redline-review 1.0.0

package/dist/redline-review.js

@@ -0,0 +1,171 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const yaml = __importStar(require("js-yaml"));
+const child_process_1 = require("child_process");
+const build_context_1 = require("./build-context");
+const detect_domains_1 = require("./detect-domains");
+function parseArgs() {
+    const args = process.argv.slice(2);
+    const get = (flag) => {
+        const idx = args.indexOf(flag);
+        return idx !== -1 ? args[idx + 1] : undefined;
+    };
+    const stack = get('--stack')?.split(',').filter(Boolean);
+    const reviewType = get('--type')?.split(',').filter(Boolean);
+    const promptVariant = get('--prompt') ?? 'base';
+    const base = get('--base');
+    return { stack, reviewType, promptVariant, base };
+}
+function detectBaseBranch() {
+    try {
+        return (0, child_process_1.execSync)('git rev-parse --abbrev-ref @{upstream}', { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    }
+    catch { /* no upstream configured */ }
+    try {
+        const ref = (0, child_process_1.execSync)('git symbolic-ref refs/remotes/origin/HEAD', { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+        return ref.replace('refs/remotes/', '');
+    }
+    catch { /* no remote HEAD ref */ }
+    return null;
+}
+function getGitDiff(baseOverride) {
+    const baseCandidates = baseOverride
+        ? [baseOverride]
+        : [detectBaseBranch(), 'main', 'master', 'develop', 'trunk'].filter(Boolean);
+    for (const base of baseCandidates) {
+        try {
+            const result = (0, child_process_1.execSync)(`git diff ${base}...HEAD`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+            if (result.length > 0) {
+                process.stderr.write(`Base branch: ${base}\n`);
+                return result;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    for (const cmd of ['git diff HEAD~1', 'git diff --cached']) {
+        try {
+            const result = (0, child_process_1.execSync)(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+            if (result.length > 0) {
+                process.stderr.write(`Warning: could not find a base branch; falling back to \`${cmd}\`\n`);
+                return result;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    process.stderr.write('No diff found. Make sure you are in a git repository with changes.\n');
+    process.exit(1);
+}
+function loadRules(rulesDir, selectedFiles) {
+    const files = fs_1.default.readdirSync(rulesDir)
+        .filter(f => f.endsWith('.yaml'))
+        .filter(f => !selectedFiles || selectedFiles.includes(f));
+    return files.map(file => {
+        const content = fs_1.default.readFileSync(path_1.default.join(rulesDir, file), 'utf8');
+        return yaml.load(content);
+    });
+}
+function formatRulesForPrompt(ruleFiles) {
+    return ruleFiles.map(rf => {
+        const header = `### ${rf.category.replace(/_/g, ' ').replace(/\b\w/g, c => c.toUpperCase())}`;
+        const context = rf.severity_context ? `\n*${rf.severity_context.trim()}*\n` : '';
+        const rules = rf.rules.map(r => {
+            const examples = r.examples && r.examples.length > 0
+                ? `\n  Example:\n${r.examples[0].split('\n').map(l => `    ${l}`).join('\n')}`
+                : '';
+            return `- [${r.severity.toUpperCase()}] ${r.detect}${examples}`;
+        }).join('\n');
+        return `${header}${context}\n${rules}`;
+    }).join('\n\n');
+}
+function buildPrompt(rulesText, diff, promptTemplate) {
+    return promptTemplate
+        .replace('{{selectedRules}}', rulesText)
+        .replace('{{gitDiff}}', diff);
+}
+function resolvePromptPath(variant, promptsDir) {
+    const map = {
+        base: 'base-reviewer.md',
+        strict: 'strict-reviewer.md',
+        lightweight: 'lightweight-reviewer.md',
+    };
+    const file = map[variant] ?? 'base-reviewer.md';
+    return path_1.default.join(promptsDir, file);
+}
+function main() {
+    process.stdout.on('error', (err) => {
+        if (err.code === 'EPIPE')
+            process.exit(0);
+    });
+    const { stack, reviewType, promptVariant, base } = parseArgs();
+    const rulesDir = path_1.default.join(__dirname, '..', 'rules');
+    const promptsDir = path_1.default.join(__dirname, '..', 'prompts');
+    const diff = getGitDiff(base);
+    let selectedFiles;
+    let contextSource;
+    if (reviewType || stack) {
+        selectedFiles = (0, build_context_1.buildReviewContext)({ stack, reviewType });
+        if (selectedFiles.length === 0) {
+            process.stderr.write('Warning: no matching rules for the given --stack/--type. Falling back to all rules.\n');
+            selectedFiles = undefined;
+        }
+        contextSource = 'explicit';
+    }
+    else {
+        selectedFiles = (0, detect_domains_1.detectRelevantDomains)(diff);
+        contextSource = 'auto-detected';
+    }
+    const ruleFiles = loadRules(rulesDir, selectedFiles?.length ? selectedFiles : undefined);
+    const promptPath = resolvePromptPath(promptVariant, promptsDir);
+    const promptTemplate = fs_1.default.readFileSync(promptPath, 'utf8');
+    const rulesText = formatRulesForPrompt(ruleFiles);
+    const finalPrompt = buildPrompt(rulesText, diff, promptTemplate);
+    if (selectedFiles?.length) {
+        process.stderr.write(`Domains (${contextSource}): ${selectedFiles.join(', ')}\n`);
+    }
+    process.stdout.write(finalPrompt + '\n');
+}
+main();
+//# sourceMappingURL=redline-review.js.map

