npm - prodlint - Versions diffs - 0.2.2 → 0.3.1 - Mend

prodlint 0.2.2 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/mcp.js CHANGED Viewed

@@ -76,6 +76,51 @@ function isLineSuppressed(lines, lineIndex, ruleId) {
   }
   return false;
 }
+function isTestFile(relativePath) {
+  return /\.(test|spec)\.[jt]sx?$/.test(relativePath) || /(?:^|\/)__tests__\//.test(relativePath) || /(?:^|\/)tests?\//.test(relativePath) || /(?:^|\/)fixtures?\//.test(relativePath) || /(?:^|\/)mocks?\//.test(relativePath);
+}
+function isScriptFile(relativePath) {
+  return /(?:^|\/)scripts?\//.test(relativePath);
+}
+function isConfigFile(relativePath) {
+  const name = relativePath.split("/").pop() ?? "";
+  return /\.config\.[jt]sx?$/.test(name) || /\.config\.(mjs|cjs)$/.test(name) || name.startsWith(".env") || name === "next.config.js" || name === "next.config.ts" || name === "next.config.mjs" || name === "tailwind.config.ts" || name === "tailwind.config.js" || name === "postcss.config.js" || name === "postcss.config.mjs" || name === "tsconfig.json" || name === "jest.config.ts" || name === "jest.config.js" || name === "vitest.config.ts" || name === "vitest.config.mts";
+}
+function findLoopBodies(lines, commentMap) {
+  const results = [];
+  for (let i = 0; i < lines.length; i++) {
+    if (commentMap[i]) continue;
+    const trimmed = lines[i].trim();
+    const isLoop = /^\s*(for\s*\(|for\s+await\s*\(|while\s*\()/.test(lines[i]) || /\.(forEach|map)\s*\(/.test(trimmed);
+    if (!isLoop) continue;
+    let braceCount = 0;
+    let bodyStart = -1;
+    let foundOpen = false;
+    for (let j = i; j < lines.length; j++) {
+      if (commentMap[j]) continue;
+      const line = lines[j];
+      for (let k = 0; k < line.length; k++) {
+        const ch = line[k];
+        if (ch === "{") {
+          if (!foundOpen) {
+            bodyStart = j;
+            foundOpen = true;
+          }
+          braceCount++;
+        } else if (ch === "}") {
+          braceCount--;
+          if (foundOpen && braceCount === 0) {
+            results.push({ loopLine: i, bodyStart, bodyEnd: j });
+            i = j;
+            j = lines.length;
+            break;
+          }
+        }
+      }
+    }
+  }
+  return results;
+}
 var NODE_BUILTINS = /* @__PURE__ */ new Set([
   "assert",
   "async_hooks",
@@ -409,6 +454,7 @@ var hallucinatedImportsRule = {
     if (!project.packageJson) return [];
     const findings = [];
     const seen = /* @__PURE__ */ new Set();
+    const isNonProd = isTestFile(file.relativePath) || isScriptFile(file.relativePath);
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
@@ -429,7 +475,7 @@ var hallucinatedImportsRule = {
           line: i + 1,
           column: match.index + 1,
           message: `Package "${pkgName}" is imported but not in package.json`,
-          severity: "critical",
+          severity: isNonProd ? "warning" : "critical",
           category: "reliability"
         });
       }
@@ -575,64 +621,31 @@ var envExposureRule = {
 var errorHandlingRule = {
   id: "error-handling",
   name: "Missing Error Handling",
-  description: "Detects API routes without try/catch and empty catch blocks",
+  description: "Detects API routes without try/catch",
   category: "reliability",
   severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
-    const findings = [];
-    if (isApiRoute(file.relativePath)) {
-      const hasTryCatch = /try\s*\{/.test(file.content);
-      if (!hasTryCatch) {
-        let handlerLine = 1;
-        for (let i = 0; i < file.lines.length; i++) {
-          if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
-            handlerLine = i + 1;
-            break;
-          }
-        }
-        findings.push({
-          ruleId: "error-handling",
-          file: file.relativePath,
-          line: handlerLine,
-          column: 1,
-          message: "API route handler has no try/catch block",
-          severity: "warning",
-          category: "reliability"
-        });
-      }
-    }
+    if (!isApiRoute(file.relativePath)) return [];
+    const hasFrameworkServe = /\bserve\s*\(/.test(file.content) || /createTRPCHandle/.test(file.content) || /fetchRequestHandler/.test(file.content);
+    const hasTryCatch = /try\s*\{/.test(file.content);
+    if (hasTryCatch || hasFrameworkServe) return [];
+    let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
-      if (isCommentLine(file.lines, i, file.commentMap)) continue;
-      const line = file.lines[i];
-      if (/catch\s*(\([^)]*\))?\s*\{\s*\}/.test(line)) {
-        findings.push({
-          ruleId: "error-handling",
-          file: file.relativePath,
-          line: i + 1,
-          column: line.indexOf("catch") + 1,
-          message: "Empty catch block silently swallows errors",
-          severity: "warning",
-          category: "reliability"
-        });
-        continue;
-      }
-      if (/catch\s*(\([^)]*\))?\s*\{\s*$/.test(line)) {
-        const nextLine = file.lines[i + 1]?.trim();
-        if (nextLine === "}") {
-          findings.push({
-            ruleId: "error-handling",
-            file: file.relativePath,
-            line: i + 1,
-            column: line.indexOf("catch") + 1,
-            message: "Empty catch block silently swallows errors",
-            severity: "warning",
-            category: "reliability"
-          });
-        }
+      if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
       }
     }
-    return findings;
+    return [{
+      ruleId: "error-handling",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "API route handler has no try/catch block",
+      severity: "warning",
+      category: "reliability"
+    }];
   }
 };
@@ -651,7 +664,11 @@ var VALIDATION_PATTERNS = [
   /ajv/i,
   /typebox/i,
   /valibot/i,
-  /typeof\s+.*body/
+  /typeof\s+.*body/,
+  // Inline guard clauses on parsed body/data (\b prevents matching inside metadata, database, etc.)
