prr-kit 1.1.3 → 1.2.1

package/src/prr/data/stacks/fiber.md

@@ -0,0 +1,55 @@
+# Fiber — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: "github.com/gofiber/fiber", fiber.New(), app.Get(, c.JSON(, c.BodyParser(, fiber.Config{
+
+---
+
+## Security
+- **[HIGH]** Missing `helmet` middleware (`github.com/gofiber/helmet`) → no security headers sent, leaving app vulnerable to clickjacking, MIME sniffing, and XSS. Register helmet middleware globally before route handlers.
+- **[HIGH]** CSRF middleware not configured on state-mutating routes → cross-site form submissions processed without token validation. Enable CSRF protection for all POST/PUT/PATCH/DELETE routes.
+- **[HIGH]** `c.BodyParser` used without a body size limit → large payloads exhaust memory. Configure `fiber.Config{ BodyLimit: 4 * 1024 * 1024 }` to enforce a maximum request body size.
+- **[HIGH]** Wildcard CORS configured in production (origin: "*") → cross-origin requests accepted from any domain. Set explicit allowed origins in `cors.Config{ AllowOrigins: "https://yourdomain.com" }`.
+- **[CRITICAL]** Path traversal via `c.Params()` values used in file operations → attacker crafts a path to read or overwrite arbitrary files. Sanitize and validate all path parameters before using them in file system calls.
+- **[MEDIUM]** Missing authentication middleware on protected route groups → unauthenticated requests reach protected handlers. Use `app.Use()` on route groups to enforce auth before handler execution.
+- **[MEDIUM]** Not validating struct fields after `c.BodyParser` → business logic receives zero-value or malformed data. Integrate a validation library (e.g., `go-playground/validator`) after parsing.
+- **[MEDIUM]** Sensitive error details returned in HTTP responses → internal paths or DB errors exposed to clients. Return generic error messages and log detailed errors server-side only.
+
+---
+
+## Performance
+- **[CRITICAL]** Fiber reuses `*fiber.Ctx` across requests → capturing ctx in a goroutine causes data races and use-after-free bugs. Never pass ctx to goroutines; extract all needed values before launching.
+- **[MEDIUM]** Missing compress middleware for large responses → uncompressed JSON or HTML payloads increase bandwidth and client load time. Add `github.com/gofiber/fiber/middleware/compress`.
+- **[MEDIUM]** `c.JSON()` marshaling large structs without streaming → entire response buffered in memory. For large datasets, use streaming responses or pagination.
+- **[LOW]** `Prefork: true` not used on multi-core servers handling CPU-bound workloads → single process cannot fully utilize available CPU cores. Enable prefork in production environments and test for compatibility.
+- **[HIGH]** Synchronous blocking calls (file I/O, external HTTP) inside handlers → Fiber's event loop stalls, degrading all concurrent requests. Use goroutines with proper synchronization for blocking operations.
+- **[MEDIUM]** Not using `app.Static()` for serving static files → static assets served through application handlers with unnecessary overhead. Configure the built-in static file middleware for asset serving.
+
+---
+
+## Architecture
+- **[MEDIUM]** Not using `app.Group()` for route organization → all routes defined at the top level, making the router file unmanageable as the app grows. Group related routes with common prefixes and middleware.
+- **[HIGH]** Business logic implemented directly in handler functions → handlers become untestable and hard to maintain. Extract domain logic into service types with clear interfaces.
+- **[MEDIUM]** Custom error handler not set via `app.Use(errorHandler)` → default Fiber error format inconsistent with the application API contract. Define a custom error handler returning the standard error shape.
+- **[MEDIUM]** Database connections not managed via dependency injection → global DB instances make testing difficult and hide coupling. Pass DB and service dependencies through closure or a custom handler struct.
+- **[LOW]** No middleware for request ID generation → distributed tracing and log correlation are difficult without request IDs. Add a request-ID middleware and propagate it through context and response headers.
+
+---
+
+## Code Quality
+- **[HIGH]** Missing input validation after `c.BodyParser` → raw parsed data used without field-level validation, allowing missing or malformed data into business logic. Integrate `go-playground/validator` or equivalent after parsing.
+- **[MEDIUM]** `c.Locals()` used as a typed store without type assertions → values retrieved as `interface{}` cause silent nil panics when the type is wrong. Define typed accessor helpers for context locals.
+- **[HIGH]** Not handling `c.BodyParser` errors explicitly → parse failures pass a zero-value struct to the handler, corrupting business logic. Always check and return the error from BodyParser.
+- **[MEDIUM]** No logging middleware configured → requests and errors go untracked, making production debugging difficult. Add the built-in logger middleware or a structured logging middleware.
+- **[LOW]** Not using fiber's built-in timeout middleware → slow handlers hold connections indefinitely. Configure `middleware/timeout` to enforce handler deadlines.
+- **[MEDIUM]** Using `fiber.Map` for all responses instead of typed structs → response shape is untyped and prone to field name typos. Define response structs to enforce a stable contract.
+
+---
+
+## Common Bugs & Pitfalls
+- **[CRITICAL]** `*fiber.Ctx` captured in a goroutine without copying → ctx is recycled after handler returns, causing reads of garbage data or panics. Use `c.Context().Copy()` or extract needed values before the goroutine.
+- **[MEDIUM]** `c.JSON()` called after `c.Next()` in middleware → response already committed by an inner handler, causing "response already sent" errors. Check if response is committed before writing in middleware.
+- **[MEDIUM]** Path parameters overlapping between route definitions → ambiguous routes cause the wrong handler to be called. Order routes from most specific to most general and use explicit path segments.
+- **[HIGH]** Not handling panics in goroutines spawned from handlers → goroutine panics crash the process and take down all active requests. Recover from panics in goroutines and log or report the error.
+- **[MEDIUM]** `app.Listen()` without graceful shutdown → in-flight requests dropped when process exits. Implement signal handling and `app.Shutdown()` for graceful termination.
+- **[HIGH]** Not setting `ReadTimeout` and `WriteTimeout` in `fiber.Config` → slow or malicious clients hold connections open indefinitely, exhausting connection slots. Set appropriate timeouts in the Fiber config.

