prodlint 0.3.1 → 0.6.0

package/dist/cli.js

@@ -163,6 +163,133 @@ var NODE_BUILTINS = /* @__PURE__ */ new Set([
   // node: prefixed are handled separately
 ]);
 
+// src/utils/ast.ts
+import { parse } from "@babel/parser";
+function parseFile(content, fileName) {
+  const plugins = ["decorators"];
+  if (/\.tsx?$/.test(fileName)) {
+    plugins.push("typescript");
+  }
+  if (/\.[jt]sx$/.test(fileName)) {
+    plugins.push("jsx");
+  }
+  if (/\.(js|mjs|cjs)$/.test(fileName)) {
+    plugins.push("jsx");
+  }
+  try {
+    return parse(content, {
+      sourceType: "module",
+      allowImportExportEverywhere: true,
+      allowReturnOutsideFunction: true,
+      plugins
+    });
+  } catch {
+    return null;
+  }
+}
+function walkAST(node, visitor, parent = null) {
+  if (!node || typeof node !== "object") return;
+  visitor(node, parent);
+  for (const key of Object.keys(node)) {
+    if (key === "start" || key === "end" || key === "loc" || key === "type") continue;
+    const val = node[key];
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        if (item && typeof item === "object" && item.type) {
+          walkAST(item, visitor, node);
+        }
+      }
+    } else if (val && typeof val === "object" && val.type) {
+      walkAST(val, visitor, node);
+    }
+  }
+}
+function isTaggedTemplateSql(node) {
+  const tag = node.tag;
+  if (tag.type === "Identifier" && tag.name === "sql") return true;
+  if (tag.type === "MemberExpression") {
+    const prop = tag.property;
+    if (prop.type === "Identifier" && (prop.name === "sql" || prop.name === "query" || prop.name === "raw")) {
+      return true;
+    }
+  }
+  return false;
+}
+function findLoopsAST(ast) {
+  const loops = [];
+  walkAST(ast.program, (node) => {
+    if (node.type === "ForStatement" || node.type === "ForInStatement" || node.type === "ForOfStatement" || node.type === "WhileStatement" || node.type === "DoWhileStatement") {
+      const loop = node;
+      const body = loop.body;
+      if (body.loc && node.loc) {
+        loops.push({
+          loopLine: node.loc.start.line - 1,
+          bodyStart: body.loc.start.line - 1,
+          bodyEnd: body.loc.end.line - 1
+        });
+      }
+    }
+    if (node.type === "CallExpression") {
+      const call = node;
+      if (call.callee.type === "MemberExpression" && call.callee.property.type === "Identifier" && (call.callee.property.name === "forEach" || call.callee.property.name === "map")) {
+        const callback = call.arguments[0];
+        if (callback && callback.loc && node.loc) {
+          loops.push({
+            loopLine: node.loc.start.line - 1,
+            bodyStart: callback.loc.start.line - 1,
+            bodyEnd: callback.loc.end.line - 1
+          });
+        }
+      }
+    }
+  });
+  return loops;
+}
+
+// src/utils/frameworks.ts
+var FRAMEWORK_SAFE_METHODS = {
+  prisma: ["contains", "startsWith", "endsWith", "has", "hasEvery", "hasSome", "isEmpty"],
+  supabase: ["contains", "containedBy", "overlaps", "eq", "neq", "gt", "gte", "lt", "lte"],
+  drizzle: ["arrayContains", "arrayContainedIn", "arrayOverlaps"],
+  lodash: ["flatten", "flattenDeep", "contains", "includes", "has"],
+  mongoose: ["contains"]
+};
+function isFrameworkSafeMethod(methodName, frameworks) {
+  for (const framework of frameworks) {
+    const safeMethods = FRAMEWORK_SAFE_METHODS[framework];
+    if (safeMethods && safeMethods.includes(methodName)) {
+      return true;
+    }
+  }
+  return false;
+}
+var DEPENDENCY_TO_FRAMEWORK = {
+  "@prisma/client": "prisma",
+  "prisma": "prisma",
+  "@supabase/supabase-js": "supabase",
+  "@supabase/ssr": "supabase",
+  "drizzle-orm": "drizzle",
+  "@trpc/server": "trpc",
+  "next-auth": "next-auth",
+  "@auth/nextjs": "next-auth",
+  "@auth/core": "next-auth",
+  "express": "express",
+  "fastify": "fastify",
+  "hono": "hono",
+  "lodash": "lodash",
+  "lodash-es": "lodash",
+  "underscore": "lodash",
+  "mongoose": "mongoose",
+  "typeorm": "typeorm",
+  "sequelize": "sequelize",
+  "knex": "knex",
+  "@upstash/ratelimit": "upstash-ratelimit",
+  "express-rate-limit": "express-rate-limit",
+  "rate-limiter-flexible": "rate-limiter-flexible"
+};
+var SQL_SAFE_ORMS = /* @__PURE__ */ new Set(["prisma", "drizzle", "knex", "typeorm", "sequelize"]);
+var RATE_LIMIT_FRAMEWORKS = /* @__PURE__ */ new Set(["upstash-ratelimit", "express-rate-limit", "rate-limiter-flexible"]);
+
 // src/utils/file-walker.ts
 var DEFAULT_IGNORES = [
   "**/node_modules/**",
@@ -187,8 +314,10 @@ var SCAN_EXTENSIONS = [
   "jsx",
   "mjs",
   "cjs",
-  "json"
+  "json",
+  "sql"
 ];
+var AST_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mjs", "cjs"]);
 var MAX_FILE_SIZE = 1024 * 1024;
 async function walkFiles(root, extraIgnores = []) {
   const patterns = SCAN_EXTENSIONS.map((ext) => `**/*.${ext}`);
@@ -213,14 +342,23 @@ async function readFileContext(root, relativePath) {
     if (fileStats.size > MAX_FILE_SIZE) return null;
     const content = await readFile(absolutePath, "utf-8");
     const lines = content.split(/\r?\n|\r/);
+    const ext = extname(relativePath).slice(1);
+    let ast = void 0;
+    if (AST_EXTENSIONS.has(ext)) {
+      try {
+        ast = parseFile(content, relativePath);
+      } catch {
+        ast = null;
+      }
+    }
     return {
       absolutePath,
       relativePath,
       content,
       lines,
-      ext: extname(relativePath).slice(1),
-      // remove leading dot
-      commentMap: buildCommentMap(lines)
+      ext,
+      commentMap: buildCommentMap(lines),
+      ast
     };
   } catch {
     return null;
@@ -231,6 +369,8 @@ async function buildProjectContext(root, files) {
   let declaredDependencies = /* @__PURE__ */ new Set();
   let tsconfigPaths = /* @__PURE__ */ new Set();
   let hasAuthMiddleware = false;
+  let hasRateLimiting = false;
+  const detectedFrameworks = /* @__PURE__ */ new Set();
   let gitignoreContent = null;
   let envInGitignore = false;
   try {
@@ -242,6 +382,18 @@ async function buildProjectContext(root, files) {
       ...packageJson?.peerDependencies ?? {}
     };
     declaredDependencies = new Set(Object.keys(deps));
+    for (const dep of declaredDependencies) {
+      const framework = DEPENDENCY_TO_FRAMEWORK[dep];
+      if (framework) {
+        detectedFrameworks.add(framework);
+      }
+    }
+    for (const framework of detectedFrameworks) {
+      if (RATE_LIMIT_FRAMEWORKS.has(framework)) {
+        hasRateLimiting = true;
+        break;
+      }
+    }
   } catch {
   }
   try {
@@ -285,6 +437,18 @@ async function buildProjectContext(root, files) {
     }
   } catch {
   }
+  if (!hasRateLimiting) {
+    for (const name of ["middleware.ts", "middleware.js", "src/middleware.ts", "src/middleware.js"]) {
+      try {
+        const content = await readFile(resolve(root, name), "utf-8");
+        if (/rateLimit/i.test(content) || /throttle/i.test(content)) {
+          hasRateLimiting = true;
+          break;
+        }
+      } catch {
+      }
+    }
+  }
   try {
     gitignoreContent = await readFile(resolve(root, ".gitignore"), "utf-8");
     envInGitignore = /^\.env$/m.test(gitignoreContent) || /^\.env\*$/m.test(gitignoreContent) || /^\.env\.\*$/m.test(gitignoreContent) || /^\.env\.local$/m.test(gitignoreContent);
@@ -296,6 +460,8 @@ async function buildProjectContext(root, files) {
     declaredDependencies,
     tsconfigPaths,
     hasAuthMiddleware,
+    hasRateLimiting,
+    detectedFrameworks,
     gitignoreContent,
     envInGitignore,
     allFiles: files
@@ -320,26 +486,58 @@ function getVersion() {
 
 // src/scorer.ts
 var CATEGORIES = ["security", "reliability", "performance", "ai-quality"];
+var CATEGORY_WEIGHTS = {
+  "security": 0.4,
+  "reliability": 0.3,
+  "performance": 0.15,
+  "ai-quality": 0.15
+};
 var DEDUCTIONS = {
-  critical: 10,
-  warning: 3,
-  info: 1
+  critical: 8,
+  warning: 2,
+  info: 0.5
+};
+var PER_RULE_CAP = {
+  critical: 1,
+  warning: 2,
+  info: 3
 };
 function calculateScores(findings) {
   const categoryScores = CATEGORIES.map((category) => {
     const categoryFindings = findings.filter((f) => f.category === category);
-    let score = 100;
+    const byRule = /* @__PURE__ */ new Map();
     for (const f of categoryFindings) {
-      score -= DEDUCTIONS[f.severity] ?? 0;
+      const arr = byRule.get(f.ruleId) ?? [];
+      arr.push(f);
+      byRule.set(f.ruleId, arr);
+    }
+    let totalDeduction = 0;
+    for (const [, ruleFindings] of byRule) {
+      const bySeverity = { critical: 0, warning: 0, info: 0 };
+      for (const f of ruleFindings) {
+        bySeverity[f.severity]++;
+      }
+      for (const sev of ["critical", "warning", "info"]) {
+        const count = Math.min(bySeverity[sev], PER_RULE_CAP[sev]);
+        totalDeduction += count * DEDUCTIONS[sev];
+      }
+    }
+    let effectiveDeduction;
+    if (totalDeduction <= 30) {
+      effectiveDeduction = totalDeduction;
+    } else if (totalDeduction <= 50) {
+      effectiveDeduction = 30 + (totalDeduction - 30) * 0.5;
+    } else {
+      effectiveDeduction = 30 + (50 - 30) * 0.5 + (totalDeduction - 50) * 0.25;
     }
     return {
       category,
-      score: Math.max(0, score),
+      score: Math.max(0, Math.round(100 - effectiveDeduction)),
       findingCount: categoryFindings.length
     };
   });
   const overallScore = Math.round(
-    categoryScores.reduce((sum, c) => sum + c.score, 0) / CATEGORIES.length
+    categoryScores.reduce((sum, c) => sum + c.score * CATEGORY_WEIGHTS[c.category], 0)
   );
   return { overallScore, categoryScores };
 }
@@ -510,25 +708,36 @@ var AUTH_PATTERNS = [
   /jwt\.verify\s*\(/,
   /createRouteHandlerClient/,
   /createServerComponentClient/,
+  /createMiddlewareClient/,
