vibecheck-ai 2.0.1 → 5.0.0

package/dist/scanner/index.js

@@ -0,0 +1,3395 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/scanner/index.ts
+var scanner_exports = {};
+__export(scanner_exports, {
+  ALL_ENGINES: () => ALL_ENGINES,
+  RULE_CATALOG: () => RULE_CATALOG,
+  applyFixes: () => applyFixes,
+  classifyPath: () => classifyPath,
+  fix: () => fix,
+  getRuleOrDefault: () => getRuleOrDefault,
+  scan: () => scan
+});
+module.exports = __toCommonJS(scanner_exports);
+var import_fs3 = require("fs");
+var import_path4 = require("path");
+var import_crypto = require("crypto");
+
+// src/scanner/classifiers/path-classifier.ts
+var import_path = require("path");
+var CATEGORY_PATTERNS = [
+  {
+    category: "third_party",
+    excludeByDefault: true,
+    patterns: [
+      /node_modules\//,
+      /vendor\//,
+      /\.yarn\//,
+      /\.pnpm\//,
+      /bower_components\//,
+      /packages\/.*\/node_modules/
+    ]
+  },
+  {
+    category: "build_output",
+    excludeByDefault: true,
+    patterns: [
+      /\/dist\//,
+      /\/build\//,
+      /\/.next\//,
+      /\/.nuxt\//,
+      /\/\.output\//,
+      /\/out\//,
+      /\/coverage\//,
+      /\/__generated__\//,
+      /\.min\.(js|css)$/,
+      /\.bundle\.(js|css)$/,
+      /\.chunk\.(js|css)$/
+    ]
+  },
+  {
+    category: "generated",
+    excludeByDefault: true,
+    patterns: [
+      /\.d\.ts$/,
+      /generated\//,
+      /\.gen\.(ts|js)$/,
+      /prisma\/generated\//,
+      /graphql\/generated\//,
+      /swagger-output\./,
+      /openapi-generated\//,
+      /\.lock$/,
+      /lock\.json$/
+    ]
+  },
+  {
+    category: "test",
+    excludeByDefault: false,
+    // We scan tests separately
+    patterns: [
+      /\.(test|spec)\.(ts|tsx|js|jsx)$/,
+      /__tests__\//,
+      /__mocks__\//,
+      /\.stories\.(ts|tsx|js|jsx)$/,
+      /\.storybook\//,
+      /test-utils?\.(ts|tsx|js|jsx)$/,
+      /fixtures?\//,
+      /cypress\//,
+      /playwright\//,
+      /e2e\//,
+      /setupTests\.(ts|js)$/,
+      /jest\.config\./,
+      /vitest\.config\./
+    ]
+  },
+  {
+    category: "config",
+    excludeByDefault: false,
+    patterns: [
+      /\.(config|rc)\.(ts|js|mjs|cjs|json|yaml|yml)$/,
+      /\.eslintrc/,
+      /\.prettierrc/,
+      /tsconfig.*\.json$/,
+      /\.babelrc/,
+      /tailwind\.config/,
+      /next\.config/,
+      /vite\.config/,
+      /webpack\.config/
+    ]
+  },
+  {
+    category: "documentation",
+    excludeByDefault: true,
+    patterns: [
+      /\.(md|mdx|rst|txt)$/,
+      /\/docs?\//,
+      /\/documentation\//,
+      /README/i,
+      /CHANGELOG/i,
+      /LICENSE/i,
+      /CONTRIBUTING/i
+    ]
+  }
+];
+var CRITICAL_PATH_PATTERNS = [
+  /\/api\//,
+  /\/auth\//,
+  /\/payment/,
+  /\/billing/,
+  /\/admin/,
+  /\/checkout/,
+  /\/users\//,
+  /\/account/,
+  /\/webhook/,
+  /\/security/,
+  /middleware\.(ts|js)/,
+  /\/lib\/auth/,
+  /\/lib\/db/,
+  /\/lib\/stripe/
+];
+var ALWAYS_EXCLUDE = [
+  /\.git\//,
+  /\.DS_Store$/,
+  /thumbs\.db$/i,
+  /\.(png|jpg|jpeg|gif|webp|svg|ico|bmp|tiff?)$/i,
+  /\.(woff2?|ttf|eot|otf)$/i,
+  /\.(mp3|mp4|wav|ogg|webm|avi|mov)$/i,
+  /\.(pdf|doc|docx|xls|xlsx|ppt|pptx)$/i,
+  /\.(zip|tar|gz|bz2|7z|rar)$/i,
+  /\.(exe|dll|so|dylib|bin)$/i,
+  /\.(sqlite|db)$/i
+];
+function classifyPath(relativePath) {
+  const normalizedPath = relativePath.replace(/\\/g, "/");
+  for (const pattern of ALWAYS_EXCLUDE) {
+    if (pattern.test(normalizedPath)) {
+      return {
+        category: "build_output",
+        reason: `Binary/irrelevant file: ${pattern.source}`,
+        excludeByDefault: true,
+        isCriticalPath: false
+      };
+    }
+  }
+  for (const def of CATEGORY_PATTERNS) {
+    for (const pattern of def.patterns) {
+      if (pattern.test(normalizedPath)) {
+        return {
+          category: def.category,
+          reason: `Matched pattern: ${pattern.source}`,
+          excludeByDefault: def.excludeByDefault,
+          isCriticalPath: false
+        };
+      }
+    }
+  }
+  const isCritical = CRITICAL_PATH_PATTERNS.some((p) => p.test(normalizedPath));
+  return {
+    category: "user_code",
+    reason: "Application source code",
+    excludeByDefault: false,
+    isCriticalPath: isCritical
+  };
+}
+function isCodeFile(filePath) {
+  const ext = (0, import_path.extname)(filePath).toLowerCase();
+  return [
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".py",
+    ".java",
+    ".go",
+    ".rs",
+    ".rb",
+    ".php",
+    ".vue",
+    ".svelte"
+  ].includes(ext);
+}
+function isUIFile(filePath) {
+  const ext = (0, import_path.extname)(filePath).toLowerCase();
+  return [".tsx", ".jsx", ".vue", ".svelte"].includes(ext);
+}
+function escalateSeverity(severity, isCriticalPath) {
+  if (!isCriticalPath) return severity;
+  const escalation = {
+    low: "medium",
+    medium: "high",
+    high: "critical",
+    critical: "critical"
+  };
+  return escalation[severity];
