redline-review 1.0.0

package/rules/observability.yaml

@@ -0,0 +1,59 @@
+category: observability
+severity_context: >
+  Prioritize observability gaps that make production incidents difficult to diagnose,
+  trace, or recover from. Systems should be diagnosable under production failure conditions.
+
+rules:
+  - id: sensitive_data_in_logs
+    severity: critical
+    detect: sensitive data leakage into logs
+    examples:
+      - |
+        log(password)
+        log(authToken)
+        logger.info('User login', { password })
+
+  - id: missing_error_logging
+    severity: high
+    detect: errors caught but not logged
+    examples:
+      - |
+        catch error:
+            return failed
+
+  - id: silent_failures
+    severity: high
+    detect: silent failure paths where errors are swallowed with no logging
+    examples:
+      - |
+        catch error:
+            pass
+
+  - id: missing_tracing_context
+    severity: high
+    detect: cross-service calls missing tracing or correlation context
+    examples:
+      - |
+        serviceA -> serviceB with no correlation ID
+
+  - id: useless_logs
+    severity: medium
+    detect: useless or non-actionable log statements
+    examples:
+      - |
+        log('here')
+        log('done')
+
+  - id: missing_operational_metrics
+    severity: medium
+    detect: long-running or resource-intensive operations missing metrics
+    examples:
+      - |
+        processLargeJob() with no timing or success/failure metric
+
+  - id: excessive_logging_noise
+    severity: low
+    detect: excessive logging that creates noise and degrades log signal
+    examples:
+      - |
+        log('loop iteration ' + i)

package/rules/performance-algorithmic.yaml

@@ -0,0 +1,49 @@
+category: algorithmic_performance
+severity_context: >
+  Estimate complexity mentally during review. Watch for O(n²) growth patterns and
+  unnecessary memory allocations in hot paths.
+
+rules:
+  - id: nested_loops
+    severity: high
+    detect: nested loops over collections that produce O(n²) or worse complexity
+    examples:
+      - |
+        foreach users as user:
+            foreach roles as role:
+                check(user, role)
+
+  - id: brute_force_solution
+    severity: high
+    detect: brute-force solutions where a more efficient algorithm exists
+    examples:
+      - |
+        Linear scan to find an item that could use a hash map or index
+
+  - id: repeated_scans
+    severity: medium
+    detect: repeated scans or computations over the same data
+    examples:
+      - |
+        array.filter(...) called three times in the same function
+
+  - id: bad_time_complexity
+    severity: high
+    detect: algorithms with unnecessarily bad time complexity
+    examples:
+      - |
+        Sorting on every iteration instead of sorting once
+
+  - id: bad_memory_complexity
+    severity: medium
+    detect: algorithms with unnecessarily bad memory complexity
+    examples:
+      - |
+        Building a full copy of a large dataset to extract a single field
+
+  - id: excessive_allocations
+    severity: medium
+    detect: excessive object or array allocations in tight loops
+    examples:
+      - |
+        new Array() or {} construction inside a hot loop

package/rules/performance-db.yaml

@@ -0,0 +1,44 @@
+category: database_performance
+severity_context: >
+  Prioritize database access patterns that can cause production degradation, scaling
+  bottlenecks, or infrastructure overload. Always review ORM-heavy code with scale
+  assumptions in mind.
+
+rules:
+  - id: n_plus_one_queries
+    severity: high
+    detect: N+1 query patterns in hot paths
+    examples:
+      - |
+        foreach ($orders as $order) {
+            $order->user->name;
+        }
+
+  - id: unbounded_queries
+    severity: high
+    detect: unbounded queries without pagination or limits
+    examples:
+      - |
+        User::all()
+        SELECT * FROM orders
+
+  - id: overfetching
+    severity: medium
+    detect: overfetching by selecting all columns when only a subset is needed
+    examples:
+      - |
+        SELECT * FROM users WHERE id = 1
+
+  - id: missing_pagination
+    severity: high
+    detect: missing pagination or chunking on large result sets
+    examples:
+      - |
+        $users = User::where('active', true)->get()
+
+  - id: repeated_relationship_loading
+    severity: medium
+    detect: repeated relationship loading that should use eager loading
+    examples:
+      - |
+        $post->author inside a loop without ->with('author')

package/rules/performance-system.yaml

@@ -0,0 +1,37 @@
+category: distributed_system_performance
+severity_context: >
+  Prioritize distributed communication patterns that increase latency, reduce throughput,
+  or amplify cascading failures. Latency compounds across distributed systems.
+
+rules:
+  - id: synchronous_waterfall
+    severity: high
+    detect: synchronous request waterfalls where parallel execution is possible
+    examples:
+      - |
+        const user = await getUser(id)
+        const orders = await getOrders(id)
+        const billing = await getBilling(id)
+
+  - id: serialized_io_bottleneck
+    severity: high
+    detect: serialized I/O operations that could be parallelized
+    examples:
+      - |
+        await sendEmail()
+        await sendSMS()
+        await updateAnalytics()
+
+  - id: excessive_network_roundtrips
+    severity: high
+    detect: excessive network roundtrips that could be batched
+    examples:
+      - |
+        Fetching user, permissions, and settings as three separate API calls
+
+  - id: missing_redis_pipelining
+    severity: medium
+    detect: missing Redis pipelining or batching opportunities
+    examples:
+      - |
+        redis.get() called in a loop instead of mget or pipeline

