepath.includes('/build/')) continue;
+        if (filepath.match(/\.(config|setup|babel|eslint)\./)) continue;
+        if (filepath.endsWith('.config.js') || filepath.endsWith('.setup.js')) continue;
+
+        findings.push({
+          ruleId: 'QUAL-005', category: 'quality', severity: 'low',
+          title: 'JavaScript file in a TypeScript project',
+          description: 'Convert this .js/.jsx file to .ts/.tsx for consistent type safety across the project.',
+          file: filepath, line: 1, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-006: Empty catch blocks
+  {
+    id: 'QUAL-006',
+    category: 'quality',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Empty catch block swallows errors',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Match catch followed by empty block on same line
+          if (line.match(/catch\s*\([^)]*\)\s*\{\s*\}/)) {
+            findings.push({
+              ruleId: 'QUAL-006', category: 'quality', severity: 'high',
+              title: 'Empty catch block swallows errors silently',
+              description: 'Log the error, rethrow it, or handle it explicitly. Silent failures make debugging very difficult.',
+              file: filepath, line: i + 1, fix: null,
+            });
+            continue;
+          }
+          // Match catch on one line with empty body on next line(s)
+          if (line.match(/catch\s*\([^)]*\)\s*\{\s*$/)) {
+            const nextLine = (lines[i + 1] || '').trim();
+            if (nextLine === '}') {
+              findings.push({
+                ruleId: 'QUAL-006', category: 'quality', severity: 'high',
+                title: 'Empty catch block swallows errors silently',
+                description: 'Log the error, rethrow it, or handle it explicitly. Silent failures make debugging very difficult.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-007: Magic numbers
+  {
+    id: 'QUAL-007',
+    category: 'quality',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Magic number in code',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (isTestFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          if (line.startsWith('//') || line.startsWith('*') || line.startsWith('/*')) continue;
+          // Skip import/require, const declarations with descriptive names, array indices
+          if (line.match(/^(import|require|export)\b/)) continue;
+
+          // Skip lines with crypto/security context — magic numbers there are intentional
+          if (line.match(/bcrypt|argon2|scrypt|pbkdf2|randomBytes|createCipher|createHash|crypto\.|salt.*round|round.*salt/i)) continue;
+          // Look for numeric literals in conditions and return statements
+          const conditionMatch = line.match(/(?:if|else if|while|case|return)\s.*\b(\d{2,})\b/);
+          if (conditionMatch) {
+            const num = parseInt(conditionMatch[1], 10);
+            // Allow common acceptable numbers: 0, 1, -1, 2, 10, 100, 1000 (powers of 10), HTTP status codes, common crypto sizes
+            const allowed = [0, 1, 2, 10, 12, 16, 24, 32, 48, 64, 100, 128, 256, 1000, 200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 409, 422, 429, 500, 502, 503];
+            if (!allowed.includes(num)) {
+              findings.push({
+                ruleId: 'QUAL-007', category: 'quality', severity: 'low',
+                title: `Magic number ${num} used in logic`,
+                description: 'Extract numeric literals into named constants for clarity (e.g., const MAX_RETRIES = 3).',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-008: Duplicate string literals
+  {
+    id: 'QUAL-008',
+    category: 'quality',
+    severity: 'low',
+    confidence: 'likely',
+    title: 'Duplicate string literal',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (isTestFile(filepath)) continue;
+        const lines = content.split('\n');
+        const stringCounts = new Map();
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//') || line.trim().startsWith('*')) continue;
+          // Match string literals (single or double quoted, at least 6 chars)
+          const matches = line.match(/(['"])([^'"]{6,})\1/g);
+          if (matches) {
+            for (const m of matches) {
+              const str = m.slice(1, -1);
+              // Skip imports, requires, and common patterns
+              if (str.startsWith('./') || str.startsWith('../') || str.startsWith('http')) continue;
+              if (!stringCounts.has(str)) {
+                stringCounts.set(str, { count: 0, firstLine: i + 1 });
+              }
+              stringCounts.get(str).count++;
+            }
+          }
+        }
+
+        for (const [str, info] of stringCounts) {
+          if (info.count >= 3) {
+            findings.push({
+              ruleId: 'QUAL-008', category: 'quality', severity: 'low',
+              title: `String "${str.substring(0, 40)}${str.length > 40 ? '...' : ''}" repeated ${info.count} times`,
+              description: 'Extract repeated string literals into a shared constant to avoid typos and ease refactoring.',
+              file: filepath, line: info.firstLine, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-009: No test files found in project
+  {
+    id: 'QUAL-009',
+    category: 'quality',
+    severity: 'high',
+    confidence: 'suggestion',
+    title: 'No test files found',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const testLibs = ['jest', 'mocha', 'vitest', 'ava', 'tape', '@testing-library/react',
+        '@testing-library/jest-dom', 'cypress', 'playwright', '@playwright/test', 'jasmine'];
+      const hasTestDep = testLibs.some(lib => lib in allDeps);
+
+      const hasTestFiles = [...files.keys()].some(f => isTestFile(f));
+
+      if (!hasTestFiles) {
+        findings.push({
+          ruleId: 'QUAL-009', category: 'quality', severity: 'high',
+          title: 'No test files found in the project',
+          description: hasTestDep
+            ? `Test framework detected (${testLibs.find(l => l in allDeps)}) but no test files found. Add tests to ensure code correctness.`
+            : 'No test framework or test files found. Add a testing framework (jest, vitest, etc.) and write tests.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-010: File over 500 lines long
+  {
+    id: 'QUAL-010',
+    category: 'quality',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'File exceeds 500 lines',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lineCount = content.split('\n').length;
+        if (lineCount > 500) {
+          findings.push({
+            ruleId: 'QUAL-010', category: 'quality', severity: 'medium',
+            title: `File is ${lineCount} lines long (max recommended: 500)`,
+            description: 'Split large files into smaller, focused modules. Large files are harder to navigate, review, and test.',
+            file: filepath, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SMELL-001: eval() usage
+  { id: 'QUAL-SMELL-001', category: 'quality', severity: 'critical', confidence: 'likely', title: 'eval() Usage',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\beval\s*\(/) && !lines[i].trim().startsWith('//')) {
+            findings.push({ ruleId: 'QUAL-SMELL-001', category: 'quality', severity: 'critical',
+              title: 'eval() is dangerous and a security risk', description: 'Replace eval() with JSON.parse, static functions, or a safe expression evaluator.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SMELL-002: new Function() with dynamic string
+  { id: 'QUAL-SMELL-002', category: 'quality', severity: 'critical', confidence: 'likely', title: 'new Function() — Behaves Like eval()',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/new\s+Function\s*\(/) && !lines[i].trim().startsWith('//')) {
+            findings.push({ ruleId: 'QUAL-SMELL-002', category: 'quality', severity: 'critical',
+              title: 'new Function() executes dynamic code strings', description: 'new Function() has the same security risks as eval(). Use static functions instead.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SMELL-003: Function with too many parameters
+  { id: 'QUAL-SMELL-003', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Function With Too Many Parameters',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const m = lines[i].match(/function\s+\w+\s*\(([^)]{30,})\)/);
+          if (m) {
+            const count = m[1].split(',').length;
+            if (count > 5) {
+              findings.push({ ruleId: 'QUAL-SMELL-003', category: 'quality', severity: 'medium',
+                title: `Function has ${count} parameters — use an options object`, description: 'Functions with >5 parameters are hard to call and maintain. Consolidate into a single configuration object.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SMELL-004: setTimeout/setInterval with string
+  { id: 'QUAL-SMELL-004', category: 'quality', severity: 'high', confidence: 'likely', title: 'setTimeout/setInterval With String Argument',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/(?:setTimeout|setInterval)\s*\(\s*["'`]/)) {
+            findings.push({ ruleId: 'QUAL-SMELL-004', category: 'quality', severity: 'high',
+              title: 'setTimeout/setInterval with a string argument — behaves like eval()',
+              description: 'Use a function: setTimeout(() => doThing(), 1000)', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SMELL-005: Math.random for security purposes
+  { id: 'QUAL-SMELL-005', category: 'quality', severity: 'high', confidence: 'likely', title: 'Math.random for Security-Sensitive Value',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/Math\.random\s*\(/) && lines[i].match(/token|secret|password|key|nonce|salt/i)) {
+            findings.push({ ruleId: 'QUAL-SMELL-005', category: 'quality', severity: 'high',
+              title: 'Math.random() is not cryptographically secure', description: 'Use crypto.randomBytes() or crypto.randomUUID() for security tokens and IDs.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-001: TypeScript any type
+  { id: 'QUAL-TS-001', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript "any" Type Overuse',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const count = (c.match(/:\s*any\b|\bas\s+any\b/g) || []).length;
+        if (count > 3) {
+          findings.push({ ruleId: 'QUAL-TS-001', category: 'quality', severity: 'medium',
+            title: `${count} uses of TypeScript "any" — defeats type safety`, description: 'Replace "any" with specific types, "unknown" + type guards, or generics.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-002: No strict mode in tsconfig
+  { id: 'QUAL-TS-002', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript Not in Strict Mode',
+    check({ files }) {
+      const entry = [...files.entries()].find(([f]) => f.endsWith('tsconfig.json'));
+      if (!entry) return [];
+      try {
+        const cfg = JSON.parse(entry[1]);
+        if (!cfg.compilerOptions?.strict) {
+          return [{ ruleId: 'QUAL-TS-002', category: 'quality', severity: 'medium',
+            title: 'TypeScript strict mode disabled', description: 'Add "strict": true to tsconfig.json. Strict mode catches null pointer errors, implicit any, and other common bugs.', fix: null }];
+        }
+      } catch {}
+      return [];
+    },
+  },
+
+  // QUAL-MAINT-001: No ESLint config
+  { id: 'QUAL-MAINT-001', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No ESLint Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.keys()].some(f => f.includes('.eslintrc') || f.endsWith('eslint.config.js') || f.endsWith('eslint.config.mjs'));
+      if (!has && !('eslint' in (stack.devDependencies || {}))) {
+        findings.push({ ruleId: 'QUAL-MAINT-001', category: 'quality', severity: 'medium',
+          title: 'No ESLint configuration found', description: 'Add ESLint to catch bugs and enforce code style automatically.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-002: No Prettier config
+  { id: 'QUAL-MAINT-002', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Prettier Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.keys()].some(f => f.includes('.prettierrc') || f.endsWith('prettier.config.js') || f.endsWith('prettier.config.mjs'));
+      if (!has) {
+        findings.push({ ruleId: 'QUAL-MAINT-002', category: 'quality', severity: 'low',
+          title: 'No Prettier code formatter configured', description: 'Add Prettier for automatic formatting. Eliminates style debates and noisy diffs in PRs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-003: No pre-commit hooks
+  { id: 'QUAL-MAINT-003', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Pre-Commit Hooks',
+    check({ files, stack }) {
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const has = 'husky' in allDeps || 'lint-staged' in allDeps || 'lefthook' in allDeps ||
+        [...files.keys()].some(f => f.includes('.husky') || f.includes('lefthook'));
+      if (!has && stack.runtime === 'node') {
+        return [{ ruleId: 'QUAL-MAINT-003', category: 'quality', severity: 'low',
+          title: 'No pre-commit hooks (husky/lint-staged) configured', description: 'Pre-commit hooks catch lint errors and failed tests before they enter version control.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // QUAL-DOC-001: No README.md
+  { id: 'QUAL-DOC-001', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No README.md',
+    check({ files }) {
+      const has = [...files.keys()].some(f => f.match(/(?:^|\/)README\.md$/i));
+      if (!has) {
+        return [{ ruleId: 'QUAL-DOC-001', category: 'quality', severity: 'medium',
+          title: 'No README.md found', description: 'Add a README with project description, setup instructions, and usage examples.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // QUAL-DOC-002: No CHANGELOG
+  { id: 'QUAL-DOC-002', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No CHANGELOG',
+    check({ files }) {
+      const has = [...files.keys()].some(f => f.match(/CHANGELOG/i));
+      if (!has) {
+        return [{ ruleId: 'QUAL-DOC-002', category: 'quality', severity: 'low',
+          title: 'No CHANGELOG.md', description: 'Add a CHANGELOG to track what changed between releases. Use conventional commits and auto-generation tools.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // QUAL-SEC-001: Prototype pollution
+  { id: 'QUAL-SEC-001', category: 'quality', severity: 'high', confidence: 'likely', title: 'Prototype Pollution Risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\[['"]__proto__['"]\]|\.__proto__\s*=|\['constructor'\]/)) {
+            findings.push({ ruleId: 'QUAL-SEC-001', category: 'quality', severity: 'high',