package/dist/redline-review.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redline-review.js","sourceRoot":"","sources":["../src/redline-review.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA,4CAAoB;AACpB,gDAAwB;AACxB,8CAAgC;AAChC,iDAAyC;AACzC,mDAAqD;AACrD,qDAAyD;AAsBzD,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnC,MAAM,GAAG,GAAG,CAAC,IAAY,EAAsB,EAAE;QAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAChD,CAAC,CAAC;IAEF,MAAM,KAAK,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC;IAChD,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE3B,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,gBAAgB;IACvB,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,wCAAwC,EACtD,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC,CAAC,4BAA4B,CAAC,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,2CAA2C,EAC9D,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAChE,OAAO,GAAG,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;IAEpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,YAAqB;IACvC,MAAM,cAAc,GAAa,YAAY;QAC3C,CAAC,CAAC,CAAC,YAAY,CAAC;QAChB,CAAC,CAAE,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAc,CAAC;IAE7F,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,YAAY,IAAI,SAAS,EAC/C,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAChE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,IAAI,IAAI,CAAC,CAAC;gBAC/C,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YAAC,SAAS;QAAC,CAAC;IACvB,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,GAAG,EACzB,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YAChE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4DAA4D,GAAG,MAAM,CAAC,CAAC;gBAC5F,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YAAC,SAAS;QAAC,CAAC;IACvB,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,aAAwB;IAC3D,MAAM,KAAK,GAAG,YAAE,CAAC,WAAW,CAAC,QAAQ,CAAC;SACnC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;SAChC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5D,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QACtB,MAAM,OAAO,GAAG,YAAE,CAAC,YAAY,CAAC,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAa,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAqB;IACjD,OAAO,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;QACxB,MAAM,MAAM,GAAG,OAAO,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC9F,MAAM,OAAO,GAAG,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACjF,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAC7B,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAClD,CAAC,CAAC,iBAAiB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9E,CAAC,CAAC,EAAE,CAAC;YACP,OAAO,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;QAClE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO,GAAG,MAAM,GAAG,OAAO,KAAK,KAAK,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,WAAW,CAAC,SAAiB,EAAE,IAAY,EAAE,cAAsB;IAC1E,OAAO,cAAc;SAClB,OAAO,CAAC,mBAAmB,EAAE,SAAS,CAAC;SACvC,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe,EAAE,UAAkB;IAC5D,MAAM,GAAG,GAA2B;QAClC,IAAI,EAAS,kBAAkB;QAC/B,MAAM,EAAO,oBAAoB;QACjC,WAAW,EAAE,yBAAyB;KACvC,CAAC;IACF,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,kBAAkB,CAAC;IAChD,OAAO,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,IAAI;IACX,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;QACxD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,SAAS,EAAE,CAAC;IAC/D,MAAM,QAAQ,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;IAEzD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,aAAmC,CAAC;IACxC,IAAI,aAAqB,CAAC;IAE1B,IAAI,UAAU,IAAI,KAAK,EAAE,CAAC;QACxB,aAAa,GAAG,IAAA,kCAAkB,EAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1D,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uFAAuF,CAAC,CAAC;YAC9G,aAAa,GAAG,SAAS,CAAC;QAC5B,CAAC;QACD,aAAa,GAAG,UAAU,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,aAAa,GAAG,IAAA,sCAAqB,EAAC,IAAI,CAAC,CAAC;QAC5C,aAAa,GAAG,eAAe,CAAC;IAClC,CAAC;IAED,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACzF,MAAM,UAAU,GAAG,iBAAiB,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;IAChE,MAAM,cAAc,GAAG,YAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IAEjE,IAAI,aAAa,EAAE,MAAM,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,aAAa,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;AAC3C,CAAC;AAED,IAAI,EAAE,CAAC"}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "redline-review",
+  "version": "1.0.0",
+  "description": "Adaptive AI code review skill for any frontier agent — context-aware, rule-driven, diff-native",
+  "keywords": [
+    "code-review",
+    "ai",
+    "claude",
+    "opencode",
+    "copilot",
+    "codex",
+    "llm",
+    "developer-tools",
+    "git",
+    "prompt",
+    "review",
+    "static-analysis"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nabil1440/redline-review.git"
+  },
+  "homepage": "https://github.com/nabil1440/redline-review#readme",
+  "bin": {
+    "redline-review": "bin/redline-review"
+  },
+  "files": [
+    "bin",
+    "dist",
+    "rules",
+    "prompts",
+    "schemas",
+    "adapters",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "ts-node src/redline-review.ts",
+    "prepare": "npm run build"
+  },
+  "dependencies": {
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^22.0.0",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.7.0"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}

