getdoorman 1.0.0

package/src/rules/reliability/index.js

@@ -0,0 +1,3040 @@
+const JS_EXTENSIONS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isSourceFile(f) { return JS_EXTENSIONS.some(ext => f.endsWith(ext)); }
+
+const rules = [
+  // REL-001: No error handling on API routes
+  {
+    id: 'REL-001',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'API Route Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (!filepath.includes('api/') && !filepath.includes('route')) continue;
+
+        // Check if file has try/catch
+        if ((content.includes('export') || content.includes('handler')) &&
+            !content.includes('try') && !content.includes('catch')) {
+          findings.push({
+            ruleId: 'REL-001', category: 'reliability', severity: 'high',
+            title: 'API route has no error handling (try/catch)',
+            description: 'Unhandled errors will crash your server or return 500 errors with stack traces.',
+            file: filepath, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-002: No health check endpoint
+  {
+    id: 'REL-002',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Health Check Endpoint',
+    check({ files }) {
+      const findings = [];
+      const hasHealth = [...files.entries()].some(([filepath, content]) =>
+        filepath.includes('health') ||
+        content.includes('/health') ||
+        content.includes('/healthz') ||
+        content.includes('/readyz') ||
+        content.includes('/api/health')
+      );
+
+      if (!hasHealth) {
+        const hasApiRoutes = [...files.keys()].some(f => f.includes('/api/') || f.includes('routes'));
+        if (hasApiRoutes) {
+          findings.push({
+            ruleId: 'REL-002', category: 'reliability', severity: 'medium',
+            title: 'No /health or /healthz endpoint detected',
+            description: 'Health check endpoints let load balancers and monitoring tools know if your app is running.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-003: Unhandled promise rejections
+  {
+    id: 'REL-003',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unhandled Promise Rejection',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Async function or promise without catch
+          if (lines[i].match(/\.then\s*\(/) && !content.substring(content.indexOf(lines[i])).match(/\.catch\s*\(/)) {
+            // Simple heuristic: .then() without .catch() nearby
+            const nextLines = lines.slice(i, i + 5).join('\n');
+            if (!nextLines.includes('.catch')) {
+              findings.push({
+                ruleId: 'REL-003', category: 'reliability', severity: 'high',
+                title: 'Promise chain without .catch() — unhandled rejection risk',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-004: No graceful shutdown
+  {
+    id: 'REL-004',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Graceful Shutdown Handler',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      const hasGraceful = [...files.values()].some(content =>
+        content.includes('SIGTERM') || content.includes('SIGINT') || content.includes('graceful')
+      );
+
+      if (!hasGraceful) {
+        const hasServer = [...files.values()].some(content =>
+          content.includes('.listen(') || content.includes('createServer')
+        );
+        if (hasServer) {
+          findings.push({
+            ruleId: 'REL-004', category: 'reliability', severity: 'medium',
+            title: 'No SIGTERM/SIGINT handler — server won\'t shut down gracefully',
+            description: 'Handle SIGTERM to drain connections before shutdown. Important for containers and deployments.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-005: Empty catch blocks
+  {
+    id: 'REL-005',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Empty Catch Block — Silent Error',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/catch\s*\([^)]*\)\s*\{\s*\}/) ||
+              (lines[i].match(/catch\s*\([^)]*\)\s*\{/) && lines[i + 1]?.trim() === '}')) {
+            findings.push({
+              ruleId: 'REL-005', category: 'reliability', severity: 'medium',
+              title: 'Empty catch block — errors are silently swallowed',
+              description: 'At minimum, log the error. Silent failures make debugging impossible.',
+              file: filepath, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-006: No request timeouts
+  {
+    id: 'REL-006',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Request Timeouts',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      const hasTimeout = [...files.values()].some(content =>
+        content.includes('timeout') || content.includes('AbortController') || content.includes('signal')
+      );
+
+      const hasFetch = [...files.values()].some(content =>
+        content.includes('fetch(') || content.includes('axios') || content.includes('got(')
+      );
+
+      if (hasFetch && !hasTimeout) {
+        findings.push({
+          ruleId: 'REL-006', category: 'reliability', severity: 'medium',
+          title: 'External API calls without timeout configuration',
+          description: 'Requests without timeouts can hang forever, blocking your server. Set timeouts on all external calls.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // REL-007: No process-level uncaught exception handler
+  {
+    id: 'REL-007',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Uncaught Exception Handler',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+
+      const hasHandler = [...files.values()].some(content =>
+        content.includes('uncaughtException') || content.includes('unhandledRejection')
+      );
+
+      if (!hasHandler) {
+        const hasServer = [...files.values()].some(content =>
+          content.includes('.listen(') || content.includes('createServer')
+        );
+        if (hasServer) {
+          findings.push({
+            ruleId: 'REL-007', category: 'reliability', severity: 'high',
+            title: 'No process.on("uncaughtException") or process.on("unhandledRejection") handler',
+            description: 'Uncaught exceptions crash the process. Add handlers to log the error and shut down gracefully.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-008: No retry logic on external API calls
+  {
+    id: 'REL-008',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'No Retry Logic on External Calls',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const retryLibs = ['p-retry', 'async-retry', 'retry', 'axios-retry', 'got', 'ky'];
+      const hasRetryLib = retryLibs.some(lib => lib in allDeps);
+
+      if (!hasRetryLib) {
+        const hasRetryCode = [...files.values()].some(content =>
+          content.includes('retry') || content.includes('retries') || content.includes('backoff')
+        );
+        const hasFetch = [...files.values()].some(content =>
+          content.includes('fetch(') || content.includes('axios')
+        );
+        if (hasFetch && !hasRetryCode) {
+          findings.push({
+            ruleId: 'REL-008', category: 'reliability', severity: 'medium',
+            title: 'External API calls without retry logic',
+            description: 'Network calls can fail transiently. Add retry with exponential backoff (p-retry, axios-retry, etc.).',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-009: No circuit breaker pattern
+  {
+    id: 'REL-009',
+    category: 'reliability',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No Circuit Breaker Pattern',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const cbLibs = ['opossum', 'cockatiel', 'brakes', 'circuit-breaker-js', 'mollitia'];
+      const hasCB = cbLibs.some(lib => lib in allDeps);
+
+      if (!hasCB) {
+        const hasCBCode = [...files.values()].some(content =>
+          content.includes('circuitBreaker') || content.includes('CircuitBreaker')
+        );
+        const hasMultipleExternalCalls = [...files.values()].filter(content =>
+          content.includes('fetch(') || content.includes('axios') || content.includes('got(')
+        ).length >= 3;
+        if (hasMultipleExternalCalls && !hasCBCode) {
+          findings.push({
+            ruleId: 'REL-009', category: 'reliability', severity: 'low',
+            title: 'Multiple external service calls without circuit breaker pattern',
+            description: 'Use a circuit breaker (opossum, cockatiel) to prevent cascading failures when external services go down.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-010: No structured logging
+  {
+    id: 'REL-010',
+    category: 'reliability',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'No Structured Logging',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const logLibs = ['winston', 'pino', 'bunyan', 'log4js', 'morgan', 'loglevel', 'roarr'];
+      const hasLogLib = logLibs.some(lib => lib in allDeps);
+
+      if (!hasLogLib) {
+        const usesConsoleLog = [...files.values()].some(content =>
+          content.includes('console.log') || content.includes('console.error')
+        );
+        const hasServer = [...files.values()].some(content =>
+          content.includes('.listen(') || content.includes('createServer')
+        );
+        if (usesConsoleLog && hasServer) {
+          findings.push({
+            ruleId: 'REL-010', category: 'reliability', severity: 'low',
+            title: 'Using console.log instead of a structured logging library',
+            description: 'Use pino, winston, or similar for JSON-formatted logs with levels, timestamps, and request context.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-011: No database migration system
+  {
+    id: 'REL-011',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Database Migration System',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      if (stack.orm === 'prisma') return findings; // Prisma has built-in migrations
+
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const migrationLibs = ['knex', 'sequelize-cli', 'typeorm', 'db-migrate', 'umzug', 'node-pg-migrate', 'drizzle-kit'];
+      const hasMigrationLib = migrationLibs.some(lib => lib in allDeps);
+
+      if (!hasMigrationLib) {
+        const hasDbAccess = [...files.values()].some(content =>
+          content.includes('CREATE TABLE') || content.includes('db.query') ||
+          content.includes('pool.query') || content.includes('.execute(')
+        );
+        const hasMigrationFiles = [...files.keys()].some(f =>
+          f.includes('migration') || f.includes('migrate')
+        );
+        if (hasDbAccess && !hasMigrationFiles) {
+          findings.push({
+            ruleId: 'REL-011', category: 'reliability', severity: 'medium',
+            title: 'Database access without a migration system',
+            description: 'Use a migration tool (knex, Prisma, db-migrate) to version-control schema changes and enable safe rollbacks.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-012: No monitoring / APM
+  {
+    id: 'REL-012',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Application Monitoring',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const apmLibs = [
+        'newrelic', '@sentry/node', '@sentry/nextjs', 'dd-trace', 'elastic-apm-node',
+        '@opentelemetry/sdk-node', '@opentelemetry/api', 'prom-client', 'appmetrics',
+        'applicationinsights', '@google-cloud/trace-agent', 'honeycomb-beeline',
+      ];
+      const hasAPM = apmLibs.some(lib => lib in allDeps);
+
+      if (!hasAPM) {
+        const hasServer = [...files.values()].some(content =>
+          content.includes('.listen(') || content.includes('createServer')
+        );
+        if (hasServer) {
+          findings.push({
+            ruleId: 'REL-012', category: 'reliability', severity: 'medium',
+            title: 'No application monitoring or APM detected',
+            description: 'Add Sentry, Datadog, New Relic, or OpenTelemetry to track errors and performance in production.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-001: No React Error Boundary
+  {
+    id: 'REL-EH-001',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No React Error Boundary',
+    check({ files, stack }) {
+      const findings = [];
+      if (!['react', 'nextjs'].includes(stack.framework)) return findings;
+      const hasErrorBoundary = [...files.values()].some(c =>
+        c.includes('ErrorBoundary') || c.includes('componentDidCatch') || c.includes('getDerivedStateFromError')
+      );
+      if (!hasErrorBoundary && [...files.keys()].some(f => f.match(/\.(jsx|tsx)$/))) {
+        findings.push({ ruleId: 'REL-EH-001', category: 'reliability', severity: 'high',
+          title: 'No React Error Boundary — render errors crash the entire app',
+          description: 'Add an ErrorBoundary component to show a fallback UI instead of a blank screen on render errors.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-002: JSON.parse without try/catch
+  {
+    id: 'REL-EH-002',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'JSON.parse Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/JSON\.parse\s*\(/) && !lines[i].trim().startsWith('//')) {
+            const ctx = lines.slice(Math.max(0, i - 4), i + 4).join('\n');
+            if (!ctx.includes('try') && !ctx.includes('catch')) {
+              findings.push({ ruleId: 'REL-EH-002', category: 'reliability', severity: 'medium',
+                title: 'JSON.parse without try/catch — throws SyntaxError on invalid input',
+                description: 'Wrap JSON.parse in try/catch or use a safe-parse utility.',
+                file: filepath, line: i + 1, fix: null });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-003: Express missing error handler
+  {
+    id: 'REL-EH-003',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Express Error Handler Middleware',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.framework !== 'express') return findings;
+      if (![...files.values()].some(c => c.includes('.listen('))) return findings;
+      const has4Arg = [...files.values()].some(c =>
+        c.match(/app\.use\s*\(\s*(?:function\s*)?\(\s*err\s*,\s*req\s*,\s*res\s*,\s*next\s*\)/) ||
+        c.match(/app\.use\s*\(\s*\(\s*err\s*,\s*req\s*,\s*res\s*,\s*next\s*\)\s*=>/)
+      );
+      if (!has4Arg) {
+        findings.push({ ruleId: 'REL-EH-003', category: 'reliability', severity: 'high',
+          title: 'No Express error handler (4-argument middleware) registered',
+          description: 'Add app.use((err, req, res, next) => { ... }) to centrally handle errors and return proper responses.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-004: Stream without error handler
+  {
+    id: 'REL-EH-004',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Stream Without Error Handler',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/createReadStream|createWriteStream/) && !lines[i].includes('pipeline')) {
+            const block = lines.slice(i, Math.min(i + 8, lines.length)).join('\n');
+            if (!block.includes(".on('error'") && !block.includes('.on("error"')) {
+              findings.push({ ruleId: 'REL-EH-004', category: 'reliability', severity: 'high',
+                title: "Stream without .on('error') handler — crashes process on error",
+                description: "Add .on('error', handler) or use the pipeline() utility which handles errors automatically.",
+                file: filepath, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-001: No test files
+  {
+    id: 'REL-TEST-001',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Test Files Found',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasTests = [...files.keys()].some(f =>
+        f.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/) || f.includes('__tests__') || f.includes('/test/')
+      );
+      if (!hasTests) {
+        findings.push({ ruleId: 'REL-TEST-001', category: 'reliability', severity: 'medium',
+          title: 'No test files found', description: 'Add unit tests. Untested code leads to undetected regressions in production.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-002: No e2e tests
+  {
+    id: 'REL-TEST-002',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No End-to-End Tests',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasE2E = ['playwright', '@playwright/test', 'cypress', 'puppeteer'].some(d => d in allDeps);
+      if (!hasE2E && [...files.keys()].some(f => f.match(/\.(jsx|tsx)$/))) {
+        findings.push({ ruleId: 'REL-TEST-002', category: 'reliability', severity: 'medium',
+          title: 'No end-to-end test framework detected',
+          description: 'Add Playwright or Cypress to test critical user flows (login, signup, checkout).', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-001: No error tracking