+}
+
+// src/scanner/utils/dedup.ts
+var SEVERITY_ORDER = {
+  critical: 4,
+  high: 3,
+  medium: 2,
+  low: 1
+};
+function deduplicateFindings(findings) {
+  const groups = /* @__PURE__ */ new Map();
+  for (const finding of findings) {
+    const key = `${finding.file}:${finding.line}`;
+    if (!groups.has(key)) {
+      groups.set(key, []);
+    }
+    groups.get(key).push(finding);
+  }
+  const deduplicated = [];
+  let suppressedCount = 0;
+  for (const [, group] of groups) {
+    if (group.length === 1) {
+      deduplicated.push(group[0]);
+      continue;
+    }
+    const subGroups = /* @__PURE__ */ new Map();
+    for (const f of group) {
+      const subKey = f.category;
+      if (!subGroups.has(subKey)) subGroups.set(subKey, []);
+      subGroups.get(subKey).push(f);
+    }
+    for (const [, subGroup] of subGroups) {
+      if (subGroup.length === 1) {
+        deduplicated.push(subGroup[0]);
+        continue;
+      }
+      subGroup.sort((a, b) => {
+        const confDiff = b.confidenceScore - a.confidenceScore;
+        if (confDiff !== 0) return confDiff;
+        return (SEVERITY_ORDER[b.severity] ?? 0) - (SEVERITY_ORDER[a.severity] ?? 0);
+      });
+      const best = { ...subGroup[0] };
+      const allTags = /* @__PURE__ */ new Set();
+      for (const f of subGroup) {
+        for (const tag of f.tags) allTags.add(tag);
+      }
+      best.tags = Array.from(allTags);
+      const uniqueEngines = new Set(subGroup.map((f) => f.engine));
+      if (uniqueEngines.size >= 2) {
+        best.verified = true;
+        if (best.severity !== "critical") {
+          const maxSeverity = subGroup.reduce(
+            (max, f) => SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[max] ? f.severity : max,
+            best.severity
+          );
+          best.severity = maxSeverity;
+        }
+        best.confidenceScore = Math.min(99, best.confidenceScore + 5);
+      }
+      deduplicated.push(best);
+      suppressedCount += subGroup.length - 1;
+    }
+  }
+  deduplicated.sort((a, b) => {
+    const sevDiff = (SEVERITY_ORDER[b.severity] ?? 0) - (SEVERITY_ORDER[a.severity] ?? 0);
+    if (sevDiff !== 0) return sevDiff;
+    return b.confidenceScore - a.confidenceScore;
+  });
+  return { deduplicated, suppressedCount };
+}
+
+// src/scanner/rules/catalog.ts
+var RULE_CATALOG = {
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CREDENTIALS (CRED)
+  // ═══════════════════════════════════════════════════════════════════════════
+  CRED001: {
+    ruleId: "CRED001",
+    name: "Hardcoded API Key",
+    category: "credentials",
+    severity: "critical",
+    description: "Hardcoded API key (Stripe, AWS, OpenAI, etc.) in source code",
+    why: "If your code is ever exposed (git push, npm publish, source maps), these credentials will be compromised. Attackers automate scanning for leaked keys.",
+    fix: "Move to environment variable. Use process.env.API_KEY and add to .env (gitignored).",
+    tags: ["secrets", "api-key", "credentials"],
+    autoFixable: false,
+    cwe: "CWE-798"
+  },
+  CRED002: {
+    ruleId: "CRED002",
+    name: "Hardcoded Password",
+    category: "credentials",
+    severity: "critical",
+    description: "Hardcoded password or database credential in source code",
+    why: "Passwords in code can be extracted from builds, logs, or version history. A single leaked DB password can compromise all user data.",
+    fix: "Use environment variables or a secrets manager (Vault, AWS Secrets Manager).",
+    tags: ["secrets", "password", "database"],
+    autoFixable: false,
+    cwe: "CWE-798"
+  },
+  CRED003: {
+    ruleId: "CRED003",
+    name: "Hardcoded JWT Secret",
+    category: "credentials",
+    severity: "critical",
+    description: "JWT signing secret hardcoded in source",
+    why: "Anyone with the JWT secret can forge authentication tokens and impersonate any user, including admins.",
+    fix: "Store in JWT_SECRET environment variable. Rotate regularly.",
+    tags: ["secrets", "jwt", "auth"],
+    autoFixable: false,
+    cwe: "CWE-798"
+  },
+  CRED004: {
+    ruleId: "CRED004",
+    name: "Private Key in Source",
+    category: "credentials",
+    severity: "critical",
+    description: "Private key (RSA, PEM, SSH) embedded in source code",
+    why: "Private keys grant access to encrypted communications, server authentication, and code signing. A leaked key requires full rotation.",
+    fix: "Store in secure key management. Load from file path in env var.",
+    tags: ["secrets", "private-key", "cryptography"],
+    autoFixable: false,
+    cwe: "CWE-321"
+  },
+  CRED005: {
+    ruleId: "CRED005",
+    name: "Connection String Exposed",
+    category: "credentials",
+    severity: "critical",
+    description: "Database connection string with credentials in source",
+    why: "Connection strings contain host, username, password, and database name. One string = complete database access.",