+              title: 'Potential prototype pollution vulnerability', description: 'Validate object keys before property assignment. Block __proto__, constructor, and prototype as keys from user input.', file: fp, line: i + 1, fix: null });
+          }
+          // Bracket property assignment with user-controlled key
+          if (lines[i].match(/\w+\[\s*req\.(body|query|params)\.\w+\s*\]\s*=/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-SEC-001', category: 'quality', severity: 'high',
+              title: 'Bracket property assignment with user-controlled key — prototype pollution risk', description: 'Validate the key before use: reject __proto__, constructor, prototype. Unvalidated bracket assignment with user input is the primary prototype pollution vector.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-011: Missing return type on exported functions
+  { id: 'QUAL-TS-011', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Exported Function Without Return Type',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/) || fp.includes('test') || fp.includes('spec')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^export\s+(async\s+)?function\s+\w+\s*\([^)]*\)\s*\{/) && !lines[i].match(/\)\s*:/)) {
+            findings.push({ ruleId: 'QUAL-TS-011', category: 'quality', severity: 'low', title: 'Exported function missing explicit return type annotation', description: 'Add return type: export function foo(): Promise<User>. Explicit return types catch unintended changes to public API contracts.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-012: Non-null assertion overuse
+  { id: 'QUAL-TS-012', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Excessive Non-Null Assertions (!)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const count = (c.match(/[^!=]!/g) || []).filter(() => true).length;
+        if (count > 15) {
+          findings.push({ ruleId: 'QUAL-TS-012', category: 'quality', severity: 'medium', title: `${count} non-null assertions (!) — excessive use defeats TypeScript's null safety`, description: 'Replace ! with proper null checks or optional chaining. Each ! is a promise to TypeScript that could throw at runtime.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-003: Using Object type instead of specific type
+  { id: 'QUAL-TS-003', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Using Object or {} as TypeScript Type',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/:\s*Object\b|:\s*\{\}(?!\s*=>)/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-TS-003', category: 'quality', severity: 'low', title: "Using 'Object' or '{}' type — too broad, loses type safety", description: "Define a specific interface or use 'Record<string, unknown>'. '{}' accepts almost everything, nullifying type checking.", file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-004: Enum used where union type is better
+  { id: 'QUAL-TS-004', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'TypeScript Enum (prefer union types)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^enum\s+\w+|^export\s+enum\s+\w+/) && !lines[i].match(/const\s+enum/)) {
+            findings.push({ ruleId: 'QUAL-TS-004', category: 'quality', severity: 'low', title: 'TypeScript enum — prefer string union types or const enum', description: "Replace: type Status = 'active' | 'inactive'. String unions are erased at compile time, generate no JS, and are more flexible.", file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-005: Missing interface for props
+  { id: 'QUAL-TS-005', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'React Component Props Not Typed',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:export\s+)?(?:default\s+)?function\s+[A-Z]\w*\s*\(\s*\{/) && !lines[i].match(/Props>/)) {
+            if (!lines[i - 1]?.match(/Props>/) && !lines[i].match(/:\s*[A-Z]\w*Props/)) {
+              findings.push({ ruleId: 'QUAL-TS-005', category: 'quality', severity: 'low', title: 'React component props not typed with interface', description: 'Define interface Props { ... } and type the component: function MyComp({ foo }: Props). Typed props prevent prop name typos.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-001: Dead code - commented out blocks
+  { id: 'QUAL-CODE-001', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Large Commented-Out Code Blocks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let commentBlock = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*\/\//)) commentBlock++;
+          else commentBlock = 0;
+          if (commentBlock === 10) {
+            findings.push({ ruleId: 'QUAL-CODE-001', category: 'quality', severity: 'low', title: '10+ consecutive commented-out lines — dead code accumulation', description: 'Remove commented-out code. Use git history to recover it. Dead code confuses future developers and triggers false positives in security scanners.', file: fp, line: i - 9, fix: null });
+            commentBlock = 0;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-002: Magic numbers
+  { id: 'QUAL-CODE-002', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Magic Numbers in Business Logic',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/[=><]\s*\d{3,}/) && !lines[i].match(/\/\/|port|PORT|status|Status|\.length|timeout|Timeout|1000|1024|8080|3000|443|80/)) {
+            findings.push({ ruleId: 'QUAL-CODE-002', category: 'quality', severity: 'low', title: 'Magic number in business logic — extract to named constant', description: 'Replace magic numbers with named constants: const MAX_RETRY_COUNT = 5. Makes intent clear and enables single-point changes.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-003: console.log left in production code
+  { id: 'QUAL-CODE-003', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'console.log in Production Code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.log\(/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-003', category: 'quality', severity: 'low', title: 'console.log() in production code — replace with structured logger', description: "Use a logger library (pino, winston) instead of console.log. Structured logging enables filtering, aggregation, and level control.", file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-004: Deeply nested callbacks (callback hell)
+  { id: 'QUAL-CODE-004', category: 'quality', severity: 'medium', confidence: 'likely', title: 'Deeply Nested Callbacks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const indent = (lines[i].match(/^\s+/) || [''])[0].length;
+          if (indent > 24 && lines[i].match(/function|callback|=>/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-004', category: 'quality', severity: 'medium', title: 'Deeply nested callback — refactor to async/await or named functions', description: 'Use async/await to flatten nested callbacks. Deeply nested code (callback hell) is hard to read, test, and maintain.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-005: Function too long
+  { id: 'QUAL-CODE-005', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Function Exceeds 100 Lines',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let funcStart = -1;
+        let braceDepth = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:export\s+)?(?:async\s+)?function\s+\w+/) || lines[i].match(/^\s*(?:async\s+)?\w+\s*(?:=\s*(?:async\s+)?function|\([^)]*\)\s*(?::\s*\S+\s*)?\s*=>)/)) {
+            if (funcStart === -1) { funcStart = i; braceDepth = 0; }
+          }
+          braceDepth += (lines[i].match(/{/g) || []).length - (lines[i].match(/}/g) || []).length;
+          if (funcStart >= 0 && braceDepth <= 0 && i > funcStart) {
+            if (i - funcStart > 100) {
+              findings.push({ ruleId: 'QUAL-CODE-005', category: 'quality', severity: 'medium', title: `Function at line ${funcStart + 1} is ${i - funcStart} lines long — exceeds 100 line guideline`, description: 'Extract helper functions to keep each function under 50 lines. Long functions are hard to test and understand.', file: fp, line: funcStart + 1, fix: null });
+            }
+            funcStart = -1;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-006: Unused variables in TypeScript
+  { id: 'QUAL-CODE-006', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'TypeScript Configured Without Unused Variable Checks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('tsconfig.json')) continue;
+        try {
+          const tsconfig = JSON.parse(c);
+          const opts = tsconfig.compilerOptions || {};
+          if (!opts.noUnusedLocals || !opts.noUnusedParameters) {
+            findings.push({ ruleId: 'QUAL-CODE-006', category: 'quality', severity: 'low', title: 'tsconfig.json missing noUnusedLocals/noUnusedParameters', description: 'Add "noUnusedLocals": true, "noUnusedParameters": true to compilerOptions. These flags catch dead code at compile time.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-007: Missing strictNullChecks
+  { id: 'QUAL-CODE-007', category: 'quality', severity: 'high', confidence: 'likely', title: 'TypeScript strictNullChecks Disabled',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('tsconfig.json')) continue;
+        try {
+          const tsconfig = JSON.parse(c);
+          const opts = tsconfig.compilerOptions || {};
+          if (opts.strictNullChecks === false || (opts.strict === false && !opts.strictNullChecks)) {
+            findings.push({ ruleId: 'QUAL-CODE-007', category: 'quality', severity: 'high', title: 'strictNullChecks disabled — null/undefined errors not caught at compile time', description: 'Enable strictNullChecks in tsconfig.json. This is the most valuable TypeScript check — prevents entire classes of null pointer exceptions.', file: fp, fix: null });
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TEST-001: No mock reset between tests
+  { id: 'QUAL-TEST-001', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No Mock Reset Between Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const hasMocks = c.match(/jest\.fn\(\)|sinon\.stub|vi\.fn\(\)|mock\(/i);
+        const hasReset = c.match(/clearAllMocks|resetAllMocks|restoreAllMocks|afterEach.*mock|mock.*reset|vi\.clearAllMocks/i);
+        if (hasMocks && !hasReset) {
+          findings.push({ ruleId: 'QUAL-TEST-001', category: 'quality', severity: 'medium', title: 'Mocks created without clearAllMocks/resetAllMocks in afterEach — test pollution', description: "Add jest.clearAllMocks() or vi.clearAllMocks() in afterEach(). Shared mock state between tests causes flaky, order-dependent tests.", file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TEST-002: Test with no describe block
+  { id: 'QUAL-TEST-002', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Test File Without Describe Block',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const hasIt = c.match(/\bit\s*\(|\btest\s*\(/);
+        const hasDescribe = c.match(/\bdescribe\s*\(/);
+        if (hasIt && !hasDescribe) {
+          findings.push({ ruleId: 'QUAL-TEST-002', category: 'quality', severity: 'low', title: 'Test file without describe() block — poor organization', description: 'Wrap related tests in describe() blocks. Groups tests logically and shows unit under test in failure messages.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TEST-003: Hardcoded test data (magic strings)
+  { id: 'QUAL-TEST-003', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Magic Strings in Test Assertions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const lines = c.split('\n');
+        let magicCount = 0;
+        for (const line of lines) {
+          if (line.match(/expect.*toBe\(['"][a-z0-9_]{20,}['"]/) || line.match(/assert.*equal.*['"][a-z0-9_]{20,}['"]/i)) {
+            magicCount++;
+          }
+        }
+        if (magicCount > 5) {
+          findings.push({ ruleId: 'QUAL-TEST-003', category: 'quality', severity: 'low', title: `${magicCount} hardcoded magic strings in test assertions — extract to constants`, description: 'Extract test fixtures to constants or factory functions. Magic strings make tests fragile and hard to understand.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TEST-004: Missing error case tests
+  { id: 'QUAL-TEST-004', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Tests Only Cover Happy Path',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const hasHappy = c.match(/\bit\s*\(|\btest\s*\(/);
+        const hasError = c.match(/throw|reject|error|Error|invalid|fail|400|401|403|404|500/i);
+        if (hasHappy && !hasError) {
+          findings.push({ ruleId: 'QUAL-TEST-004', category: 'quality', severity: 'medium', title: 'Test file appears to test only happy paths — add error/edge case tests', description: 'Add tests for: invalid inputs, boundary values, error conditions, and unauthorized access. Error paths are where bugs hide.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-001: Circular dependency risk
+  { id: 'QUAL-ARCH-001', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Potential Circular Import',
+    check({ files }) {
+      const findings = [];
+      const importMap = new Map();
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const imports = [];
+        const lines = c.split('\n');
+        for (const line of lines) {
+          const m = line.match(/(?:import|require)\s*(?:\(?\s*)?['"]([./][^'"]+)['"]/);
+          if (m) imports.push(m[1]);
+        }
+        importMap.set(fp, imports);
+      }
+      for (const [fp, imports] of importMap) {
+        for (const imp of imports) {
+          const resolved = imp.replace(/^\.\//, fp.substring(0, fp.lastIndexOf('/') + 1));
+          const impFile = [...importMap.keys()].find(k => k.startsWith(resolved));
+          if (impFile && importMap.get(impFile)?.some(i => fp.includes(i.replace(/^\.\//, '')))) {
+            findings.push({ ruleId: 'QUAL-ARCH-001', category: 'quality', severity: 'medium', title: `Potential circular import between ${fp.split('/').pop()} and ${impFile.split('/').pop()}`, description: 'Circular imports cause initialization order bugs. Refactor to break the cycle — extract shared types to a separate module.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-002: Business logic in route handler
+  { id: 'QUAL-ARCH-002', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Business Logic in HTTP Route Handler',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (!fp.match(/route|controller|handler|router/i)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/router\.(get|post|put|delete|patch)\s*\(/i)) {
+            const handler = lines.slice(i, i + 40).join('\n');
+            const dbCalls = (handler.match(/\.find|\.save|\.create|\.update|query|\.exec/gi) || []).length;