package/prompts/base-reviewer.md

@@ -0,0 +1,28 @@
+You are an expert code reviewer with deep expertise in software architecture, security, performance, and correctness.
+
+## Review Focus Areas
+
+{{selectedRules}}
+
+## Instructions
+
+Review the diff below and identify issues based on the focus areas above.
+
+For each issue found:
+- **Location**: file name and line number (if determinable from the diff)
+- **Rule**: which rule category and rule ID applies
+- **Severity**: CRITICAL / HIGH / MEDIUM / LOW
+- **Issue**: a concise explanation of the problem
+- **Suggestion**: a concrete recommendation to fix it
+
+Group issues by severity descending: CRITICAL → HIGH → MEDIUM → LOW.
+
+If no issues are found in a category, skip it. If the diff is clean, say so.
+
+Keep explanations tight — one or two sentences per issue. No filler.
+
+## Diff
+
+```diff
+{{gitDiff}}
+```

package/prompts/lightweight-reviewer.md

@@ -0,0 +1,20 @@
+You are an expert code reviewer doing a quick scan.
+
+## Review Focus Areas
+
+{{selectedRules}}
+
+## Instructions
+
+Review the diff below. Return the **top 3 most important issues only**, regardless of category.
+
+Format each as a single tight paragraph:
+`[SEVERITY] file:line — issue description. Suggested fix.`
+
+If the diff looks clean, say so in one sentence.
+
+## Diff
+
+```diff
+{{gitDiff}}
+```

package/prompts/strict-reviewer.md

@@ -0,0 +1,24 @@
+You are an expert code reviewer performing a strict security and correctness pass.
+
+## Review Focus Areas
+
+{{selectedRules}}
+
+## Instructions
+
+Review the diff below. Report **only CRITICAL and HIGH severity issues** — skip MEDIUM and LOW entirely.
+
+For each issue:
+- **Location**: file name and line number
+- **Rule**: category and rule ID
+- **Severity**: CRITICAL or HIGH
+- **Issue**: one sentence describing the problem
+- **Fix**: a concrete code-level suggestion
+
+Be direct. No filler. If there are no CRITICAL or HIGH issues, say: "No critical or high severity issues found."
+
+## Diff
+
+```diff
+{{gitDiff}}
+```

package/rules/architecture.yaml

@@ -0,0 +1,55 @@
+category: architecture_design
+severity_context: >
+  Prioritize architectural patterns that increase coupling, centralize instability,
+  or create long-term maintenance bottlenecks. Optimize for maintainability,
+  scalability, and low coupling.
+
+rules:
+  - id: god_class
+    severity: high
+    detect: God classes, services, or components with too many responsibilities
+    examples:
+      - |
+        UserManager handles auth, billing, notifications, and reporting
+
+  - id: responsibility_leakage
+    severity: high
+    detect: responsibility leakage between layers or modules
+    examples:
+      - |
+        Controller directly queries the database
+
+  - id: separation_of_concerns
+    severity: medium
+    detect: violations of separation of concerns
+    examples:
+      - |
+        Business logic inside a route handler
+
+  - id: low_cohesion
+    severity: medium
+    detect: modules or classes with low cohesion
+    examples:
+      - |
+        Utility class mixing string helpers, date parsing, and HTTP calls
+
+  - id: unnecessary_abstractions
+    severity: medium
+    detect: unnecessary or premature abstractions that add complexity without value
+    examples:
+      - |
+        AbstractBaseServiceFactoryInterface
+
+  - id: framework_convention_deviation
+    severity: medium
+    detect: deviations from established framework conventions without justification
+    examples:
+      - |
+        Custom routing that bypasses framework middleware
+
+  - id: unclear_architectural_boundaries
+    severity: high
+    detect: unclear or violated architectural boundaries between layers or domains
+    examples:
+      - |
+        Domain model importing from infrastructure layer