+  /if\s*\(\s*!\b(body|data)\b\./,
+  /\b(body|data)\b\?\.\w+\s*(!==|===)/,
+  /typeof\s+\b(body|data)\b/
 ];
 var BODY_ACCESS_PATTERNS = [
   /req\.body/,
@@ -739,7 +756,7 @@ var rateLimitingRule = {
       file: file.relativePath,
       line: handlerLine,
       column: 1,
-      message: "API route has no rate limiting",
+      message: "No rate limiting \u2014 anyone could spam this endpoint and run up your API costs",
       severity: "warning",
       category: "security"
     }];
@@ -820,6 +837,8 @@ var aiSmellsRule = {
   severity: "info",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
     const findings = [];
     let consoleLogCount = 0;
     let anyTypeCount = 0;
@@ -923,6 +942,14 @@ var unsafeHtmlRule = {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
       if (/dangerouslySetInnerHTML\s*=/.test(line) || /dangerouslySetInnerHTML\s*:/.test(line)) {
+        const context = [line];
+        for (let j = 1; j <= 2 && i + j < file.lines.length; j++) {
+          const nextLine = file.lines[i + j];
+          if (/^\s*<[^/]|^\s*(const|let|var|return|export|import)\s/.test(nextLine)) break;
+          context.push(nextLine);
+        }
+        const expr = context.join(" ");
+        if (/__html\s*:\s*JSON\.stringify/.test(expr)) continue;
         findings.push({
           ruleId: "unsafe-html",
           file: file.relativePath,
@@ -989,19 +1016,1031 @@ var sqlInjectionRule = {
   }
 };
+// src/rules/placeholder-content.ts
+var PLACEHOLDERS = [
+  { pattern: /Lorem ipsum/i, label: "Lorem ipsum placeholder text" },
+  { pattern: /example@example\.com/, label: 'Placeholder email "example@example.com"' },
+  { pattern: /user@example\.com/, label: 'Placeholder email "user@example.com"' },
+  { pattern: /test@test\.com/, label: 'Placeholder email "test@test.com"' },
+  { pattern: /['"]John Doe['"]/, label: 'Placeholder name "John Doe"' },
+  { pattern: /['"]Jane Doe['"]/, label: 'Placeholder name "Jane Doe"' },
+  { pattern: /['"]password123['"]/, label: 'Placeholder password "password123"' },
+  { pattern: /['"]changeme['"]/, label: 'Placeholder value "changeme"' },
+  { pattern: /['"]your-api-key-here['"]/, label: "Placeholder API key" },
+  { pattern: /['"]replace-with-['"]/, label: 'Placeholder "replace-with-" value' },
+  { pattern: /['"]xxx+['"]/, label: 'Placeholder "xxx" value' },
+  { pattern: /['"]TODO:?\s*replace['"/]/i, label: "TODO replace placeholder" }
+];
+var placeholderContentRule = {
+  id: "placeholder-content",
+  name: "Placeholder Content",
+  description: "Detects Lorem ipsum, example emails, placeholder names, and dummy values in non-test files",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, label } of PLACEHOLDERS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "placeholder-content",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: label,
+            severity: "info",
+            category: "ai-quality"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/stale-fallback.ts
+var STALE_PATTERNS = [
+  { pattern: /['"]http:\/\/localhost:\d+['"]/, label: "Hardcoded localhost URL" },
+  { pattern: /['"]https?:\/\/127\.0\.0\.1[:'"]/, label: "Hardcoded 127.0.0.1 URL" },
+  { pattern: /['"]redis:\/\/localhost['"]/, label: "Hardcoded Redis localhost URL" },
+  { pattern: /['"]mongodb:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]mongodb\+srv:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]postgres:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]postgresql:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]amqp:\/\/localhost['"]/, label: "Hardcoded AMQP localhost URL" }
+];
+var staleFallbackRule = {
+  id: "stale-fallback",
+  name: "Stale Fallback",
+  description: "Detects hardcoded localhost URLs in non-config, non-test files",
+  category: "ai-quality",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, label } of STALE_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "stale-fallback",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: `${label} \u2014 use environment variable instead`,
+            severity: "warning",
+            category: "ai-quality"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/hallucinated-api.ts
+var HALLUCINATED_APIS = [
+  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()" },
+  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()" },
+  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()" },
+  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()" },
+  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()" },
+  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()" },
+  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()" },
+  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)" },
+  { pattern: /\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()" }
+];
+var hallucinatedApiRule = {
+  id: "hallucinated-api",
+  name: "Hallucinated API",
+  description: "Detects non-existent or deprecated JavaScript/DOM APIs often generated by AI",
+  category: "ai-quality",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, fix } of HALLUCINATED_APIS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "hallucinated-api",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: fix,
+            severity: "warning",
+            category: "ai-quality"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/open-redirect.ts
+var CRITICAL_PATTERNS = [
+  // redirect(searchParams.get(...)) or redirect(searchParams.get('x')!)
