prr-kit 1.1.3 → 1.2.0

package/src/prr/data/stacks/bootstrap.md

@@ -0,0 +1,52 @@
+# Bootstrap — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `bootstrap`, `from 'bootstrap'`, `class="btn`, `class="container`, `data-bs-`, `navbar-`, `modal`, `bootstrap.bundle`
+
+---
+
+## Security
+- **[HIGH]** Bootstrap tooltip or popover initialized with `html: true` and content sourced from user input → XSS via `data-bs-content`, `data-bs-title`, or the `content` option. Set `html: false` (default) and encode all user content before use; sanitize with DOMPurify if HTML is required.
+- **[HIGH]** Bootstrap JavaScript loaded from a public CDN without a Subresource Integrity (SRI) hash → compromised CDN serves malicious script. Add `integrity` and `crossorigin="anonymous"` attributes to all CDN `<script>` and `<link>` tags.
+- **[MEDIUM]** Modal body dynamically populated via `innerHTML` with unencoded user data → XSS inside the modal. Use `textContent` for user data or sanitize with DOMPurify before inserting into modal content.
+- **[MEDIUM]** Bootstrap's sanitizer (`allowList`) not configured when using `html: true` → default allowlist may permit dangerous attributes. Review and restrict the `allowList` to only the HTML tags and attributes your application requires.
+- **[LOW]** Form `action` or `href` attributes dynamically constructed from user input in Bootstrap form components → open redirect or injection. Validate and encode all dynamic URL values used in Bootstrap component attributes.
+
+---
+
+## Performance
+- **[HIGH]** Entire Bootstrap bundle imported `import 'bootstrap'` instead of only the required components → full ~150KB JS bundle loaded even when only a few components are used. Import specific components: `import { Modal } from 'bootstrap'` or use tree-shaking-friendly imports.
+- **[HIGH]** Bootstrap CSS not purged of unused styles in production → Bootstrap's full CSS is ~230KB; most projects use under 20% of it. Configure PurgeCSS or the Sass `@use` per-component approach to include only used styles.
+- **[MEDIUM]** Bootstrap utility classes (`d-none`, `d-block`) toggled via JavaScript for show/hide animations → no CSS transitions, jarring UX. Use Bootstrap's built-in transition utilities or `collapse`/`fade` classes with the JavaScript component API.
+- **[MEDIUM]** Bootstrap CSS custom properties not leveraged for theming → overriding compiled Bootstrap CSS with higher-specificity rules. Use Bootstrap's CSS custom property overrides (`--bs-primary`, `--bs-font-size-base`) in `:root` instead of overriding classes.
+- **[MEDIUM]** `bootstrap.bundle.min.js` (includes Popper) loaded when Popper is also imported separately → Popper loaded twice, increasing bundle size and causing potential conflicts. Use `bootstrap.min.js` (without Popper) if Popper is managed separately.
+- **[LOW]** Bootstrap grid mixed with custom CSS Grid or Flexbox on the same container → layout conflicts from competing systems. Pick one layout system per container; use Bootstrap grid OR custom CSS, not both on the same element.
+
+---
+
+## Architecture
+- **[HIGH]** Bootstrap JavaScript component initialized multiple times on the same DOM element → duplicate event listeners causing double modal opens, double tooltips, or broken dismiss behavior. Check for an existing instance with `bootstrap.Modal.getInstance(el)` before calling `new bootstrap.Modal(el)`.
+- **[MEDIUM]** Bootstrap default classes overridden with higher-specificity custom selectors (`.btn.btn-primary { ... }`) → specificity arms race making future Bootstrap upgrades painful. Use Bootstrap's SCSS variable/map customization system at build time rather than overriding compiled CSS.
+- **[MEDIUM]** Bootstrap SCSS not customized via its provided variables and maps → colors, spacing, and breakpoints duplicated in custom CSS. Import Bootstrap SCSS after overriding `_variables.scss` values to customize via the source.
+- **[MEDIUM]** JavaScript component lifecycle not managed (not destroyed before re-initialization) → stale component instances accumulate in single-page applications during navigation. Destroy components with `instance.dispose()` before removing their DOM elements.
+- **[LOW]** Bootstrap 4 data attributes (`data-toggle`, `data-target`) used in a Bootstrap 5 project → components silently fail to initialize in Bootstrap 5 which uses `data-bs-toggle`, `data-bs-target`. Audit all `data-` attributes and update to the `data-bs-*` namespace.
+
+---
+
+## Code Quality
+- **[HIGH]** Interactive Bootstrap components (modals, dropdowns, accordions) missing required ARIA attributes (`aria-expanded`, `aria-controls`, `role`) → screen readers cannot navigate or announce component state. Follow Bootstrap's documented accessibility markup for each component type.
+- **[MEDIUM]** Non-`<button>` elements (e.g., `<div>`, `<a>`) used as interactive Bootstrap triggers without `role="button"` and `tabindex="0"` → keyboard navigation broken, not focusable. Use `<button>` for all click-triggered Bootstrap interactions, or add required ARIA and keyboard event handlers.
+- **[MEDIUM]** Bootstrap CSS loaded from both CDN (in HTML `<head>`) and npm (via bundler) simultaneously → styles applied twice, specificity becomes unpredictable. Choose one loading strategy; prefer npm + bundler for projects that build a bundle.
+- **[MEDIUM]** Bootstrap JS components controlled via jQuery's `$().modal()` API in a Bootstrap 5 project → Bootstrap 5 dropped jQuery; the jQuery API does not exist. Use the vanilla JS API: `new bootstrap.Modal(el).show()`.
+- **[LOW]** Bootstrap icons or images referenced by hardcoded CDN paths in templates → broken assets after CDN changes or in offline environments. Host assets locally or configure asset paths via the build system.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** Modal appearing behind a fixed or sticky navbar due to `z-index` conflict → modal backdrop covers the navbar but the modal itself renders below it. Set the modal's `z-index` above the navbar, or move the modal to a direct child of `<body>` to escape stacking context issues.
+- **[HIGH]** `data-bs-dismiss="modal"` placed on a non-interactive element that does not receive focus or click events correctly → close button appears but does not function. Ensure `data-bs-dismiss` is placed on a `<button>` element inside the modal.
+- **[MEDIUM]** Bootstrap's `position: relative` on `.container` or `.row` breaking `position: fixed` children → fixed elements position relative to the container instead of the viewport. Remove `position: relative` from ancestor containers or restructure the DOM so fixed elements are direct children of `<body>`.
+- **[MEDIUM]** Form validation class `was-validated` added to the `<form>` element before the user attempts submission → browser validation errors shown immediately on page load. Only add `was-validated` after a submit attempt; listen for the `submit` event before toggling the class.
+- **[MEDIUM]** Bootstrap collapse component target has an `id` that does not match the `data-bs-target` value → accordion or collapse silently fails to open/close. Verify that `data-bs-target="#myId"` exactly matches `id="myId"` on the collapsible element.
+- **[LOW]** Tooltip not initialized via `new bootstrap.Tooltip(element)` → elements with `data-bs-toggle="tooltip"` do not activate automatically; Bootstrap 5 requires explicit JS initialization. Initialize all tooltips with `document.querySelectorAll('[data-bs-toggle="tooltip"]').forEach(el => new bootstrap.Tooltip(el))`.
+- **[LOW]** Bootstrap responsive breakpoint classes (`col-md-6`) used without understanding the mobile-first cascade → desktop layout applied at all sizes because `col-` (xs) not set. Always define the smallest breakpoint first and add larger breakpoint classes to override upward.