+  {
+    id: 'REL-MON-001',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Error Tracking Service',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const trackers = ['@sentry/node', '@sentry/nextjs', '@sentry/react', 'bugsnag', '@bugsnag/js', 'rollbar'];
+      if (!trackers.some(d => d in allDeps)) {
+        const hasServer = [...files.values()].some(c => c.includes('.listen(') || c.includes('createServer'));
+        if (hasServer) {
+          findings.push({ ruleId: 'REL-MON-001', category: 'reliability', severity: 'high',
+            title: 'No error tracking service (Sentry, Bugsnag, Rollbar) detected',
+            description: 'Production bugs will go unnoticed. Add Sentry to capture errors, alert your team, and track resolutions.',
+            fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-002: No uptime monitoring
+  {
+    id: 'REL-MON-002',
+    category: 'reliability',
+    severity: 'low',
+    confidence: 'suggestion',
+    confidence: 'likely',
+    title: 'No Uptime Monitoring',
+    check({ files }) {
+      const has = [...files.values()].some(c =>
+        c.includes('pingdom') || c.includes('uptimerobot') || c.includes('pagerduty') ||
+        c.includes('betteruptime') || c.includes('statuspage')
+      );
+      if (!has) {
+        return [{ ruleId: 'REL-MON-002', category: 'reliability', severity: 'high',
+          title: 'No uptime monitoring detected',
+          description: 'Add UptimeRobot or Better Uptime to alert you when the service goes down.', fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // REL-MON-003: No correlation IDs in logs
+  {
+    id: 'REL-MON-003',
+    category: 'reliability',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Request Correlation IDs',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c =>
+        c.includes('requestId') || c.includes('x-request-id') || c.includes('correlationId') || c.includes('traceId')
+      );
+      if (!has && [...files.values()].some(c => c.includes('.listen('))) {
+        findings.push({ ruleId: 'REL-MON-003', category: 'reliability', severity: 'medium',
+          title: 'No request correlation IDs in logs',
+          description: 'Attach a unique requestId to every log entry to trace requests across distributed systems.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-001: Related mutations without transaction
+  {
+    id: 'REL-DB-001',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Related DB Mutations Without Transaction',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (!(filepath.includes('api/') || filepath.includes('service') || filepath.includes('route'))) continue;
+        const mutations = (content.match(/\.(create|insert|save|update|delete|remove)\s*\(/g) || []).length;
+        const hasTx = content.includes('transaction') || content.includes('$transaction') || content.includes('BEGIN');
+        if (mutations >= 3 && !hasTx) {
+          findings.push({ ruleId: 'REL-DB-001', category: 'reliability', severity: 'high',
+            title: 'Multiple DB mutations without a transaction — inconsistent state risk',
+            description: 'Wrap related mutations in a transaction so either all succeed or all roll back.',
+            file: filepath, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-001: Hardcoded port
+  {
+    id: 'REL-OPS-001',
+    category: 'reliability',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Hardcoded Port Number',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.listen\s*\(\s*\d{4,5}/) && !lines[i].match(/process\.env/)) {
+            findings.push({ ruleId: 'REL-OPS-001', category: 'reliability', severity: 'low',
+              title: 'Hardcoded port in server.listen()',
+              description: 'Use process.env.PORT || 3000 to allow the port to be configured via environment variable.',
+              file: filepath, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-002: No env var validation at startup
+  {
+    id: 'REL-OPS-002',
+    category: 'reliability',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Environment Variable Validation at Startup',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasValidation = 'envalid' in allDeps || [...files.values()].some(c =>
+        c.match(/if\s*\(\s*!process\.env\.\w+/) || c.match(/process\.env\.\w+\s*\|\|\s*(?:throw|process\.exit)/)
+      );
+      const envVarCount = [...files.values()].reduce((n, c) => n + (c.match(/process\.env\.\w+/g) || []).length, 0);
+      if (envVarCount > 5 && !hasValidation) {
+        findings.push({ ruleId: 'REL-OPS-002', category: 'reliability', severity: 'high',
+          title: 'No startup validation for required environment variables',
+          description: 'Use envalid or validate env vars at startup to fail fast with a clear error instead of cryptic runtime failures.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-001: Payment without idempotency key
+  {
+    id: 'REL-RES-001',
+    category: 'reliability',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Payment API Call Without Idempotency Key',
+    check({ files }) {
+      const findings = [];
+      for (const [filepath, content] of files) {
+        if (!isSourceFile(filepath)) continue;
+        if (content.includes('stripe') || content.includes('paymentIntent') || content.includes('braintree')) {
+          if (content.match(/\.create\s*\(\s*\{/) && !content.includes('idempotencyKey') && !content.includes('idempotency_key')) {
+            findings.push({ ruleId: 'REL-RES-001', category: 'reliability', severity: 'critical',
+              title: 'Payment API call without idempotency key — double-charge risk on retry',
+              description: 'Pass idempotencyKey to Stripe API calls so retries due to timeouts do not create duplicate charges.',
+              file: filepath, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-003: Test file with no assertions
+  { id: 'REL-TEST-003', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Test File With No Assertions',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        if (!c.match(/expect\s*\(|assert\.|should\.|\.toBe|\.toEqual|\.toHaveBeenCalled/)) {
+          findings.push({ ruleId: 'REL-TEST-003', category: 'reliability', severity: 'medium',
+            title: 'Test file contains no assertions — tests always pass', description: 'Add expect()/assert() calls. A test with no assertions gives false confidence.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-004: No test coverage configuration
+  { id: 'REL-TEST-004', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Test Coverage Threshold',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      if (!Object.keys(allDeps).some(d => d.match(/jest|vitest|mocha|jasmine/))) return findings;
+      const hasCoverage = [...files.values()].some(c =>
+        c.match(/coverage.*threshold|statements.*\d+|branches.*\d+|coverageThreshold|c8/));
+      if (!hasCoverage) {
+        findings.push({ ruleId: 'REL-TEST-004', category: 'reliability', severity: 'medium',
+          title: 'No test coverage threshold configured', description: 'Set coverageThreshold in Jest/Vitest config to fail CI when coverage drops below e.g. 70%.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-005: No test for error paths
+  { id: 'REL-TEST-005', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Tests Only Cover Happy Path',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const hasErrorTest = c.match(/toThrow|rejects|error.*test|test.*error|should.*fail|expect.*reject/i);
+        if (!hasErrorTest && (c.match(/it\(|test\(|describe\(/) || []).length > 3) {
+          findings.push({ ruleId: 'REL-TEST-005', category: 'reliability', severity: 'medium',
+            title: 'Test file has no error case tests — only happy path covered', description: 'Add tests for error cases: invalid input, network failures, missing data. Error paths are where most production bugs hide.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-003: Long-running transactions
+  { id: 'REL-DB-003', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Long-Running Transactions Without Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/await.*transaction|BEGIN.*transaction|\$transaction/) && c.match(/await.*sleep|setTimeout.*await|delay/)) {
+          findings.push({ ruleId: 'REL-DB-003', category: 'reliability', severity: 'high',
+            title: 'Database transaction may be held open with a delay/sleep inside',
+            description: 'Never sleep inside a transaction. Held locks block other queries and can cause deadlocks and timeouts.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-004: No soft deletes for important records
+  { id: 'REL-DB-004', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Hard Deletes Without Soft Delete Option',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\.deleteOne\s*\(|\.deleteMany\s*\(|\.destroy\s*\(/) &&
+            !c.match(/deletedAt|deleted_at|isDeleted|soft.delete|paranoid/)) {
+          if (c.match(/user|order|payment|subscription|account/i)) {
+            findings.push({ ruleId: 'REL-DB-004', category: 'reliability', severity: 'medium',
+              title: 'Hard deleting user/order/payment records without soft-delete option',
+              description: 'Add a deletedAt column for soft deletes. Hard deletes make debugging, auditing, and compliance reporting impossible.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-005: Missing foreign key validation before insert
+  { id: 'REL-DB-005', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No FK Validation Before Insert',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if ((fp.includes('api/') || fp.includes('route')) && c.match(/userId|user_id|authorId|author_id/)) {
+          if (c.match(/\.create\s*\(\s*\{/) && !c.match(/findById|findOne|exists|findUnique.*userId|findFirst/)) {
+            findings.push({ ruleId: 'REL-DB-005', category: 'reliability', severity: 'medium',
+              title: 'Creating records with foreign key IDs without validating they exist',
+              description: 'Verify referenced entities exist before inserting. Rely on DB foreign key constraints AND validate at the application layer.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-003: No dead letter queue for failed jobs
+  { id: 'REL-RES-003', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Dead Letter Queue for Failed Jobs',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasQueue = ['bullmq', 'bull', 'bee-queue', 'agenda'].some(d => d in allDeps);
+      if (hasQueue) {
+        const hasDLQ = [...files.values()].some(c => c.match(/deadLetter|dead.letter|failed.*queue|onFailed|failedQueue/i));
+        if (!hasDLQ) {
+          findings.push({ ruleId: 'REL-RES-003', category: 'reliability', severity: 'high',
+            title: 'Job queue without dead letter queue for failed jobs',
+            description: 'Configure a dead letter queue to capture jobs that fail after retries. Without it, failed jobs are silently dropped.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-004: Missing mutex for concurrent resource access
+  { id: 'REL-RES-004', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Mutex for Concurrent Resource Access',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasMutex = 'async-mutex' in allDeps || 'redis-mutex' in allDeps || 'redlock' in allDeps || 'node-redlock' in allDeps;
+      const hasConcurrentAccess = [...files.values()].some(c =>
+        c.match(/read.*then.*write|check.*then.*update|findOne.*then.*save/i) &&
+        (c.includes('await ') && c.includes('await '))
+      );
+      if (hasConcurrentAccess && !hasMutex) {
+        findings.push({ ruleId: 'REL-RES-004', category: 'reliability', severity: 'high',
+          title: 'Read-then-write pattern without distributed lock — race condition risk',
+          description: 'Use Redlock or optimistic locking to prevent TOCTOU (time-of-check to time-of-use) race conditions in concurrent environments.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-004: No audit log for sensitive operations
+  { id: 'REL-MON-004', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Audit Log for Sensitive Operations',
+    check({ files }) {
+      const findings = [];
+      const hasSensitiveOps = [...files.values()].some(c =>
+        c.match(/deleteUser|banUser|changeRole|updatePermissions|adminAction/i) ||
+        c.match(/role.*admin|isAdmin.*true|permission.*update/i)
+      );
+      const hasAuditLog = [...files.values()].some(c =>
+        c.match(/auditLog|audit_log|AuditEvent|activityLog|logAction/i)
+      );
+      if (hasSensitiveOps && !hasAuditLog) {
+        findings.push({ ruleId: 'REL-MON-004', category: 'reliability', severity: 'medium',
+          title: 'Sensitive admin operations without audit logging',
+          description: 'Log who did what and when for all privilege changes, deletions, and admin actions. Required for SOC2 and incident investigations.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-005: Console.error not structured
+  { id: 'REL-MON-005', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'console.error Instead of Structured Logger',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasLogger = ['winston', 'pino', 'bunyan', 'log4js'].some(d => d in allDeps);
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        const count = (c.match(/console\.error\s*\(/g) || []).length;
+        if (count > 3 && !hasLogger) {
+          findings.push({ ruleId: 'REL-MON-005', category: 'reliability', severity: 'low',
+            title: `${count} console.error() calls — not structured or searchable in production logs`,
+            description: 'Use pino or winston for structured JSON logging with levels, timestamps, and context fields.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-004: Missing NODE_ENV in production config
+  { id: 'REL-OPS-004', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'NODE_ENV Not Set in Production Config',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows') && !fp.includes('docker-compose')) continue;
+        if (c.match(/production|prod.*deploy/) && !c.match(/NODE_ENV.*production|NODE_ENV:\s*production/)) {
+          findings.push({ ruleId: 'REL-OPS-004', category: 'reliability', severity: 'medium',
+            title: 'Production deployment without explicit NODE_ENV=production',
+            description: 'Set NODE_ENV=production in production environments. Many libraries (Express, React) have important optimizations gated on this.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-005: Server started without cluster/worker
+  { id: 'REL-OPS-005', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'Single-Process Node.js Server',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasCluster = 'pm2' in allDeps || [...files.values()].some(c =>
+        c.includes('cluster.fork') || c.includes('worker_threads') || c.match(/throng|@fastify\/cluster/)
+      );
+      if (!hasCluster && ![...files.keys()].some(f => f.includes('Dockerfile') || f.includes('kubernetes'))) {
+        const hasServer = [...files.values()].some(c => c.includes('.listen('));
+        if (hasServer) {
+          findings.push({ ruleId: 'REL-OPS-005', category: 'reliability', severity: 'low',
+            title: 'Single-process Node.js server — not utilizing all CPU cores',
+            description: 'Use PM2 cluster mode or the cluster module to spawn one worker per CPU core, improving throughput and fault isolation.', fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-006: No dependency health checks on startup
+  { id: 'REL-OPS-006', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Dependency Health Checks on Startup',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasDeps = stack.database || [...files.values()].some(c => c.match(/redis|mongodb|postgresql|mysql/i));
+      const hasHealthCheck = [...files.values()].some(c =>
+        c.match(/waitForDb|checkConnection|db\.connect.*catch|ping.*redis|mongoose\.connect.*catch/i)
+      );
+      if (hasDeps && !hasHealthCheck) {
+        findings.push({ ruleId: 'REL-OPS-006', category: 'reliability', severity: 'medium',
+          title: 'Server starts without verifying database/cache connectivity',
+          description: 'Verify all dependencies are reachable before accepting traffic. Fail fast on startup rather than crashing on first request.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-005: Async event listener without error handling
+  { id: 'REL-EH-005', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Async Event Listener Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.on\(['"].*['"],\s*async/) || lines[i].match(/\.on\(["`].*["`],\s*async/)) {