   /authorization/i,
-  /bearer/i
+  /getAuth\s*\(/,
+  /withPageAuth/,
+  /cookies\(\).*auth/s
 ];
+var MUTATION_EXPORT = /export\s+(?:async\s+)?function\s+(POST|PUT|PATCH|DELETE)\b/;
 var authChecksRule = {
   id: "auth-checks",
   name: "Missing Auth Checks",
   description: "Detects API routes that lack authentication checks",
   category: "security",
-  severity: "critical",
+  severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, project) {
     if (!isApiRoute(file.relativePath)) return [];
     for (const pattern of AUTH_EXEMPT_PATTERNS) {
       if (pattern.test(file.relativePath)) return [];
     }
-    const severity = project.hasAuthMiddleware ? "info" : "critical";
     for (const pattern of AUTH_PATTERNS) {
       if (pattern.test(file.content)) return [];
     }
+    let severity;
+    if (project.hasAuthMiddleware) {
+      severity = "info";
+    } else if (MUTATION_EXPORT.test(file.content)) {
+      severity = "critical";
+    } else {
+      severity = "info";
+    }
     let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
       if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
@@ -625,7 +834,10 @@ var errorHandlingRule = {
     if (!isApiRoute(file.relativePath)) return [];
     const hasFrameworkServe = /\bserve\s*\(/.test(file.content) || /createTRPCHandle/.test(file.content) || /fetchRequestHandler/.test(file.content);
     const hasTryCatch = /try\s*\{/.test(file.content);
-    if (hasTryCatch || hasFrameworkServe) return [];
+    const hasCatchChain = /\.catch\s*\(/.test(file.content);
+    const hasOnError = /onError\s*[:(]/.test(file.content);
+    const hasNextResponseError = /NextResponse\.json\s*\([^)]*(?:error|status:\s*[45]\d{2})/.test(file.content);
+    if (hasTryCatch || hasFrameworkServe || hasCatchChain || hasOnError || hasNextResponseError) return [];
     let handlerLine = 1;
     for (let i = 0; i < file.lines.length; i++) {
       if (/export\s+(async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE|handler)/i.test(file.lines[i])) {
@@ -730,10 +942,11 @@ var rateLimitingRule = {
   name: "Missing Rate Limiting",
   description: "Detects API routes without rate limiting",
   category: "security",
-  severity: "warning",
+  severity: "info",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
-  check(file, _project) {
+  check(file, project) {
     if (!isApiRoute(file.relativePath)) return [];
+    if (project.hasRateLimiting) return [];
     for (const pattern of EXEMPT_PATTERNS) {
       if (pattern.test(file.relativePath)) return [];
     }
@@ -753,7 +966,7 @@ var rateLimitingRule = {
       line: handlerLine,
       column: 1,
       message: "No rate limiting \u2014 anyone could spam this endpoint and run up your API costs",
-      severity: "warning",
+      severity: "info",
       category: "security"
     }];
   }
@@ -981,6 +1194,8 @@ var SQL_INJECTION_PATTERNS = [
   // .query() or .execute() with template literal
   { pattern: /\.(?:query|execute|raw)\s*\(\s*`[^`]*\$\{/, message: "Database query with template literal interpolation \u2014 use parameterized queries" }
 ];
+var TAGGED_TEMPLATE_PREFIX = /\b(?:sql|Prisma\.sql|db\.sql|db\.query)\s*`/;
+var PARAMETERIZED_QUERY = /\.(?:query|execute)\s*\([^,]+,\s*\[/;
 var sqlInjectionRule = {
   id: "sql-injection",
   name: "SQL Injection Risk",
@@ -988,20 +1203,42 @@ var sqlInjectionRule = {
   category: "security",
   severity: "critical",
   fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
-  check(file, _project) {
+  check(file, project) {
     const findings = [];
+    const safeTaggedLines = /* @__PURE__ */ new Set();
+    if (file.ast) {
+      try {
+        walkAST(file.ast.program, (node) => {
+          if (node.type === "TaggedTemplateExpression") {
+            const tagged = node;
+            if (isTaggedTemplateSql(tagged) && tagged.loc) {
+              for (let l = tagged.loc.start.line; l <= tagged.loc.end.line; l++) {
+                safeTaggedLines.add(l);
+              }
+            }
+          }
+        });
+      } catch {
+      }
+    }
+    const usesORM = [...project.detectedFrameworks].some((f) => SQL_SAFE_ORMS.has(f));
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
+      const lineNum = i + 1;
+      if (safeTaggedLines.has(lineNum)) continue;
+      if (!file.ast && TAGGED_TEMPLATE_PREFIX.test(line)) continue;
+      if (PARAMETERIZED_QUERY.test(line)) continue;
       for (const { pattern, message } of SQL_INJECTION_PATTERNS) {
         if (pattern.test(line)) {
+          const severity = usesORM ? "warning" : "critical";
           findings.push({
             ruleId: "sql-injection",
             file: file.relativePath,
-            line: i + 1,
+            line: lineNum,
             column: 1,
             message,
-            severity: "critical",
+            severity,
             category: "security"
           });
           break;
@@ -1023,7 +1260,7 @@ var PLACEHOLDERS = [
   { pattern: /['"]password123['"]/, label: 'Placeholder password "password123"' },
   { pattern: /['"]changeme['"]/, label: 'Placeholder value "changeme"' },
   { pattern: /['"]your-api-key-here['"]/, label: "Placeholder API key" },
-  { pattern: /['"]replace-with-['"]/, label: 'Placeholder "replace-with-" value' },
+  { pattern: /['"]replace-with-[^'"]*['"]/, label: 'Placeholder "replace-with-" value' },
   { pattern: /['"]xxx+['"]/, label: 'Placeholder "xxx" value' },
   { pattern: /['"]TODO:?\s*replace['"/]/i, label: "TODO replace placeholder" }
 ];
@@ -1063,13 +1300,13 @@ var placeholderContentRule = {
 // src/rules/stale-fallback.ts
 var STALE_PATTERNS = [
   { pattern: /['"]http:\/\/localhost:\d+['"]/, label: "Hardcoded localhost URL" },
-  { pattern: /['"]https?:\/\/127\.0\.0\.1[:'"]/, label: "Hardcoded 127.0.0.1 URL" },
-  { pattern: /['"]redis:\/\/localhost['"]/, label: "Hardcoded Redis localhost URL" },
-  { pattern: /['"]mongodb:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
-  { pattern: /['"]mongodb\+srv:\/\/localhost['"]/, label: "Hardcoded MongoDB localhost URL" },
-  { pattern: /['"]postgres:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
-  { pattern: /['"]postgresql:\/\/localhost['"]/, label: "Hardcoded Postgres localhost URL" },
-  { pattern: /['"]amqp:\/\/localhost['"]/, label: "Hardcoded AMQP localhost URL" }
+  { pattern: /['"]https?:\/\/127\.0\.0\.1[/:'"]/, label: "Hardcoded 127.0.0.1 URL" },
+  { pattern: /['"]redis:\/\/localhost[/'"]/, label: "Hardcoded Redis localhost URL" },
+  { pattern: /['"]mongodb:\/\/localhost[/'"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]mongodb\+srv:\/\/localhost[/'"]/, label: "Hardcoded MongoDB localhost URL" },
+  { pattern: /['"]postgres:\/\/localhost[/'"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]postgresql:\/\/localhost[/'"]/, label: "Hardcoded Postgres localhost URL" },
+  { pattern: /['"]amqp:\/\/localhost[/'"]/, label: "Hardcoded AMQP localhost URL" }
 ];
 var staleFallbackRule = {
   id: "stale-fallback",
@@ -1108,15 +1345,15 @@ var staleFallbackRule = {
 
 // src/rules/hallucinated-api.ts
 var HALLUCINATED_APIS = [
-  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()" },
-  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()" },
-  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()" },
-  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()" },
-  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()" },
-  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()" },
-  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()" },
-  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)" },
-  { pattern: /\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()" }
+  { pattern: /\.flatten\s*\(/, fix: "Use .flat() instead of .flatten()", methodName: "flatten" },
+  { pattern: /\.contains\s*\(/, fix: "Use .includes() instead of .contains()", methodName: "contains" },
+  { pattern: /\.substr\s*\(/, fix: "Use .substring() or .slice() instead of deprecated .substr()", methodName: "substr" },
+  { pattern: /\.trimLeft\s*\(/, fix: "Use .trimStart() instead of deprecated .trimLeft()", methodName: "trimLeft" },
+  { pattern: /\.trimRight\s*\(/, fix: "Use .trimEnd() instead of deprecated .trimRight()", methodName: "trimRight" },
+  { pattern: /response\.body\.json\s*\(/, fix: "Use response.json() instead of response.body.json()", methodName: "json" },
+  { pattern: /fetch\.abort\s*\(/, fix: "Use AbortController instead of fetch.abort()", methodName: "abort" },
+  { pattern: /\.isArray\s*\(\s*\)/, fix: "Array.isArray() is static \u2014 use Array.isArray(value)", methodName: "isArray" },
+  { pattern: /(?<!Object\.prototype)\.hasOwnProperty\s*\(/, fix: "Use Object.hasOwn() instead of .hasOwnProperty()", methodName: "hasOwnProperty" }
 ];
 var hallucinatedApiRule = {
   id: "hallucinated-api",
@@ -1125,14 +1362,16 @@ var hallucinatedApiRule = {
   category: "ai-quality",
   severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
-  check(file, _project) {
+  check(file, project) {
     const findings = [];
+    const frameworks = project.detectedFrameworks;
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
-      for (const { pattern, fix } of HALLUCINATED_APIS) {
+      for (const { pattern, fix, methodName } of HALLUCINATED_APIS) {
         const match = pattern.exec(line);
         if (match) {
+          if (isFrameworkSafeMethod(methodName, frameworks)) continue;
           findings.push({
             ruleId: "hallucinated-api",
             file: file.relativePath,
@@ -1150,7 +1389,7 @@ var hallucinatedApiRule = {
 };
 
 // src/rules/open-redirect.ts
-var CRITICAL_PATTERNS = [
+var DIRECT_INPUT_PATTERNS = [
   // redirect(searchParams.get(...)) or redirect(searchParams.get('x')!)