package/src/prr/data/stacks/firebase.md

@@ -0,0 +1,43 @@
+# Firebase — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `firebase` in deps · `initializeApp(` · `getFirestore(` · `getAuth(` · `collection(` · `import 'firebase/` · `firebase.json` · `.firebaserc`
+
+---
+
+## Security
+
+- **[CRITICAL]** Firestore / Realtime Database security rules contain `allow read, write: if true` → anyone on the internet can read, write, or delete your entire database.
+- **[CRITICAL]** Firebase Admin SDK service account JSON committed to version control → full administrative access to your Firebase project, bypasses all security rules.
+- **[HIGH]** Firestore security rules not validating incoming data shape or field types → client can write documents with any structure, including oversized fields or unexpected types. Add `request.resource.data` validation.
+- **[HIGH]** Authorization logic in client-side code only: `if (user.uid === doc.ownerId)` → client code can be bypassed. Enforce ownership and access control in Firestore security rules.
+- **[MEDIUM]** Firebase API key visible in client-side code → expected (it's a public identifier), BUT ensure domain restrictions are configured in Firebase Console to prevent use from unauthorized domains.
+
+---
+
+## Performance
+
+- **[HIGH]** `onSnapshot` listener not unsubscribed on component unmount → each mount adds a new listener; stale listeners fire callbacks on unmounted components, causing memory leaks and potential state updates after unmount.
+- **[HIGH]** Fetching entire collection without a `where()` query → every read costs money; full collection scans on large datasets will exhaust quota and budget.
+- **[MEDIUM]** Missing `limit()` on Firestore queries → unbounded reads; a growing collection causes increasing cost and latency over time.
+- **[MEDIUM]** Real-time `onSnapshot` listener used where a one-time `getDoc()` / `getDocs()` suffices → continuous WebSocket connection maintained unnecessarily.
+- **[LOW]** Not using `enableIndexedDbPersistence()` for offline support → queries fail when offline; consider offline capability for mobile-like use cases.
+
+---
+
+## Architecture
+
+- **[HIGH]** Business logic placed in Firestore security rules (complex calculations, multi-step workflows) → rules are for access control only; complex logic belongs in Cloud Functions or the application layer.
+- **[MEDIUM]** Deeply nested Firestore sub-collections more than 2 levels → Firestore cannot query across parent documents for sub-collections. Flatten the data model or use root-level collections with foreign key fields.
+- **[MEDIUM]** `set()` used without `{ merge: true }` when partial update is intended → overwrites entire document, deletes unspecified fields. Use `update()` for partial updates.
+- **[LOW]** Storing large blobs or images directly in Firestore documents → Firestore is optimized for structured data; store binaries in Firebase Storage and keep URLs/metadata in Firestore.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Direct array write instead of `arrayUnion` / `arrayRemove` for concurrent updates → two simultaneous writes both read the array, modify it, and write back; one write overwrites the other (last-write-wins). Use atomic array operations.
+- **[HIGH]** `Timestamp.now()` used for ordering instead of `serverTimestamp()` → client clock may be wrong (wrong timezone, wrong time). Use `serverTimestamp()` for ordering and audit trails.
+- **[MEDIUM]** Querying with `where('field', '!=', value)` without a composite index → Firestore throws an error at runtime pointing to the missing index. Check the Firebase Console for required indexes.
+- **[MEDIUM]** `auth.currentUser` accessed synchronously on app load before auth state is initialized → may be `null` even if user is logged in. Always use `onAuthStateChanged` to react to auth state.
+- **[LOW]** Firestore `where` inequality filter (`<`, `>`, `!=`) on a field combined with `orderBy` on a different field → requires a composite index and may throw a runtime error.

package/src/prr/data/stacks/flask.md

@@ -0,0 +1,46 @@
+# Flask — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `from flask import`, `@app.route`, `Flask(__name__)`, `Blueprint`, `flask` in requirements.txt
+
+---
+
+## Security
+
+- **[CRITICAL]** `render_template_string()` with user-controlled input → Server-Side Template Injection (SSTI). Never use with user data.
+- **[CRITICAL]** SQL query with f-string / `.format()` of user input → SQL injection. Use parameterized queries.
+- **[HIGH]** Missing `@login_required` / auth check on protected routes.
+- **[HIGH]** `SECRET_KEY` hardcoded in app code → session forgery. Load from environment.
+- **[HIGH]** `Markup()` used to mark user content as safe → XSS. Jinja2 escapes by default; don't bypass it.
+- **[HIGH]** Debug mode enabled in production (`app.run(debug=True)`) → interactive debugger accessible to users, RCE risk.
+- **[MEDIUM]** `send_file()` / `send_from_directory()` with user-controlled path → path traversal. Validate and sanitize paths.
+- **[MEDIUM]** Missing CSRF protection (Flask-WTF or manual token) on state-changing forms.
+- **[MEDIUM]** Allowing all origins in CORS configuration for APIs with auth.
+
+---
+
+## Performance
+
+- **[HIGH]** Synchronous DB calls blocking Flask worker — use async frameworks (Quart) or offload to Celery.
+- **[HIGH]** N+1 ORM queries in view function — load relations eagerly.
+- **[MEDIUM]** `session` object used to store large data → stored in cookie, 4KB limit, sent on every request.
+- **[MEDIUM]** No pagination on list endpoints.
+- **[LOW]** Flask development server (`app.run()`) used in production instead of Gunicorn/uWSGI → single-threaded.
+
+---
+
+## Architecture
+
+- **[HIGH]** All routes in single `app.py` → use Blueprints to organize by domain.
+- **[MEDIUM]** Application factory pattern (`create_app()`) not used → hard to test with different configs.
+- **[MEDIUM]** Business logic directly in route function → move to service/model layer.
+- **[LOW]** `current_app` accessed outside application context → `RuntimeError`.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Mutable default in route function or SQLAlchemy model → shared state across requests.
+- **[HIGH]** `g` object used to store request-scoped data but not cleaned up → leaks between requests in some WSGI setups.
+- **[MEDIUM]** `redirect(request.referrer)` without validation → open redirect.
+- **[MEDIUM]** `jsonify()` not used for JSON responses → missing Content-Type header.

