lemmaly 0.1.0

package/cli/lemmaly.js

@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const RULES_DIR = path.join(__dirname, '..', 'rules');
+const IGNORED_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '.next', '.turbo', 'coverage', '__pycache__', '.venv', 'venv']);
+
+const COLOR = {
+  error: '\x1b[31m',
+  warning: '\x1b[33m',
+  info: '\x1b[36m',
+  dim: '\x1b[2m',
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+};
+
+function loadRules() {
+  const byExt = new Map();
+  const seen = new Set();
+  for (const f of fs.readdirSync(RULES_DIR)) {
+    if (!f.endsWith('.json')) continue;
+    const data = JSON.parse(fs.readFileSync(path.join(RULES_DIR, f), 'utf8'));
+    for (const ext of data.extensions) {
+      const list = byExt.get(ext) || [];
+      list.push(...data.rules);
+      byExt.set(ext, list);
+    }
+    for (const r of data.rules) seen.add(r.id);
+  }
+  return { byExt, total: seen.size };
+}
+
+function walk(target, out = []) {
+  const stat = fs.statSync(target);
+  if (stat.isFile()) { out.push(target); return out; }
+  for (const entry of fs.readdirSync(target, { withFileTypes: true })) {
+    if (entry.name.startsWith('.') && entry.name !== '.github') continue;
+    if (IGNORED_DIRS.has(entry.name)) continue;
+    const p = path.join(target, entry.name);
+    if (entry.isDirectory()) walk(p, out);
+    else out.push(p);
+  }
+  return out;
+}
+
+function lineOf(content, idx) {
+  let line = 1;
+  for (let i = 0; i < idx; i++) if (content.charCodeAt(i) === 10) line++;
+  return line;
+}
+
+function scanFile(file, byExt) {
+  const ext = path.extname(file).toLowerCase();
+  const rules = byExt.get(ext);
+  if (!rules || rules.length === 0) return [];
+  let content;
+  try { content = fs.readFileSync(file, 'utf8'); } catch { return []; }
+  const findings = [];
+  for (const rule of rules) {
+    let re;
+    try {
+      const flags = rule.flags || 'g';
+      re = new RegExp(rule.pattern, flags.includes('g') ? flags : flags + 'g');
+    } catch (e) {
+      console.error(`${COLOR.warning}rule ${rule.id} has invalid regex: ${e.message}${COLOR.reset}`);
+      continue;
+    }
+    for (const m of content.matchAll(re)) {
+      findings.push({ file, line: lineOf(content, m.index), rule });
+    }
+  }
+  return findings;
+}
+
+function printFindings(findings, rel) {
+  const counts = { error: 0, warning: 0, info: 0 };
+  for (const f of findings) counts[f.rule.severity] = (counts[f.rule.severity] || 0) + 1;
+
+  const order = { error: 0, warning: 1, info: 2 };
+  findings.sort((a, b) => {
+    const s = order[a.rule.severity] - order[b.rule.severity];
+    if (s !== 0) return s;
+    if (a.file !== b.file) return a.file.localeCompare(b.file);
+    return a.line - b.line;
+  });
+
+  for (const f of findings) {
+    const c = COLOR[f.rule.severity] || '';
+    const loc = `${rel(f.file)}:${f.line}`;
+    console.log(`${c}${f.rule.severity.toUpperCase().padEnd(7)}${COLOR.reset} ${loc}  ${COLOR.bold}${f.rule.id}${COLOR.reset}`);
+    console.log(`        ${f.rule.title}`);
+    if (f.rule.fix) console.log(`        ${COLOR.dim}-> ${f.rule.fix}${COLOR.reset}`);
+  }
+  return counts;
+}
+
+function main() {
+  const argv = process.argv.slice(2);
+  const cmd = argv[0];
+
+  if (!cmd || cmd === '-h' || cmd === '--help') {
+    console.log(`lemmaly — algorithmic anti-pattern scanner
+
+Usage:
+  lemmaly scan <path>        Scan a file or directory.
+  lemmaly rules              List all loaded rules.
+  lemmaly --help             Show this message.
+
+Exit codes:
+  0  no errors
+  1  one or more 'error'-severity findings`);
+    process.exit(0);
+  }
+
+  const { byExt, total } = loadRules();
+
+  if (cmd === 'rules') {
+    const printed = new Set();
+    for (const list of byExt.values()) {
+      for (const r of list) {
+        if (printed.has(r.id)) continue;
+        printed.add(r.id);
+        const c = COLOR[r.severity] || '';
+        console.log(`${c}${r.severity.padEnd(7)}${COLOR.reset} ${r.id.padEnd(34)} ${r.title}`);
+      }
+    }
+    console.log(`\n${printed.size} rules loaded.`);
+    process.exit(0);
+  }
+
+  if (cmd !== 'scan') {
+    console.error(`unknown command: ${cmd}`);
+    process.exit(2);
+  }
+
+  const target = path.resolve(argv[1] || '.');
+  if (!fs.existsSync(target)) {
+    console.error(`path not found: ${target}`);
+    process.exit(2);
+  }
+
+  const files = walk(target);
+  const findings = [];
+  for (const f of files) findings.push(...scanFile(f, byExt));
+
+  const rel = (p) => path.relative(process.cwd(), p) || p;
+  const counts = printFindings(findings, rel);
+
+  const totalFindings = (counts.error || 0) + (counts.warning || 0) + (counts.info || 0);
+  console.log('');
+  if (totalFindings === 0) {
+    console.log(`${COLOR.info}clean${COLOR.reset} — scanned ${files.length} files against ${total} rules.`);
+  } else {
+    const e = counts.error || 0, w = counts.warning || 0, i = counts.info || 0;
+    console.log(`${COLOR.error}${e} errors${COLOR.reset}, ${COLOR.warning}${w} warnings${COLOR.reset}, ${COLOR.info}${i} info${COLOR.reset} across ${files.length} files (${total} rules).`);
+  }
+  process.exit((counts.error || 0) > 0 ? 1 : 0);
+}
+
+main();