   /redirect\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/,
   // redirect(req.query.x) or redirect(request.nextUrl.searchParams.get(...))
@@ -1159,21 +1398,21 @@ var CRITICAL_PATTERNS = [
   /NextResponse\.redirect\s*\(\s*new\s+URL\s*\(\s*(?:searchParams|query|params)\s*\.get\s*\(/
 ];
 var WARNING_PATTERNS = [
-  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination)\s*[,)]/
+  /redirect\s*\(\s*(?:url|returnUrl|returnTo|redirectUrl|redirectTo|next|callbackUrl|destination|redirect|goto|to|target|uri|href)\s*[,)]/
 ];
 var openRedirectRule = {
   id: "open-redirect",
   name: "Open Redirect",
   description: "Detects user-controlled input passed directly to redirect functions",
   category: "security",
-  severity: "critical",
+  severity: "warning",
   fileExtensions: ["ts", "tsx", "js", "jsx"],
   check(file, _project) {
     const findings = [];
     for (let i = 0; i < file.lines.length; i++) {
       if (isCommentLine(file.lines, i, file.commentMap)) continue;
       const line = file.lines[i];
-      for (const pattern of CRITICAL_PATTERNS) {
+      for (const pattern of DIRECT_INPUT_PATTERNS) {
         const match = pattern.exec(line);
         if (match) {
           findings.push({
@@ -1182,7 +1421,7 @@ var openRedirectRule = {
             line: i + 1,
             column: match.index + 1,
             message: "User input in redirect \u2014 validate against an allowlist to prevent open redirect",
-            severity: "critical",
+            severity: "warning",
             category: "security"
           });
           break;
@@ -1247,6 +1486,7 @@ var noSyncFsRule = {
 
 // src/rules/no-n-plus-one.ts
 var DB_CALL_PATTERN = /(?:prisma\.\w+\.\w+\(|\.findUnique\s*\(|\.findFirst\s*\(|\.findMany\s*\(|\.insert\s*\(|\.upsert\s*\(|fetch\s*\()/;
+var PROMISE_ALL_MAP = /Promise\.(?:all|allSettled)\s*\(\s*\w+\.map\s*\(/;
 var noNPlusOneRule = {
   id: "no-n-plus-one",
   name: "No N+1 Queries",
@@ -1257,14 +1497,33 @@ var noNPlusOneRule = {
   check(file, _project) {
     if (isTestFile(file.relativePath)) return [];
     if (isScriptFile(file.relativePath)) return [];
+    const promiseAllMapLines = /* @__PURE__ */ new Set();
+    for (let i = 0; i < file.lines.length; i++) {
+      if (PROMISE_ALL_MAP.test(file.lines[i])) {
+        for (let j = Math.max(0, i - 1); j < Math.min(file.lines.length, i + 20); j++) {
+          promiseAllMapLines.add(j);
+        }
+      }
+    }
     const findings = [];
-    const loops = findLoopBodies(file.lines, file.commentMap);
+    let loops;
+    if (file.ast) {
+      try {
+        loops = findLoopsAST(file.ast);
+      } catch {
+        loops = findLoopBodies(file.lines, file.commentMap);
+      }
+    } else {
+      loops = findLoopBodies(file.lines, file.commentMap);
+    }
     const reported = /* @__PURE__ */ new Set();
     for (const loop of loops) {
       if (reported.has(loop.loopLine)) continue;
+      if (promiseAllMapLines.has(loop.loopLine)) continue;
       for (let i = loop.bodyStart; i <= loop.bodyEnd; i++) {
         if (isCommentLine(file.lines, i, file.commentMap)) continue;
         const line = file.lines[i];
+        if (promiseAllMapLines.has(i)) continue;
         const match = DB_CALL_PATTERN.exec(line);
         if (match) {
           reported.add(loop.loopLine);
@@ -1398,6 +1657,10 @@ var HANDLED_PATTERNS = [
   /Promise\.allSettled/,
   /Promise\.race/
 ];
+var CHAIN_START_PATTERNS = [
+  /\.from\s*\(/,
+  /\.rpc\s*\(/
+];
 var unhandledPromiseRule = {
   id: "unhandled-promise",
   name: "Unhandled Promise",
@@ -1417,6 +1680,19 @@ var unhandledPromiseRule = {
       if (!asyncMatch) continue;
       const isHandled = HANDLED_PATTERNS.some((p) => p.test(trimmed));
       if (isHandled) continue;
+      const isChainContinuation = CHAIN_START_PATTERNS.some((p) => p.test(trimmed));
+      if (isChainContinuation) {
+        let chainHandled = false;
+        for (let j = i - 1; j >= Math.max(0, i - 10); j--) {
+          const prevTrimmed = file.lines[j].trim();
+          if (prevTrimmed === "" || prevTrimmed.endsWith(";")) break;
+          if (/\bawait\b/.test(prevTrimmed) || /\bconst\s+\w/.test(prevTrimmed) || /\blet\s+\w/.test(prevTrimmed) || /=\s*await\b/.test(prevTrimmed) || /\breturn\b/.test(prevTrimmed)) {
+            chainHandled = true;
+            break;
+          }
+        }
+        if (chainHandled) continue;
+      }
       let handledAbove = false;
       for (let j = i - 1; j >= Math.max(0, i - 5); j--) {
         const prevTrimmed = file.lines[j].trim();
@@ -1484,9 +1760,9 @@ var missingErrorBoundaryRule = {
   severity: "info",
   fileExtensions: ["tsx", "jsx", "ts", "js"],
   check(file, project) {
-    const match = file.relativePath.match(/^app\/(.+\/)layout\.(tsx?|jsx?)$/);
+    const match = file.relativePath.match(/^((?:src\/)?app\/)(.+\/)layout\.(tsx?|jsx?)$/);
     if (!match) return [];
-    const dir = "app/" + match[1];
+    const dir = match[1] + match[2];
     const hasErrorBoundary = project.allFiles.some(
       (f) => f.startsWith(dir) && /^error\.(tsx?|jsx?)$/.test(f.slice(dir.length))
     );
@@ -1664,7 +1940,8 @@ var deadExportsRule = {
       (f) => ["ts", "tsx", "js", "jsx"].includes(f.ext) && !isTestFile(f.relativePath) && !isScriptFile(f.relativePath)
     );
     const exports = /* @__PURE__ */ new Map();
-    const imports = /* @__PURE__ */ new Set();
+    const imports = /* @__PURE__ */ new Map();
+    const allImportedSymbols = /* @__PURE__ */ new Set();
     const importedFiles = /* @__PURE__ */ new Set();
     for (const file of sourceFiles) {
       if (isEntryPoint(file.relativePath)) continue;
@@ -1688,14 +1965,28 @@ var deadExportsRule = {
     for (const file of files) {
       for (const line of file.lines) {
         let match;
+        const fromMatch = line.match(/from\s+['"]([^'"]+)['"]/);
+        const fromBasename = fromMatch ? fromMatch[1].split("/").pop()?.replace(/\.\w+$/, "") ?? "" : "";
         const bracesRe = /import\s*(?:type\s*)?\{([^}]+)\}\s*from/g;
         while ((match = bracesRe.exec(line)) !== null) {
           const symbols = match[1].split(",").map((s) => s.trim().split(/\s+as\s+/)[0].trim()).filter(Boolean);
-          for (const sym of symbols) imports.add(sym);
+          for (const sym of symbols) {
+            allImportedSymbols.add(sym);
+            if (fromBasename) {
+              const set = imports.get(fromBasename) ?? /* @__PURE__ */ new Set();
+              set.add(sym);
+              imports.set(fromBasename, set);
+            }
+          }
         }
         const defaultRe = /import\s+(\w+)\s+from/g;
         while ((match = defaultRe.exec(line)) !== null) {
-          imports.add(match[1]);
+          allImportedSymbols.add(match[1]);
+          if (fromBasename) {
+            const set = imports.get(fromBasename) ?? /* @__PURE__ */ new Set();
+            set.add(match[1]);
+            imports.set(fromBasename, set);
+          }
         }
         const fromRe = /from\s+['"]([^'"]+)['"]/g;
         while ((match = fromRe.exec(line)) !== null) {
@@ -1706,7 +1997,10 @@ var deadExportsRule = {
     const deadByFile = /* @__PURE__ */ new Map();
     for (const [key, loc] of exports) {
       const symbolName = key.split("::")[1];
-      if (!imports.has(symbolName)) {
+      const exportFileBasename = loc.file.split("/").pop()?.replace(/\.\w+$/, "") ?? "";
+      const importSet = imports.get(exportFileBasename);
+      const isImported = importSet?.has(symbolName) ?? false;
+      if (!isImported && !allImportedSymbols.has(symbolName)) {
         deadByFile.set(loc.file, (deadByFile.get(loc.file) ?? 0) + 1);
       }
     }
@@ -1776,12 +2070,33 @@ var shallowCatchRule = {
       if (braceStart === -1) continue;
       let depth = 0;
       let bodyEnd = braceStart;
+      let inSingle = false;
+      let inDouble = false;
+      let inTemplate = false;
       for (let j = braceStart; j < file.lines.length; j++) {
         const line = file.lines[j];
         const startPos = j === braceStart ? line.indexOf("{") : 0;
         for (let k = startPos; k < line.length; k++) {
-          if (line[k] === "{") depth++;
-          if (line[k] === "}") {
+          const ch = line[k];
+          const prev = k > 0 ? line[k - 1] : "";
+          const escaped = prev === "\\" && (k < 2 || line[k - 2] !== "\\");
+          if (!escaped) {
+            if (ch === "'" && !inDouble && !inTemplate) {
+              inSingle = !inSingle;
+              continue;
+            }
+            if (ch === '"' && !inSingle && !inTemplate) {
+              inDouble = !inDouble;
+              continue;
+            }
+            if (ch === "`" && !inSingle && !inDouble) {
+              inTemplate = !inTemplate;
+              continue;
+            }
+          }
+          if (inSingle || inDouble || inTemplate) continue;
+          if (ch === "{") depth++;
+          if (ch === "}") {
             depth--;
             if (depth === 0) {
               bodyEnd = j;
@@ -1948,6 +2263,22 @@ var PHANTOM_PACKAGES = /* @__PURE__ */ new Set([
   "gpt-tokenizer"
   // exists but often confused
 ]);
+var KNOWN_SHORT_PACKAGES = /* @__PURE__ */ new Set([
+  "pg",
+  "ws",
+  "ms",
+  "qs",
+  "ip",
+  "is",
+  "he",
+  "ky",
+  "bl",
+  "rc",
+  "io",
+  "db",
+  "fp",
+  "rx"
+]);
 var SUSPICIOUS_PATTERNS = [
   /^[a-z]{1,2}$/,
   // 1-2 char names
@@ -1986,7 +2317,7 @@ var phantomDependencyRule = {
         });
       }
       for (const pattern of SUSPICIOUS_PATTERNS) {
-        if (pattern.test(name) && !name.startsWith("@")) {
+        if (pattern.test(name) && !name.startsWith("@") && !KNOWN_SHORT_PACKAGES.has(name)) {
           findings.push({
             ruleId: "phantom-dependency",
             file: "package.json",
@@ -2004,104 +2335,1385 @@ var phantomDependencyRule = {
   }
 };
 
-// src/rules/index.ts
-var rules = [
-  // Security
-  secretsRule,
-  authChecksRule,
-  envExposureRule,
-  inputValidationRule,
-  corsConfigRule,
-  unsafeHtmlRule,
-  sqlInjectionRule,
-  openRedirectRule,
-  rateLimitingRule,
-  phantomDependencyRule,
-  // Reliability
-  hallucinatedImportsRule,
-  errorHandlingRule,
-  unhandledPromiseRule,
-  shallowCatchRule,
-  missingLoadingStateRule,
-  missingErrorBoundaryRule,
-  // Performance
-  noSyncFsRule,
-  noNPlusOneRule,
-  noUnboundedQueryRule,
-  noDynamicImportLoopRule,
-  // AI Quality
-  aiSmellsRule,