+  /redirect\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/,
+  // redirect(req.query.x) or redirect(request.nextUrl.searchParams.get(...))
+  /redirect\s*\(\s*req(?:uest)?\.(?:query|nextUrl\.searchParams\.get)\s*[.(]/,
+  // NextResponse.redirect(new URL(userInput))
+  /NextResponse\.redirect\s*\(\s*new\s+URL\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/
+];
+var WARNING_PATTERNS = [
+  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination)\s*[,)]/
+];
+var openRedirectRule = {
+  id: "open-redirect",
+  name: "Open Redirect",
+  description: "Detects user-controlled input passed directly to redirect functions",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of CRITICAL_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "open-redirect",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "User input in redirect \u2014 validate against an allowlist to prevent open redirect",
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+      for (const pattern of WARNING_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          if (findings.some((f) => f.line === i + 1)) break;
+          findings.push({
+            ruleId: "open-redirect",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Possible user input in redirect \u2014 verify the URL is validated before use",
+            severity: "warning",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/no-sync-fs.ts
+var SYNC_FS_PATTERN = /(?:readFileSync|writeFileSync|existsSync|mkdirSync|readdirSync|statSync|unlinkSync|copyFileSync|renameSync|appendFileSync|accessSync)\s*\(/;
+var noSyncFsRule = {
+  id: "no-sync-fs",
+  name: "No Synchronous FS",
+  description: "Detects synchronous fs operations in API routes and server code",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (/(?:^|\/)scripts?\//.test(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = SYNC_FS_PATTERN.exec(line);
+      if (match) {
+        const fnName = match[0].replace(/\s*\($/, "");
+        const severity = isApiRoute(file.relativePath) ? "warning" : "info";
+        findings.push({
+          ruleId: "no-sync-fs",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `Synchronous ${fnName}() blocks the event loop \u2014 use async alternative`,
+          severity,
+          category: "performance"
+        });
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/no-n-plus-one.ts
+var DB_CALL_PATTERN = /(?:prisma\.\w+\.\w+\(|\.findUnique\s*\(|\.findFirst\s*\(|\.findMany\s*\(|\.insert\s*\(|\.upsert\s*\(|fetch\s*\()/;
+var noNPlusOneRule = {
+  id: "no-n-plus-one",
+  name: "No N+1 Queries",
+  description: "Detects database or fetch calls inside loops (N+1 query pattern)",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    const loops = findLoopBodies(file.lines, file.commentMap);
+    const reported = /* @__PURE__ */ new Set();
+    for (const loop of loops) {
+      if (reported.has(loop.loopLine)) continue;
+      for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
+        if (isCommentLine(file.lines, i, file.commentMap)) continue;
+        const line = file.lines[i];
+        const match = DB_CALL_PATTERN.exec(line);
+        if (match) {
+          reported.add(loop.loopLine);
+          findings.push({
+            ruleId: "no-n-plus-one",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Database/fetch call inside loop \u2014 potential N+1 query, consider batching",
+            severity: "warning",
+            category: "performance"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/no-dynamic-import-loop.ts
+var DYNAMIC_IMPORT_PATTERN = /\bimport\s*\(/;
+var noDynamicImportLoopRule = {
+  id: "no-dynamic-import-loop",
+  name: "No Dynamic Import in Loop",
+  description: "Detects dynamic import() calls inside loops",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    const loops = findLoopBodies(file.lines, file.commentMap);
+    for (const loop of loops) {
+      for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
+        if (isCommentLine(file.lines, i, file.commentMap)) continue;
+        const line = file.lines[i];
+        if (/^\s*import\s+/.test(line) && /\bfrom\b/.test(line)) continue;
+        const match = DYNAMIC_IMPORT_PATTERN.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "no-dynamic-import-loop",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Dynamic import() inside loop \u2014 move import outside or use Promise.all",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/no-unbounded-query.ts
+var noUnboundedQueryRule = {
+  id: "no-unbounded-query",
+  name: "No Unbounded Query",
+  description: "Detects database queries without LIMIT/take constraints",
+  category: "performance",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/\.findMany\s*\(\s*\)/.test(line)) {
+        findings.push({
+          ruleId: "no-unbounded-query",
+          file: file.relativePath,