package/commands/benchmark.md

@@ -0,0 +1,40 @@
+---
+description: Write and run a micro-benchmark that produces a real, reproducible number for a code path.
+---
+
+# /benchmark <path>
+
+No number without measurement. This command produces the number.
+
+## Procedure
+
+1. **Identify the unit under test.** A function, an endpoint, a query. Smaller is better.
+2. **Pick a runner.**
+   - JS/TS: `tinybench` or hand-rolled `performance.now()` with warmup.
+   - Python: `pytest-benchmark` or `timeit` with N runs.
+   - SQL: `EXPLAIN ANALYZE` against a realistic dataset.
+3. **Generate a representative fixture.** Size, distribution, and shape matching production. State the `n`.
+4. **Warm up.** At least 10 throwaway iterations before measuring (JIT, cache).
+5. **Run >= 30 iterations.** Report median + p95, not mean.
+6. **State the environment.** Node/Python version, machine, whether other load was running.
+
+## Output format
+
+```
+benchmark: getUserFeed
+fixture:   n=10,000 posts, 50 follows, warm DB
+runs:      100
+median:    142 ms
+p95:       189 ms
+env:       Node 22.4, M3 Pro, idle
+
+variant A (sequential)   median 142 ms / p95 189 ms
+variant B (Promise.all)  median  47 ms / p95  63 ms  ← 3.0x median
+```
+
+## Forbidden
+
+- Reporting a single run.
+- Reporting mean without p95 (means lie about tails).
+- Comparing variants on different fixtures or different machines.
+- Rounding to make a number prettier.

