prodlint 0.2.2 → 0.3.1

package/dist/index.js

@@ -67,6 +67,51 @@ function isLineSuppressed(lines, lineIndex, ruleId) {
   }
   return false;
 }
+function isTestFile(relativePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
+}
+function isScriptFile(relativePath) {
+  return /(?:^|\/)scripts?\//.test(relativePath);
+}
+function isConfigFile(relativePath) {
+  const name = relativePath.split("/").pop() ?? "";
+  return /\.config\.[jt]sx?$/.test(name) || /\.config\.(mjs|cjs)$/.test(name) || name.startsWith(".env") || name === "next.config.js" || name === "next.config.ts" || name === "next.config.mjs" || name === "tailwind.config.ts" || name === "tailwind.config.js" || name === "postcss.config.js" || name === "postcss.config.mjs" || name === "tsconfig.json" || name === "jest.config.ts" || name === "jest.config.js" || name === "vitest.config.ts" || name === "vitest.config.mts";
+}
+function findLoopBodies(lines, commentMap) {
+  const results = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (commentMap[i]) continue;
+    const trimmed = lines[i].trim();
+    const isLoop = /^\s*(for\s*\(|for\s+await\s*\(|while\s*\()/.test(lines[i]) || /\.(forEach|map)\s*\(/.test(trimmed);
+    if (!isLoop) continue;
+    let braceCount = 0;
+    let bodyStart = -1;
+    let foundOpen = false;
+    for (let j = i; j < lines.length; j++) {
+      if (commentMap[j]) continue;
+      const line = lines[j];
+      for (let k = 0; k < line.length; k++) {
+        const ch = line[k];
+        if (ch === "{") {
+          if (!foundOpen) {
+            bodyStart = j;
+            foundOpen = true;
+          }
+          braceCount++;
+        } else if (ch === "}") {
+          braceCount--;
+          if (foundOpen && braceCount === 0) {
+            results.push({ loopLine: i, bodyStart, bodyEnd: j });
+            i = j;
+            j = lines.length;
+            break;
+          }
+        }
+      }
+    }
+  }
+  return results;
+}
 var NODE_BUILTINS = /* @__PURE__ */ new Set([
   "assert",
   "async_hooks",
@@ -400,6 +445,7 @@ var hallucinatedImportsRule = {
     if (!project.packageJson) return [];
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
+    const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -420,7 +466,7 @@ var hallucinatedImportsRule = {
           line: i + 1,
           column: match.index + 1,
           message: `Package "${pkgName}" is imported but not in package.json`,
-          severity: "critical",
+          severity: isNonProd ? "warning" : "critical",
           category: "reliability"
         });
       }
@@ -566,64 +612,31 @@ var envExposureRule = {
 var errorHandlingRule = {
   id: "error-handling",
   name: "Missing Error Handling",
-  description: "Detects API routes without try/catch and empty catch blocks",
+  description: "Detects API routes without try/catch",
   category: "reliability",
   severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
-    const findings = [];
-    if (isApiRoute(file.relativePath)) {
-      const hasTryCatch = /try\s*\{/.test(file.content);
-      if (!hasTryCatch) {
-        let handlerLine = 1;
-        for (let i = 0; i < file.lines.length; i++) {
-          if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
-            handlerLine = i + 1;
-            break;
-          }
-        }
-        findings.push({
-          ruleId: "error-handling",
-          file: file.relativePath,
-          line: handlerLine,
-          column: 1,
-          message: "API route handler has no try/catch block",
-          severity: "warning",
-          category: "reliability"
-        });
-      }
-    }
+    if (!isApiRoute(file.relativePath)) return [];
+    const hasFrameworkServe = /\bserve\s*\(/.test(file.content) || /createTRPCHandle/.test(file.content) || /fetchRequestHandler/.test(file.content);
+    const hasTryCatch = /try\s*\{/.test(file.content);
+    if (hasTryCatch || hasFrameworkServe) return [];
+    let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
-      if (isCommentLine(file.lines, i, file.commentMap)) continue;
-      const line = file.lines[i];
-      if (/catch\s*(\([^)]*\))?\s*\{\s*\}/.test(line)) {
-        findings.push({
-          ruleId: "error-handling",
-          file: file.relativePath,
-          line: i + 1,
-          column: line.indexOf("catch") + 1,
-          message: "Empty catch block silently swallows errors",
-          severity: "warning",
-          category: "reliability"
-        });
-        continue;
-      }
-      if (/catch\s*(\([^)]*\))?\s*\{\s*$/.test(line)) {
-        const nextLine = file.lines[i + 1]?.trim();
-        if (nextLine === "}") {
-          findings.push({
-            ruleId: "error-handling",
-            file: file.relativePath,
-            line: i + 1,
-            column: line.indexOf("catch") + 1,
-            message: "Empty catch block silently swallows errors",
-            severity: "warning",
-            category: "reliability"
-          });
-        }
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
       }
     }
-    return findings;
+    return [{
+      ruleId: "error-handling",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "API route handler has no try/catch block",
+      severity: "warning",
+      category: "reliability"
+    }];
   }
 };
 
@@ -642,7 +655,11 @@ var VALIDATION_PATTERNS = [
   /ajv/i,
   /typebox/i,
   /valibot/i,
-  /typeof\s+.*body/
+  /typeof\s+.*body/,
+  // Inline guard clauses on parsed body/data (\b prevents matching inside metadata, database, etc.)