+          line: i + 1,
+          column: line.indexOf(".findMany") + 1,
+          message: ".findMany() without take/limit \u2014 query may return unbounded results",
+          severity: "warning",
+          category: "performance"
+        });
+        continue;
+      }
+      if (/\.findMany\s*\(\s*\{/.test(line)) {
+        const context = file.lines.slice(i, Math.min(i + 6, file.lines.length)).join(" ");
+        if (!/\btake\s*:/.test(context) && !/\blimit\s*[:(]/.test(context)) {
+          findings.push({
+            ruleId: "no-unbounded-query",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(".findMany") + 1,
+            message: ".findMany() without take \u2014 add pagination or limit",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+        continue;
+      }
+      if (/\.select\s*\(\s*['"`]\*['"`]\s*\)/.test(line)) {
+        const context = file.lines.slice(Math.max(0, i - 2), Math.min(i + 4, file.lines.length)).join(" ");
+        const hasBound = /\.limit\s*\(/.test(context) || /\.range\s*\(/.test(context) || /LIMIT\s+\d/i.test(context) || /\.eq\s*\(/.test(context) || /\.single\s*\(/.test(context) || /\.maybeSingle\s*\(/.test(context) || /\.match\s*\(/.test(context);
+        if (!hasBound) {
+          findings.push({
+            ruleId: "no-unbounded-query",
+            file: file.relativePath,
+            line: i + 1,
+            column: line.indexOf(".select") + 1,
+            message: ".select('*') without .limit() or filter \u2014 add pagination or a where clause",
+            severity: "warning",
+            category: "performance"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/unhandled-promise.ts
+var ASYNC_CALL_PATTERN = /(?:fetch\s*\(|prisma\.\w+\.\w+\(|\.findMany\s*\(|\.findFirst\s*\(|\.findUnique\s*\(|\.upsert\s*\()/;
+var HANDLED_PATTERNS = [
+  /\bawait\b/,
+  /\breturn\b/,
+  /\bconst\s+\w/,
+  /\blet\s+\w/,
+  /\bvar\s+\w/,
+  /=\s*(?:await\b)?/,
+  /\.then\s*\(/,
+  /\.catch\s*\(/,
+  /void\s+/,
+  /Promise\.all/,
+  /Promise\.allSettled/,
+  /Promise\.race/
+];
+var unhandledPromiseRule = {
+  id: "unhandled-promise",
+  name: "Unhandled Promise",
+  description: "Detects async calls (fetch, DB) without await, return, or assignment",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (/^\.\w/.test(trimmed)) continue;
+      if (/^['"`]/.test(trimmed)) continue;
+      const asyncMatch = ASYNC_CALL_PATTERN.exec(trimmed);
+      if (!asyncMatch) continue;
+      const isHandled = HANDLED_PATTERNS.some((p) => p.test(trimmed));
+      if (isHandled) continue;
+      let handledAbove = false;
+      for (let j = i - 1; j >= Math.max(0, i - 5); j--) {
+        const prevTrimmed = file.lines[j].trim();
+        if (prevTrimmed === "" || prevTrimmed.endsWith(";")) break;
+        if (/\bawait\b/.test(prevTrimmed) || /\bconst\s+\w/.test(prevTrimmed) || /\blet\s+\w/.test(prevTrimmed) || /=\s*await\b/.test(prevTrimmed)) {
+          handledAbove = true;
+          break;
+        }
+      }
+      if (handledAbove) continue;
+      const col = ASYNC_CALL_PATTERN.exec(line);
+      findings.push({
+        ruleId: "unhandled-promise",
+        file: file.relativePath,
+        line: i + 1,
+        column: col ? col.index + 1 : 1,
+        message: "Async call without await, return, or assignment \u2014 promise result is lost",
+        severity: "warning",
+        category: "reliability"
+      });
+    }
+    return findings;
+  }
+};
+// src/rules/missing-loading-state.ts
+var missingLoadingStateRule = {
+  id: "missing-loading-state",
+  name: "Missing Loading State",
+  description: "Detects client components with useEffect+fetch but no loading state",
+  category: "reliability",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx"],
+  check(file, _project) {
+    if (!isClientComponent(file.content)) return [];
+    const content = file.content;
+    if (!/\buseEffect\s*\(/.test(content)) return [];
+    const hasFetch = /\bfetch\s*\(/.test(content) || /\baxios\b/.test(content) || /\.get\s*\(/.test(content) || /\.post\s*\(/.test(content);
+    if (!hasFetch) return [];
+    const hasLoadingState = /\b(?:loading|isLoading|pending|isPending|isFetching)\b/.test(content) || /useState\s*<?\s*boolean\s*>?\s*\(\s*(?:true|false)\s*\)/.test(content) || /\bSkeleton\b/.test(content) || /\bSpinner\b/.test(content) || /\buseSWR\b/.test(content) || /\buseQuery\b/.test(content);
+    if (hasLoadingState) return [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/\buseEffect\s*\(/.test(file.lines[i])) {
+        return [{
+          ruleId: "missing-loading-state",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: "useEffect with fetch but no loading/pending state \u2014 users see empty content during load",
+          severity: "info",
+          category: "reliability"
+        }];
+      }
+    }
+    return [];
+  }
+};