package/commands/budget.md

@@ -0,0 +1,53 @@
+---
+description: Define a measurable performance budget for a surface so future changes can be checked against it.
+---
+
+# /budget <surface>
+
+Without a budget, "fast enough" is a vibe. With a budget, it's a checkable claim.
+
+## Procedure
+
+1. **Pick the surface.** A page, an endpoint, a job. One at a time.
+2. **Pick the right metrics for it.**
+
+   | Surface | Metrics |
+   |---------|---------|
+   | Page (web) | LCP, INP, CLS, JS bundle KB, # of requests |
+   | API endpoint | p50, p95, p99 latency under target RPS; allocations/request |
+   | Background job | wall-clock per batch; memory peak; rows/sec |
+   | Database query | EXPLAIN cost; rows examined; whether an index is used |
+
+3. **Set numeric thresholds.** Tied to user-facing target.
+   - "INP < 200ms p95 at 4G throttling."
+   - "POST /orders < 250ms p99 at 200 RPS warm."
+4. **Write the budget into a file** at `perf-budgets/<surface>.md` so `/ship-check` can read it. Include date and rationale.
+
+## Output template
+
+```markdown
+# Budget: POST /api/orders
+Set: 2026-05-22
+Owner: morse
+
+Target users: 95% should see < 250ms p99 at peak (200 RPS).
+
+Budget:
+  latency p50  <= 80ms
+  latency p95  <= 180ms
+  latency p99  <= 250ms
+  DB queries per request  <= 4
+  allocations per request <= 50 KB
+
+Rationale:
+  Peak measured at 180 RPS, growing 30%/quarter. Headroom for 2x.
+
+Measured today (median of 100 runs):
+  p50 62ms, p95 140ms, p99 210ms — within budget.
+```
+
+## Reject
+
+- Budgets stated as percentages ("30% faster") without absolute numbers.
+- Budgets without a measurement method.
+- Budgets set without acknowledging current measured baseline.

package/commands/complexity.md

@@ -0,0 +1,26 @@
+---
+description: Declare time and space complexity before writing the body. Force the cost into comments first.
+---
+
+# /complexity <signature>
+
+State the cost before the code exists. No "should be O(log n)" without a derivation.
+
+## Procedure
+
+1. **Read the signature.** Identify the input that drives `n`. If there are several, name them (`n` users × `m` events).
+2. **Derive time complexity.** Walk every loop, recursion, and library call. Sum the dominant term.
+3. **Derive space complexity.** Count allocations that scale with `n`. Constant-size temporaries don't count.
+4. **Name the data structure.** Set, Map, heap, deque — declare what shape the data sits in before the loop.
+5. **State the loop invariant.** One sentence: what stays true on every iteration.
+6. **Write three header comments** at the top of the body:
+   - `// Time: O(?)  Space: O(?)`
+   - `// Structure: <name> for <reason>`
+   - `// Invariant: <what stays true>`
+7. **Only then write the body.**
+
+## Forbidden
+
+- Writing the body first and back-filling the comments.
+- "Should be O(log n)" without naming the recurrence.
+- Choosing a structure by reflex (`Array.includes` for membership, nested `for` for joins).

package/commands/cut.md

@@ -0,0 +1,27 @@
+---
+description: Apply the corrective playbook to slow code. Match the pattern, lower the dominant term, re-derive cost.
+---
+
+# /cut <function-or-path>
+
+Cut the dominant term. One change. Re-derive the cost. Keep the output identical.
+
+## Procedure
+
+1. **Read the current code.** State current time and space complexity.
+2. **Match the anti-pattern.** Common shapes:
+   - Nested scan over two collections → **index the inner sequence, scan the outer once.**
+   - `Array.includes` / `indexOf` inside a loop → **Set/Map for O(1) lookup.**
+   - Repeated query inside a loop → **batched `IN (...)` or a join.**
+   - Recursive scan with repeated subproblems → **memoize or convert to iterative DP.**
+   - Sort inside a hot path → **sort once, reuse.**
+3. **Apply the playbook.** One change. Don't bundle. Don't "while I was in there."
+4. **Re-derive cost.** Write `// Was: O(?) · Now: O(?)` as a header comment.
+5. **Prove same output.** Run the existing tests, or write one if none exists.
+6. **Hand to `/benchmark`** to confirm the win is real before claiming it.
+
+## Forbidden
+
+- Speculative micro-optimizations that don't move the dominant term.
+- Changing the function's contract while "fixing" it.
+- Claiming the cut worked without a measurement.