+    fix: "Use DATABASE_URL environment variable. Never commit .env files.",
+    tags: ["secrets", "database", "connection-string"],
+    autoFixable: false,
+    cwe: "CWE-798"
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // SECURITY (SEC)
+  // ═══════════════════════════════════════════════════════════════════════════
+  SEC001: {
+    ruleId: "SEC001",
+    name: "SQL Injection Risk",
+    category: "security",
+    severity: "critical",
+    description: "User input concatenated into SQL query",
+    why: "SQL injection allows attackers to read, modify, or delete all database data. It remains the #1 web vulnerability.",
+    fix: "Use parameterized queries or an ORM. Never concatenate user input into SQL.",
+    tags: ["injection", "sql", "database"],
+    autoFixable: false,
+    cwe: "CWE-89"
+  },
+  SEC002: {
+    ruleId: "SEC002",
+    name: "Command Injection Risk",
+    category: "security",
+    severity: "critical",
+    description: "User input passed to shell execution (exec, execSync, spawn)",
+    why: "Command injection lets attackers run arbitrary OS commands on your server \u2014 install backdoors, exfiltrate data, destroy files.",
+    fix: "Use execFile() with args array. Never pass user input to exec().",
+    tags: ["injection", "command", "shell"],
+    autoFixable: false,
+    cwe: "CWE-78"
+  },
+  SEC003: {
+    ruleId: "SEC003",
+    name: "XSS Vulnerability",
+    category: "security",
+    severity: "high",
+    description: "Unescaped user input rendered in HTML (innerHTML, dangerouslySetInnerHTML)",
+    why: "XSS lets attackers execute JavaScript in other users' browsers \u2014 steal sessions, redirect to phishing, deface UI.",
+    fix: "Use textContent instead of innerHTML. Sanitize with DOMPurify if HTML is required.",
+    tags: ["xss", "injection", "html"],
+    autoFixable: false,
+    cwe: "CWE-79"
+  },
+  SEC004: {
+    ruleId: "SEC004",
+    name: "Path Traversal Risk",
+    category: "security",
+    severity: "high",
+    description: "User input used in file path without sanitization",
+    why: "Path traversal (../../etc/passwd) lets attackers read any file on the server, including configs and secrets.",
+    fix: "Use path.resolve() and verify the result is within allowed directory.",
+    tags: ["path-traversal", "file-access"],
+    autoFixable: false,
+    cwe: "CWE-22"
+  },
+  SEC005: {
+    ruleId: "SEC005",
+    name: "SSRF Risk",
+    category: "security",
+    severity: "high",
+    description: "User-controlled URL passed to server-side fetch/request",
+    why: "SSRF lets attackers make your server request internal services, cloud metadata endpoints (169.254.169.254), or scan your network.",
+    fix: "Validate URL against allowlist of domains. Block private IPs.",
+    tags: ["ssrf", "network"],
+    autoFixable: false,
+    cwe: "CWE-918"
+  },
+  SEC006: {
+    ruleId: "SEC006",
+    name: "Prototype Pollution",
+    category: "security",
+    severity: "high",
+    description: "__proto__ or prototype[] manipulation detected",
+    why: "Prototype pollution can lead to property injection across all objects, causing auth bypass or RCE.",
+    fix: "Use Object.create(null) for lookup objects. Validate property names.",
+    tags: ["prototype-pollution", "injection"],
+    autoFixable: false,
+    cwe: "CWE-1321"
+  },
+  SEC007: {
+    ruleId: "SEC007",
+    name: "eval() Usage",
+    category: "security",
+    severity: "critical",
+    description: "eval() or new Function() with potentially dynamic input",
+    why: "eval() executes arbitrary code. If any input is user-controlled, it's equivalent to giving the attacker a shell.",
+    fix: "Use JSON.parse() for data. Use a sandboxed interpreter for expressions.",
+    tags: ["eval", "code-execution"],
+    autoFixable: false,
+    cwe: "CWE-95"
+  },
+  SEC008: {
+    ruleId: "SEC008",
+    name: "Mass Assignment",
+    category: "security",
+    severity: "high",
+    description: "Request body spread directly into database/object update",
+    why: `Mass assignment lets attackers set fields they shouldn't (isAdmin: true, role: "admin") by adding extra fields to requests.`,
+    fix: "Whitelist allowed fields explicitly. Use DTOs or pick() to select safe properties.",
+    tags: ["mass-assignment", "injection"],
+    autoFixable: false,
+    cwe: "CWE-915"
+  },
+  SEC009: {
+    ruleId: "SEC009",
+    name: "Insecure Randomness",
+    category: "security",
+    severity: "high",
+    description: "Math.random() used for security-sensitive values (tokens, IDs, secrets)",
+    why: "Math.random() is not cryptographically secure. Tokens generated with it can be predicted.",
+    fix: "Use crypto.randomUUID() or crypto.randomBytes() for security-sensitive values.",
+    tags: ["randomness", "cryptography"],
+    autoFixable: true,
+    cwe: "CWE-330"
+  },
+  SEC010: {
+    ruleId: "SEC010",
+    name: "Regex DoS Risk",
