prr-kit 1.1.3 → 1.2.0

package/src/prr/data/stacks/react.md

@@ -0,0 +1,104 @@
+# React — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.jsx` / `*.tsx` files, `from 'react'`, `useState`, `useEffect`, JSX syntax, `react` in package.json deps, `createRoot`, `use client`, `use server`
+
+---
+
+## Security
+
+- **[CRITICAL]** `dangerouslySetInnerHTML` with user-controlled content → XSS. Use text content or DOMPurify if HTML rendering truly needed.
+- **[CRITICAL]** `eval()` or `new Function()` called with user input inside component → remote code execution.
+- **[CRITICAL]** Server Actions (`'use server'`) not validating/authenticating caller → any client can invoke with arbitrary data.
+- **[HIGH]** `href` set to user-provided URL without protocol validation → `javascript:` XSS. Validate with allowlist `['http','https']`.
+- **[HIGH]** Storing auth tokens in `localStorage` / `sessionStorage` → accessible to any script on page. Use httpOnly cookies.
+- **[HIGH]** Third-party script loaded via `dangerouslySetInnerHTML` script tag → XSS vector outside React's tree.
+- **[HIGH]** `window.location.href = userInput` without validation → open redirect / XSS.
+- **[HIGH]** React Server Components fetching data with credentials from user-controlled params → IDOR.
+- **[MEDIUM]** Sensitive data in component state logged via `console.log` in dev → often shipped to production.
+- **[MEDIUM]** Missing sanitization on user input before storing in state that feeds rendered content.
+- **[MEDIUM]** `dangerouslySetInnerHTML` used for markdown rendering without a safe library (use `remark`/`rehype` with proper plugins).
+- **[MEDIUM]** User-controlled CSS via `style` prop with `content` property → CSS injection.
+- **[LOW]** React DevTools exposing component state with sensitive fields in development builds shipped to staging.
+
+---
+
+## Performance
+
+- **[CRITICAL]** `useEffect` with no dependency array AND side effects that trigger state → infinite re-render loop.
+- **[HIGH]** `useEffect` with object/array literal in deps (`deps: [{}]`, `deps: [[]]`) → new reference every render → infinite loop.
+- **[HIGH]** Missing `React.memo` on expensive pure child components receiving stable props → re-renders on every parent render.
+- **[HIGH]** Context provider with large value object created inline (`value={{ a, b, c }}`) → new reference every render → all consumers re-render. Split context or memoize value.
+- **[HIGH]** Event listener / timer / subscription / WebSocket not cleaned up in `useEffect` return → memory leak.
+- **[HIGH]** Large lists rendered without virtualization (react-window, TanStack Virtual) → DOM overload at 200+ items.
+- **[HIGH]** `useMemo`/`useCallback` dependencies including unstable references → memoization always invalidated, overhead with no benefit.
+- **[HIGH]** Server Components importing heavy client libraries unnecessarily → increases server bundle.
+- **[HIGH]** Missing `Suspense` boundaries → whole tree waits for slowest data fetch; waterfall instead of parallel.
+- **[MEDIUM]** Missing `useMemo` for expensive calculations (sort, filter, transform on large arrays) run every render.
+- **[MEDIUM]** Missing `useCallback` for handlers passed as props to memoized children → `React.memo` ineffective.
+- **[MEDIUM]** `React.lazy` not used for heavy route components → single large initial bundle.
+- **[MEDIUM]** Context split not done — single context with frequently-changing + rarely-changing data → all consumers re-render on any change.
+- **[MEDIUM]** `useTransition` not used for expensive state updates → UI blocked during transition.
+- **[MEDIUM]** Images not using `loading="lazy"` / `next/image` equivalent → blocking initial render.
+- **[LOW]** `key` changed unnecessarily on stable list items → forced remount instead of update.
+- **[LOW]** `React.StrictMode` disabled in dev to hide bugs → keep it on, fix double-invoke issues instead.
+- **[LOW]** `startTransition` wrapping urgent updates → deprioritizes UI that should be immediate.
+
+---
+
+## Architecture
+
+- **[HIGH]** Data fetching directly in component body → side effects in render → bugs and double fetching in StrictMode.
+- **[HIGH]** Custom hooks not prefixed with `use` → ESLint rules-of-hooks cannot protect them.
+- **[HIGH]** Directly mutating state: `state.items.push(x)` → UI out of sync, React does not detect change.
+- **[HIGH]** Prop drilling >3 levels for shared state → lift to Context or state manager.
+- **[HIGH]** Business logic mixed into JSX event handlers inline → untestable, bloated render.
+- **[HIGH]** `'use client'` on root layout/page → entire subtree opts out of RSC; be precise about boundaries.
+- **[HIGH]** Server Component importing client-only libraries (browser APIs) → build error or runtime crash.
+- **[HIGH]** Mixing `useState` for server-fetched data with local UI state → use TanStack Query / SWR for server state.
+- **[MEDIUM]** Multiple `useState` for closely related state → prefer `useReducer` for complex state transitions.
+- **[MEDIUM]** Component doing too many things (fetch + transform + render) → split container/presentational.
+- **[MEDIUM]** `useEffect` used for state derived from other state → compute inline or `useMemo`.
+- **[MEDIUM]** Context used for high-frequency updates (mouse position, scroll) → kills performance; use Zustand/Jotai.
+- **[MEDIUM]** Colocation not followed — component, hook, and test in separate far-away directories → hard to maintain.
+- **[MEDIUM]** `forwardRef` not used when parent needs DOM ref access to child → workaround via prop is anti-pattern.
+- **[LOW]** Global mutable variables (module-scope `let`) shared across component instances → state not isolated per mount.
+- **[LOW]** HOC pattern used where custom hook would be cleaner (React 16.8+).
+
+---
+
+## Code Quality
+
+- **[HIGH]** Missing `key` prop in list renders → broken reconciliation, wrong element reuse.
+- **[HIGH]** Array index as `key` in lists that reorder/delete → state/animation bugs.
+- **[HIGH]** `async` function passed directly to `useEffect` (`useEffect(async () => {...})`) → returns Promise not cleanup function. Use inner IIFE.
+- **[HIGH]** Stale closure in `useEffect` — reading state/props captured at creation time. Use functional state updates or `useRef` for latest value.
+- **[HIGH]** Missing `eslint-plugin-react-hooks` → violations not caught.
+- **[MEDIUM]** PropTypes not defined (non-TS projects) → no runtime prop validation.
+- **[MEDIUM]** `useImperativeHandle` overused → exposing too many internals via refs breaks encapsulation.
+- **[MEDIUM]** Component returning `null` for loading state instead of `<Suspense>` → no concurrent rendering benefit.
+- **[MEDIUM]** Boolean prop without value: `<Comp flag />` for false intent → always explicit `flag={true}`.
+- **[MEDIUM]** Ternary with JSX getting too deep (3+ levels) → extract to named variable or component.
+- **[LOW]** `displayName` missing on `forwardRef`/HOC → poor DevTools debugging.
+- **[LOW]** Default export for components → harder to refactor/rename; prefer named exports.
+- **[LOW]** Fragment shorthand `<>` vs `<Fragment key={...}>` confusion when key needed.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[CRITICAL]** `useEffect` dependency array missing variables used inside → stale data silently, linter off → add `react-hooks/exhaustive-deps`.
+- **[HIGH]** `setState` called after component unmounts → memory leak warning (pre-React 18) / noop (React 18+) but indicates cleanup missing.
+- **[HIGH]** `useEffect` cleanup function not returning properly → double subscription on StrictMode double-invoke.
+- **[HIGH]** Reading stale ref value inside `useEffect` → ref value at capture time, not current.
+- **[HIGH]** `useLayoutEffect` on server → SSR warning; wrap with check or replace with `useEffect`.
+- **[HIGH]** `React.use(promise)` called conditionally → violates rules of hooks (React 19).
+- **[HIGH]** Optimistic update not rolled back on error → UI shows wrong state permanently.
+- **[MEDIUM]** Double-rendering in StrictMode (dev only) breaks non-idempotent effects → effects must be idempotent.
+- **[MEDIUM]** `useContext` in component that does not need full context → re-renders on any context change; split context.
+- **[MEDIUM]** `key` reset trick used for component reset → intentional but must be documented.
+- **[MEDIUM]** `startTransition` callback not synchronous → async inside startTransition does not work.
+- **[MEDIUM]** Server Action called inside `useEffect` → should use event handlers or form actions.
+- **[MEDIUM]** `useOptimistic` update not matching final server response shape → causes flash.
+- **[LOW]** Missing `displayName` on memoized components → `React.memo(Component)` shows as "memo" in DevTools.
+- **[LOW]** `children` prop type not using `React.ReactNode` in TypeScript → too narrow or too broad.