package/src/prr/data/stacks/flutter.md

@@ -0,0 +1,75 @@
+# Flutter / Dart — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.dart` files · `pubspec.yaml` with `flutter:` · `import 'package:flutter/` · `Widget` · `StatefulWidget` · `BuildContext` · `Riverpod`/`Bloc`/`Provider`
+
+---
+
+## Security
+
+- **[HIGH]** Sensitive data (tokens, passwords, PINs) in `SharedPreferences` → not encrypted. Use `flutter_secure_storage` (Keychain on iOS, Keystore on Android).
+- **[HIGH]** `WebView` with `javaScriptMode: JavascriptMode.unrestricted` loading untrusted URLs → XSS, platform channel access.
+- **[HIGH]** API keys hardcoded in Dart source → extracted from APK/IPA via reverse engineering. Use `--dart-define` or backend proxy.
+- **[HIGH]** `dart:mirrors` used for dynamic invocation of user-controlled method names → code injection.
+- **[MEDIUM]** Certificate validation disabled (custom `HttpClient.badCertificateCallback`) → MITM.
+- **[MEDIUM]** `Platform.environment` in Flutter → may expose environment variables. Use `--dart-define` for build-time constants.
+- **[MEDIUM]** Deep link params not validated → malicious intent triggers action with crafted data.
+- **[LOW]** Debug flag (`kDebugMode`) not checked before logging sensitive data.
+
+---
+
+## Performance
+
+- **[HIGH]** `setState()` on high-level ancestor for leaf change → rebuilds entire subtree. Use `Provider`/`Riverpod`/`ValueNotifier` to scope rebuilds.
+- **[HIGH]** Heavy objects created inside `build()` → recreated on every rebuild. Move to `initState()` or `didChangeDependencies()`.
+- **[HIGH]** `ListView` (non-builder) for dynamic/long lists → all items rendered. Use `ListView.builder()`.
+- **[HIGH]** `FutureBuilder` without stable `future` reference → parent rebuild creates new Future, re-fetches every time. Store Future in `initState`.
+- **[HIGH]** `const` constructor missing on stateless widgets → prevents subtree optimization.
+- **[HIGH]** `build()` method doing I/O or heavy computation → blocks UI thread. Use `compute()` or `Isolate`.
+- **[MEDIUM]** `Image.network` without `cacheWidth`/`cacheHeight` → full resolution decoded for small display.
+- **[MEDIUM]** `AnimationController` not disposed → memory leak and assertion errors.
+- **[MEDIUM]** `StreamBuilder` subscribing to broadcast stream that never closes → subscription held forever.
+- **[LOW]** Not using `RepaintBoundary` to isolate frequently repainting widgets → whole tree repainted.
+- **[LOW]** `Opacity` widget used for animations instead of `AnimatedOpacity` or `FadeTransition`.
+
+---
+
+## Architecture
+
+- **[HIGH]** Business logic inside `Widget.build()` → hard to test. Use BLoC, Provider, Riverpod, or GetX.
+- **[HIGH]** `BuildContext` used across `async` gap without `mounted` check → crash after navigation.
+- **[HIGH]** `Navigator.pop()` called without checking navigator stack → `FlutterError` on first route.
+- **[HIGH]** `StatefulWidget` used for everything → use `StatelessWidget` + state management for separation.
+- **[MEDIUM]** `GetX` controller not bound to widget lifecycle → controller persists after widget destroyed.
+- **[MEDIUM]** Not using `GoRouter` or `auto_route` for deep link + navigation → manual route management breaks.
+- **[MEDIUM]** Platform channel not handling errors → unhandled exception on plugin failure.
+- **[LOW]** Widget `build()` >100 lines → extract named sub-widgets or methods.
+- **[LOW]** Not organizing code by feature → flat `lib/` directory with hundreds of files.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `dynamic` type used broadly → defeats Dart sound null safety. Use specific types or generics.
+- **[HIGH]** `TextEditingController`/`FocusNode`/`ScrollController` not disposed → memory leak + debug assertion.
+- **[HIGH]** `mounted` check missing after every `await` in `StatefulWidget` method.
+- **[MEDIUM]** `print()` in production → use `debugPrint()` (no-op in release) or structured logging.
+- **[MEDIUM]** Missing `Key` on list items → Flutter can't reconcile tree on reorder.
+- **[MEDIUM]** `late` variables accessed before initialization → `LateInitializationError` at runtime.
+- **[MEDIUM]** Nullable variable accessed with `!` without check → `Null check operator used on null value`.
+- **[LOW]** Not running `flutter analyze` in CI → lint issues uncaught.
+- **[LOW]** `pubspec.yaml` dependencies not version-pinned → unexpected breaking changes.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `async` `onPressed` without `mounted` check → `setState()` on unmounted widget.
+- **[HIGH]** `Column` with `Expanded` inside `ListView` → layout exception (unbounded height). Use `shrinkWrap` or restructure.
+- **[HIGH]** `StreamController` not closed → memory leak and lint warning.
+- **[MEDIUM]** `Image.network` without `errorBuilder` → broken image shown silently.
+- **[MEDIUM]** `FocusNode.dispose()` not called → memory leak.
+- **[MEDIUM]** `Riverpod` provider accessed after widget disposed → `ProviderScope` not found error.
+- **[MEDIUM]** `WillPopScope` deprecated (Flutter 3.12+) → use `PopScope` with `canPop` instead.
+- **[LOW]** `ThemeData` not using `ColorScheme.fromSeed` (Material 3) → inconsistent colors.
+- **[LOW]** Not testing on both iOS and Android → platform-specific bugs missed.