+            const handler = lines.slice(i, i + 20).join('\n');
+            if (!handler.match(/try\s*\{|\.catch\(|Promise\.reject/)) {
+              findings.push({ ruleId: 'REL-EH-005', category: 'reliability', severity: 'high', title: 'Async event listener without try/catch — unhandled promise rejection crashes Node', description: 'Wrap async event handlers in try/catch. Unhandled promise rejections in event listeners cause process crashes in Node.js.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-006: Missing finally in resource acquisition
+  { id: 'REL-EH-006', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Resource Acquired Without finally Block',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/await\s+\w+\.(connect|acquire|lock|begin|open)\(/i)) {
+            const block = lines.slice(i, i + 30).join('\n');
+            if (!block.match(/finally\s*\{/) && !block.match(/using\s+/)) {
+              findings.push({ ruleId: 'REL-EH-006', category: 'reliability', severity: 'medium', title: 'Resource acquired without finally block — resource leak on error', description: 'Use try/finally to ensure resources (connections, locks, file handles) are released even when exceptions occur.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-007: Empty catch block
+  { id: 'REL-EH-007', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Empty Catch Block (Swallowing Errors)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/}\s*catch\s*\(\w+\)\s*\{?\s*$/) || lines[i].match(/\}\s*catch\s*\{\s*$/)) {
+            const nextLine = lines[i + 1] || '';
+            if (nextLine.match(/^\s*\}/) || nextLine.trim() === '') {
+              findings.push({ ruleId: 'REL-EH-007', category: 'reliability', severity: 'high', title: 'Empty catch block — errors silently swallowed', description: 'Never use empty catch blocks. At minimum log the error. Silent failures make debugging nearly impossible.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-006: No integration tests
+  { id: 'REL-TEST-006', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Integration Tests',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasIntegration = [...files.keys()].some(f => f.match(/integration|e2e|api.*test|test.*api/i));
+      const hasSupertest = 'supertest' in allDeps;
+      const hasDB = stack.database || Object.keys(allDeps).some(d => d.match(/mongoose|sequelize|prisma|pg|mysql/i));
+      if (hasDB && !hasIntegration && !hasSupertest) {
+        findings.push({ ruleId: 'REL-TEST-006', category: 'reliability', severity: 'medium', title: 'No integration tests detected — API endpoints untested end-to-end', description: 'Add supertest integration tests that exercise the full request/response cycle including database. Unit tests alone miss integration bugs.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-007: Tests with hardcoded database URLs
+  { id: 'REL-TEST-007', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Hardcoded Database URL in Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(test|spec)\.(js|ts|jsx|tsx)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/mongodb:\/\/localhost|postgresql:\/\/localhost|mysql:\/\/localhost/)) {
+            findings.push({ ruleId: 'REL-TEST-007', category: 'reliability', severity: 'medium', title: 'Hardcoded database URL in test file — tests fail in CI without local DB', description: 'Use environment variables for DB URLs in tests. Use testcontainers or in-memory databases for portable test infrastructure.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-008: No load/stress test configuration
+  { id: 'REL-TEST-008', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No Load Testing Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasLoadTest = ['k6', 'artillery', 'loadtest', 'autocannon', 'vegeta'].some(d => d in allDeps) || [...files.keys()].some(f => f.match(/k6|artillery|loadtest|stress/i));
+      if (!hasLoadTest && Object.keys(allDeps).length > 20) {
+        findings.push({ ruleId: 'REL-TEST-008', category: 'reliability', severity: 'low', title: 'No load testing tool detected — capacity limits unknown', description: 'Add k6 or Artillery load tests. Run against staging to find breaking points before production traffic hits them.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-006: No structured logging format
+  { id: 'REL-MON-006', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Structured Logging Library',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasStructured = ['pino', 'winston', 'bunyan', 'log4js', 'signale', '@aws-lambda-powertools/logger'].some(d => d in allDeps);
+      const hasConsoleOnly = [...files.values()].some(c => c.match(/console\.(log|error|warn|info)/));
+      if (!hasStructured && hasConsoleOnly) {
+        findings.push({ ruleId: 'REL-MON-006', category: 'reliability', severity: 'medium', title: 'Using console.log for logging — no structured logging library', description: 'Use pino or winston for structured JSON logging. console.log outputs unstructured text that cannot be queried in log aggregation tools.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-007: No request logging middleware
+  { id: 'REL-MON-007', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No HTTP Request Logging',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasLogger = ['morgan', 'pino-http', 'express-pino-logger', 'koa-logger', 'fastify-log'].some(d => d in allDeps) || [...files.values()].some(c => c.match(/morgan|pino-http|req\.log/i));
+      if (stack.framework && !hasLogger) {
+        findings.push({ ruleId: 'REL-MON-007', category: 'reliability', severity: 'medium', title: 'No HTTP request logging middleware — requests not logged', description: 'Add morgan or pino-http. Request logs are essential for debugging production issues and calculating error rates.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-008: No health check endpoint
+  { id: 'REL-MON-008', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Health Check Endpoint',
+    check({ files }) {
+      const findings = [];
+      const hasHealth = [...files.values()].some(c => c.match(/\/health|\/healthz|\/ping|\/status|healthcheck/i));
+      const hasApp = [...files.keys()].some(f => f.endsWith('package.json'));
+      if (hasApp && !hasHealth) {
+        findings.push({ ruleId: 'REL-MON-008', category: 'reliability', severity: 'medium', title: 'No health check endpoint — load balancers cannot detect unhealthy instances', description: 'Add GET /health endpoint returning 200 with status. Used by Kubernetes liveness probes, load balancers, and uptime monitors.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-009: No readiness check separate from liveness
+  { id: 'REL-MON-009', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No Readiness Check Separate From Liveness',
+    check({ files }) {
+      const findings = [];
+      const hasHealth = [...files.values()].some(c => c.match(/\/healthz?|healthcheck/i));
+      const hasReady = [...files.values()].some(c => c.match(/\/ready|readiness|\/readyz/i));
+      if (hasHealth && !hasReady) {
+        findings.push({ ruleId: 'REL-MON-009', category: 'reliability', severity: 'low', title: 'No /ready endpoint — Kubernetes cannot distinguish initializing from failed pods', description: "Add /ready endpoint that checks database connectivity. Kubernetes uses /ready to decide whether to send traffic, /health to decide whether to restart.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-006: N+1 query in loop
+  { id: 'REL-DB-006', category: 'reliability', severity: 'high', confidence: 'likely', title: 'N+1 Query Pattern — Database Query in Loop',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/for\s*\(|forEach\s*\(|\.map\s*\(/) && !lines[i].match(/Promise\.all/)) {
+            const block = lines.slice(i, i + 10).join('\n');
+            if (block.match(/await.*\.find|await.*\.get|await.*\.query|await.*findById|await.*findOne/i)) {
+              findings.push({ ruleId: 'REL-DB-006', category: 'reliability', severity: 'high', title: 'Database query inside loop — N+1 query pattern', description: 'Load all related records with a single query using $in, JOIN, or include/populate. N+1 queries cause exponential performance degradation.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-007: No connection timeout
+  { id: 'REL-DB-007', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Database Connection Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/mongoose\.connect|new Pool|createPool|createConnection/i)) {
+          if (!c.match(/connectTimeoutMS|connectionTimeoutMillis|timeout|socketTimeout|idleTimeoutMillis/i)) {
+            findings.push({ ruleId: 'REL-DB-007', category: 'reliability', severity: 'medium', title: 'Database connection without timeout configuration', description: 'Set connectTimeoutMS and socketTimeoutMS. Without timeouts, hung connections block requests indefinitely.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-005: Missing circuit breaker for external calls
+  { id: 'REL-RES-005', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Circuit Breaker for External Service Calls',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasCircuitBreaker = ['opossum', 'cockatiel', 'retry', 'p-retry', 'axios-retry', 'resilience4j'].some(d => d in allDeps);
+      const hasExternalCalls = [...files.values()].some(c => c.match(/axios\.|fetch\(|got\.|superagent\.|https?\.request/i));
+      if (hasExternalCalls && !hasCircuitBreaker) {
+        findings.push({ ruleId: 'REL-RES-005', category: 'reliability', severity: 'medium', title: 'External HTTP calls without circuit breaker or retry logic', description: 'Add opossum or cockatiel for circuit breaking. When external services fail, circuit breakers prevent cascade failures across your entire system.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-006: No rate limiting on API client
+  { id: 'REL-RES-006', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Rate Limit Handling for External API Calls',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/axios\.|fetch\(|got\./i) && c.match(/openai|stripe|twilio|sendgrid|anthropic/i)) {
+          if (!c.match(/rate.*limit|429|retry.*after|backoff|throttle/i)) {
+            findings.push({ ruleId: 'REL-RES-006', category: 'reliability', severity: 'medium', title: 'External API calls without 429/rate-limit handling', description: 'Handle 429 responses with exponential backoff. External APIs impose rate limits — unhandled 429s cause service degradation.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-007: Synchronous file operations blocking event loop
+  { id: 'REL-RES-007', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Synchronous File I/O Blocking Event Loop',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/fs\.readFileSync|fs\.writeFileSync|fs\.appendFileSync|fs\.readdirSync/) && !lines[i].match(/startup|init|config|bootstrap/i)) {
+            findings.push({ ruleId: 'REL-RES-007', category: 'reliability', severity: 'high', title: 'Synchronous file operation in request handler — blocks event loop for all requests', description: 'Use async fs.readFile with await. Sync FS calls block the entire Node.js event loop, halting all concurrent requests.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-007: Hard restart instead of graceful shutdown
+  { id: 'REL-OPS-007', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Graceful Shutdown Handler',
+    check({ files }) {
+      const findings = [];
+      const hasShutdown = [...files.values()].some(c => c.match(/process\.on\(['"]SIGTERM|process\.on\(['"]SIGINT|graceful.*shutdown|server\.close/i));
+      const hasApp = [...files.values()].some(c => c.match(/express\(\)|fastify\(\)|http\.createServer|app\.listen/i));
+      if (hasApp && !hasShutdown) {
+        findings.push({ ruleId: 'REL-OPS-007', category: 'reliability', severity: 'medium', title: 'No SIGTERM/SIGINT handler — container stops abruptly, in-flight requests dropped', description: "Add process.on('SIGTERM', () => server.close()) to gracefully stop accepting new requests and finish in-flight ones before exit.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-008: No request timeout
+  { id: 'REL-OPS-008', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No HTTP Request Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/express\(\)|app\.use\(|router\./i)) {
+          if (!c.match(/timeout|requestTimeout|server\.setTimeout|helmet.*hsts/i)) {
+            findings.push({ ruleId: 'REL-OPS-008', category: 'reliability', severity: 'high', title: 'Express app without request timeout — slow requests hold connections indefinitely', description: 'Add connect-timeout middleware or server.setTimeout(). Without timeouts, slow DB queries hold connections and exhaust the connection pool.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-009: No readiness delay for K8s
+  { id: 'REL-OPS-009', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Startup Readiness Delay for Kubernetes',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Deployment/) && c.match(/readinessProbe:/) && !c.match(/initialDelaySeconds:/)) {
+          findings.push({ ruleId: 'REL-OPS-009', category: 'reliability', severity: 'medium', title: 'Kubernetes readiness probe without initialDelaySeconds — may probe before app starts', description: 'Add initialDelaySeconds: 10 to readinessProbe. Without startup delay, probes fail before the app is ready, causing unnecessary pod restarts.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-010: Missing try/catch in async middleware
+  { id: 'REL-OPS-010', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Async Middleware Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/app\.(use|get|post|put|delete|patch)\s*\(.*async\s*(req|request)/)) {
+            const handler = lines.slice(i, i + 25).join('\n');
+            if (!handler.match(/try\s*\{|\.catch\(|asyncHandler|expressAsync|wrapAsync/)) {
+              findings.push({ ruleId: 'REL-OPS-010', category: 'reliability', severity: 'high', title: 'Async route handler without try/catch — unhandled rejection crashes Express', description: 'Wrap async handlers: app.use(asyncHandler(async (req, res) => { ... })). Or use express-async-errors package.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-008: Unhandled promise rejection in top-level code
+  { id: 'REL-EH-008', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Top-Level Async Code Without Error Handling',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^(?:const|let|var)?\s*\w+\s*\(\)\.then\(/)) {
+            if (!lines.slice(i, i + 10).join('\n').match(/\.catch\(|process\.on.*uncaughtRejection/)) {
+              findings.push({ ruleId: 'REL-EH-008', category: 'reliability', severity: 'high', title: 'Top-level promise chain without .catch() — unhandled rejection crashes Node', description: 'Add .catch(console.error) or process.on("unhandledRejection") handler. Unhandled promise rejections terminate Node.js processes.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-009: Rethrowing wrong error type
+  { id: 'REL-EH-009', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Catch Block Overwrites Original Error',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/catch\s*\(\s*(\w+)\s*\)/)) {
+            const errVar = lines[i].match(/catch\s*\(\s*(\w+)\s*\)/)[1];
+            const block = lines.slice(i, i + 10).join('\n');
+            if (block.match(new RegExp(`throw new \\w+Error.*${errVar}|throw new Error\\(`)) && !block.match(/cause:|${errVar}\.message|${errVar}\.stack/)) {
+              findings.push({ ruleId: 'REL-EH-009', category: 'reliability', severity: 'medium', title: 'Catch block creates new error without preserving original — stack trace lost', description: 'Preserve original error: throw new AppError("msg", { cause: err }). Loss of original stack trace makes debugging production issues very difficult.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-009: No contract testing for microservices
+  { id: 'REL-TEST-009', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Contract Testing for Service Integrations',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasMicroservices = [...files.values()].some(c => c.match(/axios\.|fetch\(|got\./i) && c.match(/internal|service|api\./i));
+      const hasContract = ['@pact-foundation/pact', 'pact', 'dredd'].some(d => d in allDeps);
+      if (hasMicroservices && !hasContract) {
