prr-kit 1.1.3 → 1.2.0

package/src/prr/data/stacks/svelte.md

@@ -0,0 +1,77 @@
+# Svelte / SvelteKit — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.svelte` files, `svelte.config.*`, `from 'svelte'`, `$store`, `+page.svelte`, `+layout.svelte`, `+server.ts`, `$app/`, `svelte:` tags
+
+---
+
+## Security
+
+- **[CRITICAL]** `{@html userContent}` with user-controlled data → XSS. Svelte escapes `{}` by default; `{@html}` bypasses this. Sanitize with DOMPurify first.
+- **[CRITICAL]** SvelteKit `load()` function returning sensitive data without auth check → serialized into HTML, sent to client.
+- **[HIGH]** `+server.ts` route missing authentication check → unprotected API endpoint.
+- **[HIGH]** `PUBLIC_` env prefix on secrets → exposed to browser. Non-public secrets use `$env/static/private` / `$env/dynamic/private`.
+- **[HIGH]** Form action mutation missing CSRF protection (SvelteKit handles this but `csrf.checkOrigin: false` config disables it).
+- **[HIGH]** `eval()` in Svelte component or action with user input → code injection.
+- **[HIGH]** User-controlled `<svelte:component this={...}>` → arbitrary component injection.
+- **[MEDIUM]** `event.locals` set in `hooks.server.ts` without proper auth validation → auth state not verified.
+- **[MEDIUM]** Sensitive data in `$page.data` (SvelteKit store) accessible in client-side devtools.
+- **[LOW]** XSS via `href={userUrl}` without protocol validation → `javascript:` injection.
+
+---
+
+## Performance
+
+- **[HIGH]** Svelte store subscriptions with manual `subscribe()` not unsubscribed in `onDestroy` → memory leak. Use `$store` auto-subscription.
+- **[HIGH]** `{#each}` on large arrays without `key` expression → O(n) DOM diffing. Use `{#each items as item (item.id)}`.
+- **[HIGH]** SvelteKit not using `+page.server.ts` for data fetching → client-side fetch waterfall.
+- **[HIGH]** Reactive declaration `$:` depending on entire object/array → recalculates on any nested change.
+- **[HIGH]** Heavy computation in `$:` reactive statement → runs synchronously on every dependency change.
+- **[MEDIUM]** Not using `svelte:fragment` → adding unnecessary wrapper DOM elements.
+- **[MEDIUM]** `{#if}` / `{/if}` on frequently toggling content → DOM destroy/recreate. Use CSS `visibility` for keep-alive.
+- **[MEDIUM]** Importing large libraries in `.svelte` file that could stay in `+page.server.ts`.
+- **[MEDIUM]** Svelte transitions/animations running on server → use `browser` guard from `$app/environment`.
+- **[LOW]** Missing `data-sveltekit-preload-data` on navigation links → no prefetching on hover.
+- **[LOW]** Unused CSS selectors not removed → Svelte warns, but increases style bundle.
+
+---
+
+## Architecture
+
+- **[HIGH]** Business logic in `.svelte` file → extract to `+page.ts` load function or service module.
+- **[HIGH]** Writable store mutated from multiple components without centralized actions → unpredictable state.
+- **[HIGH]** Calling `goto()` from non-browser context (SSR) → throws. Guard with `if (browser)`.
+- **[MEDIUM]** `setContext`/`getContext` across distant components instead of store → harder to track data flow.
+- **[MEDIUM]** Not using SvelteKit form actions for mutations → manual `fetch` + reloading.
+- **[MEDIUM]** `event.depends('key')` not used in load functions that need manual invalidation.
+- **[MEDIUM]** Stores defined at module level shared between SSR requests → user data leakage between requests.
+- **[LOW]** `on:click` instead of `<button>` for interactive elements → accessibility issue.
+- **[LOW]** Component dispatching events with non-prefixed names → conflicts with native DOM events.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `{#await promise}` without `:catch` block → rejected promise silently swallowed.
+- **[HIGH]** `bind:this={el}` without null-check before use → undefined on SSR.
+- **[MEDIUM]** `$:` reactive block with side effects (API calls) → runs on every dependency change, not just when needed.
+- **[MEDIUM]** Two-way `bind:value` on derived/computed value → binding non-reactive source.
+- **[MEDIUM]** Not using Svelte's `<svelte:head>` for page-specific meta tags → SEO issues.
+- **[MEDIUM]** Missing TypeScript types on component props via `export let prop: Type` → any type assumed.
+- **[MEDIUM]** `on:` event handlers not using TypeScript event types (`CustomEvent<T>`).
+- **[LOW]** Using `writable` when `readable` or `derived` is semantically correct.
+- **[LOW]** Not using `$effect` (Svelte 5 runes) when migrating from Svelte 4 → mixing APIs.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Reactive `$:` not triggering because object reference unchanged (mutating array in place) → use spread/immutable update `items = [...items, newItem]`.
+- **[HIGH]** `onMount` / `onDestroy` called in SSR context → must guard with `browser` check.
+- **[HIGH]** SvelteKit load function returning non-serializable objects (class instances, functions) → hydration error.
+- **[HIGH]** `invalidate()` not called after form action mutation → stale `$page.data`.
+- **[MEDIUM]** Svelte store `$value` used in `<script>` (not template) → must use `get(store)` or manual subscribe.
+- **[MEDIUM]** Transition running on initial render when not desired → use `in:fade|local`.
+- **[MEDIUM]** `svelte:component this={null}` → renders nothing but may error in strict mode.
+- **[MEDIUM]** Props passed to child with `$$props` / `$$restProps` leaking internal props to DOM elements.
+- **[LOW]** `class:active={true}` always → static class, just use `class="active"`.