package/src/prr/data/stacks/gin.md

@@ -0,0 +1,57 @@
+# Gin — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: "github.com/gin-gonic/gin", gin.Default(), gin.New(), c.JSON(, c.ShouldBindJSON, r.GET(, r.POST(
+
+---
+
+## Security
+- **[CRITICAL]** `c.ShouldBind` used without validation struct tags → unvalidated user input reaches business logic. Always define and enforce validation tags (`binding:"required"`, `validate:"email"`, etc.) on all bound structs.
+- **[CRITICAL]** SQL injection via `fmt.Sprintf` in database queries → attacker-controlled input alters query structure. Always use parameterized queries or an ORM with prepared statements.
+- **[HIGH]** Missing CORS configuration or wildcard CORS (`"*"`) in production → cross-origin requests accepted from any domain. Configure explicit allowed origins via gin-cors middleware.
+- **[HIGH]** No rate limiting middleware → DoS attacks succeed without throttling. Integrate a rate limiter such as `golang.org/x/time/rate` or a middleware library.
+- **[HIGH]** Server binding to `0.0.0.0` in production without TLS → traffic transmitted in plaintext over network. Terminate TLS at the load balancer or configure `tls.ListenAndServeTLS`.
+- **[HIGH]** SSRF via user-controlled URL in proxy or fetch handlers → attacker triggers requests to internal services. Validate and whitelist allowed URL schemes and hosts before making server-side requests.
+- **[MEDIUM]** Sensitive data (tokens, passwords) logged in debug mode → secrets appear in log files accessible to operators. Use structured logging with field redaction and disable debug logs in production.
+- **[MEDIUM]** Missing input length limits on string fields → oversized payloads cause excessive memory allocation or ReDoS in regex validators. Enforce maximum lengths in validation tags or middleware.
+
+---
+
+## Performance
+- **[HIGH]** Debug mode (`gin.Default()`) used in production → verbose logging and color output add unnecessary overhead. Use `gin.New()` with explicit middleware and set `GIN_MODE=release`.
+- **[MEDIUM]** No response caching for static or slow-changing data → repeated expensive queries for identical data on every request. Add cache-control headers or an in-memory cache layer.
+- **[MEDIUM]** Synchronous database calls in handlers without goroutines for independent queries → sequential round-trips increase total response latency. Use goroutines with `errgroup` for parallel independent DB calls.
+- **[MEDIUM]** Large JSON marshaling of full structs without streaming → entire response built in memory before sending. For very large datasets, use streaming encoders or pagination.
+- **[LOW]** Missing gzip middleware for large responses → uncompressed payloads increase bandwidth and client latency. Add `github.com/gin-contrib/gzip` to the middleware stack.
+- **[MEDIUM]** Allocating large slices with fixed capacity inside handlers → GC pressure accumulates under load. Pre-allocate with realistic capacity estimates or use sync.Pool for reusable buffers.
+- **[MEDIUM]** Not using Gin route groups for common middleware (e.g., auth, logging) → middleware applied redundantly or inconsistently across routes. Use `r.Group()` with shared middleware.
+
+---
+
+## Architecture
+- **[HIGH]** Business logic implemented in handler functions instead of a service layer → handlers become large, untestable, and tightly coupled to HTTP. Extract logic into service structs with well-defined interfaces.
+- **[HIGH]** Not using dependency injection → hardcoded global DB connections and singletons make testing impossible and hide coupling. Pass dependencies (DB, logger, services) through handler structs or closures.
+- **[MEDIUM]** Route groups not organized by domain or API version → route file becomes a flat, unnavigable list as the app grows. Group related routes with `r.Group("/api/v1/")` and domain prefixes.
+- **[MEDIUM]** Middleware not scoped appropriately to route groups → auth or logging middleware applied globally when only needed for specific paths. Attach middleware at the group level, not globally.
+- **[MEDIUM]** No graceful shutdown handling → in-flight requests dropped when the process receives SIGTERM. Implement `srv.Shutdown(ctx)` on SIGTERM/SIGINT signals.
+- **[LOW]** Single router file containing all route definitions → file grows unwieldy in large applications. Split route registration into per-domain files and register them in the main router setup.
+
+---
+
+## Code Quality
+- **[HIGH]** Missing `binding:"required"` tags on struct fields → optional fields treated as present when absent, leading to zero-value data passing validation silently. Tag all required fields explicitly.
+- **[MEDIUM]** Not using `c.Error()` for error accumulation during request processing → multiple errors not collected, only the last one surfaced. Use `c.Error(err)` and a centralized error handler middleware.
+- **[MEDIUM]** Handler returning `nil` error for all code paths → callers cannot differentiate success from business-logic errors. Return meaningful typed errors and let the error handler map them to HTTP status codes.
+- **[HIGH]** `c.Abort()` not called after `c.JSON()` in error path → handler chain continues executing after error response is sent. Always call `c.Abort()` when sending an early response in middleware.
+- **[MEDIUM]** Missing API versioning strategy → breaking changes break existing clients without warning. Use route groups with version prefixes (`/api/v1`) and document deprecation timelines.
+- **[LOW]** Not using Gin's custom validator tags via `validator.RegisterValidation` → complex validation rules duplicated across handlers. Register custom validators once and reference them via struct tags.
+
+---
+
+## Common Bugs & Pitfalls
+- **[MEDIUM]** Confusing `c.ShouldBindJSON` with `c.BindJSON` → `c.BindJSON` writes a 400 response automatically on error, preventing custom error handling. Prefer `c.ShouldBindJSON` and handle errors explicitly.
+- **[CRITICAL]** Handler goroutine using `c *gin.Context` after the request ends → Gin reuses context objects, causing data races and panics. Copy needed values before launching goroutines; never pass `c` directly.
+- **[MEDIUM]** `gin.Recovery()` swallowing panics silently in production without custom handler → panics logged at error level but client gets a generic 500 with no alerting. Replace with a custom recovery middleware that triggers alerting.
+- **[LOW]** Route params and paths being case-sensitive with trailing slash issues → clients get unexpected 404s due to URL casing or missing slash. Configure `RedirectTrailingSlash` and document case sensitivity.
+- **[HIGH]** Not validating `Content-Type` header before binding → unexpected content type causes a 400 error that is hard to debug. Check content-type early and return a clear error message.
+- **[MEDIUM]** Ignoring errors from `c.JSON()` or `c.String()` → write failures go undetected. Log write errors or use a response wrapper that captures write errors.