+        findings.push({ ruleId: 'REL-TEST-009', category: 'reliability', severity: 'medium', title: 'Microservice integrations without contract testing', description: 'Add Pact contract tests for service-to-service APIs. Contract tests catch breaking API changes before they reach production.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-010: No P95/P99 latency tracking
+  { id: 'REL-MON-010', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Percentile Latency Tracking',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasMetrics = ['prom-client', 'hot-shots', 'node-statsd', 'datadog-metrics', '@opentelemetry/sdk-metrics'].some(d => d in allDeps);
+      if (!hasMetrics && Object.keys({ ...stack.dependencies }).length > 10) {
+        findings.push({ ruleId: 'REL-MON-010', category: 'reliability', severity: 'medium', title: 'No metrics library for P95/P99 latency tracking', description: 'Add prom-client and expose /metrics endpoint. Alert on P99 latency, not just averages. Averages hide tail latency that affects 1% of users.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-011: No alerting on error rate
+  { id: 'REL-MON-011', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Error Rate Alerting',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasErrorAlert = allCode.match(/error.*rate|error.*threshold|5xx|error_count.*alert|sentry.*alert/i);
+      if (!hasErrorAlert) {
+        findings.push({ ruleId: 'REL-MON-011', category: 'reliability', severity: 'medium', title: 'No error rate alerting configured', description: 'Alert when error rate exceeds 1% of requests. Error rate spikes indicate incidents before users report them. Configure in Datadog, PagerDuty, or CloudWatch.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-008: Optimistic locking not used for concurrent updates
+  { id: 'REL-DB-008', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Optimistic Locking for Concurrent Updates',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/update|UPDATE/i) && c.match(/balance|inventory|stock|quantity|count/i)) {
+          if (!c.match(/version|lock|transaction|FOR UPDATE|optimistic|rowVersion/i)) {
+            findings.push({ ruleId: 'REL-DB-008', category: 'reliability', severity: 'medium', title: 'Updating numeric counter/balance without optimistic locking', description: 'Use UPDATE ... WHERE version = $v or SELECT FOR UPDATE. Without locking, concurrent updates cause lost updates (race condition).', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-009: Cascade delete without soft delete
+  { id: 'REL-DB-009', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Cascade Delete Without Soft Delete Fallback',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) && !fp.match(/\.(sql|prisma)$/)) continue;
+        if (c.match(/ON DELETE CASCADE|onDelete.*CASCADE|cascade.*true/i)) {
+          if (!c.match(/deletedAt|soft_delete|paranoid/i)) {
+            findings.push({ ruleId: 'REL-DB-009', category: 'reliability', severity: 'high', title: 'Cascade delete without soft delete — deleting parent permanently destroys children', description: 'Add soft delete (deletedAt column) before cascades. Accidental parent deletion cannot be undone without cascade if using hard deletes.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-008: No exponential backoff on retry
+  { id: 'REL-RES-008', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Retry Without Exponential Backoff',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/retry|retries|maxRetry/i) && !lines[i].match(/\/\//)) {
+            const block = lines.slice(i, i + 15).join('\n');
+            if (!block.match(/backoff|exponential|Math\.pow|2\s*\*\*|delay.*\*.*\d/i)) {
+              findings.push({ ruleId: 'REL-RES-008', category: 'reliability', severity: 'medium', title: 'Retry logic without exponential backoff — retries amplify overload', description: 'Use exponential backoff: delay = Math.min(1000 * 2 ** attempt, 30000). Fixed-interval retries can amplify load on a struggling service.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-009: No fallback for failed CDN resources
+  { id: 'REL-RES-009', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Fallback for CDN Script Failure',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(html)$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/<script[^>]+src=["']https?:\/\/cdn/i)) {
+            if (!lines.slice(i + 1, i + 5).join('\n').match(/window\.\w+\s*\|\|/)) {
+              findings.push({ ruleId: 'REL-RES-009', category: 'reliability', severity: 'medium', title: 'CDN script without local fallback — CDN outage breaks your app', description: 'Add local fallback: window.jQuery || document.write(). CDN outages happen; local fallbacks maintain availability.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-011: No connection pool monitoring
+  { id: 'REL-OPS-011', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Database Pool Size Monitoring',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasPool = allCode.match(/pool:|poolSize|connectionLimit|pg\.Pool/i);
+      const hasPoolMonitoring = allCode.match(/pool\.totalCount|pool\.idleCount|pool\.waitingCount|pool.*size.*metric|pool.*exhausted/i);
+      if (hasPool && !hasPoolMonitoring) {
+        findings.push({ ruleId: 'REL-OPS-011', category: 'reliability', severity: 'medium', title: 'Connection pool configured without pool size monitoring', description: 'Monitor pool utilization: expose pool.totalCount, pool.idleCount, pool.waitingCount as metrics. Pool exhaustion causes request timeouts.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-012: Server port hardcoded
+  { id: 'REL-OPS-012', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'Server Port Hardcoded',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\.listen\s*\(\s*\d{4,5}\s*[,)]/i) && !lines[i].match(/process\.env\.|PORT/)) {
+            findings.push({ ruleId: 'REL-OPS-012', category: 'reliability', severity: 'low', title: 'Server listening on hardcoded port — not configurable per environment', description: 'Use process.env.PORT || 3000. Hardcoded ports conflict with other services in local dev and cannot be configured in container orchestration.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-010: No process-level uncaught exception handler
+  { id: 'REL-EH-010', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Process-Level Uncaught Exception Handler',
+    check({ files }) {
+      const findings = [];
+      const hasHandler = [...files.values()].some(c => c.match(/process\.on\(['"]uncaughtException|process\.on\(['"]unhandledRejection/));
+      const hasApp = [...files.values()].some(c => c.match(/express\(\)|http\.createServer|app\.listen/i));
+      if (hasApp && !hasHandler) {
+        findings.push({ ruleId: 'REL-EH-010', category: 'reliability', severity: 'high', title: 'No process.on("uncaughtException") handler — unhandled errors crash the process silently', description: "Add process.on('uncaughtException', (err) => { logger.error(err); process.exit(1); }). Log the error before exiting so it's captured in logs.", fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-TEST-010: No snapshot testing for complex outputs
+  { id: 'REL-TEST-010', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No Tests for Edge Cases in Data Transformers',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        if (!fp.match(/transformer|serializer|mapper|formatter|converter/i)) continue;
+        const hasTest = [...files.keys()].some(tf => tf.includes(fp.split('/').pop().replace(/\.(js|ts)$/, '')) && tf.match(/test|spec/));
+        if (!hasTest) {
+          findings.push({ ruleId: 'REL-TEST-010', category: 'reliability', severity: 'low', title: 'Data transformer/serializer without associated test file', description: 'Add tests for transformers with: null input, empty arrays, missing fields, boundary values. Transformers are subtle — tests catch regressions when data format changes.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-DB-010: Missing database health check in liveness probe
+  { id: 'REL-DB-010', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Health Endpoint Does Not Check Database',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\/health|\/healthz/i)) {
+          const lines = c.split('\n');
+          let inHealth = false;
+          for (let i = 0; i < lines.length; i++) {
+            if (lines[i].match(/\/health|\/healthz/i)) inHealth = true;
+            if (inHealth && lines[i].match(/res\.(json|send)\s*\(\s*\{/)) {
+              if (!c.slice(c.indexOf('/health'), c.indexOf('/health') + 500).match(/db\.|pool\.|mongoose\.|prisma\.|redis\./i)) {
+                findings.push({ ruleId: 'REL-DB-010', category: 'reliability', severity: 'medium', title: 'Health endpoint does not verify database connectivity', description: 'Check DB: await db.query("SELECT 1") in health handler. Kubernetes will keep sending traffic to pods with dead DB connections if health only returns 200.', file: fp, line: i + 1, fix: null });
+              }
+              inHealth = false;
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-RES-010: No timeout for database queries
+  { id: 'REL-RES-010', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Query Timeout Configured',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/\.query\(|\.findAll\(|\.findMany\(/i)) {
+          if (!c.match(/timeout|statement_timeout|query_timeout|commandTimeout|maxQueryExecutionTime/i)) {
+            findings.push({ ruleId: 'REL-RES-010', category: 'reliability', severity: 'high', title: 'Database queries without timeout configuration', description: 'Set query timeout: SET statement_timeout TO 5000; or { commandTimeout: 5000 } in Prisma. Slow queries hold connections and eventually exhaust the pool.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-013: No CPU/memory limits for Node
+  { id: 'REL-OPS-013', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Node.js Memory Limit Set',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/Dockerfile|docker-compose|\.sh$|package\.json/) ) continue;
+        if (c.match(/node\s+(?!--)/i) && !c.match(/--max-old-space-size|--max_old_space_size/i)) {
+          findings.push({ ruleId: 'REL-OPS-013', category: 'reliability', severity: 'medium', title: 'Node.js started without --max-old-space-size — OOM kill without warning', description: 'Add --max-old-space-size=2048 (or appropriate value). Without it, Node uses default heap limit and gets OOM-killed without graceful shutdown.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-014: Single point of failure — no replication
+  { id: 'REL-OPS-014', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Single Database Instance (No Replication)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.tf$/)) continue;
+        if (c.match(/aws_db_instance\b/i) && !c.match(/multi_az\s*=\s*true|read_replica|replica/i)) {
+          findings.push({ ruleId: 'REL-OPS-014', category: 'reliability', severity: 'high', title: 'RDS without Multi-AZ or read replica — single point of failure', description: 'Enable multi_az = true for production RDS. Single-AZ databases have ~0.1% monthly downtime; Multi-AZ reduces to <0.01% with automatic failover.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-OPS-015: No auto-restart policy for containers
+  { id: 'REL-OPS-015', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Container Without Restart Policy',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/docker-compose\.ya?ml/i)) continue;
+        const lines = c.split('\n');
+        let inService = false;
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s{2}\w+:/) && !lines[i].match(/image:|build:|ports:|volumes:|environment:/)) inService = true;
+          if (inService && lines[i].match(/restart:/)) inService = false;
+        }
+        if (inService) {
+          findings.push({ ruleId: 'REL-OPS-015', category: 'reliability', severity: 'medium', title: 'Docker Compose service without restart policy — crashes not recovered', description: 'Add restart: unless-stopped to production services. Without restart policy, crashed containers stay down until manually restarted.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-012: No tracing for distributed requests
+  { id: 'REL-MON-012', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Distributed Tracing',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasTracing = ['@opentelemetry/sdk-node', '@opentelemetry/auto-instrumentations-node', 'dd-trace', 'newrelic', 'jaeger-client', 'zipkin'].some(d => d in allDeps);
+      const hasMultipleServices = [...files.values()].some(c => c.match(/axios\.|fetch\(|got\./i) && c.match(/microservice|service.*url|API_URL/i));
+      if (hasMultipleServices && !hasTracing) {
+        findings.push({ ruleId: 'REL-MON-012', category: 'reliability', severity: 'medium', title: 'Service makes external calls without distributed tracing', description: 'Add OpenTelemetry or Datadog APM. Without tracing, debugging latency across multiple services requires guessing which service is slow.', fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // REL-MON-013: Log levels not environment-aware
+  { id: 'REL-MON-013', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'Log Level Not Configurable via Environment',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (c.match(/winston|pino|bunyan|log4js/i)) {
+          if (c.match(/level:\s*['"]debug['"]/) && !c.match(/process\.env\.\w*LOG.*LEVEL|process\.env\.\w*LOG_LEVEL/i)) {
+            findings.push({ ruleId: 'REL-MON-013', category: 'reliability', severity: 'low', title: 'Logger configured with hardcoded level — not adjustable in production', description: 'Use process.env.LOG_LEVEL || "info". Hardcoded debug level in production floods logs and increases storage costs.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // REL-EH-011: Missing error boundary in React app
+  { id: 'REL-EH-011', category: 'reliability', severity: 'high', confidence: 'likely', title: 'React App Without Error Boundaries',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasReact = 'react' in allDeps;
+      const hasErrorBoundary = [...files.values()].some(c => c.match(/componentDidCatch|ErrorBoundary|react-error-boundary/i));
+      if (hasReact && !hasErrorBoundary) {
+        findings.push({ ruleId: 'REL-EH-011', category: 'reliability', severity: 'medium', title: 'React application without error boundary', description: 'Wrap major UI sections in ErrorBoundary components. Without error boundaries, a single component error unmounts the entire React tree.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-TEST-011: No test for authentication middleware
+  { id: 'REL-TEST-011', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Authentication Middleware Without Tests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp) || fp.includes('test') || fp.includes('spec')) continue;
+        if (!fp.match(/auth|middleware/i)) continue;
+        if (c.match(/authenticate|authorize|verifyToken|requireAuth/i)) {
+          const testFile = [...files.keys()].find(tf => tf.includes(fp.split('/').pop().replace(/\.(js|ts)$/, '')) && tf.match(/test|spec/));
+          if (!testFile) {
+            findings.push({ ruleId: 'REL-TEST-011', category: 'reliability', severity: 'high', title: 'Authentication middleware without test file', description: 'Add tests for auth middleware: valid token, expired token, missing token, tampered token. Auth bugs in untested middleware allow security bypasses.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-DB-011: Prisma without error handling on migrations
+  { id: 'REL-DB-011', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Database Migrations Without Rollback Script',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/migration/i)) continue;
+        if (c.match(/ALTER TABLE|DROP COLUMN|RENAME COLUMN|DROP TABLE/i)) {
+          if (!c.match(/DOWN|rollback|revert|UNDO/i)) {
+            findings.push({ ruleId: 'REL-DB-011', category: 'reliability', severity: 'medium', title: 'Destructive migration without rollback/down script', description: 'Add a down() migration for every up() that makes destructive changes. Without rollback, failed deploys require manual database recovery.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-016: No container OOM kill monitoring
+  { id: 'REL-OPS-016', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No OOM Kill Detection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/kind:\s*Deployment/i) && c.match(/memory:/i)) {
+          if (!c.match(/oomKillPolicy|OOMKill|memory.*alert|oom.*monitor/i)) {