-  placeholderContentRule,
-  hallucinatedApiRule,
-  staleFallbackRule,
-  comprehensionDebtRule,
-  codebaseConsistencyRule,
-  deadExportsRule
+// src/rules/insecure-cookie.ts
+var SENSITIVE_COOKIE_NAMES = /['"](?:session|token|auth|sid|jwt)['"]|\.set\s*\(\s*['"](?:session|token|auth|sid|jwt)['"]/i;
+var COOKIE_SET_PATTERNS = [
+  /cookies\(\)\s*\.set\s*\(/,
+  /res\.cookie\s*\(/,
+  /response\.cookies\.set\s*\(/
 ];
-
-// src/scanner.ts
-import { resolve as resolve3 } from "path";
-async function scan(options) {
-  const start = performance.now();
-  const root = resolve3(options.path);
-  const filePaths = await walkFiles(root, options.ignore);
-  const project = await buildProjectContext(root, filePaths);
-  const findings = [];
-  const allFiles = [];
-  for (const relativePath of filePaths) {
-    const file = await readFileContext(root, relativePath);
-    if (!file) continue;
-    allFiles.push(file);
-    for (const rule of rules) {
-      if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
-        continue;
-      }
-      const ruleFindings = rule.check(file, project);
-      for (const finding of ruleFindings) {
-        if (!isLineSuppressed(file.lines, finding.line - 1, finding.ruleId)) {
-          findings.push(finding);
-        }
+var SECURE_OPTIONS = [
+  /httpOnly\s*:\s*true/,
+  /secure\s*:\s*true/,
+  /sameSite\s*:/
+];
+var insecureCookieRule = {
+  id: "insecure-cookie",
+  name: "Insecure Cookie",
+  description: "Detects sensitive cookies set without httpOnly, secure, or sameSite options",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const isCookieSet = COOKIE_SET_PATTERNS.some((p) => p.test(line));
+      if (!isCookieSet) continue;
+      if (!SENSITIVE_COOKIE_NAMES.test(line)) continue;
+      const block = file.lines.slice(i, Math.min(i + 8, file.lines.length)).join("\n");
+      const missingOptions = SECURE_OPTIONS.filter((p) => !p.test(block));
+      if (missingOptions.length > 0) {
+        const missing = [];
+        if (!/httpOnly\s*:\s*true/.test(block)) missing.push("httpOnly");
+        if (!/secure\s*:\s*true/.test(block)) missing.push("secure");
+        if (!/sameSite\s*:/.test(block)) missing.push("sameSite");
+        findings.push({
+          ruleId: "insecure-cookie",
+          file: file.relativePath,
+          line: i + 1,
+          column: 1,
+          message: `Sensitive cookie missing security options: ${missing.join(", ")}`,
+          severity: "warning",
+          category: "security",
+          fix: "Add { httpOnly: true, secure: true, sameSite: 'lax' } to cookie options"
+        });
       }
     }
+    return findings;
   }
-  for (const rule of rules) {
-    if (rule.checkProject) {
-      const projectFindings = rule.checkProject(allFiles, project);
-      findings.push(...projectFindings);
+};
+
+// src/rules/leaked-env-in-logs.ts
+var CONSOLE_WITH_ENV = /console\.(log|warn|error|info|debug)\s*\([^)]*process\.env\./;
+var leakedEnvInLogsRule = {
+  id: "leaked-env-in-logs",
+  name: "Leaked Env in Logs",
+  description: "Detects process.env values logged to console \u2014 potential secret exposure",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = CONSOLE_WITH_ENV.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "leaked-env-in-logs",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "process.env value in console output \u2014 may leak secrets in production logs",
+          severity: "warning",
+          category: "security",
+          fix: "Remove process.env.* from console output \u2014 log a redacted summary instead"
+        });
+      }
     }
+    return findings;
   }
-  const { overallScore, categoryScores } = calculateScores(findings);
-  const summary = summarizeFindings(findings);
-  return {
-    version: getVersion(),
-    scannedPath: options.path,
-    filesScanned: filePaths.length,
-    scanDurationMs: Math.round(performance.now() - start),
-    findings,
-    overallScore,
-    categoryScores,
-    summary
-  };
-}
-
-// src/reporter.ts
-import pc from "picocolors";
-var SEVERITY_COLORS = {
-  critical: pc.red,
-  warning: pc.yellow,
-  info: pc.blue
 };
-var SEVERITY_LABELS = {
-  critical: "CRIT",
-  warning: "WARN",
-  info: "INFO"
+
+// src/rules/insecure-random.ts
+var SECURITY_VAR_NAMES = /(?:token|secret|nonce|key|password|salt|session|csrf|otp|pin|code)/i;
+var MATH_RANDOM = /Math\.random\s*\(\)/;
+var insecureRandomRule = {
+  id: "insecure-random",
+  name: "Insecure Random",
+  description: "Detects Math.random() used near security-sensitive variable names",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = MATH_RANDOM.exec(line);
+      if (!match) continue;
+      const context = file.lines.slice(Math.max(0, i - 2), i + 1).join("\n");
+      if (SECURITY_VAR_NAMES.test(context)) {
+        findings.push({
+          ruleId: "insecure-random",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "Math.random() used in security-sensitive context \u2014 not cryptographically secure",
+          severity: "warning",
+          category: "security",
+          fix: "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive values"
+        });
+      }
+    }
+    return findings;
+  }
 };
-function scoreColor(score) {
-  if (score >= 80) return pc.green;
-  if (score >= 50) return pc.yellow;
-  return pc.red;
-}
-function groupByFile(findings) {
+
+// src/rules/next-server-action-validation.ts
+var USE_SERVER = /['"]use server['"]/;
+var FORM_DATA_GET = /formData\.get\s*\(/;
+var VALIDATION_PATTERNS2 = [
+  /\.parse\s*\(/,
+  /\.safeParse\s*\(/,
+  /\bvalidate\s*\(/,
+  /\.parseAsync\s*\(/,
+  /\.safeParseAsync\s*\(/
+];
+var nextServerActionValidationRule = {
+  id: "next-server-action-validation",
+  name: "Next.js Server Action Validation",
+  description: "Detects server actions using formData without schema validation \u2014 unvalidated user input",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER.test(file.content)) return [];
+    if (!FORM_DATA_GET.test(file.content)) return [];
+    const hasValidation = VALIDATION_PATTERNS2.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (FORM_DATA_GET.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "next-server-action-validation",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action reads formData without schema validation \u2014 unvalidated user input",
+      severity: "critical",
+      category: "security",
+      fix: "Validate with Zod: const data = schema.safeParse(Object.fromEntries(formData))"
+    }];
+  }
+};
+
+// src/rules/missing-transaction.ts
+var PRISMA_WRITE_OPS = /prisma\.\w+\.(?:create|update|delete|upsert|createMany|updateMany|deleteMany)\s*\(/;
+var PRISMA_TRANSACTION = /\$transaction\s*\(/;
+var missingTransactionRule = {
+  id: "missing-transaction",
+  name: "Missing Transaction",
+  description: "Detects multiple Prisma write operations without $transaction \u2014 atomicity risk",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isScriptFile(file.relativePath)) return [];
+    if (!project.declaredDependencies.has("@prisma/client") && !project.detectedFrameworks.has("prisma")) return [];
+    let writeCount = 0;
+    let firstWriteLine = -1;
+    const hasTransaction = PRISMA_TRANSACTION.test(file.content);
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      if (PRISMA_WRITE_OPS.test(file.lines[i])) {
+        writeCount++;
+        if (firstWriteLine === -1) firstWriteLine = i;
+      }
+    }
+    if (writeCount < 2 || hasTransaction) return [];
+    return [{
+      ruleId: "missing-transaction",
+      file: file.relativePath,
+      line: firstWriteLine + 1,
+      column: 1,
+      message: `${writeCount} Prisma write operations without $transaction \u2014 partial writes may leave inconsistent state`,
+      severity: "warning",
+      category: "reliability",
+      fix: "Wrap sequential writes in prisma.$transaction([...]) for atomicity"
+    }];
+  }
+};
+
+// src/rules/redirect-in-try-catch.ts
+var redirectInTryCatchRule = {
+  id: "redirect-in-try-catch",
+  name: "Redirect Inside Try/Catch",
+  description: "Detects Next.js redirect() inside try/catch blocks \u2014 redirect throws internally and the catch swallows it",
+  category: "reliability",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/redirect\s*\(/.test(file.content)) return [];
+    const findings = [];
+    let tryDepth = 0;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const trimmed = line.trim();
+      if (/\btry\s*\{/.test(trimmed) || trimmed === "try {") {
+        tryDepth++;
+      }
+      if (/\}\s*catch\s*[\s(]/.test(trimmed)) {
+      }
+      if (tryDepth > 0) {
+        const match = /\bredirect\s*\(/.exec(line);
+        if (match && !/\/\//.test(line.slice(0, match.index))) {
+          findings.push({
+            ruleId: "redirect-in-try-catch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "redirect() inside try/catch \u2014 Next.js redirect throws internally, the catch block will intercept it",
+            severity: "critical",
+            category: "reliability",
+            fix: 'Move redirect() outside the try/catch block, or re-throw redirect errors in the catch: if (e instanceof Error && e.message === "NEXT_REDIRECT") throw e'
+          });
+        }
+      }
+      for (const ch of trimmed) {
+        if (ch === "{" && tryDepth > 0) {
+        }
+      }
+      if (tryDepth > 0 && /^\}\s*$/.test(trimmed)) {
+        let nextLine = "";
+        for (let j = i + 1; j < file.lines.length; j++) {
+          nextLine = file.lines[j].trim();
+          if (nextLine) break;
+        }
+        if (!/^catch\b/.test(nextLine) && !/^finally\b/.test(nextLine)) {
+          tryDepth--;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-revalidation.ts
+var USE_SERVER2 = /['"]use server['"]/;
+var DB_MUTATIONS = [
+  /\.insert\s*\(/,
+  /\.update\s*\(/,
+  /\.delete\s*\(/,
+  /\.upsert\s*\(/,
+  /\.create\s*\(/,
+  /\.createMany\s*\(/,
+  /\.updateMany\s*\(/,
+  /\.deleteMany\s*\(/,
+  /\.remove\s*\(/,
+  /\.save\s*\(/,
+  /\.destroy\s*\(/
+];
+var REVALIDATION = [
+  /revalidatePath\s*\(/,
+  /revalidateTag\s*\(/,
+  /redirect\s*\(/
+];
+var missingRevalidationRule = {
+  id: "missing-revalidation",
+  name: "Missing Revalidation After Mutation",
+  description: "Detects server actions that mutate data without calling revalidatePath or revalidateTag \u2014 UI shows stale data",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER2.test(file.content)) return [];