+// src/rules/missing-error-boundary.ts
+var missingErrorBoundaryRule = {
+  id: "missing-error-boundary",
+  name: "Missing Error Boundary",
+  description: "Detects Next.js layout files without a matching error.tsx in the same directory",
+  category: "reliability",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, project) {
+    const match = file.relativePath.match(/^app\/(.+\/)layout\.(tsx?|jsx?)$/);
+    if (!match) return [];
+    const dir = "app/" + match[1];
+    const hasErrorBoundary = project.allFiles.some(
+      (f) => f.startsWith(dir) && /^error\.(tsx?|jsx?)$/.test(f.slice(dir.length))
+    );
+    if (hasErrorBoundary) return [];
+    return [{
+      ruleId: "missing-error-boundary",
+      file: file.relativePath,
+      line: 1,
+      column: 1,
+      message: `Layout without error.tsx \u2014 errors in ${dir} will bubble up to parent error boundary`,
+      severity: "info",
+      category: "reliability"
+    }];
+  }
+};
+// src/rules/codebase-consistency.ts
+function tallyDimension(label, files, detector) {
+  const variants = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    const variant = detector(file);
+    if (variant) {
+      const list = variants.get(variant) ?? [];
+      list.push(file.relativePath);
+      variants.set(variant, list);
+    }
+  }
+  return { label, variants };
+}
+function detectNamingConvention(file) {
+  let camel = 0;
+  let snake = 0;
+  for (const line of file.lines) {
+    const match = line.match(/export\s+(?:function|const|let)\s+(\w+)/);
+    if (match) {
+      const name = match[1];
+      if (/[a-z][A-Z]/.test(name)) camel++;
+      else if (/_[a-z]/.test(name)) snake++;
+    }
+  }
+  if (camel > 0 && snake === 0) return "camelCase";
+  if (snake > 0 && camel === 0) return "snake_case";
+  if (camel > 0 && snake > 0) return "mixed";
+  return null;
+}
+function detectImportStyle(file) {
+  let esm = 0;
+  let cjs = 0;
+  for (const line of file.lines) {
+    if (/^\s*import\s+/.test(line)) esm++;
+    if (/\brequire\s*\(/.test(line)) cjs++;
+  }
+  if (esm > 0 && cjs === 0) return "ESM import";
+  if (cjs > 0 && esm === 0) return "CJS require";
+  if (esm > 0 && cjs > 0) return "mixed";
+  return null;
+}
+function detectHttpClient(file) {
+  const content = file.content;
+  if (/\baxios[\s.(]/.test(content)) return "axios";
+  if (/\bgot[\s.(]/.test(content) && /from\s+['"]got['"]/.test(content)) return "got";
+  if (/\bky[\s.(]/.test(content) && /from\s+['"]ky['"]/.test(content)) return "ky";
+  if (/\bfetch\s*\(/.test(content)) return "fetch";
+  return null;
+}
+function detectAsyncPattern(file) {
+  let awaits = 0;
+  let thens = 0;
+  let callbacks = 0;
+  for (const line of file.lines) {
+    if (/\bawait\b/.test(line)) awaits++;
+    if (/\.then\s*\(/.test(line)) thens++;
+    if (/,\s*(?:function\s*\(|(?:err|error|cb|callback)\s*=>)/.test(line)) callbacks++;
+  }
+  const total = awaits + thens + callbacks;
+  if (total === 0) return null;
+  if (awaits > 0 && thens === 0 && callbacks === 0) return "async/await";
+  if (thens > 0 && awaits === 0) return ".then() chains";
+  if (callbacks > 0 && awaits === 0 && thens === 0) return "callbacks";
+  if (awaits > 0 && thens > 0) return "mixed async";
+  return null;
+}
+function detectQuoteStyle(file) {
+  let single = 0;
+  let double = 0;
+  for (const line of file.lines) {
+    const imports = line.match(/from\s+(['"])/g);
+    if (imports) {
+      for (const m of imports) {
+        if (m.includes("'")) single++;
+        else double++;
+      }
+    }
+  }
+  if (single > 0 && double === 0) return "single quotes";
+  if (double > 0 && single === 0) return "double quotes";
+  if (single > 0 && double > 0) return "mixed quotes";
+  return null;
+}
+var codebaseConsistencyRule = {
+  id: "codebase-consistency",
+  name: "Codebase Consistency",
+  description: "Detects conflicting conventions across files \u2014 naming, imports, async patterns, HTTP clients",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(files, _project) {
+    const sourceFiles = files.filter(
+      (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath) && !isConfigFile(f.relativePath)
+    );
+    if (sourceFiles.length < 3) return [];
+    const dimensions = [
+      tallyDimension("Naming convention", sourceFiles, detectNamingConvention),
+      tallyDimension("Import style", sourceFiles, detectImportStyle),
+      tallyDimension("HTTP client", sourceFiles, detectHttpClient),
+      tallyDimension("Async pattern", sourceFiles, detectAsyncPattern),
+      tallyDimension("Quote style", sourceFiles, detectQuoteStyle)
+    ];
+    const findings = [];
+    for (const dim of dimensions) {
+      if (dim.variants.size < 2) continue;
+      let total = 0;
+      let dominant = "";
+      let dominantCount = 0;
+      for (const [variant, fileList] of dim.variants) {
+        total += fileList.length;