package/src/prr/data/stacks/bun.md

@@ -0,0 +1,55 @@
+# Bun — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: bun, Bun.serve(, Bun.file(, bunfig.toml, bun.lockb, from 'bun'
+
+---
+
+## Security
+- **[HIGH]** Bun.serve used without TLS in production → HTTP traffic transmitted in plaintext. Configure TLS with tls: { cert, key } in Bun.serve options or terminate TLS at a reverse proxy.
+- **[CRITICAL]** Bun.spawn with user-controlled arguments → attacker injects shell metacharacters or additional arguments to run arbitrary commands. Use a fixed command array and never interpolate user input into spawn arguments.
+- **[HIGH]** Bun.file(userPath) without path validation → path traversal allows reading arbitrary files on the server. Resolve the full path and verify it falls within the intended base directory before serving.
+- **[CRITICAL]** eval() or new Function() with user-provided input → arbitrary code execution on the server. Never evaluate user input; restructure logic to avoid dynamic code evaluation.
+- **[HIGH]** Missing CORS configuration on the Bun HTTP server → cross-origin requests accepted or rejected without policy. Add explicit CORS response headers based on allowed origins in the fetch handler.
+- **[HIGH]** Passwords stored or compared without hashing → plaintext passwords exposed on DB breach. Use Bun.password.hash() and Bun.password.verify() for all password storage and comparison.
+- **[MEDIUM]** Secrets read from process.env without validation at startup → missing secrets cause runtime errors deep in request handling. Validate all required environment variables at server startup and fail fast with a clear message.
+- **[MEDIUM]** WebSocket handlers not validating the origin header → cross-origin WebSocket connections accepted from attacker-controlled pages. Validate the Origin header in the upgrade handler.
+
+---
+
+## Performance
+- **[MEDIUM]** Not using Bun.file() streaming for file responses → entire file loaded into memory before sending. Use Bun.file(path) directly as a Response body to enable zero-copy streaming.
+- **[HIGH]** Blocking or CPU-heavy synchronous operations in fetch handlers → Bun runs on a single thread per worker; blocking stalls all concurrent requests. Offload CPU-bound work to Bun Worker threads.
+- **[MEDIUM]** Not using Bun.build for production bundling → development-mode imports resolved at runtime, increasing startup latency and file read overhead. Run Bun.build as part of the production build step.
+- **[MEDIUM]** bun:sqlite not using prepared statements → SQL queries re-parsed on every execution, adding overhead. Create prepared statements with db.prepare() and reuse them across requests.
+- **[LOW]** Not using Bun.CryptoHasher for batch hashing instead of Web Crypto API → Web Crypto adds async overhead for simple hashing tasks. Use Bun.CryptoHasher for synchronous, high-throughput hashing.
+- **[MEDIUM]** WebSocket message handlers performing synchronous I/O → Bun WS handler blocks the event loop during I/O. Use async handlers and await all I/O operations within WebSocket message handlers.
+
+---
+
+## Architecture
+- **[MEDIUM]** Mixing Bun-specific APIs with Node.js compatibility APIs inconsistently → codebase is harder to reason about and may fail when running on Node.js in tests. Choose a target runtime and use its native APIs consistently; isolate compat shims.
+- **[LOW]** Not using Bun built-in test runner (bun:test) and relying on Jest or Vitest instead → additional dependencies add to install time and binary size. Migrate to bun:test for native, fast test execution without extra packages.
+- **[LOW]** Using process.env instead of Bun.env for environment variable access → Bun.env is typed and faster; process.env is the compat shim. Prefer Bun.env.VARIABLE_NAME in Bun-native code.
+- **[MEDIUM]** Not using Bun.serve route patterns instead of manual URL parsing → manual routing is error-prone and slower. Use static: {} for static file serving and routes for API endpoints in Bun.serve config.
+- **[MEDIUM]** Not exporting a Bun.serve object from the main file for hot reload compatibility → hot reload does not work with programmatic listen patterns. Export the server config object directly for Bun hot reload to work correctly.
+
+---
+
+## Code Quality
+- **[LOW]** Not taking advantage of Bun native TypeScript support and using an extra transpilation step → unnecessary build complexity and slower iteration. Remove tsc/esbuild from the pipeline; Bun runs TypeScript natively.
+- **[HIGH]** Bun.password.hash not used for password hashing, using a custom or weaker approach instead → passwords stored with weak or no hashing are exposed on DB breach. Always use Bun.password.hash() which uses bcrypt or argon2 under the hood.
+- **[HIGH]** bun.lockb not committed to version control → reproducible installs are broken across environments, leading to dependency version drift. Commit bun.lockb and install with bun install --frozen-lockfile in CI.
+- **[MEDIUM]** Not using Bun.sleep instead of setTimeout/Promise-based delays in Bun-native code → minor overhead from wrapping. Use await Bun.sleep(ms) for cleaner async delays in Bun environments.
+- **[LOW]** TypeScript strict mode not enabled → implicit any and unsafe type operations go uncaught. Enable strict: true in tsconfig.json to catch type errors at compile time.
+- **[MEDIUM]** Not setting Content-Type on manual Response objects → clients may misinterpret the response body. Always set the Content-Type header explicitly on responses that are not created via the Bun Response helpers.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** Node.js __dirname and __filename undefined in Bun ESM modules → code using these globals fails at runtime. Replace with import.meta.dir and import.meta.file in Bun ESM context.
+- **[HIGH]** bun:sqlite transactions not using db.transaction() for multi-step writes → partial writes not rolled back on failure, corrupting data. Wrap all multi-statement writes in db.transaction() for atomicity.
+- **[MEDIUM]** Hot reload not working with certain module patterns (e.g., top-level side effects, non-exported servers) → code changes require a full restart. Structure the entry point with an exported default and avoid top-level side effects.
+- **[HIGH]** Not handling Bun.serve fetch handler errors → unhandled exceptions in the fetch handler crash the request with a generic error. Wrap the handler body in try/catch and return an appropriate error Response.
+- **[MEDIUM]** WebSocket publish called before client subscriptions are established → messages lost because the client is not yet subscribed to the topic. Subscribe the client in the open handler before publishing any messages.
+- **[MEDIUM]** Not configuring Bun.serve maxRequestBodySize → default body size limit may be too large or too small for the use case. Set maxRequestBodySize explicitly based on expected payload sizes.