+    category: "security",
+    severity: "medium",
+    description: "Regular expression with catastrophic backtracking potential",
+    why: "A crafted input string can make a vulnerable regex take minutes/hours, causing denial of service.",
+    fix: "Use linear-time regex engines (re2) or simplify the pattern.",
+    tags: ["redos", "regex", "dos"],
+    autoFixable: false,
+    cwe: "CWE-1333"
+  },
+  SEC011: {
+    ruleId: "SEC011",
+    name: "Unfiltered DELETE/DROP",
+    category: "security",
+    severity: "critical",
+    description: "DELETE FROM or DROP TABLE without WHERE clause",
+    why: "Unfiltered destructive SQL operations can wipe entire tables in a single request.",
+    fix: "Always include WHERE clause. Add confirmation logic for destructive operations.",
+    tags: ["sql", "destructive"],
+    autoFixable: false,
+    cwe: "CWE-89"
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // HALLUCINATIONS (HAL) — AI-specific detection
+  // ═══════════════════════════════════════════════════════════════════════════
+  HAL001: {
+    ruleId: "HAL001",
+    name: "Fake npm Package",
+    category: "hallucinations",
+    severity: "critical",
+    description: "Import from a package that doesn't exist on npm",
+    why: "AI models frequently hallucinate package names. Installing a non-existent package can pull in a typosquatting malware package instead.",
+    fix: "Verify package exists on npmjs.com before importing. Check package.json dependencies.",
+    tags: ["hallucination", "npm", "supply-chain"],
+    autoFixable: false,
+    cwe: "CWE-829"
+  },
+  HAL002: {
+    ruleId: "HAL002",
+    name: "Fake API Method",
+    category: "hallucinations",
+    severity: "high",
+    description: "Call to a method that doesn't exist on the referenced library/object",
+    why: "AI models invent plausible-sounding method names. Code compiles in TS only with 'any' types, then crashes at runtime.",
+    fix: "Check the library's actual API documentation. Use TypeScript strict mode.",
+    tags: ["hallucination", "api", "method"],
+    autoFixable: false
+  },
+  HAL003: {
+    ruleId: "HAL003",
+    name: "Placeholder URL",
+    category: "hallucinations",
+    severity: "high",
+    description: "URL containing example.com, placeholder, or clearly fake domain",
+    why: "AI generates placeholder URLs that look real. Shipping these means features silently fail or hit wrong endpoints.",
+    fix: "Replace with actual API endpoint from environment variable.",
+    tags: ["hallucination", "url", "placeholder"],
+    autoFixable: false
+  },
+  HAL004: {
+    ruleId: "HAL004",
+    name: "Invented Config Option",
+    category: "hallucinations",
+    severity: "medium",
+    description: "Configuration key that doesn't exist in the library's schema",
+    why: "AI invents plausible config options. The option is silently ignored, and the expected behavior never activates.",
+    fix: "Check the library docs for valid configuration options.",
+    tags: ["hallucination", "config"],
+    autoFixable: false
+  },
+  HAL005: {
+    ruleId: "HAL005",
+    name: "Ghost Route",
+    category: "hallucinations",
+    severity: "high",
+    description: "Frontend references an API route that doesn't exist in the backend",
+    why: "AI generates matching frontend + backend code, but sometimes only one side. The missing route means the feature silently 404s.",
+    fix: "Verify route exists in your API. Run vibecheck truth to generate route manifest.",
+    tags: ["hallucination", "route", "api"],
+    autoFixable: false
+  },
+  HAL006: {
+    ruleId: "HAL006",
+    name: "Ghost Env Variable",
+    category: "hallucinations",
+    severity: "high",
+    description: "process.env.X references a variable not declared in any .env file",
+    why: "AI adds env var references without updating .env. The code silently uses undefined, causing subtle runtime bugs.",
+    fix: "Add the variable to .env.example and .env. Use required() wrapper for critical vars.",
+    tags: ["hallucination", "env", "config"],
+    autoFixable: true
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // FAKE FEATURES (FAKE) — Stubs, placeholders, empty implementations
+  // ═══════════════════════════════════════════════════════════════════════════
+  FAKE001: {
+    ruleId: "FAKE001",
+    name: "Empty Function Body",
+    category: "fake-features",
+    severity: "high",
+    description: "Function declared but body is empty or returns nothing",
+    why: "AI generates function signatures that look complete but have empty bodies. The feature appears to exist but does nothing.",
+    fix: "Implement the function body or remove if not needed.",
+    tags: ["stub", "empty", "fake-feature"],
+    autoFixable: false
+  },
+  FAKE002: {
+    ruleId: "FAKE002",
+    name: "Hardcoded Success",
+    category: "fake-features",
+    severity: "high",