+    const hasMutation = DB_MUTATIONS.some((p) => p.test(file.content));
+    if (!hasMutation) return [];
+    const hasRevalidation = REVALIDATION.some((p) => p.test(file.content));
+    if (hasRevalidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (DB_MUTATIONS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-revalidation",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action mutates data without revalidatePath() or revalidateTag() \u2014 UI will show stale data",
+      severity: "warning",
+      category: "reliability",
+      fix: 'Add revalidatePath("/affected-route") after the mutation'
+    }];
+  }
+};
+
+// src/rules/use-client-overuse.ts
+var CLIENT_APIS = [
+  /\buseState\b/,
+  /\buseEffect\b/,
+  /\buseRef\b/,
+  /\buseReducer\b/,
+  /\buseCallback\b/,
+  /\buseMemo\b/,
+  /\buseContext\b/,
+  /\buseLayoutEffect\b/,
+  /\buseInsertionEffect\b/,
+  /\buseTransition\b/,
+  /\buseDeferredValue\b/,
+  /\buseSyncExternalStore\b/,
+  /\buseFormStatus\b/,
+  /\buseFormState\b/,
+  /\buseOptimistic\b/,
+  /\bonClick\b\s*[=:]/,
+  /\bonChange\b\s*[=:]/,
+  /\bonSubmit\b\s*[=:]/,
+  /\bonBlur\b\s*[=:]/,
+  /\bonFocus\b\s*[=:]/,
+  /\bonKeyDown\b\s*[=:]/,
+  /\bonKeyUp\b\s*[=:]/,
+  /\bonMouseDown\b\s*[=:]/,
+  /\bonMouseUp\b\s*[=:]/,
+  /\bonScroll\b\s*[=:]/,
+  /\bonInput\b\s*[=:]/,
+  /\bonDrag\b/,
+  /\bonDrop\b/,
+  /\bonTouchStart\b/,
+  /\bcreateContext\b/,
+  /\bwindow\./,
+  /\bdocument\./,
+  /\blocalStorage\b/,
+  /\bsessionStorage\b/,
+  /\bnavigator\b/,
+  /\bIntersectionObserver\b/,
+  /\bResizeObserver\b/,
+  /\bMutationObserver\b/
+];
+var useClientOveruseRule = {
+  id: "use-client-overuse",
+  name: '"use client" Overuse',
+  description: `Detects files with "use client" that don't use any client-side APIs \u2014 unnecessary client rendering`,
+  category: "ai-quality",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isConfigFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const usesClientApi = CLIENT_APIS.some((p) => p.test(file.content));
+    if (usesClientApi) return [];
+    return [{
+      ruleId: "use-client-overuse",
+      file: file.relativePath,
+      line: 1,
+      column: 1,
+      message: '"use client" directive but no client-side APIs (hooks, event handlers, browser APIs) \u2014 this component could be a server component',
+      severity: "info",
+      category: "ai-quality",
+      fix: 'Remove "use client" to let Next.js render this as a server component for better performance'
+    }];
+  }
+};
+
+// src/rules/env-fallback-secret.ts
+var SENSITIVE_ENV = /process\.env\.(JWT_SECRET|SECRET_KEY|AUTH_SECRET|SESSION_SECRET|ENCRYPTION_KEY|API_SECRET|PRIVATE_KEY|SIGNING_KEY|NEXTAUTH_SECRET|TOKEN_SECRET|APP_SECRET|COOKIE_SECRET|HASH_SECRET)\s*(?:\|\||&&|\?\?)\s*['"`]/i;
+var ENV_FALLBACK = /process\.env\.\w*(SECRET|KEY|PASSWORD|TOKEN)\w*\s*(?:\|\||\?\?)\s*['"`]/i;
+var envFallbackSecretRule = {
+  id: "env-fallback-secret",
+  name: "Secret with Fallback Value",
+  description: "Detects security-sensitive env vars with hardcoded fallback values \u2014 if the env var is missing, the fallback becomes the production secret",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const directMatch = SENSITIVE_ENV.exec(line);
+      if (directMatch) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: directMatch.index + 1,
+          message: `Secret env var has a hardcoded fallback \u2014 if ${directMatch[1] || "the var"} is unset, this literal becomes the production secret`,
+          severity: "critical",
+          category: "security",
+          fix: 'Throw an error if the env var is missing: const secret = process.env.SECRET ?? (() => { throw new Error("SECRET is required") })()'
+        });
+        continue;
+      }
+      const genericMatch = ENV_FALLBACK.exec(line);
+      if (genericMatch && !isConfigFile(file.relativePath)) {
+        findings.push({
+          ruleId: "env-fallback-secret",
+          file: file.relativePath,
+          line: i + 1,
+          column: genericMatch.index + 1,
+          message: "Security-sensitive env var has a hardcoded fallback \u2014 defaults to a literal string when missing",
+          severity: "warning",
+          category: "security",
+          fix: "Fail fast when required env vars are missing instead of falling back to a default value"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/verbose-error-response.ts
+var ERROR_LEAK_PATTERNS = [
+  { pattern: /error\.stack/, msg: "error.stack exposed \u2014 leaks internal file paths and code structure" },
+  { pattern: /error\.message/, msg: "error.message may leak internal details to clients" }
+];
+var verboseErrorResponseRule = {
+  id: "verbose-error-response",
+  name: "Verbose Error Response",
+  description: "Detects error details (stack traces, error messages) sent directly in API responses",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of ERROR_LEAK_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = pattern.source.includes("stack") ? "warning" : "info";
+          findings.push({
+            ruleId: "verbose-error-response",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: 'Return a generic error message: { error: "Internal server error" }. Log the real error server-side.'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-webhook-verification.ts
+var WEBHOOK_PATH = /webhook/i;
+var VERIFICATION_PATTERNS = [
+  /constructEvent\s*\(/,
+  // Stripe
+  /webhooks\.verify\s*\(/,
+  // Clerk, GitHub
+  /verify\s*\(/,
+  // Generic
+  /verifySignature\s*\(/,
+  // Generic
+  /validateWebhook\s*\(/,
+  // Generic
+  /svix.*verify/i,
+  // Svix (used by Clerk, Resend)
+  /crypto\.timingSafeEqual\s*\(/,
+  // Manual HMAC comparison
+  /hmac/i,
+  // HMAC verification
+  /x-hub-signature/i,
+  // GitHub webhooks
+  /stripe-signature/i,
+  // Stripe signature header
+  /svix-signature/i,
+  // Svix signature header
+  /webhook-secret/i
+];
+var missingWebhookVerificationRule = {
+  id: "missing-webhook-verification",
+  name: "Missing Webhook Verification",
+  description: "Detects webhook endpoints without signature verification \u2014 anyone can send fake events",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath)) return [];
+    if (!WEBHOOK_PATH.test(file.relativePath)) return [];
+    const hasVerification = VERIFICATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasVerification) return [];
+    let handlerLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (/export\s+(async\s+)?function\s+POST\b/.test(file.lines[i])) {
+        handlerLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-webhook-verification",
+      file: file.relativePath,
+      line: handlerLine,
+      column: 1,
+      message: "Webhook endpoint has no signature verification \u2014 anyone can forge events to this route",
+      severity: "critical",
+      category: "security",
+      fix: "Verify the webhook signature before processing. For Stripe: stripe.webhooks.constructEvent(body, sig, secret)"
+    }];
+  }
+};
+
+// src/rules/server-action-auth.ts
+var USE_SERVER3 = /['"]use server['"]/;
+var AUTH_PATTERNS2 = [
+  /getServerSession\s*\(/,
+  /getSession\s*\(/,
+  /\.auth\.getUser\s*\(/,
+  /auth\(\)/,
+  /authenticate\s*\(/,
+  /isAuthenticated/,
+  /requireAuth/,
+  /withAuth/,
+  /getToken\s*\(/,
+  /verifyToken\s*\(/,
+  /jwt\.verify\s*\(/,
+  /createServerComponentClient/,
+  /currentUser\s*\(/,
+  /getAuth\s*\(/,
+  /cookies\(\).*auth/s,
+  /session/i
+];
+var PUBLIC_ACTION_NAMES = [
+  /contact/i,
+  /subscribe/i,
+  /newsletter/i,
+  /feedback/i,
+  /signup/i,
+  /login/i,
+  /register/i
+];
+var serverActionAuthRule = {
+  id: "server-action-auth",
+  name: "Server Action Without Auth",
+  description: "Detects server actions that perform mutations without any authentication check",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!USE_SERVER3.test(file.content)) return [];
+    if (project.hasAuthMiddleware) return [];
+    for (const p of PUBLIC_ACTION_NAMES) {
+      if (p.test(file.relativePath)) return [];
+    }
+    const hasAuth = AUTH_PATTERNS2.some((p) => p.test(file.content));
+    if (hasAuth) return [];
+    const hasMutation = /\.(insert|update|delete|create|upsert|remove|destroy|save|push|set)\s*\(/i.test(file.content) || /\b(INSERT|UPDATE|DELETE)\b/.test(file.content);
+    if (!hasMutation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (USE_SERVER3.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "server-action-auth",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "Server action performs mutations without any authentication check \u2014 anyone can call this action",
+      severity: "warning",
+      category: "security",
+      fix: 'Add auth check: const session = await auth(); if (!session) throw new Error("Unauthorized")'
+    }];
+  }
+};
+
+// src/rules/eval-injection.ts
+var EVAL_PATTERNS = [
+  { pattern: /\beval\s*\(/, msg: "eval() executes arbitrary code \u2014 never use with dynamic input" },
+  { pattern: /\bnew\s+Function\s*\(/, msg: "new Function() is equivalent to eval \u2014 avoid dynamic code execution" },
+  { pattern: /\bsetTimeout\s*\(\s*['"`]/, msg: "setTimeout with a string argument is eval \u2014 pass a function instead" },
+  { pattern: /\bsetInterval\s*\(\s*['"`]/, msg: "setInterval with a string argument is eval \u2014 pass a function instead" }
+];
+var evalInjectionRule = {
+  id: "eval-injection",
+  name: "Eval / Code Injection",
+  description: "Detects eval(), new Function(), and string arguments to setTimeout/setInterval",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of EVAL_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "eval-injection",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "critical",
+            category: "security"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-useeffect-cleanup.ts
+var NEEDS_CLEANUP = [
+  /\bsetInterval\s*\(/,
+  /\baddEventListener\s*\(/,
+  /\.subscribe\s*\(/,
+  /\.on\s*\(\s*['"`]/,
+  /new\s+WebSocket\s*\(/,
+  /new\s+EventSource\s*\(/,
+  /new\s+IntersectionObserver\s*\(/,
+  /new\s+ResizeObserver\s*\(/,
+  /new\s+MutationObserver\s*\(/
+];
+var missingUseEffectCleanupRule = {
+  id: "missing-useeffect-cleanup",
+  name: "Missing useEffect Cleanup",