package/commands/hotpath.md

@@ -0,0 +1,22 @@
+---
+description: Drill into a single hot path and propose a concrete optimization with measured before/after.
+---
+
+# /hotpath <name-or-path>
+
+Focus on one path. Don't drift.
+
+## Procedure
+
+1. **Read the path end-to-end.** Trace every I/O, allocation, and loop.
+2. **State current complexity.** Time and space, in terms of the path's `n`.
+3. **State the bottleneck in one sentence.** "Dominated by N sequential DB queries inside the items loop."
+4. **Propose ONE change.** The smallest change that moves the dominant term. No bundles.
+5. **Write a benchmark.** Use `/benchmark` to capture before/after with the same input fixture.
+6. **Report measured delta.** Refuse to claim improvement without numbers.
+
+## Forbidden
+
+- Speculative micro-optimizations after the dominant term is fixed.
+- "While I was in there" refactors.
+- "This is faster" without a benchmark.

package/commands/invariant.md

@@ -0,0 +1,22 @@
+---
+description: State loop invariant, base case, and termination measure before writing the body of a loop or recursion.
+---
+
+# /invariant <function-or-loop>
+
+Prove the loop is correct on paper before running a single test.
+
+## Procedure
+
+1. **Identify the iterative structure.** A loop, a recursion, or a fold.
+2. **State the invariant.** One sentence describing a property that holds **before each iteration**. Example: "`seen` contains every element of `xs[0..i)`."
+3. **State the base case.** What is true at iteration zero, or at the recursion's bottom. Cover empty input, single-element input, and unreachable branches.
+4. **State the termination measure.** A non-negative integer that strictly decreases each iteration. Example: "`hi - lo` decreases on every step."
+5. **Write all three as comments above the body.**
+6. **Sanity-check the boundary.** Walk the last iteration by hand. Off-by-one errors die here.
+
+## Forbidden
+
+- Recursion without a stated base case.
+- "Obviously terminates" — name the measure.
+- Skipping the empty-input case because "it won't happen in practice."

package/commands/n-plus-one.md

@@ -0,0 +1,20 @@
+---
+description: Find N+1 query / I/O patterns in the current path or repo, ranked by severity.
+---
+
+# /n-plus-one
+
+Find loops that issue one DB / HTTP / FS call per item. Load `references/n-plus-one.md` before reporting.
+
+## Procedure
+
+1. **Scan for I/O-in-loop patterns.** `for`/`forEach`/`map`/`while` with any of: `await db.`, `await fetch`, `await prisma.`, `.objects.get`, `session.query`, `User.find`, `axios.`, `fs.readFile`.
+2. **Classify each hit:**
+   - **Confirmed N+1** — issues one round-trip per iteration.
+   - **Hidden N+1** — `Promise.all(items.map(fetchOne))` still hits the backend N times.
+   - **False positive** — bounded `n <= 5`, or different backend per call, or comment explains why.
+3. **Output:** file:line — pattern — proposed fix (eager-load / IN-batch / DataLoader).
+
+## Refuse to "fix" inline
+
+Don't rewrite code in this command. Report. Let the user pick which to fix with `/hotpath`.