package/src/prr/data/stacks/cpp.md

@@ -0,0 +1,57 @@
+# C++ — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.cpp` · `*.cc` · `*.cxx` · `*.hpp` · `*.h` with `#include <` · `namespace` · `std::` · `CMakeLists.txt` · `Makefile`
+
+---
+
+## Security
+
+- **[CRITICAL]** `strcpy`, `sprintf`, `gets`, `strcat` with user-controlled input → buffer overflow. Use `strncpy`, `snprintf`, `fgets`, `strncat` with explicit size limits, or C++ `std::string`.
+- **[CRITICAL]** `system(userInput)` → command injection. Avoid `system()`; use `exec*()` family with sanitized argv array.
+- **[HIGH]** Integer overflow in buffer size calculation (e.g., `malloc(count * sizeof(T))`) → heap overflow if multiplication wraps. Use checked arithmetic or `std::vector`.
+- **[HIGH]** `printf(userInput)` — untrusted string used as format specifier → format string attack. Always use `printf("%s", userInput)`.
+- **[MEDIUM]** Reading from uninitialized memory → undefined behavior, potential info leak. Initialize all variables at declaration.
+
+---
+
+## Performance
+
+- **[HIGH]** Large object passed by value to function → unnecessary copy. Use `const T&` or `T&&` (move semantics).
+- **[HIGH]** `new` / `delete` in tight loop → heap fragmentation and allocator overhead. Use stack allocation, `std::vector` with `reserve()`, or a pool allocator.
+- **[HIGH]** Virtual function calls in performance-critical inner loop → vtable dispatch per call. Consider templates (CRTP) or `final` to enable devirtualization.
+- **[MEDIUM]** `std::map` / `std::set` where `std::unordered_map` / `std::unordered_set` suffices → O(log n) vs O(1) average lookup.
+- **[MEDIUM]** Missing `std::move` when returning named local variable (before NRVO applies) → unnecessary copy.
+- **[LOW]** `std::endl` in output loop → flushes buffer every iteration. Use `'\n'` unless flush is explicitly needed.
+
+---
+
+## Architecture
+
+- **[CRITICAL]** Raw owning pointer without RAII wrapper → manual `delete` easily missed, double-free, or leak. Use `std::unique_ptr` for exclusive ownership, `std::shared_ptr` for shared.
+- **[HIGH]** Memory leak: `new` allocated object not `delete`d on all code paths (including exceptions) → use smart pointers or stack allocation.
+- **[HIGH]** Use-after-free: accessing pointer after `delete` → undefined behavior. Set pointer to `nullptr` after delete (or eliminate raw `delete` entirely).
+- **[HIGH]** Double-free: `delete` called twice on same pointer → heap corruption. Smart pointers prevent this automatically.
+- **[MEDIUM]** Global / static mutable state → thread safety issues without synchronization. Use `std::mutex` or `thread_local`.
+- **[LOW]** Deep inheritance hierarchy → prefer composition over inheritance for non-polymorphic designs.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `using namespace std;` in a header file → pollutes namespace of every translation unit that includes it. Limit to `.cpp` files or use explicit `std::` prefix.
+- **[MEDIUM]** Member function that doesn't modify state not marked `const` → prevents use with `const` objects, hides intent.
+- **[MEDIUM]** Implicit conversion between signed and unsigned integers without explicit cast → subtle overflow or wrap-around bugs. Enable `-Wsign-conversion`.
+- **[MEDIUM]** Missing `override` on virtual method override → if base signature changes, override silently becomes a new function.
+- **[LOW]** Long function > 50 lines with complex control flow → decompose into smaller functions.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[CRITICAL]** Undefined behavior: signed integer overflow, null pointer dereference, out-of-bounds array access, data race → UB cannot be relied upon to "just work" even if it appears to.
+- **[HIGH]** Iterator invalidation: modifying `std::vector` / `std::map` while iterating (erase, push_back) → UB. Collect indices/iterators first or use erase-remove idiom.
+- **[HIGH]** `std::vector::operator[]` without bounds check in production code → UB on out-of-bounds. Use `.at()` during development/testing; add assertion in production.
+- **[MEDIUM]** Object slicing: assigning derived-class object to base-class by value → vtable and derived members are lost silently.
+- **[MEDIUM]** `#pragma once` vs include guards mixed in same codebase → inconsistency. Pick one convention.
+- **[LOW]** Comparing floating-point values with `==` → imprecise. Use epsilon comparison: `std::abs(a - b) < epsilon`.