+  description: "Detects useEffect hooks with subscriptions or timers but no cleanup return function \u2014 causes memory leaks",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    if (!/useEffect/.test(file.content)) return [];
+    const findings = [];
+    const lines = file.lines;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!/\buseEffect\s*\(/.test(line)) continue;
+      let braceDepth = 0;
+      let effectStart = -1;
+      let effectEnd = -1;
+      let started = false;
+      for (let j = i; j < lines.length && j < i + 100; j++) {
+        for (const ch of lines[j]) {
+          if (ch === "(") {
+            if (!started) {
+              started = true;
+            }
+            braceDepth++;
+          } else if (ch === ")") {
+            braceDepth--;
+            if (started && braceDepth === 0) {
+              effectEnd = j;
+              break;
+            }
+          } else if (ch === "{" && effectStart === -1 && started) {
+            effectStart = j;
+          }
+        }
+        if (effectEnd !== -1) break;
+      }
+      if (effectStart === -1 || effectEnd === -1) continue;
+      const effectBody = lines.slice(effectStart, effectEnd + 1).join("\n");
+      const needsCleanup = NEEDS_CLEANUP.some((p) => p.test(effectBody));
+      if (!needsCleanup) continue;
+      const hasReturn = /return\s*(?:\(\s*\)\s*=>|function|\(\))/.test(effectBody) || /return\s*\(\s*\)\s*\{/.test(effectBody) || /return\s+\w+\s*;?\s*$/.test(effectBody);
+      if (!hasReturn) {
+        const hasCleanupReturn = /return\s+(?:\(\)|(?:\(\s*\)\s*=>)|(?:function))/.test(effectBody);
+        if (!hasCleanupReturn) {
+          findings.push({
+            ruleId: "missing-useeffect-cleanup",
+            file: file.relativePath,
+            line: i + 1,
+            column: 1,
+            message: "useEffect with subscription/timer but no cleanup return \u2014 will leak memory on unmount",
+            severity: "warning",
+            category: "reliability",
+            fix: "Return a cleanup function: useEffect(() => { const id = setInterval(...); return () => clearInterval(id); }, [])"
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/next-public-sensitive.ts
+var SENSITIVE_PATTERN = /NEXT_PUBLIC_\w*(SECRET|PRIVATE|PASSWORD|DATABASE_URL|SERVICE_ROLE|SERVICE_KEY|ADMIN_KEY|sk_live|sk_test|SIGNING|ENCRYPTION)/i;
+var nextPublicSensitiveRule = {
+  id: "next-public-sensitive",
+  name: "Sensitive Env Var with NEXT_PUBLIC_ Prefix",
+  description: "Detects NEXT_PUBLIC_ prefix on environment variables that should be server-only \u2014 exposes secrets to the browser",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "env", "env.local", "env.production"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = SENSITIVE_PATTERN.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "next-public-sensitive",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: `NEXT_PUBLIC_ prefix on a sensitive env var \u2014 this value will be embedded in the client-side JavaScript bundle`,
+          severity: "critical",
+          category: "security",
+          fix: "Remove the NEXT_PUBLIC_ prefix. Access this value only in server components, API routes, or server actions."
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/ssrf-risk.ts
+var USER_INPUT_IN_FETCH = [
+  /fetch\s*\(\s*(?:req|request)\.(?:body|query|params|nextUrl)/,
+  /fetch\s*\(\s*(?:url|href|endpoint|target|link|src)\s*[,)]/,
+  /fetch\s*\(\s*searchParams\.get\s*\(/,
+  /fetch\s*\(\s*formData\.get\s*\(/,
+  /new\s+URL\s*\(\s*(?:req|request)\.(?:body|query)/,
+  /axios\s*[.(]\s*(?:req|request)\.(?:body|query)/,
+  /axios\.get\s*\(\s*(?:url|href|endpoint|target|link)\s*[,)]/
+];
+var VALIDATION_PATTERNS3 = [
+  /allowlist/i,
+  /allowedUrls/i,
+  /allowedHosts/i,
+  /allowedDomains/i,
+  /whitelist/i,
+  /validUrl/i,
+  /validateUrl/i,
+  /URL\.canParse/,
+  /new\s+URL\s*\(.*\)\.host/,
+  /\.startsWith\s*\(\s*['"]https?:\/\//,
+  /\.hostname\s*[!=]==?\s*['"`]/
+];
+var ssrfRiskRule = {
+  id: "ssrf-risk",
+  name: "SSRF Risk",
+  description: "Detects fetch/HTTP calls with user-controlled URLs without validation \u2014 allows attackers to probe internal services",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const hasValidation = VALIDATION_PATTERNS3.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of USER_INPUT_IN_FETCH) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "ssrf-risk",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "User-controlled URL passed to fetch \u2014 validate against an allowlist to prevent SSRF",
+            severity: "warning",
+            category: "security",
+            fix: "Validate the URL against an allowlist of permitted domains before making the request"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/path-traversal.ts
+var FS_WITH_USER_INPUT = [
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File read with user-controlled path \u2014 allows reading arbitrary files" },
+  { pattern: /(?:readFile|readFileSync|createReadStream)\s*\(\s*(?:filePath|fileName|path|file|name)\s*[,)]/, msg: "File read with potentially user-controlled path \u2014 validate before use" },
+  { pattern: /(?:writeFile|writeFileSync|createWriteStream)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File write with user-controlled path \u2014 allows writing arbitrary files" },
+  { pattern: /(?:unlink|unlinkSync|rm|rmSync)\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "File delete with user-controlled path \u2014 allows deleting arbitrary files" },
+  { pattern: /path\.join\s*\([^)]*(?:req|request)\.(?:query|body|params)/, msg: "path.join with user input \u2014 still vulnerable to traversal with ../" },
+  { pattern: /\.sendFile\s*\(\s*(?:req|request)\.(?:query|body|params)/, msg: "express.sendFile with user-controlled path \u2014 validate against a base directory" }
+];
+var SANITIZATION_PATTERNS = [
+  /path\.resolve\s*\(.*\)\.startsWith/,
+  /\.replace\s*\(\s*['"]\.\.['"],?\s*['"].*['"]\s*\)/,
+  /\.includes\s*\(\s*['"]\.\.['"].*\)/,
+  /normalize/,
+  /sanitize/i,
+  /realpath/
+];
+var pathTraversalRule = {
+  id: "path-traversal",
+  name: "Path Traversal",
+  description: "Detects filesystem operations with user-controlled paths \u2014 allows reading/writing arbitrary files via ../ sequences",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const hasSanitization = SANITIZATION_PATTERNS.some((p) => p.test(file.content));
+    if (hasSanitization) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const { pattern, msg } of FS_WITH_USER_INPUT) {
+        const match = pattern.exec(line);
+        if (match) {
+          const severity = /req|request/.test(match[0]) ? "critical" : "warning";
+          findings.push({
+            ruleId: "path-traversal",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity,
+            category: "security",
+            fix: "Validate the resolved path starts with an expected base directory: path.resolve(base, input).startsWith(path.resolve(base))"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/hydration-mismatch.ts
+var BROWSER_ONLY_PATTERNS = [
+  { pattern: /\bwindow\./, msg: "window access in server-rendered code \u2014 will differ between server and client" },
+  { pattern: /\bdocument\./, msg: "document access in server-rendered code \u2014 undefined on the server" },
+  { pattern: /\blocalStorage\b/, msg: "localStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bsessionStorage\b/, msg: "sessionStorage in render path \u2014 undefined on server, causes hydration mismatch" },
+  { pattern: /\bnavigator\./, msg: "navigator access in render path \u2014 undefined on server" }
+];
+var NONDETERMINISTIC_PATTERNS = [
+  { pattern: /\bnew\s+Date\s*\(\s*\)/, msg: "new Date() in render path \u2014 server and client will have different timestamps, causing hydration mismatch" },
+  { pattern: /\bDate\.now\s*\(\s*\)/, msg: "Date.now() in render path \u2014 different on server vs client" },
+  { pattern: /\bMath\.random\s*\(\s*\)/, msg: "Math.random() in render path \u2014 produces different values on server vs client" }
+];
+var hydrationMismatchRule = {
+  id: "hydration-mismatch",
+  name: "Hydration Mismatch Risk",
+  description: "Detects browser-only APIs and non-deterministic calls in server component render paths",
+  category: "reliability",
+  severity: "warning",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    let insideUseEffect = false;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      if (/\buseEffect\s*\(/.test(line)) {
+        insideUseEffect = true;
+      }
+      if (insideUseEffect) {
+        if (/^\s*\}\s*,\s*\[/.test(line) || /^\s*\}\s*\)\s*;?\s*$/.test(line)) {
+          insideUseEffect = false;
+        }
+        continue;
+      }
+      for (const { pattern, msg } of [...BROWSER_ONLY_PATTERNS, ...NONDETERMINISTIC_PATTERNS]) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "hydration-mismatch",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: msg,
+            severity: "warning",
+            category: "reliability",
+            fix: 'Move this to a useEffect hook, or add "use client" if this component needs browser APIs'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/server-component-fetch-self.ts
+var SELF_FETCH_PATTERNS = [
+  /fetch\s*\(\s*['"`]\/api\//,
+  /fetch\s*\(\s*['"`]http:\/\/localhost/,
+  /fetch\s*\(\s*['"`]https?:\/\/localhost/,
+  /fetch\s*\(\s*`\$\{.*\}\/api\//,
+  /fetch\s*\(\s*(?:process\.env\.\w+\s*\+\s*)?['"`]\/api\//
+];
+var serverComponentFetchSelfRule = {
+  id: "server-component-fetch-self",
+  name: "Server Component Fetching Own API",
+  description: "Detects server components that fetch their own API routes instead of calling data logic directly \u2014 unnecessary network roundtrip",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (isClientComponent(file.content)) return [];
+    if (!/(?:^|\/)(?:src\/)?app\//.test(file.relativePath)) return [];
+    if (/route\.[jt]sx?$/.test(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      for (const pattern of SELF_FETCH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "server-component-fetch-self",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Server component fetches its own API route \u2014 call the data logic directly instead of making a network request to yourself",
+            severity: "info",
+            category: "performance",
+            fix: 'Import and call the data function directly instead of fetch("/api/...")'