+  /if\s*\(\s*!\b(body|data)\b\./,
+  /\b(body|data)\b\?\.\w+\s*(!==|===)/,
+  /typeof\s+\b(body|data)\b/
 ];
 var BODY_ACCESS_PATTERNS = [
   /req\.body/,
@@ -730,7 +747,7 @@ var rateLimitingRule = {
       file: file.relativePath,
       line: handlerLine,
       column: 1,
-      message: "API route has no rate limiting",
+      message: "No rate limiting \u2014 anyone could spam this endpoint and run up your API costs",
       severity: "warning",
       category: "security"
     }];
@@ -811,6 +828,8 @@ var aiSmellsRule = {
   severity: "info",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
     const findings = [];
     let consoleLogCount = 0;
     let anyTypeCount = 0;
@@ -914,6 +933,14 @@ var unsafeHtmlRule = {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
       if (/dangerouslySetInnerHTML\s*=/.test(line) || /dangerouslySetInnerHTML\s*:/.test(line)) {
+        const context = [line];
+        for (let j = 1; j <= 2 && i + j < file.lines.length; j++) {
+          const nextLine = file.lines[i + j];
+          if (/^\s*<[^/]|^\s*(const|let|var|return|export|import)\s/.test(nextLine)) break;
+          context.push(nextLine);
+        }
+        const expr = context.join(" ");
+        if (/__html\s*:\s*JSON\.stringify/.test(expr)) continue;
         findings.push({
           ruleId: "unsafe-html",
           file: file.relativePath,
@@ -980,19 +1007,1031 @@ var sqlInjectionRule = {
   }
 };
 
+// src/rules/placeholder-content.ts
+var PLACEHOLDERS = [
+  { pattern: /Lorem ipsum/i, label: "Lorem ipsum placeholder text" },
+  { pattern: /example@example\.com/, label: 'Placeholder email "example@example.com"' },
+  { pattern: /user@example\.com/, label: 'Placeholder email "user@example.com"' },
+  { pattern: /test@test\.com/, label: 'Placeholder email "test@test.com"' },
+  { pattern: /['"]John Doe['"]/, label: 'Placeholder name "John Doe"' },
+  { pattern: /['"]Jane Doe['"]/, label: 'Placeholder name "Jane Doe"' },
+  { pattern: /['"]password123['"]/, label: 'Placeholder password "password123"' },
+  { pattern: /['"]changeme['"]/, label: 'Placeholder value "changeme"' },
+  { pattern: /['"]your-api-key-here['"]/, label: "Placeholder API key" },
+  { pattern: /['"]replace-with-['"]/, label: 'Placeholder "replace-with-" value' },
+  { pattern: /['"]xxx+['"]/, label: 'Placeholder "xxx" value' },
+  { pattern: /['"]TODO:?\s*replace['"/]/i, label: "TODO replace placeholder" }
+];
+var placeholderContentRule = {
+  id: "placeholder-content",
+  name: "Placeholder Content",
+  description: "Detects Lorem ipsum, example emails, placeholder names, and dummy values in non-test files",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, label } of PLACEHOLDERS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "placeholder-content",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: label,
+            severity: "info",
+            category: "ai-quality"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/stale-fallback.ts
+var STALE_PATTERNS = [
+  { pattern: /['"]http:\/\/localhost:\d+['"]/, label: "Hardcoded localhost URL" },
+  { pattern: /['"]https?:\/\/127\.0\.0\.1[:'"]/, label: "Hardcoded 127.0.0.1 URL" },
+  { pattern: /['"]redis:\/\/localhost['"]/, label: "Hardcoded Redis localhost URL" },
+  { pattern: /['"]mongodb:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]mongodb\+srv:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]postgres:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]postgresql:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]amqp:\/\/localhost['"]/, label: "Hardcoded AMQP localhost URL" }
+];
+var staleFallbackRule = {
+  id: "stale-fallback",
+  name: "Stale Fallback",
+  description: "Detects hardcoded localhost URLs in non-config, non-test files",
+  category: "ai-quality",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, label } of STALE_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "stale-fallback",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: `${label} \u2014 use environment variable instead`,
+            severity: "warning",
+            category: "ai-quality"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hallucinated-api.ts
+var HALLUCINATED_APIS = [
+  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()" },
+  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()" },
+  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()" },
+  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()" },
+  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()" },
+  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()" },
+  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()" },
+  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)" },
+  { pattern: /\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()" }
+];
+var hallucinatedApiRule = {
+  id: "hallucinated-api",
+  name: "Hallucinated API",
+  description: "Detects non-existent or deprecated JavaScript/DOM APIs often generated by AI",
+  category: "ai-quality",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, fix } of HALLUCINATED_APIS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "hallucinated-api",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: fix,
+            severity: "warning",
+            category: "ai-quality"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/open-redirect.ts
+var CRITICAL_PATTERNS = [
+  // redirect(searchParams.get(...)) or redirect(searchParams.get('x')!)