package/commands/profile.md

@@ -0,0 +1,34 @@
+---
+description: Locate the hot paths in this code/repo and rank them by expected impact.
+---
+
+# /profile
+
+Find what runs most, scales worst, and matters most. Do not optimize — only locate.
+
+## Procedure
+
+1. **Identify entry points.** HTTP routes, queue handlers, cron jobs, React page components, CLI commands.
+2. **For each entry point, classify:**
+   - Frequency: per request? per render? per frame? per startup?
+   - `n` it iterates over (ask the user if unknown — do not guess).
+   - I/O fan-out (DB queries, HTTP calls, file reads).
+3. **Rank by `frequency * n * cost-per-op`.** Output a ranked table.
+4. **Output, don't fix.** End with: "Use `/hotpath <name>` to drill into one."
+
+## Output format
+
+```
+HOT PATHS (ranked)
+
+#1  POST /api/orders.create
+    frequency:  per request, ~2k/min peak
+    n:          line_items (median 3, p99 40)
+    fan-out:    1 user lookup + 1 insert per item + 1 inventory check per item  ← N+1 risk
+    hypothesis: O(n) DB roundtrips, dominated by network
+
+#2  <UserListPage>
+    ...
+```
+
+Refuse to start optimizing in this command. Optimization is `/hotpath`.

package/commands/regress.md

@@ -0,0 +1,43 @@
+---
+description: Diff performance characteristics of a path before and after a change. Flag regressions.
+---
+
+# /regress <path>
+
+A regression is a measured slowdown vs a baseline. This command produces the diff.
+
+## Procedure
+
+1. **Identify the baseline.** A git ref (commit, branch, tag) where the path was acceptable.
+2. **Run `/benchmark` on baseline.** Capture median + p95 with a stated fixture.
+3. **Run `/benchmark` on HEAD.** Same fixture. Same machine. Same load.
+4. **Compute deltas.**
+   - Absolute: `HEAD - baseline` in ms.
+   - Relative: `(HEAD - baseline) / baseline` as a percentage.
+5. **Decide.**
+   - Slower by > 10% or > budget threshold → regression. Block.
+   - Slower within noise (< 5%) → flag, allow.
+   - Faster → record the new number as the next baseline.
+
+## Output format
+
+```
+path: GET /api/users/:id
+fixture: warm DB, n_friends=200, n_posts=500
+runs: 100 each
+
+                 baseline   HEAD     delta
+median           28 ms      41 ms    +13 ms (+46%)   ← REGRESSION
+p95              42 ms      78 ms    +36 ms (+86%)   ← REGRESSION
+DB queries       3          14                       ← N+1 introduced
+
+Likely cause:
+  commit abc1234 added per-friend profile fetch.
+  See user-service.ts:84 — `for (const f of friends) await getProfile(f.id)`.
+```
+
+## Forbidden
+
+- Comparing runs across different machines or load conditions.
+- Calling something "noise" without running enough iterations to establish the noise floor (>= 30 runs).
+- "Acceptable regression" without an explicit user-visible justification.

package/commands/scale-check.md

@@ -0,0 +1,37 @@
+---
+description: Project this code to 10x its current scale and name what breaks first.
+---
+
+# /scale-check
+
+What works at today's `n` may not at 10x. This command names the first thing to break.
+
+## Procedure
+
+1. **Ask: "What is `n` today, and what's 10x?"** If the user doesn't know, refuse to speculate — ask them to estimate.
+2. **For each operation in the path, compute cost at 10x.**
+   - O(n) at n=1k → 10ms turns into 100ms.
+   - O(n^2) at n=1k → seconds turn into minutes.
+   - O(n) DB roundtrips at 50 → 500 → connection pool exhausted, not just slower.
+3. **Identify the first breaking constraint.**
+   - Latency budget exceeded?
+   - Memory pressure (RSS / heap)?
+   - DB connection pool / query timeout?
+   - Rate limit on an external service?
+   - Event-loop blocked > 200ms?
+4. **Output: ONE thing to fix first.** Plus what becomes the next bottleneck after that.
+
+## Output template
+
+```
+At 1x (n = 5k):  total ~120ms, fine.
+At 10x (n = 50k): total ~2.1s, REQUEST TIMEOUT.
+
+First failure mode:
+  N+1 queries in items loop → connection pool exhausted at ~200 concurrent reqs.
+
+Fix: batch with `WHERE id IN (...)`.
+
+After the fix, next bottleneck:
+  JSON.stringify of full result on response — ~150ms blocking. Stream the response.
+```