package/src/prr/data/stacks/github-actions.md

@@ -0,0 +1,71 @@
+# GitHub Actions Stack Rules
+
+Detection signals: `.github/workflows/*.yml`, `.github/workflows/*.yaml`, `on:` trigger, `jobs:`, `steps:`, `uses:`, `runs-on:`, `actions/checkout`
+
+---
+
+## Security
+
+- **[CRITICAL]** User-controlled data interpolated directly in a `run:` step via expressions like `github.event.issue.title` passed as shell arguments → script injection allows an attacker to execute arbitrary commands with the runner's permissions. Always pass untrusted input via an env var and reference as `$VAR` in shell, never inline the expression.
+- **[CRITICAL]** `pull_request_target` trigger checking out and running code from the PR branch → this event runs with write permissions and access to secrets; a malicious PR can exfiltrate the `GITHUB_TOKEN` or deploy credentials. Never checkout the PR ref in `pull_request_target` without strict branch restrictions and required approvals.
+- **[CRITICAL]** Secrets echoed or logged in run steps → GitHub masks known secret values but transformed or encoded forms may still leak. Never echo, log, or interpolate secrets into shell output; pass them only as environment variables to commands that need them.
+- **[HIGH]** Actions pinned by mutable tag (e.g. `uses: actions/checkout@v4`) rather than a full commit SHA → the tag can be moved or deleted, enabling a supply-chain attack that substitutes malicious code. Pin to full SHA with a tag comment: `uses: actions/checkout@11bd71901... # v4`.
+- **[HIGH]** `permissions: write-all` or omitting the `permissions` key entirely (defaults to write on some repos) → the `GITHUB_TOKEN` is over-privileged, increasing the blast radius of any compromised step. Always declare minimal permissions per job.
+- **[HIGH]** Self-hosted runner on shared infrastructure with no job isolation between runs → one workflow can read another job's secrets, artifacts, or working directory state. Use ephemeral self-hosted runners or GitHub-hosted runners for sensitive jobs.
+- **[HIGH]** Workflow triggered on `pull_request` with write permissions and no approval requirement for fork PRs → fork PR can trigger a privileged workflow and leak secrets. Use environment protection rules with required reviewers for any job that accesses secrets.
+- **[MEDIUM]** Third-party action from an unverified publisher without SHA pinning → the action could be compromised at any future point without warning. Fork the action into your own org, or pin to a specific commit SHA and audit the source.
+- **[MEDIUM]** Secrets stored in repo-level env blocks visible in verbose runner logs → even masked secrets may appear in transformed form. Use step-level env blocks and minimize secret scope to the step that needs it.
+- **[MEDIUM]** `GITHUB_TOKEN` used beyond its intended repository scope without explicit permission grant → scoping errors cause unexpected access or unexpected failures. Declare permissions explicitly; use fine-grained PATs for cross-repository operations.
+- **[LOW]** Workflow files in public repositories not reviewed by a security-aware maintainer → any maintainer can introduce a step that exfiltrates secrets. Require CODEOWNERS review for all changes to `.github/workflows/`.
+- **[LOW]** `continue-on-error: true` on security-sensitive steps such as secret rotation or audit submission → failure is silently ignored, leaving the system in an insecure state. Only use this on genuinely optional steps.
+
+---
+
+## Performance
+
+- **[CRITICAL]** No dependency caching (`actions/cache` or setup action built-in cache) for package managers → npm/pip/maven/gradle install runs from scratch on every job, wasting 1-5 minutes. Cache with a key based on the lockfile hash using hashFiles.
+- **[HIGH]** All steps in a single monolithic job with no parallelism → serial bottleneck; the job is as slow as the sum of all steps. Split into parallel jobs using the `needs:` dependency graph to run independent work concurrently.
+- **[HIGH]** Uploading and downloading artifacts in every job when only specific jobs need them → unnecessary I/O and artifact storage costs. Upload once in the producing job; download only in jobs that explicitly need it.
+- **[HIGH]** Matrix strategy not used for multi-platform or multi-version testing → sequential test runs instead of parallel. Use `strategy: matrix: { os: [...], node: [...] }` to test all combinations concurrently.
+- **[MEDIUM]** Uploading large unused artifacts (full build directories, node_modules) → wastes storage quota and slows down the workflow summary. Filter artifacts to only the files needed by downstream jobs or for debugging.
+- **[MEDIUM]** Missing `timeout-minutes` on jobs → a hung job (deadlocked process, waiting for user input) runs until the 6-hour GitHub default limit, burning paid minutes. Set an explicit timeout appropriate for each job.
+- **[MEDIUM]** No concurrency cancellation for PR branch workflows → every push to a PR branch queues a new run while old runs are still active, wasting minutes. Add a concurrency group with cancel-in-progress: true for pull_request triggers.
+- **[MEDIUM]** Running the full test suite on every push to every branch without path filtering → a docs-only change triggers a full 10-minute test run. Use `on: push: paths:` or `paths-ignore:` filters to skip irrelevant runs.
+- **[LOW]** Tool installation repeated in every job because the runner environment is not cached → installing Node.js, Python, or other runtimes adds 30-60 seconds per job. Use setup actions (`actions/setup-node`) with their built-in caching options.
+- **[LOW]** Not using composite actions or reusable workflows for repeated step sequences → the same 5-step build setup copy-pasted across 8 workflows drifts over time. Extract to a composite action or reusable workflow called via `uses:`.
+- **[LOW]** Not gating expensive steps on PR draft status or fork conditions → expensive deployments and integration tests run on every commit including work-in-progress. Check `github.event.pull_request.draft` before expensive steps.
+- **[LOW]** Not using `fetch-depth: 1` for jobs that do not need git history → full clone adds seconds on large repos. Add `fetch-depth: 1` to the checkout step for pure build/test jobs.
+
+---
+
+## Architecture
+
+- **[HIGH]** All deployment and CI logic in a single monolithic workflow file → no reusability; every project duplicates the same steps. Extract shared logic to reusable workflows (`workflow_call`) or composite actions and call them from individual workflow files.
+- **[HIGH]** Workflow triggered on push to main with no branch protection rules → direct pushes bypass PR review and immediately trigger production deployment. Enforce branch protection: require PR, status checks, and at least one review before merge.
+- **[HIGH]** No environment protection rules on production deployment jobs → any branch or actor can trigger a production deploy. Use GitHub Environments with required reviewers and deployment wait timers for production.
+- **[HIGH]** Repository-level secrets used across all workflows regardless of need → any workflow can read any repo secret, increasing blast radius of a compromised workflow. Use environment-scoped secrets that are only available to jobs targeting that environment.
+- **[MEDIUM]** Environment URLs, account IDs, or regions hardcoded in workflow YAML → changing environments requires searching and editing all workflow files. Use GitHub Environments, the `vars` context, or repository variables for environment-specific values.
+- **[MEDIUM]** No concurrency group on deployment workflows → parallel deployments to the same environment create race conditions and partial rollouts. Add a concurrency group per environment and cancel-in-progress or queue-based strategy.
+- **[MEDIUM]** Reusable workflow not versioned with a release tag → callers get breaking changes automatically when the reusable workflow is updated. Tag reusable workflows with semver releases and have callers pin to a tag.
+- **[MEDIUM]** Complex job dependency graph (needs:) not documented → multi-job DAGs are impossible to understand without a visual aid. Add a Mermaid diagram or ASCII art of the workflow DAG to the README or workflow file header.
+- **[LOW]** No branch naming convention enforced on wildcard triggers → wildcard branch patterns in triggers match unintended branches. Document and enforce a branch naming convention (`feature/*`, `fix/*`) and use it in trigger patterns.
+- **[LOW]** `workflow_dispatch` inputs not validated before use → integer or enum inputs arrive as strings; invalid values cause obscure errors in later steps. Validate all inputs in the first step and fail fast with a clear error message.
+- **[LOW]** No staging environment between CI and production → code goes directly from CI green to production without a pre-production validation step. Add a staging environment job with a smoke test gate before the production deployment job.
+- **[LOW]** Secrets shared between staging and production environments → a staging breach exposes production credentials. Use separate secret sets per environment; rotate independently.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Deprecated `set-output` command: `echo "::set-output name=foo::bar"` → command was removed; workflows using it silently fail or produce warnings. Replace with the environment file approach: `echo "foo=bar" >> 'GITHUB_OUTPUT var'`.
+- **[HIGH]** Deprecated `set-env` command: `echo "::set-env name=VAR::val"` → command was disabled due to security vulnerabilities. Replace with: `echo "VAR=val" >> 'GITHUB_ENV var'`.
+- **[HIGH]** Deprecated `add-path` command: `echo "::add-path::..."` → command was disabled. Replace with: `echo "/my/path" >> 'GITHUB_PATH var'`.
+- **[HIGH]** `continue-on-error: true` on critical steps (build, test, security scan, deploy) → the job shows green even when a critical step fails, hiding real failures. Only use `continue-on-error` for genuinely optional steps; always check step outcome.
+- **[MEDIUM]** Long inline shell scripts in `run:` blocks → inline scripts are untestable, unlintable, and hard to review. Extract scripts to files in the repository (`.github/scripts/`), test them locally, and call them from the workflow.
+- **[MEDIUM]** Missing `defaults.run.shell` at workflow or job level → shell behavior differs across ubuntu, windows, and macos runners. Be explicit: set `defaults: run: shell: bash` to ensure consistent behavior.
+- **[MEDIUM]** Hardcoded runner labels using specific OS versions (`ubuntu-20.04`) → end-of-life runners cause silent workflow failures when GitHub removes them. Use `ubuntu-latest` or document the pinned version and set a calendar reminder to update.
+- **[MEDIUM]** Not using `fromJSON()` for complex expressions involving JSON manipulation → string operations on JSON in expression context are fragile and hard to debug. Use `fromJSON(steps.id.outputs.value)` to parse JSON outputs properly.
+- **[MEDIUM]** YAML anchors not used for repeated step configurations (env vars, options) → the same environment variable block copy-pasted across 12 steps drifts when values change. Use YAML anchors and aliases to define once and reference many times.
+- **[LOW]** Missing `if: always()` on cleanup or notification steps → these steps are skipped when a previous step fails, leaving cleanup undone and stakeholders uninformed. Add `if: always()` to steps that must run regardless of prior step outcome.
+- **[LOW]** Workflow files not linted with `actionlint` or a similar tool → YAML syntax errors, unknown context references, and deprecated commands are only caught at runtime. Add `rhysd/actionlint` to a pre-commit hook or a dedicated lint workflow.
+- **[LOW]** No comments explaining non-obvious workflow logic or permission grants → future maintainers cannot understand why a permission is needed or why a step exists. Add inline comments for all non-obvious decisions.