+  /redirect\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/,
+  // redirect(req.query.x) or redirect(request.nextUrl.searchParams.get(...))
+  /redirect\s*\(\s*req(?:uest)?\.(?:query|nextUrl\.searchParams\.get)\s*[.(]/,
+  // NextResponse.redirect(new URL(userInput))
+  /NextResponse\.redirect\s*\(\s*new\s+URL\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/
+];
+var WARNING_PATTERNS = [
+  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination)\s*[,)]/
+];
+var openRedirectRule = {
+  id: "open-redirect",
+  name: "Open Redirect",
+  description: "Detects user-controlled input passed directly to redirect functions",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of CRITICAL_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "open-redirect",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "User input in redirect \u2014 validate against an allowlist to prevent open redirect",
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+      for (const pattern of WARNING_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          if (findings.some((f) => f.line === i + 1)) break;
+          findings.push({
+            ruleId: "open-redirect",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Possible user input in redirect \u2014 verify the URL is validated before use",
+            severity: "warning",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/no-sync-fs.ts
+var SYNC_FS_PATTERN = /(?:readFileSync|writeFileSync|existsSync|mkdirSync|readdirSync|statSync|unlinkSync|copyFileSync|renameSync|appendFileSync|accessSync)\s*\(/;
+var noSyncFsRule = {
+  id: "no-sync-fs",
+  name: "No Synchronous FS",
+  description: "Detects synchronous fs operations in API routes and server code",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (/(?:^|\/)scripts?\//.test(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = SYNC_FS_PATTERN.exec(line);
+      if (match) {
+        const fnName = match[0].replace(/\s*\($/, "");
+        const severity = isApiRoute(file.relativePath) ? "warning" : "info";
+        findings.push({
+          ruleId: "no-sync-fs",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `Synchronous ${fnName}() blocks the event loop \u2014 use async alternative`,
+          severity,
+          category: "performance"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/no-n-plus-one.ts
+var DB_CALL_PATTERN = /(?:prisma\.\w+\.\w+\(|\.findUnique\s*\(|\.findFirst\s*\(|\.findMany\s*\(|\.insert\s*\(|\.upsert\s*\(|fetch\s*\()/;
+var noNPlusOneRule = {
+  id: "no-n-plus-one",
+  name: "No N+1 Queries",
+  description: "Detects database or fetch calls inside loops (N+1 query pattern)",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    const loops = findLoopBodies(file.lines, file.commentMap);
+    const reported = /* @__PURE__ */ new Set();
+    for (const loop of loops) {
+      if (reported.has(loop.loopLine)) continue;
+      for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
+        if (isCommentLine(file.lines, i, file.commentMap)) continue;
+        const line = file.lines[i];
+        const match = DB_CALL_PATTERN.exec(line);
+        if (match) {
+          reported.add(loop.loopLine);
+          findings.push({
+            ruleId: "no-n-plus-one",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Database/fetch call inside loop \u2014 potential N+1 query, consider batching",
+            severity: "warning",
+            category: "performance"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/no-dynamic-import-loop.ts
+var DYNAMIC_IMPORT_PATTERN = /\bimport\s*\(/;
+var noDynamicImportLoopRule = {
+  id: "no-dynamic-import-loop",
+  name: "No Dynamic Import in Loop",
+  description: "Detects dynamic import() calls inside loops",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    const loops = findLoopBodies(file.lines, file.commentMap);
+    for (const loop of loops) {
+      for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
+        if (isCommentLine(file.lines, i, file.commentMap)) continue;
+        const line = file.lines[i];
+        if (/^\s*import\s+/.test(line) && /\bfrom\b/.test(line)) continue;
+        const match = DYNAMIC_IMPORT_PATTERN.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "no-dynamic-import-loop",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Dynamic import() inside loop \u2014 move import outside or use Promise.all",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/no-unbounded-query.ts
+var noUnboundedQueryRule = {
+  id: "no-unbounded-query",
+  name: "No Unbounded Query",
+  description: "Detects database queries without LIMIT/take constraints",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/\.findMany\s*\(\s*\)/.test(line)) {
+        findings.push({