package/src/prr/data/stacks/redis.md

@@ -0,0 +1,76 @@
+# Redis — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `ioredis` / `redis` in deps · `createClient()` · `HSET` / `GET` / `SET` · `redis://` connection strings · `RedisTemplate` (Spring) · `EXPIRE` · `SCAN`
+
+---
+
+## Security
+
+- **[CRITICAL]** Redis bound to `0.0.0.0` without `requirepass` or firewall → anyone on network reads/writes/deletes all data and runs `CONFIG SET`.
+- **[CRITICAL]** `EVAL` with user-controlled Lua script content → arbitrary code execution on Redis server.
+- **[HIGH]** Sensitive data (session tokens, PII, payment info) stored without encryption → plaintext in memory, RDB snapshots, AOF logs.
+- **[HIGH]** Redis connection without TLS (`rediss://`) on non-loopback → data in transit unencrypted.
+- **[HIGH]** Default `nopass` ACL user in production → any client with network access has full access.
+- **[HIGH]** `CONFIG SET` / `DEBUG` commands not disabled → attacker can reconfigure Redis, write to disk.
+- **[MEDIUM]** Overly permissive ACLs → use Redis ACLs to restrict commands per application role.
+- **[MEDIUM]** Redis used as session store without secure session ID generation → session fixation.
+- **[LOW]** Redis admin port accessible from application servers that don't need admin access.
+
+---
+
+## Performance
+
+- **[CRITICAL]** `KEYS pattern` in production → O(n) over all keys, blocks single-threaded server. Use `SCAN` with cursor.
+- **[HIGH]** No TTL on cache/session keys → unbounded memory growth, hot data evicted by `maxmemory` policy.
+- **[HIGH]** Sequential commands where pipelining / `MULTI/EXEC` works → N round-trips instead of 1.
+- **[HIGH]** New connection per request → connection overhead. Use connection pool (`maxRetriesPerRequest`, `enableOfflineQueue`).
+- **[HIGH]** Storing large JSON blobs as string → entire object deserialized for partial read. Use `HSET` for field access.
+- **[MEDIUM]** `HGETALL` on very large hashes → loads entire hash. Use `HSCAN` or separate keys.
+- **[MEDIUM]** `LRANGE 0 -1` on large list → full list loaded into memory.
+- **[MEDIUM]** Not using Redis Cluster for large datasets → single node bottleneck.
+- **[MEDIUM]** `SUBSCRIBE` / `PSUBSCRIBE` on same connection handling requests → blocking subscriber connection.
+- **[LOW]** `DEL` on many keys in loop → use `UNLINK` (async) for large deletes.
+- **[LOW]** Not using `OBJECT ENCODING` to verify compact encoding used for small hashes/sets.
+
+---
+
+## Architecture
+
+- **[HIGH]** Redis as primary durable database without proper persistence config → data loss on crash. Use PostgreSQL for source of truth.
+- **[HIGH]** Check-then-set race condition without `WATCH` + `MULTI/EXEC` or Lua → lost update under concurrency.
+- **[HIGH]** Cache invalidation not implemented → stale data served indefinitely after DB update.
+- **[HIGH]** Pub/Sub used for guaranteed message delivery → Redis Pub/Sub is fire-and-forget. Use Redis Streams or a proper message queue.
+- **[MEDIUM]** No namespace/key prefix → collisions between services sharing Redis instance. Use `service:entity:id` pattern.
+- **[MEDIUM]** TTL not refreshed on cache hit (sliding expiration) when needed → cache expires despite active use.
+- **[MEDIUM]** Redis Cluster not configured for multi-key operations → `MGET`/`MSET` across slots fails.
+- **[MEDIUM]** Not using Redis Streams for event sourcing/audit log → losing ordered event history.
+- **[LOW]** Using `SORT` on large sets without LIMIT → expensive full sort.
+- **[LOW]** Not using `OBJECT FREQ` with `allkeys-lfu` eviction for smart caching.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Error handling missing on Redis commands → connection failure crashes entire request.
+- **[HIGH]** `SET key value` then `EXPIRE key n` → not atomic; crash between commands = no TTL. Use `SET key value EX n`.
+- **[MEDIUM]** `nil` return from `GET` treated as empty string → key doesn't exist vs empty string confusion.
+- **[MEDIUM]** Hardcoded key strings scattered across codebase → create key builder functions.
+- **[MEDIUM]** Not using `MULTI/EXEC` transaction for related operations → partial state on failure.
+- **[LOW]** `DEL` return value not checked → 0 means key didn't exist, may indicate logic error.
+- **[LOW]** Not using `DEBUG OBJECT` / `MEMORY USAGE` for memory profiling large keys.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `nil` from `GET` used without null check → NullPointerException / undefined behavior.
+- **[HIGH]** `INCR` on non-existent key → creates with 0 and increments to 1 (by design, but surprising).
+- **[HIGH]** `EXPIRE` with negative TTL → immediately deletes key. Validate TTL before calling.
+- **[HIGH]** Lua script error mid-execution → Lua is atomic but partial state changes before error persist.
+- **[MEDIUM]** `WATCH` not retried on `MULTI/EXEC` nil response → optimistic lock failed, operation silently skipped.
+- **[MEDIUM]** Connection lost mid-pipeline → partial commands sent, partial responses received → state corruption.
+- **[MEDIUM]** `EXPIRE` called on non-existent key → returns 0 (no error), silently fails.
+- **[MEDIUM]** Key type mismatch (`LPUSH` on string key) → `WRONGTYPE` error at runtime.
+- **[LOW]** `KEYS *` used in development → habits carry to production.
+- **[LOW]** Not monitoring `redis-cli --latency` → latency spikes from blocking operations undetected.