+        if (fileList.length > dominantCount) {
+          dominantCount = fileList.length;
+          dominant = variant;
+        }
+      }
+      const consistency = Math.round(dominantCount / total * 100);
+      if (consistency >= 90) continue;
+      const minorities = [];
+      for (const [variant, fileList] of dim.variants) {
+        if (variant !== dominant) {
+          minorities.push(`${variant} (${fileList.length} files)`);
+        }
+      }
+      findings.push({
+        ruleId: "codebase-consistency",
+        file: "(project)",
+        line: 1,
+        column: 1,
+        message: `${dim.label}: ${consistency}% consistent \u2014 dominant: ${dominant} (${dominantCount} files), minority: ${minorities.join(", ")}`,
+        severity: consistency < 60 ? "warning" : "info",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+// src/rules/dead-exports.ts
+function isEntryPoint(relativePath) {
+  const name = relativePath.split("/").pop() ?? "";
+  return /^(page|layout|loading|error|not-found|route|middleware|instrumentation)\.(tsx?|jsx?)$/.test(name) || /^index\.(tsx?|jsx?)$/.test(name) || name === "global-error.tsx" || name === "global-error.jsx";
+}
+var THRESHOLD = 5;
+var deadExportsRule = {
+  id: "dead-exports",
+  name: "Dead Exports",
+  description: "Detects exported symbols never imported anywhere in the project \u2014 context pollution for AI tools",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(files, _project) {
+    const sourceFiles = files.filter(
+      (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath)
+    );
+    const exports = /* @__PURE__ */ new Map();
+    const imports = /* @__PURE__ */ new Set();
+    const importedFiles = /* @__PURE__ */ new Set();
+    for (const file of sourceFiles) {
+      if (isEntryPoint(file.relativePath)) continue;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        let match;
+        const namedRe = /export\s+(?:async\s+)?(?:function|const|let|class|enum)\s+(\w+)/g;
+        while ((match = namedRe.exec(line)) !== null) {
+          if (/export\s+(type|interface)\s/.test(line)) continue;
+          exports.set(`${file.relativePath}::${match[1]}`, { file: file.relativePath, line: i + 1 });
+        }
+        const braceRe = /export\s*\{([^}]+)\}/g;
+        while ((match = braceRe.exec(line)) !== null) {
+          const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/).pop()?.trim()).filter(Boolean);
+          for (const sym of symbols) {
+            if (sym) exports.set(`${file.relativePath}::${sym}`, { file: file.relativePath, line: i + 1 });
+          }
+        }
+      }
+    }
+    for (const file of files) {
+      for (const line of file.lines) {
+        let match;
+        const bracesRe = /import\s*(?:type\s*)?\{([^}]+)\}\s*from/g;
+        while ((match = bracesRe.exec(line)) !== null) {
+          const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/)[0].trim()).filter(Boolean);
+          for (const sym of symbols) imports.add(sym);
+        }
+        const defaultRe = /import\s+(\w+)\s+from/g;
+        while ((match = defaultRe.exec(line)) !== null) {
+          imports.add(match[1]);
+        }
+        const fromRe = /from\s+['"]([^'"]+)['"]/g;
+        while ((match = fromRe.exec(line)) !== null) {
+          importedFiles.add(match[1]);
+        }
+      }
+    }
+    const deadByFile = /* @__PURE__ */ new Map();
+    for (const [key, loc] of exports) {
+      const symbolName = key.split("::")[1];
+      if (!imports.has(symbolName)) {
+        deadByFile.set(loc.file, (deadByFile.get(loc.file) ?? 0) + 1);
+      }
+    }
+    const findings = [];
+    let totalDead = 0;
+    for (const [file, count] of deadByFile) {
+      totalDead += count;
+    }
+    if (totalDead >= THRESHOLD) {
+      const topFiles = [...deadByFile.entries()].sort((a, b) => b[1] - a[1]).slice(0, 5).map(([f, c]) => `${f} (${c})`);
+      findings.push({
+        ruleId: "dead-exports",
+        file: "(project)",
+        line: 1,
+        column: 1,
+        message: `${totalDead} exported symbols never imported \u2014 dead exports pollute AI context. Top files: ${topFiles.join(", ")}`,
+        severity: totalDead > 20 ? "warning" : "info",
+        category: "ai-quality"
+      });
+    }
+    return findings;
+  }
+};
+// src/rules/shallow-catch.ts
+function scoreCatchBody(bodyLines) {
+  if (bodyLines.length === 0 || bodyLines.every((l) => l.trim() === "")) {
+    return { score: 0, label: "empty catch" };
+  }
+  const body = bodyLines.join("\n");
+  let score = 0;
+  if (/console\.(log|warn|error|info)\s*\(/.test(body)) score = 1;
+  if (/console\.(error|warn)\s*\(/.test(body) && /\b(err|error|e)\b/.test(body)) score = 2;
+  if (/\bthrow\b/.test(body) || /\breturn\b.*(?:error|err|status|Response|NextResponse|json)/.test(body) || /\bset\w*Error\s*\(/.test(body) || /\bres\.\w+\s*\(/.test(body)) {