+          ruleId: "no-unbounded-query",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf(".findMany") + 1,
+          message: ".findMany() without take/limit \u2014 query may return unbounded results",
+          severity: "warning",
+          category: "performance"
+        });
+        continue;
+      }
+      if (/\.findMany\s*\(\s*\{/.test(line)) {
+        const context = file.lines.slice(i, Math.min(i + 6, file.lines.length)).join(" ");
+        if (!/\btake\s*:/.test(context) && !/\blimit\s*[:(]/.test(context)) {
+          findings.push({
+            ruleId: "no-unbounded-query",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(".findMany") + 1,
+            message: ".findMany() without take \u2014 add pagination or limit",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+        continue;
+      }
+      if (/\.select\s*\(\s*['"`]\*['"`]\s*\)/.test(line)) {
+        const context = file.lines.slice(Math.max(0, i - 2), Math.min(i + 4, file.lines.length)).join(" ");
+        const hasBound = /\.limit\s*\(/.test(context) || /\.range\s*\(/.test(context) || /LIMIT\s+\d/i.test(context) || /\.eq\s*\(/.test(context) || /\.single\s*\(/.test(context) || /\.maybeSingle\s*\(/.test(context) || /\.match\s*\(/.test(context);
+        if (!hasBound) {
+          findings.push({
+            ruleId: "no-unbounded-query",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(".select") + 1,
+            message: ".select('*') without .limit() or filter \u2014 add pagination or a where clause",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/unhandled-promise.ts
+var ASYNC_CALL_PATTERN = /(?:fetch\s*\(|prisma\.\w+\.\w+\(|\.findMany\s*\(|\.findFirst\s*\(|\.findUnique\s*\(|\.upsert\s*\()/;
+var HANDLED_PATTERNS = [
+  /\bawait\b/,
+  /\breturn\b/,
+  /\bconst\s+\w/,
+  /\blet\s+\w/,
+  /\bvar\s+\w/,
+  /=\s*(?:await\b)?/,
+  /\.then\s*\(/,
+  /\.catch\s*\(/,
+  /void\s+/,
+  /Promise\.all/,
+  /Promise\.allSettled/,
+  /Promise\.race/
+];
+var unhandledPromiseRule = {
+  id: "unhandled-promise",
+  name: "Unhandled Promise",
+  description: "Detects async calls (fetch, DB) without await, return, or assignment",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (/^\.\w/.test(trimmed)) continue;
+      if (/^['"`]/.test(trimmed)) continue;
+      const asyncMatch = ASYNC_CALL_PATTERN.exec(trimmed);
+      if (!asyncMatch) continue;
+      const isHandled = HANDLED_PATTERNS.some((p) => p.test(trimmed));
+      if (isHandled) continue;
+      let handledAbove = false;
+      for (let j = i - 1; j >= Math.max(0, i - 5); j--) {
+        const prevTrimmed = file.lines[j].trim();
+        if (prevTrimmed === "" || prevTrimmed.endsWith(";")) break;
+        if (/\bawait\b/.test(prevTrimmed) || /\bconst\s+\w/.test(prevTrimmed) || /\blet\s+\w/.test(prevTrimmed) || /=\s*await\b/.test(prevTrimmed)) {
+          handledAbove = true;
+          break;
+        }
+      }
+      if (handledAbove) continue;
+      const col = ASYNC_CALL_PATTERN.exec(line);
+      findings.push({
+        ruleId: "unhandled-promise",
+        file: file.relativePath,
+        line: i + 1,
+        column: col ? col.index + 1 : 1,
+        message: "Async call without await, return, or assignment \u2014 promise result is lost",
+        severity: "warning",
+        category: "reliability"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-loading-state.ts
+var missingLoadingStateRule = {
+  id: "missing-loading-state",
+  name: "Missing Loading State",
+  description: "Detects client components with useEffect+fetch but no loading state",
+  category: "reliability",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx"],
+  check(file, _project) {
+    if (!isClientComponent(file.content)) return [];
+    const content = file.content;
+    if (!/\buseEffect\s*\(/.test(content)) return [];
+    const hasFetch = /\bfetch\s*\(/.test(content) || /\baxios\b/.test(content) || /\.get\s*\(/.test(content) || /\.post\s*\(/.test(content);
+    if (!hasFetch) return [];
+    const hasLoadingState = /\b(?:loading|isLoading|pending|isPending|isFetching)\b/.test(content) || /useState\s*<?\s*boolean\s*>?\s*\(\s*(?:true|false)\s*\)/.test(content) || /\bSkeleton\b/.test(content) || /\bSpinner\b/.test(content) || /\buseSWR\b/.test(content) || /\buseQuery\b/.test(content);
+    if (hasLoadingState) return [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/\buseEffect\s*\(/.test(file.lines[i])) {
+        return [{
+          ruleId: "missing-loading-state",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: "useEffect with fetch but no loading/pending state \u2014 users see empty content during load",
+          severity: "info",
+          category: "reliability"
+        }];
+      }
+    }
+    return [];
+  }
+};
+
+// src/rules/missing-error-boundary.ts
+var missingErrorBoundaryRule = {