package/src/prr/data/stacks/csharp.md

@@ -0,0 +1,95 @@
+# C# / .NET — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.cs` files · `*.csproj` · `*.sln` · `using System` · `namespace` · `dotnet` CLI · `appsettings.json` · ASP.NET Core · Entity Framework
+
+---
+
+## Security
+
+- **[CRITICAL]** SQL built with string interpolation: `$"SELECT * WHERE id = {id}"` → SQL injection. Use parameterized queries (`SqlParameter`) or EF Core.
+- **[CRITICAL]** `Process.Start(new ProcessStartInfo { UseShellExecute = true, FileName = input })` with user input → command injection. Use argument arrays, not shell strings.
+- **[CRITICAL]** `BinaryFormatter.Deserialize()` on untrusted data → arbitrary code execution (CVE-class). Use `System.Text.Json` or `XmlSerializer` with safe settings.
+- **[HIGH]** Missing `[ValidateAntiForgeryToken]` on ASP.NET Core POST/PUT/DELETE → CSRF.
+- **[HIGH]** Hardcoded connection strings / API keys in `appsettings.json` committed to VCS → use `dotnet user-secrets`, Azure Key Vault, or environment variables.
+- **[HIGH]** `Path.Combine(baseDir, userInput)` without `Path.GetFullPath()` + prefix check → path traversal.
+- **[HIGH]** `JsonConvert.DeserializeObject<T>(input)` with `TypeNameHandling.All` → remote code execution via `$type`.
+- **[HIGH]** Sensitive data logged via `_logger.LogInformation()` with string interpolation → log injection.
+- **[HIGH]** `RNGCryptoServiceProvider` deprecated → use `RandomNumberGenerator.Fill()` (static, .NET 6+).
+- **[MEDIUM]** `Math.Random` used for security purposes → use `RandomNumberGenerator` from `System.Security.Cryptography`.
+- **[MEDIUM]** CORS configured too permissively (`AllowAnyOrigin + AllowCredentials`) → CORS misconfiguration.
+- **[MEDIUM]** `HttpContext.Request.Headers["X-Forwarded-For"]` trusted without proxy validation → IP spoofing.
+- **[MEDIUM]** Passwords stored as `string` → immutable, lingers in memory. Use `SecureString` or clear char arrays.
+- **[LOW]** Exception details returned in API response in production → configure `app.UseExceptionHandler` properly.
+
+---
+
+## Performance
+
+- **[HIGH]** `async void` method (not event handler) → exceptions unobservable, swallowed silently. Use `async Task`.
+- **[HIGH]** `.Result` or `.Wait()` on Task in ASP.NET context → deadlock on synchronization context. Always `await`.
+- **[HIGH]** `string +=` in loop → O(n²). Use `StringBuilder` or `string.Join`.
+- **[HIGH]** `await` inside loop instead of batching with `Task.WhenAll()` → sequential async = unnecessary latency.
+- **[HIGH]** Entity Framework `Include()` loading entire related collection when only count or single field needed → select projection.
+- **[HIGH]** Synchronous EF Core calls (`.ToList()` without `Async`) in ASP.NET Core → blocking thread pool thread.
+- **[HIGH]** Missing `AsNoTracking()` on read-only EF Core queries → change tracker overhead.
+- **[MEDIUM]** `.ToList()` called on `IQueryable` before further LINQ operations → materializes entire result prematurely.
+- **[MEDIUM]** Missing `ConfigureAwait(false)` in library code → captures unnecessary sync context.
+- **[MEDIUM]** `IEnumerable<T>` iterated multiple times → if `IQueryable`, triggers multiple DB calls. Materialize once.
+- **[MEDIUM]** Large object allocation in hot path without pooling → GC pressure. Use `ArrayPool<T>` or `MemoryPool<T>`.
+- **[MEDIUM]** Not using `Span<T>` / `Memory<T>` for buffer operations → unnecessary heap allocations.
+- **[MEDIUM]** LINQ `GroupBy` on large in-memory collections → O(n) memory → push to DB if possible.
+- **[LOW]** Not using `HttpClient` with `IHttpClientFactory` → socket exhaustion with `new HttpClient()`.
+- **[LOW]** `Task.Run` wrapping CPU-bound work then awaiting → thread pool overhead for short tasks.
+
+---
+
+## Architecture
+
+- **[HIGH]** `static` mutable fields in ASP.NET Core services → shared across requests, race conditions without sync.
+- **[HIGH]** `IDisposable` object created without `using` or `await using` → resource leak (DB connections, streams).
+- **[HIGH]** Service registered with wrong DI lifetime: `Scoped` injected into `Singleton` → captive dependency.
+- **[HIGH]** `DbContext` used as singleton → EF Core `DbContext` is not thread-safe, designed for scoped lifetime.
+- **[HIGH]** Business logic in ASP.NET Core controllers → move to service/domain layer.
+- **[HIGH]** Not using Repository/Unit of Work pattern with EF Core → testability and coupling issues.
+- **[MEDIUM]** Catching `Exception` too broadly → masks unrelated bugs. Catch specific exceptions.
+- **[MEDIUM]** `HttpClient` instantiated per request → socket exhaustion. Use `IHttpClientFactory`.
+- **[MEDIUM]** Not using `CancellationToken` propagation in async chain → operations can't be cancelled.
+- **[MEDIUM]** God class with >500 lines → decompose by responsibility.
+- **[MEDIUM]** Domain model leaking persistence concerns (EF navigation properties in API contracts).
+- **[LOW]** Not using `record` types (C# 9+) for DTOs and value objects → verbose boilerplate equality.
+- **[LOW]** Not using `sealed` on classes not designed for inheritance → unintended extension.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Nullable reference types disabled (`<Nullable>disable</Nullable>`) → NullReferenceException not caught at compile time. Enable and fix warnings.
+- **[HIGH]** `throw ex` instead of `throw` in catch block → resets stack trace, hides origin.
+- **[HIGH]** `int.Parse(input)` without `TryParse` → `FormatException` on invalid input crashes request.
+- **[HIGH]** Not using `pattern matching` for type checks → verbose `is`/`as` + null check.
+- **[MEDIUM]** `var` used where type not obvious from RHS → readability suffers.
+- **[MEDIUM]** Missing cancellation token propagation in async call chain.
+- **[MEDIUM]** Magic strings for configuration keys instead of typed options with `IOptions<T>`.
+- **[MEDIUM]** `?.` null conditional chaining producing `null` result silently used without null check.
+- **[MEDIUM]** Not using C# 10+ features (`record struct`, global using, file-scoped namespace) in modern projects.
+- **[MEDIUM]** Event subscription not unsubscribed → memory leak via event handler reference.
+- **[LOW]** Public method without XML doc comment on public API.
+- **[LOW]** Not using `nameof()` for property names in validation/logging → typo-prone string literals.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `DateTime.Now` for storage/cross-system → timezone-dependent. Use `DateTime.UtcNow` or `DateTimeOffset.UtcNow`.
+- **[HIGH]** `LINQ` deferred execution not understood → query executed multiple times or after `DbContext` disposed.
+- **[HIGH]** EF Core `SaveChangesAsync()` not called after mutations → changes not persisted silently.
+- **[HIGH]** `lock(this)` or `lock(typeof(Foo))` → public lock objects can be acquired externally → deadlock.
+- **[HIGH]** `Task.WhenAll()` not awaited → exceptions swallowed.
+- **[MEDIUM]** Struct implementing `IDisposable` boxed via interface → `Dispose` called on copy.
+- **[MEDIUM]** Enum default value (0) not explicitly named → uninitialized enum has valid meaningless value.
+- **[MEDIUM]** `string.Compare` for equality → use `string.Equals` with `StringComparison`.
+- **[MEDIUM]** EF Core lazy loading enabled without understanding → N+1 queries via navigation property access.
+- **[MEDIUM]** `ConcurrentDictionary.GetOrAdd` with factory that has side effects → factory may run multiple times.
+- **[LOW]** `StringBuilder.Append()` returning `this` for chaining not used → verbose multi-line appends.
+- **[LOW]** `Encoding.UTF8.GetString` on bytes from wrong encoding → mojibake.