+    score = 3;
+  }
+  const labels = {
+    0: "empty catch",
+    1: "catch only logs (no recovery or propagation)",
+    2: "catch logs error but does not propagate or recover",
+    3: "catch handles error properly"
+  };
+  return { score, label: labels[score] };
+}
+var shallowCatchRule = {
+  id: "shallow-catch",
+  name: "Shallow Error Handler",
+  description: "Detects catch blocks that exist but do nothing useful \u2014 decorative error handling",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const trimmed = file.lines[i].trim();
+      if (!/\bcatch\s*\(/.test(trimmed) && !/\bcatch\s*\{/.test(trimmed)) continue;
+      let braceStart = -1;
+      for (let j = i; j < Math.min(i + 3, file.lines.length); j++) {
+        if (file.lines[j].includes("{")) {
+          braceStart = j;
+          break;
+        }
+      }
+      if (braceStart === -1) continue;
+      let depth = 0;
+      let bodyEnd = braceStart;
+      for (let j = braceStart; j < file.lines.length; j++) {
+        const line = file.lines[j];
+        const startPos = j === braceStart ? line.indexOf("{") : 0;
+        for (let k = startPos; k < line.length; k++) {
+          if (line[k] === "{") depth++;
+          if (line[k] === "}") {
+            depth--;
+            if (depth === 0) {
+              bodyEnd = j;
+              break;
+            }
+          }
+        }
+        if (depth === 0) break;
+      }
+      const bodyLines = file.lines.slice(braceStart + 1, bodyEnd);
+      const { score, label } = scoreCatchBody(bodyLines);
+      if (score <= 1) {
+        findings.push({
+          ruleId: "shallow-catch",
+          file: file.relativePath,
+          line: i + 1,
+          column: file.lines[i].indexOf("catch") + 1,
+          message: score === 0 ? "Empty catch block \u2014 errors are silently swallowed" : `Decorative error handler: ${label}`,
+          severity: score === 0 ? "warning" : "info",
+          category: "reliability"
+        });
+      }
+      i = bodyEnd;
+    }
+    return findings;
+  }
+};
+// src/rules/comprehension-debt.ts
+var MAX_FUNCTION_LENGTH = 80;
+var MAX_NESTING_DEPTH = 5;
+var MAX_PARAMS = 5;
+function isContentFile(relativePath) {
+  return /(?:^|\/)content\//.test(relativePath) || /(?:^|\/)blog\//.test(relativePath) || /\(legal\)\//.test(relativePath);
+}
+var comprehensionDebtRule = {
+  id: "comprehension-debt",
+  name: "Comprehension Debt",
+  description: "Detects code that is hard to understand \u2014 long functions, deep nesting, excessive parameters",
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (isContentFile(file.relativePath)) return [];
+    const findings = [];
+    let fnStart = -1;
+    let fnName = "";
+    let braceDepth = 0;
+    let maxDepthInFn = 0;
+    let fnBraceStart = -1;
+    let inFunction = false;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      const fnMatch = trimmed.match(/(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/) ?? trimmed.match(/(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:)/);
+      if (fnMatch && !inFunction) {
+        fnName = fnMatch[1];
+        fnStart = i;
+        const params = fnMatch[2].split(",").filter((p) => p.trim()).length;
+        if (params > MAX_PARAMS) {
+          findings.push({
+            ruleId: "comprehension-debt",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message: `${fnName}() has ${params} parameters (max ${MAX_PARAMS}) \u2014 hard to call correctly`,
+            severity: "info",
+            category: "ai-quality"
+          });
+        }
+      }
+      for (const ch of line) {
+        if (ch === "{") {
+          braceDepth++;
+          if (fnStart >= 0 && fnBraceStart === -1) {
+            fnBraceStart = braceDepth;
+            inFunction = true;
+          }
+          if (inFunction && braceDepth - fnBraceStart > maxDepthInFn) {
+            maxDepthInFn = braceDepth - fnBraceStart;
+          }
+        }
+        if (ch === "}") {
+          braceDepth--;
+          if (inFunction && braceDepth < fnBraceStart) {
+            const length = i - fnStart + 1;
+            if (length > MAX_FUNCTION_LENGTH) {
+              findings.push({
+                ruleId: "comprehension-debt",
+                file: file.relativePath,
+                line: fnStart + 1,
+                column: 1,
+                message: `${fnName}() is ${length} lines long (max ${MAX_FUNCTION_LENGTH}) \u2014 consider splitting`,
+                severity: "info",
+                category: "ai-quality"
+              });
+            }
+            if (maxDepthInFn > MAX_NESTING_DEPTH) {
+              findings.push({
+                ruleId: "comprehension-debt",
+                file: file.relativePath,
+                line: fnStart + 1,
+                column: 1,