+  id: "missing-error-boundary",
+  name: "Missing Error Boundary",
+  description: "Detects Next.js layout files without a matching error.tsx in the same directory",
+  category: "reliability",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, project) {
+    const match = file.relativePath.match(/^app\/(.+\/)layout\.(tsx?|jsx?)$/);
+    if (!match) return [];
+    const dir = "app/" + match[1];
+    const hasErrorBoundary = project.allFiles.some(
+      (f) => f.startsWith(dir) && /^error\.(tsx?|jsx?)$/.test(f.slice(dir.length))
+    );
+    if (hasErrorBoundary) return [];
+    return [{
+      ruleId: "missing-error-boundary",
+      file: file.relativePath,
+      line: 1,
+      column: 1,
+      message: `Layout without error.tsx \u2014 errors in ${dir} will bubble up to parent error boundary`,
+      severity: "info",
+      category: "reliability"
+    }];
+  }
+};
+
+// src/rules/codebase-consistency.ts
+function tallyDimension(label, files, detector) {
+  const variants = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    const variant = detector(file);
+    if (variant) {
+      const list = variants.get(variant) ?? [];
+      list.push(file.relativePath);
+      variants.set(variant, list);
+    }
+  }
+  return { label, variants };
+}
+function detectNamingConvention(file) {
+  let camel = 0;
+  let snake = 0;
+  for (const line of file.lines) {
+    const match = line.match(/export\s+(?:function|const|let)\s+(\w+)/);
+    if (match) {
+      const name = match[1];
+      if (/[a-z][A-Z]/.test(name)) camel++;
+      else if (/_[a-z]/.test(name)) snake++;
+    }
+  }
+  if (camel > 0 && snake === 0) return "camelCase";
+  if (snake > 0 && camel === 0) return "snake_case";
+  if (camel > 0 && snake > 0) return "mixed";
+  return null;
+}
+function detectImportStyle(file) {
+  let esm = 0;
+  let cjs = 0;
+  for (const line of file.lines) {
+    if (/^\s*import\s+/.test(line)) esm++;
+    if (/\brequire\s*\(/.test(line)) cjs++;
+  }
+  if (esm > 0 && cjs === 0) return "ESM import";
+  if (cjs > 0 && esm === 0) return "CJS require";
+  if (esm > 0 && cjs > 0) return "mixed";
+  return null;
+}
+function detectHttpClient(file) {
+  const content = file.content;
+  if (/\baxios[\s.(]/.test(content)) return "axios";
+  if (/\bgot[\s.(]/.test(content) && /from\s+['"]got['"]/.test(content)) return "got";
+  if (/\bky[\s.(]/.test(content) && /from\s+['"]ky['"]/.test(content)) return "ky";
+  if (/\bfetch\s*\(/.test(content)) return "fetch";
+  return null;
+}
+function detectAsyncPattern(file) {
+  let awaits = 0;
+  let thens = 0;
+  let callbacks = 0;
+  for (const line of file.lines) {
+    if (/\bawait\b/.test(line)) awaits++;
+    if (/\.then\s*\(/.test(line)) thens++;
+    if (/,\s*(?:function\s*\(|(?:err|error|cb|callback)\s*=>)/.test(line)) callbacks++;
+  }
+  const total = awaits + thens + callbacks;
+  if (total === 0) return null;
+  if (awaits > 0 && thens === 0 && callbacks === 0) return "async/await";
+  if (thens > 0 && awaits === 0) return ".then() chains";
+  if (callbacks > 0 && awaits === 0 && thens === 0) return "callbacks";
+  if (awaits > 0 && thens > 0) return "mixed async";
+  return null;
+}
+function detectQuoteStyle(file) {
+  let single = 0;
+  let double = 0;
+  for (const line of file.lines) {
+    const imports = line.match(/from\s+(['"])/g);
+    if (imports) {
+      for (const m of imports) {
+        if (m.includes("'")) single++;
+        else double++;
+      }
+    }
+  }
+  if (single > 0 && double === 0) return "single quotes";
+  if (double > 0 && single === 0) return "double quotes";
+  if (single > 0 && double > 0) return "mixed quotes";
+  return null;
+}
+var codebaseConsistencyRule = {
+  id: "codebase-consistency",
+  name: "Codebase Consistency",
+  description: "Detects conflicting conventions across files \u2014 naming, imports, async patterns, HTTP clients",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(files, _project) {
+    const sourceFiles = files.filter(
+      (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath) && !isConfigFile(f.relativePath)
+    );
+    if (sourceFiles.length < 3) return [];
+    const dimensions = [
+      tallyDimension("Naming convention", sourceFiles, detectNamingConvention),
+      tallyDimension("Import style", sourceFiles, detectImportStyle),
+      tallyDimension("HTTP client", sourceFiles, detectHttpClient),
+      tallyDimension("Async pattern", sourceFiles, detectAsyncPattern),
+      tallyDimension("Quote style", sourceFiles, detectQuoteStyle)
+    ];
+    const findings = [];
+    for (const dim of dimensions) {
+      if (dim.variants.size < 2) continue;
+      let total = 0;
+      let dominant = "";
+      let dominantCount = 0;
+      for (const [variant, fileList] of dim.variants) {