+            findings.push({ ruleId: 'REL-OPS-016', category: 'reliability', severity: 'medium', title: 'Memory limits set without OOM kill monitoring', description: 'Alert on container OOM kills: monitor kube_pod_container_status_last_terminated_reason = OOMKilled. OOM kills indicate memory leaks or undersized limits.', file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-MON-014: No uptime monitoring with alerting
+  { id: 'REL-MON-014', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No External Uptime Monitoring',
+    check({ files }) {
+      const findings = [];
+      const allCode = [...files.values()].join('\n');
+      const hasUptimeMonitor = allCode.match(/pingdom|uptime.*robot|statuspage|better.*uptime|pagerduty.*monitor|freshping|checkly/i);
+      if (!hasUptimeMonitor) {
+        findings.push({ ruleId: 'REL-MON-014', category: 'reliability', severity: 'medium', title: 'No external uptime monitoring detected', description: 'Add Pingdom, UptimeRobot, or Checkly. Internal health checks cannot detect DNS failures, BGP routing issues, or CDN outages that affect real users.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-RES-011: No dead letter queue for failed background jobs
+  { id: 'REL-RES-011', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Dead Letter Queue for Failed Jobs',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasQueue = ['bull', 'bullmq', 'bee-queue', 'kue', 'agenda', 'node-resque'].some(d => d in allDeps);
+      const hasDLQ = [...files.values()].some(c => c.match(/failed.*queue|dlq|dead.*letter|on.*failed.*|maxAttempts|removeOnFail.*false/i));
+      if (hasQueue && !hasDLQ) {
+        findings.push({ ruleId: 'REL-RES-011', category: 'reliability', severity: 'high', title: 'Job queue without dead letter queue or failure handling', description: 'Configure a failed jobs queue: { removeOnFail: false, attempts: 3, backoff: { type: "exponential" } }. Failed jobs should be inspectable and retryable.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-017: Log rotation not configured
+  { id: 'REL-OPS-017', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Log Rotation Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasFileLogging = [...files.values()].some(c => c.match(/winston.*file|createWriteStream.*log|pino.*destination|log.*\/var\/log/i));
+      const hasRotation = ['winston-daily-rotate-file', 'rotating-file-stream', 'logrotate'].some(d => d in allDeps) || [...files.values()].some(c => c.match(/rotate|maxFiles|maxSize|datePattern/i));
+      if (hasFileLogging && !hasRotation) {
+        findings.push({ ruleId: 'REL-OPS-017', category: 'reliability', severity: 'medium', title: 'File-based logging without rotation — log files grow until disk is full', description: 'Use winston-daily-rotate-file or configure logrotate. Unrotated log files exhaust disk space and crash the application.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-EH-012: Unhandled promise in Express route
+  { id: 'REL-EH-012', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Express Route Without Async Error Wrapper',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/router\.(get|post|put|patch|delete)\s*\(.*async\s*(req|function)/)) {
+            const context = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+            if (!context.match(/try\s*\{|asyncHandler|catchAsync|wrapAsync/)) {
+              findings.push({ ruleId: 'REL-EH-012', category: 'reliability', severity: 'high', title: 'Async Express route handler without try/catch or error wrapper', description: 'Wrap async route handlers with express-async-errors or a catchAsync wrapper. Uncaught async errors in Express routes cause unhandled rejections and crash or hang requests.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-EH-013: No error classification (operational vs programmer errors)
+  { id: 'REL-EH-013', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Error Classification System',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasErrorClass = [...files.values()].some(c => c.match(/class.*extends.*Error|AppError|OperationalError|HttpError/));
+      const hasRoutes = [...files.values()].some(c => c.match(/express|fastify|koa/i));
+      const hasErrorMiddleware = [...files.values()].some(c => c.match(/err.*req.*res.*next|error.*middleware/i));
+      if (hasRoutes && hasErrorMiddleware && !hasErrorClass) {
+        findings.push({ ruleId: 'REL-EH-013', category: 'reliability', severity: 'medium', title: 'No custom Error classes — cannot distinguish operational vs programmer errors', description: 'Create AppError class extending Error with isOperational flag. Operational errors (404, validation) should return user-friendly messages; programmer errors should crash and restart.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-TEST-012: No smoke tests after deployment
+  { id: 'REL-TEST-012', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Post-Deployment Smoke Tests',
+    check({ files }) {
+      const findings = [];
+      const hasCICD = [...files.keys()].some(f => f.match(/\.github\/workflows|\.gitlab-ci|Jenkinsfile|\.circleci/));
+      const hasSmokeTest = [...files.values()].some(c => c.match(/smoke.*test|post.?deploy.*test|deployment.*verify|health.*check.*deploy/i));
+      if (hasCICD && !hasSmokeTest) {
+        findings.push({ ruleId: 'REL-TEST-012', category: 'reliability', severity: 'medium', title: 'No smoke tests after deployment — broken deployments not caught automatically', description: 'Add post-deployment smoke tests that verify critical paths (login, main API calls). Catch deployment failures within minutes instead of from user complaints.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-MON-015: No business metrics tracking
+  { id: 'REL-MON-015', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Business Metrics Instrumentation',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasBusinessMetrics = [...files.values()].some(c => c.match(/increment\s*\(|gauge\s*\(|histogram\s*\(|counter\s*\(|track\s*\(.*event/i)) || ['prom-client', 'datadog-metrics', 'statsd', '@segment/analytics-node'].some(d => d in allDeps);
+      const hasRoutes = [...files.values()].some(c => c.match(/router\.(get|post|put|delete)\s*\(/));
+      if (hasRoutes && !hasBusinessMetrics) {
+        findings.push({ ruleId: 'REL-MON-015', category: 'reliability', severity: 'medium', title: 'No business metrics tracking — cannot measure feature health', description: 'Track key business events (signups, orders, failures) with prom-client or Datadog. Technical metrics alone do not tell you if the business is functioning correctly.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-DB-012: No database migration version control
+  { id: 'REL-DB-012', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No Database Migration System',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasMigrations = ['knex', 'sequelize', 'typeorm', 'prisma', 'db-migrate', 'flyway', 'liquibase', 'umzug'].some(d => d in allDeps) || [...files.keys()].some(f => f.match(/migrations?\/|migration\./i));
+      const hasDB = ['pg', 'mysql', 'mysql2', 'mongoose', 'sqlite3', 'mssql'].some(d => d in allDeps);
+      if (hasDB && !hasMigrations) {
+        findings.push({ ruleId: 'REL-DB-012', category: 'reliability', severity: 'high', title: 'Database used without migration system — schema changes not tracked', description: 'Use Knex, Prisma, or TypeORM migrations. Without a migration system, schema changes are applied manually and inconsistently across environments, leading to drift and outages.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-RES-012: HTTP requests without timeout
+  { id: 'REL-RES-012', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Outbound HTTP Request Without Timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/axios\.(get|post|put|delete|patch)\s*\(|fetch\s*\(/) && !lines[i].match(/timeout:|AbortSignal|signal:/)) {
+            const context = lines.slice(Math.max(0, i - 2), i + 5).join('\n');
+            if (!context.match(/timeout|AbortController|signal/)) {
+              findings.push({ ruleId: 'REL-RES-012', category: 'reliability', severity: 'high', title: 'HTTP request without timeout — hangs indefinitely on unresponsive service', description: 'Always set a timeout on outbound HTTP requests. Without timeouts, a slow or unresponsive downstream service causes request threads to hang indefinitely, exhausting resources.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-018: Server process without cluster mode
+  { id: 'REL-OPS-018', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Node.js Server Not Using Cluster Mode',
+    check({ files, stack }) {
+      const findings = [];
+      const hasCluster = [...files.values()].some(c => c.match(/require\(['"]cluster['"]|import.*['"]cluster['"]|throng|pm2.*instances|cluster_mode/i));
+      const isServer = [...files.values()].some(c => c.match(/app\.listen|server\.listen/));
+      const isPM2 = [...files.keys()].some(f => f.match(/ecosystem\.config|pm2\./)) && [...files.values()].some(c => c.match(/instances.*\d|exec_mode.*cluster/i));
+      if (isServer && !hasCluster && !isPM2) {
+        findings.push({ ruleId: 'REL-OPS-018', category: 'reliability', severity: 'medium', title: 'Node.js server running as single process — not utilizing all CPU cores', description: 'Use PM2 cluster mode or Node.js cluster module. Single-process Node.js uses only one CPU core. Cluster mode improves throughput and resilience on multi-core servers.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-019: No dependency health check endpoint
+  { id: 'REL-OPS-019', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Health Check Endpoint Does Not Check Dependencies',
+    check({ files }) {
+      const findings = [];
+      const hasHealth = [...files.values()].some(c => c.match(/\/health|\/healthz|\/ping/i));
+      const checksDeps = [...files.values()].some(c => c.match(/\/health.*db|\/health.*redis|\/health.*queue|mongoose.*isConnected|pg.*query.*1/i));
+      if (hasHealth && !checksDeps) {
+        findings.push({ ruleId: 'REL-OPS-019', category: 'reliability', severity: 'medium', title: 'Health check exists but does not verify database/cache connectivity', description: 'Include dependency checks (DB ping, Redis ping) in health endpoint. A shallow health check that only returns 200 gives false confidence during partial outages.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-EH-014: Promise.all without individual error handling
+  { id: 'REL-EH-014', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Promise.all Fails Completely on Single Rejection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/Promise\.all\s*\(\[/) && !lines[i].match(/Promise\.allSettled/)) {
+            const context = lines.slice(Math.max(0, i - 2), i + 5).join('\n');
+            if (!context.match(/\.catch\s*\(|try\s*\{/)) {
+              findings.push({ ruleId: 'REL-EH-014', category: 'reliability', severity: 'medium', title: 'Promise.all without error handling — single failure cancels all operations', description: 'Use Promise.allSettled() if partial results are acceptable, or add .catch() to individual promises. Promise.all rejects immediately on the first rejection, discarding other results.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-RES-013: Missing fallback for external service unavailability
+  { id: 'REL-RES-013', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No Fallback for Third-Party Service Calls',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/stripe\.|sendgrid\.|twilio\.|braintree\.|paypal\./i)) {
+            const context = lines.slice(Math.max(0, i - 5), i + 15).join('\n');
+            if (!context.match(/catch|fallback|retry|circuit|queue/i)) {
+              findings.push({ ruleId: 'REL-RES-013', category: 'reliability', severity: 'medium', title: 'Third-party payment/communication call without retry or fallback', description: 'Add retry logic with exponential backoff for external service calls. Transient failures in Stripe, SendGrid, or Twilio should not cause unrecoverable errors.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-TEST-013: No API contract testing
+  { id: 'REL-TEST-013', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No API Contract Tests Between Services',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasPact = ['@pact-foundation/pact', 'pactum', 'dredd'].some(d => d in allDeps) || [...files.keys()].some(f => f.match(/pact|contract.*test/i));
+      const hasMultipleServices = [...files.values()].some(c => c.match(/microservice|service.*discovery|consul|kubernetes.*service/i));
+      if (hasMultipleServices && !hasPact) {
+        findings.push({ ruleId: 'REL-TEST-013', category: 'reliability', severity: 'medium', title: 'Microservices without contract tests — API breaking changes not caught before deployment', description: 'Add Pact.js for consumer-driven contract testing. Without contract tests, API changes between services cause production failures that integration tests miss.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-020: Application startup errors not fatal
+  { id: 'REL-OPS-020', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Startup Configuration Errors Not Causing Fatal Exit',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        if (!c.match(/app\.listen|server\.listen/)) continue;
+        const hasFatalOnMissingEnv = c.match(/process\.exit\s*\(|throw.*required|missing.*env|env.*required/i);
+        const hasMissingEnvCheck = c.match(/process\.env\.\w+\s*\|\|\s*['"`]|!process\.env\.\w+/);
+        if (hasMissingEnvCheck && !hasFatalOnMissingEnv) {
+          findings.push({ ruleId: 'REL-OPS-020', category: 'reliability', severity: 'high', title: 'Missing required env vars fall back to empty string instead of crashing', description: 'Validate all required environment variables at startup and call process.exit(1) if any are missing. Silent fallbacks cause hard-to-debug runtime errors.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-DB-013: Missing index on foreign key columns
+  { id: 'REL-DB-013', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Foreign Key Without Database Index',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/references\s*\(|REFERENCES\s+\w+|belongsTo|hasMany|hasOne/i) && !lines[i].match(/\/\//)) {
+            const ctx = lines.slice(Math.max(0, i - 5), i + 10).join('\n');
+            if (!ctx.match(/index:\s*true|addIndex|INDEX\s+\w+\s+\(|\.index\s*\(/i)) {
+              findings.push({ ruleId: 'REL-DB-013', category: 'reliability', severity: 'medium', title: 'Foreign key relationship without explicit index', description: 'Add an index on foreign key columns. Without an index, queries joining on or filtering by a foreign key perform full table scans that degrade as data grows.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-MON-016: No SLO/SLA definition
+  { id: 'REL-MON-016', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No SLO/SLA Defined for Service',
+    check({ files }) {
+      const findings = [];
+      const hasSLO = [...files.keys()].some(f => f.match(/slo|sla|service.?level/i)) || [...files.values()].some(c => c.match(/availabilityTarget|errorBudget|slo:|sla:|uptime.*\d{2,3}%/i));
+      const hasMonitoring = [...files.values()].some(c => c.match(/cloudwatch|datadog|prometheus|grafana|pagerduty|opsgenie/i));
+      if (hasMonitoring && !hasSLO) {
+        findings.push({ ruleId: 'REL-MON-016', category: 'reliability', severity: 'low', title: 'Monitoring configured without documented SLOs', description: 'Define Service Level Objectives (e.g., 99.9% uptime, p99 < 500ms). SLOs make reliability goals measurable and drive alert threshold decisions. Document them in a README or runbook.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-RES-014: Job queue without dead-letter queue
+  { id: 'REL-RES-014', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Job Queue Without Dead-Letter Queue Configuration',
+    check({ files, stack }) {
+      const findings = [];
+      const allDeps = { ...stack.dependencies, ...stack.devDependencies };
+      const hasQueue = ['bull', 'bullmq', 'bee-queue', 'agenda', 'kue'].some(d => d in allDeps);
+      const hasDLQ = [...files.values()].some(c => c.match(/deadLetter|dead_letter|failedQueue|onFailed|failed.*queue|dlq/i));
+      if (hasQueue && !hasDLQ) {
+        findings.push({ ruleId: 'REL-RES-014', category: 'reliability', severity: 'high', title: 'Job queue without dead-letter queue — failed jobs silently discarded', description: 'Configure a dead-letter queue and onFailed handler. Without DLQ, failed jobs are lost after max retries with no ability to inspect failures or replay messages.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-EH-015: Unchecked null from .find() / .get()