+                message: `${fnName}() has nesting depth ${maxDepthInFn} (max ${MAX_NESTING_DEPTH}) \u2014 flatten with early returns`,
+                severity: "info",
+                category: "ai-quality"
+              });
+            }
+            inFunction = false;
+            fnStart = -1;
+            fnBraceStart = -1;
+            maxDepthInFn = 0;
+            fnName = "";
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+// src/rules/phantom-dependency.ts
+var PHANTOM_PACKAGES = /* @__PURE__ */ new Set([
+  "huggingface-cli",
+  // hallucinated, real: huggingface_hub
+  "flask-hierarchical",
+  // hallucinated
+  "beautifulsoup",
+  // real is beautifulsoup4
+  "python-dotenv",
+  // real is python-dotenv (this one exists but confusable)
+  "openai-sdk",
+  // hallucinated, real: openai
+  "anthropic-sdk",
+  // hallucinated, real: @anthropic-ai/sdk
+  "langchain-core",
+  // confusable with @langchain/core
+  "react-native-utils",
+  // hallucinated generic
+  "next-middleware",
+  // hallucinated
+  "supabase-client",
+  // hallucinated, real: @supabase/supabase-js
+  "stripe-sdk",
+  // hallucinated, real: stripe
+  "prisma-client",
+  // hallucinated, real: @prisma/client
+  "tailwind-utils",
+  // hallucinated
+  "express-validator-v2",
+  // hallucinated
+  "node-postgres-pool",
+  // hallucinated, real: pg
+  "mongo-client",
+  // hallucinated, real: mongodb
+  "redis-client",
+  // hallucinated, real: redis or ioredis
+  "aws-s3-upload",
+  // hallucinated
+  "gpt-tokenizer"
+  // exists but often confused
+]);
+var SUSPICIOUS_PATTERNS = [
+  /^[a-z]{1,2}$/,
+  // 1-2 char names
+  /-js$/,
+  // redundant -js suffix often hallucinated
+  /^(the|my|simple|easy|fast|super|mega|ultra)-/
+  // vanity prefixes
+];
+var phantomDependencyRule = {
+  id: "phantom-dependency",
+  name: "Phantom Dependency",
+  description: "Detects commonly hallucinated or suspicious package names \u2014 slopsquatting prevention",
+  category: "security",
+  severity: "warning",
+  fileExtensions: [],
+  check() {
+    return [];
+  },
+  checkProject(_files, project) {
+    if (!project.packageJson) return [];
+    const findings = [];
+    const deps = {
+      ...project.packageJson.dependencies ?? {},
+      ...project.packageJson.devDependencies ?? {}
+    };
+    for (const [name, _version] of Object.entries(deps)) {
+      if (PHANTOM_PACKAGES.has(name)) {
+        findings.push({
+          ruleId: "phantom-dependency",
+          file: "package.json",
+          line: 1,
+          column: 1,
+          message: `"${name}" is a commonly hallucinated package name \u2014 verify it exists and is the correct package`,
+          severity: "warning",
+          category: "security"
+        });
+      }
+      for (const pattern of SUSPICIOUS_PATTERNS) {
+        if (pattern.test(name) && !name.startsWith("@")) {
+          findings.push({
+            ruleId: "phantom-dependency",
+            file: "package.json",
+            line: 1,
+            column: 1,
+            message: `"${name}" has a suspicious package name pattern \u2014 verify it's legitimate`,
+            severity: "info",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
 // src/rules/index.ts
 var rules = [
+  // Security
   secretsRule,
-  hallucinatedImportsRule,
   authChecksRule,
   envExposureRule,
-  errorHandlingRule,
   inputValidationRule,
-  rateLimitingRule,
   corsConfigRule,
-  aiSmellsRule,
   unsafeHtmlRule,
-  sqlInjectionRule
+  sqlInjectionRule,
+  openRedirectRule,
+  rateLimitingRule,
+  phantomDependencyRule,
+  // Reliability
+  hallucinatedImportsRule,
+  errorHandlingRule,
+  unhandledPromiseRule,
+  shallowCatchRule,
+  missingLoadingStateRule,
+  missingErrorBoundaryRule,
+  // Performance
+  noSyncFsRule,
+  noNPlusOneRule,
+  noUnboundedQueryRule,
+  noDynamicImportLoopRule,
+  // AI Quality
+  aiSmellsRule,
+  placeholderContentRule,
+  hallucinatedApiRule,
+  staleFallbackRule,
+  comprehensionDebtRule,
+  codebaseConsistencyRule,
+  deadExportsRule
 ];
 // src/scanner.ts
@@ -1012,9 +2051,11 @@ async function scan(options) {
   const filePaths = await walkFiles(root, options.ignore);
   const project = await buildProjectContext(root, filePaths);
   const findings = [];
+  const allFiles = [];
   for (const relativePath of filePaths) {
     const file = await readFileContext(root, relativePath);
     if (!file) continue;
+    allFiles.push(file);
     for (const rule of rules) {
       if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
         continue;
@@ -1027,6 +2068,12 @@ async function scan(options) {
       }
     }
   }
+  for (const rule of rules) {
+    if (rule.checkProject) {
+      const projectFindings = rule.checkProject(allFiles, project);
+      findings.push(...projectFindings);
+    }
+  }
   const { overallScore, categoryScores } = calculateScores(findings);
   const summary = summarizeFindings(findings);
   return {