+    description: "Function always returns true/success without doing actual work",
+    why: "Auth checks, validation, and payment processing that always return success means no actual protection is in place.",
+    fix: "Implement actual logic. If intentionally stubbed, add @stub annotation.",
+    tags: ["fake-success", "stub", "auth"],
+    autoFixable: false
+  },
+  FAKE003: {
+    ruleId: "FAKE003",
+    name: "Silent Error Swallowing",
+    category: "fake-features",
+    severity: "high",
+    description: "Empty catch block or catch that returns null/undefined",
+    why: "Silent failures hide bugs. Users see no error but the operation didn't complete. Data loss and corruption follow.",
+    fix: "Log the error and either re-throw, return error state, or handle gracefully.",
+    tags: ["error-handling", "silent-failure"],
+    autoFixable: false
+  },
+  FAKE004: {
+    ruleId: "FAKE004",
+    name: "Placeholder/TODO in Production",
+    category: "fake-features",
+    severity: "medium",
+    description: "TODO, FIXME, HACK, WIP, CHANGEME markers in production code",
+    why: "Placeholder markers indicate incomplete implementation. Shipping them means features are partially broken.",
+    fix: "Complete the implementation or create a tracked issue.",
+    tags: ["placeholder", "todo", "incomplete"],
+    autoFixable: false
+  },
+  FAKE005: {
+    ruleId: "FAKE005",
+    name: "Auth Bypass Pattern",
+    category: "fake-features",
+    severity: "critical",
+    description: "Authentication check that can be bypassed (skipAuth, isAdmin=true)",
+    why: "Auth bypasses in code are the most common security vulnerability. Any user can access protected resources.",
+    fix: "Remove the bypass. Use proper role-based access control.",
+    tags: ["auth", "bypass", "security"],
+    autoFixable: false,
+    cwe: "CWE-287"
+  },
+  FAKE006: {
+    ruleId: "FAKE006",
+    name: "Dangerous Default Value",
+    category: "fake-features",
+    severity: "high",
+    description: "Secret/credential env var with insecure fallback default",
+    why: "If the env var is missing, the insecure default is used in production \u2014 often a test key or empty string.",
+    fix: "Throw an error if required env vars are missing. Never provide fallback defaults for secrets.",
+    tags: ["default", "secret", "env"],
+    autoFixable: false
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // DEAD UI (UI)
+  // ═══════════════════════════════════════════════════════════════════════════
+  UI001: {
+    ruleId: "UI001",
+    name: "Dead Link",
+    category: "dead-ui",
+    severity: "high",
+    description: 'href="#" or javascript:void(0) \u2014 link goes nowhere',
+    why: "Dead links frustrate users and indicate unfinished UI. Screen readers announce them as real links.",
+    fix: "Replace with actual route, use <button> for actions, or remove.",
+    tags: ["ui", "accessibility", "dead-link"],
+    autoFixable: false
+  },
+  UI002: {
+    ruleId: "UI002",
+    name: "Noop Click Handler",
+    category: "dead-ui",
+    severity: "high",
+    description: "onClick={() => {}} \u2014 button/element does nothing when clicked",
+    why: "Users click the button expecting something to happen. Nothing does. This erodes trust in the entire application.",
+    fix: "Implement the handler or remove the onClick.",
+    tags: ["ui", "noop", "handler"],
+    autoFixable: false
+  },
+  UI003: {
+    ruleId: "UI003",
+    name: "Coming Soon in Production",
+    category: "dead-ui",
+    severity: "medium",
+    description: '"Coming soon", "under construction", "not available" in production UI',
+    why: "Users see a broken product. Competitors see an incomplete product. Neither is a good look.",
+    fix: "Hide the feature until ready, or implement it.",
+    tags: ["ui", "placeholder", "coming-soon"],
+    autoFixable: false
+  },
+  UI004: {
+    ruleId: "UI004",
+    name: "Disabled Without Reason",
+    category: "dead-ui",
+    severity: "medium",
+    description: "Disabled button/input without tooltip or explanation",
+    why: "Users don't know why they can't click. This is a UX and accessibility failure.",
+    fix: "Add tooltip, aria-label, or visible text explaining why it's disabled.",
+    tags: ["ui", "accessibility", "disabled"],
+    autoFixable: false
+  },
+  UI005: {
+    ruleId: "UI005",
+    name: "Raw Fetch in Component",
+    category: "dead-ui",
+    severity: "low",
+    description: 'Direct fetch("/api/...") call in a UI component',
+    why: "Scattered fetch calls are hard to maintain, don't handle loading/error states consistently, and bypass caching.",
+    fix: "Use React Query, SWR, tRPC, or a centralized API client.",
+    tags: ["ui", "fetch", "architecture"],
+    autoFixable: false
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // CODE QUALITY (QLT)
+  // ═══════════════════════════════════════════════════════════════════════════
+  QLT001: {