+            if (dbCalls > 3) {
+              findings.push({ ruleId: 'QUAL-ARCH-002', category: 'quality', severity: 'medium', title: 'Route handler contains business logic — extract to service layer', description: 'Move business logic to service classes. Route handlers should only: parse request, call service, return response. Enables testing without HTTP layer.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-003: Global state mutation
+  { id: 'QUAL-ARCH-003', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Global State Mutation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/global\.\w+\s*=|globalThis\.\w+\s*=/) && !lines[i].match(/global\.__express|global\.fetch|global\.TextEncoder/)) {
+            findings.push({ ruleId: 'QUAL-ARCH-003', category: 'quality', severity: 'medium', title: 'Global state mutation — causes test pollution and concurrency bugs', description: 'Use module-scoped variables or dependency injection. Global state mutations cause hard-to-trace bugs in concurrent environments.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-004: Hardcoded environment detection
+  { id: 'QUAL-ARCH-004', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Hardcoded Environment String Comparison',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/===?\s*['"]production['"]|===?\s*['"]staging['"]|===?\s*['"]development['"]/)) {
+            if (!lines[i].match(/NODE_ENV|APP_ENV|ENVIRONMENT/)) {
+              findings.push({ ruleId: 'QUAL-ARCH-004', category: 'quality', severity: 'medium', title: 'Hardcoded environment name comparison — fragile environment detection', description: "Use process.env.NODE_ENV === 'production'. Hardcoded environment strings scatter across codebase and miss new env names.", file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-015: TODO/FIXME without ticket reference
+  { id: 'QUAL-MAINT-015', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'TODO/FIXME Without Issue Tracker Reference',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/TODO|FIXME|HACK|XXX/i) && !lines[i].match(/#\d+|JIRA|https?:\/\/|ticket|issue/i)) {
+            findings.push({ ruleId: 'QUAL-MAINT-015', category: 'quality', severity: 'low', title: 'TODO/FIXME without issue tracker reference — may never be resolved', description: 'Add issue reference: // TODO(#123): Fix this. Untracked TODOs accumulate and are never resolved.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-016: Long files (>500 lines)
+  { id: 'QUAL-MAINT-016', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'File Exceeds 500 Lines',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const lineCount = c.split('\n').length;
+        if (lineCount > 500) {
+          findings.push({ ruleId: 'QUAL-MAINT-016', category: 'quality', severity: 'low', title: `File has ${lineCount} lines — consider splitting into modules`, description: 'Split large files into focused modules. Files over 500 lines suggest mixed responsibilities that should be separated.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-017: Inconsistent error handling (mix of throw and return null)
+  { id: 'QUAL-MAINT-017', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Inconsistent Error Handling Pattern',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const throwCount = (c.match(/throw new Error/g) || []).length;
+        const returnNullCount = (c.match(/return null|return undefined|return false/g) || []).length;
+        if (throwCount > 3 && returnNullCount > 3) {
+          findings.push({ ruleId: 'QUAL-MAINT-017', category: 'quality', severity: 'medium', title: `Mixed error handling: ${throwCount} throws and ${returnNullCount} return-null patterns`, description: 'Standardize error handling in this module. Choose either exceptions or Result types consistently. Mixed patterns confuse callers.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-004: No API versioning
+  { id: 'QUAL-MAINT-004', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No API Versioning',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasRoutes = allCode.match(/router\.(get|post|put|delete)|app\.(get|post|put|delete)/i);
+      const hasVersioning = allCode.match(/\/v1\/|\/v2\/|api.*version|versionedRouter|ApiVersion/i);
+      if (hasRoutes && !hasVersioning) {
+        findings.push({ ruleId: 'QUAL-MAINT-004', category: 'quality', severity: 'medium', title: 'API routes without versioning — breaking changes impossible without coordination', description: 'Version your API: /api/v1/users. Unversioned APIs force all clients to update simultaneously when you make breaking changes.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-005: No database schema documentation
+  { id: 'QUAL-MAINT-005', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Database Schema Documentation',
+    check({ files }) {
+      const findings = [];
+      const allPaths = [...files.keys()].join(' ');
+      const hasSchema = allPaths.match(/schema\.(sql|md|dbml)|erd\.|entity-relationship|database.*diagram/i);
+      const hasDB = [...files.values()].some(c => c.match(/CREATE TABLE|mongoose\.Schema|@Entity\(|@Table\(/i));
+      if (hasDB && !hasSchema) {
+        findings.push({ ruleId: 'QUAL-MAINT-005', category: 'quality', severity: 'low', title: 'Database schema without documentation', description: 'Add schema.dbml or schema.sql documentation. Consider dbdocs.io or Prisma ERD generator. Schema docs speed onboarding and catch design issues.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-008: Copy-paste code (duplicated logic)
+  { id: 'QUAL-CODE-008', category: 'quality', severity: 'medium', confidence: 'likely', title: 'Duplicated Validation Logic Across Files',
+    check({ files }) {
+      const findings = [];
+      const validationPatterns = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const patterns = c.match(/if\s*\(![\w.]+\)\s*\{?\s*(?:throw|return|res\.)/g) || [];
+        for (const p of patterns) {
+          if (validationPatterns.includes(p)) {
+            findings.push({ ruleId: 'QUAL-CODE-008', category: 'quality', severity: 'medium', title: 'Duplicated validation logic across files — extract to shared validator', description: 'Extract repeated validation to shared functions. Duplicated logic diverges over time, causing inconsistent behavior.', file: fp, fix: null });
+            break;
+          }
+        }
+        validationPatterns.push(...patterns.slice(0, 5));
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-009: Switch statement without default case
+  { id: 'QUAL-CODE-009', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Switch Statement Without Default Case',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        let inSwitch = false;
+        let braceDepth = 0;
+        let switchStart = -1;
+        let hasDefault = false;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\bswitch\s*\(/)) { inSwitch = true; switchStart = i; hasDefault = false; braceDepth = 0; }
+          if (inSwitch) {
+            braceDepth += (lines[i].match(/{/g) || []).length - (lines[i].match(/}/g) || []).length;
+            if (lines[i].match(/\bdefault\s*:/)) hasDefault = true;
+            if (braceDepth <= 0 && switchStart >= 0) {
+              if (!hasDefault) findings.push({ ruleId: 'QUAL-CODE-009', category: 'quality', severity: 'low', title: 'switch statement without default case — unhandled values silently ignored', description: 'Add default: throw new Error(`Unexpected value: ${value}`). Default cases prevent silent failures when new enum values are added.', file: fp, line: switchStart + 1, fix: null });
+              inSwitch = false; switchStart = -1;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-010: Using delete for cache clearing
+  { id: 'QUAL-CODE-010', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Using delete Operator on Object Properties',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\bdelete\s+\w+\.\w+/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-010', category: 'quality', severity: 'low', title: 'delete operator used on object property — de-optimizes V8 object shape', description: 'Set to undefined instead: obj.prop = undefined. Or use Reflect.deleteProperty. The delete operator causes V8 to fall back to slower property lookup.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-006: Type assertion (as any) overuse
+  { id: 'QUAL-TS-006', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Overuse of TypeScript Type Assertions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const count = (c.match(/\bas\s+(?:any|unknown)\b/g) || []).length;
+        if (count > 10) {
+          findings.push({ ruleId: 'QUAL-TS-006', category: 'quality', severity: 'medium', title: `${count} 'as any'/'as unknown' type assertions — undermines type safety`, description: 'Use proper type narrowing (type guards, generics) instead of as any. Each assertion is a runtime bug waiting to happen.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TS-007: Missing generic types on collections
+  { id: 'QUAL-TS-007', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Untyped Collections (Array/Map/Set without generics)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/:\s*Array(?!<)|:\s*Map(?!<)|:\s*Set(?!<)/) || lines[i].match(/new\s+Map\(\)|new\s+Set\(\)|new\s+Array\(\)/)) {
+            findings.push({ ruleId: 'QUAL-TS-007', category: 'quality', severity: 'low', title: 'Untyped collection — use generic parameters for type safety', description: 'Add generics: Map<string, User>, Set<number>, Array<Item>. Untyped collections accept any value and return unknown.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-005: Middleware applied globally instead of per-route
+  { id: 'QUAL-ARCH-005', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Expensive Middleware Applied Globally',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/app\.use\(/) && lines[i].match(/authenticate|authorize|checkPermission|requireAuth|jwtAuth/i)) {
+            const before = lines.slice(Math.max(0, i - 5), i).join('\n');
+            if (!before.match(/\/api\/|\/admin\/|router\./)) {
+              findings.push({ ruleId: 'QUAL-ARCH-005', category: 'quality', severity: 'low', title: 'Auth middleware applied globally — may affect public routes unexpectedly', description: 'Apply auth middleware per-route or per-router. Global auth middleware blocks health checks and public endpoints.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-006: No dependency injection
+  { id: 'QUAL-ARCH-006', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Hard Dependencies Instead of Dependency Injection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/class\s+\w+/) && !fp.match(/index|app|server/i)) {
+            const classBody = lines.slice(i, i + 30).join('\n');
+            if (classBody.match(/new\s+(?:EmailService|UserRepository|DatabaseService|PaymentService|NotificationService)/)) {
+              findings.push({ ruleId: 'QUAL-ARCH-006', category: 'quality', severity: 'low', title: 'Class instantiates dependencies directly — hard to test and mock', description: 'Inject dependencies via constructor: constructor(private emailService: EmailService). Hard dependencies cannot be replaced in tests.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SEC-002: Insecure random for tokens
+  { id: 'QUAL-SEC-002', category: 'quality', severity: 'critical', confidence: 'likely', title: 'Math.random() Used for Security Tokens',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/Math\.random\(\)/) && lines[i].match(/token|secret|key|nonce|salt|id|code/i)) {
+            findings.push({ ruleId: 'QUAL-SEC-002', category: 'quality', severity: 'critical', title: 'Math.random() used for security token — cryptographically weak', description: 'Use crypto.randomBytes(32).toString("hex"). Math.random() is predictable and must never be used for tokens, nonces, or secrets.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SEC-003: Regex without anchors (partial match)
+  { id: 'QUAL-SEC-003', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Email/URL Validation Regex Without Anchors',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\/.*@.*\.\w+\//) && !lines[i].match(/\/\^.*\$\/|test|validate|email/i)) {
+            findings.push({ ruleId: 'QUAL-SEC-003', category: 'quality', severity: 'medium', title: 'Validation regex without ^ and $ anchors — partial string match may pass invalid input', description: 'Add ^ and $ anchors to validation regexes. Without anchors, "evil@evil.com.hacker.com" would match /\\w+@\\w+\\.\\w+/.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SEC-004: Using innerHTML to build DOM
+  { id: 'QUAL-SEC-004', category: 'quality', severity: 'high', confidence: 'likely', title: 'DOM Built via innerHTML Concatenation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/innerHTML\s*\+=|innerHTML\s*=\s*['"`][^'"`]*\$\{/)) {
+            findings.push({ ruleId: 'QUAL-SEC-004', category: 'quality', severity: 'high', title: 'DOM built via innerHTML string concatenation — XSS risk', description: 'Use document.createElement() and textContent for dynamic DOM. Or use DOMPurify.sanitize() if HTML is required. innerHTML + interpolation = XSS.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-011: Overly broad try/catch
+  { id: 'QUAL-CODE-011', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Overly Broad try/catch Block',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*try\s*\{/)) {
+            let braces = 0, tryEnd = -1;
+            for (let j = i; j < Math.min(lines.length, i + 80); j++) {
+              braces += (lines[j].match(/{/g) || []).length - (lines[j].match(/}/g) || []).length;
+              if (j > i && braces <= 0) { tryEnd = j; break; }
+            }
+            if (tryEnd > i + 30) {
+              findings.push({ ruleId: 'QUAL-CODE-011', category: 'quality', severity: 'medium', title: `try block spans ${tryEnd - i} lines — too broad, catches unexpected errors`, description: 'Keep try blocks small (3-5 lines). Wrap only the specific operation that can throw. Broad catches hide bugs in unrelated code.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-012: Boolean parameter anti-pattern
+  { id: 'QUAL-CODE-012', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Boolean Parameter Anti-Pattern (Flag Argument)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/function\s+\w+\s*\([^)]*(?:,\s*(?:is|has|should|can)\w+\s*(?:=\s*(?:true|false))?|,\s*(?:true|false))/)) {
+            findings.push({ ruleId: 'QUAL-CODE-012', category: 'quality', severity: 'low', title: 'Function with boolean flag parameter — split into two functions', description: 'Replace doThing(true) with doThingSync() / doThingAsync(). Boolean flags indicate the function does two different things.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-013: Nested ternary