package/src/prr/data/stacks/redux.md

@@ -0,0 +1,107 @@
+# Redux Stack Rules
+
+## Detection Signals
+`redux` or `@reduxjs/toolkit` in deps · `createSlice` · `configureStore` · `useSelector` · `useDispatch` · `createAsyncThunk` · `createSelector` · RTK Query
+
+---
+
+## Security
+
+**[HIGH]** Sensitive data (auth tokens, PII, payment info) stored in Redux store → Redux DevTools extension serializes and exposes entire store to anyone with browser devtools. Store tokens in HttpOnly cookies or memory-only variables outside Redux.
+
+**[HIGH]** Redux Persist writing sensitive store slices to localStorage → plaintext in browser storage, readable by any XSS payload on the same origin. Exclude sensitive slices from persistence using a blacklist, or encrypt with redux-persist-transform-encrypt.
+
+**[MEDIUM]** Redux DevTools enabled in production build → exposes full action history and state snapshots to any user with browser devtools installed. Disable DevTools in production via the devTools flag in configureStore.
+
+**[MEDIUM]** Action payloads logged to console or external logger without sanitization → tokens or PII visible to log aggregators and third-party logging services. Sanitize sensitive fields before logging actions.
+
+**[LOW]** Third-party Redux middleware with unknown provenance included in store → middleware has full access to all actions and state, including sensitive data. Audit middleware source code and pin dependency versions.
+---
+
+## Performance
+
+**[CRITICAL]** Selector not memoized with `createSelector` (Reselect) → selector recomputes on every render whenever any part of store state changes, even unrelated slices. Memoize all derived or filtered data with createSelector.
+
+**[HIGH]** `useSelector` selecting entire slice: `useSelector(state => state.users)` → component re-renders on any change to any field in the slice, even fields it does not use. Select the minimal required value or field.
+
+**[HIGH]** `dispatch` called inside `useEffect` without correct dependency array → infinite dispatch loop or missing updates when dependencies are stale. Audit effect dependency arrays and add exhaustive-deps lint rule.
+
+**[HIGH]** Multiple sequential dispatches for related state changes → each dispatch triggers a full render cycle, so N dispatches cause N renders. Batch related updates with a single combined action or the RTK batch() helper.
+
+**[HIGH]** Not using RTK Query for server-side data fetching → manually reimplementing caching, deduplication, invalidation, and loading states in every feature. Adopt RTK Query for all API interactions.
+
+**[MEDIUM]** Storing derived or computed data in Redux (filtered lists, formatted values) → sync issues when source data changes and redundant state to keep consistent. Compute with memoized selectors instead of storing computed results.
+
+**[MEDIUM]** `createSelector` input selector returning a new object or array on every call → memoization cache always misses, selector recomputes on every render. Return primitive values or stable references from input selectors.
+
+**[MEDIUM]** `useSelector` called in parent component and result passed as prop to children → parent re-renders on any state change even if children do not use the changed data. Move `useSelector` calls into the child components that actually use the data.
+
+**[MEDIUM]** Not normalizing relational data with `createEntityAdapter` → duplicate data across list and detail views leads to inconsistent updates and O(n) lookups by id. Use EntityAdapter for all list-type state.
+
+**[LOW]** Overly normalized state requiring many selector joins to render a single view → excessive computation on every render in read-heavy components. Denormalize read-heavy slices using createEntityAdapter selectors or derived selectors.
+---
+
+## Architecture
+
+**[CRITICAL]** Direct state mutation in reducer outside RTK/Immer context → Redux requires immutability for change detection; mutations cause missed re-renders and stale UI. Use spread operators or RTK with Immer which handles immutability automatically.
+
+**[HIGH]** Non-serializable values in Redux state (functions, class instances, Map, Set, Promise, Date objects) → Redux DevTools breaks, persistence fails, and RTK middleware emits serialization warnings. Use plain serializable values only.
+
+**[HIGH]** All application state stored in Redux including form state, modal open/closed, and local UI toggles → unnecessary complexity and boilerplate for ephemeral state. Use local useState for UI-only state that no other component needs.
+
+**[HIGH]** Redux Thunk used for all async operations instead of RTK Query → verbose code with no built-in caching, deduplication, or invalidation; every feature reimplements the same patterns. Use RTK Query for server data and Thunk only for complex multi-step async logic.
+
+**[HIGH]** Selectors defined inline inside component functions instead of in slice files → not reusable across components, not memoizable with createSelector, not independently testable. Define all selectors in the slice file using createSelector.
+
+**[MEDIUM]** `createAsyncThunk` result not handled with `.unwrap()` in the calling component → errors from rejected thunks are silently swallowed at the call site. Use dispatch(thunk()).unwrap() and catch the promise to surface errors.
+
+**[MEDIUM]** Missing loading, error, and success state tracking for async operations → UI cannot show loading spinners or error messages, user has no feedback on async progress. Handle all three lifecycle states (pending, fulfilled, rejected) in extraReducers.
+
+**[MEDIUM]** Action type strings not namespaced (SET_USER instead of users/setUser) → collision risk in large applications with many slices. RTK slices auto-namespace actions; migrate hand-written action types to createSlice.
+
+**[MEDIUM]** Store shape not typed with RootState and AppDispatch exports → useSelector returns any type, typed dispatch not enforced, runtime type errors in reducers. Export RootState type from store and use TypedUseSelectorHook in a typed hooks file.
+
+**[LOW]** Large switch statement reducers not migrated to `createSlice` → verbose, error-prone string action types, and manual immutable update logic. Migrate to RTK createSlice for automatic action creators and Immer-powered reducers.
+---
+
+## Code Quality
+
+**[HIGH]** `extraReducers` missing pending and rejected cases for async thunks → no loading or error state tracked in the slice, UI cannot reflect async progress. Handle all three lifecycle states for every createAsyncThunk.
+
+**[HIGH]** Large switch statement reducer instead of `createSlice` → verbose action type strings, error-prone manual immutability, no automatic action creators. Migrate to RTK createSlice.
+
+**[HIGH]** Accessing `action.payload` without type guard in manually typed reducers → runtime error if payload shape differs from expectation. Use RTK createSlice with typed PayloadAction or add explicit type guards.
+
+**[MEDIUM]** Slice actions exported incorrectly or forgotten from the slice file → action creator not available in components, dispatch(undefined) silently fails or throws. Always export actions from slice.actions and verify imports.
+
+**[MEDIUM]** `combineReducers` not typed → implicit any on slice reducers, no autocomplete for state shape. Use TypedUseSelectorHook with explicit RootState type.
+
+**[MEDIUM]** Not using `createEntityAdapter` for list-type state → manual CRUD operations on arrays are verbose, error-prone, and hard to keep normalized. Use EntityAdapter for all collections with id-keyed access.
+
+**[MEDIUM]** RTK Query endpoint tags not defined on query endpoints → cache is never invalidated after mutations, stale data shown indefinitely after writes. Define providesTags on queries and invalidatesTags on mutations.
+
+**[MEDIUM]** RTK Query not using providesTags and invalidatesTags for cache management → manual refetch needed after every mutation; users see outdated data. Define tag relationships to enable automatic cache invalidation.
+
+**[LOW]** initialState with undefined values instead of explicit null → undefined vs null causes subtle comparison bugs in reducers and selectors. Use explicit null for absent optional values in initialState.
+
+**[LOW]** Store configured with middleware array spread accidentally removed → default middleware (thunk, DevTools, serializability check) silently removed when middleware array is not spread correctly. Always spread getDefaultMiddleware() when adding custom middleware.
+
+---
+
+## Common Bugs & Pitfalls
+
+**[HIGH]** Immer reducer mixes mutation and new object return: state.items.push(x); return {...state} → Immer error at runtime; you must either mutate the draft or return a new value, never both. Do one or the other, never mix in the same reducer case.
+
+**[HIGH]** Action creator called without dispatch: fetchUser(id) instead of dispatch(fetchUser(id)) → action object created but never dispatched, state never updates, no error thrown. Always call dispatch() around every action creator or thunk.
+
+**[HIGH]** `useSelector` called outside React component tree (in event handler or module scope) → stale closure value, not reactive to state changes, potential runtime error. Always call useSelector inside a React function component or custom hook.
+
+**[HIGH]** RTK Query hook called conditionally (inside if/switch before other hooks) → violates React hook rules, causes runtime error on conditional renders. All hook calls must be at the top level of the component unconditionally.
+
+**[MEDIUM]** `createSelector` not given stable input selectors → recomputes every render because input reference changes each call, memoization never hits. Ensure input selectors are stable functions defined outside the component.
+
+**[MEDIUM]** RTK Query optimistic update not rolled back on error → UI shows updated state even after server rejects the mutation, permanently out of sync. Implement onQueryStarted with patchResult.undo() in the catch block.
+
+**[MEDIUM]** `useDispatch` result incorrectly added to useEffect dependency array → useDispatch returns a stable reference; adding it to deps is harmless but misleading and can cause confusion. Remove dispatch from effect deps arrays.
+
+**[LOW]** Redux state shape deeply nested (more than 3 levels) → verbose spread operators required for immutable updates, easy to accidentally mutate. Flatten state shape or use createEntityAdapter to eliminate nesting.