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/unsafe-file-upload.ts
+var UPLOAD_PATTERNS = [
+  /\.get\s*\(\s*['"`]file['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]image['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]upload['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]attachment['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]document['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]avatar['"`]\s*\)/,
+  /\.get\s*\(\s*['"`]photo['"`]\s*\)/,
+  /\.type\s*===?\s*['"`]file['"`]/,
+  /req\.file\b/,
+  /multer/i,
+  /busboy/i,
+  /formidable/i
+];
+var VALIDATION_PATTERNS4 = [
+  /\.type\b.*(?:image|video|audio|pdf|text)\//,
+  /content-type/i,
+  /mime/i,
+  /\.size\s*[><!]/,
+  /maxFileSize/i,
+  /maxSize/i,
+  /fileSizeLimit/i,
+  /allowedTypes/i,
+  /acceptedTypes/i,
+  /fileFilter/i,
+  /\.endsWith\s*\(\s*['"`]\./,
+  /\.extension/i
+];
+var unsafeFileUploadRule = {
+  id: "unsafe-file-upload",
+  name: "Unsafe File Upload",
+  description: "Detects file upload handlers without type or size validation",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    const hasUpload = UPLOAD_PATTERNS.some((p) => p.test(file.content));
+    if (!hasUpload) return [];
+    const hasValidation = VALIDATION_PATTERNS4.some((p) => p.test(file.content));
+    if (hasValidation) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (UPLOAD_PATTERNS.some((p) => p.test(file.lines[i]))) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "unsafe-file-upload",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "File upload without type or size validation \u2014 accepts any file type and size",
+      severity: "warning",
+      category: "security",
+      fix: "Validate file type (check MIME type, not just extension) and enforce a size limit before processing"
+    }];
+  }
+};
+
+// src/rules/supabase-missing-rls.ts
+var CREATE_TABLE = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?(\w+)/gi;
+var ENABLE_RLS = /ALTER\s+TABLE\s+(?:(?:public|"public")\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi;
+var supabaseMissingRlsRule = {
+  id: "supabase-missing-rls",
+  name: "Missing Row-Level Security",
+  description: "Detects SQL migrations that create tables without enabling Row-Level Security \u2014 all data is publicly accessible",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["sql"],
+  check(file, project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!/migration|supabase|schema/i.test(file.relativePath)) return [];
+    const content = file.content;
+    const findings = [];
+    const tables = [];
+    CREATE_TABLE.lastIndex = 0;
+    let match;
+    while ((match = CREATE_TABLE.exec(content)) !== null) {
+      const name = match[1];
+      if (name.startsWith("_") || name === "schema_migrations") continue;
+      const beforeMatch = content.slice(0, match.index);
+      const line = beforeMatch.split("\n").length;
+      tables.push({ name, line });
+    }
+    if (tables.length === 0) return [];
+    const rlsTables = /* @__PURE__ */ new Set();
+    ENABLE_RLS.lastIndex = 0;
+    while ((match = ENABLE_RLS.exec(content)) !== null) {
+      rlsTables.add(match[1].toLowerCase());
+    }
+    for (const filePath of project.allFiles) {
+      if (!filePath.endsWith(".sql")) continue;
+      if (filePath === file.relativePath) continue;
+    }
+    for (const table of tables) {
+      if (!rlsTables.has(table.name.toLowerCase())) {
+        findings.push({
+          ruleId: "supabase-missing-rls",
+          file: file.relativePath,
+          line: table.line,
+          column: 1,
+          message: `Table "${table.name}" created without ENABLE ROW LEVEL SECURITY \u2014 all rows are publicly accessible via the Supabase API`,
+          severity: "critical",
+          category: "security",
+          fix: `Add: ALTER TABLE ${table.name} ENABLE ROW LEVEL SECURITY; and create appropriate policies`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/deprecated-oauth-flow.ts
+var IMPLICIT_GRANT = /response_type\s*[=:]\s*['"`]?token['"`]?/;
+var deprecatedOauthFlowRule = {
+  id: "deprecated-oauth-flow",
+  name: "Deprecated OAuth Flow",
+  description: "Detects OAuth Implicit Grant flow (response_type=token) \u2014 deprecated in OAuth 2.1, vulnerable to token interception",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = IMPLICIT_GRANT.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "deprecated-oauth-flow",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "OAuth Implicit Grant flow (response_type=token) is deprecated \u2014 tokens are exposed in the URL fragment",
+          severity: "warning",
+          category: "security",
+          fix: "Use Authorization Code flow with PKCE: response_type=code with code_challenge and code_verifier"
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/jwt-no-expiry.ts
+var JWT_SIGN = /jwt\.sign\s*\(/;
+var HAS_EXPIRY = [
+  /expiresIn/,
+  /exp\s*:/,
+  /expirationTime/,
+  /maxAge/
+];
+var jwtNoExpiryRule = {
+  id: "jwt-no-expiry",
+  name: "JWT Without Expiration",
+  description: "Detects jwt.sign() calls without an expiresIn option \u2014 tokens never expire, compromised tokens are valid forever",
+  category: "security",
+  severity: "warning",
+  fileExtensions: ["ts", "tsx", "js", "jsx", "mjs", "cjs"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!JWT_SIGN.test(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      const line = file.lines[i];
+      const match = JWT_SIGN.exec(line);
+      if (!match) continue;
+      const context = file.lines.slice(i, i + 6).join("\n");
+      const hasExpiry = HAS_EXPIRY.some((p) => p.test(context));
+      if (!hasExpiry) {
+        findings.push({
+          ruleId: "jwt-no-expiry",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "jwt.sign() without expiresIn \u2014 tokens never expire, a compromised token is valid forever",
+          severity: "warning",
+          category: "security",
+          fix: 'Add expiration: jwt.sign(payload, secret, { expiresIn: "1h" })'
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/client-side-auth-only.ts
+var CLIENT_AUTH_PATTERNS = [
+  /localStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/,
+  /sessionStorage\.(?:get|set)Item\s*\(\s*['"`](?:token|auth|session|jwt|access_token|user)['"`]/
+];
+var PASSWORD_CHECK = /(?:password|passwd)\s*[!=]==?\s*['"`]/;
+var clientSideAuthOnlyRule = {
+  id: "client-side-auth-only",
+  name: "Client-Side Auth Only",
+  description: "Detects authentication logic implemented only in client-side code \u2014 easily bypassed via browser DevTools",
+  category: "security",
+  severity: "critical",
+  fileExtensions: ["tsx", "jsx", "ts", "js"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isClientComponent(file.content)) return [];
+    const findings = [];
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      const match = PASSWORD_CHECK.exec(line);
+      if (match) {
+        findings.push({
+          ruleId: "client-side-auth-only",
+          file: file.relativePath,
+          line: i + 1,
+          column: match.index + 1,
+          message: "Password comparison in client-side code \u2014 the password is visible in the JavaScript bundle",
+          severity: "critical",
+          category: "security",
+          fix: "Move authentication logic to a server action or API route"
+        });
+      }
+    }
+    for (let i = 0; i < file.lines.length; i++) {
+      const line = file.lines[i];
+      for (const pattern of CLIENT_AUTH_PATTERNS) {
+        const match = pattern.exec(line);
+        if (match) {
+          findings.push({
+            ruleId: "client-side-auth-only",
+            file: file.relativePath,
+            line: i + 1,
+            column: match.index + 1,
+            message: "Auth token in localStorage \u2014 accessible to any script on the page (XSS risk). Use httpOnly cookies instead.",
+            severity: "warning",
+            category: "security",
+            fix: "Store auth tokens in httpOnly cookies set by the server, not in localStorage"
+          });
+          break;
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/rules/missing-abort-controller.ts
+var FETCH_CALL = /\bfetch\s*\(/;
+var HAS_TIMEOUT = [
+  /AbortController/,
+  /abort/i,
+  /signal\s*:/,
+  /timeout/i,
+  /setTimeout.*abort/s
+];
+var missingAbortControllerRule = {
+  id: "missing-abort-controller",
+  name: "Missing Abort Controller",
+  description: "Detects fetch calls in API routes without timeout or AbortController \u2014 requests can hang indefinitely",
+  category: "performance",
+  severity: "info",
+  fileExtensions: ["ts", "tsx", "js", "jsx"],
+  check(file, _project) {
+    if (isTestFile(file.relativePath)) return [];
+    if (!isApiRoute(file.relativePath) && !/['"]use server['"]/.test(file.content)) return [];
+    if (!FETCH_CALL.test(file.content)) return [];
+    const hasTimeout = HAS_TIMEOUT.some((p) => p.test(file.content));
+    if (hasTimeout) return [];
+    let reportLine = 1;
+    for (let i = 0; i < file.lines.length; i++) {
+      if (isCommentLine(file.lines, i, file.commentMap)) continue;
+      if (FETCH_CALL.test(file.lines[i])) {
+        reportLine = i + 1;
+        break;
+      }
+    }
+    return [{
+      ruleId: "missing-abort-controller",
+      file: file.relativePath,
+      line: reportLine,
+      column: 1,