+    ruleId: "QLT001",
+    name: "Console.log in Production",
+    category: "code-quality",
+    severity: "medium",
+    description: "console.log/debug/trace statement in production code",
+    why: "Console logs leak information in browser devtools, slow down rendering, and indicate debug code left behind.",
+    fix: "Remove or replace with a proper logging library (winston, pino).",
+    tags: ["console", "debug", "quality"],
+    autoFixable: true
+  },
+  QLT002: {
+    ruleId: "QLT002",
+    name: "Debugger Statement",
+    category: "code-quality",
+    severity: "high",
+    description: "debugger statement left in production code",
+    why: "Debugger statements freeze the browser for any user with devtools open. In production, this is a showstopper.",
+    fix: "Remove the debugger statement.",
+    tags: ["debugger", "debug", "quality"],
+    autoFixable: true
+  },
+  QLT003: {
+    ruleId: "QLT003",
+    name: "Hardcoded Mock Data",
+    category: "code-quality",
+    severity: "high",
+    description: "Mock/fake/dummy data in production source files",
+    why: "Mock data makes features look functional but returns stale/fake information to real users.",
+    fix: "Connect to actual data source. Move mock data to test files.",
+    tags: ["mock", "fake-data", "quality"],
+    autoFixable: false
+  },
+  QLT004: {
+    ruleId: "QLT004",
+    name: "Unused Import",
+    category: "code-quality",
+    severity: "low",
+    description: "Import that is never used in the file",
+    why: "Unused imports increase bundle size and confuse other developers about what the file depends on.",
+    fix: "Remove the unused import.",
+    tags: ["unused", "import", "quality"],
+    autoFixable: true
+  },
+  QLT005: {
+    ruleId: "QLT005",
+    name: "Type Assertion Abuse",
+    category: "code-quality",
+    severity: "medium",
+    description: '"as any" or type assertion bypassing type safety',
+    why: "Type assertions silence the compiler but don't fix the underlying type issue. Runtime errors follow.",
+    fix: "Fix the type properly. Use type guards or proper generic types.",
+    tags: ["typescript", "type-safety", "quality"],
+    autoFixable: false
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // IMPORT GRAPH (IG) — Cross-file structural analysis
+  // ═══════════════════════════════════════════════════════════════════════════
+  IG001: {
+    ruleId: "IG001",
+    name: "Circular Dependency",
+    category: "import-graph",
+    severity: "high",
+    description: "Circular import chain detected between modules",
+    why: "Circular dependencies cause unpredictable initialization order, undefined values at import time, and make refactoring dangerous.",
+    fix: "Extract shared types/interfaces into a separate module. Break the cycle with dependency inversion.",
+    tags: ["imports", "circular", "architecture"],
+    autoFixable: false
+  },
+  IG002: {
+    ruleId: "IG002",
+    name: "Orphan Module",
+    category: "import-graph",
+    severity: "medium",
+    description: "File is never imported by any other module in the project",
+    why: "Orphan modules are dead code that increases bundle size, confuses developers, and accumulates tech debt.",
+    fix: "Delete the file if unused, or add it to your entry points if it should be included.",
+    tags: ["imports", "dead-code", "orphan"],
+    autoFixable: false
+  },
+  IG003: {
+    ruleId: "IG003",
+    name: "Ghost Route",
+    category: "import-graph",
+    severity: "high",
+    description: "Frontend fetches an API route that has no corresponding backend handler",
+    why: "Ghost routes cause silent 404s in production. Users see loading spinners that never resolve or cryptic error messages.",
+    fix: "Create the missing API route handler, or remove the frontend fetch call.",
+    tags: ["imports", "route", "api", "ghost"],
+    autoFixable: false
+  },
+  IG004: {
+    ruleId: "IG004",
+    name: "Ghost Env Variable",
+    category: "import-graph",
+    severity: "high",
+    description: "process.env.X referenced in code but not declared in any .env file",
+    why: "Missing env vars silently evaluate to undefined, causing features to break in production with no error message.",
+    fix: "Add the variable to .env and .env.example with a placeholder value.",
+    tags: ["env", "config", "ghost"],
+    autoFixable: true
+  },
+  IG005: {
+    ruleId: "IG005",
+    name: "Barrel Re-export Bloat",
+    category: "import-graph",
+    severity: "low",
+    description: "Barrel index.ts re-exports everything, defeating tree-shaking",
+    why: "Barrel files that re-export entire modules prevent bundlers from tree-shaking unused code, increasing bundle size.",
+    fix: "Use direct imports instead of barrel imports for large modules.",
+    tags: ["imports", "barrel", "performance"],
+    autoFixable: false
+  },
+  // ═══════════════════════════════════════════════════════════════════════════