package/src/prr/data/stacks/remix.md

@@ -0,0 +1,51 @@
+# Remix — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `remix.config.*`, `from '@remix-run/react'`, `from '@remix-run/node'`, `loader`, `action` exports, `app/routes/`
+
+---
+
+## Security
+- **[CRITICAL]** `loader` returning sensitive data without authentication check → any user can access protected resources. Add session validation at the top of every `loader` before touching data.
+- **[CRITICAL]** SQL injection via unvalidated `params` or `request.formData()` values passed directly to queries → database compromise. Validate and sanitize all input with Zod or similar before use in queries.
+- **[CRITICAL]** `dangerouslySetInnerHTML` with user-controlled content → XSS. Replace with safe text rendering; sanitize with DOMPurify if HTML is required.
+- **[HIGH]** Missing CSRF protection on `action` mutations → cross-site request forgery. Use `remix-utils` CSRF helpers or validate `Origin`/`Referer` headers in actions.
+- **[HIGH]** Session data trusted without server-side re-validation → privilege escalation if session is tampered. Re-fetch user role/permissions from DB in loader rather than trusting session fields.
+- **[HIGH]** Environment secrets accessed via `window.ENV` pattern without restricting which vars are exposed → secrets in client bundle. Only inject non-sensitive config to client; keep secrets server-only.
+
+---
+
+## Performance
+- **[HIGH]** `loader` returning large JSON payloads not needed by the UI → slow TTFB and large JS hydration cost. Select only fields consumed by the route component; use projection queries.
+- **[HIGH]** Missing HTTP caching headers (`Cache-Control`) in `loader` responses → every request hits the server. Return `headers` with appropriate `Cache-Control` from loaders for cacheable data.
+- **[HIGH]** N+1 queries in nested route loaders each hitting the DB independently → multiplicative query count. Use `Promise.all` for parallel queries or a DataLoader/batching layer.
+- **[MEDIUM]** Sequential `loader` + `useFetcher` calls creating client-side waterfall → delayed content display. Move secondary data into the route `loader` or use parallel `Promise.all` fetches.
+- **[MEDIUM]** Non-critical data not using `defer()` + `<Await>` → page blocked on slow data before render. Wrap slow, non-essential fetches in `defer()` and render with `<Suspense>`/`<Await>`.
+
+---
+
+## Architecture
+- **[HIGH]** Business logic (validation, DB calls, external API) written directly inside `loader`/`action` → untestable, bloated route files. Extract to a service/model layer and call from loaders/actions.
+- **[HIGH]** Client-side `fetch` calls for data that should come through `loader` → bypasses Remix data flow, breaks SSR. Move all initial data fetching into `loader`; use `useFetcher` only for non-navigating updates.
+- **[HIGH]** Missing `ErrorBoundary` export on routes → unhandled loader/action errors bubble to root with no context. Export an `ErrorBoundary` component from every route that fetches data.
+- **[MEDIUM]** Not using Remix nested routing for shared UI (nav, sidebar) → duplicated layout markup across routes. Leverage parent route layouts with `<Outlet>` to share chrome and loaders.
+- **[MEDIUM]** Overusing `clientLoader` when a server `loader` suffices → unnecessary client JS and loss of server caching. Reserve `clientLoader` for browser-only data (localStorage, IndexedDB).
+
+---
+
+## Code Quality
+- **[HIGH]** Missing `LoaderFunctionArgs`/`ActionFunctionArgs` types → untyped `request` and `params`, runtime surprises. Type every `loader` and `action` with the appropriate Remix args type.
+- **[HIGH]** `action` without input schema validation (e.g. Zod) → invalid data silently processed. Parse `formData` through a Zod schema and return field errors on failure.
+- **[MEDIUM]** `useFetcher` not used for non-navigating mutations (e.g. like button) → full navigation triggered on submit. Use `fetcher.Form` or `fetcher.submit` for in-place mutations.
+- **[MEDIUM]** Inline `fetch` inside React component for data available in `loader` → duplicate request, hydration mismatch. Use `useLoaderData()` to consume data already fetched server-side.
+- **[MEDIUM]** Not using `json()` helper for loader responses → missing default `Content-Type` and status code control. Wrap all loader return values with the `json()` helper from `@remix-run/node`.
+- **[LOW]** Route files exceeding 300 lines with mixed concerns → hard to review and maintain. Split into co-located component, loader, action, and service files.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `useLoaderData()` called outside its route module (e.g. in a child component) → returns `undefined` or wrong route's data. Pass data as props or use `useRouteLoaderData(routeId)` for ancestor data.
+- **[HIGH]** Cookies not set with `httpOnly` and `secure` flags → session cookies accessible via JS and sent over HTTP. Always create cookies with `{ httpOnly: true, secure: process.env.NODE_ENV === 'production' }`.
+- **[HIGH]** `defer` data error state not handled inside `<Await>` `errorElement` prop → unhandled promise rejection in UI. Always provide `errorElement` to every `<Await>` wrapping deferred data.
+- **[MEDIUM]** `action` returning a redirect without `303` status code → browser may cache the redirect or re-POST on back. Use `redirect(url, { status: 303 })` after successful mutations.
+- **[MEDIUM]** Using `<form>` (native HTML) instead of Remix `<Form>` → loses progressive enhancement, pending state, and revalidation. Use Remix `<Form>` for all route-level form submissions.