+  { id: 'REL-EH-015', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Result of .find() Used Without Null Check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/=\s*\w+\.find\s*\(/) && !lines[i].match(/\/\//)) {
+            const varMatch = lines[i].match(/(?:const|let|var)\s+(\w+)\s*=/);
+            if (varMatch) {
+              const varName = varMatch[1];
+              const nextLines = lines.slice(i + 1, i + 5).join('\n');
+              if (nextLines.match(new RegExp(`${varName}\\.\\w+`)) && !nextLines.match(new RegExp(`if\\s*\\(!?${varName}|${varName}\\?\\.|${varName}\\s*&&`))) {
+                findings.push({ ruleId: 'REL-EH-015', category: 'reliability', severity: 'medium', title: `.find() result used without null check — TypeError when item not found`, description: 'Check that .find() returned a value before accessing its properties. Array.find() returns undefined if no match is found, causing "Cannot read property of undefined" errors.', file: fp, line: i + 1, fix: null });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-TEST-014: Missing database seed for tests
+  { id: 'REL-TEST-014', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Integration Tests Without Database Seeding',
+    check({ files }) {
+      const findings = [];
+      const hasIntegrationTests = [...files.keys()].some(f => f.match(/integration|e2e|\.test\.(js|ts)$/));
+      const hasSeeding = [...files.values()].some(c => c.match(/seed|fixture|factory|beforeEach.*insert|beforeAll.*create/i));
+      if (hasIntegrationTests && !hasSeeding) {
+        findings.push({ ruleId: 'REL-TEST-014', category: 'reliability', severity: 'medium', title: 'Integration tests without database seeding — tests depend on pre-existing data', description: 'Use database factories or seed functions in beforeEach/beforeAll. Tests that depend on pre-existing data are fragile and non-deterministic.', fix: null });
+      }
+      return findings;
+    },
+  },
+  // REL-OPS-021: No dependency on stable external services
+  { id: 'REL-OPS-021', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Hard Dependency on Single DNS/Service Without Fallback',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const hardcodedEndpoints = (c.match(/https?:\/\/[a-z0-9-]+\.[a-z]{2,}(?::\d+)?\/[^\s'"`]+/gi) || []);
+        if (hardcodedEndpoints.length > 3) {
+          findings.push({ ruleId: 'REL-OPS-021', category: 'reliability', severity: 'medium', title: 'Multiple hardcoded external endpoints — consider service discovery', description: 'Move external service URLs to environment variables. Hardcoded URLs prevent environment-specific configuration and make switching or load-balancing endpoints impossible without code changes.', file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+  // REL-DB-014: Using TRUNCATE in application code
+  { id: 'REL-DB-014', category: 'reliability', severity: 'high', confidence: 'likely', title: 'TRUNCATE Statement in Application Code',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!isSourceFile(fp)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/TRUNCATE\s+TABLE|truncate\s*\(/i) && !lines[i].match(/\/\/|test|spec|seed|migration/i)) {
+            if (!fp.match(/test|spec|seed|migration/i)) {
+              findings.push({ ruleId: 'REL-DB-014', category: 'reliability', severity: 'high', title: 'TRUNCATE in application code — irrecoverable data loss if called accidentally', description: 'Avoid TRUNCATE in production application code. If data deletion is required, use DELETE with a WHERE clause. TRUNCATE removes all rows instantly with no rollback path.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;
+
+// REL-015: Missing process.on('uncaughtException')
+rules.push({
+  id: 'REL-015', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No uncaughtException handler — process will crash on unhandled errors',
+  check({ files }) {
+    const findings = [];
+    const hasMainEntry = [...files.keys()].some(f => f.match(/(?:^|\/)(?:index|server|app|main)\.[jt]s$/));
+    const hasUncaught = [...files.values()].some(c => /process\.on\s*\(\s*['"]uncaughtException['"]/.test(c));
+    if (hasMainEntry && !hasUncaught) {
+      findings.push({ ruleId: 'REL-015', category: 'reliability', severity: 'high', title: 'No process.on("uncaughtException") handler — unhandled errors crash the process', description: 'Without an uncaughtException handler, any thrown synchronous error not caught will terminate Node.js. Add a handler to log and gracefully shut down.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-016: Missing unhandledRejection handler
+rules.push({
+  id: 'REL-016', category: 'reliability', severity: 'high', confidence: 'likely', title: 'No unhandledRejection handler — silent promise failures',
+  check({ files }) {
+    const findings = [];
+    const hasMainEntry = [...files.keys()].some(f => f.match(/(?:^|\/)(?:index|server|app|main)\.[jt]s$/));
+    const hasHandler = [...files.values()].some(c => /process\.on\s*\(\s*['"]unhandledRejection['"]/.test(c));
+    if (hasMainEntry && !hasHandler) {
+      findings.push({ ruleId: 'REL-016', category: 'reliability', severity: 'high', title: 'No process.on("unhandledRejection") — failed promises silently ignored', description: 'Unhandled promise rejections cause silent data corruption or incomplete operations. Add process.on("unhandledRejection") to log and handle failures.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-017: while(true) without break condition
+rules.push({
+  id: 'REL-017', category: 'reliability', severity: 'high', confidence: 'likely', title: 'while(true) loop without visible break/return — infinite loop risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/while\s*\(\s*true\s*\)/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/\bbreak\b|\breturn\b|\bthrow\b/.test(body)) {
+            findings.push({ ruleId: 'REL-017', category: 'reliability', severity: 'high', title: 'while(true) with no break/return visible — infinite loop risk', description: 'Infinite loops without a visible exit condition may hang the process. Ensure a break, return, or throw is reachable within the loop.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-018: Missing finally block for resource cleanup
+rules.push({
+  id: 'REL-018', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Resource opened in try block without finally cleanup',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\btry\s*\{/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          if (/(?:open|connect|acquire|lock|createWriteStream|createReadStream)/.test(block) && !/finally\s*\{/.test(block)) {
+            findings.push({ ruleId: 'REL-018', category: 'reliability', severity: 'medium', title: 'Resource opened in try without finally — leak on exception', description: 'File handles, DB connections, and locks opened in try blocks must be closed in finally to prevent resource leaks on exceptions.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-019: Missing graceful shutdown (SIGTERM handler)
+rules.push({
+  id: 'REL-019', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No SIGTERM handler — container/k8s restarts without graceful shutdown',
+  check({ files }) {
+    const findings = [];
+    const hasServer = [...files.values()].some(c => /(?:app|server)\.listen\s*\(/.test(c));
+    const hasSigterm = [...files.values()].some(c => /process\.on\s*\(\s*['"]SIGTERM['"]/.test(c));
+    if (hasServer && !hasSigterm) {
+      findings.push({ ruleId: 'REL-019', category: 'reliability', severity: 'medium', title: 'Server without SIGTERM handler — Kubernetes rolling deploys will drop in-flight requests', description: 'Handle SIGTERM to finish in-flight requests before exiting. Kubernetes sends SIGTERM before SIGKILL during rolling updates.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-020: setTimeout without clearTimeout — memory leak
+rules.push({
+  id: 'REL-020', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'setInterval used without clearInterval — perpetual timer leak',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const setCount = (c.match(/setInterval\s*\(/g) || []).length;
+      const clearCount = (c.match(/clearInterval\s*\(/g) || []).length;
+      if (setCount > 0 && clearCount === 0) {
+        findings.push({ ruleId: 'REL-020', category: 'reliability', severity: 'medium', title: `setInterval() called ${setCount} time(s) without clearInterval`, description: 'Intervals not cleared prevent garbage collection and may cause duplicate operations after reinitialization. Store the interval ID and call clearInterval in cleanup.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-021: Promise resolve/reject called multiple times
+rules.push({
+  id: 'REL-021', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Potential multiple resolve/reject calls in Promise constructor',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/new\s+Promise\s*\(/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          const resolveCount = (body.match(/\bresolve\s*\(/g) || []).length;
+          const rejectCount = (body.match(/\breject\s*\(/g) || []).length;
+          if (resolveCount + rejectCount > 2) {
+            findings.push({ ruleId: 'REL-021', category: 'reliability', severity: 'high', title: 'Multiple resolve/reject paths in Promise — only first call wins, rest silently ignored', description: 'Only the first resolve() or reject() call has effect. Multiple calls indicate logic errors. Use return after each settlement.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-022: Missing null check before property access
+rules.push({
+  id: 'REL-022', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Property accessed on potentially null/undefined value',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Pattern: req.body.x.y without optional chaining
+        if (/req\.(?:body|params|query)\.\w+\.\w+/.test(lines[i]) && !/req\.(?:body|params|query)\?\.\w+/.test(lines[i])) {
+          findings.push({ ruleId: 'REL-022', category: 'reliability', severity: 'medium', title: 'Deep property access on req.body/params without null check', description: 'Accessing nested properties on req.body without validation throws "Cannot read properties of undefined". Use optional chaining (?.) or validate with Joi/Zod first.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-023: Deprecated Node.js API usage
+rules.push({
+  id: 'REL-023', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Deprecated Node.js API used',
+  check({ files }) {
+    const findings = [];
+    const deprecated = /new\s+Buffer\s*\(|require\s*\(\s*['"]sys['"]\)|require\s*\(\s*['"]punycode['"]\)|crypto\.createCredentials|domain\.create/;
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (deprecated.test(lines[i])) {
+          findings.push({ ruleId: 'REL-023', category: 'reliability', severity: 'medium', title: 'Deprecated Node.js API — may be removed in future version', description: 'Replace deprecated APIs: new Buffer() → Buffer.from/alloc/allocUnsafe; require("sys") → require("util"); require("punycode") → use third-party module.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-024: Unbounded recursion risk
+rules.push({
+  id: 'REL-024', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Recursive function without depth limit — stack overflow risk',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        const fnMatch = lines[i].match(/function\s+(\w+)\s*\([^)]*\)/);
+        if (fnMatch) {
+          const fnName = fnMatch[1];
+          // Skip React components (PascalCase) and common non-recursive patterns
+          if (/^[A-Z]/.test(fnName)) continue;  // React components are PascalCase
+          if (/^(use[A-Z]|get[A-Z]|set[A-Z]|handle[A-Z]|on[A-Z])/.test(fnName)) continue;  // Hooks, handlers
+          const body = lines.slice(i + 1, Math.min(lines.length, i + 40)).join('\n');
+          // Must call itself directly (not just appear as a reference)
+          const callPattern = new RegExp(`\\b${fnName}\\s*\\(`);
+          if (callPattern.test(body) && !/depth|maxDepth|level|maxLevel|limit/.test(body)) {
+            findings.push({ ruleId: 'REL-024', category: 'reliability', severity: 'high', title: `Recursive function '${fnName}' without depth guard — stack overflow on deep input`, description: 'Add a depth parameter with a maximum limit. Large or adversarial inputs can exhaust the call stack.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-025: EventEmitter without setMaxListeners
+rules.push({
+  id: 'REL-025', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'EventEmitter without setMaxListeners — Node.js memory leak warning',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/EventEmitter|\.emit\s*\(|\.on\s*\(/.test(c) && !/setMaxListeners/.test(c)) {
+        const addCount = (c.match(/\.on\s*\(/g) || []).length;
+        if (addCount > 10) {
+          findings.push({ ruleId: 'REL-025', category: 'reliability', severity: 'low', title: 'Many event listeners without setMaxListeners — potential leak warning', description: 'Node.js warns about memory leaks when an EventEmitter has more than 10 listeners. Call emitter.setMaxListeners(n) to suppress false positives or fix actual leaks.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-026: Database query without error handling
+rules.push({
+  id: 'REL-026', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Database query without try/catch or .catch()',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/await\s+(?:db\.|prisma\.|sequelize\.|mongoose\.|knex\.)/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 5)).join('\n');
+          if (!/try\s*\{|\.catch\s*\(/.test(ctx)) {
+            findings.push({ ruleId: 'REL-026', category: 'reliability', severity: 'high', title: 'DB query without error handling — unhandled rejection on connection failure', description: 'Database queries can fail due to connection issues, constraints, or timeouts. Always wrap in try/catch or chain .catch().', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-027: Async function called without await or .catch
+rules.push({
+  id: 'REL-027', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Floating promise — async function called without await or .catch()',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Detect patterns like: someAsyncFn(); without await/catch
+        if (/^\s*\w+(?:\.\w+)*\s*\([^)]*\)\s*;/.test(lines[i]) && !/await|\.catch|\.then|return/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 3), i + 1).join('\n');
+          if (/async\s+function|async\s*\(/.test(ctx.split('\n')[0]) || /await/.test(ctx)) continue;
+          // Check if the function being called is likely async (common patterns)
+          if (/(?:save|create|update|delete|fetch|load|init|connect|send|emit|publish|process)\s*\(/i.test(lines[i]) && /async/.test(c.substring(0, c.indexOf(lines[i])))) {
+            findings.push({ ruleId: 'REL-027', category: 'reliability', severity: 'high', title: 'Potential floating promise — async call without await or error handling', description: 'Calling async functions without await or .catch() silently swallows errors. Always await or handle the returned promise.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-028: Missing connection timeout
+rules.push({
+  id: 'REL-028', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'HTTP/DB connection without timeout configured',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:fetch|axios)\s*\(|new\s+(?:Pool|Client)\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 8)).join('\n');
+          if (!/timeout\s*:|connectTimeout|requestTimeout/.test(ctx)) {
+            findings.push({ ruleId: 'REL-028', category: 'reliability', severity: 'medium', title: 'HTTP/DB client without timeout — hangs indefinitely on unresponsive server', description: 'Network calls without timeouts hang forever if the server is slow or unresponsive. Set connectTimeout and requestTimeout options.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-029: Missing retry logic for transient failures
+rules.push({
+  id: 'REL-029', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'External API call without retry logic',
+  check({ files }) {
+    const findings = [];
+    const hasFetch = [...files.values()].some(c => /fetch\s*\(|axios\s*\(/.test(c));
+    const hasRetry = [...files.values()].some(c => /retry|p-retry|axios-retry|backoff|exponential/i.test(c));
+    if (hasFetch && !hasRetry) {