package/src/prr/data/stacks/css.md

@@ -0,0 +1,55 @@
+# CSS / SCSS / SASS — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.css`, `*.scss`, `*.sass`, `*.less`, `*.styl` files
+
+---
+
+## Security
+
+- **[HIGH]** `url()` with user-controlled value → CSS injection loading external resources. Never interpolate user data into CSS.
+- **[MEDIUM]** `expression()` (IE legacy) in CSS → executes JavaScript. Never use.
+- **[MEDIUM]** Missing `Content-Security-Policy: style-src 'self'` allowing inline styles that could be injected.
+
+---
+
+## Performance
+
+- **[HIGH]** Universal selector `*` with expensive properties (`box-shadow`, `transform`) → applied to every element, layout thrash.
+- **[HIGH]** `@import` in CSS (not SCSS) → blocking serial HTTP requests. Use `<link>` or bundler imports.
+- **[HIGH]** Triggering layout thrash — reading layout properties (`offsetWidth`, `getBoundingClientRect`) then writing in same frame (JS + CSS combo). Use `transform` for animations.
+- **[MEDIUM]** Overly specific selectors (`div > ul > li > a.link`) → slow browser matching, hard to override.
+- **[MEDIUM]** `position: fixed` elements on scroll-heavy pages without `will-change: transform` → repaints entire page.
+- **[MEDIUM]** Animating `width`/`height`/`top`/`left` → triggers layout recalculation. Use `transform: translate()` / `scale()` instead.
+- **[LOW]** Large unused CSS from third-party libraries not purged → bundle bloat.
+
+---
+
+## Architecture
+
+- **[HIGH]** Deeply nested SCSS selectors (>4 levels) → high specificity, hard to override, fragile.
+- **[MEDIUM]** Color/spacing values duplicated as magic numbers instead of CSS custom properties / SCSS variables.
+- **[MEDIUM]** `!important` overuse → specificity war, maintainability nightmare.
+- **[MEDIUM]** Class names not following a convention (BEM, utility-first) → inconsistent, hard to predict.
+- **[LOW]** Vendor prefixes added manually instead of using Autoprefixer → out-of-date, missing prefixes.
+- **[LOW]** SCSS `@extend` used with placeholder selectors — can cause unexpected selector bloat.
+
+---
+
+## Accessibility
+
+- **[HIGH]** `outline: none` / `outline: 0` on focusable elements without alternative focus indicator → keyboard navigation broken (WCAG 2.4.7).
+- **[HIGH]** Text contrast below WCAG AA (4.5:1 for normal text, 3:1 for large text).
+- **[MEDIUM]** `display: none` used on content that should be accessible to screen readers → use visually-hidden pattern instead.
+- **[MEDIUM]** `pointer-events: none` on interactive elements without disabling them in HTML → keyboard still reaches them.
+- **[LOW]** `user-select: none` on body/large containers → breaks copy-paste for users.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `z-index` wars — arbitrary large values (`z-index: 9999`) without documented stacking context.
+- **[MEDIUM]** Margin collapsing not accounted for — `margin-top` on child collapses with parent without overflow/padding/border.
+- **[MEDIUM]** `height: 100%` on child without parent having explicit height → renders as 0.
+- **[MEDIUM]** Flexbox/Grid item `flex: 1` without `min-width: 0` → overflow issues with long text content.
+- **[LOW]** `calc()` with missing spaces around operators (`calc(100%-20px)`) → invalid in some browsers.

package/src/prr/data/stacks/cypress.md

@@ -0,0 +1,53 @@
+# Cypress — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `cypress`, `cy.visit(`, `cy.get(`, `cy.intercept(`, `cypress.config.*`, `describe(` in `cypress/`
+
+---
+
+## Security
+- **[HIGH]** Hardcoded test credentials in Cypress test files committed to the repository → credentials exposed in version control and CI logs. Use `Cypress.env()` with environment variables injected at CI time; store secrets in your CI secret manager.
+- **[HIGH]** `cy.request()` calling authenticated API endpoints without proper auth token setup → tests may inadvertently call real external services or bypass auth unexpectedly. Always set the auth token via `cy.session()` or `Authorization` header in `cy.request()` explicitly.
+- **[MEDIUM]** Secrets placed in `cypress.env.json` and committed to the repository → sensitive values in version control. Add `cypress.env.json` to `.gitignore` and inject values via CI environment variables only.
+- **[MEDIUM]** Test data including PII from seeded users not cleaned up after test runs → leftover PII accumulates in the staging database. Add an `afterEach` or `after` hook that deletes or resets test data via a `cy.task()` DB call.
+- **[LOW]** `chromeWebSecurity: false` set in `cypress.config` to allow cross-origin requests → disables browser same-origin protections, letting cross-origin attacks go undetected. Remove `chromeWebSecurity: false` and use `cy.origin()` for legitimate cross-origin testing.
+
+---
+
+## Performance
+- **[HIGH]** `cy.wait(5000)` hard-coded time waits instead of waiting on network requests → tests are slow and flaky; the wait may not be enough on slow CI. Replace with `cy.intercept()` aliases and `cy.wait('@aliasName')` to wait for the actual request.
+- **[HIGH]** `cy.session()` not used for authentication state → login UI flow executed on every test, adding seconds per test. Cache login state with `cy.session('user', loginFn)` so auth is established once per session.
+- **[HIGH]** `cy.visit()` called for every test when tests could share a single page load → full navigation and app initialization overhead per test. Visit once in `before()` and reset state between tests without full reloads where possible.
+- **[MEDIUM]** `cy.get('.selector')` traversing the entire DOM when a scoped query is possible → selector resolution slows on large DOMs. Chain `.within()` to scope: `cy.get('#parent').within(() => { cy.get('button') })`.
+- **[MEDIUM]** `cy.task()` not used for database seeding → seeding done via UI or `cy.request()`, which depends on the app being fully functional. Use `cy.task('db:seed', data)` to insert directly into the DB via Node.js.
+- **[LOW]** Screenshots and videos enabled in CI without artifact retention policy → disk fills up and artifact uploads slow pipelines. Set `video: false` in CI and enable `screenshotOnRunFailure: true` only.
+
+---
+
+## Architecture
+- **[HIGH]** Selectors based on CSS classes or visible text → tests break whenever the UI is restyled or copy changes. Use `data-cy` attributes: `cy.get('[data-cy="submit-button"]')`.
+- **[HIGH]** Repeated auth, navigation, or interaction logic not extracted to custom commands → duplication across tests; one UI change breaks dozens. Extract sequences to `Cypress.Commands.add('login', ...)`.
+- **[MEDIUM]** Tests not organized by feature or page → test files become hundreds of lines, slow to scan. Organize into subdirectories: `cypress/e2e/auth/login.cy.ts`, `cypress/e2e/dashboard/overview.cy.ts`.
+- **[MEDIUM]** Cypress commands chained after native Promises without returning the Cypress chain → commands run out of order. Always return the Cypress chain from inside `.then()` callbacks; avoid mixing native Promises with Cypress commands.
+- **[MEDIUM]** No page object pattern for complex multi-step user flows → test code directly manipulates selectors; refactoring requires editing every test. Create helper functions or custom commands that encapsulate multi-step flows.
+- **[LOW]** Cypress configuration not split into base config plus environment-specific overrides → CI and local configs are identical; developers must manually change settings. Use `defineConfig` with environment-specific override files.
+
+---
+
+## Code Quality
+- **[HIGH]** `cy.get(sel).then(el => cy.get(sel2))` anti-pattern instead of `.within()` → creates unnecessary nested chains that are hard to read. Use `cy.get('#container').within(() => { cy.get('button').click() })`.
+- **[HIGH]** Assertions missing from tests → test passes even when the feature is broken because no assertion checks the expected state. Every test must end with at least one `.should()` assertion verifying the intended UI state.
+- **[MEDIUM]** `.should('be.visible')` not asserted before interacting with an element → Cypress may try to click a hidden or detached element, causing flaky failures. Use `cy.get(sel).should('be.visible').click()`.
+- **[MEDIUM]** Test data hardcoded inline instead of using fixtures → same data duplicated across tests; changing it requires editing multiple files. Extract to `cypress/fixtures/` JSON files and load with `cy.fixture()`.
+- **[MEDIUM]** No TypeScript types for custom commands in `cypress/support/index.d.ts` → custom commands typed as `any`; autocomplete absent. Extend the `Chainable` interface with type declarations for every custom command.
+- **[LOW]** No Cypress lint rules (eslint-plugin-cypress) configured → Cypress-specific anti-patterns not caught automatically. Add `eslint-plugin-cypress` with the recommended rule set to the ESLint config.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** `cy.get()` matching multiple elements when only one is expected → Cypress acts on the first match silently; tests pass against the wrong element. Assert `.should('have.length', 1)` or use a more specific selector.
+- **[HIGH]** Async code (Promises, async/await) in `before()` or `beforeEach()` without returning the Cypress chain → setup completes after tests begin; state is missing when tests run. Return the Cypress chain from setup hooks or use `cy.wrap(promise)`.
+- **[MEDIUM]** `cy.intercept()` alias defined after `cy.visit()` → network request fires before intercept is registered; alias never resolves. Always define `cy.intercept()` aliases before `cy.visit()` or the action that triggers the request.
+- **[MEDIUM]** `cy.contains()` matching hidden text nodes (e.g., inside a tooltip or offscreen element) → test passes but the visible text the user sees is different. Add `.should('be.visible')` after `cy.contains()`.
+- **[MEDIUM]** "detached from DOM" error when an element re-renders between `cy.get()` and the subsequent action → element reference becomes stale after React or Vue re-render. Re-query the element inside `.then()` after re-render-triggering actions.
+- **[LOW]** `cy.clock()` and `cy.tick()` not restored after tests that manipulate timers → fake clock bleeds into subsequent tests causing unexpected timing behavior. Call `cy.clock().then(c => c.restore())` in `afterEach`.