package/src/prr/data/stacks/go.md

@@ -0,0 +1,88 @@
+# Go — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.go` files, `go.mod`, `package main`, `func main()`, `goroutine`, `chan`, `go vet`, `golangci-lint`
+
+---
+
+## Security
+
+- **[CRITICAL]** SQL query with `fmt.Sprintf` / string concatenation of user input → SQL injection. Use `db.Query("SELECT ... WHERE id = ?", userInput)`.
+- **[CRITICAL]** `os/exec.Command` with user input as string to shell → command injection. Use argument list form.
+- **[HIGH]** `html/template` replaced with `text/template` for HTML rendering → XSS, `text/template` doesn't escape.
+- **[HIGH]** Sensitive data in error messages returned to client → info disclosure.
+- **[HIGH]** `math/rand` for security-sensitive values (tokens, IDs) → predictable. Use `crypto/rand`.
+- **[HIGH]** `filepath.Join` not used for user-controlled paths → path traversal via `../`.
+- **[HIGH]** `http.ListenAndServe` without TLS in production → plaintext traffic.
+- **[HIGH]** Goroutine spawned to handle request without context cancellation → goroutine leak on client disconnect.
+- **[HIGH]** CORS wildcard with credentials in HTTP handler → credential leakage to any origin.
+- **[MEDIUM]** Secrets loaded with `os.Getenv()` without validation for empty string → app runs with empty secret.
+- **[MEDIUM]** Race condition on shared map without `sync.Mutex` or `sync.RWMutex`.
+- **[LOW]** `regexp.MustCompile` with user input at runtime → panic on invalid regex.
+
+---
+
+## Performance
+
+- **[HIGH]** Goroutine leak — goroutine started but never signaled to stop (no `ctx.Done()`, no WaitGroup) → memory grows indefinitely.
+- **[HIGH]** Mutex held during I/O → blocks all goroutines waiting for lock.
+- **[HIGH]** Unbuffered channel for high-frequency events → sender blocks on every send.
+- **[HIGH]** `append` in tight loop without pre-allocated capacity → many reallocations. Use `make([]T, 0, knownSize)`.
+- **[HIGH]** `fmt.Sprintf` in hot path for string building → use `strings.Builder`.
+- **[HIGH]** Missing context timeout/deadline on HTTP client calls → requests hang indefinitely.
+- **[HIGH]** `sync.Mutex` protecting large struct when `sync.RWMutex` allows parallel reads.
+- **[MEDIUM]** Pointer to small struct unnecessarily → passing small structs by value is cheaper.
+- **[MEDIUM]** `defer` inside loop → defers execute at function end, not loop end → resource exhaustion.
+- **[MEDIUM]** Goroutine per request without worker pool → goroutine explosion under load.
+- **[MEDIUM]** JSON marshaling/unmarshaling in hot path without pooling encoder/decoder.
+- **[LOW]** `interface{}` / `any` in hot path → boxing/unboxing overhead.
+- **[LOW]** Not using `sync.Pool` for frequently allocated/freed objects.
+
+---
+
+## Architecture
+
+- **[HIGH]** Error ignored with `_` on operations that can fail → silent failures.
+- **[HIGH]** Panic used for expected error conditions → use error returns. Panic only for programmer errors.
+- **[HIGH]** Global mutable state (`var globalDB *sql.DB` mutated after init) → race conditions.
+- **[HIGH]** `init()` functions doing side effects (DB init, file I/O) → hard to test, unpredictable order.
+- **[HIGH]** Context not propagated through function call chain → cancellation doesn't work.
+- **[MEDIUM]** Interface defined by implementer instead of consumer → breaks dependency inversion.
+- **[MEDIUM]** Package names too generic (`util`, `common`, `helper`) → hard to discover.
+- **[MEDIUM]** Struct embedding for code reuse when composition/interfaces cleaner → hidden method promotion.
+- **[MEDIUM]** Not using `errors.Is()` / `errors.As()` for error inspection → string comparison brittle.
+- **[MEDIUM]** Not using sentinel errors or custom error types → callers can't distinguish error categories.
+- **[LOW]** Exported type without methods returning interface → unnecessary coupling.
+- **[LOW]** Not using `go generate` for repetitive boilerplate.
+
+---
+
+## Code Quality
+
+- **[HIGH]** Error not checked: `result, _ := someFunc()` when error indicates real failure.
+- **[HIGH]** `defer file.Close()` after error check omitted → resource leak if `Open()` fails.
+- **[HIGH]** Goroutine closure capturing loop variable → all goroutines use last value. Shadow: `v := v`.
+- **[MEDIUM]** Named return values with naked `return` in long functions → confusing.
+- **[MEDIUM]** Returning concrete type instead of interface from constructor → couples callers to implementation.
+- **[MEDIUM]** Not using `golangci-lint` / `staticcheck` → issues not caught.
+- **[MEDIUM]** `go vet` not run in CI → common mistakes missed.
+- **[MEDIUM]** Test files not using `_test` package for black-box testing → testing internal state.
+- **[LOW]** Missing `golint` compliance (exported types without comments).
+- **[LOW]** Not using table-driven tests → duplicated test setup.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** Loop variable captured by goroutine: `go func() { use(v) }()` in range → all use last value (fixed in Go 1.22).
+- **[HIGH]** Map/slice concurrent read+write without mutex → data race, undefined behavior.
+- **[HIGH]** `time.Sleep` for synchronization → use channels or `sync.WaitGroup`.
+- **[HIGH]** `nil` interface vs nil concrete pointer — `interface{}` wrapping nil pointer is not `== nil`.
+- **[HIGH]** `http.Response.Body` not closed after reading → connection leak.
+- **[HIGH]** Goroutine panics not recovered → crashes entire program.
+- **[MEDIUM]** `json.Unmarshal` ignoring error → silently retains zero values on malformed JSON.
+- **[MEDIUM]** Integer conversion between `int32` and `int64` losing data on 32-bit platforms.
+- **[MEDIUM]** `select` with default case in timing-sensitive code → busy loop.
+- **[MEDIUM]** `context.WithCancel` defer cancel not called → context leak.
+- **[LOW]** `make(chan T)` vs `make(chan T, 1)` — unbuffered vs buffered behavior difference not understood.
+- **[LOW]** `strings.Contains` used where `strings.HasPrefix`/`HasSuffix` is more appropriate.