package/commands/ship-check.md

@@ -0,0 +1,26 @@
+---
+description: Pre-deploy performance audit. Block the ship if a critical issue is unaddressed.
+---
+
+# /ship-check
+
+Run before merging or deploying changes that touch a hot path.
+
+## Checklist (the model must answer each, on the record)
+
+1. **Touched hot paths.** Which routes / components / queries changed?
+2. **N+1 audit.** Did you scan changed files with `/n-plus-one`? Result?
+3. **Complexity statement.** For each non-trivial new function: time + space, in terms of `n`. Pasted above the function.
+4. **Bench numbers.** Any claim of "faster"/"same"/"acceptable" backed by a `/benchmark` run? Number pasted.
+5. **Scale check.** What breaks first at 10x? (`/scale-check`)
+6. **Memory.** New unbounded caches? New listeners without cleanup? New large buffers?
+7. **Frontend specifically.** New inline objects/functions as memoized-child props? Effects with object deps? Lists > 200 items not virtualized?
+8. **Budget.** Does this fit the `/budget` set for this surface?
+
+## Severity gates
+
+- **Block ship:** confirmed N+1 in a request handler, unbounded cache keyed by user input, sync block > 200ms on main thread, no benchmark for a performance-justified change.
+- **Warn, ship allowed:** "fine at today's n, breaks at 10x" with a tracking issue filed.
+- **OK:** all of the above answered and either green or accepted with a comment.
+
+Refuse to give a green light if (4) is missing for any change pitched as a performance win.

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "lemmaly",
+  "version": "0.1.0",
+  "description": "Algorithm-first discipline layer that makes AI coding assistants think like a computer scientist before writing code. Catches O(n^2) loops, N+1 queries, missed base cases, brute-force solutions, and unjustified complexity claims. Pairs with mathguard, invariant-guard, and complexity-cuts.",
+  "bin": {
+    "lemmaly": "cli/lemmaly.js"
+  },
+  "scripts": {
+    "scan": "node cli/lemmaly.js scan .",
+    "test": "node test/run.js && node test/consistency.js && node tests/skill-triggering/run.js",
+    "test:rules": "node test/run.js",
+    "test:consistency": "node test/consistency.js",
+    "test:triggering": "node tests/skill-triggering/run.js",
+    "gen:rule-docs": "node cli/gen-rule-docs.js",
+    "gen:agents-md": "node cli/gen-agents-md.js",
+    "gen": "npm run gen:rule-docs && npm run gen:agents-md"
+  },
+  "keywords": [
+    "algorithms",
+    "complexity",
+    "big-o",
+    "performance",
+    "claude",
+    "cursor",
+    "skill",
+    "linter",
+    "static-analysis",
+    "n-plus-one",
+    "computer-science"
+  ],
+  "author": "Morse Chimwai",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/morsechimwai/lemmaly"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "cli/",
+    "rules/",
+    "skills/",
+    "commands/",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/rules/cpp.json