package/src/prr/data/stacks/d3.md

@@ -0,0 +1,53 @@
+# D3.js — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from 'd3'`, `import * as d3`, `d3.select`, `d3.scaleLinear`, `d3.axisBottom`, `.enter().append`
+
+---
+
+## Security
+- **[CRITICAL]** `.html(userContent)` called on a D3 selection with unencoded user data → XSS; D3 sets `innerHTML` directly. Use `.text(userContent)` for text content, or sanitize HTML with DOMPurify before passing to `.html()`.
+- **[HIGH]** `d3.json(userUrl)` or `d3.csv(userUrl)` called with a URL derived from user input without validation → SSRF or loading of malicious data. Validate and allowlist URLs before passing to D3 fetch helpers.
+- **[HIGH]** Dynamic SVG `<foreignObject>` elements populated with user-controlled HTML → XSS vector that bypasses SVG's normal escaping. Sanitize all HTML content placed inside `<foreignObject>` elements.
+- **[MEDIUM]** Axis tick labels or tooltip content bound directly to raw user data values → unencoded strings rendered as SVG `text` content. D3 `.text()` is safe, but `.html()` or `innerHTML` on tooltip containers is not; sanitize before inserting.
+- **[LOW]** D3 charts embedding data from external sources in SVG `<title>` or `<desc>` elements without encoding → minor content injection risk. Encode all external data used in SVG metadata.
+
+---
+
+## Performance
+- **[HIGH]** Not using `selection.join()` (D3 v5+) for enter/update/exit pattern → manual three-phase code is verbose, error-prone, and slower to execute. Replace `.selectAll().data().enter().append()` chains with `.join()`.
+- **[HIGH]** Rebuilding the entire chart (re-running enter/append on all elements) on every data update instead of updating existing elements → O(n) DOM operations on each change. Use the update selection to modify existing elements; only enter new ones and exit removed ones.
+- **[HIGH]** No transition throttling or debouncing on resize-driven re-renders → chart redraws on every pixel of window resize. Debounce resize handlers with at least 100ms delay.
+- **[MEDIUM]** Rendering thousands of SVG `<circle>` or `<path>` elements for large datasets → SVG DOM overhead causes frame drops. Switch to `<canvas>` rendering (D3 + Canvas API) or use `d3-tile` with WebGL for datasets above ~5,000 points.
+- **[MEDIUM]** D3 scale functions (`d3.scaleLinear`, `d3.scaleBand`) recreated on every render without memoization in React → recalculation overhead and new references causing child re-renders. Memoize scales with `useMemo` keyed on data and dimensions.
+- **[LOW]** `d3.csv` or `d3.json` called inside a render or effect without caching result → network request repeated on every render cycle. Load data once, store in state or ref, pass as prop.
+
+---
+
+## Architecture
+- **[HIGH]** D3 DOM manipulation (`.append()`, `.attr()`, `.style()`) running alongside React rendering on the same elements → virtual DOM and actual DOM desync causing lost updates and React warnings. Let React own the DOM; use D3 only for math (scales, axes, path generators) and render SVG elements via JSX.
+- **[MEDIUM]** Chart dimensions hardcoded as magic numbers instead of measured from the container → chart overflows or underutilizes space on different screen sizes. Use `ResizeObserver` on the container element and pass measured `width`/`height` to the chart.
+- **[MEDIUM]** Data transformation (filtering, aggregation, normalization) mixed with rendering logic in the same function → hard to test and reuse. Separate data pipeline (pure functions) from rendering (D3/SVG operations).
+- **[MEDIUM]** Axes, legends, and tooltips tightly coupled to chart internals → cannot reuse or test independently. Extract as separate components or factory functions receiving scales as arguments.
+- **[LOW]** Using deprecated D3 v4 or v5 API patterns (`.on('zoom')` without `d3.zoom()`, old nest API) in a v7 codebase → subtle behavioral differences. Audit imports and replace deprecated patterns with v7 equivalents.
+
+---
+
+## Code Quality
+- **[HIGH]** `d3.select<ElementType, Datum>()` called without TypeScript generics → selection typed as `Selection<BaseType, unknown, ...>`, losing all type safety on datum and element properties. Always provide element and datum type parameters.
+- **[MEDIUM]** Chart margins defined as magic numbers inline → hardcoded values repeated across multiple chart files. Extract to a named config object `const margin = { top: 20, right: 30, bottom: 40, left: 50 }`.
+- **[MEDIUM]** Transitions across charts using inconsistent durations and easing → jarring UX. Define shared transition presets and apply via `d3.transition('name')` named transitions.
+- **[MEDIUM]** Tooltip element created via `d3.select('body').append('div')` without cleanup → orphaned tooltip `<div>` elements accumulate in the DOM. Remove tooltip in component cleanup/teardown.
+- **[LOW]** Not using D3's built-in color schemes (`d3.schemeTableau10`, `d3.interpolateViridis`) → custom color arrays duplicated and inconsistent across charts. Use D3 ordinal and sequential color scales with built-in schemes.
+- **[LOW]** SVG not given explicit `viewBox` and `preserveAspectRatio` attributes → SVG does not scale correctly in flexible containers. Always set `viewBox="0 0 ${width} ${height}"` on the root SVG element.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** Data join key function omitted from `.data(dataset, d => d.id)` → D3 matches elements by index, causing wrong enter/exit assignment when data order changes. Always provide a key function that uniquely identifies each datum.
+- **[HIGH]** `d3.scaleLinear().domain([d3.min(data), d3.max(data)])` when `data` contains non-numeric or `undefined` values → domain becomes `[NaN, NaN]`, all positions render at 0. Validate and filter data before computing domain; use `d3.extent` for safety.
+- **[MEDIUM]** SVG y-axis inverted (y increases downward) not accounted for in scale range → chart renders upside down. Set scale range as `[height, 0]` for y-axis scales to flip the coordinate system.
+- **[MEDIUM]** Tooltip not hidden on `mouseleave` from chart element → tooltip stays visible indefinitely after cursor exits. Always pair `mouseover`/`mouseenter` handlers with `mouseleave` handlers that hide the tooltip.
+- **[MEDIUM]** `d3.zoom` transform applied to the wrong parent element → pan/zoom causes jumpy or offset behavior. Apply the transform to the inner `<g>` element, not the `<svg>`, and account for margin offset.
+- **[MEDIUM]** `d3.brushX` selection not cleared when data updates → stale brush extent filters new data unexpectedly. Reset brush programmatically with `brush.move(brushGroup, null)` on data change.
+- **[LOW]** `path.attr('d', lineGenerator)` called before data is bound to the selection → generator receives `undefined`, rendering an empty or broken path. Ensure data is joined before calling path generators.