+  { id: 'QUAL-CODE-013', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Nested Ternary Operators',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const ternaryCount = (lines[i].match(/\?(?!=)/g) || []).length;
+          if (ternaryCount >= 2) {
+            findings.push({ ruleId: 'QUAL-CODE-013', category: 'quality', severity: 'medium', title: 'Nested ternary operators — hard to read and debug', description: 'Replace nested ternaries with if/else or a lookup table. Nested ternaries cause logic errors when conditions change.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-014: console.error without structured data
+  { id: 'QUAL-CODE-014', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'console.error Without Error Object',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/console\.error\s*\(\s*['"`]/) && !lines[i].match(/err|error|e\b/i)) {
+            findings.push({ ruleId: 'QUAL-CODE-014', category: 'quality', severity: 'low', title: 'console.error called with string but no error object', description: 'Pass the error: console.error("Failed:", err). Without the error object, stack trace is lost making production debugging impossible.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-007: Config values in source code
+  { id: 'QUAL-ARCH-007', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Configuration Values Hardcoded in Source',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('config')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/const\s+\w*(?:url|host|endpoint|domain)\w*\s*=\s*['"]https?:\/\//i)) {
+            findings.push({ ruleId: 'QUAL-ARCH-007', category: 'quality', severity: 'medium', title: 'URL/endpoint hardcoded in source — not configurable per environment', description: 'Extract URLs to config/environment: process.env.API_URL. Hardcoded URLs require code changes to switch environments.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-ARCH-008: Service accessing another service's database directly
+  { id: 'QUAL-ARCH-008', category: 'quality', severity: 'high', confidence: 'likely', title: 'Cross-Service Direct Database Access',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/service[A-Z]|serviceA|serviceB/i) && c.match(/mongoose\.connect|new Pool|createConnection/i)) {
+          const dbUrls = c.match(/mongodb:\/\/.*\/(\w+)|postgresql:\/\/.*\/(\w+)/g) || [];
+          if (dbUrls.length > 1) {
+            findings.push({ ruleId: 'QUAL-ARCH-008', category: 'quality', severity: 'high', title: 'Service connecting to multiple databases — possible cross-service coupling', description: 'Each service should own its database. Cross-service DB access creates tight coupling. Use APIs or events to communicate between services.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-TEST-005: Snapshot tests without review
+  { id: 'QUAL-TEST-005', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Overuse of Snapshot Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const snapshots = (c.match(/toMatchSnapshot\(\)|toMatchInlineSnapshot/g) || []).length;
+        const assertions = (c.match(/expect\(/g) || []).length;
+        if (snapshots > 5 || (snapshots > 0 && assertions > 0 && snapshots / assertions > 0.8)) {
+          findings.push({ ruleId: 'QUAL-TEST-005', category: 'quality', severity: 'low', title: `${snapshots} snapshot tests — snapshots are often accepted blindly`, description: 'Replace snapshot tests with explicit assertions where possible. Snapshots catch changes but do not assert correctness. Use for complex output only.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SEC-005: Hardcoded JWT secret
+  { id: 'QUAL-SEC-005', category: 'quality', severity: 'critical', confidence: 'likely', title: 'Hardcoded JWT Secret',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/jwt\.(sign|verify)\s*\(/) && lines[i].match(/['"][a-zA-Z0-9]{8,}['"]/)) {
+            if (!lines[i].match(/process\.env\.|config\./)) {
+              findings.push({ ruleId: 'QUAL-SEC-005', category: 'quality', severity: 'critical', title: 'JWT signed/verified with hardcoded secret', description: 'Use process.env.JWT_SECRET and rotate regularly. Hardcoded secrets committed to git are permanently compromised.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-SEC-006: open redirect vulnerability
+  { id: 'QUAL-SEC-006', category: 'quality', severity: 'high', confidence: 'likely', title: 'Open Redirect Vulnerability',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/res\.redirect\s*\(/) && lines[i].match(/req\.(query|params|body)\./)) {
+            if (!lines[i].match(/allowedHosts|whitelist|startsWith\(['"]\/|isInternal/)) {
+              findings.push({ ruleId: 'QUAL-SEC-006', category: 'quality', severity: 'high', title: 'Open redirect: res.redirect() with user-supplied URL', description: 'Validate redirect URLs against allowlist. Open redirects enable phishing attacks where malicious sites appear to come from your domain.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-006: Inconsistent naming conventions
+  { id: 'QUAL-MAINT-006', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Mixed Naming Conventions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test')) continue;
+        const camelCaseVars = (c.match(/(?:const|let|var)\s+[a-z][a-zA-Z0-9]*[A-Z][a-zA-Z0-9]*/g) || []).length;
+        const snakeCaseVars = (c.match(/(?:const|let|var)\s+[a-z][a-z0-9]*_[a-z][a-z0-9]*/g) || []).length;
+        if (camelCaseVars > 5 && snakeCaseVars > 5) {
+          findings.push({ ruleId: 'QUAL-MAINT-006', category: 'quality', severity: 'low', title: `Mixed camelCase (${camelCaseVars}) and snake_case (${snakeCaseVars}) — inconsistent naming`, description: 'Pick one convention and enforce with ESLint camelcase rule. Mixing naming styles reduces readability and makes search harder.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-007: No linting for new team members
+  { id: 'QUAL-MAINT-007', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No Editor Config File',
+    check({ files }) {
+      const findings = [];
+      const hasEditorConfig = [...files.keys()].some(f => f.endsWith('.editorconfig'));
+      const hasManyFiles = [...files.keys()].filter(f => f.match(/\.(js|ts|jsx|tsx)$/)).length > 10;
+      if (!hasEditorConfig && hasManyFiles) {
+        findings.push({ ruleId: 'QUAL-MAINT-007', category: 'quality', severity: 'medium', title: 'No .editorconfig — inconsistent indentation and line endings across editors', description: 'Add .editorconfig with indent_style, indent_size, end_of_line settings. Ensures consistency across VSCode, IntelliJ, Vim, and other editors.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-MAINT-008: No API documentation
+  { id: 'QUAL-MAINT-008', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No API Documentation (OpenAPI/Swagger)',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasAPIDocs = ['swagger-jsdoc', 'swagger-ui-express', '@nestjs/swagger', 'fastify-swagger', 'hapi-swagger', 'openapi-generator', 'tsoa'].some(d => d in allDeps) || [...files.keys()].some(f => f.match(/openapi\.(ya?ml|json)|swagger\.(ya?ml|json)/));
+      const hasAPI = stack.framework;
+      if (hasAPI && !hasAPIDocs) {
+        findings.push({ ruleId: 'QUAL-MAINT-008', category: 'quality', severity: 'medium', title: 'No OpenAPI/Swagger documentation for API', description: 'Add swagger-jsdoc or use tsoa to generate OpenAPI docs. API docs reduce integration time for consumers and enable automated testing.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // QUAL-CODE-015: Using arguments object instead of rest params
+  { id: 'QUAL-CODE-015', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Using arguments Object (Prefer Rest Parameters)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\barguments\[|\barguments\.length|\barguments\.caller/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-015', category: 'quality', severity: 'low', title: "Using 'arguments' object — use rest parameters (...args) instead", description: 'Replace with rest params: function foo(...args). arguments is not available in arrow functions and lacks Array methods without spread.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-016: Mutable default parameter
+  { id: 'QUAL-CODE-016', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Mutable Object/Array as Default Parameter',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/function\s+\w+\s*\([^)]*=\s*(?:\[\]|\{\})/)) {
+            findings.push({ ruleId: 'QUAL-CODE-016', category: 'quality', severity: 'medium', title: 'Mutable default parameter ([] or {}) — shared between calls in some cases', description: 'While JS recreates default params each call (unlike Python), this pattern is confusing. Use null and default inside: options = options ?? {}', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-017: Conditional assignment instead of short circuit
+  { id: 'QUAL-CODE-017', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Verbose Conditional Assignment Pattern',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const count = (c.match(/if\s*\(\w+\s*===?\s*null\s*\|\|\s*\w+\s*===?\s*undefined\)/g) || []).length;
+        if (count > 5) {
+          findings.push({ ruleId: 'QUAL-CODE-017', category: 'quality', severity: 'low', title: `${count} verbose null/undefined checks — use nullish coalescing (??)`, description: 'Replace: if (x === null || x === undefined) x = default; with: x ??= default. Nullish coalescing is more concise and intention-revealing.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TS-008: Index signature typed as any
+  { id: 'QUAL-TS-008', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript Index Signature Typed as any',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(ts|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\[key:\s*string\]:\s*any/)) {
+            findings.push({ ruleId: 'QUAL-TS-008', category: 'quality', severity: 'medium', title: "TypeScript index signature typed as [key: string]: any", description: 'Use [key: string]: unknown or define specific types. Index signature: any disables all type checking on object access.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-009: Using global require() in module
+  { id: 'QUAL-ARCH-009', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Dynamic require() Inside Function Body',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s{2,}(?:const|let|var)\s+\w+\s*=\s*require\s*\(/)) {
+            findings.push({ ruleId: 'QUAL-ARCH-009', category: 'quality', severity: 'low', title: 'Dynamic require() inside function — deferred module loading', description: 'Move require() to the top of the file. Inline requires cause require() to run on each call and prevent static analysis of dependencies.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-SEC-007: Command injection via exec
+  { id: 'QUAL-SEC-007', category: 'quality', severity: 'critical', confidence: 'likely', title: 'Command Injection via exec/spawn',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/exec\s*\(`|exec\s*\(.*\$\{|spawn\s*\(.*\$\{/i)) {
+            findings.push({ ruleId: 'QUAL-SEC-007', category: 'quality', severity: 'critical', title: 'Command injection risk: template literal in exec/spawn', description: 'Use execFile() with separate args array: execFile(cmd, [arg1, arg2]). Template literals in exec enable shell injection if any value comes from user input.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TEST-006: No performance test for critical paths
+  { id: 'QUAL-TEST-006', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Performance Assertions in Critical Path Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        if (c.match(/checkout|payment|search|login|auth/i) && !c.match(/timeout|duration|elapsed|performance\.now|Date\.now.*time/i)) {
+          findings.push({ ruleId: 'QUAL-TEST-006', category: 'quality', severity: 'low', title: 'Critical path tests without performance assertions', description: 'Add timing assertions for critical flows: expect(duration).toBeLessThan(200). Performance regression tests catch slowdowns before deployment.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-009: No auto-format on commit
+  { id: 'QUAL-MAINT-009', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Auto-Format on Git Commit',
+    check({ files }) {
+      const findings = [];
+      const hasHusky = [...files.keys()].some(f => f.match(/\.husky\/|husky\s+install/));
+      const hasLintStaged = [...files.keys()].some(f => f.match(/\.lintstagedrc|lint-staged/));
+      if (!hasHusky && !hasLintStaged) {
+        findings.push({ ruleId: 'QUAL-MAINT-009', category: 'quality', severity: 'low', title: 'No pre-commit hooks (husky + lint-staged) — unformatted code can be committed', description: 'Add husky + lint-staged to auto-format and lint on commit. Prevents style inconsistencies and catches issues before CI.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-010: No OpenAPI/Swagger spec
+  { id: 'QUAL-MAINT-010', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No API Documentation (OpenAPI/Swagger)',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasSwagger = ['swagger-ui-express', '@nestjs/swagger', 'fastify-swagger', 'express-openapi'].some(d => d in allDeps) || [...files.keys()].some(f => f.match(/swagger|openapi/i));
+      const hasRoutes = [...files.values()].some(c => c.match(/router\.(get|post|put|delete|patch)\s*\(/));
+      if (hasRoutes && !hasSwagger) {
+        findings.push({ ruleId: 'QUAL-MAINT-010', category: 'quality', severity: 'medium', title: 'No OpenAPI/Swagger documentation for API routes', description: 'Add swagger-ui-express or @nestjs/swagger. Undocumented APIs slow down integration, increase support burden, and make onboarding harder.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-011: Inconsistent async/await vs promise chains
+  { id: 'QUAL-MAINT-011', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Mixed async/await and Promise Chain Styles',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hasAsync = (c.match(/async\s+function|async\s*\(|async\s*\w+\s*=>/g) || []).length;
+        const hasThen = (c.match(/\.then\s*\(/g) || []).length;
+        if (hasAsync > 5 && hasThen > 5) {
+          findings.push({ ruleId: 'QUAL-MAINT-011', category: 'quality', severity: 'low', title: 'Mixed async/await and .then() chains in same file', description: 'Choose one async style and stick to it. Mixing styles makes code harder to read, debug, and refactor.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-012: No changelog maintained