+      findings.push({ ruleId: 'REL-029', category: 'reliability', severity: 'low', title: 'External HTTP calls without retry logic — no resilience to transient failures', description: 'Network calls fail transiently. Implement retry with exponential backoff using p-retry or axios-retry for resilient external service calls.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-030: Catch block swallowing errors silently
+rules.push({
+  id: 'REL-030', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Empty catch block swallows errors silently',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\}\s*catch\s*\([^)]*\)\s*\{/.test(lines[i])) {
+          const catchBody = lines.slice(i + 1, Math.min(lines.length, i + 5)).join('\n');
+          if (/^\s*\}/.test(catchBody.trim().split('\n')[0]) || /^\s*\/\/.*\n\s*\}/.test(catchBody)) {
+            findings.push({ ruleId: 'REL-030', category: 'reliability', severity: 'medium', title: 'Empty catch block — errors silently swallowed', description: 'An empty catch block hides errors and makes debugging impossible. At minimum, log the error: catch(e) { logger.error(e); throw e; }', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-031 through REL-055: Additional reliability rules
+
+// REL-031: Missing health check route
+rules.push({
+  id: 'REL-031', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No /health endpoint in Express app',
+  check({ files }) {
+    const findings = [];
+    const hasExpress = [...files.values()].some(c => /require.*express|from.*express/i.test(c));
+    const hasHealth = [...files.values()].some(c => /\/health|\/healthz|\/ping/i.test(c));
+    if (hasExpress && !hasHealth) {
+      findings.push({ ruleId: 'REL-031', category: 'reliability', severity: 'medium', title: 'No /health endpoint — load balancers and Kubernetes cannot check liveness', description: 'Add a /health endpoint that returns 200 OK when the service is ready. Required by most orchestration platforms for health checking.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-032: Missing database transaction for multi-step operation
+rules.push({
+  id: 'REL-032', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Multi-step DB operations without transaction',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      let createCount = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/await.*(?:create|update|delete|save)\s*\(/i.test(lines[i])) createCount++;
+        if (createCount > 1 && !/transaction|BEGIN|COMMIT|prisma\.\$transaction/i.test(c)) {
+          findings.push({ ruleId: 'REL-032', category: 'reliability', severity: 'high', title: 'Multiple DB write operations without transaction — partial failure leaves inconsistent state', description: 'Wrap multiple related write operations in a transaction to ensure atomicity. If any step fails, the transaction rolls back.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-033: Async forEach (await inside forEach)
+rules.push({
+  id: 'REL-033', category: 'reliability', severity: 'high', confidence: 'likely', title: 'await used inside Array.forEach — async not properly awaited',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\.forEach\s*\(\s*async/.test(lines[i])) {
+          findings.push({ ruleId: 'REL-033', category: 'reliability', severity: 'high', title: 'async function inside .forEach() — awaiting forEach() does not wait for async callbacks', description: 'Array.forEach() ignores promise return values. Use for...of with await, or Promise.all(arr.map(async item => ...)) instead.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-034: Missing error boundary in React
+rules.push({
+  id: 'REL-034', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'React application without error boundary',
+  check({ files }) {
+    const findings = [];
+    const hasReact = [...files.values()].some(c => /from.*['"]react['"]/i.test(c));
+    const hasErrorBoundary = [...files.values()].some(c => /componentDidCatch|ErrorBoundary|error.*boundary/i.test(c));
+    if (hasReact && !hasErrorBoundary) {
+      findings.push({ ruleId: 'REL-034', category: 'reliability', severity: 'medium', title: 'No React error boundary — component errors unmount entire app', description: 'Add ErrorBoundary components to catch React rendering errors and display fallback UI instead of crashing the whole application.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-035: Missing cleanup in useEffect
+rules.push({
+  id: 'REL-035', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'useEffect with subscription/listener but no cleanup return',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!fp.match(/\.(jsx|tsx)$/)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/useEffect\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (/(addEventListener|subscribe|setInterval|\.on\s*\()/.test(block) && !/return\s*\(?\s*\(\s*\)\s*=>/.test(block)) {
+            findings.push({ ruleId: 'REL-035', category: 'reliability', severity: 'medium', title: 'useEffect with subscription but no cleanup — memory leak on unmount', description: 'useEffect with event listeners, subscriptions, or intervals must return a cleanup function to prevent memory leaks when the component unmounts.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-036: Unhandled promise in route handler
+rules.push({
+  id: 'REL-036', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Async route handler without error catching',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/(?:router|app)\.\w+\s*\([^,]+,\s*async\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/try\s*\{|\.catch\s*\(|asyncHandler|catchAsync/.test(block)) {
+            findings.push({ ruleId: 'REL-036', category: 'reliability', severity: 'high', title: 'Async route handler without try/catch — unhandled rejection crashes server', description: 'Wrap async route handlers in try/catch or use an asyncHandler() wrapper to ensure errors are passed to Express error middleware.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-037: Missing SIGINT handler
+rules.push({
+  id: 'REL-037', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'No SIGINT handler — Ctrl+C does not gracefully shutdown',
+  check({ files }) {
+    const findings = [];
+    const hasServer = [...files.values()].some(c => /(?:app|server)\.listen\s*\(/.test(c));
+    const hasSigint = [...files.values()].some(c => /process\.on\s*\(\s*['"]SIGINT['"]/.test(c));
+    if (hasServer && !hasSigint) {
+      findings.push({ ruleId: 'REL-037', category: 'reliability', severity: 'low', title: 'No SIGINT handler — development Ctrl+C does not drain connections', description: 'Handle SIGINT to close the server gracefully during development. Without it, in-flight requests are abruptly terminated.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-038: Constructor throwing error
+rules.push({
+  id: 'REL-038', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Constructor with async initialization — use factory pattern instead',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/constructor\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (/await\s+/.test(block)) {
+            findings.push({ ruleId: 'REL-038', category: 'reliability', severity: 'medium', title: 'await inside constructor — constructors cannot be async', description: 'Constructors cannot be async. Move async initialization to a static async factory method: static async create() { const obj = new Class(); await obj.init(); return obj; }', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-039: Missing connection error handler
+rules.push({
+  id: 'REL-039', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Database connection without error event handler',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/mongoose\.connect|createPool|MongoClient\.connect/i.test(c)) {
+        if (!c.match(/\.on\s*\(\s*['"]error['"]|\.catch\s*\(/)) {
+          findings.push({ ruleId: 'REL-039', category: 'reliability', severity: 'high', title: 'DB connection without error handler — connection errors crash unhandled', description: 'Add an error event handler to database connections to handle connection drops and authentication failures gracefully.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-040: Hardcoded retry count without jitter
+rules.push({
+  id: 'REL-040', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'Retry logic without jitter — thundering herd on recovery',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/retry|retryCount|maxRetries/i.test(c) && !/jitter|Math\.random|randomDelay/i.test(c)) {
+        findings.push({ ruleId: 'REL-040', category: 'reliability', severity: 'low', title: 'Retry without jitter — coordinated retries create thundering herd', description: 'Add random jitter to retry delays to prevent synchronized retries from overwhelming a recovering service: delay = baseDelay * 2^attempt + Math.random() * 1000.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-041: Missing rate limit error handling
+rules.push({
+  id: 'REL-041', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'External API call without handling 429 rate limit response',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/(fetch|axios)\s*\(/.test(c) && !/status.*429|statusCode.*429|429|TooManyRequests|rate.?limit/i.test(c)) {
+        if (/openai|stripe|twilio|sendgrid|github.*api/i.test(c)) {
+          findings.push({ ruleId: 'REL-041', category: 'reliability', severity: 'medium', title: 'Third-party API call without 429 rate limit handling', description: 'External APIs may return 429 Too Many Requests. Handle this response by implementing exponential backoff and respecting Retry-After headers.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-042 through REL-062: More reliability rules
+
+// REL-042: Promise.all without individual error handling
+rules.push({
+  id: 'REL-042', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Promise.all without per-promise error isolation',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/Promise\.all\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 5)).join('\n');
+          if (!/Promise\.allSettled|\.catch/.test(ctx)) {
+            findings.push({ ruleId: 'REL-042', category: 'reliability', severity: 'medium', title: 'Promise.all rejects entirely if any promise fails — use Promise.allSettled for independent operations', description: 'Promise.all fails fast if any promise rejects, cancelling all results. Use Promise.allSettled when each operation is independent and partial results are acceptable.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-043: Missing database index on soft delete field
+rules.push({
+  id: 'REL-043', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Soft delete pattern without index on deletedAt field',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/deletedAt|deleted_at|softDelete/i.test(c) && /findMany|findAll|SELECT/i.test(c)) {
+        if (!/@@index.*deletedAt|index.*deleted_at|deletedAt.*@index/i.test(c)) {
+          findings.push({ ruleId: 'REL-043', category: 'reliability', severity: 'medium', title: 'Soft delete pattern without index on deletedAt — WHERE deletedAt IS NULL causes full scan', description: 'Add a database index on deletedAt to optimize queries that filter soft-deleted records. Without it, every query scans all rows.', file: fp, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-044: Missing input validation on env variables
+rules.push({
+  id: 'REL-044', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Environment variables used without validation',
+  check({ files }) {
+    const findings = [];
+    const usesEnv = [...files.values()].some(c => /process\.env\.\w+/i.test(c));
+    const hasEnvValidation = [...files.values()].some(c => /envalid|env-schema|zod.*env|dotenv.*safe|joi.*env|validateEnv/i.test(c));
+    if (usesEnv && !hasEnvValidation) {
+      findings.push({ ruleId: 'REL-044', category: 'reliability', severity: 'medium', title: 'Environment variables used without validation — missing vars cause runtime crashes', description: 'Validate all required environment variables at startup using envalid, dotenv-safe, or a Zod schema. This catches missing configs before they cause production failures.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-045: Mutating shared state across requests
+rules.push({
+  id: 'REL-045', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Module-level mutable state shared across requests',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (!fp.match(/(?:route|handler|controller|middleware)/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        // Module-level let array/object that gets pushed/modified in handler
+        if (/^let\s+\w+\s*=\s*\[\s*\]|^let\s+\w+\s*=\s*\{/.test(lines[i])) {
+          const varName = (lines[i].match(/^let\s+(\w+)/) || [])[1];
+          if (varName) {
+            const rest = c.slice(c.indexOf(lines[i]) + lines[i].length);
+            if (rest.match(new RegExp(`\\b${varName}\\s*\\.\\s*push|${varName}\\s*\\[`)) && rest.match(/req,\s*res|handler|router\./)) {
+              findings.push({ ruleId: 'REL-045', category: 'reliability', severity: 'high', title: `Module-level mutable "${varName}" modified in request handler — shared across all requests`, description: 'Module-level state is shared across all concurrent requests. Use request-scoped storage or database for per-request state.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-046: setTimeout used for time-sensitive operations
+rules.push({
+  id: 'REL-046', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'setTimeout used for time-sensitive operation — imprecise timing',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/setTimeout\s*\(/.test(lines[i])) {
+          const ctx = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+          if (/payment|charge|expire|session.*timeout|lock.*timeout/i.test(ctx)) {
+            findings.push({ ruleId: 'REL-046', category: 'reliability', severity: 'medium', title: 'setTimeout for time-sensitive payment/session/lock operation — use DB-persisted expiry', description: 'setTimeout is not reliable for critical timeouts — it resets on restart and drifts. Use a database-persisted expiry timestamp instead.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-047: Missing circuit breaker for external services
+rules.push({
+  id: 'REL-047', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'External service calls without circuit breaker pattern',
+  check({ files }) {
+    const findings = [];
+    const hasExternalCalls = [...files.values()].some(c => /fetch|axios|http\.request/i.test(c));
+    const hasCircuitBreaker = [...files.values()].some(c => /opossum|brakes|circuit.?breaker|CircuitBreaker|hystrix/i.test(c));
+    if (hasExternalCalls && !hasCircuitBreaker) {
+      findings.push({ ruleId: 'REL-047', category: 'reliability', severity: 'medium', title: 'External HTTP calls without circuit breaker — cascading failures possible', description: 'Implement the circuit breaker pattern using opossum or similar library. When an external service fails repeatedly, open the circuit to fail fast rather than queue up timeouts.', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-048: Missing .finally() on critical promises
+rules.push({
+  id: 'REL-048', category: 'reliability', severity: 'low', confidence: 'suggestion', title: 'Promise chain without .finally() for cleanup',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/\.then\s*\([^)]+\)\.catch\s*\(/.test(lines[i]) && /lock|mutex|connection|transaction|acquire/i.test(lines[i])) {
+          if (!/\.finally\s*\(/.test(lines[i])) {
+            findings.push({ ruleId: 'REL-048', category: 'reliability', severity: 'low', title: 'Promise with lock/connection but no .finally() cleanup', description: 'Add .finally() to release locks and connections even if the promise rejects. Avoids resource leaks on failure.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-049: Unconditional throw in middleware
+rules.push({
+  id: 'REL-049', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Middleware that always throws — will break all routes',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (!fp.match(/middleware/i)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/^\s*(\/\/|\/\*|\*)/.test(lines[i])) continue;
+        if (/^\s*throw\s+new\s+\w+/.test(lines[i])) {
+          const ctx = lines.slice(Math.max(0, i - 5), i).join('\n');
+          if (!/if\s*\(|catch\s*\(|\?\s*/.test(ctx)) {
+            findings.push({ ruleId: 'REL-049', category: 'reliability', severity: 'medium', title: 'Unconditional throw in middleware — always throws regardless of condition', description: 'An unconditional throw in middleware will break all requests handled by it. Wrap in a condition to only throw when the error condition is met.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-050: Missing database connection check