@@ -0,0 +1,46 @@
+{
+  "language": "cpp",
+  "extensions": [".cpp", ".cc", ".cxx", ".hpp", ".hh", ".hxx"],
+  "rules": [
+    {
+      "id": "cpp-vector-push-no-reserve",
+      "severity": "info",
+      "title": "vector push_back in loop without reserve() — log-amortized reallocation",
+      "pattern": "std::vector<[^>]+>\\s+(\\w+)\\s*;(?:(?!\\.reserve\\s*\\()[\\s\\S]){0,300}?\\bfor\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,200}?\\1\\.push_back\\s*\\(",
+      "flags": "g",
+      "fix": "Call `v.reserve(n)` before the loop when n is known."
+    },
+    {
+      "id": "cpp-string-concat-in-loop",
+      "severity": "warning",
+      "title": "std::string += inside loop — O(n^2) without reserve()",
+      "pattern": "std::string\\s+\\w+\\s*;[\\s\\S]{0,200}?\\bfor\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,200}?\\w+\\s*\\+=\\s*",
+      "flags": "g",
+      "fix": "Call `s.reserve(total)` once if size known, or accumulate into a `std::ostringstream` and call `.str()` at the end."
+    },
+    {
+      "id": "cpp-raw-new",
+      "severity": "warning",
+      "title": "Raw `new` outside of smart-pointer ctor — manual delete, exception-unsafe",
+      "pattern": "\\bnew\\s+[A-Za-z_][\\w:]*\\s*(?:\\(|\\[)",
+      "flags": "g",
+      "fix": "Use `std::make_unique<T>(...)` or `std::make_shared<T>(...)`. Reserve raw `new` for placement-new or interop with C APIs."
+    },
+    {
+      "id": "cpp-range-loop-copy",
+      "severity": "info",
+      "title": "Range-for `auto x` copies each element — use `const auto&` for non-trivial types",
+      "pattern": "for\\s*\\(\\s*auto\\s+\\w+\\s*:\\s*\\w+\\s*\\)",
+      "flags": "g",
+      "fix": "Prefer `for (const auto& x : container)` unless you intentionally need a copy."
+    },
+    {
+      "id": "cpp-map-double-lookup",
+      "severity": "info",
+      "title": "map.count(k) then map[k] — two lookups; use find()",
+      "pattern": "\\.count\\s*\\(\\s*(\\w+)\\s*\\)[\\s\\S]{0,80}?\\[\\s*\\1\\s*\\]",
+      "flags": "g",
+      "fix": "Use `auto it = m.find(k); if (it != m.end()) use(it->second);` — one lookup."
+    }
+  ]
+}

package/rules/csharp.json

@@ -0,0 +1,38 @@
+{
+  "language": "csharp",
+  "extensions": [".cs"],
+  "rules": [
+    {
+      "id": "cs-string-concat-in-loop",
+      "severity": "warning",
+      "title": "string += inside loop — O(n^2) on immutable string",
+      "pattern": "\\bfor(?:each)?\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,300}?\\b\\w+\\s*\\+=\\s*[\"'\\w]",
+      "flags": "g",
+      "fix": "Use StringBuilder: `var sb = new StringBuilder(); foreach (...) sb.Append(x); sb.ToString();`"
+    },
+    {
+      "id": "cs-list-contains-in-loop",
+      "severity": "warning",
+      "title": "List.Contains inside LINQ/loop — O(n*m); use HashSet<T>",
+      "pattern": "\\.(Where|Select|Any|All|Count)\\s*\\([\\s\\S]{0,200}?\\.Contains\\s*\\(",
+      "flags": "g",
+      "fix": "Convert to HashSet once: `var s = new HashSet<T>(list); s.Contains(x);`"
+    },
+    {
+      "id": "cs-async-void",
+      "severity": "error",
+      "title": "async void — exceptions are unobserved and crash the process",
+      "pattern": "\\b(?:public|private|protected|internal|static)\\s+(?:[a-zA-Z]+\\s+)*async\\s+void\\s+(?!On[A-Z])",
+      "flags": "g",
+      "fix": "Return Task. async void is only acceptable for true event handlers (OnClick, etc.)."
+    },
+    {
+      "id": "cs-disposable-no-using",
+      "severity": "warning",
+      "title": "IDisposable allocated without using — leak on exception",
+      "pattern": "(?<!using\\s)(?<!using\\s+var\\s+\\w+\\s*=\\s*)\\bnew\\s+(?:FileStream|StreamReader|StreamWriter|SqlConnection|HttpClient|MemoryStream)\\s*\\(",
+      "flags": "g",
+      "fix": "Wrap in `using var x = new ...;` or `using (var x = ...) { }`."
+    }
+  ]
+}