package/src/prr/data/stacks/godot.md

@@ -0,0 +1,56 @@
+# Godot — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.gd` GDScript files, `*.tscn` scenes, `extends Node`, `func _ready()`, `func _process()`, `export var`, `@export`, `Godot`, `project.godot`
+
+---
+
+## Security
+- **[HIGH]** `OS.execute()` or `OS.shell_open()` called with user-controlled arguments → command injection on the host OS; never pass untrusted input to OS execution APIs.
+- **[HIGH]** HTTP requests made to user-provided URLs without validation → SSRF and malicious content fetching; validate URLs against an allowlist before any network request.
+- **[HIGH]** Save game files loaded with `JSON.parse()` or `ResourceLoader.load()` without schema validation → crashes or exploits from malformed data; validate all fields and types after deserialization.
+- **[MEDIUM]** `get_node()` called with a `NodePath` derived from user input → accessing arbitrary nodes in the scene tree; never construct node paths from untrusted data.
+- **[MEDIUM]** Autoload singletons storing authentication tokens or private game state accessible from any script → overly broad attack surface; restrict sensitive data access to dedicated, narrowly scoped systems.
+- **[LOW]** GDScript source files not encrypted in exported project (`Export > Resources > Script export mode`) → readable with PCK extraction tools; use bytecode-only export and PCK encryption for commercial titles.
+
+---
+
+## Performance
+- **[HIGH]** Heavy computation (pathfinding, collision queries, string building) in `_process(delta)` → called every frame at full refresh rate; move to `_physics_process`, signals, timers, or background threads via `Thread`.
+- **[HIGH]** `get_node()` or `$NodePath` shorthand called every frame instead of cached in `_ready()` → repeated scene-tree traversal; cache all node references as member variables in `_ready()`.
+- **[HIGH]** Nodes instantiated and freed every frame (bullets, particles, effects) without pooling → GC pressure and frame spikes; implement a node pool using `queue_free()` + `visible = false` recycling.
+- **[HIGH]** Large images imported without enabling appropriate compression (VRAM-compressed formats like S3TC, ETC2, BPTC) → excessive VRAM usage; configure import settings per texture type.
+- **[MEDIUM]** `await get_tree().process_frame` used in tight loops without frame budget awareness → logic spread across many deferred frames; batch work with explicit budgeting.
+- **[MEDIUM]** Signals not disconnected when nodes are freed → potential callbacks on freed objects; always disconnect signals in `_exit_tree()` or use `connect(..., CONNECT_ONE_SHOT)`.
+- **[LOW]** `VisibleOnScreenNotifier2D`/`VisibleOnScreenNotifier3D` not used for off-screen objects that run `_process` → wasted CPU on invisible nodes; disable processing when off-screen.
+
+---
+
+## Architecture
+- **[HIGH]** Scene tree traversal using `get_parent().get_parent().get_child(2)` chains → brittle structural coupling; use signals, groups, or exported node references for cross-node communication.
+- **[HIGH]** Autoloads used as a dumping ground for all shared state and logic → implicit global coupling that makes scenes non-portable; limit autoloads to truly global services and use scene-local composition otherwise.
+- **[MEDIUM]** Node-to-node communication done by calling methods directly on sibling or parent nodes instead of emitting signals → tight coupling; emit signals upward and call methods downward.
+- **[MEDIUM]** Game logic embedded in UI nodes (`Button`, `Label` subclasses with game rules) → untestable in isolation; separate game logic into non-UI Node or RefCounted classes.
+- **[MEDIUM]** Data not modeled as `Resource` subclasses → ad-hoc dictionaries passed everywhere; use typed `Resource` subclasses with `@export` fields for all structured data.
+- **[LOW]** Scenes not decomposed into reusable sub-scenes → monolithic tscn files that are hard to maintain; extract repeating structures into their own scenes.
+
+---
+
+## Code Quality
+- **[HIGH]** `@export` variables declared without type hints (`@export var speed` instead of `@export var speed: float`) → no editor type validation or static analysis; always type all exported variables.
+- **[HIGH]** Return value of `get_node()` used without null check on nodes that may be absent → "Invalid get index" runtime error; null-check or use `has_node()` before access.
+- **[MEDIUM]** GDScript functions and variables declared without type hints → static analyzer and Godot's type checker cannot catch errors; add type annotations to all declarations.
+- **[MEDIUM]** `match` statement without a default `_:` branch for enum-like values → unhandled states silently fall through; always include a default branch that asserts or logs.
+- **[MEDIUM]** Signals defined but never emitted, or emitted but never connected → dead code or broken communication channels; audit all signal definitions for use.
+- **[LOW]** Node names containing spaces (e.g., `"My Node"`) → `$My Node` shorthand breaks; use PascalCase or snake_case node names consistently.
+
+---
+
+## Common Bugs & Pitfalls
+- **[HIGH]** Holding a reference to a node after `queue_free()` and accessing it on the next frame → "Object was deleted" crash; use `is_instance_valid(node)` before accessing any potentially freed node.
+- **[HIGH]** Signal connected multiple times (e.g., inside `_process` or on scene re-entry) without checking for existing connections → callback invoked multiple times per event; use `is_connected()` guard or `CONNECT_ONE_SHOT`.
+- **[HIGH]** `_ready()` called before parent node's `_ready()` has completed in child-first order → child accesses parent state that is not yet initialized; use `call_deferred()` or `await owner.ready` for deferred initialization.
+- **[MEDIUM]** `CharacterBody2D`/`CharacterBody3D` velocity not reset to zero before applying new movement each frame → accumulated velocity causing unintended drift; reset or reassign `velocity` explicitly each physics frame.
+- **[MEDIUM]** `@export` variable default value changed in script after the scene has been saved → saved scene retains old serialized value, script default ignored; reset the property in the scene inspector after changing script defaults.
+- **[MEDIUM]** `Timer` node not stopped and freed when the owning node is removed → timer fires callback on a freed object; always call `timer.stop()` in `_exit_tree()`.
+- **[LOW]** Integer division used unintentionally in GDScript 4 (`5 / 2 == 2`) → use `float(5) / 2` or `5.0 / 2.0` for fractional results.