+  // RUNTIME VERIFY (RV) — Static analysis for runtime issues
+  // ═══════════════════════════════════════════════════════════════════════════
+  RV001: {
+    ruleId: "RV001",
+    name: "Unhandled Promise",
+    category: "runtime-verify",
+    severity: "high",
+    description: "Promise chain without .catch() or try/catch around await",
+    why: "Unhandled promise rejections crash Node.js processes and leave users with white screens in browsers.",
+    fix: "Add .catch() to the promise chain, or wrap await in try/catch.",
+    tags: ["async", "promise", "error-handling"],
+    autoFixable: false,
+    cwe: "CWE-755"
+  },
+  RV002: {
+    ruleId: "RV002",
+    name: "Async Without Await",
+    category: "runtime-verify",
+    severity: "medium",
+    description: "Async function declared but never uses await",
+    why: "An async function without await still returns a Promise, which can mask bugs if the caller doesn't await it.",
+    fix: "Remove async keyword if not needed, or add await for async operations inside.",
+    tags: ["async", "promise", "quality"],
+    autoFixable: false
+  },
+  RV003: {
+    ruleId: "RV003",
+    name: "Dead Export",
+    category: "runtime-verify",
+    severity: "medium",
+    description: "Exported function/variable is never imported by any other file",
+    why: "Dead exports increase API surface area, confuse developers about the public API, and prevent safe refactoring.",
+    fix: "Remove the export keyword if the symbol is only used locally, or delete if truly unused.",
+    tags: ["exports", "dead-code", "quality"],
+    autoFixable: false
+  },
+  RV004: {
+    ruleId: "RV004",
+    name: "Floating Promise",
+    category: "runtime-verify",
+    severity: "high",
+    description: "Async function called without await, .then(), or void operator",
+    why: "Floating promises run in the background with no error handling. Failures are silently swallowed.",
+    fix: "Add await, .then()/.catch(), or prefix with void if intentionally fire-and-forget.",
+    tags: ["async", "promise", "fire-and-forget"],
+    autoFixable: false,
+    cwe: "CWE-755"
+  },
+  RV005: {
+    ruleId: "RV005",
+    name: "Race Condition Risk",
+    category: "runtime-verify",
+    severity: "medium",
+    description: "Shared mutable state accessed in async context without synchronization",
+    why: "Concurrent async operations reading/writing the same variable cause intermittent bugs that are extremely hard to reproduce.",
+    fix: "Use a mutex/lock, or restructure to avoid shared mutable state.",
+    tags: ["async", "race-condition", "concurrency"],
+    autoFixable: false
+  }
+};
+function getRuleOrDefault(ruleId) {
+  return RULE_CATALOG[ruleId] ?? {
+    ruleId,
+    name: ruleId,
+    category: "code-quality",
+    severity: "medium",
+    description: `Rule ${ruleId}`,
+    why: "See rule documentation.",
+    fix: "Review and fix the flagged code.",
+    tags: [],
+    autoFixable: false
+  };
+}
+
+// src/scanner/engines/credentials.ts
+var PATTERNS = [
+  // ── Live payment keys (always flag) ──
+  {
+    name: "stripe-live-secret",
+    ruleId: "CRED001",
+    regex: /['"`](sk_live_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "critical",
+    message: "Stripe live secret key hardcoded",
+    fix: "Use process.env.STRIPE_SECRET_KEY",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false,
+    cwe: "CWE-798"
+  },
+  {
+    name: "stripe-live-publishable",
+    ruleId: "CRED001",
+    regex: /['"`](pk_live_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "high",
+    message: "Stripe live publishable key hardcoded",
+    fix: "Use process.env.NEXT_PUBLIC_STRIPE_KEY",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "stripe-test-secret",
+    ruleId: "CRED001",
+    regex: /['"`](sk_test_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "high",
+    message: "Stripe test key hardcoded \u2014 use env var even for test keys",
+    fix: "Use process.env.STRIPE_TEST_KEY",
+    confidence: 90,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  // ── AWS ──
+  {
+    name: "aws-access-key",
+    ruleId: "CRED001",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/,
+    severity: "critical",
+    message: "AWS Access Key ID hardcoded",
+    fix: "Use AWS SDK credential chain or AWS_ACCESS_KEY_ID env var",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false,
+    cwe: "CWE-798"
+  },
+  {
+    name: "aws-secret-key",
+    ruleId: "CRED001",
+    regex: /aws_secret_access_key\s*[:=]\s*['"`]([^'"`]{20,})['"`]/i,
+    severity: "critical",
+    message: "AWS Secret Access Key hardcoded",
+    fix: "Use AWS_SECRET_ACCESS_KEY environment variable",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false,
+    cwe: "CWE-798"
+  },
+  // ── AI providers ──
+  {
+    name: "openai-key",
+    ruleId: "CRED001",
+    regex: /['"`](sk-[a-zA-Z0-9]{32,})['"`]/,
+    severity: "critical",