package/rules/auth.yaml

@@ -0,0 +1,57 @@
+category: authentication_authorization
+severity_context: >
+  Prioritize vulnerabilities that can enable unauthorized access, privilege escalation,
+  or exposure of sensitive data. Review all sensitive actions assuming hostile access
+  patterns and privilege escalation attempts.
+
+rules:
+  - id: missing_authentication_checks
+    severity: critical
+    detect: missing authentication checks on sensitive operations
+    examples:
+      - |
+        updateUserProfile(userId)
+
+  - id: missing_authorization_checks
+    severity: critical
+    detect: missing authorization checks on sensitive operations
+    examples:
+      - |
+        adminDeletePost(postId)
+
+  - id: role_permission_bypass
+    severity: critical
+    detect: role or permission bypass opportunities through insufficient guard logic
+    examples:
+      - |
+        if isLoggedIn:
+            allowDelete()
+
+  - id: idor_patterns
+    severity: critical
+    detect: insecure direct object reference patterns where ownership is not validated
+    examples:
+      - |
+        GET /invoice/123
+
+  - id: hardcoded_roles_permissions
+    severity: high
+    detect: hardcoded roles or permission strings
+    examples:
+      - |
+        if role == 'admin'
+
+  - id: inconsistent_permission_enforcement
+    severity: high
+    detect: inconsistent permission enforcement across API routes and background jobs
+    examples:
+      - |
+        API route protected
+        background job unprotected
+
+  - id: missing_ownership_validation
+    severity: critical
+    detect: sensitive operations missing ownership or tenancy validation
+    examples:
+      - |
+        updateOrder(orderId)

package/rules/concurrency.yaml

@@ -0,0 +1,62 @@
+category: concurrency_consistency
+severity_context: >
+  Prioritize concurrency and consistency issues that can create corrupted state,
+  duplicate execution, financial inconsistencies, or distributed coordination failures.
+  Review concurrent and distributed flows assuming retries, duplication, delays,
+  and parallel execution.
+
+rules:
+  - id: race_condition
+    severity: critical
+    detect: race condition opportunities from unguarded read-modify-write patterns
+    examples:
+      - |
+        read balance
+        update balance
+        save balance
+
+  - id: missing_transaction_boundaries
+    severity: critical
+    detect: multi-step operations missing transaction boundaries
+    examples:
+      - |
+        createOrder()
+        chargeCard()
+        updateInventory()
+
+  - id: non_idempotent_retry
+    severity: critical
+    detect: non-idempotent operations in retry flows
+    examples:
+      - |
+        retry payment()
+
+  - id: missing_distributed_lock
+    severity: high
+    detect: scenarios requiring distributed locks that have none
+    examples:
+      - |
+        Multiple workers processing the same job without coordination
+
+  - id: shared_mutable_state
+    severity: high
+    detect: shared mutable state accessed without synchronization
+    examples:
+      - |
+        globalCache.value += 1
+
+  - id: eventual_consistency_hazard
+    severity: high
+    detect: code that assumes read-after-write consistency on eventually consistent stores
+    examples:
+      - |
+        write database
+        immediately read replica
+
+  - id: unsafe_async_ordering
+    severity: high
+    detect: unsafe assumptions about async operation ordering
+    examples:
+      - |
+        sendEmail()
+        assume user saved