package/src/prr/data/stacks/graphql.md

@@ -0,0 +1,76 @@
+# GraphQL — Stack-Specific Review Rules
+
+> Applies to: GR · SR · PR · AR · BR
+> Detection signals: `*.graphql` / `*.gql` files, `gql\`\``, `GraphQLSchema`, `typeDefs`, `resolvers`, `ApolloServer`, `graphql-yoga`, `pothos`, `nexus`
+
+---
+
+## Security
+
+- **[CRITICAL]** Missing field-level authorization in resolver → any authenticated user queries any field/mutation. Check permissions per-resolver, not just at route level.
+- **[CRITICAL]** Introspection enabled in production → full schema exposed to attackers. Set `introspection: false` in production.
+- **[HIGH]** Missing query depth limit → nested queries cause exponential DB calls (DoS). Use `graphql-depth-limit` (max 7-10 levels).
+- **[HIGH]** Missing query complexity limit → single query requesting thousands of nodes. Use `graphql-query-complexity`.
+- **[HIGH]** User-controlled field names in dynamic resolver → injection or over-fetching of sensitive fields.
+- **[HIGH]** Batch query abuse — 1000 aliases in single query bypassing per-query rate limit. Limit max aliases.
+- **[HIGH]** Missing rate limiting at GraphQL endpoint → high-complexity queries bypass REST-level limits.
+- **[HIGH]** GraphQL errors leaking stack traces → configure custom error formatter to strip internal details.
+- **[MEDIUM]** IDOR in resolver — fetching resource by ID in args without ownership check.
+- **[MEDIUM]** Subscription not authenticated → real-time events delivered to unauthenticated WebSocket.
+- **[LOW]** `directives` not documented or enforced on sensitive fields → ad-hoc security.
+
+---
+
+## Performance
+
+- **[CRITICAL]** N+1 in resolver — DB query per parent node's children. Use `DataLoader` for batching + per-request caching.
+- **[HIGH]** Resolver fetching all related data regardless of selection set → over-fetching. Use projection based on `info.fieldNodes`.
+- **[HIGH]** No persisted queries → clients send full query string each request, larger payload, no CDN caching.
+- **[HIGH]** `DataLoader` not scoped per-request → stale data served from previous request's loader cache.
+- **[HIGH]** Subscription sending full object on every update when client only needs changed fields.
+- **[MEDIUM]** Missing `@cacheControl` directives → CDN cannot cache GraphQL responses.
+- **[MEDIUM]** Over-fetching in resolvers — entire DB record loaded for 2-field selection.
+- **[MEDIUM]** `context.dataloaders` not used → DataLoader instances not shared across resolvers in request.
+- **[MEDIUM]** Deeply nested fragment spread causing resolver chain traversal on every request.
+- **[LOW]** Not using `graphql-jit` for hot query compilation.
+
+---
+
+## Architecture
+
+- **[HIGH]** Business logic in resolver functions → move to service/domain layer; resolvers orchestrate only.
+- **[HIGH]** Schema-first vs code-first inconsistency in same project → pick one, enforce via lint.
+- **[HIGH]** Mutations not returning affected type → client must do extra query to refresh; return mutated entity.
+- **[HIGH]** Missing input validation on mutation args → invalid data reaches business logic.
+- **[MEDIUM]** Overloaded `Query` type with dozens of top-level fields → use namespaced query types.
+- **[MEDIUM]** Not using schema federation for microservices → monolithic schema becomes bottleneck.
+- **[MEDIUM]** Context not used for shared services (DB, auth, DataLoader) → instantiating per-resolver.
+- **[MEDIUM]** Union/interface types not used for polymorphic data → overloaded nullable fields.
+- **[LOW]** Missing `description` on types/fields → poor schema documentation, bad DX.
+- **[LOW]** Not using code-generation (`graphql-codegen`) for TypeScript types → resolvers typed as `any`.
+
+---
+
+## Code Quality
+
+- **[HIGH]** `any` type on resolver `context` or `parent` → no type safety.
+- **[HIGH]** Missing `__resolveType` on union/interface → Apollo can't distinguish members.
+- **[MEDIUM]** Resolver returning `undefined` for nullable field → client gets `null` unexpectedly.
+- **[MEDIUM]** `async` resolver not returning Promise → Apollo silently resolves, async work never awaited.
+- **[MEDIUM]** Mutations not following `input` type convention → inline args instead of typed `input` object.
+- **[MEDIUM]** Error handling inconsistent — some resolvers throw, others return `null` → client can't distinguish.
+- **[LOW]** Not using `graphql-scalars` for common scalars (DateTime, URL, Email) → custom validator reinvented.
+- **[LOW]** Schema not validated with `graphql-inspector` → breaking changes undetected.
+
+---
+
+## Common Bugs & Pitfalls
+
+- **[HIGH]** `DataLoader` key type mismatch (string vs number) → batching function receives mixed types, wrong results.
+- **[HIGH]** Subscription not cleaned up on client disconnect → resource leak (DB connection, event listener).
+- **[HIGH]** Resolver error not wrapped in `GraphQLError` → error format inconsistent, stack trace leaked.
+- **[MEDIUM]** `context` mutated inside resolver → shared between parallel field resolvers, race condition.
+- **[MEDIUM]** DataLoader `batchLoadFn` not returning results in same order as keys → wrong data mapped to wrong parents.
+- **[MEDIUM]** `@deprecated` directive added but not enforced in CI → clients continue using deprecated fields.
+- **[LOW]** Union type `__resolveType` missing → Apollo returns null for union field.
+- **[LOW]** `null` vs empty array not distinguished in list fields → client gets wrong "no results" state.