+        total += fileList.length;
+        if (fileList.length > dominantCount) {
+          dominantCount = fileList.length;
+          dominant = variant;
+        }
+      }
+      const consistency = Math.round(dominantCount / total * 100);
+      if (consistency >= 90) continue;
+      const minorities = [];
+      for (const [variant, fileList] of dim.variants) {
+        if (variant !== dominant) {
+          minorities.push(`${variant} (${fileList.length} files)`);
+        }
+      }
+      findings.push({
+        ruleId: "codebase-consistency",
+        file: "(project)",
+        line: 1,
+        column: 1,
+        message: `${dim.label}: ${consistency}% consistent \u2014 dominant: ${dominant} (${dominantCount} files), minority: ${minorities.join(", ")}`,
+        severity: consistency < 60 ? "warning" : "info",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/rules/dead-exports.ts
+function isEntryPoint(relativePath) {
+  const name = relativePath.split("/").pop() ?? "";
+  return /^(page|layout|loading|error|not-found|route|middleware|instrumentation)\.(tsx?|jsx?)$/.test(name) || /^index\.(tsx?|jsx?)$/.test(name) || name === "global-error.tsx" || name === "global-error.jsx";
+}
+var THRESHOLD = 5;
+var deadExportsRule = {
+  id: "dead-exports",
+  name: "Dead Exports",
+  description: "Detects exported symbols never imported anywhere in the project \u2014 context pollution for AI tools",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(files, _project) {
+    const sourceFiles = files.filter(
+      (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath)
+    );
+    const exports = /* @__PURE__ */ new Map();
+    const imports = /* @__PURE__ */ new Set();
+    const importedFiles = /* @__PURE__ */ new Set();
+    for (const file of sourceFiles) {
+      if (isEntryPoint(file.relativePath)) continue;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        let match;
+        const namedRe = /export\s+(?:async\s+)?(?:function|const|let|class|enum)\s+(\w+)/g;
+        while ((match = namedRe.exec(line)) !== null) {
+          if (/export\s+(type|interface)\s/.test(line)) continue;
+          exports.set(`${file.relativePath}::${match[1]}`, { file: file.relativePath, line: i + 1 });
+        }
+        const braceRe = /export\s*\{([^}]+)\}/g;
+        while ((match = braceRe.exec(line)) !== null) {
+          const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/).pop()?.trim()).filter(Boolean);
+          for (const sym of symbols) {
+            if (sym) exports.set(`${file.relativePath}::${sym}`, { file: file.relativePath, line: i + 1 });
+          }
+        }
+      }
+    }
+    for (const file of files) {
+      for (const line of file.lines) {
+        let match;
+        const bracesRe = /import\s*(?:type\s*)?\{([^}]+)\}\s*from/g;
+        while ((match = bracesRe.exec(line)) !== null) {
+          const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/)[0].trim()).filter(Boolean);
+          for (const sym of symbols) imports.add(sym);
+        }
+        const defaultRe = /import\s+(\w+)\s+from/g;
+        while ((match = defaultRe.exec(line)) !== null) {
+          imports.add(match[1]);
+        }
+        const fromRe = /from\s+['"]([^'"]+)['"]/g;
+        while ((match = fromRe.exec(line)) !== null) {
+          importedFiles.add(match[1]);
+        }
+      }
+    }
+    const deadByFile = /* @__PURE__ */ new Map();
+    for (const [key, loc] of exports) {
+      const symbolName = key.split("::")[1];
+      if (!imports.has(symbolName)) {
+        deadByFile.set(loc.file, (deadByFile.get(loc.file) ?? 0) + 1);
+      }
+    }
+    const findings = [];
+    let totalDead = 0;
+    for (const [file, count] of deadByFile) {
+      totalDead += count;
+    }
+    if (totalDead >= THRESHOLD) {
+      const topFiles = [...deadByFile.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5).map(([f, c]) => `${f} (${c})`);
+      findings.push({
+        ruleId: "dead-exports",
+        file: "(project)",
+        line: 1,
+        column: 1,
+        message: `${totalDead} exported symbols never imported \u2014 dead exports pollute AI context. Top files: ${topFiles.join(", ")}`,
+        severity: totalDead > 20 ? "warning" : "info",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+
+// src/rules/shallow-catch.ts
+function scoreCatchBody(bodyLines) {
+  if (bodyLines.length === 0 || bodyLines.every((l) => l.trim() === "")) {
+    return { score: 0, label: "empty catch" };
+  }
+  const body = bodyLines.join("\n");
+  let score = 0;
+  if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
+  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+    score = 3;
+  }
+  const labels = {
+    0: "empty catch",
+    1: "catch only logs (no recovery or propagation)",