package/src/prr/data/stacks/deno.md

@@ -0,0 +1,49 @@
+# Deno — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `deno.json` / `deno.jsonc` · `deno.lock` · `Deno.` namespace usage · `import_map.json` · `jsr:` / `npm:` / `https://` import specifiers · `deno run` scripts
+
+---
+
+## Security
+
+- **[CRITICAL]** Running with `--allow-all` (or `-A`) flag → defeats Deno's permission model entirely. Grant only the minimum required permissions (`--allow-net=api.example.com`, `--allow-read=./data`).
+- **[HIGH]** `--allow-run` without specifying allowed commands → grants permission to execute any process. Restrict with `--allow-run=git,node` allowlist.
+- **[HIGH]** Dynamic `import()` from a user-controlled URL or string → arbitrary code execution. Never construct import URLs from external input.
+- **[MEDIUM]** `--allow-net` without domain restriction → can connect to any host. Restrict to required domains.
+- **[MEDIUM]** `--allow-env` without variable allowlist → exposes all environment variables including secrets to the script. Use `--allow-env=SPECIFIC_VAR`.
+
+---
+
+## Performance
+
+- **[HIGH]** `Deno.readFileSync` / `Deno.writeFileSync` on large files in an async context → blocks the event loop. Use async `await Deno.readFile()` / `Deno.writeFile()`.
+- **[MEDIUM]** `for await ... of` on `Deno.readDir` without early exit → iterates entire directory. Break early when target is found.
+- **[LOW]** Not using Deno's native `Deno.serve()` (Deno 1.35+) → older `serve()` from `std/http` has more overhead. Prefer the native API for new code.
+
+---
+
+## Architecture
+
+- **[HIGH]** Node.js `require()` used without `npm:` specifier → `require` is not available in Deno by default. Use `import` with `npm:package-name` or `jsr:@scope/package`.
+- **[HIGH]** Dependencies imported from raw `https://` URLs without version pinning → non-reproducible builds; upstream URL changes silently break code. Use `jsr:` or `npm:` specifiers with versions.
+- **[MEDIUM]** `deno.lock` file not committed to version control → dependency versions not reproducible across environments. Commit the lockfile.
+- **[MEDIUM]** Permissions requested at CLI level too broadly for a library → libraries should not prescribe permissions; they should document what permissions callers must grant.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `// @ts-nocheck` or `any` type used extensively → Deno enforces strict TypeScript by default; suppressing type checking defeats the safety guarantee.
+- **[MEDIUM]** `Deno.env.get("VAR")` result used without null check → returns `undefined` for missing variables. Always validate or use a default: `Deno.env.get("PORT") ?? "8000"`.
+- **[LOW]** `import * as foo from "module"` when only one or two exports are needed → increases bundle size in compiled output. Use named imports.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Network request attempted without `--allow-net` → `Deno.errors.PermissionDenied` thrown at runtime, not at startup. Test with the exact set of permissions you intend to deploy with.
+- **[HIGH]** Top-level `await` in a module imported by many others → delays the entire import chain. Use `await` inside functions or limit top-level `await` to entry points.
+- **[MEDIUM]** `import 'https://deno.land/...'` from the Deno third-party module registry → `deno.land/x` is no longer receiving new modules; prefer `jsr:` for new dependencies.
+- **[MEDIUM]** `Deno.cwd()` used to construct file paths → returns the working directory at runtime, which may differ from the script's location. Use `import.meta.url` + `new URL('./file', import.meta.url).pathname` for script-relative paths.
+- **[LOW]** `Deno.exit()` called in a library function → terminates the entire process; callers cannot handle the error. Throw an error instead.