package/src/prr/data/stacks/sveltekit.md

@@ -0,0 +1,54 @@
+# SvelteKit — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.svelte`, `svelte.config.*`, `+page.svelte`, `+layout.svelte`, `+server.ts`, `from 'svelte'`, `$lib/`
+
+---
+
+## Security
+- **[CRITICAL]** `{@html}` used with user-controlled input → XSS allowing arbitrary script execution. Sanitize with DOMPurify or avoid `{@html}` entirely.
+- **[CRITICAL]** Missing auth check in `+server.ts` endpoints → unauthenticated API access. Validate session/token at the top of every handler before processing.
+- **[HIGH]** CSRF protection absent on form actions → state-changing requests forgeable. Use SvelteKit's built-in CSRF protection or add `csrf` check in hooks.
+- **[HIGH]** `load()` function returning sensitive fields (passwords, tokens, internal IDs) → data leaked to client serialization. Strip sensitive fields before returning from server `load()`.
+- **[HIGH]** Insecure direct object reference via route params (`/items/[id]`) without ownership check → users access other users' data. Verify `params.id` belongs to the authenticated user.
+- **[MEDIUM]** Secrets placed in `$env/static/public` instead of `$env/static/private` → exposed in client bundle. Move all secrets to `$env/static/private` and access only in server files.
+
+---
+
+## Performance
+- **[HIGH]** Data fetching in `+page.svelte` `onMount` instead of `+page.server.ts` `load()` → client-side waterfall after hydration. Move all initial data fetching to server-side `load()` functions.
+- **[HIGH]** Repeated DB queries across nested layout `load()` functions without caching → redundant round trips. Use `event.locals` or a request-scoped cache to share data between layouts.
+- **[HIGH]** Heavy libraries (e.g. chart.js, moment) imported client-side without dynamic import → large initial bundle. Use `import()` lazily or move processing to server-side `load()`.
+- **[MEDIUM]** Large images not using `<enhanced:img>` → unoptimized images shipped without resize/format conversion. Replace `<img>` with `<enhanced:img>` for automatic WebP conversion and srcset.
+- **[MEDIUM]** Slow non-critical data not using `defer` in `load()` → page blocked until all data resolves. Use `return { streamed: { data: fetchSlow() } }` with `{#await}` blocks.
+- **[LOW]** Missing `<link rel="preload">` hints for critical fonts/scripts → render-blocking discovery delay. Add preload hints in `<svelte:head>` for known critical resources.
+
+---
+
+## Architecture
+- **[CRITICAL]** Module-level Svelte stores used for request-scoped state → state leaks between SSR requests across users. Use `setContext`/`getContext` or per-request locals instead of module singletons.
+- **[HIGH]** Business logic (DB calls, validation) inside `+page.svelte` `<script>` → untestable, mixed concerns. Move to server `load()` functions or dedicated service modules in `$lib/server/`.
+- **[HIGH]** Client/server env variables not segregated (`$env/static/public` vs `$env/static/private`) → accidental secret exposure. Enforce that `$env/static/private` is only imported from `.server.ts` files.
+- **[HIGH]** Direct `fetch` mutations from component instead of form actions → loses progressive enhancement and CSRF protection. Use `+page.server.ts` form `actions` for all state mutations.
+- **[MEDIUM]** Deep prop drilling through layout hierarchy instead of Svelte stores or `setContext` → brittle coupling. Use `setContext`/`getContext` for layout-to-component data or a scoped store.
+- **[MEDIUM]** Route-specific logic placed in `+layout.server.ts` affecting unrelated child routes → unintended coupling. Scope data loading to the lowest applicable `+page.server.ts` or `+layout.server.ts`.
+
+---
+
+## Code Quality
+- **[HIGH]** Not importing `PageData`/`ActionData` types from `./$types` → loss of end-to-end type safety on `load()` return values. Use `export let data: PageData` and `export let form: ActionData` with generated types.
+- **[MEDIUM]** Form data parsed manually without schema validation (e.g. Zod, superforms) → runtime type errors and missing validation errors. Use `sveltekit-superforms` with Zod for typed, validated form handling.
+- **[MEDIUM]** Hardcoded absolute URLs instead of `base` from `$app/paths` → breaks when deployed to a sub-path. Use `import { base } from '$app/paths'` and prefix all internal links.
+- **[MEDIUM]** Missing `+error.svelte` at route or layout level → SvelteKit's default error page shown to users. Add `+error.svelte` with user-friendly messaging at each route group boundary.
+- **[MEDIUM]** `event.fetch` not used inside `load()` for internal API calls → misses cookie forwarding and SSR deduplication. Replace `fetch` with `event.fetch` inside all `load()` and server handlers.
+- **[LOW]** No TypeScript strict mode in `tsconfig.json` → type errors silently ignored. Enable `"strict": true` in tsconfig and resolve all resulting errors.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `onMount` code accessing browser APIs runs during SSR → hydration mismatch and server errors. Guard with `if (browser)` from `$app/environment` or move to `onMount` which already skips SSR.
+- **[HIGH]** Reactive statement `$: result = compute(value)` with side effects (fetch, DOM mutation) → infinite reactive loops. Move side-effectful reactive code into `$: { }` blocks or Svelte lifecycle hooks.
+- **[HIGH]** Svelte store subscription via `$store` syntax in a component never unsubscribed when created manually → memory leak. Use the `$` auto-subscribe syntax or manually call `unsubscribe()` in `onDestroy`.
+- **[HIGH]** `load()` returning class instances, `Date` objects, or functions → serialization failure when passing from server to client. Return only plain JSON-serializable objects; convert `Date` to ISO strings.
+- **[MEDIUM]** `goto()` called inside server-side code (`+server.ts`, `load()`) → no-op or runtime error. Use `redirect(303, url)` from `@sveltejs/kit` for server-side redirects.
+- **[MEDIUM]** `invalidate()` or `invalidateAll()` called without understanding which `load()` functions re-run → over-fetching or stale data. Understand dependency tracking via `event.depends()` before using invalidation.