+  { id: 'QUAL-MAINT-012', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No CHANGELOG File',
+    check({ files }) {
+      const findings = [];
+      const hasChangelog = [...files.keys()].some(f => f.match(/CHANGELOG|CHANGES|HISTORY/i));
+      const hasConventionalCommits = [...files.keys()].some(f => f.match(/\.commitlintrc|commitlint\.config/));
+      if (!hasChangelog && !hasConventionalCommits) {
+        findings.push({ ruleId: 'QUAL-MAINT-012', category: 'quality', severity: 'low', title: 'No CHANGELOG — release history not tracked', description: 'Maintain a CHANGELOG.md or use conventional commits with standard-version/release-please. Changelogs communicate changes to users and stakeholders.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-018: String concatenation instead of template literals
+  { id: 'QUAL-CODE-018', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'String Concatenation Instead of Template Literals',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/"[^"]*"\s*\+\s*\w+\s*\+\s*"[^"]*"/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-018', category: 'quality', severity: 'low', title: 'String concatenation — use template literals instead', description: 'Replace string concatenation with template literals. Template literals are more readable and reduce quote-escaping errors.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-019: Using var instead of let/const
+  { id: 'QUAL-CODE-019', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Using var Instead of let/const',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*var\s+\w/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-019', category: 'quality', severity: 'medium', title: 'var declaration — use let or const', description: 'Replace var with let or const. var has function scope and hoisting behavior that causes subtle bugs. const/let have block scope.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-020: Deep object destructuring
+  { id: 'QUAL-CODE-020', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Deep Nested Object Access Without Destructuring',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\w+\.\w+\.\w+\.\w+\.\w+/) && !lines[i].match(/\/\/|import |require\(/)) {
+            findings.push({ ruleId: 'QUAL-CODE-020', category: 'quality', severity: 'low', title: 'Deep property access chain — consider destructuring', description: 'Use destructuring for deeply nested properties. Reduces repetition and makes the intent clearer.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-021: Synchronous sleep/delay pattern
+  { id: 'QUAL-CODE-021', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Synchronous Busy-Wait Sleep Pattern',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/while\s*\(.*Date\.now|for\s*\(.*Date\.now/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-021', category: 'quality', severity: 'medium', title: 'Busy-wait loop using Date.now() — blocks event loop', description: 'Use async sleep with setTimeout promise. Busy-wait loops block the Node.js event loop, preventing all other requests from being processed.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-022: Error swallowing with empty .catch()
+  { id: 'QUAL-CODE-022', category: 'quality', severity: 'high', confidence: 'likely', title: 'Empty .catch() Swallows Errors Silently',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}|\\.catch\s*\(\s*\(\s*_\s*\)\s*=>\s*\{\s*\}|\\.catch\s*\(\s*\(\s*e\s*\)\s*=>\s*\{\s*\}/) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-CODE-022', category: 'quality', severity: 'high', title: 'Empty .catch() silently swallows errors', description: 'Always log or rethrow in .catch(). Silent error swallowing hides failures and makes debugging extremely difficult.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TEST-007: No test coverage threshold configured
+  { id: 'QUAL-TEST-007', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No Test Coverage Threshold Configured',
+    check({ files }) {
+      const findings = [];
+      const hasTests = [...files.keys()].some(f => f.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/));
+      const hasCoverage = [...files.values()].some(c => c.match(/coverage.*threshold|coverageThreshold|branches.*\d|lines.*\d.*functions/));
+      if (hasTests && !hasCoverage) {
+        findings.push({ ruleId: 'QUAL-TEST-007', category: 'quality', severity: 'medium', title: 'No coverage threshold — test coverage may silently degrade', description: 'Set coverageThreshold in jest.config.js. Without a minimum threshold, coverage silently degrades and technical debt accumulates.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-TEST-008: No mutation testing
+  { id: 'QUAL-TEST-008', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Mutation Testing Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasUnitTests = [...files.keys()].some(f => f.match(/\.(test|spec)\.(js|ts)$/));
+      const hasMutation = ['stryker-cli', '@stryker-mutator/core', 'stryker'].some(d => d in allDeps);
+      if (hasUnitTests && !hasMutation) {
+        findings.push({ ruleId: 'QUAL-TEST-008', category: 'quality', severity: 'low', title: 'No mutation testing — tests may not actually verify behavior', description: 'Consider adding Stryker for mutation testing. Mutation testing reveals tests that pass even when code is broken, catching inadequate assertions.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-010: No feature flag system
+  { id: 'QUAL-ARCH-010', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No Feature Flag System',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasFlags = ['launchdarkly-node-server-sdk', '@unleash/client', 'flagsmith', 'posthog-node', 'split-node-sdk'].some(d => d in allDeps) || [...files.values()].some(c => c.match(/featureFlag|feature_flag|isFeatureEnabled|getFlag/i));
+      const hasMultipleEnvs = [...files.values()].some(c => c.match(/NODE_ENV.*production.*staging|staging.*production/));
+      if (!hasFlags && hasMultipleEnvs) {
+        findings.push({ ruleId: 'QUAL-ARCH-010', category: 'quality', severity: 'low', title: 'No feature flag system — risky big-bang releases', description: 'Add LaunchDarkly, Unleash, or Flagsmith. Feature flags enable safe progressive rollouts, instant rollbacks, and A/B testing without code deploys.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-011: Route handlers with no input validation middleware
+  { id: 'QUAL-ARCH-011', category: 'quality', severity: 'high', confidence: 'likely', title: 'Route Handler Without Validation Middleware',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/router\.(post|put|patch)\s*\(\s*['"`]/) && !lines[i].match(/validate|schema|joi|yup|zod/i)) {
+            const hasValidation = lines.slice(Math.max(0, i - 2), i + 5).some(l => l.match(/validate|schema|joi|yup|zod|celebrate|express-validator/i));
+            if (!hasValidation) {
+              findings.push({ ruleId: 'QUAL-ARCH-011', category: 'quality', severity: 'high', title: 'POST/PUT route without visible input validation', description: 'Add validation middleware (Joi, Zod, express-validator). Unvalidated inputs are the root cause of injection attacks and data corruption bugs.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-012: Hardcoded pagination limit
+  { id: 'QUAL-ARCH-012', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No Maximum Pagination Limit Enforced',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/limit\s*=\s*req\.(query|body)\.limit|parseInt.*req\.(query|body)\.limit/) && !lines[i].match(/Math\.min|> \d+|<= \d+|maximum|maxLimit/i)) {
+            findings.push({ ruleId: 'QUAL-ARCH-012', category: 'quality', severity: 'medium', title: 'Pagination limit taken from user input without maximum cap', description: 'Add Math.min(userLimit, MAX_LIMIT). Unbounded pagination allows users to dump entire tables in a single request.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TS-009: Missing interface for function parameters
+  { id: 'QUAL-TS-009', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Inline Object Types Instead of Named Interfaces',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.ts') && !fp.endsWith('.tsx')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/function\s+\w+\s*\(\s*\{[^}]{50,}/) || lines[i].match(/=>\s*\{\s*$/) && lines[i - 1]?.match(/\(\s*\{[^}]{50,}/)) {
+            findings.push({ ruleId: 'QUAL-TS-009', category: 'quality', severity: 'low', title: 'Long inline destructured parameter — extract to named interface', description: 'Extract complex parameter types to named interfaces. Named interfaces are reusable, improve IDE navigation, and self-document function contracts.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TS-010: Missing discriminated union
+  { id: 'QUAL-TS-010', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Union Type Without Discriminant Property',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.ts') && !fp.endsWith('.tsx')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/type\s+\w+\s*=\s*\{[^}]+\}\s*\|\s*\{/) && !lines[i].match(/type:\s*['"`]/)) {
+            findings.push({ ruleId: 'QUAL-TS-010', category: 'quality', severity: 'low', title: 'Union type without discriminant — use discriminated union', description: 'Add a type or kind literal property to each union member. Discriminated unions enable exhaustive type narrowing and better TypeScript inference.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-SEC-008: Missing rate-limit on authentication endpoints
+  { id: 'QUAL-SEC-008', category: 'quality', severity: 'high', confidence: 'likely', title: 'Auth Endpoint Without Rate Limiting',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/router\.(post|get)\s*\(\s*['"`].*\/(login|signin|auth|token|password)/i)) {
+            const context = lines.slice(Math.max(0, i - 5), i + 10).join('\n');
+            if (!context.match(/rateLimit|rate-limit|express-rate-limit|throttle/i)) {
+              findings.push({ ruleId: 'QUAL-SEC-008', category: 'quality', severity: 'high', title: 'Authentication route without rate limiting — brute-force attack possible', description: 'Add express-rate-limit on auth routes. Without rate limiting, an attacker can try millions of passwords per second against login endpoints.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-SEC-009: Sensitive data in URL query parameters
+  { id: 'QUAL-SEC-009', category: 'quality', severity: 'high', confidence: 'likely', title: 'Sensitive Data Passed in URL Query Parameters',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/[?&](token|api_key|apikey|password|secret|auth)=/i) && !lines[i].match(/\/\//)) {
+            findings.push({ ruleId: 'QUAL-SEC-009', category: 'quality', severity: 'high', title: 'Sensitive data in URL query params — logged in server/proxy access logs', description: 'Use POST body or Authorization header for sensitive values. URL query parameters are logged in server logs, proxy logs, browser history, and referer headers.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-SEC-010: Using eval() with user-controlled input
+  { id: 'QUAL-SEC-010', category: 'quality', severity: 'critical', confidence: 'likely', title: 'eval() Used with Potentially User-Controlled Data',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\beval\s*\(/) && !lines[i].match(/\/\//) && lines[i].match(/req\.|user\.|body\.|query\.|param\.|input/i)) {
+            findings.push({ ruleId: 'QUAL-SEC-010', category: 'quality', severity: 'critical', title: 'eval() with user-influenced data — remote code execution vulnerability', description: 'Never use eval() with user data. Use JSON.parse for data, or a proper expression parser for formulas. eval() allows arbitrary code execution.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-013: No README in project root
+  { id: 'QUAL-MAINT-013', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No README.md in Project Root',
+    check({ files }) {
+      const findings = [];
+      const hasReadme = [...files.keys()].some(f => f.match(/^README\.md$|^readme\.md$/i));
+      if (!hasReadme) {
+        findings.push({ ruleId: 'QUAL-MAINT-013', category: 'quality', severity: 'low', title: 'No README.md — project setup and purpose undocumented', description: 'Add a README with project purpose, setup instructions, and architecture overview. Missing README increases onboarding time and reduces contributor confidence.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-013: No request ID for distributed tracing
+  { id: 'QUAL-ARCH-013', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No Request ID Propagation for Distributed Tracing',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasRequestId = ['express-request-id', 'cls-hooked', 'async-local-storage', '@opentelemetry/api'].some(d => d in allDeps) || [...files.values()].some(c => c.match(/requestId|request_id|x-request-id|correlationId|traceId/i));
+      const hasExpressOrFastify = 'express' in allDeps || 'fastify' in allDeps || 'koa' in allDeps;
+      if (hasExpressOrFastify && !hasRequestId) {
+        findings.push({ ruleId: 'QUAL-ARCH-013', category: 'quality', severity: 'medium', title: 'No request ID — cannot correlate logs for a single request', description: 'Add request ID middleware (express-request-id or uuid v4 in middleware). Include requestId in all log statements to trace a request through all services and log entries.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // QUAL-CODE-023: Using for...in on arrays
+  { id: 'QUAL-CODE-023', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'for...in Loop Used on Array',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/for\s*\(\s*(?:var|let|const)?\s*\w+\s+in\s+\w+/) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 15), i + 3).join('\n');
+            if (ctx.match(/\[[\d'"]|Array\s*\(|new Array|\.push\s*\(|\.map\s*\(|\.filter\s*\(|=\s*\[/)) {
+              findings.push({ ruleId: 'QUAL-CODE-023', category: 'quality', severity: 'medium', title: 'for...in used on array — iterates inherited properties', description: 'Use for...of, .forEach(), or indexed for loop for arrays. for...in iterates all enumerable properties including inherited ones, and does not guarantee order.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-TEST-009: Tests with no assertions
+  { id: 'QUAL-TEST-009', category: 'quality', severity: 'high', confidence: 'likely', title: 'Test Without Any Assertions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const lines = c.split('\n');
+        let inTest = false;
+        let testStart = 0;
+        let braceDepth = 0;