+    2: "catch logs error but does not propagate or recover",
+    3: "catch handles error properly"
+  };
+  return { score, label: labels[score] };
+}
+var shallowCatchRule = {
+  id: "shallow-catch",
+  name: "Shallow Error Handler",
+  description: "Detects catch blocks that exist but do nothing useful \u2014 decorative error handling",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const trimmed = file.lines[i].trim();
+      if (!/\bcatch\s*\(/.test(trimmed) && !/\bcatch\s*\{/.test(trimmed)) continue;
+      let braceStart = -1;
+      for (let j = i; j < Math.min(i + 3, file.lines.length); j++) {
+        if (file.lines[j].includes("{")) {
+          braceStart = j;
+          break;
+        }
+      }
+      if (braceStart === -1) continue;
+      let depth = 0;
+      let bodyEnd = braceStart;
+      for (let j = braceStart; j < file.lines.length; j++) {
+        const line = file.lines[j];
+        const startPos = j === braceStart ? line.indexOf("{") : 0;
+        for (let k = startPos; k < line.length; k++) {
+          if (line[k] === "{") depth++;
+          if (line[k] === "}") {
+            depth--;
+            if (depth === 0) {
+              bodyEnd = j;
+              break;
+            }
+          }
+        }
+        if (depth === 0) break;
+      }
+      const bodyLines = file.lines.slice(braceStart + 1, bodyEnd);
+      const { score, label } = scoreCatchBody(bodyLines);
+      if (score <= 1) {
+        findings.push({
+          ruleId: "shallow-catch",
+          file: file.relativePath,
+          line: i + 1,
+          column: file.lines[i].indexOf("catch") + 1,
+          message: score === 0 ? "Empty catch block \u2014 errors are silently swallowed" : `Decorative error handler: ${label}`,
+          severity: score === 0 ? "warning" : "info",
+          category: "reliability"
+        });
+      }
+      i = bodyEnd;
+    }
+    return findings;
+  }
+};
+
+// src/rules/comprehension-debt.ts
+var MAX_FUNCTION_LENGTH = 80;
+var MAX_NESTING_DEPTH = 5;
+var MAX_PARAMS = 5;
+function isContentFile(relativePath) {
+  return /(?:^|\/)content\//.test(relativePath) || /(?:^|\/)blog\//.test(relativePath) || /\(legal\)\//.test(relativePath);
+}
+var comprehensionDebtRule = {
+  id: "comprehension-debt",
+  name: "Comprehension Debt",
+  description: "Detects code that is hard to understand \u2014 long functions, deep nesting, excessive parameters",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (isContentFile(file.relativePath)) return [];
+    const findings = [];
+    let fnStart = -1;
+    let fnName = "";
+    let braceDepth = 0;
+    let maxDepthInFn = 0;
+    let fnBraceStart = -1;
+    let inFunction = false;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      const fnMatch = trimmed.match(/(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/) ?? trimmed.match(/(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:)/);
+      if (fnMatch && !inFunction) {
+        fnName = fnMatch[1];
+        fnStart = i;
+        const params = fnMatch[2].split(",").filter((p) => p.trim()).length;
+        if (params > MAX_PARAMS) {
+          findings.push({
+            ruleId: "comprehension-debt",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message: `${fnName}() has ${params} parameters (max ${MAX_PARAMS}) \u2014 hard to call correctly`,
+            severity: "info",
+            category: "ai-quality"
+          });
+        }
+      }
+      for (const ch of line) {
+        if (ch === "{") {
+          braceDepth++;
+          if (fnStart >= 0 && fnBraceStart === -1) {
+            fnBraceStart = braceDepth;
+            inFunction = true;
+          }
+          if (inFunction && braceDepth - fnBraceStart > maxDepthInFn) {
+            maxDepthInFn = braceDepth - fnBraceStart;
+          }
+        }
+        if (ch === "}") {
+          braceDepth--;
+          if (inFunction && braceDepth < fnBraceStart) {
+            const length = i - fnStart + 1;
+            if (length > MAX_FUNCTION_LENGTH) {
+              findings.push({
+                ruleId: "comprehension-debt",
+                file: file.relativePath,
+                line: fnStart + 1,
+                column: 1,
+                message: `${fnName}() is ${length} lines long (max ${MAX_FUNCTION_LENGTH}) \u2014 consider splitting`,
+                severity: "info",
+                category: "ai-quality"
+              });
+            }
+            if (maxDepthInFn > MAX_NESTING_DEPTH) {
+              findings.push({
+                ruleId: "comprehension-debt",
+                file: file.relativePath,
+                line: fnStart + 1,
+                column: 1,
+                message: `${fnName}() has nesting depth ${maxDepthInFn} (max ${MAX_NESTING_DEPTH}) \u2014 flatten with early returns`,