package/src/prr/data/stacks/swift.md

@@ -0,0 +1,61 @@
+# Swift Stack Rules
+
+## Detection Signals
+`*.swift` files · `import UIKit` · `import SwiftUI` · `import Foundation` · `Package.swift` · `*.xcodeproj` · `Podfile` · `*.xcworkspace`
+
+---
+
+## Security
+
+**[CRITICAL]** Sensitive data (passwords, tokens, keys) stored in UserDefaults → not encrypted, included in device backups, and readable on jailbroken devices. Use Keychain via Security framework or KeychainAccess library for all sensitive values.
+
+**[CRITICAL]** Certificate validation disabled via custom URLSession delegate returning .useCredential for all challenges → MITM attack intercepts all network traffic in cleartext. Never bypass certificate validation; implement pinning correctly using SecTrustEvaluateWithError.
+
+**[HIGH]** WKWebView loading user-controlled URLs without scheme/host validation → open redirect, XSS from malicious web content reaching native bridges. Validate and allowlist URL schemes and hosts before loading.
+
+**[HIGH]** WebView with JavaScript enabled loading untrusted content → XSS in web content can access native message handlers and call Swift code. Disable JavaScript for untrusted content or use WKContentWorld isolation for message handlers.
+
+**[HIGH]** Hardcoded API keys, secrets, or connection strings in Swift source files → extractable from compiled binary using strings tool or Hopper. Use environment-specific xcconfig files, obfuscation, or a backend proxy for secrets.
+
+**[HIGH]** SQL injection via raw SQLite query constructed with string interpolation of user input → arbitrary SQL executed against local database. Use parameterized queries with sqlite3_bind_* functions instead of string interpolation.
+
+**[HIGH]** Sensitive content written to UIPasteboard.general without expiry date → pasteboard data persists across apps and is accessible to any app the user switches to. Set expirationDate on sensitive pasteboard items or clear after use.
+
+**[HIGH]** No jailbreak detection for high-security operations in banking or health apps → jailbroken device can bypass Keychain security, intercept traffic, and inspect memory. Implement jailbreak detection checks for sensitive operations in high-security contexts.
+
+**[MEDIUM]** Sensitive screens not protected from screenshots in app switcher → app switcher captures a snapshot of the last screen, potentially exposing sensitive data. Add a privacy overlay in applicationWillResignActive and remove it in applicationDidBecomeActive.
+
+**[MEDIUM]** Log statements containing sensitive data (tokens, PII, passwords) → visible in Xcode console during development and in device system logs. Use compile-time or runtime flags to strip sensitive log statements from release builds.
+
+**[MEDIUM]** try! on network or cryptographic operations → any failure crashes the app with a fatal error rather than being handled gracefully. Use do/catch for all throwing operations and handle errors explicitly.
+
+**[LOW]** Hardcoded bundle IDs or environment URLs in source code → changing environments requires source changes and recompilation. Use xcconfig files with per-scheme settings for bundle ID, URLs, and other environment-specific values.
+---
+
+## Performance
+
+**[CRITICAL]** Retain cycle in closure where self is captured strongly without [weak self] or [unowned self] → ARC never releases the object, memory leaks accumulate over the session lifetime. Always capture self weakly in escaping closures stored as properties.
+
+**[HIGH]** @Published property updated from a background thread → SwiftUI requires all UI updates on the main thread; background updates cause runtime warnings and undefined rendering behavior. Wrap background updates with DispatchQueue.main.async or mark the class @MainActor.
+
+**[HIGH]** Synchronous URLSession call on main thread using dataTask with semaphore wait → UI freezes for the duration of the network call, watchdog kills the app after a few seconds. Always use async/await or completion handlers on a background queue.
+
+**[HIGH]** Full-resolution image decoded in memory for thumbnail display → a 12MP JPEG decoded at full resolution uses hundreds of MB of memory, causing OOM and app termination. Use ImageIO with kCGImageSourceThumbnailMaxPixelSize to downsample at decode time.
+
+**[HIGH]** Core Data fetch request executed on the main thread with large datasets → UI freezes during the fetch; large datasets can cause ANR and app termination. Perform fetches using performAndWait on a background managed object context.
+
+**[HIGH]** Not using Swift Concurrency (async/await) for concurrent tasks → GCD DispatchQueue nesting creates callback pyramids, no structured cancellation, hard to reason about. Migrate to async/await with Task and TaskGroup for structured concurrency.
+
+**[MEDIUM]** DispatchQueue.main.sync called from the main thread → deadlock; the main thread blocks waiting for itself to complete the sync block. Always use DispatchQueue.main.async when dispatching to main from the main thread.
+
+**[MEDIUM]** Large Codable model decoded synchronously on the main thread → JSON decoding of large payloads freezes the UI noticeably. Decode on a background Task or DispatchQueue.global and update state on main.
+
+**[MEDIUM]** SwiftUI View body performing expensive computation (sorting, filtering large arrays) on every render → runs on every state change even for unrelated properties, causing jank. Cache results in @State or compute in ViewModel with @Published.
+
+**[MEDIUM]** Not using LazyVStack or LazyHStack for long lists in SwiftUI → all rows computed and laid out upfront even if off-screen, wasting memory and CPU. Use LazyVStack inside ScrollView or List for large collections.
+
+**[MEDIUM]** Heavy objects allocated inside SwiftUI View body initializer → recreated on every render cycle because View structs are value types. Move expensive objects to @StateObject or @EnvironmentObject so they survive re-renders.
+
+**[LOW]** Array used for membership testing in hot paths → contains() on Array is O(n); with large arrays called frequently this causes measurable performance degradation. Use Set for O(1) membership testing.
+
+**[LOW]** NotificationCenter callback performing UI work without main thread dispatch → notifications are delivered on the posting thread which may be a background thread, causing crashes or undefined UI behavior. Always dispatch UI work to DispatchQueue.main inside notification handlers.

package/src/prr/data/stacks/tailwindcss.md

@@ -0,0 +1,10 @@
+# Tailwind CSS — Stack-Specific Review Rules
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `tailwind.config.*`, `@tailwind` directives in CSS, `@apply`, utility class patterns (`flex`, `grid`, `text-`, `bg-`, `p-`, `m-`), `tw` template tag
+
+## Security
+
+- **[HIGH]** `url()` in arbitrary value with user-controlled content: `bg-[url(${userUrl})]` → CSS injection loading external resources. Never interpolate user data into Tailwind classes or CSS `url()`.
+- **[MEDIUM]** Missing Content-Security-Policy `style-src` → injected inline styles from XSS not blocked. CSP must cover `style-src 'self'` or nonce-based.
+- **[MEDIUM]** Dynamic class construction with user-provided values → classes not in safelist not generated, silent styling failure. Sanitize and allowlist user-provided class values.
+- **[LOW]** Tailwind's `theme()` function in CSS exposing design tokens via CSS custom properties → design system values readable by JS. Document intentionally or restrict.