+        let testContent = '';
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\bit\s*\(|\btest\s*\(/)) {
+            inTest = true;
+            testStart = i;
+            braceDepth = 0;
+            testContent = '';
+          }
+          if (inTest) {
+            testContent += lines[i];
+            braceDepth += (lines[i].match(/\{/g) || []).length - (lines[i].match(/\}/g) || []).length;
+            if (braceDepth <= 0 && testStart !== i) {
+              if (!testContent.match(/expect\s*\(|assert\.|should\.|toBe|toEqual|toHave|toMatch|toThrow|toReturn/)) {
+                findings.push({ ruleId: 'QUAL-TEST-009', category: 'quality', severity: 'high', title: 'Test with no assertions — always passes regardless of behavior', description: 'Add at least one expect() assertion. Tests without assertions pass even when the code under test is broken, providing false confidence.', file: fp, line: testStart + 1, fix: null });
+              }
+              inTest = false;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-MAINT-014: Unused exported function
+  { id: 'QUAL-MAINT-014', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Dead Export — Exported Function Never Imported',
+    check({ files }) {
+      const findings = [];
+      const exportedNames = new Set();
+      const importedNames = new Set();
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        for (const m of c.matchAll(/export\s+(?:const|function|class)\s+(\w+)/g)) exportedNames.add(m[1]);
+        for (const m of c.matchAll(/import\s+\{([^}]+)\}/g)) m[1].split(',').forEach(n => importedNames.add(n.trim()));
+        for (const m of c.matchAll(/require\(['"`][^'"`]+['"`]\)\s*\.\s*(\w+)/g)) importedNames.add(m[1]);
+      }
+      for (const name of exportedNames) {
+        if (!importedNames.has(name) && !['default', 'handler', 'routes', 'router', 'app', 'server', 'middleware'].includes(name)) {
+          findings.push({ ruleId: 'QUAL-MAINT-014', category: 'quality', severity: 'low', title: `Exported '${name}' appears to be unused — consider removing dead export`, description: 'Remove unused exports to reduce bundle size and improve codebase clarity. Dead exports create confusion about what surface area is intentionally public.', fix: null });
+          if (findings.length >= 3) break;
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-SEC-011: Insecure deserialization
+  { id: 'QUAL-SEC-011', category: 'quality', severity: 'critical', confidence: 'likely', title: 'Insecure Deserialization with node-serialize',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      if ('node-serialize' in allDeps || 'serialize-javascript' in allDeps) {
+        for (const [fp, c] of files) {
+          if (!isSourceFile(fp)) continue;
+          if (c.match(/unserialize\s*\(|deserialize\s*\(/)) {
+            findings.push({ ruleId: 'QUAL-SEC-011', category: 'quality', severity: 'critical', title: 'Potentially unsafe deserialization — possible RCE via IIFE in serialized data', description: 'Avoid node-serialize for untrusted data. node-serialize executes IIFEs embedded in serialized objects, enabling remote code execution. Use JSON.parse or a safe alternative.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // QUAL-ARCH-014: No input sanitization before DB queries
+  { id: 'QUAL-ARCH-014', category: 'quality', severity: 'critical', confidence: 'likely', title: 'String Template Used in Database Query',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/`SELECT|`INSERT|`UPDATE|`DELETE|`CREATE/) && lines[i].match(/\$\{.*req\.|template.*sql|query.*\`.*\$\{/i)) {
+            findings.push({ ruleId: 'QUAL-ARCH-014', category: 'quality', severity: 'critical', title: 'SQL query built with template literal containing user input — SQL injection', description: 'Use parameterized queries or an ORM. Never interpolate user input into SQL strings. SQL injection is the #1 web application security risk (OWASP A03:2021).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// QUAL-015: TypeScript 'any' type overuse
+rules.push({
+  id: 'QUAL-015', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript "any" type used — disables type checking',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/:\s*any\b|as\s+any\b|<any>/.test(lines[i]) && !/\/\/.*any|@ts-ignore/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-015', category: 'quality', severity: 'medium', title: '"any" type used — defeats TypeScript type safety', description: 'The "any" type disables type checking for that value. Use specific types, generics, or "unknown" with type narrowing instead.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-016: Missing TypeScript strict mode
+rules.push({
+  id: 'QUAL-016', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript project without strict mode enabled',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/tsconfig.*\.json$/)) continue;
+      try {
+        const config = JSON.parse(c);
+        if (!config?.compilerOptions?.strict) {
+          findings.push({ ruleId: 'QUAL-016', category: 'quality', severity: 'medium', title: 'tsconfig.json without "strict": true — many safety checks disabled', description: 'Enable strict mode in tsconfig.json to catch null/undefined errors, implicit any, and other common issues at compile time.', file: fp, fix: null });
+        }
+      } catch {}
+    }
+    return findings;
+  },
+});
+
+// QUAL-017: Deep nesting (> 4 levels)
+rules.push({
+  id: 'QUAL-017', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Code nested more than 4 levels deep — hard to read and test',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const indent = (lines[i].match(/^(\s*)/) || ['', ''])[1].length;
+        if (indent >= 20) { // 4+ levels of 4-space indentation, or 5+ levels of 2-space
+          findings.push({ ruleId: 'QUAL-017', category: 'quality', severity: 'low', title: 'Code nested >4 levels — refactor with early returns or extract functions', description: 'Deep nesting makes code hard to read, test, and maintain. Use early returns (guard clauses) or extract logic into smaller functions.', file: fp, line: i + 1, fix: null });
+          i += 10; // Skip ahead to avoid flooding
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-018: Function too long (> 100 lines)
+rules.push({
+  id: 'QUAL-018', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Function longer than 100 lines — violates single responsibility',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:function\s+\w+|const\s+\w+\s*=\s*(?:async\s*)?\([^)]*\)\s*=>)\s*\{/.test(lines[i])) {
+          let depth = 0;
+          let end = i;
+          for (let j = i; j < lines.length; j++) {
+            depth += (lines[j].match(/\{/g) || []).length;
+            depth -= (lines[j].match(/\}/g) || []).length;
+            if (j > i && depth <= 0) { end = j; break; }
+          }
+          if (end - i > 100) {
+            findings.push({ ruleId: 'QUAL-018', category: 'quality', severity: 'low', title: `Function is ${end - i} lines long — break into smaller functions`, description: 'Functions over 100 lines are hard to understand and test. Extract logical sections into well-named helper functions.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-019: Switch without default case
+rules.push({
+  id: 'QUAL-019', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'switch statement without default case',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\bswitch\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 50)).join('\n');
+          if (!/\bdefault\s*:/.test(block)) {
+            findings.push({ ruleId: 'QUAL-019', category: 'quality', severity: 'low', title: 'switch without default case — unhandled values silently ignored', description: 'Add a default case to handle unexpected values. At minimum, log a warning or throw an error for unexpected input.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-020: TODO/FIXME without issue tracker reference
+rules.push({
+  id: 'QUAL-020', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'TODO/FIXME comment without issue tracker reference',
+  check({ files }) {
+    const findings = [];
+    const todoPattern = /\/\/\s*(?:TODO|FIXME|HACK|XXX|BUG)\b(?!.*(?:#\d+|https?:\/\/|JIRA|TICKET|GH-))/i;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (todoPattern.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-020', category: 'quality', severity: 'low', title: 'TODO/FIXME without issue tracker link — technical debt untracked', description: 'Reference an issue tracker ticket in TODO comments so technical debt is visible and prioritized: // TODO(GH-123): fix this.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-021: Shadowed variable
+rules.push({
+  id: 'QUAL-021', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Variable shadows outer scope variable',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      const outerVars = new Set();
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const topLevel = lines[i].match(/^(?:const|let|var)\s+(\w+)/);
+        if (topLevel) outerVars.add(topLevel[1]);
+        const innerDecl = lines[i].match(/^\s{4,}(?:const|let|var)\s+(\w+)/);
+        if (innerDecl && outerVars.has(innerDecl[1])) {
+          findings.push({ ruleId: 'QUAL-021', category: 'quality', severity: 'low', title: `Variable '${innerDecl[1]}' shadows outer scope variable`, description: 'Shadowed variables cause confusion and bugs. Rename the inner variable to something more specific.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-022: Missing null coalescing (|| with falsy risk)
+rules.push({
+  id: 'QUAL-022', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Logical OR used as default — may discard falsy but valid values (0, "")',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Detect: const x = someValue || defaultValue where 0 or "" might be valid
+        if (/(?:const|let)\s+\w+\s*=\s*\w+(?:\.\w+)?\s*\|\|\s*(?:\d+|['"][^'"]*['"])/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-022', category: 'quality', severity: 'low', title: 'Logical || for default value — use ?? to preserve 0 and empty string', description: 'x || default returns the default when x is 0, "", or false — which may be valid. Use x ?? default (nullish coalescing) to only fall back on null/undefined.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-023: Unused import
+rules.push({
+  id: 'QUAL-023', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Potentially unused import',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const m = lines[i].match(/^import\s+(?:\{\s*(\w+)\s*\}|(\w+))\s+from\s+['"][^'"]+['"]/);
+        if (m) {
+          const name = m[1] || m[2];
+          if (name && name !== '_') {
+            const rest = c.slice(c.indexOf(lines[i]) + lines[i].length);
+            const usageCount = (rest.match(new RegExp(`\\b${name}\\b`, 'g')) || []).length;
+            if (usageCount === 0) {
+              findings.push({ ruleId: 'QUAL-023', category: 'quality', severity: 'low', title: `Import '${name}' may be unused — remove to reduce bundle size`, description: 'Unused imports increase bundle size and create confusion. Remove imports that are never referenced in the file.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-024: console.error without stack trace
+rules.push({
+  id: 'QUAL-024', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'console.error() called without error object — stack trace lost',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/console\.error\s*\(\s*['"`]/.test(lines[i]) && !/\berr\b|\berror\b|\be\b/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-024', category: 'quality', severity: 'low', title: 'console.error() with string only — pass the error object for stack trace', description: 'console.error("message") loses the original error and stack trace. Use console.error("message", err) to preserve debugging information.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-025: Magic numbers without named constants
+rules.push({
+  id: 'QUAL-025', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Magic number used inline — extract to named constant',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Numbers > 9 that aren't version numbers, port numbers in obvious places, or array indexes
+        const m = lines[i].match(/[^'"a-zA-Z\d.]\b([1-9]\d{3,})\b/);
+        if (m && !/CONST|const\s+[A-Z]|port|PORT|timeout|TIMEOUT|version/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-025', category: 'quality', severity: 'low', title: `Magic number ${m[1]} — extract to a named constant`, description: 'Magic numbers make code hard to understand and maintain. Extract to a named constant: const MAX_RETRY_COUNT = 3000.', file: fp, line: i + 1, fix: null });
+          break; // Only one per line
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-026: Type assertion without runtime check
+rules.push({
+  id: 'QUAL-026', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript type assertion (as X) without runtime validation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\bas\s+\w+(?:<[^>]+>)?\b/.test(lines[i]) && !/as\s+const\b|as\s+(?:string|number|boolean|any|unknown)/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join('\n');
+          if (/JSON\.parse|fetch|axios|req\.body/.test(ctx)) {
+            findings.push({ ruleId: 'QUAL-026', category: 'quality', severity: 'medium', title: 'Type assertion on parsed/external data without runtime validation', description: 'TypeScript type assertions don\'t validate at runtime. Use Zod, io-ts, or manual validation before asserting types on external data.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-027: Missing return type annotation on exported function
+rules.push({
+  id: 'QUAL-027', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Exported function without explicit return type annotation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^export\s+(?:async\s+)?function\s+\w+\s*\([^)]*\)\s*\{/.test(lines[i]) && !/\):\s*\w/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-027', category: 'quality', severity: 'low', title: 'Exported function missing explicit return type — inferred type may widen unintentionally', description: 'Explicit return types serve as documentation and prevent unintended changes to the public API. Add return type annotations to exported functions.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-028: Non-null assertion operator overuse
+rules.push({
+  id: 'QUAL-028', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript non-null assertion (!) used — runtime null error risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Match patterns like obj!.property or value!