package/src/prr/data/stacks/django.md

@@ -0,0 +1,92 @@
+# Django — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from django`, `models.Model`, `views.py`, `urls.py`, `settings.py`, `manage.py`, `INSTALLED_APPS`, DRF `serializers.py`, `djangorestframework`
+
+---
+
+## Security
+
+- **[CRITICAL]** Raw SQL via `raw()` or `cursor.execute()` with string formatting → SQL injection. Use `%s` parameterized or ORM.
+- **[CRITICAL]** `mark_safe()` on user-controlled content → XSS. Only use on strings you fully control.
+- **[CRITICAL]** `DEBUG = True` in production → detailed error pages with source code exposed.
+- **[CRITICAL]** `SECRET_KEY` hardcoded in `settings.py` → version control exposure. Use `os.environ.get()` or `django-environ`.
+- **[HIGH]** Missing `@login_required` or DRF `permission_classes` → unauthenticated access.
+- **[HIGH]** `@csrf_exempt` without justification on state-changing endpoints.
+- **[HIGH]** `ALLOWED_HOSTS = ['*']` in production → HTTP Host header injection.
+- **[HIGH]** Object-level permission not checked → `get_object_or_404` without ownership verification → IDOR.
+- **[HIGH]** Missing `is_staff`/`is_superuser` check on admin-equivalent views.
+- **[HIGH]** File upload without content-type validation → execute malicious file via misconfigured server.
+- **[HIGH]** Open redirect via unvalidated `next` parameter in login views.
+- **[MEDIUM]** Missing `HttpOnly`/`Secure`/`SameSite` flags on session cookie (`SESSION_COOKIE_*` settings).
+- **[MEDIUM]** `MEDIA_ROOT` served by Django in production → should be served by Nginx/CDN with correct content-type.
+- **[MEDIUM]** DRF `TokenAuthentication` over HTTP → tokens transmitted in plaintext. Enforce HTTPS.
+- **[LOW]** Django admin accessible at default `/admin/` path in production → known attack target; change with custom URL.
+
+---
+
+## Performance
+
+- **[CRITICAL]** N+1 ORM queries — accessing related objects in loop without `select_related()` or `prefetch_related()`.
+- **[HIGH]** `QuerySet.all()` without filtering → loads entire table.
+- **[HIGH]** Missing database indexes on frequently filtered/ordered fields (`db_index=True` or `Meta.indexes`).
+- **[HIGH]** `len(queryset)` instead of `queryset.count()` → loads all records into memory.
+- **[HIGH]** Synchronous external API calls in view → blocks Django worker. Use Celery for async work.
+- **[HIGH]** DRF serializer with `many=True` on unfiltered QuerySet → serializing entire table.
+- **[HIGH]** Missing Celery/task queue for email sending, image processing in request-response cycle.
+- **[MEDIUM]** Missing pagination on list views (ListView or DRF `pagination_class`).
+- **[MEDIUM]** Missing `only()` / `defer()` on queries that don't need all fields → SELECT *.
+- **[MEDIUM]** `values()` / `values_list()` not used for read-only aggregation → full ORM overhead.
+- **[MEDIUM]** QuerySet not cached via `django.core.cache` for expensive repeated reads.
+- **[MEDIUM]** Database queries in template rendering (lazy ORM evaluation).
+- **[LOW]** `annotate()` not used for counting related objects → N+1 Python-side counting.
+- **[LOW]** Not using `bulk_create()` / `bulk_update()` for batch DB operations.
+
+---
+
+## Architecture
+
+- **[HIGH]** Business logic in views or templates → move to model methods, managers, or service layer.
+- **[HIGH]** Fat models >500 lines → split into service classes or managers.
+- **[HIGH]** Django signals used for critical business logic → hard to trace, test. Prefer explicit service calls.
+- **[HIGH]** Not using `AbstractBaseUser` for custom auth → `AUTH_USER_MODEL` migration headaches later.
+- **[HIGH]** `settings.py` not split by environment (base/dev/prod) → debug settings leaked to production.
+- **[MEDIUM]** Missing `related_name` on FK/M2M → reverse accessor is `<model>_set`, confusing.
+- **[MEDIUM]** Direct `settings` import in reusable apps → use `AppConfig`.
+- **[MEDIUM]** Missing migration for model change → `makemigrations` not run, production schema drift.
+- **[MEDIUM]** DRF `ModelSerializer` used with `fields = '__all__'` → over-exposing fields.
+- **[MEDIUM]** DRF view doing too much (validation + business logic + serialization) → extract to service.
+- **[LOW]** Not using Django's `AbstractModel` for common fields (created_at, updated_at).
+- **[LOW]** App-level URLs not included in project `urls.py` via `include()`.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Missing `__str__` on Model → `<Model object (1)>` in admin and logs.
+- **[HIGH]** Missing `Meta.ordering` on models used in list views → non-deterministic order.
+- **[HIGH]** DRF serializer `validate_<field>` not raising `serializers.ValidationError` → validation silently ignored.
+- **[MEDIUM]** `get_or_create` without checking `created` flag → unaware if object was newly created.
+- **[MEDIUM]** `filter().get()` instead of `get()` → extra unnecessary query.
+- **[MEDIUM]** Hardcoded URLs in templates/views instead of `{% url %}` or `reverse()`.
+- **[MEDIUM]** Not using `get_object_or_404` in views → raw `Model.objects.get()` raises 500 on miss.
+- **[MEDIUM]** `null=True` on `CharField`/`TextField` → two empty values (empty string + NULL). Use `blank=True` only.
+- **[MEDIUM]** DRF not using `@action` decorator for custom actions → awkward URL patterns.
+- **[LOW]** Missing `verbose_name`/`verbose_name_plural` on models → ugly admin.
+- **[LOW]** Missing `app_name` in `urls.py` → namespace conflicts.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** QuerySet as default argument (`def fn(qs=Model.objects.all())`) → evaluated once at definition, stale data.
+- **[HIGH]** Transaction not used around multiple related DB writes → partial failure leaves inconsistent state.
+- **[HIGH]** `update()` on QuerySet bypasses `save()` and signals → `pre_save`/`post_save` not triggered.
+- **[HIGH]** `delete()` on QuerySet bypasses model `delete()` and `post_delete` signals.
+- **[HIGH]** `request.user` accessed in model or service layer → breaking separation of concerns and testability.
+- **[MEDIUM]** Timezone-naive `datetime.now()` instead of `timezone.now()` → bugs in non-UTC deployments.
+- **[MEDIUM]** `get_or_create` in concurrent requests → race condition, unique constraint violations.
+- **[MEDIUM]** Signal `sender` not specified → signal fires for all models of that event.
+- **[MEDIUM]** Migration squashing not done → extremely slow migration history.
+- **[LOW]** `on_delete=models.CASCADE` default assumed without considering orphan behavior.
+- **[LOW]** `choices` on CharField not enforced at DB level → only validated in forms/serializers.