package/src/prr/data/stacks/tanstack-query.md

@@ -0,0 +1,48 @@
+# TanStack Query (React Query) — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from '@tanstack/react-query'`, `from 'react-query'`, `useQuery`, `useMutation`, `QueryClient`, `QueryClientProvider`
+
+---
+
+## Security
+- **[CRITICAL]** Single `QueryClient` instance shared across SSR requests (module-level singleton) → cached data from user A served to user B. Create a new `QueryClient` per server request; only share client-side.
+- **[HIGH]** Query cache not cleared on user logout → stale authenticated data (PII, private content) accessible to the next user of the same browser session. Call `queryClient.clear()` on logout before redirecting.
+- **[HIGH]** `queryFn` making requests without attaching auth headers or cookies → unauthenticated API calls returning empty or error responses. Centralize auth header attachment in a shared fetch wrapper passed to all `queryFn`s.
+- **[MEDIUM]** Sensitive PII cached with `gcTime: Infinity` or very long `staleTime` → private data persists in memory longer than the session. Set conservative `gcTime` and `staleTime` for queries containing PII; clear on logout.
+
+---
+
+## Performance
+- **[HIGH]** `staleTime` not set (defaults to `0`) → data refetched on every component mount and every window focus event. Set `staleTime` based on data volatility: `staleTime: 60_000` for semi-static data.
+- **[HIGH]** `refetchInterval` set aggressively (< 5s) for non-real-time data → unnecessary server load and bandwidth consumption. Use WebSockets or SSE for real-time data; set `refetchInterval` to the minimum meaningful update frequency.
+- **[HIGH]** Parallel independent queries not using `useQueries` → multiple `useQuery` hooks cause sequential waterfall in some renderers. Combine parallel queries with `useQueries([{ queryKey, queryFn }, ...])` for concurrent execution.
+- **[MEDIUM]** `select` option not used to derive/transform data → entire raw response stored in cache and components re-render on any field change. Use `select: (data) => transform(data)` to subscribe only to the derived slice.
+- **[MEDIUM]** `gcTime: Infinity` set globally or on large queries → memory grows unboundedly in long-running SPAs. Use the default `gcTime` (5 minutes) or set it explicitly; never use `Infinity` for large datasets.
+- **[LOW]** Prefetching not used for predictable navigation (hover, visible links) → users wait for data fetch after every navigation. Use `queryClient.prefetchQuery` on hover or route anticipation to pre-warm the cache.
+
+---
+
+## Architecture
+- **[HIGH]** Query key arrays defined as inline literals across multiple files (`['users', id]`) → typos cause cache misses and broken invalidation. Centralize query keys in a factory: `userKeys.detail(id)` returning `['users', 'detail', id]`.
+- **[HIGH]** `queryFn` containing business logic (data transformation, error mapping) instead of pure data fetching → logic untestable in isolation. Keep `queryFn` as a thin fetch wrapper; transform data in `select` or a separate utility.
+- **[MEDIUM]** Overly broad query key used for invalidation (e.g. `['users']` invalidating all user queries) → unnecessary refetches for unrelated components. Use scoped keys and targeted invalidation: `queryClient.invalidateQueries({ queryKey: userKeys.detail(id) })`.
+- **[MEDIUM]** Mutations missing optimistic updates for latency-sensitive UI interactions (like/dislike, reorder) → UI lags behind user action. Implement `onMutate`/`onError`/`onSettled` pattern for optimistic updates on interactive mutations.
+- **[MEDIUM]** Dependent queries not using the `enabled` flag → query fires immediately with `undefined` params, causing spurious 400/404 errors. Use `enabled: !!userId` to prevent a query from running until its dependencies are ready.
+
+---
+
+## Code Quality
+- **[HIGH]** `useQuery` called without TypeScript generics (`useQuery<TData, TError>`) → data and error typed as `unknown`, losing type safety throughout the component. Always provide generics or use a typed query factory that infers them.
+- **[HIGH]** `error` state not handled in every `useQuery` consumer → components render loading or empty state indefinitely on error. Destructure `error` and `isError` and render an appropriate error UI in every query consumer.
+- **[MEDIUM]** `queryKey` as inline array literal (`['posts', id]`) → referential instability causes unnecessary cache misses in `useQuery` comparisons. Define query keys via factory functions that return stable arrays.
+- **[LOW]** `QueryClient` default options not configured globally → each query re-specifies the same `staleTime`, `retry`, and `refetchOnWindowFocus` options. Set sensible app-wide defaults in `new QueryClient({ defaultOptions: { queries: { ... } } })`.
+
+---
+
+## Common Bugs & Pitfalls
+- **[CRITICAL]** Cached query data mutated directly (`data.items.push(newItem)`) instead of using `setQueryData` → bypasses TanStack Query's immutability contract, causing unpredictable re-renders and cache corruption. Always produce new objects: `queryClient.setQueryData(key, old => ({ ...old, items: [...old.items, newItem] }))`.
+- **[CRITICAL]** `useQuery` called conditionally (inside an `if` or after an early return) → violates React Rules of Hooks, causing runtime error. Always call `useQuery` unconditionally at the top level; use the `enabled` option to control when fetching occurs.
+- **[HIGH]** `onSuccess` callback used in TanStack Query v5 (`useQuery` no longer supports it) → silent no-op, invalidation or side effects never run. Migrate to `mutation.isSuccess` in render or use `useEffect` watching `isSuccess`.
+- **[HIGH]** `queryKey` not including all variables the query depends on (e.g. filters, page number omitted) → stale data served when variables change, cache never invalidated correctly. Include every variable that affects the query result in the key array.
+- **[HIGH]** SSR dehydration/hydration with non-serializable data (`Date`, `Map`, `Set`) in cached queries → hydration mismatch or JSON serialization failure. Use `superjson` as the serializer for `dehydrate`/`hydrate`, or convert to serializable types before caching.

package/src/prr/data/stacks/tauri.md

@@ -0,0 +1,52 @@
+# Tauri — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `tauri`, `tauri.conf.json`, `from '@tauri-apps/api'`, `#[tauri::command]`, `src-tauri/`, `Cargo.toml` with tauri
+
+---
+
+## Security
+- **[CRITICAL]** Tauri `allowlist` set to `all: true` or broad permission groups → entire Tauri API surface exposed to the frontend JavaScript context. Enable only the specific API namespaces required by the application.
+- **[CRITICAL]** `shell` allowlist enabled without an explicit `scope` allowlist → frontend JavaScript can execute arbitrary shell commands on the user's machine. Define an exact command allowlist with fixed arguments in `tauri.conf.json`.
+- **[HIGH]** Frontend loads remote URLs (not `tauri://localhost`) without a strict Content Security Policy → XSS in remote content gains access to enabled Tauri APIs. Set a restrictive `csp` in `tauri.conf.json` and avoid loading remote content.
+- **[HIGH]** Tauri command handler accepts user-supplied input and passes it to file system, shell, or SQL operations without validation → injection attacks. Validate and sanitize all inputs inside the Rust command handler before use.
+- **[HIGH]** `fs` allowlist scope too broad (e.g., `$HOME`) → frontend can read or write arbitrary files. Restrict `fs` scope to `$APPDATA`, `$APPCONFIG`, or specific subdirectories the application actually needs.
+- **[MEDIUM]** `invoke()` commands for sensitive operations (delete, export, admin) not verifying session state or caller context → any frontend code can trigger privileged commands. Add session validation inside each sensitive Tauri command.
+
+---
+
+## Performance
+- **[HIGH]** Long-running or CPU-bound work performed synchronously inside a Tauri command → blocks the async runtime thread pool. Mark commands `async` and use `tokio::spawn` for truly parallel work or `tokio::task::spawn_blocking` for blocking operations.
+- **[HIGH]** Large data payloads (images, binary files) passed across the IPC boundary as base64 JSON → high serialization overhead and memory doubling. Use Tauri's resource system or write to a temp file and pass the path instead.
+- **[MEDIUM]** Tauri updater not configured with delta updates → full application binary downloaded on every update. Enable delta updates via the updater plugin to minimize update size.
+- **[MEDIUM]** Application window created and shown immediately at startup before content is ready → blank white flash on launch. Use `visible: false` in window config and call `appWindow.show()` after the frontend signals readiness.
+- **[MEDIUM]** All application logic kept in the frontend bundle → no benefit from Rust's performance for compute-heavy tasks. Move computation-intensive operations (crypto, parsing, compression) to Tauri commands.
+- **[LOW]** System tray not used for background tasks → main window kept open solely to maintain a background process. Use `tauri-plugin-system-tray` with a hidden window for background daemon behaviour.
+
+---
+
+## Architecture
+- **[HIGH]** All business logic implemented in the frontend JavaScript → security controls and data access fully bypassable from DevTools. Move trust boundaries, validation, and data access to Rust Tauri commands.
+- **[MEDIUM]** Tauri commands not organized into logical Rust modules → all commands in one file, hard to navigate. Group commands by domain into separate modules and register them with `generate_handler!`.
+- **[MEDIUM]** Shared mutable state managed as a Rust `Mutex<Option<T>>` global instead of Tauri's `State<T>` → not integrated with Tauri's lifecycle. Use `tauri::Builder::manage()` to register state and `State<T>` in command signatures.
+- **[MEDIUM]** Frontend communicates with Rust exclusively through synchronous `invoke()` calls → no event-driven updates from Rust to frontend. Use `window.emit()` from Rust for push notifications (progress, background events) to the frontend.
+- **[LOW]** Common functionality (file watching, HTTP, shell) reimplemented manually instead of using official Tauri plugins → duplicated effort and missed security fixes. Use `tauri-plugin-fs`, `tauri-plugin-http`, and other official plugins where available.
+
+---
+
+## Code Quality
+- **[HIGH]** `unwrap()` or `expect()` used inside Tauri command handlers → panics surface as untyped errors on the frontend with no actionable information. Define a custom error enum implementing `serde::Serialize` and return `Result<T, AppError>` from all commands.
+- **[MEDIUM]** Tauri command errors not typed with a serializable enum → frontend receives a plain string and cannot programmatically distinguish error types. Create an `AppError` enum with `#[derive(Debug, Serialize)]` and map all error types to it.
+- **[MEDIUM]** Commands not registered via `generate_handler!` macro → commands silently missing at runtime with no compile-time error. Ensure all public command functions are listed in `generate_handler!` in `main.rs`.
+- **[MEDIUM]** Window configuration (title, min/max size, decorations) not specified in `tauri.conf.json` → window appears with OS defaults that may not match application design. Define window properties explicitly in the config.
+- **[LOW]** Rust dependencies in `Cargo.toml` not version-pinned → `cargo update` may introduce breaking changes. Pin dependencies to exact versions and review `Cargo.lock` in version control.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** Content Security Policy blocks `tauri://localhost` or `ipc://localhost` → Tauri's IPC bridge is non-functional and `invoke()` calls silently fail. Ensure the CSP `connect-src` directive includes `tauri://localhost` and `ipc://localhost`.
+- **[HIGH]** `async` Tauri command performing blocking I/O with `std::fs` or `std::thread::sleep` → starves the async runtime. Replace with `tokio::fs`, `tokio::time::sleep`, and other async-compatible alternatives.
+- **[MEDIUM]** Two windows created with the same `label` → Tauri panics or silently fails to open the second window. Use unique labels per window and check for existing windows with `app.get_window()` before creating.
+- **[MEDIUM]** File paths constructed with string concatenation instead of `std::path::PathBuf` → path separator mismatches on Windows (`\` vs `/`). Always use `PathBuf` and `.join()` for cross-platform path construction.
+- **[MEDIUM]** Tauri `beforeMount` or `DOMContentLoaded` events used to call `invoke()` before the IPC bridge is ready → race condition causing failed invocations on startup. Wait for the `tauri://window-created` event before making IPC calls.
+- **[LOW]** macOS code signing and notarization not configured in EAS/CI → Gatekeeper blocks the app on first launch. Configure `signingIdentity` and Apple notarization credentials in the build pipeline.