package/rules/risk-patterns.yaml

@@ -0,0 +1,58 @@
+category: risk_patterns
+severity_context: >
+  Review systems assuming future misuse, scaling pressure, operator mistakes, and
+  evolving complexity. Flag anything that could become a silent footgun.
+
+rules:
+  - id: architectural_landmine
+    severity: high
+    detect: small helpers or utilities that have become implicit dependencies of many critical flows
+    examples:
+      - |
+        formatCurrency() now called by billing, invoicing, reporting, and emails
+
+  - id: operational_footgun
+    severity: high
+    detect: dangerous operations callable without safeguards or confirmation
+    examples:
+      - |
+        deleteAllUsers() with no confirmation or dry-run mode
+
+  - id: hidden_blast_radius
+    severity: high
+    detect: shared utilities or functions with hidden blast radius across critical domains
+    examples:
+      - |
+        normalizeUser() used by auth, billing, and orders without isolation
+
+  - id: sharp_api_edges
+    severity: medium
+    detect: API or function signatures that accept unsafe or nullable combinations
+    examples:
+      - |
+        function process(user, config = null, override = false)
+
+  - id: dangerous_defaults
+    severity: critical
+    detect: dangerous default values that could cause production issues
+    examples:
+      - |
+        isProduction = false
+        skipAuth = true
+        dryRun = false
+
+  - id: fragile_assumptions
+    severity: high
+    detect: fragile assumptions about system state that will break under scale or concurrency
+    examples:
+      - |
+        assume event ordering
+        assume single worker
+        assume in-memory cache is current
+
+  - id: single_point_of_failure
+    severity: high
+    detect: single points of failure in critical orchestration flows
+    examples:
+      - |
+        One service handles all payment orchestration with no fallback

package/rules/simplicity.yaml

@@ -0,0 +1,85 @@
+category: simplicity_clarity
+severity_context: >
+  Keep implementations cognitively cheap. Optimize for readability and intent clarity.
+
+rules:
+  - id: redundant_checking
+    severity: medium
+    detect: redundant null/existence checking
+    examples:
+      - |
+        if x exists:
+            if x is not null:
+                process(x)
+
+  - id: redundant_normalization
+    severity: low
+    detect: redundant normalization or transformation steps
+    examples:
+      - |
+        trim(lowercase(trim(value)))
+
+  - id: redundant_type_casting
+    severity: low
+    detect: redundant type casting or conversion
+    examples:
+      - |
+        toInt(parseInt(value))
+
+  - id: verbose_defensive_programming
+    severity: medium
+    detect: overly verbose defensive guard chains
+    examples:
+      - |
+        if array exists:
+            if length > 0:
+                if first item exists:
+
+  - id: nested_conditionals
+    severity: medium
+    detect: deeply nested if/else blocks that should be flattened or extracted
+    examples:
+      - |
+        if a:
+            if b:
+                if c:
+                    execute()
+
+  - id: chained_ternaries
+    severity: medium
+    detect: chained ternaries beyond simple cases
+    examples:
+      - |
+        x = a ? b : c ? d : e ? f : g
+
+  - id: large_conditional_chains
+    severity: medium
+    detect: large if/else-if chains that should use switch or a lookup table
+    examples:
+      - |
+        if type == 'A'
+        else if type == 'B'
+        else if type == 'C'
+
+  - id: complex_inline_boolean
+    severity: medium
+    detect: overly complex inline boolean conditions
+    examples:
+      - |
+        if a && b && !c && (d || e) && f:
+
+  - id: unclear_naming
+    severity: medium
+    detect: unclear or non-intent-revealing naming for functions, variables, or classes
+    examples:
+      - |
+        processData2()
+        doThing()
+        handleStuff()
+
+  - id: accidental_complexity
+    severity: high
+    detect: accidental complexity through unnecessary abstraction layers
+    examples:
+      - |
+        FactoryManagerResolverBuilder

package/schemas/rule.schema.json

@@ -0,0 +1,52 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "RedlineReviewRuleFile",
+  "type": "object",
+  "required": ["category", "rules"],
+  "properties": {
+    "category": {
+      "type": "string",
+      "description": "Snake-case category identifier"
+    },
+    "severity_context": {
+      "type": "string",
+      "description": "Guidance for how the LLM should prioritize severity within this category"
+    },
+    "rules": {
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/Rule"
+      }
+    }
+  },
+  "definitions": {
+    "Rule": {
+      "type": "object",
+      "required": ["id", "severity", "detect"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "description": "Snake-case unique identifier for the rule"
+        },
+        "severity": {
+          "type": "string",
+          "enum": ["critical", "high", "medium", "low"]
+        },
+        "detect": {
+          "type": "string",
+          "description": "Human-readable description of what to detect"
+        },
+        "examples": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Code examples demonstrating the anti-pattern"
+        },
+        "keywords": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Keywords used for auto domain detection from diffs"
+        }
+      }
+    }
+  }
+}