package/rules/correctness.yaml

@@ -0,0 +1,108 @@
+category: correctness_safety
+severity_context: >
+  Prioritize correctness issues that can cause silent failures, corrupted state,
+  unpredictable behavior, or production instability.
+
+rules:
+  - id: swallowed_exceptions
+    severity: high
+    detect: swallowed or silently caught exceptions
+    examples:
+      - |
+        try:
+            riskyOperation()
+        catch:
+            pass
+
+  - id: hidden_side_effects
+    severity: high
+    detect: functions with hidden side effects not implied by their name or signature
+    examples:
+      - |
+        calculateTotal()
+            -> updates database
+
+  - id: ambiguous_failure_states
+    severity: critical
+    detect: ambiguous or silent failure states returned as null or empty
+    examples:
+      - |
+        return null
+
+  - id: unhandled_custom_exceptions
+    severity: high
+    detect: custom exceptions raised but never caught or documented
+    examples:
+      - |
+        raise PaymentError
+
+  - id: unreachable_branches
+    severity: medium
+    detect: unreachable code after return, throw, or break statements
+    examples:
+      - |
+        return result
+        log('done')
+
+  - id: dead_code
+    severity: medium
+    detect: dead code, unused variables, or unused helper functions
+    examples:
+      - |
+        unusedHelper()
+        unusedVariable
+
+  - id: stale_abstractions
+    severity: medium
+    detect: stale or legacy abstractions still in active code paths
+    examples:
+      - |
+        LegacyUserAdapter
+        OldPaymentService
+
+  - id: vague_error_messages
+    severity: medium
+    detect: vague or non-actionable error messages
+    examples:
+      - |
+        "Something went wrong"
+        "Operation failed"
+
+  - id: missing_operational_context_in_errors
+    severity: medium
+    detect: error messages missing operational context needed for diagnosis
+    examples:
+      - |
+        "Failed to process request"
+
+  - id: inconsistent_error_quality
+    severity: low
+    detect: inconsistent error message quality across the codebase
+    examples:
+      - |
+        "Invalid input"
+        vs
+        "Email format is invalid"
+
+  - id: leaked_implementation_details_in_errors
+    severity: high
+    detect: leaked internal implementation details exposed in error messages
+    examples:
+      - |
+        SQLSTATE[23505]
+        NullReferenceException at line 842
+
+  - id: user_hostile_error_wording
+    severity: medium
+    detect: user-hostile or unhelpful error wording
+    examples:
+      - |
+        "Bad request"
+        "Invalid"
+
+  - id: missing_remediation_guidance
+    severity: medium
+    detect: recoverable errors missing remediation guidance for the user
+    examples:
+      - |
+        "Upload failed"

package/rules/frontend.yaml

@@ -0,0 +1,46 @@
+category: frontend_heuristics
+severity_context: >
+  Frontend complexity compounds fast. Keep state and rendering flows isolated.
+
+rules:
+  - id: god_component
+    severity: high
+    detect: God frontend components handling too many concerns in one place
+    examples:
+      - |
+        UserDashboard manages auth state, data fetching, form handling, and routing
+
+  - id: duplicated_state
+    severity: medium
+    detect: duplicated state across multiple components that should be shared or derived
+    examples:
+      - |
+        const [user, setUser] = useState() in three sibling components
+
+  - id: unnecessary_derived_state
+    severity: medium
+    detect: unnecessary derived state stored in useState instead of computed inline
+    examples:
+      - |
+        const [fullName, setFullName] = useState(firstName + ' ' + lastName)
+
+  - id: excessive_prop_drilling
+    severity: medium
+    detect: excessive prop drilling through multiple component layers
+    examples:
+      - |
+        <A user={user}><B user={user}><C user={user} /></B></A>
+
+  - id: unnecessary_third_party_tooling
+    severity: medium
+    detect: unnecessary third-party library usage where a native or framework solution exists
+    examples:
+      - |
+        Using axios for a request when Inertia client handles it natively
+
+  - id: axios_instead_of_inertia
+    severity: medium
+    detect: axios usage where Inertia client is more appropriate
+    examples:
+      - |
+        axios.post('/users') instead of router.post('/users')

package/rules/maintainability.yaml

@@ -0,0 +1,42 @@
+category: maintainability
+severity_context: >
+  Code should be easy to modify safely under pressure. Focus on patterns that create
+  friction for future changes.
+
+rules:
+  - id: poor_naming
+    severity: medium
+    detect: poor naming that obscures intent at the variable, function, or class level
+    examples:
+      - |
+        let x = getD()
+        function proc(v) {}
+
+  - id: large_functions
+    severity: medium
+    detect: large functions or methods that should be decomposed
+    examples:
+      - |
+        A 200-line function handling validation, DB writes, and notifications
+
+  - id: implicit_mutations
+    severity: medium
+    detect: implicit mutations of shared state or parameters
+    examples:
+      - |
+        function process(order) { order.status = 'done' }
+
+  - id: inconsistent_conventions
+    severity: low
+    detect: inconsistent naming, formatting, or structural conventions
+    examples:
+      - |
+        getUserById, fetchOrder, loadProduct in the same codebase
+
+  - id: future_change_friction
+    severity: medium
+    detect: patterns that create friction for future changes
+    examples:
+      - |
+        Magic numbers without named constants
+        Hardcoded URLs or config values inline