package/src/prr/data/stacks/terraform.md

@@ -0,0 +1,53 @@
+# Terraform — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.tf` files · `terraform {` block · `resource "` · `provider "` · `variable "` · `module "` · `terraform.tfvars` · `.terraform/` directory
+
+---
+
+## Security
+
+- **[CRITICAL]** Sensitive values (passwords, private keys, connection strings) hardcoded in `.tf` files → committed to version control. Use `sensitive = true` variables + secrets manager or environment variable injection.
+- **[HIGH]** `sensitive = false` on variables containing passwords or keys → value printed in `terraform plan` output and stored in state file in plaintext. Mark as `sensitive = true`.
+- **[HIGH]** State file in unencrypted S3 bucket or stored locally → Terraform state contains all resource attributes including secrets. Enable server-side encryption and restrict bucket access.
+- **[HIGH]** Overly permissive IAM policies: `"Action": "*"` or `"Resource": "*"` → violates least-privilege. Grant only the specific actions and resources needed.
+- **[MEDIUM]** `terraform.tfvars` or `*.auto.tfvars` with secrets committed to version control → add to `.gitignore`, use environment variables or vault integration.
+- **[MEDIUM]** Publicly accessible S3 bucket, RDS instance, or security group with `0.0.0.0/0` ingress on sensitive ports → review each resource for unintended exposure.
+
+---
+
+## Performance
+
+- **[HIGH]** `count` used for resource iteration when `for_each` is more appropriate → with `count`, inserting at index N causes destroy/recreate of all resources after N. Use `for_each` with a map or set for stable addressing.
+- **[MEDIUM]** Monolithic root module with hundreds of resources → slow `terraform plan` (all providers refreshed) and hard to review. Split into composable child modules.
+- **[MEDIUM]** Missing `depends_on` for resources with implicit ordering requirements not expressible through attribute references → apply may fail on first run, succeed on retry.
+- **[LOW]** Unused `data` sources or `local` values → increases plan time. Remove unused blocks.
+
+---
+
+## Architecture
+
+- **[HIGH]** No remote backend configured → state is local, not shared with team, no state locking. Configure `backend "s3"`, `backend "azurerm"`, or Terraform Cloud.
+- **[HIGH]** Applying directly to production without reviewing `terraform plan` output first → risk of unintended `destroy` or `replace` operations.
+- **[MEDIUM]** Hardcoded region, account ID, or environment name in module → module not reusable. Parameterize with variables.
+- **[MEDIUM]** Resources without tags for environment, owner, and cost-center → no governance, no cost attribution in billing dashboards.
+- **[LOW]** Circular module dependencies → Terraform cannot resolve the dependency graph. Restructure modules or use data sources.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Variable declared without a `type` constraint → implicit `any` type; type errors surface at `apply` time, not `validate` or `plan` time.
+- **[MEDIUM]** `lifecycle { prevent_destroy = true }` missing on critical resources (RDS, S3, load balancers) → accidental `terraform destroy` or resource replacement deletes data.
+- **[MEDIUM]** Large inline `user_data` or `metadata_startup_script` → hard to review, can't be linted. Extract to a `templatefile()` call referencing an external `.sh` / `.tpl` file.
+- **[LOW]** No `description` field on `variable` or `output` blocks → other team members can't understand the module interface without reading all `.tf` files.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[CRITICAL]** Running `terraform destroy` without `-target` on a shared environment → destroys ALL resources in the state, including shared infrastructure.
+- **[HIGH]** `terraform plan` shows "forces replacement" on a critical resource (RDS, EKS cluster) but change is applied anyway → downtime or data loss. Understand the cause before applying.
+- **[MEDIUM]** Forgetting `terraform init` after adding a new provider or module source → `provider not installed` error at plan/apply time.
+- **[MEDIUM]** `output { sensitive = false }` on an output that references a `sensitive` variable → Terraform 0.15+ will error. Mark output as `sensitive = true`.
+- **[LOW]** `.terraform.lock.hcl` not committed to version control → non-reproducible provider versions across team members and CI.