+        if (/\w+!\.\w+|\w+!\s*[;,)]/.test(lines[i]) && !/\/\/|['"`]/.test(lines[i].split('!')[0].slice(-1))) {
+          findings.push({ ruleId: 'QUAL-028', category: 'quality', severity: 'medium', title: 'Non-null assertion (!) bypasses null safety — add proper null check', description: 'The ! operator tells TypeScript to trust you that a value is not null, but provides no runtime safety. Use optional chaining (?.) or explicit null checks instead.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-029: Inconsistent async error handling
+rules.push({
+  id: 'QUAL-029', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Mixed async error handling patterns in same file',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const hasTryCatch = /try\s*\{[\s\S]*?\}\s*catch/.test(c);
+      const hasPromiseCatch = /\.catch\s*\(/.test(c) && /async\s+function|async\s*\(/.test(c);
+      const hasCallback = /callback|cb\)\s*\{|\(err,/.test(c) && /async\s+function|async\s*\(/.test(c);
+      if (hasTryCatch && hasPromiseCatch && hasCallback) {
+        findings.push({ ruleId: 'QUAL-029', category: 'quality', severity: 'medium', title: 'Mixed try/catch, .catch(), and callback error handling patterns', description: 'Mixing three error handling styles makes code unpredictable. Choose one: async/await with try/catch for new code, and refactor legacy callbacks with promisify().', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-030: Floating point equality comparison
+rules.push({
+  id: 'QUAL-030', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Direct floating-point equality comparison — unreliable',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:===|==)\s*0\.\d+|0\.\d+\s*(?:===|==)/.test(lines[i]) || /\.\d+\s*===\s*\.\d+/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-030', category: 'quality', severity: 'low', title: 'Floating-point direct equality — use Math.abs(a-b) < epsilon', description: 'Floating-point arithmetic is imprecise. Use Math.abs(a - b) < Number.EPSILON or a tolerance threshold for float comparisons.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-031: Hardcoded file paths
+rules.push({
+  id: 'QUAL-031', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Hardcoded absolute file path — not portable across environments',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/['"](\/home\/\w+|\/Users\/\w+|C:\\\\)/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-031', category: 'quality', severity: 'low', title: 'Hardcoded absolute path — use path.join(__dirname, ...) or config', description: 'Hardcoded absolute paths break on other machines and in containers. Use path.join(__dirname, "relative/path") or an environment-based config.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-032 through QUAL-058: Additional quality rules
+
+// QUAL-032: Deeply nested callbacks (callback hell)
+rules.push({
+  id: 'QUAL-032', category: 'quality', severity: 'medium', confidence: 'likely', title: 'Deeply nested callbacks — callback hell pattern',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const indent = (lines[i].match(/^(\s*)/) || ['', ''])[1].length;
+        if (indent >= 24 && /function\s*\(|=>\s*\{/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-032', category: 'quality', severity: 'medium', title: 'Deeply nested callbacks — refactor with async/await or Promises', description: 'Callback nesting beyond 4 levels (callback hell) makes code unmaintainable. Refactor using async/await or Promise chains.', file: fp, line: i + 1, fix: null });
+          i += 15;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-033: Missing type guard function
+rules.push({
+  id: 'QUAL-033', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Type narrowing via typeof only — consider proper type guard',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Pattern: (value as SomeType).property — unsafe assertion on complex type
+        if (/\)\s+as\s+[A-Z]\w+\s*\)\./.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-033', category: 'quality', severity: 'low', title: 'Chained type assertion — use type guard function instead', description: 'Create a type guard: function isUser(v: unknown): v is User { return typeof v === "object" && v !== null && "id" in v; }', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-034: Mutable exports
+rules.push({
+  id: 'QUAL-034', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Exported mutable variable — external code can modify module state',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^export\s+let\s+/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-034', category: 'quality', severity: 'low', title: '"export let" — mutable export allows external mutation of module state', description: 'Use "export const" for exported values. Mutable exports let external modules change your module\'s internal state unexpectedly.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-035: Object mutation in place
+rules.push({
+  id: 'QUAL-035', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Direct mutation of function parameter object',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Detect param mutation: param.x = something or delete param.x
+        if (/(?:delete\s+\w+\.\w+|\w+\s*\.\s*\w+\s*=)/.test(lines[i])) {
+          const fnCtx = lines.slice(Math.max(0, i - 10), i).join('\n');
+          const fnMatch = fnCtx.match(/function\s+\w+\s*\((\w+)/);
+          if (fnMatch) {
+            const paramName = fnMatch[1];
+            if (lines[i].match(new RegExp(`\\b${paramName}\\s*\\.\\s*\\w+\\s*=`))) {
+              findings.push({ ruleId: 'QUAL-035', category: 'quality', severity: 'low', title: 'Function parameter mutated directly — use immutable patterns', description: 'Mutating function parameters creates side effects. Return a new object: return { ...param, field: newValue } instead of param.field = newValue.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-036: Missing default export
+rules.push({
+  id: 'QUAL-036', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Module exports only named exports but no default — inconsistent import patterns',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(js|ts)$/) || isTestFile(fp)) continue;
+      if (c.match(/^export\s+(?:const|function|class|type|interface)/m) && !c.match(/^export\s+default/m)) {
+        const exportCount = (c.match(/^export\s+(?:const|function|class)/gm) || []).length;
+        if (exportCount === 1) {
+          findings.push({ ruleId: 'QUAL-036', category: 'quality', severity: 'low', title: 'Single named export without default — consider adding default export for easier importing', description: 'Files with a single primary export benefit from a default export, allowing cleaner import syntax: import MyClass from "./myClass".', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-037: No JSDoc on complex public functions
+rules.push({
+  id: 'QUAL-037', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Exported function without documentation comment',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 1; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^export\s+(?:async\s+)?function\s+\w+\s*\([^)]{20,}\)/.test(lines[i])) {
+          if (!/\/\*\*|\/\//.test(lines[i - 1])) {
+            findings.push({ ruleId: 'QUAL-037', category: 'quality', severity: 'low', title: 'Complex exported function without JSDoc', description: 'Add JSDoc comments to exported functions with multiple parameters to document their purpose, parameters, and return values.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-038: Overly broad catch clause
+rules.push({
+  id: 'QUAL-038', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Catch clause catches all errors without type narrowing',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\}\s*catch\s*\(\s*e\s*\)\s*\{|\}\s*catch\s*\(\s*error\s*\)\s*\{/.test(lines[i])) {
+          const body = lines.slice(i + 1, Math.min(lines.length, i + 8)).join('\n');
+          if (!/instanceof|e\s+as|error\s+as|typeof.*error/.test(body)) {
+            findings.push({ ruleId: 'QUAL-038', category: 'quality', severity: 'low', title: 'Catch-all error handler without instanceof check — may mask programming errors', description: 'Use instanceof to distinguish expected errors from unexpected ones: if (error instanceof NetworkError) { ... } else throw error;', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-039: Boolean parameters
+rules.push({
+  id: 'QUAL-039', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Function with boolean flag parameter — consider separate functions',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^(?:export\s+)?(?:async\s+)?function\s+\w+\s*\([^)]*,\s*(?:is\w+|has\w+|should\w+|enable\w+)\s*[,:)]/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-039', category: 'quality', severity: 'low', title: 'Boolean flag parameter in function — consider two separate functions', description: 'Boolean flag parameters like isAdmin or shouldCache indicate the function does two things. Split into two focused functions for clarity.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-040: Using Date.now() for performance measurement
+rules.push({
+  id: 'QUAL-040', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Date.now() used for performance timing — use performance.now() instead',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/Date\.now\s*\(\s*\)/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 2)).join('\n');
+          if (/elapsed|duration|timing|bench|perf|measure/i.test(ctx)) {
+            findings.push({ ruleId: 'QUAL-040', category: 'quality', severity: 'low', title: 'Date.now() for performance timing — use performance.now() for higher precision', description: 'performance.now() returns a DOMHighResTimeStamp with sub-millisecond precision. Date.now() has only millisecond resolution and can be affected by system clock adjustments.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-041: Using var instead of let/const
+rules.push({
+  id: 'QUAL-041', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'var declaration — use let or const instead',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^\s*var\s+\w+/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-041', category: 'quality', severity: 'low', title: '"var" declaration — use "let" or "const" for block scoping', description: 'var is function-scoped and hoisted, leading to subtle bugs. Use const for values that don\'t change and let for mutable variables.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-042 through QUAL-062
+
+// QUAL-042: Missing async/await error handling
+rules.push({
+  id: 'QUAL-042', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Async arrow function without error boundary',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/const\s+\w+\s*=\s*async\s*\([^)]*\)\s*=>/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (/await\s+/.test(block) && !/try\s*\{/.test(block)) {
+            findings.push({ ruleId: 'QUAL-042', category: 'quality', severity: 'medium', title: 'Async function with await but no try/catch', description: 'Async functions that await without try/catch will cause unhandled rejections on failure. Wrap in try/catch or add error handling.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-043: Long parameter list
+rules.push({
+  id: 'QUAL-043', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Function with too many parameters — use options object instead',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const m = lines[i].match(/function\s+\w+\s*\(([^)]+)\)/);
+        if (m) {
+          const params = m[1].split(',').filter(p => p.trim());
+          if (params.length > 5) {
+            findings.push({ ruleId: 'QUAL-043', category: 'quality', severity: 'low', title: `Function with ${params.length} parameters — refactor to options object`, description: 'Functions with many parameters are hard to call correctly. Refactor to accept a single options object: function foo({ a, b, c, d, e }).', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-044: Duplicate code blocks
+rules.push({
+  id: 'QUAL-044', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Repeated code pattern detected — extract to reusable function',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      // Simple heuristic: same multi-line patterns repeated
+      const tryCatchCount = (c.match(/try\s*\{[\s\S]*?\}\s*catch/g) || []).length;
+      if (tryCatchCount > 5) {
+        findings.push({ ruleId: 'QUAL-044', category: 'quality', severity: 'low', title: `${tryCatchCount} try/catch blocks — consider a centralized error handler`, description: 'Many try/catch blocks indicate repeated error handling logic. Extract common error handling into a shared utility or middleware.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-045: Missing return statement in non-void function
+rules.push({
+  id: 'QUAL-045', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Function with conditional return — may return undefined',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.tsx?$/)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^(?:export\s+)?function\s+\w+\s*\([^)]*\):\s*\w+/.test(lines[i]) && !/\):\s*void\b|\):\s*Promise<void>/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          const returnCount = (body.match(/\breturn\s+/g) || []).length;
+          if (returnCount > 0 && body.match(/\bif\s*\(/) && !body.match(/return\s+[^;]+;\s*$/m)) {
+            findings.push({ ruleId: 'QUAL-045', category: 'quality', severity: 'medium', title: 'Function with typed return but conditional returns — may return undefined', description: 'Ensure all code paths in non-void TypeScript functions return a value. Add a default return or throw at the end.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-046: Too many files in single directory
+rules.push({
+  id: 'QUAL-046', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Too many files in single directory — consider restructuring',
+  check({ files }) {
+    const findings = [];
+    const dirCounts = {};
+    for (const fp of files.keys()) {
+      const dir = fp.replace(/\/[^/]+$/, '');
+      dirCounts[dir] = (dirCounts[dir] || 0) + 1;
+    }
+    for (const [dir, count] of Object.entries(dirCounts)) {
+      if (count > 30 && !dir.match(/node_modules|dist|build/)) {
+        findings.push({ ruleId: 'QUAL-046', category: 'quality', severity: 'low', title: `Directory "${dir}" has ${count} files — consider domain-based restructuring`, description: 'Large directories are hard to navigate. Organize files by domain or feature: src/users/, src/payments/, src/notifications/.', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-047: Object destructuring in tight loops
+rules.push({
+  id: 'QUAL-047', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Complex destructuring inside loop — consider simplifying',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      let loopDepth = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\b(?:for|while)\s*\(/.test(lines[i])) loopDepth++;
+        if (/^\s*\}/.test(lines[i]) && loopDepth > 0) loopDepth--;
+        if (loopDepth > 0 && /const\s*\{\s*\w+\s*,\s*\w+\s*,\s*\w+.*\}\s*=/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-047', category: 'quality', severity: 'low', title: 'Deep destructuring inside loop — creates new bindings each iteration', description: 'Complex destructuring in loops creates multiple variable bindings each iteration. Consider extracting to a function call outside the loop.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-048: Magic numbers without named constants
+rules.push({
+  id: 'QUAL-048', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Magic number used directly in code — use named constant',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:===|!==|==|!=|>=|<=|>|<)\s*\d{3,}|\d{3,}\s*(?:===|!==|==|!=|>=|<=|>|<)/.test(lines[i]) && !/const\s+[A-Z_]+\s*=/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-048', category: 'quality', severity: 'low', title: 'Magic number in comparison — extract to named constant', description: 'Define numeric constants with descriptive names: const MAX_RETRY_COUNT = 3.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-049: Overly complex ternary expressions
+rules.push({
+  id: 'QUAL-049', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Nested ternary expressions — hard to read',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const ternaries = (lines[i].match(/\?[^:]+:/g) || []).length;
+        if (ternaries >= 2) findings.push({ ruleId: 'QUAL-049', category: 'quality', severity: 'low', title: 'Nested ternary expressions — use if/else for readability', description: 'Replace nested ternary expressions with if/else statements or a switch for clarity.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-050: Long lines exceeding 120 characters
+rules.push({
+  id: 'QUAL-050', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Line exceeds 120 characters — reduces readability',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      let count = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (lines[i].length > 120 && !/^\s*(\/\/|\/\*|\*)/.test(lines[i]) && !/https?:\/\//.test(lines[i])) {
+          if (count === 0) findings.push({ ruleId: 'QUAL-050', category: 'quality', severity: 'low', title: `Line ${i + 1} is ${lines[i].length} characters — exceeds 120 char limit`, description: 'Break long lines to improve readability. Configure a line length limit in ESLint/prettier.', file: fp, line: i + 1, fix: null });
+          count++;
+          if (count >= 3) break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-051: Commented-out code blocks
+rules.push({