+rules.push({
+  id: 'REL-050', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Application starts without verifying database connection',
+  check({ files }) {
+    const findings = [];
+    const hasDB = [...files.values()].some(c => /mongoose\.connect|sequelize\.|pg\.Pool|mysql\.createPool/i.test(c));
+    const hasConnCheck = [...files.values()].some(c => /\.authenticate\s*\(\)|\.ping\s*\(\)|\.connect\s*\(\).*\.then|db\.ready/i.test(c));
+    const hasServerListen = [...files.values()].some(c => /app\.listen|server\.listen/i.test(c));
+    if (hasDB && hasServerListen && !hasConnCheck) {
+      findings.push({ ruleId: 'REL-050', category: 'reliability', severity: 'medium', title: 'Server starts without verifying database connectivity', description: 'Verify the database connection before starting the HTTP server to fail fast on misconfiguration. Call db.authenticate() or a health query before app.listen().', fix: null });
+    }
+    return findings;
+  },
+});
+
+// REL-051: Missing error handling in Express middleware
+rules.push({
+  id: 'REL-051', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Express middleware without try/catch — unhandled async errors',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:router|app)\.use\s*\(\s*async\s+function|\bapp\.use\s*\(\s*async\s+\(/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/try\s*\{|\.catch\s*\(/.test(body)) findings.push({ ruleId: 'REL-051', category: 'reliability', severity: 'high', title: 'Async Express middleware without try/catch — errors not forwarded to next(err)', description: 'Wrap async middleware in try/catch and call next(err) on failure.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-052: Promise rejection in event listener not handled
+rules.push({
+  id: 'REL-052', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Async event listener without error handling',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/\.on\s*\(['"][^'"]+['"]\s*,\s*async\s+/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (!/try\s*\{|\.catch\s*\(/.test(body)) findings.push({ ruleId: 'REL-052', category: 'reliability', severity: 'high', title: 'Async event listener without try/catch — unhandled promise rejection', description: 'Wrap async event handlers in try/catch to prevent silent failures.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-053: Missing graceful shutdown on database
+rules.push({
+  id: 'REL-053', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'No database disconnect on process SIGTERM',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/mongoose\.connect|pg\.Pool|redis\.createClient|sequelize\s*=\s*new/i.test(c) && !/SIGTERM/.test(c)) {
+        findings.push({ ruleId: 'REL-053', category: 'reliability', severity: 'medium', title: 'Database connection without SIGTERM cleanup', description: 'Add SIGTERM handler to gracefully close database connections before process exit.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-054: Missing validation on environment variables at startup
+rules.push({
+  id: 'REL-054', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Required environment variables not validated at startup',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/process\.env\.\w+/.test(c) && !/(?:joi|zod|yup|envalid|dotenv-safe)/.test(c) && /app\.listen|server\.listen|createServer/.test(c) && !/process\.env\.\w+\s*\|\|.*throw|if\s*\(\s*!process\.env/.test(c)) {
+        findings.push({ ruleId: 'REL-054', category: 'reliability', severity: 'high', title: 'Environment variables used without validation — app may fail silently on missing config', description: 'Validate all required environment variables at startup using envalid, joi, or zod.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-055: Unhandled stream error events
+rules.push({
+  id: 'REL-055', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Stream created without error event handler',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:createReadStream|createWriteStream|pipe)\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+          if (!/\.on\s*\(\s*['"]error['"]/.test(block)) findings.push({ ruleId: 'REL-055', category: 'reliability', severity: 'high', title: 'Stream without error handler — unhandled error may crash process', description: 'Always attach an error event handler to streams: stream.on("error", handler).', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-056: Using deprecated crypto.createCipher
+rules.push({
+  id: 'REL-056', category: 'reliability', severity: 'high', confidence: 'likely', title: 'crypto.createCipher is deprecated — use createCipheriv',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/crypto\.createCipher\s*\((?!iv)/.test(lines[i])) findings.push({ ruleId: 'REL-056', category: 'reliability', severity: 'high', title: 'crypto.createCipher() is deprecated — use createCipheriv() with explicit IV', description: 'Replace crypto.createCipher() with crypto.createCipheriv() which requires an explicit IV parameter.', file: fp, line: i + 1, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-057: Callback called multiple times
+rules.push({
+  id: 'REL-057', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Callback may be invoked multiple times in function',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].match(/function\s*\w*\s*\([^)]*(?:callback|cb|done|next)\b/);
+        if (m) {
+          const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          const cbName = (lines[i].match(/\b(callback|cb|done|next)\b/) || [])[1];
+          if (cbName) {
+            const calls = (body.match(new RegExp(`\\b${cbName}\\s*\\(`, 'g')) || []).length;
+            if (calls >= 3) findings.push({ ruleId: 'REL-057', category: 'reliability', severity: 'high', title: `Callback '${cbName}' may be called multiple times — double invocation bug`, description: 'Use return after each callback invocation to prevent the function from continuing execution.', file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-058: No timeout on external HTTP requests
+rules.push({
+  id: 'REL-058', category: 'reliability', severity: 'high', confidence: 'likely', title: 'HTTP request to external service without timeout',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/axios\.(?:get|post|put|delete|request)\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+          if (!/timeout/.test(block)) findings.push({ ruleId: 'REL-058', category: 'reliability', severity: 'high', title: 'axios request without timeout — may hang indefinitely', description: 'Add a timeout option to all axios requests: axios.get(url, { timeout: 5000 }).', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-059: Global state mutation in request handler
+rules.push({
+  id: 'REL-059', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Module-level variable mutated in request handler — shared state',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const topVars = [];
+      const lines = c.split('\n');
+      let inHandler = false;
+      for (let i = 0; i < lines.length; i++) {
+        const varMatch = lines[i].match(/^(?:let|var)\s+(\w+)\s*=/);
+        if (varMatch && i < 50) topVars.push(varMatch[1]);
+        if (/(?:router|app)\.(?:get|post|put|delete)\s*\(/.test(lines[i])) inHandler = true;
+        if (inHandler && topVars.some(v => new RegExp(`\\b${v}\\s*(?:[+\\-*]=|=(?!=))`).test(lines[i]))) {
+          findings.push({ ruleId: 'REL-059', category: 'reliability', severity: 'high', title: 'Module-level variable mutated in request handler — race condition under concurrent requests', description: 'Avoid mutating module-level state in request handlers. Use request-scoped variables or a proper data store.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-060: Missing connection error handler on Redis client
+rules.push({
+  id: 'REL-060', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Redis client without error event handler',
+  check({ files, stack }) {
+    if (!stack.dependencies?.['redis'] && !stack.dependencies?.['ioredis']) return [];
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/createClient\s*\(|new\s+Redis\s*\(/.test(c) && !/\.on\s*\(\s*['"]error['"]/.test(c)) {
+        findings.push({ ruleId: 'REL-060', category: 'reliability', severity: 'high', title: 'Redis client without error handler — connection errors will crash process', description: 'Add client.on("error", handler) to handle Redis connection errors gracefully.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-061: Mongoose connection without error handler
+rules.push({
+  id: 'REL-061', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Mongoose connection without error event handler',
+  check({ files, stack }) {
+    if (!stack.dependencies?.['mongoose']) return [];
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/mongoose\.connect\s*\(/.test(c) && !/mongoose\.connection\.on\s*\(\s*['"]error['"]|\.catch\s*\(/.test(c)) {
+        findings.push({ ruleId: 'REL-061', category: 'reliability', severity: 'high', title: 'mongoose.connect() without error handling', description: 'Add .catch() or mongoose.connection.on("error") to handle connection failures.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-062: Missing null check on configuration values
+rules.push({
+  id: 'REL-062', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Configuration value used without null/undefined guard',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/config\.\w+\.\w+/.test(lines[i]) && !/config\?\.|config\.\w+\?\./.test(lines[i]) && !/if\s*\(config|config &&/.test(lines[i])) {
+          findings.push({ ruleId: 'REL-062', category: 'reliability', severity: 'medium', title: 'Config property access without null guard — may throw on missing config', description: 'Use optional chaining (config?.section?.key) or validate config at startup.', file: fp, line: i + 1, fix: null });
+          break;
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-063: Unclosed database cursor/transaction
+rules.push({
+  id: 'REL-063', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Database transaction started without try/finally',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:beginTransaction|startTransaction|transaction\.begin|sequelize\.transaction)\s*\(/.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+          if (!/finally\s*\{/.test(body)) findings.push({ ruleId: 'REL-063', category: 'reliability', severity: 'high', title: 'Database transaction without try/finally — may not rollback on error', description: 'Wrap transactions in try/catch/finally and call rollback() in the finally block.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-064: Missing fallback value for external service response
+rules.push({
+  id: 'REL-064', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'External API response used without fallback/default',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/const\s+\{[^}]+\}\s*=\s*(?:await\s+)?axios\./.test(lines[i]) || /const\s+\w+\s*=\s*(?:await\s+)?axios\./.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+          if (!/\|\||fallback|default|catch|try/.test(block)) findings.push({ ruleId: 'REL-064', category: 'reliability', severity: 'medium', title: 'External service response without fallback — may fail without graceful degradation', description: 'Add default values or fallback behavior for external API responses.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-065: Missing port conflict handling
+rules.push({
+  id: 'REL-065', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Server listen() without EADDRINUSE error handler',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/\.listen\s*\(/.test(c) && !/EADDRINUSE|address already in use/i.test(c)) {
+        findings.push({ ruleId: 'REL-065', category: 'reliability', severity: 'medium', title: 'server.listen() without EADDRINUSE handler — port conflicts cause unhandled crash', description: 'Add server.on("error") handler to detect EADDRINUSE and either retry on another port or exit cleanly.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-066: Child process spawn without error handling
+rules.push({
+  id: 'REL-066', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Child process without error event handler',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:spawn|fork|execFile)\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+          if (!/\.on\s*\(\s*['"]error['"]|\.catch\s*\(/.test(block)) findings.push({ ruleId: 'REL-066', category: 'reliability', severity: 'high', title: 'Child process without error handler — spawn errors are silently ignored', description: 'Add child.on("error") handler to detect spawn failures.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-067: Race condition with shared file access
+rules.push({
+  id: 'REL-067', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'File existence check followed by operation — TOCTOU race condition',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/fs\.(?:existsSync|access(?:Sync)?)\s*\(/.test(lines[i])) {
+          const block = lines.slice(i, Math.min(lines.length, i + 5)).join('\n');
+          if (/fs\.(?:readFile|writeFile|unlink|rename)/.test(block)) findings.push({ ruleId: 'REL-067', category: 'reliability', severity: 'medium', title: 'Check-then-act file pattern — TOCTOU race condition', description: 'Avoid check-then-act patterns with files. Use try/catch on the operation directly instead of pre-checking existence.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-068: Lack of idempotency in critical operations
+rules.push({
+  id: 'REL-068', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Payment/billing operation without idempotency key',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/stripe\.|paypal\.|braintree\./i.test(c) && !/idempotency|idempotencyKey|idempotent/i.test(c)) {
+        findings.push({ ruleId: 'REL-068', category: 'reliability', severity: 'medium', title: 'Payment API calls without idempotency key — duplicate charges on retry', description: 'Pass idempotency keys to payment API calls to prevent duplicate transactions on network retries.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-069: Missing dead letter queue configuration
+rules.push({
+  id: 'REL-069', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Message queue consumer without dead letter queue',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      if (/(?:sqs|rabbitmq|amqp|kafka)\b/i.test(c) && /consume|subscribe|consumer/i.test(c) && !/dead.?letter|dlq|DLQ|deadletter/i.test(c)) {
+        findings.push({ ruleId: 'REL-069', category: 'reliability', severity: 'medium', title: 'Message queue consumer without dead letter queue configuration', description: 'Configure a dead letter queue for failed messages to prevent infinite retry loops and data loss.', file: fp, fix: null });
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-070: Missing input validation on webhook payloads
+rules.push({
+  id: 'REL-070', category: 'reliability', severity: 'high', confidence: 'likely', title: 'Webhook handler without payload signature verification',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:router|app)\.post\s*\([^)]*webhook/i.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 20)).join('\n');
+          if (!/signature|hmac|secret|x-hub-signature|stripe-signature|verify/i.test(body)) findings.push({ ruleId: 'REL-070', category: 'reliability', severity: 'high', title: 'Webhook endpoint without signature verification', description: 'Verify webhook payloads using HMAC signatures to prevent spoofed events.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});
+
+// REL-071: Missing health check dependencies
+rules.push({
+  id: 'REL-071', category: 'reliability', severity: 'medium', confidence: 'likely', title: 'Health check endpoint does not check DB/cache connectivity',
+  check({ files }) {
+    const findings = [];
+    for (const [fp, c] of files) {
+      if (!isSourceFile(fp)) continue;
+      const lines = c.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:router|app)\.get\s*\([^)]*(?:health|ping|status)['"]/i.test(lines[i])) {
+          const body = lines.slice(i, Math.min(lines.length, i + 15)).join('\n');
+          if (!/db\.|mongoose\.|redis\.|sequelize\.|pool\.|ping/i.test(body)) findings.push({ ruleId: 'REL-071', category: 'reliability', severity: 'medium', title: 'Health check endpoint does not verify dependency connectivity', description: 'Include database and cache connectivity checks in health endpoints for accurate load balancer health status.', file: fp, line: i + 1, fix: null });
+        }
+      }
+    }
+    return findings;
+  },
+});