package/src/prr/data/stacks/three.md

@@ -0,0 +1,53 @@
+# Three.js — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from 'three'`, `THREE.`, `WebGLRenderer`, `Scene`, `PerspectiveCamera`, `AnimationMixer`, `from '@react-three/fiber'`
+
+---
+
+## Security
+- **[HIGH]** Loading 3D models (GLTF, OBJ, FBX) from user-supplied URLs without validation → SSRF, loading of malicious files from internal network. Validate URLs against an allowlist and load only from trusted origins.
+- **[HIGH]** Executing code stored in `userData` property of loaded 3D objects → arbitrary code execution from untrusted model files. Never `eval` or invoke functions sourced from loaded model metadata.
+- **[MEDIUM]** Cross-origin textures loaded with `THREE.TextureLoader` without explicit CORS policy on the asset server → WebGL security error or silent failure. Set `crossOrigin = 'anonymous'` on the loader and ensure the asset server sends CORS headers.
+- **[MEDIUM]** Renderer canvas element accessible and writable by untrusted third-party scripts on the page → canvas poisoning or pixel data theft via `getImageData`. Apply Content Security Policy and isolate the canvas from third-party script access.
+- **[LOW]** Debug helpers (`AxesHelper`, `GridHelper`, `Stats`) left in production builds → scene structure and performance metrics exposed. Gate all helpers behind a `DEBUG` flag.
+
+---
+
+## Performance
+- **[CRITICAL]** Geometries, materials, and textures not disposed when objects are removed from the scene → GPU memory leak that grows indefinitely. Always call `geometry.dispose()`, `material.dispose()`, and `texture.dispose()` before removing objects, and call `renderer.dispose()` on teardown.
+- **[HIGH]** Animation loop running without `requestAnimationFrame` (e.g., `setInterval`) → uncapped frame rate, excessive CPU/GPU usage, and frame timing drift. Always drive the render loop with `requestAnimationFrame` or R3F's `useFrame`.
+- **[HIGH]** `castShadow` and `receiveShadow` enabled on all objects indiscriminately → shadow map recalculated for every shadow-casting object each frame. Enable shadows only on objects that require them and use `renderer.shadowMap.autoUpdate = false` for static scenes.
+- **[HIGH]** High-polygon geometry without Level of Detail (LOD) → frame budget exceeded for distant or small objects. Implement `THREE.LOD` with reduced-poly meshes at increasing distances.
+- **[HIGH]** Uncompressed textures (PNG/JPEG) loaded directly → excessive VRAM usage and long load times. Use KTX2/Basis compressed textures via `KTX2Loader` for GPU-native formats.
+- **[MEDIUM]** New `THREE.Vector3`, `THREE.Color`, or `THREE.Matrix4` instantiated inside the animation loop → garbage collection pauses causing frame drops. Pre-allocate reusable objects outside the loop and use `.set()` to update values.
+- **[MEDIUM]** No frustum culling awareness for large scenes with many off-screen objects → GPU draw calls wasted on invisible geometry. Enable `object.frustumCulled = true` (default) and avoid disabling it without reason.
+
+---
+
+## Architecture
+- **[HIGH]** All scene setup, animation, and interaction logic in a single file or class → unmaintainable God object. Separate scene graph setup, animation system, asset loading, and input handling into distinct modules.
+- **[HIGH]** Animation loop (`requestAnimationFrame` callback) not stopped on component unmount → renderer continues consuming GPU resources after the component is gone. Store the animation frame ID and call `cancelAnimationFrame(id)` on cleanup.
+- **[MEDIUM]** Assets loaded without `GLTFLoader` Draco or Meshopt compression → large file sizes increasing time-to-interactive. Use `DRACOLoader` or `MeshoptDecoder` with `GLTFLoader` for geometry compression.
+- **[MEDIUM]** Physics or game logic calculations tied directly to frame rate inside `renderer.render()` callback → simulation speed varies with display refresh rate. Use a fixed timestep accumulator pattern separate from the render loop.
+- **[LOW]** No asset loading manager (`THREE.LoadingManager`) → no coordinated loading progress or error handling across multiple assets. Use a shared `LoadingManager` to track and report loading state.
+
+---
+
+## Code Quality
+- **[HIGH]** `renderer.render(scene, camera)` called without a `resize` event handler updating renderer size and camera aspect ratio → distorted perspective on window resize or container size change. Add `ResizeObserver` or `window.resize` handler calling `renderer.setSize()` and updating `camera.aspect` then `camera.updateProjectionMatrix()`.
+- **[MEDIUM]** Manual `requestAnimationFrame` loop used inside React components instead of R3F's `useFrame` hook → conflicts with R3F's render loop causing double renders. Use `useFrame` exclusively when working within React Three Fiber.
+- **[MEDIUM]** Three.js objects not typed with JSDoc or TypeScript imports → autocompletion and type safety lost. Import types from `three` and annotate all scene object variables explicitly.
+- **[MEDIUM]** `renderer.setPixelRatio(window.devicePixelRatio)` not capped → on high-DPI displays, pixel ratio of 3+ multiplies GPU work by 9x. Cap with `Math.min(window.devicePixelRatio, 2)`.
+- **[LOW]** `Object3D.name` properties left empty on scene graph nodes → debugging via `scene.getObjectByName()` impossible and DevTools scene inspector uninformative. Assign meaningful names to all significant scene objects.
+
+---
+
+## Common Bugs & Pitfalls
+- **[CRITICAL]** Geometry and material not disposed when mesh is removed from scene → GPU memory leak; application slows and crashes over time. Implement a disposal utility that traverses removed subtrees and calls `dispose()` on all geometry and material instances.
+- **[HIGH]** Z-fighting artifacts from two coplanar geometries (e.g., decal on a surface) → flickering at shared depth. Apply `polygonOffset: true` with `polygonOffsetFactor` and `polygonOffsetUnits` to the front material.
+- **[HIGH]** Camera aspect ratio not updated after renderer resize → scene appears squashed or stretched. Always call `camera.aspect = width / height` and `camera.updateProjectionMatrix()` in the resize handler.
+- **[MEDIUM]** `AnimationMixer` actions not stopped and mixer not `uncacheRoot`'d before disposing the associated object → animation system holds a reference, preventing GC. Call `mixer.stopAllAction()` and `mixer.uncacheRoot(mesh)` before removal.
+- **[MEDIUM]** `Raycaster` not updated by calling `raycaster.setFromCamera(mouse, camera)` immediately before `intersectObjects()` → intersection test uses stale camera state, returning wrong or no hits.
+- **[MEDIUM]** `WebGLRenderer` created multiple times without disposing the previous instance → each renderer allocates a WebGL context; browsers limit WebGL contexts per page. Reuse a single renderer instance or dispose before creating a new one.
+- **[LOW]** `OrbitControls` `update()` not called in animation loop when `enableDamping` is true → damping never resolves, camera movement is choppy. Call `controls.update()` every frame when damping is enabled.