+  id: 'QUAL-051', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Large commented-out code block — should be removed',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      let commentCount = 0;
+      let startLine = -1;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*\/\/\s*(?:const|let|var|function|if|for|return|import|export)/.test(lines[i])) {
+          if (commentCount === 0) startLine = i;
+          commentCount++;
+        } else {
+          if (commentCount >= 5) findings.push({ ruleId: 'QUAL-051', category: 'quality', severity: 'low', title: `${commentCount} consecutive commented-out code lines — remove dead code`, description: 'Remove commented-out code. Version control preserves history if you need to recover it.', file: fp, line: startLine + 1, fix: null });
+          commentCount = 0;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-052: Missing JSDoc on exported functions
+rules.push({
+  id: 'QUAL-052', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Exported function without JSDoc comment',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp) || !fp.match(/\.[jt]s$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^export\s+(?:async\s+)?function\s+\w+/.test(lines[i])) {
+          const prevLine = i > 0 ? lines[i-1] : '';
+          if (!/\*\//.test(prevLine) && !/@param|@returns|@description/.test(prevLine)) {
+            findings.push({ ruleId: 'QUAL-052', category: 'quality', severity: 'low', title: 'Exported function without JSDoc documentation', description: 'Add JSDoc comments to exported functions to document parameters, return values, and purpose.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-053: Circular dependency detection
+rules.push({
+  id: 'QUAL-053', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Potential circular dependency — module imports itself indirectly',
+  check({ files }) {
+    const findings = [];
+    const importMap = new Map();
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const imports = [];
+      const lines = c.split('\n');
+      for (const line of lines) {
+        const m = line.match(/(?:import|require)\s*(?:\([^)]*\)|['"]([^'"]+)['"])/);
+        if (m && m[1] && m[1].startsWith('.')) imports.push(m[1]);
+      }
+      importMap.set(fp, imports);
+    }
+    for (const [fp, imports] of importMap) {
+      for (const imp of imports) {
+        if (imp.includes(fp.replace(/\.[jt]sx?$/, '').split('/').pop() || '')) {
+          findings.push({ ruleId: 'QUAL-053', category: 'quality', severity: 'medium', title: 'Possible circular dependency detected', description: 'Refactor to break circular dependencies. Use dependency injection or event emitters to decouple modules.', file: fp, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-054: Boolean parameters (boolean traps)
+rules.push({
+  id: 'QUAL-054', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Function with multiple boolean parameters — boolean trap',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].match(/function\s+\w+\s*\(([^)]+)\)/);
+        if (m) {
+          const boolParams = (m[1].match(/\bbool\b|\bisActive\b|\bisEnabled\b|\bforce\b|\bskip\b/g) || []).length;
+          if (boolParams >= 2) findings.push({ ruleId: 'QUAL-054', category: 'quality', severity: 'low', title: 'Function with multiple boolean parameters — use options object instead', description: 'Replace boolean flags with a named options object: processData({ force: true, skip: false }).', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-055: Empty catch block
+rules.push({
+  id: 'QUAL-055', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Empty catch block — error silently swallowed',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/\}\s*catch\s*\([^)]*\)\s*\{/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 3)).join('\n');
+          if (/catch[^{]*\{\s*\}/.test(block)) findings.push({ ruleId: 'QUAL-055', category: 'quality', severity: 'medium', title: 'Empty catch block — error is silently swallowed', description: 'Handle caught errors: log them, rethrow, or add a comment explaining why they are intentionally ignored.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-056: Function reassignment (var being reassigned)
+rules.push({
+  id: 'QUAL-056', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'var used instead of const/let — avoid mutable bindings',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp) || !fp.match(/\.[jt]sx?$/)) continue;
+      const lines = c.split('\n');
+      let count = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*var\s+\w+/.test(lines[i]) && !/^\s*(\/\/|\/\*)/.test(lines[i])) {
+          count++;
+        }
+      }
+      if (count > 3) findings.push({ ruleId: 'QUAL-056', category: 'quality', severity: 'medium', title: `${count} var declarations — use const or let instead`, description: 'Replace var with const for immutable bindings and let for mutable ones. Enables block scoping and prevents hoisting issues.', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// QUAL-057: Switch statement without default case
+rules.push({
+  id: 'QUAL-057', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Switch statement without default case',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*switch\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          if (!/\bdefault\s*:/.test(block)) findings.push({ ruleId: 'QUAL-057', category: 'quality', severity: 'low', title: 'Switch statement without default case — unhandled values', description: 'Add a default case to switch statements to handle unexpected values gracefully.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-058: Inconsistent return types in function
+rules.push({
+  id: 'QUAL-058', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Function returns different types in different code paths',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp) || !fp.match(/\.[jt]s$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^(?:export\s+)?(?:async\s+)?function\s+\w+/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          const returns = body.match(/\breturn\s+(.+?);/g) || [];
+          const types = new Set(returns.map(r => {
+            if (/return\s+null/.test(r)) return 'null';
+            if (/return\s+(?:true|false)/.test(r)) return 'boolean';
+            if (/return\s+\d/.test(r)) return 'number';
+            if (/return\s+['"`]/.test(r)) return 'string';
+            if (/return\s+\[/.test(r)) return 'array';
+            if (/return\s+\{/.test(r)) return 'object';
+            return 'other';
+          }).filter(t => t !== 'other'));
+          if (types.size >= 3) findings.push({ ruleId: 'QUAL-058', category: 'quality', severity: 'medium', title: 'Function returns multiple different types — inconsistent interface', description: 'Ensure functions return consistent types. Consider using TypeScript for type safety.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-059: No unit tests for utility functions
+rules.push({
+  id: 'QUAL-059', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Utility module without corresponding test file',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      if (!fp.match(/util|helper|service|lib/i)) continue;
+      const base = fp.replace(/\.[jt]sx?$/, '');
+      const hasTest = [...files.keys()].some(f => f.includes(base.split('/').pop() || '') && isTestFile(f));
+      if (!hasTest && /^export\s+/m.test(c)) {
+        findings.push({ ruleId: 'QUAL-059', category: 'quality', severity: 'medium', title: 'Utility module without test file — exported functions untested', description: 'Add unit tests for utility/helper modules to ensure correctness and prevent regressions.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-060: Missing input validation in service layer
+rules.push({
+  id: 'QUAL-060', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Service function without input validation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp) || !fp.match(/service|Service/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^(?:export\s+)?(?:async\s+)?function\s+\w+\s*\([^)]+\)/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (!/if\s*\(|throw|validate|assert|schema\./i.test(body)) {
+            findings.push({ ruleId: 'QUAL-060', category: 'quality', severity: 'medium', title: 'Service function without input validation — invalid data may propagate to database', description: 'Validate service function inputs at the service layer to enforce business rules.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-061: Function doing too many things (high line count)
+rules.push({
+  id: 'QUAL-061', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Very long function — violates single responsibility principle',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^(?:export\s+)?(?:async\s+)?function\s+\w+|(?:const|let)\s+\w+\s*=\s*(?:async\s+)?\(/.test(lines[i])) {
+          let depth = 0;
+          let end = i;
+          for (let j = i; j < Math.min(lines.length, i + 200); j++) {
+            depth += (lines[j].match(/\{/g) || []).length;
+            depth -= (lines[j].match(/\}/g) || []).length;
+            if (depth <= 0 && j > i) { end = j; break; }
+          }
+          if (end - i > 80) findings.push({ ruleId: 'QUAL-061', category: 'quality', severity: 'medium', title: `Function at line ${i+1} is ${end-i} lines long — consider breaking it up`, description: 'Functions longer than 80 lines should be refactored into smaller, focused functions.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-062: Missing error messages in validation
+rules.push({
+  id: 'QUAL-062', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Validation error thrown without descriptive message',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/throw\s+new\s+Error\s*\(\s*\)/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-062', category: 'quality', severity: 'low', title: 'throw new Error() without message — unhelpful for debugging', description: 'Always provide a descriptive error message: throw new Error("Expected userId to be a string").', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-063: Hardcoded URLs in source code
+rules.push({
+  id: 'QUAL-063', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'Hardcoded URL in source code — should be configuration',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/['"`]https?:\/\/(?!localhost|127\.0\.0\.1)[^'"`]+\.(?:com|io|org|net)[^'"`]*['"`]/.test(lines[i]) && !/process\.env|config\.|comment|doc|link/.test(lines[i])) {
+          findings.push({ ruleId: 'QUAL-063', category: 'quality', severity: 'medium', title: 'Hardcoded external URL — use environment variable or configuration', description: 'Extract URLs to environment variables or configuration files for flexibility across environments.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-064: Missing index.js barrel exports
+rules.push({
+  id: 'QUAL-064', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Module directory without index.js barrel file',
+  check({ files }) {
+    const findings = [];
+    const dirs = new Map();
+    for (const [fp] of files) {
+      if (!isSourceFile(fp)) continue;
+      const dir = fp.replace(/\/[^/]+$/, '');
+      if (!dirs.has(dir)) dirs.set(dir, []);
+      dirs.get(dir).push(fp);
+    }
+    for (const [dir, dirFiles] of dirs) {
+      if (dirFiles.length >= 3 && !dirFiles.some(f => f.endsWith('/index.js') || f.endsWith('/index.ts'))) {
+        findings.push({ ruleId: 'QUAL-064', category: 'quality', severity: 'low', title: `Directory with ${dirFiles.length} files but no index.js barrel — imports are verbose`, description: 'Add an index.js/ts barrel file to re-export module contents for cleaner import paths.', file: dir + '/', fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-065: Inconsistent error handling style
+rules.push({
+  id: 'QUAL-065', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Mixed async patterns (callbacks and Promises) in same file',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const hasCallback = /function\s*\([^)]*callback|function\s*\([^)]*cb,|\.then\s*\(\s*function/.test(c);
+      const hasAsync = /async\s+function|await\s+\w+/.test(c);
+      if (hasCallback && hasAsync) findings.push({ ruleId: 'QUAL-065', category: 'quality', severity: 'low', title: 'Mixed callback and async/await patterns in same file', description: 'Standardize on async/await for consistency. Wrap callback-based APIs with util.promisify().', file: fp, fix: null });
+    }
+    return findings;
+  },
+});
+
+// QUAL-066: No TypeScript strict mode
+rules.push({
+  id: 'QUAL-066', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'TypeScript project without strict mode enabled',
+  check({ files }) {
+    const findings = [];
+    const tsconfigFile = [...files.keys()].find(f => f.endsWith('tsconfig.json'));
+    if (!tsconfigFile) return findings;
+    const c = files.get(tsconfigFile) || '';
+    if (/"strict"\s*:\s*false/.test(c) || (!/["']strict["']/.test(c) && !/["']noImplicitAny["']/.test(c))) {
+      findings.push({ ruleId: 'QUAL-066', category: 'quality', severity: 'medium', title: 'TypeScript without strict mode — many type safety benefits disabled', description: 'Enable "strict": true in tsconfig.json to catch type errors, null reference bugs, and implicit any types.', file: tsconfigFile, fix: null });
+    }
+    return findings;
+  },
+});
+
+// QUAL-067: Missing .editorconfig for consistent formatting
+rules.push({
+  id: 'QUAL-067', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No .editorconfig file — inconsistent formatting across editors',
+  check({ files }) {
+    const findings = [];
+    const hasEditorconfig = [...files.keys()].some(f => f.endsWith('.editorconfig'));
+    const hasPrettier = [...files.keys()].some(f => f.endsWith('.prettierrc') || f.includes('prettier.config'));
+    if (!hasEditorconfig && !hasPrettier) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'QUAL-067', category: 'quality', severity: 'low', title: 'No .editorconfig or prettier config — inconsistent formatting across team', description: 'Add .editorconfig or .prettierrc to enforce consistent code style across all editors.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});
+
+// QUAL-068: Missing test coverage threshold
+rules.push({
+  id: 'QUAL-068', category: 'quality', severity: 'medium', confidence: 'suggestion', title: 'No test coverage threshold configured',
+  check({ files }) {
+    const findings = [];
+    const hasCoverageThreshold = [...files.values()].some(c => /coverageThreshold|coverage.threshold|--coverage.*threshold/i.test(c));
+    if (!hasCoverageThreshold) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) {
+        const c = files.get(pkgJson) || '';
+        if (/jest|vitest|nyc|istanbul/i.test(c)) findings.push({ ruleId: 'QUAL-068', category: 'quality', severity: 'medium', title: 'Test framework without coverage threshold — coverage may decrease unnoticed', description: 'Configure a minimum coverage threshold in jest/vitest configuration to enforce test coverage standards.', file: pkgJson, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-069: Shadowed variable names
+rules.push({
+  id: 'QUAL-069', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'Variable name shadows outer scope variable',
+  check({ files }) {
+    const findings = [];
+    const commonShadows = ['data', 'error', 'result', 'response', 'user', 'event', 'item'];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        for (const name of commonShadows) {
+          const outer = new RegExp(`^(?:const|let|var)\\s+${name}\\s*=`);
+          const inner = new RegExp(`\\(.*\\b${name}\\b.*\\)|(?:const|let|var)\\s+${name}\\s*=`);
+          if (i > 5 && outer.test(lines[i-5] || '') && inner.test(lines[i])) {
+            findings.push({ ruleId: 'QUAL-069', category: 'quality', severity: 'low', title: `Variable '${name}' shadows outer scope — may cause confusion`, description: 'Use distinct variable names to avoid shadowing outer scope variables.', file: fp, line: i + 1, fix: null });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-070: Async function not awaited (fire and forget without handling)
+rules.push({
+  id: 'QUAL-070', category: 'quality', severity: 'high', confidence: 'likely', title: 'Async function called without await — unhandled promise',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp) || isTestFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(?!await|return|const|let|var|throw|if|while|for)[a-zA-Z_$][\w$]*(?:\.\w+)*\s*\(/.test(lines[i]) && !/\/\/|=|:/.test(lines[i])) {
+          if (/Async\s*\(|async\s+\w+\s*\(/.test(lines[Math.max(0, i-5)] + lines[i])) {
+            findings.push({ ruleId: 'QUAL-070', category: 'quality', severity: 'high', title: 'Async function may be called without await — rejected promise unhandled', description: 'Always await async function calls or explicitly handle the returned promise with .catch().', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// QUAL-071: Missing README documentation
+rules.push({
+  id: 'QUAL-071', category: 'quality', severity: 'low', confidence: 'suggestion', title: 'No README.md file — project documentation missing',
+  check({ files }) {
+    const findings = [];
+    const hasReadme = [...files.keys()].some(f => /README\.md|readme\.md/i.test(f));
+    if (!hasReadme) {
+      const pkgJson = [...files.keys()].find(f => f.endsWith('package.json'));
+      if (pkgJson) findings.push({ ruleId: 'QUAL-071', category: 'quality', severity: 'low', title: 'No README.md — project missing documentation', description: 'Add a README.md with setup instructions, usage examples, and contribution guidelines.', file: pkgJson, fix: null });
+    }
+    return findings;
+  },
+});