+                severity: "info",
+                category: "ai-quality"
+              });
+            }
+            inFunction = false;
+            fnStart = -1;
+            fnBraceStart = -1;
+            maxDepthInFn = 0;
+            fnName = "";
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/phantom-dependency.ts
+var PHANTOM_PACKAGES = /* @__PURE__ */ new Set([
+  "huggingface-cli",
+  // hallucinated, real: huggingface_hub
+  "flask-hierarchical",
+  // hallucinated
+  "beautifulsoup",
+  // real is beautifulsoup4
+  "python-dotenv",
+  // real is python-dotenv (this one exists but confusable)
+  "openai-sdk",
+  // hallucinated, real: openai
+  "anthropic-sdk",
+  // hallucinated, real: @anthropic-ai/sdk
+  "langchain-core",
+  // confusable with @langchain/core
+  "react-native-utils",
+  // hallucinated generic
+  "next-middleware",
+  // hallucinated
+  "supabase-client",
+  // hallucinated, real: @supabase/supabase-js
+  "stripe-sdk",
+  // hallucinated, real: stripe
+  "prisma-client",
+  // hallucinated, real: @prisma/client
+  "tailwind-utils",
+  // hallucinated
+  "express-validator-v2",
+  // hallucinated
+  "node-postgres-pool",
+  // hallucinated, real: pg
+  "mongo-client",
+  // hallucinated, real: mongodb
+  "redis-client",
+  // hallucinated, real: redis or ioredis
+  "aws-s3-upload",
+  // hallucinated
+  "gpt-tokenizer"
+  // exists but often confused
+]);
+var SUSPICIOUS_PATTERNS = [
+  /^[a-z]{1,2}$/,
+  // 1-2 char names
+  /-js$/,
+  // redundant -js suffix often hallucinated
+  /^(the|my|simple|easy|fast|super|mega|ultra)-/
+  // vanity prefixes
+];
+var phantomDependencyRule = {
+  id: "phantom-dependency",
+  name: "Phantom Dependency",
+  description: "Detects commonly hallucinated or suspicious package names \u2014 slopsquatting prevention",
+  category: "security",
+  severity: "warning",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(_files, project) {
+    if (!project.packageJson) return [];
+    const findings = [];
+    const deps = {
+      ...project.packageJson.dependencies ?? {},
+      ...project.packageJson.devDependencies ?? {}
+    };
+    for (const [name, _version] of Object.entries(deps)) {
+      if (PHANTOM_PACKAGES.has(name)) {
+        findings.push({
+          ruleId: "phantom-dependency",
+          file: "package.json",
+          line: 1,
+          column: 1,
+          message: `"${name}" is a commonly hallucinated package name \u2014 verify it exists and is the correct package`,
+          severity: "warning",
+          category: "security"
+        });
+      }
+      for (const pattern of SUSPICIOUS_PATTERNS) {
+        if (pattern.test(name) && !name.startsWith("@")) {
+          findings.push({
+            ruleId: "phantom-dependency",
+            file: "package.json",
+            line: 1,
+            column: 1,
+            message: `"${name}" has a suspicious package name pattern \u2014 verify it's legitimate`,
+            severity: "info",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
 // src/rules/index.ts
 var rules = [
+  // Security
   secretsRule,
-  hallucinatedImportsRule,
   authChecksRule,
   envExposureRule,
-  errorHandlingRule,
   inputValidationRule,
-  rateLimitingRule,
   corsConfigRule,
-  aiSmellsRule,
   unsafeHtmlRule,
-  sqlInjectionRule
+  sqlInjectionRule,
+  openRedirectRule,
+  rateLimitingRule,
+  phantomDependencyRule,
+  // Reliability
+  hallucinatedImportsRule,
+  errorHandlingRule,
+  unhandledPromiseRule,
+  shallowCatchRule,
+  missingLoadingStateRule,
+  missingErrorBoundaryRule,
+  // Performance
+  noSyncFsRule,
+  noNPlusOneRule,
+  noUnboundedQueryRule,
+  noDynamicImportLoopRule,
+  // AI Quality
+  aiSmellsRule,
+  placeholderContentRule,
+  hallucinatedApiRule,
+  staleFallbackRule,
+  comprehensionDebtRule,
+  codebaseConsistencyRule,
+  deadExportsRule
 ];
 
 // src/scanner.ts
@@ -1003,9 +2042,11 @@ async function scan(options) {
   const filePaths = await walkFiles(root, options.ignore);
   const project = await buildProjectContext(root, filePaths);
   const findings = [];
+  const allFiles = [];
   for (const relativePath of filePaths) {
     const file = await readFileContext(root, relativePath);
     if (!file) continue;
+    allFiles.push(file);
     for (const rule of rules) {
       if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
         continue;
@@ -1018,6 +2059,12 @@ async function scan(options) {
       }
     }
   }
+  for (const rule of rules) {
+    if (rule.checkProject) {
+      const projectFindings = rule.checkProject(allFiles, project);
+      findings.push(...projectFindings);
+    }
+  }
   const { overallScore, categoryScores } = calculateScores(findings);
   const summary = summarizeFindings(findings);
   return {