package/src/prr/data/stacks/rust.md

@@ -0,0 +1,88 @@
+# Rust — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.rs` files · `Cargo.toml` · `Cargo.lock` · `fn main()` · `use std::` · `impl` · `cargo` commands · `tokio` · `async fn`
+
+---
+
+## Security
+
+- **[CRITICAL]** `unsafe` block without safety comment explaining invariants → makes auditing impossible. Every `unsafe` MUST document WHY it's safe.
+- **[CRITICAL]** `unsafe` used to bypass borrow checker for mutable aliasing → undefined behavior, data races.
+- **[HIGH]** `unwrap()` / `expect()` on user-facing code paths or library public API → panic = DoS for caller. Return `Result<>`.
+- **[HIGH]** Deserializing untrusted input with `serde` without value validation → `#[derive(Deserialize)]` checks structure, not semantics (ranges, lengths).
+- **[HIGH]** `std::fs::read_to_string(user_path)` without path canonicalization → path traversal.
+- **[HIGH]** `Command::new("sh").arg("-c").arg(user_input)` → command injection. Use arg list, never shell string.
+- **[HIGH]** Integer cast `as usize` from signed type without range check → negative wraps to huge `usize` → out-of-bounds.
+- **[MEDIUM]** Sensitive data (secrets, tokens) stored in heap `String` → may not be zeroed on drop. Use `zeroize` crate.
+- **[MEDIUM]** `transmute` between types of different sizes → undefined behavior crash.
+- **[MEDIUM]** `std::process::exit()` used → bypasses `Drop`, skips cleanup and zeroize.
+- **[LOW]** Logging user-provided strings without sanitization → log injection.
+
+---
+
+## Performance
+
+- **[HIGH]** `.clone()` where borrow suffices → unnecessary heap allocation. Audit every `.clone()`.
+- **[HIGH]** `String::from()` / `.to_string()` / `.to_owned()` in hot path where `&str` would work → allocates.
+- **[HIGH]** Blocking I/O (`std::fs`, `std::net`, `std::thread::sleep`) inside `async fn` → stalls tokio runtime worker thread. Use `tokio::fs`, `tokio::net`, `tokio::time::sleep`.
+- **[HIGH]** `Arc<Mutex<T>>` with long-held lock across `.await` points → deadlock or starvation under async.
+- **[HIGH]** `.collect::<Vec<_>>()` before iterating once → unnecessary heap allocation. Chain iterators.
+- **[HIGH]** `Box<dyn Trait>` (dynamic dispatch) where generics / `impl Trait` work → vtable + heap overhead.
+- **[MEDIUM]** `Mutex<T>` where `RwLock<T>` fits (many readers, rare writes) → unnecessary read contention.
+- **[MEDIUM]** `HashMap` with default hasher in security-sensitive context → HashDoS. Use `ahash` for performance or `BTreeMap` for determinism.
+- **[MEDIUM]** `format!("{}", x)` in hot path → allocates. Use `write!` to pre-allocated buffer.
+- **[MEDIUM]** `Vec::push` in tight loop without `reserve()` → multiple reallocations.
+- **[MEDIUM]** Not using `#[inline]` on small hot functions called across crate boundaries.
+- **[LOW]** `String::new()` + repeated `push_str` → use `String::with_capacity()`.
+- **[LOW]** Not using `Cow<'a, str>` where sometimes owned, sometimes borrowed.
+
+---
+
+## Architecture
+
+- **[HIGH]** `.unwrap()` in library code → caller cannot handle error. Always return `Result<T, E>`.
+- **[HIGH]** `Arc<Mutex<T>>` shared widely across many tasks → lock contention + deadlock risk. Prefer message passing via `tokio::sync::mpsc`.
+- **[HIGH]** Mixing `async` and sync code without `spawn_blocking` for sync I/O → executor starvation.
+- **[HIGH]** Error type is `Box<dyn std::error::Error>` or `String` in library public API → poor ergonomics. Use `thiserror`.
+- **[HIGH]** `panic!` / `unwrap()` in `Drop` → if another panic is unwinding, double-panic aborts.
+- **[MEDIUM]** `async fn` in trait without boxing (pre-stable RPIT in traits) → compile error or `Box<dyn Future>` overhead.
+- **[MEDIUM]** `pub` fields on public struct → breaks encapsulation, prevents future refactoring. Use methods.
+- **[MEDIUM]** Global `static mut` → requires `unsafe` to access, data race in multithreaded code. Use `OnceLock`, `LazyLock`, or `Mutex`.
+- **[MEDIUM]** Not using workspace (`Cargo.toml` `[workspace]`) in multi-crate project → dependency version drift.
+- **[MEDIUM]** Shared mutable state via `RefCell` in multi-threaded context → panics at runtime on borrow violation.
+- **[LOW]** Not using feature flags to gate optional heavy dependencies.
+- **[LOW]** Not using `#[non_exhaustive]` on public enums/structs → breaking changes when adding variants.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `#[allow(dead_code)]` / `#[allow(unused_variables)]` without explanation → suppresses meaningful warnings.
+- **[HIGH]** `let _ = some_result` → silently ignores `Result` or `Option`. Use `if let`, `match`, or `?`.
+- **[HIGH]** `unwrap()` / `expect()` in tests without descriptive message → cryptic panic output on failure.
+- **[HIGH]** Not using `?` operator for error propagation → verbose `match` chains.
+- **[MEDIUM]** Missing `#[derive(Debug)]` on public types → `{:?}` doesn't work, poor debuggability.
+- **[MEDIUM]** Not using `clippy` in CI → many best-practice violations undetected.
+- **[MEDIUM]** `match` arm with `_` catch-all prevents exhaustiveness when new variants added.
+- **[MEDIUM]** `impl From<X> for Y` not implemented → `.into()` / `.from()` not usable, manual conversions everywhere.
+- **[MEDIUM]** `pub use` re-exports not organized → messy crate public API.
+- **[LOW]** Not using `rustfmt` → inconsistent formatting.
+- **[LOW]** Long `impl` blocks → consider splitting concerns into multiple traits.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `Rc<RefCell<T>>` in async code → `Rc` is not `Send`, compile error across `.await`. Use `Arc<Mutex<T>>`.
+- **[HIGH]** Integer overflow: debug builds panic, release builds silently wrap → use `checked_add`/`saturating_add` for user values.
+- **[HIGH]** Lifetime annotation outliving actual data → `'static` bound used when shorter lifetime is correct → dangling reference.
+- **[HIGH]** Futures not polled → `async fn` does nothing until `.await`ed. Spawning required for concurrent execution.
+- **[HIGH]** `tokio::spawn` task panics → panic not propagated to spawner, silently dropped unless `JoinHandle` checked.
+- **[MEDIUM]** `Vec::iter()` vs `Vec::into_iter()` confusion → `iter()` borrows, `into_iter()` consumes.
+- **[MEDIUM]** `HashMap` with `String` keys and `&str` lookup requires `.to_string()` → use `.get("key")` via `Borrow<str>`.
+- **[MEDIUM]** `&str` borrowed from temporary `String` doesn't live long enough → lifetime error.
+- **[MEDIUM]** Shared reference to `Mutex` dropped before lock used → deadlock on reacquire.
+- **[MEDIUM]** `async move` closure capturing `Arc` → clone before move or wrap in `Arc`.
+- **[LOW]** `match` on `String` requires `str::as_str()` → match `&*s` or `s.as_str()`.
+- **[LOW]** Not using `Cow<'_, str>` where conditionally cloning → always-clone is wasteful.