package/src/prr/data/stacks/trpc.md

@@ -0,0 +1,49 @@
+# tRPC — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from '@trpc/server'`, `from '@trpc/client'`, `from '@trpc/react-query'`, `initTRPC`, `router()`, `publicProcedure`, `protectedProcedure`
+
+---
+
+## Security
+- **[CRITICAL]** Sensitive operations (user data, admin actions) implemented on `publicProcedure` without any auth middleware → unauthenticated access to protected resources. Create `protectedProcedure` that validates session from context and use it for all authenticated routes.
+- **[CRITICAL]** `protectedProcedure` middleware absent → no consistent enforcement of authentication across the router. Define and enforce a middleware chain: `t.middleware(({ ctx, next }) => { if (!ctx.user) throw new TRPCError({ code: 'UNAUTHORIZED' }); return next({ ctx }) })`.
+- **[HIGH]** Procedure input not validated with a Zod schema → type confusion, prototype pollution, and unexpected data shapes reaching business logic. Always define `.input(z.object({ ... }))` on every procedure that accepts input.
+- **[HIGH]** Returning full ORM/DB model objects instead of selecting only needed fields → PII and internal fields (hashed passwords, internal IDs) exposed to clients. Select only required fields in DB queries; use Zod `.pick()` or explicit select projections.
+- **[HIGH]** IDOR via ID passed in input without ownership verification → user A reads or mutates user B's data. After fetching by input ID, assert `record.userId === ctx.user.id` before returning or modifying.
+- **[MEDIUM]** Internal error details (stack traces, DB error messages) leaking to client in production → reconnaissance information for attackers. Configure `errorFormatter` to strip internal details in production: return only `code` and a safe `message`.
+
+---
+
+## Performance
+- **[HIGH]** N+1 query pattern in query handlers — fetching a list then querying per-item in a loop → multiplicative DB round trips. Batch with a single query using `WHERE id IN (...)` or use a DataLoader instance per request.
+- **[HIGH]** DataLoader pattern not used for cross-procedure data sharing → repeated identical queries across procedures in a single request. Attach per-request DataLoader instances to context and use them in all procedures.
+- **[HIGH]** tRPC subscriptions not cleaned up when the client disconnects → server-side resource leak (DB connections, event emitter listeners). Use the `on` cleanup return in `observable` to tear down resources when the subscription ends.
+- **[MEDIUM]** `useQuery` called without configuring `staleTime` or `gcTime` → refetches on every component mount and window focus. Set appropriate `staleTime` per query based on data freshness requirements.
+- **[MEDIUM]** Large objects serialized over the wire without selecting specific fields → high bandwidth usage and slow serialization. Define output schemas with `.output(z.object({ ... }))` to enforce response shape and size.
+
+---
+
+## Architecture
+- **[HIGH]** Business logic (complex validation, external API calls, DB operations) written directly inside procedure handlers → untestable handlers, fat router files. Extract to a service layer; procedures should only orchestrate: validate input → call service → return result.
+- **[HIGH]** `t.createCallerFactory` not used for server-to-server calls; instead procedures called by importing handler functions directly → context middleware (auth, logging) is bypassed. Use `createCallerFactory` to call procedures server-side so middleware runs correctly.
+- **[MEDIUM]** Context not used to inject shared services (DB client, logger, auth) → services instantiated inside procedures, no request-scoped sharing. Attach all shared services to the tRPC context in `createContext` and consume via `ctx`.
+- **[MEDIUM]** Deeply nested routers without a clear domain boundary grouping → hard to navigate, hard to apply middleware selectively. Group by domain (e.g. `userRouter`, `postRouter`) with one file per domain; merge in a root `appRouter`.
+- **[MEDIUM]** Missing `errorFormatter` in `initTRPC` configuration → default error shape varies between tRPC versions and client expectations. Define a consistent `errorFormatter` that maps `TRPCError` to a stable client-facing structure.
+
+---
+
+## Code Quality
+- **[MEDIUM]** Procedure responses not validated with `.output()` schema → clients receive untyped `unknown` responses; breaking changes in DB schema silently alter API shape. Add `.output(z.object({ ... }))` to critical procedures to enforce response contracts.
+- **[MEDIUM]** Procedures scattered across many files without a consistent co-location strategy → hard to find and review related functionality. Co-locate each router with its domain: `src/server/routers/user.ts` contains all user-related procedures.
+- **[HIGH]** `query` procedure used for operations with side effects (sending email, writing DB) → GET requests cached by browser/CDN, side effect may not run on repeat navigations. Always use `mutation` for any operation that changes state.
+- **[LOW]** Procedures not annotated with a `meta` description → generated OpenAPI docs (if used) are empty; hard to discover API surface. Add `meta: { openapi: { method: 'GET', path: '/resource', description: '...' } }` or use `procedure.meta({ description: '...' })`.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `useQuery` without `error` state handled in the UI → unhandled errors are silently swallowed; user sees blank/stale UI with no feedback. Always destructure and render `error` from every `useQuery` call.
+- **[HIGH]** `ctx.user` typed as `any` because context type not properly inferred → type safety of `protectedProcedure` is illusory. Ensure `createContext` return type is explicit and flows into the `initTRPC` generic: `initTRPC.context<Context>().create()`.
+- **[HIGH]** Infinite queries not using cursor-based pagination → offset pagination breaks on concurrent inserts/deletes. Use `z.object({ cursor: z.string().optional() })` input and return `{ items, nextCursor }` for `useInfiniteQuery`.
+- **[HIGH]** `useMutation`'s `onSuccess` not calling `utils.queryName.invalidate()` → related `useQuery` data stays stale after mutation. Add cache invalidation in `onSuccess`: `await utils.posts.list.invalidate()`.
+- **[HIGH]** `superjson` transformer not configured on both the tRPC client and server → `Date` objects serialized as strings on server are not deserialized back to `Date` on client; type mismatch. Add `transformer: superjson` to both `initTRPC.create()` and `createTRPCProxyClient()`.

package/src/prr/data/stacks/typeorm.md

@@ -0,0 +1,40 @@
+# TypeORM — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `@Entity(`, `@Column(`, `@PrimaryGeneratedColumn`, `TypeORM`, `DataSource`, `createConnection`, `getRepository(`
+
+---
+
+## Security
+
+- **[CRITICAL]** `createQueryBuilder().where(\`id = ${userId}\`)` → SQL injection. Always use parameterized: `.where("id = :id", { id: userId })`.
+- **[HIGH]** Entity returned directly from controller → exposes all columns. Use DTOs and `@Exclude()` / `plainToClass`.
+- **[MEDIUM]** `getManager().query()` with string interpolation → injection. Use parameterized.
+
+---
+
+## Performance
+
+- **[HIGH]** N+1 — accessing relation (`entity.relation`) in loop without `relations` option or `leftJoinAndSelect`. Use `find({ relations: ['relation'] })`.
+- **[HIGH]** `find()` without `take`/`skip` on large tables → unbounded result.
+- **[HIGH]** Missing `@Index()` on columns used in `where`, `order`, `join`.
+- **[MEDIUM]** Using `getRepository()` inside function calls → creates new repository instance each time. Get repository once outside.
+- **[MEDIUM]** Multiple separate queries that could be wrapped in `queryRunner.startTransaction()`.
+- **[LOW]** `eager: true` on relation → always loaded even when not needed.
+
+---
+
+## Architecture
+
+- **[HIGH]** TypeORM entity used as DTO directly → couples DB schema to API contract.
+- **[MEDIUM]** `getConnection()` (deprecated) instead of `DataSource.getRepository()`.
+- **[MEDIUM]** Missing `@Transaction()` decorator or manual transaction on multi-step writes.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `save()` on partial entity object → fields not included default to `undefined`, overwriting existing values with NULL.
+- **[MEDIUM]** `@BeforeInsert` / `@BeforeUpdate` hooks not firing on `update()` query builder — hooks only fire on `save()`.
+- **[MEDIUM]** `cascade: true` on relation without understanding → unintended deletes or inserts.
+- **[LOW]** Missing `synchronize: false` in production config → TypeORM auto-migrates schema, dangerous on live DB.