+      message: "fetch() without timeout or AbortController \u2014 request will hang indefinitely if the upstream server doesn't respond",
+      severity: "info",
+      category: "performance",
+      fix: "Add a timeout: const controller = new AbortController(); setTimeout(() => controller.abort(), 10000); fetch(url, { signal: controller.signal })"
+    }];
+  }
+};
+
+// src/rules/index.ts
+var rules = [
+  // Security
+  secretsRule,
+  authChecksRule,
+  envExposureRule,
+  inputValidationRule,
+  corsConfigRule,
+  unsafeHtmlRule,
+  sqlInjectionRule,
+  openRedirectRule,
+  rateLimitingRule,
+  phantomDependencyRule,
+  insecureCookieRule,
+  leakedEnvInLogsRule,
+  insecureRandomRule,
+  nextServerActionValidationRule,
+  envFallbackSecretRule,
+  verboseErrorResponseRule,
+  missingWebhookVerificationRule,
+  serverActionAuthRule,
+  evalInjectionRule,
+  nextPublicSensitiveRule,
+  ssrfRiskRule,
+  pathTraversalRule,
+  unsafeFileUploadRule,
+  supabaseMissingRlsRule,
+  deprecatedOauthFlowRule,
+  jwtNoExpiryRule,
+  clientSideAuthOnlyRule,
+  // Reliability
+  hallucinatedImportsRule,
+  errorHandlingRule,
+  unhandledPromiseRule,
+  shallowCatchRule,
+  missingLoadingStateRule,
+  missingErrorBoundaryRule,
+  missingTransactionRule,
+  redirectInTryCatchRule,
+  missingRevalidationRule,
+  missingUseEffectCleanupRule,
+  hydrationMismatchRule,
+  // Performance
+  noSyncFsRule,
+  noNPlusOneRule,
+  noUnboundedQueryRule,
+  noDynamicImportLoopRule,
+  serverComponentFetchSelfRule,
+  missingAbortControllerRule,
+  // AI Quality
+  aiSmellsRule,
+  placeholderContentRule,
+  hallucinatedApiRule,
+  staleFallbackRule,
+  comprehensionDebtRule,
+  codebaseConsistencyRule,
+  deadExportsRule,
+  useClientOveruseRule
+];
+
+// src/scanner.ts
+import { resolve as resolve3 } from "path";
+async function scan(options) {
+  const start = performance.now();
+  const root = resolve3(options.path);
+  const filePaths = await walkFiles(root, options.ignore);
+  const project = await buildProjectContext(root, filePaths);
+  const findings = [];
+  const allFiles = [];
+  for (const relativePath of filePaths) {
+    const file = await readFileContext(root, relativePath);
+    if (!file) continue;
+    allFiles.push(file);
+    for (const rule of rules) {
+      if (rule.fileExtensions.length > 0 && !rule.fileExtensions.includes(file.ext)) {
+        continue;
+      }
+      const ruleFindings = rule.check(file, project);
+      for (const finding of ruleFindings) {
+        if (!isLineSuppressed(file.lines, finding.line - 1, finding.ruleId)) {
+          findings.push(finding);
+        }
+      }
+    }
+  }
+  for (const rule of rules) {
+    if (rule.checkProject) {
+      const projectFindings = rule.checkProject(allFiles, project);
+      findings.push(...projectFindings);
+    }
+  }
+  const { overallScore, categoryScores } = calculateScores(findings);
+  const summary = summarizeFindings(findings);
+  return {
+    version: getVersion(),
+    scannedPath: options.path,
+    filesScanned: filePaths.length,
+    scanDurationMs: Math.round(performance.now() - start),
+    findings,
+    overallScore,
+    categoryScores,
+    summary
+  };
+}
+
+// src/reporter.ts
+import pc from "picocolors";
+var SEVERITY_COLORS = {
+  critical: pc.red,
+  warning: pc.yellow,
+  info: pc.blue
+};
+var SEVERITY_LABELS = {
+  critical: "CRIT",
+  warning: "WARN",
+  info: "INFO"
+};
+function scoreColor(score) {
+  if (score >= 80) return pc.green;
+  if (score >= 50) return pc.yellow;
+  return pc.red;
+}
+function groupByFile(findings) {
   const map = /* @__PURE__ */ new Map();
   for (const f of findings) {
     const group = map.get(f.file) ?? [];
@@ -2110,11 +3722,16 @@ function groupByFile(findings) {
   }
   return map;
 }
-function reportPretty(result) {
+function reportPretty(result, opts = {}) {
   const lines = [];
+  const { critical, warning, info } = result.summary;
   lines.push("");
   lines.push(pc.bold("  prodlint") + pc.dim(` v${result.version}`));
-  lines.push(pc.dim(`  Scanned ${result.filesScanned} files in ${result.scanDurationMs}ms`));
+  const headerParts = [`Scanned ${result.filesScanned} files`];
+  if (critical > 0) headerParts.push(`${critical} critical`);
+  if (warning > 0) headerParts.push(`${warning} warnings`);
+  if (info > 0) headerParts.push(`${info} info`);
+  lines.push(pc.dim(`  ${headerParts.join(" \xB7 ")}`));
   lines.push("");
   if (result.findings.length > 0) {
     const grouped = groupByFile(result.findings);
@@ -2126,6 +3743,9 @@ function reportPretty(result) {
         lines.push(
           `  ${pc.dim(`${f.line}:${f.column}`)}  ${color(label)}  ${f.message}  ${pc.dim(f.ruleId)}`
         );
+        if (f.fix) {
+          lines.push(`  ${pc.dim(`      \u21B3 ${f.fix}`)}`);
+        }
       }
       lines.push("");
     }
@@ -2140,22 +3760,23 @@ function reportPretty(result) {
   const overallColor = scoreColor(result.overallScore);
   lines.push(pc.bold(`  Overall: ${overallColor(String(result.overallScore))}/100`));
   lines.push("");
-  const { critical, warning, info } = result.summary;
-  const parts = [];
-  if (critical > 0) parts.push(pc.red(`${critical} critical`));
-  if (warning > 0) parts.push(pc.yellow(`${warning} warnings`));
-  if (info > 0) parts.push(pc.blue(`${info} info`));
-  if (parts.length === 0) {
+  const summaryParts = [];
+  if (critical > 0) summaryParts.push(pc.red(`${critical} critical`));
+  if (warning > 0) summaryParts.push(pc.yellow(`${warning} warnings`));
+  if (info > 0) summaryParts.push(pc.blue(`${info} info`));
+  if (summaryParts.length === 0) {
     lines.push(pc.green("  No issues found!"));
   } else {
-    lines.push(`  ${parts.join(pc.dim(" \xB7 "))}`);
+    lines.push(`  ${summaryParts.join(pc.dim(" \xB7 "))}`);
   }
   lines.push("");
-  const badgeColor = result.overallScore >= 80 ? "brightgreen" : result.overallScore >= 60 ? "yellow" : "red";
-  const badgeUrl = `https://img.shields.io/badge/prodlint-${result.overallScore}%2F100-${badgeColor}`;
-  lines.push(pc.dim("  Add to your README:"));
-  lines.push(pc.dim(`  [![prodlint](${badgeUrl})](https://prodlint.com)`));
-  lines.push("");
+  if (!opts.quiet) {
+    const badgeColor = result.overallScore >= 80 ? "brightgreen" : result.overallScore >= 60 ? "yellow" : "red";
+    const badgeUrl = `https://img.shields.io/badge/prodlint-${result.overallScore}%2F100-${badgeColor}`;
+    lines.push(pc.dim("  Add to your README:"));
+    lines.push(pc.dim(`  [![prodlint](${badgeUrl})](https://prodlint.com)`));
+    lines.push("");
+  }
   return lines.join("\n");
 }
 function reportJson(result) {
@@ -2170,12 +3791,15 @@ function renderBar(score) {
 }
 
 // src/cli.ts
+var SEVERITY_RANK = { critical: 3, warning: 2, info: 1 };
 async function main() {
   const { values, positionals } = parseArgs({
     allowPositionals: true,
     options: {
       json: { type: "boolean", default: false },
       ignore: { type: "string", multiple: true, default: [] },
+      "min-severity": { type: "string", default: "info" },
+      quiet: { type: "boolean", default: false },
       help: { type: "boolean", short: "h", default: false },
       version: { type: "boolean", short: "v", default: false }
     }
@@ -2189,14 +3813,17 @@ async function main() {
     process.exit(0);
   }
   const targetPath = positionals[0] ?? ".";
+  const minSeverity = values["min-severity"] ?? "info";
   const result = await scan({
     path: targetPath,
     ignore: values.ignore
   });
+  const minRank = SEVERITY_RANK[minSeverity] ?? 1;
+  result.findings = result.findings.filter((f) => SEVERITY_RANK[f.severity] >= minRank);
   if (values.json) {
     console.log(reportJson(result));
   } else {
-    console.log(reportPretty(result));
+    console.log(reportPretty(result, { quiet: values.quiet }));
   }
   if (result.summary.critical > 0) {
     process.exit(1);
@@ -2204,22 +3831,26 @@ async function main() {
 }
 function printHelp() {
   console.log(`
-  prodlint - Scan AI-generated projects for production readiness issues
+  prodlint - The linter for vibe-coded apps
 
   Usage:
     npx prodlint [path] [options]
 
   Options:
-    --json             Output results as JSON
-    --ignore <pattern> Glob patterns to ignore (can be repeated)
-    -h, --help         Show this help message
-    -v, --version      Show version
+    --json                    Output results as JSON
+    --ignore <pattern>        Glob patterns to ignore (can be repeated)
+    --min-severity <level>    Minimum severity to show: critical, warning, info (default: info)
+    --quiet                   Suppress badge and summary
+    -h, --help                Show this help message
+    -v, --version             Show version
 
   Examples:
-    npx prodlint                    Scan current directory
-    npx prodlint ./my-app           Scan specific path
-    npx prodlint --json             JSON output
-    npx prodlint --ignore "*.test"  Ignore test files
+    npx prodlint                              Scan current directory
+    npx prodlint ./my-app                     Scan specific path
+    npx prodlint --json                       JSON output
+    npx prodlint --ignore "*.test"            Ignore test files
+    npx prodlint --min-severity warning       Only warnings and criticals
+    npx prodlint --quiet                      No badge output
 `);
 }
 main().catch((err) => {