package/src/prr/data/stacks/sass.md

@@ -0,0 +1,51 @@
+# Sass/SCSS — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.scss`, `*.sass`, `from 'sass'`, `$variable`, `@mixin`, `@include`, `@extend`, `@use`, `@forward`
+
+---
+
+## Security
+- **[HIGH]** User-controlled values interpolated into `url()` via `#{}` in Sass → path traversal or injection in the compiled CSS `url()` function. Never interpolate unvalidated user input into `url()` calls; use only static or config-defined paths.
+- **[MEDIUM]** Server-rendered Sass variables populated from user input before compilation → CSS injection allowing layout manipulation or data exfiltration via CSS. Treat Sass compilation as server-side code; never pass user input into the Sass variable pipeline.
+- **[MEDIUM]** Sensitive asset paths exposed in Sass `@import` or `@use` error messages in development → internal directory structure revealed in browser console or build output. Suppress detailed Sass error output in production builds.
+- **[LOW]** `@import` of external Sass files from user-configurable URLs → arbitrary remote Sass executed during build. Restrict `@import`/`@use` to local paths only; validate any configurable paths.
+
+---
+
+## Performance
+- **[HIGH]** Nesting depth exceeding 4 levels → over-specific CSS selectors in output, large stylesheet, and slow browser style recalculation. Limit nesting to 3 levels maximum; use BEM or component-scoped class names to avoid deep nesting.
+- **[HIGH]** `@extend` used with widely-used class selectors (not placeholders) → all matched selectors grouped in the output CSS, causing unintended selector combinations and bloated output. Use `%placeholder` selectors with `@extend`, or prefer `@include` with mixins.
+- **[MEDIUM]** `@import` used instead of `@use`/`@forward` → `@import` causes all variables, mixins, and functions to be re-evaluated and duplicated in every file that imports them. Migrate to `@use`/`@forward` to deduplicate compiled output.
+- **[MEDIUM]** `background-image: url("#{$var}")` in frequently rendered components → prevents CSS-level optimization and HTTP/2 push hints. Use static `url()` values in Sass and inject dynamic values via CSS custom properties at runtime.
+- **[LOW]** `outputStyle: 'compressed'` not enabled in production Sass compilation → unminified CSS increases file size and parse time. Set `style: 'compressed'` in the Sass compiler options for production builds.
+- **[LOW]** Unused Sass variables and mixins not removed → dead code inflates the source, and some Sass configurations may include them in output. Audit and prune unused abstractions.
+
+---
+
+## Architecture
+- **[HIGH]** `@import` used in a modern Sass codebase instead of `@use`/`@forward` → global namespace pollution where all variables/mixins are available everywhere, `@import` is deprecated and will be removed. Replace all `@import` with `@use 'module'` and expose public APIs via `@forward`.
+- **[HIGH]** Design tokens (colors, spacing, typography) defined in multiple files without a single canonical source → values diverge across files causing visual inconsistency. Define all tokens in one `_tokens.scss` or `_variables.scss` partial and `@forward` it from an index.
+- **[MEDIUM]** Presentation mixins mixed with logic helpers (`@if`, `@each`, `@for`) in the same file → hard to locate specific abstractions. Separate utility/logic mixins from visual/component mixins into distinct partials.
+- **[MEDIUM]** Partial files not following the `_partial.scss` underscore naming convention → Sass compiler treats them as standalone entry points and compiles them to individual CSS files. Prefix all partials with `_` to signal they are not standalone entry points.
+- **[LOW]** No clear decision on when to use mixins vs `%placeholders` vs utility classes → inconsistent approach across the codebase. Document and enforce the team's chosen abstraction strategy.
+
+---
+
+## Code Quality
+- **[HIGH]** `!important` used inside mixins or component styles → creates an unresolvable specificity arms race as every override also requires `!important`. Remove `!important` from reusable code; use specificity or cascade order to resolve conflicts.
+- **[MEDIUM]** Magic numbers used inline instead of extracted to named variables → values like `24px`, `1.5`, `#3a86ff` appear without explanation and must be updated in multiple places. Extract all repeated or meaningful values to named Sass variables or CSS custom properties.
+- **[MEDIUM]** Vendor prefix mixins maintained manually instead of using Autoprefixer → manually added prefixes become outdated and no-ops, while newer prefixes are missed. Remove manual vendor prefixes and integrate Autoprefixer as a PostCSS step.
+- **[MEDIUM]** `@extend` used across different partial files → creates brittle coupling where changes to one file's placeholder affect compiled output in unrelated files. Restrict `@extend` to within the same partial; prefer `@include` for cross-file reuse.
+- **[LOW]** `@mixin` defined with required arguments not documented with comments → consumers must read implementation to understand usage. Add JSDoc-style comments above each mixin describing parameters, types, and usage.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `@use 'module'` statement not placed at the top of the file before any other rules → Sass throws a compile error. `@use` and `@forward` must be the first statements in a file, before any CSS rules, variables, or mixins.
+- **[HIGH]** Division using the `/` operator `$value / 2` → Sass treats this as ambiguous CSS division in newer versions and issues a deprecation warning or compiles incorrectly. Replace with `math.div($value, 2)` after `@use 'sass:math'`, or use `calc()` for runtime division.
+- **[MEDIUM]** Local variable inside a mixin or block shadowing a module-level variable of the same name → unexpected value used in nested context with no warning. Use the `!global` flag intentionally when writing to module scope, and prefix local variables distinctly.
+- **[MEDIUM]** `@mixin` with default argument of `null` used without checking before passing to a CSS property → `property: null` outputs `property: ` which is invalid CSS and may cause parse errors. Guard with `@if $param != null { property: $param; }`.
+- **[MEDIUM]** `@each` loop over a map generating utility classes not purged by CSS purge tools → tools like PurgeCSS cannot detect dynamically generated class names. Document generated class patterns or safelist them in the PurgeCSS configuration.
+- **[LOW]** Compiled CSS class order differing from expected source order when using `@extend` → `@extend` groups selectors at the location of the placeholder, not the `@extend` call. Understand that `@extend` changes class order in output; use `@include` when cascade order matters.
+- **[LOW]** `@use` namespace collision when two modules share the same filename → `@use 'utils/colors'` and `@use 'theme/colors'` both default to `colors.variable`. Use `@use 'path' as alias` to avoid namespace conflicts.