package/src/prr/data/stacks/typescript.md

@@ -0,0 +1,83 @@
+# TypeScript — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.ts` / `*.tsx` files, `tsconfig.json`, `typescript` in devDeps, `strict: true`, type imports
+
+---
+
+## Security
+
+- **[HIGH]** `as any` on external/user data bypasses all type checking → runtime errors and security holes. Use `unknown` + type narrowing.
+- **[HIGH]** Missing runtime validation at system boundaries (API responses, user input, env vars) — types are erased at runtime; use Zod/Valibot/ArkType.
+- **[HIGH]** Prototype pollution via `Object.assign({}, userInput)` with no type guard → attacker can set `__proto__`.
+- **[MEDIUM]** `@ts-ignore` without explanation → suppressing errors that may indicate real bugs.
+- **[MEDIUM]** Unsafe type cast `value as SpecificType` without runtime validation → assumption may be wrong at runtime.
+- **[MEDIUM]** `JSON.parse(userInput)` typed with `as MyType` without validation → type lie, runtime mismatch.
+- **[LOW]** `any` return from `JSON.parse()` propagating through typed interfaces without guard.
+
+---
+
+## Performance
+
+- **[HIGH]** Massive barrel files (`index.ts` re-exporting hundreds of items) → slow TypeScript compilation and IDE.
+- **[HIGH]** Deeply nested conditional types → exponential type-checking time; simplify with mapped types.
+- **[MEDIUM]** `const enum` used in declaration files / across module boundaries → erasure issues with bundlers.
+- **[MEDIUM]** Type assertions `as` in hot paths creating false sense of safety and potential misuse.
+- **[LOW]** Project references not configured for monorepo → single tsconfig compiling everything slowly.
+- **[LOW]** `tsc --noEmit` not run in CI → type errors only caught on build.
+
+---
+
+## Architecture
+
+- **[HIGH]** `any` type on function parameters, return types, or variables → defeats TypeScript's purpose. Use `unknown` + narrow.
+- **[HIGH]** `strict: false` in tsconfig → implicit `any`, loose null checks. Always enable `"strict": true`.
+- **[HIGH]** Non-null assertion `!` without justification → potential `null`/`undefined` runtime crash.
+- **[HIGH]** Types defined as `interface` with implementation knowledge leaked into them → couple type to impl.
+- **[HIGH]** `any` used in generics `<T = any>` → generic provides no type safety.
+- **[HIGH]** Discriminated union missing exhaustive check → new variant added later silently falls through.
+- **[MEDIUM]** Missing return type annotation on exported functions → API contract not enforced.
+- **[MEDIUM]** `interface` vs `type` inconsistency → pick one convention; `type` for unions/intersections, `interface` for objects.
+- **[MEDIUM]** Overly broad union type instead of discriminated union → defeats narrowing.
+- **[MEDIUM]** `extends` abuse creating deep inheritance chains → use composition/intersection types.
+- **[MEDIUM]** `Partial<T>` used as function return type when specific optional fields are known → too permissive.
+- **[MEDIUM]** Type utilities (`Pick`, `Omit`, `Partial`) not used → manual re-typing of subsets creates drift.
+- **[LOW]** `enum` usage → prefer `as const` objects for better tree-shaking and JS interop.
+- **[LOW]** Missing `readonly` on arrays/objects that shouldn't be mutated → accidental mutation.
+- **[LOW]** Deeply nested generic types (3+ levels) → create intermediate type aliases for readability.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `// @ts-ignore` or `// @ts-expect-error` without comment explaining why → hidden bugs.
+- **[HIGH]** Missing null/undefined checks on values from external sources → `Cannot read properties of undefined` at runtime.
+- **[HIGH]** `!` non-null assertion on DOM queries (`document.getElementById('x')!`) → crashes if element missing.
+- **[HIGH]** `keyof typeof obj` not used when iterating object keys → `Object.keys()` returns `string[]`, losing type info.
+- **[MEDIUM]** `import` instead of `import type` for type-only imports → slightly larger bundles, breaks isolatedModules.
+- **[MEDIUM]** Duplicate type definitions across files instead of shared types module → drift over time.
+- **[MEDIUM]** Type assertions in tests (`as any`, `as unknown as T`) masking real type errors.
+- **[MEDIUM]** `Record<string, any>` instead of specific type → index signature hides structure.
+- **[MEDIUM]** `Function` type instead of specific signature → loses parameter and return type info.
+- **[MEDIUM]** `object` type instead of `Record<string, unknown>` → too broad, no property access.
+- **[LOW]** Missing JSDoc on exported public API functions → poor IDE experience for consumers.
+- **[LOW]** Large barrel `index.ts` exporting everything → circular dependency risk, slow compilation.
+- **[LOW]** `namespace` used instead of ES modules → legacy pattern, avoid in new code.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Optional chaining `?.` used but result not checked before use → defeats the purpose; still need null check.
+- **[HIGH]** `async` function in array `.map()` → returns `Promise[]` not resolved values. Use `Promise.all(arr.map(async ...))`.
+- **[HIGH]** Spreading typed object onto untyped base `{ ...defaults, ...userInput }` where `userInput: any` → loses type safety.
+- **[HIGH]** `as unknown as T` double assertion → bypasses all type checking; red flag in code review.
+- **[HIGH]** Generic constraint not tight enough → function accepts invalid types without error.
+- **[MEDIUM]** `Object.keys(obj)` returns `string[]` not `(keyof typeof obj)[]` → type-unsafe iteration.
+- **[MEDIUM]** `parseInt` / `parseFloat` return `NaN` on invalid input, not caught → NaN propagates silently.
+- **[MEDIUM]** Conditional type `extends` not distributing over union as expected → wrap in `[]` to prevent distribution.
+- **[MEDIUM]** `infer` in complex conditional types causing `never` unexpectedly → simplify or test with `ts-expect-error`.
+- **[MEDIUM]** Declaration merging on interfaces used inadvertently → confusing for maintainers.
+- **[MEDIUM]** Mapped type modifiers (`-readonly`, `-?`) not understood → removing optionality unintentionally.
+- **[LOW]** `satisfies` operator (TS 4.9+) not used where it would be clearer than `as`.
+- **[LOW]** Template literal types used for validation logic that should be runtime validation.