prr-kit 1.1.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (173)
  1. package/LICENSE +1 -1
  2. package/README.md +260 -235
  3. package/docs/assets/banner.svg +33 -165
  4. package/docs/assets/how-it-works.svg +87 -0
  5. package/package.json +60 -60
  6. package/src/core/agents/prr-master.agent.yaml +18 -7
  7. package/src/core/tasks/clear.md +140 -0
  8. package/src/core/tasks/help.md +15 -13
  9. package/src/core/workflows/clear/workflow.md +6 -0
  10. package/src/core/workflows/help/workflow.md +6 -0
  11. package/src/core/workflows/party-mode/steps/step-01-load-reviewers.md +35 -24
  12. package/src/core/workflows/party-mode/steps/step-02-discussion.md +45 -25
  13. package/src/core/workflows/party-mode/workflow.md +2 -2
  14. package/src/prr/agents/architecture-reviewer.agent.yaml +65 -45
  15. package/src/prr/agents/business-reviewer.agent.yaml +66 -0
  16. package/src/prr/agents/general-reviewer.agent.yaml +64 -48
  17. package/src/prr/agents/performance-reviewer.agent.yaml +65 -45
  18. package/src/prr/agents/security-reviewer.agent.yaml +67 -43
  19. package/src/prr/config-template.yaml +97 -0
  20. package/src/prr/data/stacks/actix.md +55 -0
  21. package/src/prr/data/stacks/alpine.md +47 -0
  22. package/src/prr/data/stacks/android.md +53 -0
  23. package/src/prr/data/stacks/angular.md +96 -0
  24. package/src/prr/data/stacks/ansible.md +55 -0
  25. package/src/prr/data/stacks/apollo.md +54 -0
  26. package/src/prr/data/stacks/astro.md +48 -0
  27. package/src/prr/data/stacks/aws-cdk.md +55 -0
  28. package/src/prr/data/stacks/axum.md +56 -0
  29. package/src/prr/data/stacks/babylonjs.md +55 -0
  30. package/src/prr/data/stacks/bash.md +53 -0
  31. package/src/prr/data/stacks/bevy.md +53 -0
  32. package/src/prr/data/stacks/bootstrap.md +52 -0
  33. package/src/prr/data/stacks/bun.md +55 -0
  34. package/src/prr/data/stacks/cpp.md +57 -0
  35. package/src/prr/data/stacks/csharp.md +95 -0
  36. package/src/prr/data/stacks/css.md +55 -0
  37. package/src/prr/data/stacks/cypress.md +53 -0
  38. package/src/prr/data/stacks/d3.md +53 -0
  39. package/src/prr/data/stacks/deno.md +49 -0
  40. package/src/prr/data/stacks/django.md +92 -0
  41. package/src/prr/data/stacks/docker.md +79 -0
  42. package/src/prr/data/stacks/drizzle.md +54 -0
  43. package/src/prr/data/stacks/dynamodb.md +55 -0
  44. package/src/prr/data/stacks/electron.md +44 -0
  45. package/src/prr/data/stacks/elixir.md +53 -0
  46. package/src/prr/data/stacks/expo.md +53 -0
  47. package/src/prr/data/stacks/expressjs.md +82 -0
  48. package/src/prr/data/stacks/fastapi.md +88 -0
  49. package/src/prr/data/stacks/fastify.md +60 -0
  50. package/src/prr/data/stacks/fiber.md +55 -0
  51. package/src/prr/data/stacks/firebase.md +43 -0
  52. package/src/prr/data/stacks/flask.md +46 -0
  53. package/src/prr/data/stacks/flutter.md +75 -0
  54. package/src/prr/data/stacks/gin.md +57 -0
  55. package/src/prr/data/stacks/github-actions.md +71 -0
  56. package/src/prr/data/stacks/go.md +88 -0
  57. package/src/prr/data/stacks/godot.md +56 -0
  58. package/src/prr/data/stacks/graphql.md +76 -0
  59. package/src/prr/data/stacks/grpc.md +56 -0
  60. package/src/prr/data/stacks/haskell.md +48 -0
  61. package/src/prr/data/stacks/helm.md +54 -0
  62. package/src/prr/data/stacks/hono.md +54 -0
  63. package/src/prr/data/stacks/htmx.md +38 -0
  64. package/src/prr/data/stacks/java.md +87 -0
  65. package/src/prr/data/stacks/jest-vitest.md +87 -0
  66. package/src/prr/data/stacks/jquery.md +50 -0
  67. package/src/prr/data/stacks/junit.md +53 -0
  68. package/src/prr/data/stacks/kotlin.md +89 -0
  69. package/src/prr/data/stacks/kubernetes.md +148 -0
  70. package/src/prr/data/stacks/langchain.md +56 -0
  71. package/src/prr/data/stacks/laravel.md +56 -0
  72. package/src/prr/data/stacks/libgdx.md +46 -0
  73. package/src/prr/data/stacks/lit.md +49 -0
  74. package/src/prr/data/stacks/love2d.md +51 -0
  75. package/src/prr/data/stacks/lua.md +51 -0
  76. package/src/prr/data/stacks/mobx.md +54 -0
  77. package/src/prr/data/stacks/mongodb.md +85 -0
  78. package/src/prr/data/stacks/monogame.md +51 -0
  79. package/src/prr/data/stacks/mysql.md +57 -0
  80. package/src/prr/data/stacks/nestjs.md +95 -0
  81. package/src/prr/data/stacks/nextjs.md +88 -0
  82. package/src/prr/data/stacks/nginx.md +55 -0
  83. package/src/prr/data/stacks/node.md +56 -0
  84. package/src/prr/data/stacks/nuxtjs.md +91 -0
  85. package/src/prr/data/stacks/openai-api.md +54 -0
  86. package/src/prr/data/stacks/opengl.md +54 -0
  87. package/src/prr/data/stacks/phaser.md +54 -0
  88. package/src/prr/data/stacks/phoenix.md +55 -0
  89. package/src/prr/data/stacks/php.md +56 -0
  90. package/src/prr/data/stacks/playwright.md +86 -0
  91. package/src/prr/data/stacks/postgresql.md +60 -0
  92. package/src/prr/data/stacks/prisma.md +81 -0
  93. package/src/prr/data/stacks/pygame.md +52 -0
  94. package/src/prr/data/stacks/pytest.md +53 -0
  95. package/src/prr/data/stacks/python.md +94 -0
  96. package/src/prr/data/stacks/pytorch.md +54 -0
  97. package/src/prr/data/stacks/qwik.md +50 -0
  98. package/src/prr/data/stacks/rails.md +48 -0
  99. package/src/prr/data/stacks/react-native.md +77 -0
  100. package/src/prr/data/stacks/react.md +104 -0
  101. package/src/prr/data/stacks/redis.md +76 -0
  102. package/src/prr/data/stacks/redux.md +107 -0
  103. package/src/prr/data/stacks/remix.md +51 -0
  104. package/src/prr/data/stacks/rust.md +88 -0
  105. package/src/prr/data/stacks/sass.md +51 -0
  106. package/src/prr/data/stacks/scala.md +50 -0
  107. package/src/prr/data/stacks/scikit-learn.md +53 -0
  108. package/src/prr/data/stacks/sequelize.md +54 -0
  109. package/src/prr/data/stacks/socket-io.md +54 -0
  110. package/src/prr/data/stacks/solidity.md +53 -0
  111. package/src/prr/data/stacks/solidjs.md +45 -0
  112. package/src/prr/data/stacks/spring-boot.md +92 -0
  113. package/src/prr/data/stacks/sql.md +85 -0
  114. package/src/prr/data/stacks/sqlite.md +55 -0
  115. package/src/prr/data/stacks/styled-components.md +51 -0
  116. package/src/prr/data/stacks/supabase.md +57 -0
  117. package/src/prr/data/stacks/svelte.md +77 -0
  118. package/src/prr/data/stacks/sveltekit.md +54 -0
  119. package/src/prr/data/stacks/swift.md +61 -0
  120. package/src/prr/data/stacks/tailwindcss.md +10 -0
  121. package/src/prr/data/stacks/tanstack-query.md +48 -0
  122. package/src/prr/data/stacks/tauri.md +52 -0
  123. package/src/prr/data/stacks/terraform.md +53 -0
  124. package/src/prr/data/stacks/three.md +53 -0
  125. package/src/prr/data/stacks/trpc.md +49 -0
  126. package/src/prr/data/stacks/typeorm.md +40 -0
  127. package/src/prr/data/stacks/typescript.md +83 -0
  128. package/src/prr/data/stacks/unity.md +61 -0
  129. package/src/prr/data/stacks/unreal.md +58 -0
  130. package/src/prr/data/stacks/vite.md +48 -0
  131. package/src/prr/data/stacks/vue3.md +95 -0
  132. package/src/prr/data/stacks/vulkan.md +53 -0
  133. package/src/prr/data/stacks/wasm.md +49 -0
  134. package/src/prr/data/stacks/webpack.md +48 -0
  135. package/src/prr/data/stacks/zig.md +51 -0
  136. package/src/prr/data/stacks/zustand.md +56 -0
  137. package/src/prr/workflows/1-discover/select-pr/steps/step-05-confirm.md +1 -0
  138. package/src/prr/workflows/1-discover/select-pr/workflow.md +1 -1
  139. package/src/prr/workflows/2-analyze/collect-pr-context/steps/step-01-analyze-files.md +334 -0
  140. package/src/prr/workflows/2-analyze/collect-pr-context/steps/step-02-collect-sources.md +451 -0
  141. package/src/prr/workflows/2-analyze/collect-pr-context/steps/step-03-build-knowledge-base.md +337 -0
  142. package/src/prr/workflows/2-analyze/collect-pr-context/workflow.md +123 -0
  143. package/src/prr/workflows/2-analyze/describe-pr/steps/step-02-classify.md +12 -6
  144. package/src/prr/workflows/2-analyze/describe-pr/steps/step-03-walkthrough.md +59 -1
  145. package/src/prr/workflows/3-review/architecture-review/checklist.md +4 -0
  146. package/src/prr/workflows/3-review/architecture-review/instructions.xml +32 -4
  147. package/src/prr/workflows/3-review/architecture-review/workflow.yaml +17 -18
  148. package/src/prr/workflows/3-review/business-review/checklist.md +27 -0
  149. package/src/prr/workflows/3-review/business-review/instructions.xml +153 -0
  150. package/src/prr/workflows/3-review/business-review/workflow.yaml +17 -0
  151. package/src/prr/workflows/3-review/general-review/checklist.md +5 -1
  152. package/src/prr/workflows/3-review/general-review/instructions.xml +39 -8
  153. package/src/prr/workflows/3-review/general-review/workflow.yaml +17 -18
  154. package/src/prr/workflows/3-review/performance-review/checklist.md +3 -1
  155. package/src/prr/workflows/3-review/performance-review/instructions.xml +10 -3
  156. package/src/prr/workflows/3-review/performance-review/workflow.yaml +17 -18
  157. package/src/prr/workflows/3-review/security-review/checklist.md +2 -1
  158. package/src/prr/workflows/3-review/security-review/instructions.xml +8 -3
  159. package/src/prr/workflows/3-review/security-review/workflow.yaml +18 -19
  160. package/src/prr/workflows/4-improve/improve-code/workflow.yaml +17 -18
  161. package/src/prr/workflows/6-report/generate-report/steps/step-01-collect.md +9 -2
  162. package/src/prr/workflows/6-report/generate-report/steps/step-02-organize.md +28 -7
  163. package/src/prr/workflows/6-report/generate-report/steps/step-03-write.md +6 -4
  164. package/src/prr/workflows/6-report/generate-report/templates/review-report.template.md +124 -78
  165. package/src/prr/workflows/6-report/post-comments/steps/step-01-format.md +104 -13
  166. package/src/prr/workflows/6-report/post-comments/steps/step-02-post.md +92 -21
  167. package/src/prr/workflows/6-report/post-comments/workflow.md +6 -0
  168. package/src/prr/workflows/quick/workflow.md +138 -32
  169. package/src/prr/workflows/0-setup/collect-project-context/steps/step-01-scan-configs.md +0 -106
  170. package/src/prr/workflows/0-setup/collect-project-context/steps/step-02-extract-rules.md +0 -131
  171. package/src/prr/workflows/0-setup/collect-project-context/steps/step-03-ask-context.md +0 -194
  172. package/src/prr/workflows/0-setup/collect-project-context/steps/step-04-save-context.md +0 -161
  173. package/src/prr/workflows/0-setup/collect-project-context/workflow.md +0 -58
@@ -0,0 +1,61 @@
1
+ # Unity — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `*.cs` in Unity project, `UnityEngine`, `MonoBehaviour`, `using UnityEngine`, `Assets/`, `ProjectSettings/`, `.unity` scenes, `Awake()`, `Start()`, `Update()`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[CRITICAL]** Deserializing untrusted data with `BinaryFormatter` → arbitrary code execution; replace with `JsonUtility` or a safe serializer and validate schemas before deserialization.
10
+ - **[HIGH]** Downloading and executing AssetBundles from unverified URLs → malicious asset injection at runtime; verify bundle URLs against an allowlist and validate bundle hashes after download.
11
+ - **[HIGH]** Storing sensitive data (auth tokens, purchase receipts) in `PlayerPrefs` → written as plaintext to disk and registry; use encrypted storage or OS keychain APIs instead.
12
+ - **[HIGH]** Trusting client-reported game state without server-side validation → cheating via memory editors; authoritative game server must validate all state transitions.
13
+ - **[HIGH]** WebGL builds exposing full game logic to browser DevTools → JavaScript decompilation trivial; obfuscate builds and never embed secrets in client code.
14
+ - **[MEDIUM]** Sensitive save data written to `Application.persistentDataPath` without encryption → readable by any process with file access; encrypt with `AES` before writing.
15
+ - **[MEDIUM]** Hardcoded API keys or credentials committed in C# scripts → exposed in version history and decompiled assemblies; load from environment or encrypted config at runtime.
16
+
17
+ ---
18
+
19
+ ## Performance
20
+ - **[CRITICAL]** Heavy logic (physics queries, pathfinding, string operations) in `Update()` instead of event-driven patterns or coroutines → CPU overhead every frame at 60+ Hz; move to events, coroutines, or throttled polling.
21
+ - **[HIGH]** `GameObject.Find()` or `FindObjectOfType()` called in `Update()` → O(n) linear scene search every frame; cache references in `Awake()` or `Start()`.
22
+ - **[HIGH]** Frequent `Instantiate()`/`Destroy()` cycles for projectiles, particles, or enemies → GC pressure and frame spikes; implement an Object Pooling system.
23
+ - **[HIGH]** Textures not compressed with platform-appropriate formats (DXT on Windows, ETC2 on Android, ASTC on iOS) → excessive VRAM usage and slower GPU sampling.
24
+ - **[HIGH]** Component references retrieved via `GetComponent<T>()` every frame instead of cached `[SerializeField]` fields → repeated reflection-based lookups; cache in `Awake()`.
25
+ - **[MEDIUM]** `Camera.main` accessed in `Update()` → performs an O(n) tag search each call; cache the camera reference in `Awake()`.
26
+ - **[MEDIUM]** String concatenation or `string.Format()` in `Update()` → heap allocation every frame causing GC spikes; use `StringBuilder` or cached strings.
27
+ - **[MEDIUM]** `FixedUpdate` rate not tuned for game type → too high wastes CPU, too low makes physics feel loose; set `Project Settings > Time > Fixed Timestep` appropriately.
28
+ - **[LOW]** Release builds using Mono scripting backend instead of IL2CPP → lower runtime performance and easier decompilation; switch to IL2CPP for all shipping builds.
29
+
30
+ ---
31
+
32
+ ## Architecture
33
+ - **[HIGH]** MonoBehaviour acting as a God Object handling input, AI, physics, UI, and networking → untestable and unresusable; decompose into focused components and use composition.
34
+ - **[HIGH]** Inter-object communication via `Find`/`FindObjectOfType` instead of events, interfaces, or ScriptableObject channels → tight coupling that breaks on scene changes; use UnityEvents or ScriptableObject event channels.
35
+ - **[HIGH]** Game state stored in static fields → impossible to reset cleanly without a full restart; use a dedicated game state class, ScriptableObjects, or a scene-reload strategy.
36
+ - **[MEDIUM]** Shared configuration and data not using `ScriptableObject` assets → duplicated magic numbers across prefabs; centralize into ScriptableObject data containers.
37
+ - **[MEDIUM]** Game logic tightly coupled to Unity lifecycle methods → cannot be unit tested outside the editor; separate pure logic into plain C# classes called from MonoBehaviours.
38
+ - **[MEDIUM]** Large open-world scenes loaded as a single scene → long load times and no streaming; use additive scene loading with async `LoadSceneMode.Additive`.
39
+ - **[LOW]** Legacy Input Manager still used (`Input.GetKey`) → deprecated path with no rebinding support; migrate to the new Input System package.
40
+
41
+ ---
42
+
43
+ ## Code Quality
44
+ - **[HIGH]** Null checks using `if (component != null)` on destroyed GameObjects → Unity overrides `==` operator; a destroyed object is `== null` but not `is null`; use Unity's `==` and avoid `is null` or `?.` on UnityObjects.
45
+ - **[HIGH]** Coroutines started with `StartCoroutine()` but never stopped → run indefinitely after the owning object is disabled or the scene changes; always pair with `StopCoroutine()` or stop on `OnDisable()`/`OnDestroy()`.
46
+ - **[MEDIUM]** Layer mask indices and Animator parameter names as magic integers/strings → silent breakage on project changes; define named constants or use `Animator.StringToHash()`.
47
+ - **[MEDIUM]** Missing `[RequireComponent(typeof(T))]` attribute when a MonoBehaviour always depends on another component → runtime NullReference when component is absent; declare the dependency explicitly.
48
+ - **[MEDIUM]** Editor-only debugging code not wrapped in `#if UNITY_EDITOR` → shipped in builds and potentially crashing; guard all editor utilities.
49
+ - **[LOW]** Public fields used for Inspector exposure instead of `[SerializeField] private` → breaks encapsulation; prefer `[SerializeField]` with private backing fields.
50
+
51
+ ---
52
+
53
+ ## Common Bugs & Pitfalls
54
+ - **[CRITICAL]** Accessing a MonoBehaviour's properties or methods after `Destroy()` on the same frame → the object is destroyed at end-of-frame but references remain; null-check with Unity's `==` before access.
55
+ - **[HIGH]** Starting a Coroutine on a disabled or inactive GameObject → Unity silently refuses to start it and no warning is shown; ensure the GameObject is active, or use a persistent manager object.
56
+ - **[HIGH]** Event subscriptions (C# events, UnityEvents) added in `OnEnable()` not removed in `OnDisable()` or `OnDestroy()` → memory leaks and NullReferenceException callbacks after object destruction.
57
+ - **[HIGH]** `Awake()` and `Start()` execution order between objects not controlled → initialization race conditions when object A depends on object B's `Awake()` having run; use Script Execution Order settings or deferred initialization.
58
+ - **[MEDIUM]** Movement or animation speed not multiplied by `Time.deltaTime` → frame-rate dependent behaviour; always scale per-frame changes by `Time.deltaTime`.
59
+ - **[MEDIUM]** `DontDestroyOnLoad` manager objects duplicated when reloading the scene that created them → multiple singletons fighting; enforce singleton pattern with scene-existence check in `Awake()`.
60
+ - **[MEDIUM]** Physics queries (`Raycast`, `OverlapSphere`) using wrong layer masks → hitting unintended objects or missing targets; always specify a layer mask.
61
+ - **[LOW]** Hot `Vector3` arithmetic in tight loops creating intermediate structs → excessive stack pressure; use `ref`-parameter overloads or operate on components directly for hot paths.
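Review bot: the Code Quality rule at line 44 flags the very pattern its remediation recommends. It opens with "Null checks using `if (component != null)` on destroyed GameObjects" as the problem, then ends with "use Unity's `==` and avoid `is null` or `?.` on UnityObjects"; since `!= null` goes through Unity's overloaded operator, it is the correct check, and the anti-pattern the rule means to catch is `is null`, `is not null`, `?.` and `??` on `UnityEngine.Object` references (those bypass the overload and treat a destroyed object as alive). Suggest rewording the trigger to name those C# pattern-matching and null-coalescing forms so a reviewer does not flag correct code. Separately, line 33 has a typo: "unresusable" should be "unreusable".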
@@ -0,0 +1,58 @@
1
+ # Unreal Engine — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `*.cpp`/`*.h` in Unreal project, `UCLASS()`, `UPROPERTY()`, `UFUNCTION()`, `AGameMode`, `UObject`, `FString`, `TArray`, `GEngine`, `.uproject`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[HIGH]** Server RPC (`UFUNCTION(Server, Reliable)`) executing game-state changes without authority check → clients can call any server RPC arbitrarily; always verify `HasAuthority()` at the start of every server RPC.
10
+ - **[HIGH]** Unvalidated client-reported game state accepted by server → cheating via modified clients; keep authoritative logic on server and treat all client input as untrusted.
11
+ - **[HIGH]** Serialized save game data loaded without schema validation → malformed or tampered saves can crash the server or client; validate all fields before use after `LoadGameFromSlot`.
12
+ - **[MEDIUM]** Server URLs, API keys, or backend endpoints hardcoded in Blueprint or C++ → visible in packaged builds via asset extraction; load secrets from server-side config or use backend relay.
13
+ - **[MEDIUM]** UE_LOG calls and console commands (e.g., `cheats`, `showdebug`) accessible in Shipping builds → information leakage and cheat enablement; strip debug commands with `UE_BUILD_SHIPPING` guards.
14
+ - **[MEDIUM]** `UFUNCTION(Client, Reliable)` used to send sensitive data from server to a specific client without ownership check → data sent to wrong client; verify `GetOwner() == PC` before client RPCs.
15
+ - **[LOW]** Blueprint bytecode not protected in packaged build → decompilable with community tools; move security-critical logic to C++.
16
+
17
+ ---
18
+
19
+ ## Performance
20
+ - **[CRITICAL]** `AActor::Tick` enabled on actors that do not need per-frame updates → unnecessary CPU cost for every actor in the scene; set `PrimaryActorTick.bCanEverTick = false` in constructor for non-ticking actors.
21
+ - **[HIGH]** Garbage Collection hitches from large numbers of `UObject`-derived objects being allocated and released rapidly → GC pause spikes; pool objects and avoid frequent construction/destruction of UObjects.
22
+ - **[HIGH]** Static meshes without LOD levels in complex scenes → excessive polygon count at distance; set up LOD groups or use Nanite (UE5) for static geometry.
23
+ - **[HIGH]** Synchronous HTTP requests or blocking disk I/O executed on the game thread → frame stutter; use async task graph or UE's `FHttpModule` with async callbacks.
24
+ - **[HIGH]** Blueprint VM executing hot-path logic (AI, physics math, per-tick calculations) → Blueprint is 10-100x slower than native C++; move performance-critical code to C++ and expose via `BlueprintCallable`.
25
+ - **[MEDIUM]** Replication not gated by `NetUpdateFrequency` and `MinNetUpdateFrequency` → flooding the network with unnecessary updates; tune per-actor replication rates.
26
+ - **[MEDIUM]** Shader complexity not profiled with `viewmode shadercomplexity` → overdraw and expensive materials going undetected; budget material instruction counts.
27
+ - **[LOW]** Nanite not enabled for high-polygon static assets in UE5 → missed opportunity for virtualized geometry; enable Nanite on eligible meshes.
28
+
29
+ ---
30
+
31
+ ## Architecture
32
+ - **[HIGH]** Game logic implemented in Blueprints that would benefit from C++ for performance and testability → Blueprint-only codebases are hard to refactor and slow at runtime; use C++ base classes with Blueprint subclasses for data.
33
+ - **[HIGH]** Monolithic Actor classes handling movement, AI, UI, inventory, and audio → violates single responsibility; decompose into `UActorComponent` subclasses.
34
+ - **[MEDIUM]** Not following Unreal's GameMode / GameState / PlayerState / PlayerController / Pawn separation → game rules and per-player data mixed into Actor classes; respect the intended roles of each framework class.
35
+ - **[MEDIUM]** Hard references between assets (`UPROPERTY(EditAnywhere) UTexture2D*`) causing full asset load chains → large memory spikes; use `TSoftObjectPtr` and async loading for non-critical assets.
36
+ - **[MEDIUM]** Global services implemented as static methods or global variables instead of Unreal Subsystems → difficult to test and replace; use `UGameInstanceSubsystem`, `UWorldSubsystem`, or `UEngineSubsystem`.
37
+ - **[LOW]** Not using Unreal's Enhanced Input system (legacy `InputComponent` bindings deprecated in UE5) → missing rebinding and context-layered input support.
38
+
39
+ ---
40
+
41
+ ## Code Quality
42
+ - **[HIGH]** Raw C++ pointers to `UObject`-derived objects stored without `UPROPERTY()` → Unreal GC does not see the reference and may collect the object → dangling pointer crash; always mark UObject pointers with `UPROPERTY()` or use `TWeakObjectPtr`.
43
+ - **[HIGH]** `Cast<T>()` return value used without null check → returns `nullptr` on type mismatch; always null-check before dereferencing cast results.
44
+ - **[HIGH]** Not using `IsValid()` before accessing a `UObject` pointer → object may be pending kill; use `IsValid(Ptr)` instead of `Ptr != nullptr`.
45
+ - **[MEDIUM]** `FString` used for identifiers and map keys where `FName` is appropriate → FName is hashed and interned; use `FName` for asset names and identifiers, `FText` for display strings.
46
+ - **[MEDIUM]** `TArray` modified (elements added/removed) while iterating with range-for → iterator invalidation and undefined behaviour; iterate a copy or use index-based loops with care.
47
+ - **[LOW]** Unreal naming conventions not followed (prefix `A` for Actors, `U` for UObjects, `F` for structs, `I` for interfaces, `E` for enums) → reduces readability and breaks tooling assumptions.
48
+
49
+ ---
50
+
51
+ ## Common Bugs & Pitfalls
52
+ - **[CRITICAL]** `UObject` pointer not marked with `UPROPERTY()` → Garbage Collector silently frees the object → crash on next access; add `UPROPERTY()` to every UObject pointer member.
53
+ - **[HIGH]** Calling Blueprint-callable functions or virtual functions from a `UObject` constructor → object not fully initialized at construction time; defer initialization to `BeginPlay()` or `PostInitializeComponents()`.
54
+ - **[HIGH]** Server RPC called from client code without the `Server` UFUNCTION specifier → call silently dropped; always pair `Server` specifier with `_Implementation` and `_Validate` methods.
55
+ - **[HIGH]** `BeginPlay()` execution order across Actors not guaranteed → initialization dependencies between actors can fail silently; use deferred initialization or `PostBeginPlay` ordering.
56
+ - **[MEDIUM]** Delegates and dynamic multicast delegates not unbound in `EndPlay()` or `BeginDestroy()` → stale references firing after object destruction.
57
+ - **[MEDIUM]** Replication of a `TArray` relying on element-level delta → Unreal replicates the whole array on any change; use `FFastArraySerializer` for large replicated arrays.
58
+ - **[LOW]** Hot Reload breaking native class changes (added/removed member variables) → corrupted class layout; always do a full compile after structural class changes.
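Review bot: the remediation at line 9, "always verify `HasAuthority()` at the start of every server RPC", does not address the risk the rule describes. A `UFUNCTION(Server, ...)` body only ever runs on the server, where `HasAuthority()` is already true, so the check is a no-op; the defences that actually matter are argument validation through the `WithValidation` specifier and its `_Validate` function, plus checking that the calling client is entitled to the requested state change (ownership, cooldowns, range). Line 54 has the related inaccuracy that a Server RPC must "always pair `Server` specifier with `_Implementation` and `_Validate` methods": `_Validate` is only required (and only compiled) when `WithValidation` is also set, so suggest saying so explicitly. Finally, line 55 recommends "`PostBeginPlay` ordering"; I cannot find a `PostBeginPlay` hook on `AActor`, so please verify that name or point to `PostInitializeComponents()` as line 53 already does.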
@@ -0,0 +1,48 @@
1
+ # Vite — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `vite.config.*`, `from 'vite'`, `import.meta.env`, `import.meta.hot`, `defineConfig` from vite
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[CRITICAL]** Any variable prefixed with `VITE_` is automatically embedded in the client bundle → ALL such values are publicly visible. Never store API keys, secrets, or credentials in `VITE_` variables; use server-side env vars for secrets.
10
+ - **[CRITICAL]** `import.meta.env.VITE_API_KEY` used as an authentication secret → secret exposed to every browser visitor. Move secret usage to a backend proxy; expose only a public endpoint URL to the client.
11
+ - **[HIGH]** `define` plugin option replacing `process.env.SECRET` in the bundle → inlined plaintext secret shipped to clients. Remove secret values from `define`; use runtime server-side configuration instead.
12
+ - **[HIGH]** `server.fs.allow` set to `/` or overly broad path → dev server can serve any file on the system including `/etc/passwd`. Restrict `fs.allow` to the project root or specific necessary directories.
13
+ - **[MEDIUM]** No Content Security Policy configured for the production build → XSS attacks not mitigated by browser. Add CSP headers via the hosting layer or a Vite plugin (e.g. `vite-plugin-csp`).
14
+
15
+ ---
16
+
17
+ ## Performance
18
+ - **[HIGH]** `build.rollupOptions.output.manualChunks` not configured for large applications → single monolithic bundle with poor cache efficiency. Define `manualChunks` to separate vendor, framework, and feature code into cacheable chunks.
19
+ - **[HIGH]** Dynamic `import()` not used for route-level or feature-level code splitting → entire app JS loaded on first page visit. Wrap route components and large features in `import('...')` for lazy loading.
20
+ - **[HIGH]** Loading entire utility libraries (lodash, moment) without tree-shaking → dead code bloat. Import named exports from tree-shakeable equivalents (`lodash-es`, `date-fns`) or use specific subpath imports.
21
+ - **[MEDIUM]** `build.sourcemap: true` in production config → large `.map` files deployed alongside bundles. Set `sourcemap: false` or `sourcemap: 'hidden'` for production to avoid exposing source to users.
22
+ - **[MEDIUM]** No compression plugin configured → uncompressed JS/CSS served, missing 60-80% size reduction. Add `vite-plugin-compression` for gzip/brotli output or configure compression at the CDN/server layer.
23
+ - **[LOW]** `optimizeDeps.exclude` incorrectly listing packages that should be pre-bundled → slow dev server cold starts and waterfall module requests. Only exclude packages that are truly incompatible with pre-bundling (e.g. those using `require.resolve`).
24
+
25
+ ---
26
+
27
+ ## Architecture
28
+ - **[HIGH]** Plugins not ordered correctly in the `plugins` array → transform conflicts (e.g. TypeScript plugin must run before framework plugin). Review each plugin's documented order requirement; check plugin `enforce: 'pre'/'post'` settings.
29
+ - **[HIGH]** `resolve.alias` overriding paths inside `node_modules` → breaks the package's own internal imports and causes hard-to-debug resolution errors. Only alias your own source paths (e.g. `@/` → `src/`); never alias into `node_modules`.
30
+ - **[MEDIUM]** Single `vite.config.ts` handling all environments without using the `mode` parameter → environment-specific config mixed together, risk of dev-only settings leaking to production. Use `mode` to conditionally apply plugins: `if (mode === 'production') { ... }`.
31
+ - **[MEDIUM]** Dev-only plugins (e.g. mock server, inspector) not guarded with `apply: 'serve'` → dev tooling included in production build. Add `apply: 'serve'` to all development-only plugins.
32
+
33
+ ---
34
+
35
+ ## Code Quality
36
+ - **[MEDIUM]** Missing `/// <reference types="vite/client" />` in `vite-env.d.ts` → `import.meta.env`, `import.meta.hot`, and asset imports are untyped. Add the triple-slash reference to enable Vite's built-in type definitions.
37
+ - **[MEDIUM]** `import.meta.glob()` used without explicit typing → returned module map is `Record<string, unknown>`. Type the glob call: `import.meta.glob<{ default: Component }>('./routes/*.tsx')`.
38
+ - **[MEDIUM]** HMR custom handlers (`import.meta.hot.accept(...)`) written without checking `import.meta.hot` guard → fails in production build where HMR is stripped. Always guard: `if (import.meta.hot) { import.meta.hot.accept(...) }`.
39
+ - **[LOW]** `defineConfig` used without TypeScript, relying on plain JS config without type checking → mistyped config options silently ignored. Rename config to `vite.config.ts` and use TypeScript for type-checked configuration.
40
+
41
+ ---
42
+
43
+ ## Common Bugs & Pitfalls
44
+ - **[HIGH]** `process.env.VAR` used in client code (React/Vue habit from CRA/webpack) → `process` is undefined in Vite's browser environment; build fails or returns `undefined`. Replace all client-side `process.env` references with `import.meta.env.VITE_VAR`.
45
+ - **[HIGH]** SSR build missing `resolve.conditions: ['node']` or `ssr: true` in build options → wrong package entry points resolved, browser bundles used on server. Configure separate SSR build with `build.ssr` and proper resolve conditions.
46
+ - **[MEDIUM]** Relative imports breaking after changing the `base` config option → asset URLs and router base paths misalign. Audit all hardcoded `/` paths and use `import.meta.env.BASE_URL` for dynamic base-relative URLs.
47
+ - **[MEDIUM]** CSS Modules class name collisions because `generateScopedName` not configured → two modules produce the same hashed class. Configure `css.modules.generateScopedName` with a pattern that includes the filename for uniqueness.
48
+ - **[MEDIUM]** Files in `publicDir` served without content hash in filename → CDN or browser caches stale version after update. Files in `publicDir` are never hashed by Vite; use `src/assets/` with `import` for hash-fingerprinted assets.
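Review bot: the CRITICAL rule at line 9 should also tell the reviewer to inspect the `envPrefix` option in `vite.config.*`. The statement "Any variable prefixed with `VITE_` is automatically embedded in the client bundle" is only the default; a config that sets `envPrefix` to a broader prefix or a list of prefixes widens the set of variables exposed to the browser, so a reviewer checking only for `VITE_`-prefixed secrets would miss it. Likewise the `server.fs.allow` rule at line 12 would benefit from one more check: `server.fs.deny` (which by default blocks `.env` files and key material) can be overridden in the same block, and emptying it has the same effect as an over-broad `allow`.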
@@ -0,0 +1,95 @@
1
+ # Vue 3 — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `*.vue` files, `from 'vue'`, `<script setup>`, `defineComponent`, `vite.config.*` with vue plugin, `pinia` or `vuex` in deps, `defineProps`, `defineEmits`
5
+
6
+ ---
7
+
8
+ ## Security
9
+
10
+ - **[CRITICAL]** `v-html` with user-controlled data → stored/reflected XSS. Use `{{ }}` text interpolation. If HTML required, sanitize with DOMPurify first.
11
+ - **[CRITICAL]** Dynamic `:is` binding with user-controlled string → arbitrary component injection. Only allow from known safe component map.
12
+ - **[CRITICAL]** Server-side template injection in SSR (Nuxt) via user-controlled template strings.
13
+ - **[HIGH]** `href` bound to user input without URL validation → `javascript:` protocol injection. Validate protocol allowlist.
14
+ - **[HIGH]** Missing `@submit.prevent` on forms calling APIs → unintended page reloads bypassing client validation.
15
+ - **[HIGH]** `eval()` / `new Function()` in component logic with user input → code injection.
16
+ - **[HIGH]** Pinia store persisted to localStorage via `pinia-plugin-persistedstate` with sensitive data → plaintext exposure.
17
+ - **[MEDIUM]** Sensitive store state (tokens, passwords) exposed in template → visible in Vue DevTools. Keep server-side.
18
+ - **[MEDIUM]** Missing CSRF protection with cookie-based auth on mutations.
19
+ - **[MEDIUM]** `useRoute().query` used without sanitization in templates.
20
+ - **[LOW]** Vue DevTools enabled in production build → state and component tree exposed.
21
+
22
+ ---
23
+
24
+ ## Performance
25
+
26
+ - **[HIGH]** `watchEffect` / `watch` starting async without `onCleanup` → memory leak and race condition on unmount mid-flight.
27
+ - **[HIGH]** `v-for` on large lists without virtual scrolling (vue-virtual-scroller) → DOM overload at 500+ items.
28
+ - **[HIGH]** `computed` depending on entire store object (`todoStore`) instead of specific fields → re-runs on any store change.
29
+ - **[HIGH]** `watch` with `deep: true` on large nested objects → expensive deep traversal every change; use targeted watchers.
30
+ - **[HIGH]** Component not using `v-once` for truly static content → re-evaluates on every render.
31
+ - **[HIGH]** `reactive()` used for large arrays with frequent push → Vue 3 tracks every index.
32
+ - **[MEDIUM]** `v-for` using array index as `:key` → broken reconciliation on reorder/delete; use stable unique IDs.
33
+ - **[MEDIUM]** Missing `:key` on `v-for` entirely → Vue warns, falls back to index behavior.
34
+ - **[MEDIUM]** Heavy computation directly in template expressions → runs on every render; move to `computed`.
35
+ - **[MEDIUM]** `shallowRef` not used for large read-only data blobs → Vue tracks deep reactivity unnecessarily.
36
+ - **[MEDIUM]** `onMounted` doing expensive synchronous work → UI freeze on first render; use async with loading state.
37
+ - **[MEDIUM]** `defineAsyncComponent` not used for heavy components → included in initial bundle.
38
+ - **[MEDIUM]** `v-show` vs `v-if` misuse: `v-if` on frequently toggled elements → DOM destroy/recreate overhead.
39
+ - **[LOW]** `provide`/`inject` at root for frequently changing values → all descendants potentially affected.
40
+ - **[LOW]** Unnecessarily large `watch` source (full array) when only length matters.
41
+
42
+ ---
43
+
44
+ ## Architecture
45
+
46
+ - **[HIGH]** Direct store state mutation outside action: `store.items.push(...)` → bypasses Pinia devtools and action tracking.
47
+ - **[HIGH]** `useStore()` called outside `setup()` (module scope, plain function) → loses reactivity context.
48
+ - **[HIGH]** Props mutation inside child component (`props.value = x`) → violates one-way data flow, Vue warning.
49
+ - **[HIGH]** `defineExpose()` leaking internal reactive refs to parent without intent → tight coupling.
50
+ - **[HIGH]** Business logic (API calls, transformation) in template or event handlers → move to store actions or composables.
51
+ - **[HIGH]** Pinia store importing another store's internals directly → cross-store coupling; use store actions.
52
+ - **[HIGH]** Composable modifying global state without clearly documented side effects.
53
+ - **[MEDIUM]** Monolithic component >400 lines → decompose into container + presentational.
54
+ - **[MEDIUM]** `provide/inject` without TypeScript injection keys → no type safety, silent undefined at runtime.
55
+ - **[MEDIUM]** Async component loading without `<Suspense>` boundary → unhandled loading/error states.
56
+ - **[MEDIUM]** Composable not returning reactive refs → consumers lose reactivity after destructuring.
57
+ - **[MEDIUM]** Router navigation guard doing data fetching → use `onBeforeRouteUpdate` inside component or store action.
58
+ - **[LOW]** Missing `defineOptions({ name: 'ComponentName' })` → harder debugging in Vue DevTools.
59
+ - **[LOW]** Global event bus (`mitt`) used for parent-child communication → use props/emits; bus for truly global events only.
60
+
61
+ ---
62
+
63
+ ## Code Quality
64
+
65
+ - **[HIGH]** `defineProps` without TypeScript types or runtime validators → silent prop misuse.
66
+ - **[HIGH]** Missing `defineEmits` declaration → uncaught typo event names, no IDE support.
67
+ - **[HIGH]** `defineProps` with required prop not having default and not checked → undefined access crash.
68
+ - **[MEDIUM]** Mixing Options API with Composition API in same component → confusing, lint may miss issues.
69
+ - **[MEDIUM]** `ref()` vs `reactive()` inconsistency across codebase → pick one convention and document.
70
+ - **[MEDIUM]** `<script setup>` importing unused components → increases bundle size.
71
+ - **[MEDIUM]** `v-model` without explicit `:modelValue` / `@update:modelValue` contract on custom component.
72
+ - **[MEDIUM]** Template ref (`ref="el"`) typed as `any` in TypeScript → defeats type safety.
73
+ - **[MEDIUM]** Async composable not handling error state → calling component has no error boundary.
74
+ - **[LOW]** Single-word component name (`<Header>`) → conflicts with native HTML elements.
75
+ - **[LOW]** Missing default value for optional props → runtime undefined access.
76
+ - **[LOW]** `defineProps` `withDefaults` not used when defaults needed → verbose manual checking.
77
+
78
+ ---
79
+
80
+ ## Common Bugs & Pitfalls
81
+
82
+ - **[HIGH]** `async setup()` rendering before data resolves without `<Suspense>` → UI flash with undefined data.
83
+ - **[HIGH]** `reactive()` object destructured into local variables → reactivity lost silently (`const { name } = reactive(obj)`).
84
+ - **[HIGH]** `toRef` / `toRefs` not used when extracting from `reactive` → stale values after store changes.
85
+ - **[HIGH]** `watch` source is a reactive object property accessed directly → watch not triggered (`watch(obj.prop, ...)` vs `watch(() => obj.prop, ...)`).
86
+ - **[HIGH]** Pinia action not awaited → dependent UI renders before state updated.
87
+ - **[HIGH]** `onUnmounted` cleanup not added for `setInterval`/`setTimeout` → leak on route change.
88
+ - **[HIGH]** `watchEffect` running before DOM is ready → access to template refs returns null.
89
+ - **[MEDIUM]** `watch` missing `immediate: true` when logic should run on mount.
90
+ - **[MEDIUM]** `computed` with setter missing → silently fails on two-way binding.
91
+ - **[MEDIUM]** `nextTick` not awaited before DOM-dependent logic after state change → stale DOM.
92
+ - **[MEDIUM]** `v-for` over Pinia store array → `v-for` on reactive proxy — mutations outside actions break reactivity.
93
+ - **[MEDIUM]** `<Teleport>` target not existing in DOM when component mounts → silent fail.
94
+ - **[LOW]** `onActivated`/`onDeactivated` hooks not used with `<KeepAlive>` → side effects not managed on cache toggle.
95
+ - **[LOW]** `$attrs` fallthrough not disabled when manually forwarding → double attribute application.
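Review bot: the MEDIUM Common Bugs item "`v-for` over Pinia store array → mutations outside actions break reactivity" is incorrect and contradicts the HIGH Architecture item on `store.items.push(...)`, which correctly says direct mutation only bypasses devtools and action tracking; Pinia state stays reactive when mutated outside an action. Drop the Common Bugs item or reword it to the traceability point. Two category fixes while here: "Missing `@submit.prevent`" is a functional bug, not a security finding (client-side validation is not a security control), so it belongs in Common Bugs at MEDIUM; and "`useRoute().query` used without sanitization in templates" should be narrowed to the sinks where escaping does not apply (`v-html`, a bound `href`, `:is`), because `{{ }}` interpolation already escapes and the rule as written will flag safe code.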
@@ -0,0 +1,53 @@
1
+ # Vulkan — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `vulkan`, `vk::`, `VkInstance`, `VkDevice`, `vkCreateInstance`, `vulkan.h`, `VK_`, SPIR-V, `*.spv`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[HIGH]** Validation layers disabled in debug builds to "improve performance" → API misuse, undefined behavior, and driver crashes go undetected during development; always enable `VK_LAYER_KHRONOS_validation` in debug and CI builds.
10
+ - **[HIGH]** Persistently mapped buffer memory (`vkMapMemory`) written by the CPU while simultaneously read by the GPU without synchronization → data corruption and undefined behavior; use proper pipeline barriers or semaphores to ensure CPU-GPU ordering before unmapping or flushing.
11
+ - **[MEDIUM]** SPIR-V shader binaries loaded from user-controlled file paths without validation → malformed SPIR-V can crash drivers or trigger undefined behavior; validate with `spirv-val` at build time and load only from bundled, pre-validated binaries.
12
+ - **[LOW]** Debug messenger (`VK_EXT_debug_utils`) not set up during development → Vulkan API misuse produces no diagnostic output; always install a debug messenger callback that logs all validation messages in non-shipping builds.
13
+
14
+ ---
15
+
16
+ ## Performance
17
+ - **[CRITICAL]** One `vkQueueSubmit` call issued per draw call → extreme CPU overhead from queue submission synchronization; record all draw commands into a single command buffer and submit once per frame.
18
+ - **[CRITICAL]** `VkFence` and `VkSemaphore` synchronization used incorrectly (e.g., waiting on a fence that was never signaled, signaling a semaphore that is never waited on) → GPU hangs, CPU deadlock, or undefined frame ordering; follow the canonical acquire-render-present synchronization pattern with per-frame fences and semaphores.
19
+ - **[HIGH]** Pipeline barriers specified with `VK_PIPELINE_STAGE_ALL_COMMANDS_BIT` as source or destination stage → unnecessarily broad barrier stalls the entire GPU pipeline; narrow to the precise pipeline stages that produce and consume the resource.
20
+ - **[HIGH]** Device memory allocated individually per resource with `vkAllocateMemory()` → drivers have a hard limit on allocation count (often 4096); use a GPU memory allocator library (VMA — Vulkan Memory Allocator) to suballocate from large blocks.
21
+ - **[HIGH]** Tile-based GPU architecture (mobile) not using render pass subpasses for on-chip framebuffer operations → intermediate render targets written to and read back from main memory; use `vkCmdNextSubpass` with input attachments to keep data on-chip.
22
+ - **[MEDIUM]** Descriptor sets allocated individually per frame per object → descriptor pool fragmentation and allocation overhead; pre-allocate descriptor sets for the maximum number of objects and rotate through them per frame.
23
+ - **[MEDIUM]** Command buffers re-recorded every frame for static scene geometry → unnecessary CPU work; pre-record static geometry command buffers once and only re-record when scene state changes.
24
+ - **[LOW]** Small per-draw-call data (model matrix, material index) passed via descriptor sets instead of push constants → unnecessary descriptor set update overhead; use `vkCmdPushConstants` for data up to 128 bytes that changes per draw call.
25
+
26
+ ---
27
+
28
+ ## Architecture
29
+ - **[HIGH]** Vulkan objects (Instance, Device, Swapchain, RenderPass) created without a clear ownership and lifecycle policy → objects destroyed in wrong order or leaked; establish a deterministic teardown order that is the reverse of creation order.
30
+ - **[HIGH]** Validation layers treated as optional rather than mandatory for development → bugs caught only by production GPU crashes on customer hardware; treat validation layer warnings as build-breaking errors in CI.
31
+ - **[MEDIUM]** Swapchain recreation on window resize not implemented → resize causes `VK_ERROR_OUT_OF_DATE_KHR` return from `vkQueuePresentKHR`, which crashes the application; handle `VK_ERROR_OUT_OF_DATE_KHR` and `VK_SUBOPTIMAL_KHR` by recreating the swapchain.
32
+ - **[MEDIUM]** Raw Vulkan API calls not abstracted behind a renderer interface → every backend detail exposed to application code; wrap in a renderer class that exposes high-level operations (beginFrame, drawMesh, endFrame).
33
+ - **[LOW]** Queue family indices hardcoded as `0` instead of queried from `vkGetPhysicalDeviceQueueFamilyProperties()` → code breaks on GPUs where graphics and present queues are different families; always query and select queue families by capability.
34
+
35
+ ---
36
+
37
+ ## Code Quality
38
+ - **[CRITICAL]** Return values of Vulkan API calls not checked against `VK_SUCCESS` → failures produce invalid handles that cause crashes or corruption far from the error site; check every Vulkan return code and handle or propagate errors immediately.
39
+ - **[HIGH]** `srcAccessMask` / `dstAccessMask` or `srcStageMask` / `dstStageMask` in `VkImageMemoryBarrier` / `VkBufferMemoryBarrier` set incorrectly → memory hazards where GPU reads stale data or races with writes; consult the Vulkan synchronization table and set exact access and stage masks.
40
+ - **[HIGH]** `VK_NULL_HANDLE` not checked after object creation → using a null handle crashes the driver; verify every created handle is non-null before storing or using it.
41
+ - **[MEDIUM]** SPIR-V shader binaries not validated with `spirv-val` before inclusion in the build → invalid SPIR-V silently rejected by some drivers, crashes others; add `spirv-val` as a build step for all shader binaries.
42
+ - **[MEDIUM]** Frame-in-flight count not matched between swapchain image count and synchronization primitive arrays → out-of-bounds access into fence/semaphore arrays; derive all per-frame array sizes from the swapchain image count.
43
+ - **[LOW]** Viewport and scissor not set as dynamic state before draw calls when `VK_DYNAMIC_STATE_VIEWPORT` / `VK_DYNAMIC_STATE_SCISSOR` is used in the pipeline → validation error and undefined draw behavior; always call `vkCmdSetViewport` and `vkCmdSetScissor` before every draw that uses dynamic state.
44
+
45
+ ---
46
+
47
+ ## Common Bugs & Pitfalls
48
+ - **[CRITICAL]** Vulkan object used after the corresponding `vkDestroy*` or `vkFree*` call → use-after-free crash, often deferred until the next GPU submission; enforce strict RAII ownership so destruction is automatic and sequenced correctly.
49
+ - **[HIGH]** Image layout transition not performed before using an image in a render pass or shader → validation error and undefined sampling or attachment behavior; always transition image layout with a barrier to the correct `VkImageLayout` before first use.
50
+ - **[HIGH]** Framebuffer created referencing swapchain image views that are then recreated on resize without recreating the framebuffer → framebuffer holds stale image view handles → crash on next render; recreate framebuffers whenever the swapchain is recreated.
51
+ - **[MEDIUM]** Semaphore signaled by `vkQueueSubmit` but never waited on by a subsequent submit or present → Vulkan requires every signal operation to have a matching wait; track all semaphore signal/wait pairs to ensure they are balanced.
52
+ - **[MEDIUM]** Depth/stencil image layout not transitioned from `VK_IMAGE_LAYOUT_UNDEFINED` before first render pass use → contents undefined, depth test produces garbage results; include an initial layout transition in the render pass `VkAttachmentDescription.initialLayout` or a preceding barrier.
53
+ - **[LOW]** `vkDeviceWaitIdle()` called every frame to avoid synchronization complexity → serializes CPU and GPU completely, destroying all parallelism; use per-frame fences with `vkWaitForFences` for proper double/triple buffering.
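Review bot: the HIGH mapped-memory item's remediation ("use proper pipeline barriers or semaphores to ensure CPU-GPU ordering") names the wrong primitives: pipeline barriers and binary semaphores order work between GPU commands, not against the host. The host-side fix is to wait on the fence of the submission that last used the buffer (`vkWaitForFences`) before the CPU writes it, and to call `vkFlushMappedMemoryRanges` after writing when the memory is not host-coherent. The Code Quality frames-in-flight item also overstates its rule: per-frame fences and semaphores are sized by the chosen frames-in-flight count, which need not equal the swapchain image count; only per-image state should be sized from the swapchain, and the real bug is indexing one array with the other's index (frame index vs. acquired image index). Minor: this file has no blank line between each `## ...` heading and its list, while the Vue 3 file does; pick one layout for the stack files.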
@@ -0,0 +1,49 @@
1
+ # WebAssembly (WASM) — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `*.wasm`, `*.wat`, `WebAssembly`, `wasm-pack`, `wasm-bindgen`, `emscripten`, `#[wasm_bindgen]`, `wasm32-unknown-unknown`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[HIGH]** User-supplied WASM modules executed without sandboxing → sandbox escape via WASI filesystem or network capabilities. Validate modules with `WebAssembly.validate()` and restrict WASI capabilities to the minimum required set.
10
+ - **[HIGH]** WASM linear memory directly accessible from JavaScript → JS can read and write all WASM heap memory including sensitive data. Keep secrets in WASM-side memory only when necessary, zero them after use, and never expose the raw `memory` export to untrusted JS.
11
+ - **[HIGH]** WASM module loaded from untrusted CDN without a Subresource Integrity hash → module swapped for malicious payload. Add `integrity="sha384-..."` to all `<script>` tags and `fetch` calls that load WASM.
12
+ - **[HIGH]** Secrets hardcoded in WASM binary → extractable via `wasm-decompile` or `wasm2wat`. Store secrets server-side and pass them as runtime parameters; never embed them in the binary.
13
+ - **[MEDIUM]** Cross-origin WASM loading without CORP/COEP headers when using `SharedArrayBuffer` → `SharedArrayBuffer` unavailable or cross-origin data leaks. Set `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` on all pages using shared memory.
14
+ - **[MEDIUM]** WASM module not validated with `WebAssembly.validate()` before instantiation → malformed module causes unhandled exception. Always validate untrusted WASM bytes before calling `WebAssembly.instantiate()`.
15
+
16
+ ---
17
+
18
+ ## Performance
19
+ - **[HIGH]** Large WASM binaries served without gzip or brotli compression → slow initial load on every visit. Enable brotli compression at the CDN/server level; a 1 MB WASM binary typically compresses to ~250 KB.
20
+ - **[HIGH]** JS–WASM boundary crossed too frequently in tight loops → per-call overhead accumulates to measurable latency. Batch work on the WASM side and exchange results in bulk; prefer passing typed arrays over individual calls.
21
+ - **[HIGH]** WASM binary not compiled with optimization (`-O3` / `wasm-opt -O3`) → 2–5× larger and slower than optimized output. Always run `wasm-opt -O3` as a post-build step and set `-C opt-level=3` in Rust/Zig builds.
22
+ - **[HIGH]** Not using `SharedArrayBuffer` and Web Workers for parallel WASM execution → single-threaded throughput ceiling. Use `wasm-bindgen-rayon` or manual worker pools for data-parallel workloads.
23
+ - **[MEDIUM]** WASM memory not pre-allocated → frequent `memory.grow` operations stall execution. Use `--initial-memory` / `INITIAL_MEMORY` flags to pre-allocate expected working set at startup.
24
+ - **[MEDIUM]** WASM instantiation performed on the main thread → blocks UI during parsing and compilation. Instantiate asynchronously via `WebAssembly.instantiateStreaming()` in a Worker and `postMessage` the exports back.
25
+
26
+ ---
27
+
28
+ ## Architecture
29
+ - **[HIGH]** Many small WASM→JS calls instead of batching work on the WASM side → call overhead dominates execution time. Design APIs that transfer bulk data (typed arrays, shared memory regions) rather than scalar values per call.
30
+ - **[HIGH]** WASM used for operations where JavaScript already performs adequately → added complexity without throughput gain. Reserve WASM for CPU-bound algorithms, codecs, parsers, and cryptography; profile before migrating.
31
+ - **[MEDIUM]** WASM module not cached via Service Worker → full re-download on every cold load. Cache the `.wasm` file with a content-hashed URL and serve from cache on repeat visits.
32
+ - **[LOW]** WASM binary not code-split → entire module loaded even when only a subset is needed. Use dynamic `import()` or lazy `WebAssembly.instantiateStreaming()` to defer loading of optional functionality.
33
+
34
+ ---
35
+
36
+ ## Code Quality
37
+ - **[HIGH]** Manual `malloc`/`free` in C/Emscripten WASM not tracked → heap corruption or leaks invisible to browser dev tools. Use ASAN (`-fsanitize=address`) during development and run `valgrind`-equivalent checks in CI.
38
+ - **[MEDIUM]** `wasm-bindgen` types not properly annotated with `#[wasm_bindgen]` → JS type coercion produces unexpected `undefined` or wrong values. Annotate all public FFI types and verify with `wasm-pack test --headless`.
39
+ - **[MEDIUM]** Not using `wasm-pack test` for browser-side WASM tests → logic tested only in native mode, missing WASM-specific bugs. Run `wasm-pack test --headless --chrome` in CI to catch binding and memory issues.
40
+ - **[LOW]** WASM binary not stripped of debug symbols for production → binary 3–10× larger than necessary. Use `wasm-strip` or `wasm-opt --strip-debug` in the production build pipeline.
41
+
42
+ ---
43
+
44
+ ## Common Bugs & Pitfalls
45
+ - **[HIGH]** Stack overflow in WASM (default 1 MB stack) → cryptic `unreachable` trap with no useful stack trace. Increase the stack via `-z stack-size` for recursive algorithms or rewrite as iterative with an explicit stack.
46
+ - **[HIGH]** `i64` values passed between WASM and JavaScript → JS `Number` can only represent 53-bit integers exactly, silently truncating larger values. Use `BigInt` on the JS side and `wasm-bindgen`'s `#[wasm_bindgen]` `i64` support.
47
+ - **[MEDIUM]** Pointer passed to JS becomes invalid after `memory.grow` detaches the underlying `ArrayBuffer` → stale typed array views cause silent reads of zeroed memory. Re-create JS views of WASM memory after every `memory.grow` operation.
48
+ - **[MEDIUM]** WASM function table not large enough for indirect function pointer calls → trap at runtime during `call_indirect`. Set `--table-base` / initial table size to cover all function pointer targets.
49
+ - **[LOW]** `WebAssembly.instantiateStreaming()` `await`ed incorrectly → race conditions accessing exports before the module is ready. Always `await` the full `instantiateStreaming()` promise before accessing `instance.exports`.
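Review bot: the HIGH "User-supplied WASM modules executed without sandboxing" item presents `WebAssembly.validate()` as the control, but validation only checks that the bytes are a well-formed module; it says nothing about what the module can do. The capability boundary is the import object: a module has no filesystem or network access unless the host passes those functions (or WASI preopens) in, so the remediation should say to instantiate untrusted modules with a minimal import object and only the WASI preopens actually needed. With that change, the MEDIUM "not validated with `WebAssembly.validate()`" item becomes the only place validation needs to appear, removing the overlap between the two. In the HIGH linear-memory item, the WebAssembly sandbox is not a boundary against JavaScript running in the same page (any script in the realm can wrap `WebAssembly.instantiate` or read the instance's exports), so the zeroing advice stands but "never expose the raw `memory` export to untrusted JS" suggests a protection that does not exist and should be dropped.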
@@ -0,0 +1,48 @@
1
+ # Webpack — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `webpack.config.*`, `from 'webpack'`, `module.exports` with `entry`/`output`, `loader:`, `HtmlWebpackPlugin`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[CRITICAL]** `devtool: 'eval'` or `devtool: 'eval-source-map'` used in production build → full source code exposed via `eval()` strings in the bundle. Set `devtool: false` or `devtool: 'source-map'` for production; use `eval` only in development.
10
+ - **[CRITICAL]** `require()` called with user-controlled path input → path traversal allowing arbitrary file reads from the server filesystem. Never pass user input to `require()`; use a whitelist map for dynamic module loading.
11
+ - **[HIGH]** Secrets inlined via `DefinePlugin` with `process.env.SECRET` → secrets embedded as plaintext in the client bundle. Only inline non-sensitive build-time constants; load secrets at runtime from a server endpoint.
12
+ - **[HIGH]** `externals` loading libraries from a CDN without Subresource Integrity (SRI) hashes → CDN compromise injects malicious code. Add SRI `integrity` and `crossorigin` attributes to all CDN `<script>` tags.
13
+ - **[MEDIUM]** `devServer.proxy` forwarding requests without stripping or validating auth headers → credentials forwarded to unintended upstream services. Configure proxy to only forward necessary headers; validate target URLs.
14
+
15
+ ---
16
+
17
+ ## Performance
18
+ - **[HIGH]** `optimization.splitChunks` not configured → everything bundled into a single file, no cache reuse across deploys. Configure `splitChunks: { chunks: 'all' }` and define `cacheGroups` for vendor separation.
19
+ - **[HIGH]** `TerserPlugin` not used in production (`mode: 'production'` does this automatically, but custom configs may omit it) → unminified output, 3-5x larger bundle. Ensure `optimization.minimize: true` with `TerserPlugin` in all production configs.
20
+ - **[HIGH]** Tree-shaking disabled because packages not marked `sideEffects: false` in `package.json` → dead code included in bundle. Mark your app's `package.json` with `"sideEffects": false` and use ES module imports.
21
+ - **[HIGH]** Entire lodash imported (`import _ from 'lodash'`) instead of tree-shakeable `lodash-es` or per-method imports → ~70KB dead weight. Replace with `import { debounce } from 'lodash-es'` or `import debounce from 'lodash/debounce'`.
22
+ - **[MEDIUM]** `babel-loader` without `cacheDirectory: true` → Babel re-transpiles every file on every rebuild. Add `options: { cacheDirectory: true }` to `babel-loader` to persist transpile cache between builds.
23
+
24
+ ---
25
+
26
+ ## Architecture
27
+ - **[HIGH]** Single monolithic `webpack.config.js` mixing development and production configuration → dev-only settings risk leaking to production. Split into `webpack.common.js`, `webpack.dev.js`, `webpack.prod.js` and merge with `webpack-merge`.
28
+ - **[HIGH]** Circular dependencies between modules not detected → subtle initialization order bugs and failed tree-shaking. Add `circular-dependency-plugin` to the build and fix or document any true circular dependencies.
29
+ - **[HIGH]** Hardcoded absolute or relative paths instead of `path.resolve(__dirname, '...')` → config breaks when run from a different working directory. Use `path.resolve(__dirname, 'src')` for all path resolution in config.
30
+ - **[MEDIUM]** Loaders and plugins not organized with comments or grouping by concern → config becomes unreadable as it grows. Group by: asset loaders, style loaders, script loaders, optimization plugins, with section comments.
31
+ - **[LOW]** Webpack config not committed to version control or `.gitignore`d → team members use different build settings. Commit all config variants; use environment variables only for secrets.
32
+
33
+ ---
34
+
35
+ ## Code Quality
36
+ - **[MEDIUM]** Deprecated `require.ensure` used for code splitting instead of dynamic `import()` → `require.ensure` is legacy, not supported in ESM or modern bundlers. Replace with `import('path/to/module').then(...)` for dynamic splitting.
37
+ - **[MEDIUM]** Inline loader syntax (`require('style-loader!css-loader!./style.css')`) in source files → couples application code to build tooling. Configure all loaders exclusively in `module.rules`; never use inline loader strings in source.
38
+ - **[MEDIUM]** `module.rules` with overly broad `test` regex matching unintended file types → files processed by wrong loader silently. Make `test` patterns precise and add `include`/`exclude` to constrain loader scope.
39
+ - **[LOW]** Config lacks comments explaining non-obvious plugin options or loader combinations → next developer cannot understand intent. Add inline comments for any non-default configuration decision.
40
+
41
+ ---
42
+
43
+ ## Common Bugs & Pitfalls
44
+ - **[HIGH]** `output.publicPath` misconfigured or missing → asset URLs in the HTML resolve to wrong paths, causing 404s for JS/CSS/images. Set `output.publicPath` to the CDN base URL in production or `'/'` for root-relative serving.
45
+ - **[HIGH]** `HotModuleReplacementPlugin` included in the production build (common when config is not split) → HMR runtime added to production bundle, unnecessary code and overhead. Guard `HotModuleReplacementPlugin` with `if (isDev)` or remove from shared/production config.
46
+ - **[HIGH]** Loader order reversed in `module.rules` `use` array (webpack processes right-to-left) → CSS not processed correctly, e.g. `css-loader` running before `sass-loader`. Order loaders right-to-left: `['style-loader', 'css-loader', 'sass-loader']`.
47
+ - **[MEDIUM]** `resolve.extensions` missing file extensions commonly used in the project → imports without extensions fail or resolve to wrong file. List all used extensions: `resolve: { extensions: ['.ts', '.tsx', '.js', '.jsx', '.json'] }`.
48
+ - **[MEDIUM]** CSS ordering non-deterministic when `mini-css-extract-plugin` extracts styles from multiple async chunks → visual inconsistencies across deploys. Set `optimization.moduleIds: 'deterministic'` and review CSS import order for consistency.
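Review bot: the CRITICAL `devtool` item's remediation `devtool: 'source-map'` re-creates the problem it fixes if the emitted `.map` files are deployed next to the bundle: a full source map carries the original source text in `sourcesContent`, so anyone can fetch it. Suggest `'hidden-source-map'` (map emitted without the `//# sourceMappingURL` comment, for upload to an error tracker) or `'nosources-source-map'` for production, or state that `.map` files must stay off the public path. The CRITICAL `require()` item describes a Node-side path traversal; in a webpack client bundle `require(expr)` is resolved at build time into a context module that pulls every matching file into the bundle, so the rule should say which side (server code vs. bundled code) it applies to. The `externals` SRI item: `externals` does not load anything itself, the `<script>` tag in the HTML does, so the detection signal should be the CDN tag rather than the `externals` config.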
@@ -0,0 +1,51 @@
1
+ # Zig — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `*.zig`, `const std = @import("std")`, `pub fn main()`, `@allocator`, `comptime`, `zig build`, `build.zig`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[CRITICAL]** `@ptrCast` without bounds validation → memory safety violation that bypasses Zig's safety checks. Always validate pointer alignment and bounds before casting; prefer safe alternatives like `std.mem.bytesAsValue`.
10
+ - **[HIGH]** `undefined` values used without initialization before first read → undefined behavior in ReleaseFast; reads garbage data in Debug. Initialize all values explicitly or use `std.mem.zeroes()`.
11
+ - **[HIGH]** Allocator errors not handled → unhandled `error.OutOfMemory` causes a panic or silent data corruption. Always propagate or handle allocator errors with `try` or explicit `catch`.
12
+ - **[HIGH]** C interop via `@cImport` with unsafe C APIs without bounds checking → buffer overflows from C side invisible to Zig's safety. Wrap all C calls in a safe Zig layer that validates sizes and return values.
13
+ - **[MEDIUM]** Integer overflow not using `@addWithOverflow` or checked math → wraps silently in ReleaseFast, panics in Debug. Use `std.math.add` or `@addWithOverflow` for arithmetic on external data.
14
+ - **[MEDIUM]** Unsafe type punning via `@bitCast` on incompatible types → undefined behavior when alignment or size mismatches. Use `std.mem.bytesAsValue` with explicit alignment checks.
15
+
16
+ ---
17
+
18
+ ## Performance
19
+ - **[HIGH]** Allocator calls inside hot loops instead of fixed buffers or arena allocators → per-iteration syscall overhead and fragmentation. Use a stack buffer (`var buf: [N]u8 = undefined`) or `std.heap.ArenaAllocator` for loop-scoped allocations.
20
+ - **[HIGH]** Comptime-known computations not evaluated at `comptime` → runtime overhead for constants. Annotate with `comptime` to move computation to compile time.
21
+ - **[HIGH]** Heap allocation where stack allocation suffices → unnecessary allocator pressure and pointer indirection. Prefer local arrays and slices; reserve heap for runtime-sized or long-lived data.
22
+ - **[MEDIUM]** Not using `@Vector` for data-parallel operations on numeric arrays → leaving SIMD throughput unused. Use `@Vector(N, T)` and let the backend auto-vectorize.
23
+ - **[MEDIUM]** Untagged union field accessed for the wrong active tag → misinterpretation of bit patterns with no runtime check. Use tagged unions (`union(enum)`) and switch exhaustively on the tag.
24
+ - **[LOW]** Build mode not set to `ReleaseFast` or `ReleaseSafe` for production → unnecessary safety overhead or missed optimizations. Set `optimize` in `build.zig` explicitly and document the choice.
25
+
26
+ ---
27
+
28
+ ## Architecture
29
+ - **[HIGH]** Error handling not using Zig's error union (`!T`) pattern consistently → callers must guess whether a function can fail. Return `!T` for all fallible functions and propagate with `try`.
30
+ - **[HIGH]** `defer` not used for resource cleanup → resources leaked on early returns or errors. Add `defer resource.deinit()` immediately after successful acquisition.
31
+ - **[MEDIUM]** Custom allocators not used for subsystem memory isolation → one subsystem's leak affects global heap. Pass allocators explicitly and use arena or fixed-buffer allocators to scope lifetimes.
32
+ - **[MEDIUM]** `comptime` overused for logic that varies at runtime → code harder to follow and debug. Reserve `comptime` for type-level generics and compile-time constants; document non-obvious uses.
33
+ - **[LOW]** Not using Zig's build system (`build.zig`) for cross-platform builds → relying on shell scripts that break on Windows or non-standard targets. Express all build steps in `build.zig`.
34
+
35
+ ---
36
+
37
+ ## Code Quality
38
+ - **[HIGH]** `unreachable` in code paths that can actually be reached → illegal behavior in ReleaseFast, panic in Debug. Replace with an explicit `else` branch that returns an error or asserts loudly in tests.
39
+ - **[HIGH]** Ignoring error union by discarding with `_ = try expr` without handling → silent swallowing of errors. Explicitly handle or log the error; use `catch |err| std.log.err(...)` pattern.
40
+ - **[MEDIUM]** Slice bounds not checked before indexing → potential panic or out-of-bounds access. Assert `index < slice.len` or use `slice[index..]` range checks explicitly.
41
+ - **[MEDIUM]** Not using `std.testing` module for unit tests → missing coverage and no integration with `zig test`. Write tests in `test` blocks and run them with `zig build test`.
42
+ - **[LOW]** Not following Zig naming conventions → camelCase for functions/variables, PascalCase for types, SCREAMING_SNAKE for comptime constants. Inconsistency impedes readability; enforce via code review.
43
+
44
+ ---
45
+
46
+ ## Common Bugs & Pitfalls
47
+ - **[HIGH]** Pointer to stack-allocated memory returned from a function → dangling pointer after frame unwinds. Never return pointers to local variables; heap-allocate or pass a caller-owned buffer.
48
+ - **[HIGH]** Slice created from pointer with incorrect length → buffer over-read or under-read. Always derive length from the same source as the pointer; prefer passing slices (`[]T`) over raw pointers.
49
+ - **[MEDIUM]** Optional (`?T`) unwrapped with `.?` without prior null check → panic in safe modes, undefined in unsafe. Use `if (opt) |val|` or `orelse` to handle the null case explicitly.
50
+ - **[MEDIUM]** Integer type mismatch in arithmetic → unexpected truncation or sign extension. Use explicit casts (`@intCast`, `@truncate`) with documented intent rather than implicit coercion.
51
+ - **[LOW]** `@field(obj, comptime_str)` with a string not validated at comptime → compile error surfaced at the call site with a confusing message. Validate field names with `std.meta.fields` and provide a clear comptime error.
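Review bot: the [HIGH] "Ignoring error union" rule under Code Quality describes the wrong pattern: `_ = try expr` does not swallow anything, `try` propagates the error to the caller and the `_ =` only discards the success value. The silent-swallow pattern a reviewer should flag is `expr catch {}` (or `expr catch unreachable` outside tests), so the detection text should name that, and the suggested fix should read like `expr catch |err| { std.log.err("...: {}", .{err}); return err; }`. The [LOW] naming rule also states conventions Zig does not use: the Zig style guide is camelCase for functions, TitleCase for types and for functions that return a type, and snake_case for everything else, including variables, constants and comptime values, so "camelCase for variables" and "SCREAMING_SNAKE for comptime constants" would make the reviewer agent flag idiomatic code. Minor: the [MEDIUM] slice-bounds rule says "potential panic or out-of-bounds access"; as the `unreachable` rule above it already does, say which build mode gives which (safety panic in Debug/ReleaseSafe, unchecked access in ReleaseFast/ReleaseSmall).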
@@ -0,0 +1,56 @@
1
+ # Zustand — Stack-Specific Review Rules
2
+
3
+ > Applies to: GR · SR · PR · AR · BR
4
+ > Detection signals: `from 'zustand'`, `create()`, `useStore`, `persist` middleware, `immer` middleware, `zustand/middleware`
5
+
6
+ ---
7
+
8
+ ## Security
9
+ - **[CRITICAL]** Persisting sensitive data (tokens, passwords) to localStorage via `persist` middleware without encryption → credentials readable by any script on the page. Encrypt before persisting or store in httpOnly cookies.
10
+ - **[HIGH]** Store reference exported and accessed globally outside React context → no access control, any module can read or mutate state. Expose only hooks, not the raw store object.
11
+ - **[HIGH]** Derived actions not validating input before mutating state → malformed data enters store and propagates to all subscribers. Add input validation at action boundaries.
12
+ - **[MEDIUM]** `devtools` middleware enabled in production builds → full state history exposed via Redux DevTools browser extension. Gate behind `process.env.NODE_ENV !== 'production'`.
13
+ - **[MEDIUM]** Shared store state across SSR requests in server environments → one user's data leaks into another's response. Use request-scoped store instances on the server.
14
+ - **[LOW]** Store actions accepting raw event objects → unintentional data captured if `event.target.value` extraction is skipped. Extract primitives before passing to actions.
15
+
16
+ ---
17
+
18
+ ## Performance
19
+ - **[HIGH]** Subscribing to entire store with `const state = useStore()` instead of a selector → component re-renders on every store change regardless of relevance. Use `useStore(s => s.specificField)`.
20
+ - **[HIGH]** Inline selector functions `useStore(s => s.items.filter(...))` returning new reference every render → triggers re-render loop. Memoize with `useMemo` or use `useShallow` for shallow comparison.
21
+ - **[HIGH]** `useShallow` not used when selector returns an object or array → structural equality not checked, re-renders on every state change even when values are identical.
22
+ - **[MEDIUM]** Large arrays stored in Zustand without normalization (keyed map) → O(n) scans on every selector call. Normalize to `{ ids: [], entities: {} }` shape.
23
+ - **[MEDIUM]** Not using `subscribeWithSelector` middleware for external (non-React) subscriptions → manual subscription does not support granular field tracking.
24
+ - **[MEDIUM]** Single massive store with no slice separation → any action update triggers all selectors to re-evaluate. Split into domain slices combined at root.
25
+ - **[LOW]** Storing derived/computed values in state instead of computing in selectors → stale derived data when dependencies change. Keep store minimal, derive in selectors.
26
+
27
+ ---
28
+
29
+ ## Architecture
30
+ - **[HIGH]** Async logic (`fetch`, `axios`) inside actions without error handling or loading state → promise rejection silently ignored, UI stuck in loading. Handle `try/catch` and set error state explicitly.
31
+ - **[HIGH]** Mixing UI state (modal open, tab index) and server/async state in the same store → cache invalidation and loading logic collide. Use TanStack Query or SWR for server state.
32
+ - **[MEDIUM]** Monolithic store file with all state and actions in one object → hard to test and maintain. Apply the slices pattern: `create<StoreType>()((...a) => ({ ...authSlice(...a), ...cartSlice(...a) }))`.
33
+ - **[MEDIUM]** Store action directly importing and calling another store's `getState()` → tight coupling between stores. Compose at the component or service layer instead.
34
+ - **[MEDIUM]** Not using `immer` middleware for nested state updates → verbose and error-prone manual spread chains. Add `immer` middleware and mutate draft directly in actions.
35
+ - **[LOW]** Store file exporting multiple unrelated stores → implicit coupling and unclear ownership. One store per domain concern, one file per store.
36
+
37
+ ---
38
+
39
+ ## Code Quality
40
+ - **[HIGH]** Store typed as `any` or without an explicit interface → no TypeScript safety on state shape or action signatures. Define and apply a store interface: `create<StoreState & StoreActions>()`.
41
+ - **[HIGH]** Actions mutating state by directly modifying the object outside `set()` → bypasses Zustand's update mechanism, subscribers not notified. All mutations must go through `set()` or `immer` draft.
42
+ - **[MEDIUM]** Async actions reading store state via closure rather than `getState()` → stale closure captures old state snapshot. Use `get()` (second argument to store creator) inside async actions.
43
+ - **[MEDIUM]** Selectors not co-located with the store → business logic for data shape scattered across components. Export named selector functions from the store file.
44
+ - **[LOW]** `persist` configuration missing `name` field → defaults to generic key, collides across apps on the same domain. Always set an explicit, namespaced storage key.
45
+ - **[LOW]** Store file exporting the raw `useStore` hook without aliased named hooks → consumers must know internal structure. Export named hooks like `useCount`, `useUser`.
46
+
47
+ ---
48
+
49
+ ## Common Bugs & Pitfalls
50
+ - **[HIGH]** Selector returning a new object or array literal on every call `useStore(s => ({ a: s.a, b: s.b }))` → infinite re-render loop. Use `useShallow` or restructure to return primitives.
51
+ - **[HIGH]** `persist` with `partialize` not excluding non-serializable values (functions, class instances, Sets, Maps) → JSON serialization fails silently or corrupts stored state. Explicitly filter non-serializable fields in `partialize`.
52
+ - **[HIGH]** Async action not setting error state on failure → store stuck in `loading: true` with no way to recover. Always set `loading: false` and an `error` field in the catch block.
53
+ - **[MEDIUM]** `immer` producer both mutating the draft and returning a new value → undefined behavior, Zustand ignores one. Either mutate draft in place or return a new state object, never both.
54
+ - **[MEDIUM]** `devtools` middleware placement in middleware chain → `devtools` must be the outermost wrapper; placing it inside `persist` or `immer` breaks time-travel debugging.
55
+ - **[MEDIUM]** Hydration mismatch in SSR when `persist` rehydrates from localStorage after server render → causes React hydration errors. Use `onRehydrateStorage` callback and delay rendering until rehydrated.
56
+ - **[LOW]** Missing version field in `persist` config → schema changes cause corrupt old data to be loaded. Add `version` and a `migrate` function to handle upgrades.
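Review bot: the [CRITICAL] Security rule's first remedy, "encrypt before persisting", does not hold: any key the page can use to decrypt localStorage is reachable by the same injected script, so client-side encryption only changes which line an XSS payload has to run. The remedy should be to keep tokens out of the persisted slice altogether (exclude them via `partialize` or hold them in memory only) and lean on the httpOnly-cookie advice the rule already gives. The [HIGH] "store reference exported and accessed globally" rule needs rewording for the same reason: the hook returned by `create()` is the store and carries `getState`, `setState` and `subscribe`, so "expose only hooks, not the raw store object" provides no isolation; the realistic ask is that every mutation goes through a named action and that modules outside the domain do not import the hook to call `setState`. Under Code Quality, the [LOW] `persist` rule claims a missing `name` "defaults to generic key"; `name` is a required option of `persist` with no default, so the rule should flag non-namespaced or colliding `name` values instead. Finally, the second and third Performance rows and the first Common Bugs row all reduce to "use `useShallow` when the selector returns an object or array"; merging them keeps the reviewer from reporting one finding three times.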
@@ -42,6 +42,7 @@ Recommended reviews for this PR:
42
42
  [SR] Security Review — if auth/API/user data touched
43
43
  [PR] Performance Review — if DB/async/frontend affected
44
44
  [AR] Architecture Review — if new patterns/structure added
45
+ [BR] Business Review — for feature PRs, data migrations, or any high-risk change
45
46
  ```
46
47
 
47
48
  ### 2. Write PR Context File
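Review bot: the new `[BR]` row breaks the pattern of the three rows above it, which each give a concrete trigger ("if auth/API/user data touched", "if DB/async/frontend affected") that can be read off the diff; "or any high-risk change" is not something the agent consuming this help text can evaluate. Suggest the same form, for example `[BR] Business Review — if feature behaviour or data migrations touched`, so the recommendation is derivable like the others.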
@@ -29,7 +29,7 @@ This uses **step-file architecture** with sequential orchestration:
29
29
 
30
30
  Load config from `{main_config}` and resolve:
31
31
  - `project_name`, `target_repo`, `user_name`, `communication_language`
32
- - `review_output`, `github_repo`, `date` (system-generated)
32
+ - `review_output`, `platform_repo`, `date` (system-generated)
33
33
 
34
34
  ## EXECUTION
35
35
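Review bot: renaming the resolved key from `github_repo` to `platform_repo` is a breaking change for every existing `{main_config}` that still sets `github_repo`, and nothing in this hunk resolves the old key or warns about it; a config written against 1.1.2 would load with `platform_repo` unset and the steps that need the repo would fail later with no hint why. Either resolve `platform_repo` with a fallback to `github_repo` plus a deprecation warning, or call the rename out in this step's documentation and in the help text so users update their config.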