package/src/prr/data/stacks/scala.md

@@ -0,0 +1,50 @@
+# Scala — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.scala`, `import scala.`, `object `, `case class`, `trait `, `def `, `implicit`, `Future`, `sbt`, `build.sbt`
+
+---
+
+## Security
+- **[HIGH]** Deserialization with Java's `ObjectInputStream` on untrusted data → arbitrary code execution via gadget chains. Use a type-safe serialization library (Circe, uPickle, Protobuf) and never deserialize from untrusted sources with Java's native mechanism.
+- **[HIGH]** SQL injection via string interpolation in Slick/Doobie raw queries (`sql"SELECT ... $userInput"`) → database compromise. Use typed interpolators (`sql"... ${param}"` with Doobie's parameterized queries) which bind values safely.
+- **[HIGH]** `sys.process` constructed from user-controlled strings → command injection. Use the sequence form (`Seq("cmd", "--flag", userValue).!`) which bypasses shell interpretation.
+- **[MEDIUM]** `Future` failure cases not handled with `recover` or `recoverWith` → unhandled exceptions surface as `Future.failed` silently swallowed by callers. Attach `recover`/`onComplete` at every boundary; log and report failures explicitly.
+- **[MEDIUM]** Akka HTTP or Play exposing internal exception messages in HTTP responses → information disclosure of stack traces and class names. Catch all `Throwable` at route boundaries and return sanitized error DTOs.
+
+---
+
+## Performance
+- **[HIGH]** Blocking operations (`Await.result`, JDBC, blocking IO) inside a `Future` without a dedicated blocking execution context → thread starvation on the default `ExecutionContext`. Wrap blocking calls in `blocking { ... }` or dispatch to a fixed-thread-pool EC.
+- **[HIGH]** `List` used for large collections requiring random access → `List` access is O(n). Use `Vector` (effectively O(log n)) or `ArrayBuffer` for indexed access patterns.
+- **[HIGH]** Chaining `flatMap`/`map` on large in-memory collections → intermediate collection allocated at each step. Use `Iterator`, `LazyList`, or `fs2.Stream` to process elements lazily without intermediates.
+- **[MEDIUM]** Non-exhaustive pattern match inside a `match` expression → `MatchError` thrown at runtime for unhandled cases. Enable `-Wunreachable-code` and `-Wexhaustive` compiler flags; seal all ADT base traits.
+- **[MEDIUM]** Complex implicit resolution chains → compilation slowdowns of 10–100×. Prefer explicit type class summoning (`implicitly[TC[A]]`), use `given`/`using` in Scala 3, and minimize implicit scope pollution.
+- **[LOW]** Deep recursion without tail call optimization → stack overflow on large inputs. Annotate with `@tailrec` to get compile-time verification; convert non-tail recursion to trampolining with `cats.free.Trampoline`.
+
+---
+
+## Architecture
+- **[HIGH]** Mutable `var` state in business logic when immutable design is feasible → shared mutable state causes race conditions and reasoning difficulty. Model state transitions explicitly with immutable case classes and `State` monad or `Ref` from Cats Effect.
+- **[HIGH]** Exceptions used for control flow instead of `Either`/`Try`/`Option` → callers unaware a function can fail; exceptions cross `Future` boundaries unpredictably. Return `Either[Error, A]` or `IO[A]` for all fallible operations.
+- **[MEDIUM]** Cake pattern or deeply nested implicit hierarchies instead of explicit dependency injection → difficult to understand, test, and refactor. Use constructor injection with a DI framework (ZIO layers, Koin, or simple manual wiring).
+- **[MEDIUM]** `Future` chains without `.recover` or `.recoverWith` at service boundaries → errors propagate as unhandled `Future.failed` to the API layer. Add recovery at each service boundary to translate domain errors to typed responses.
+- **[LOW]** Not using Cats, Cats Effect, or ZIO for effect management in applications with concurrency → ad hoc `Future` usage becomes hard to reason about. Adopt a consistent effect system and its resource management (`Resource`, `ZIO.acquireRelease`).
+
+---
+
+## Code Quality
+- **[HIGH]** Non-exhaustive pattern match without a wildcard catch-all → `MatchError` in production for unhandled ADT variants. Seal all base traits/classes and enable the `-Wunreachable-code` compiler warning.
+- **[HIGH]** `Option.get` called without an `isDefined` guard → `NoSuchElementException` at runtime. Use `getOrElse`, `fold`, `for`-comprehension, or pattern match; never call `.get` directly.
+- **[MEDIUM]** Implicit conversions causing unexpected type coercions → code behaves differently than it reads. Limit implicit conversions to extension methods; avoid `implicit def` that transforms one type to another silently.
+- **[MEDIUM]** Recursive function not annotated with `@tailrec` when intended to be tail-recursive → JVM does not optimize, causing stack overflow. Add `@tailrec` to get a compile error if the recursion is not in tail position.
+- **[LOW]** `toString` not overridden on domain classes → log output shows unhelpful `MyClass@1a2b3c`. Override `toString` or use `case class` which auto-generates a meaningful representation.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `Future` created without an implicit `ExecutionContext` in scope → compile error, or the wrong global EC used inadvertently. Always import or pass an explicit `ExecutionContext`; use `ExecutionContext.parasitic` for pure transformations.
+- **[HIGH]** `==` used on Java-interop objects → Scala forwards `==` to `equals()` for non-primitives, but Java objects may not override `equals()`, falling back to reference equality. Check Java API docs and use `.equals()` or wrap in a Scala case class.
+- **[MEDIUM]** `for`-comprehension mixing monads of different types (e.g., `Option` and `Future`) → type mismatch compile error with a confusing message. Keep all generator types consistent; use `OptionT[Future, A]` from Cats to combine.
+- **[MEDIUM]** `null` returned from Java interop method used directly in Scala code → `NullPointerException`. Wrap all Java interop results with `Option(javaValue)` immediately at the boundary.
+- **[LOW]** `Unit` return type not explicitly annotated on a method that should return `Unit` → inferred as a more specific type if the last expression is non-unit, masking a logic error. Annotate all side-effecting methods with `: Unit` explicitly.

package/src/prr/data/stacks/scikit-learn.md

@@ -0,0 +1,53 @@
+# scikit-learn — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from sklearn`, `import sklearn`, `sklearn.`, `fit(`, `predict(`, `Pipeline(`, `GridSearchCV`
+
+---
+
+## Security
+- **[HIGH]** `joblib.load()` or `pickle.load()` used to load models from untrusted or user-supplied file paths → arbitrary Python code executed on deserialization. Only load model files from trusted, integrity-verified sources; consider ONNX export for untrusted distribution.
+- **[HIGH]** Production model trained on data containing user PII without anonymization or differential privacy → model can memorize and leak training data. Apply anonymization, aggregation, or differential privacy techniques before training on personal data.
+- **[MEDIUM]** Feature names or column names exposed in model metadata, error messages, or API responses → internal data structure leakage that aids inference attacks. Sanitize error messages and abstract feature names in API-facing layers.
+- **[MEDIUM]** Model prediction endpoint not authenticated or rate limited → API open to abuse, model extraction attacks, or denial-of-service via expensive inference. Apply authentication and rate limiting to all prediction endpoints.
+- **[LOW]** Model artifacts stored in version control with Git LFS not configured → large binary files bloat repository history. Store model artifacts in object storage (S3, GCS) and reference them by hash in version control.
+
+---
+
+## Performance
+- **[HIGH]** Estimators that support parallel execution (RandomForest, GridSearchCV, cross_val_score) called without `n_jobs=-1` → only one CPU core used for embarrassingly parallel work. Set `n_jobs=-1` to use all available cores.
+- **[HIGH]** `GridSearchCV` used with an exhaustive parameter grid over many combinations → combinatorial explosion in search time. Use `RandomizedSearchCV` with `n_iter` budget, or Bayesian optimisation with `optuna`.
+- **[HIGH]** `StandardScaler` or `OneHotEncoder` fitted on the full dataset before train/test split → data leakage: test set statistics influence the scaler, producing optimistically biased evaluation metrics. Split data first; fit transformers only on the training set.
+- **[MEDIUM]** Preprocessing steps applied manually outside a `Pipeline` → transforms applied inconsistently between training and inference. Wrap all preprocessing + estimator steps in `Pipeline` to ensure identical transforms at inference.
+- **[MEDIUM]** Entire dataset loaded into memory as a dense NumPy array → out-of-memory for large datasets. Use sparse matrices for high-cardinality categorical data; use `partial_fit` estimators for incremental learning.
+- **[LOW]** Expensive feature transformations recomputed on every cross-validation fold → slow CV. Use `joblib.Memory` caching with `Pipeline`'s `memory` parameter to cache intermediate transform outputs.
+
+---
+
+## Architecture
+- **[CRITICAL]** Preprocessing fitted on the full dataset (train + test) before the train/test split → data leakage causes inflated and unreliable evaluation metrics. Always split data before any fitting, without exception.
+- **[HIGH]** Model evaluated on training data only → accuracy appears near-perfect, masking severe overfitting. Always evaluate on a held-out test set and use cross-validation for hyperparameter selection.
+- **[HIGH]** Preprocessing steps applied outside a `Pipeline` during cross-validation → test fold data leaks into scaler fit during CV, producing misleadingly optimistic CV scores. Encapsulate all steps in `Pipeline` before passing to `cross_val_score` or `GridSearchCV`.
+- **[MEDIUM]** Model not persisted with `joblib.dump()` or `pickle` after training → model retrained from scratch on every application restart. Serialize the fitted pipeline and load it at serving time.
+- **[MEDIUM]** Single train/test split used instead of cross-validation for model selection → evaluation highly sensitive to the random split. Use k-fold cross-validation for more reliable model selection.
+- **[LOW]** Hyperparameters hardcoded in the script → reproducibility and experimentation require editing source files. Define hyperparameters in a config file (YAML, JSON) or pass them via CLI arguments.
+
+---
+
+## Code Quality
+- **[HIGH]** Model metrics computed only on the training set → misleading evaluation reported as model performance. Always report metrics on the test set; include precision, recall, and F1 alongside accuracy.
+- **[HIGH]** Class imbalance not addressed for classification tasks → model biased toward the majority class with high accuracy but poor minority-class recall. Apply `class_weight='balanced'`, oversampling (SMOTE), or undersampling as appropriate.
+- **[MEDIUM]** Feature importance or coefficients not inspected after training → model behaviour opaque and potential data leakage features go undetected. Log `feature_importances_` or `coef_` and review top features before deployment.
+- **[MEDIUM]** `set_output(transform='pandas')` not used when downstream code expects DataFrames → transform output is a NumPy array, losing column names. Call `set_output(transform='pandas')` on the pipeline for DataFrame-compatible output.
+- **[MEDIUM]** Evaluation metric not aligned with the business objective → optimising accuracy for a cost-sensitive problem ignores the cost of false negatives vs false positives. Choose metrics (ROC-AUC, average precision, custom cost function) that reflect real-world consequences.
+- **[LOW]** `random_state` not set on estimators and splitters → results not reproducible across runs. Set `random_state` to a fixed integer on all stochastic components.
+
+---
+
+## Common Bugs & Pitfalls
+- **[CRITICAL]** Scaler, encoder, or imputer fitted on the combined dataset before splitting → optimistic test metrics that overestimate production performance. This is the single most common ML mistake; always fit on train only and transform test separately.
+- **[HIGH]** `predict_proba()` output used as calibrated probabilities without calibration → raw scikit-learn probabilities are often poorly calibrated for SVMs and boosted trees. Apply `CalibratedClassifierCV` when probabilities are used for decision-making.
+- **[MEDIUM]** Categorical features passed to tree-based models as raw strings → most sklearn estimators do not accept string features. Apply `OrdinalEncoder` or `OneHotEncoder` before fitting; use `ColumnTransformer` inside a `Pipeline`.
+- **[MEDIUM]** `SimpleImputer` fitted on the full dataset before the train/test split → imputation statistics computed from the test set leak into the model. Include the imputer as the first step in a `Pipeline` fitted only on training data.
+- **[MEDIUM]** `LabelEncoder` used to encode feature columns → `LabelEncoder` is designed for target labels and raises an error on unseen categories at inference. Use `OrdinalEncoder` for ordinal features and `OneHotEncoder` for nominal features.
+- **[LOW]** `cross_val_score` used with a regression metric string for a classifier or vice versa → wrong scoring produces meaningless numbers without an error. Pass the correct `scoring` parameter explicitly and verify it matches the estimator type.