+    message: "OpenAI API key hardcoded",
+    fix: "Use process.env.OPENAI_API_KEY",
+    confidence: 92,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "anthropic-key",
+    ruleId: "CRED001",
+    regex: /['"`](sk-ant-[a-zA-Z0-9-]{20,})['"`]/,
+    severity: "critical",
+    message: "Anthropic API key hardcoded",
+    fix: "Use process.env.ANTHROPIC_API_KEY",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── GitHub / Git ──
+  {
+    name: "github-token",
+    ruleId: "CRED001",
+    regex: /['"`](ghp_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "GitHub personal access token hardcoded",
+    fix: "Use process.env.GITHUB_TOKEN",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "github-oauth",
+    ruleId: "CRED001",
+    regex: /['"`](gho_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "GitHub OAuth token hardcoded",
+    fix: "Use process.env.GITHUB_OAUTH_TOKEN",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── Google / Firebase ──
+  {
+    name: "google-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](AIza[0-9A-Za-z_-]{35})['"`]/,
+    severity: "high",
+    message: "Google API key hardcoded",
+    fix: "Use process.env.GOOGLE_API_KEY",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  // ── Generic secrets ──
+  {
+    name: "jwt-secret",
+    ruleId: "CRED003",
+    regex: /(?:jwt[_-]?secret|JWT_SECRET)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i,
+    severity: "critical",
+    message: "JWT signing secret hardcoded",
+    fix: "Use process.env.JWT_SECRET",
+    confidence: 90,
+    flagInTests: false,
+    skipInExamples: true,
+    cwe: "CWE-798"
+  },
+  {
+    name: "generic-password",
+    ruleId: "CRED002",
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`]([^'"`]{4,})['"`]/i,
+    severity: "high",
+    message: "Hardcoded password detected",
+    fix: "Use environment variable or secrets manager",
+    confidence: 75,
+    flagInTests: false,
+    skipInExamples: true,
+    cwe: "CWE-798"
+  },
+  {
+    name: "generic-secret",
+    ruleId: "CRED002",
+    regex: /(?:secret|api[_-]?key|auth[_-]?token)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i,
+    severity: "high",
+    message: "Hardcoded secret/token detected",
+    fix: "Use environment variable",
+    confidence: 70,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "private-key-pem",
+    ruleId: "CRED004",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+    severity: "critical",
+    message: "Private key embedded in source code",
+    fix: "Store key in file, reference via env var path",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false,
+    cwe: "CWE-321"
+  },
+  {
+    name: "connection-string",
+    ruleId: "CRED005",
+    regex: /['"`](?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\/\/[^'"`\s]{10,}['"`]/i,
+    severity: "critical",
+    message: "Database connection string with credentials in source",
+    fix: "Use DATABASE_URL environment variable",
+    confidence: 92,
+    flagInTests: false,
+    skipInExamples: true,
+    cwe: "CWE-798"
+  },
+  // ── Additional providers ──
+  {
+    name: "slack-token",
+    ruleId: "CRED001",
+    regex: /['"`](xox[bpoas]-[0-9a-zA-Z-]{10,})['"`]/,
+    severity: "critical",
+    message: "Slack token hardcoded",
+    fix: "Use process.env.SLACK_TOKEN",
+    confidence: 97,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "sendgrid-key",
+    ruleId: "CRED001",
+    regex: /['"`](SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})['"`]/,
+    severity: "critical",
+    message: "SendGrid API key hardcoded",
+    fix: "Use process.env.SENDGRID_API_KEY",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "twilio-key",
+    ruleId: "CRED001",
+    regex: /['"`](SK[a-f0-9]{32})['"`]/,
+    severity: "high",
+    message: "Twilio API key hardcoded",
+    fix: "Use process.env.TWILIO_API_KEY",
+    confidence: 85,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "npm-token",
+    ruleId: "CRED001",
+    regex: /['"`](npm_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "npm auth token hardcoded",
+    fix: "Use .npmrc with env var interpolation",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  }
+];
+var credentialsEngine = {
+  name: "credentials",
+  description: "Detects hardcoded API keys, secrets, passwords, tokens",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      const isTest = file.classification.category === "test";
+      const isExample = /\.(example|sample|template)\b/.test(file.path);
+      const isCritical = file.classification.isCriticalPath;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") && !trimmed.includes("=")) continue;
+        if (trimmed.startsWith("*")) continue;
+        for (const pattern of PATTERNS) {
+          if (isTest && !pattern.flagInTests) continue;
+          if (isExample && pattern.skipInExamples) continue;
+          const match = line.match(pattern.regex);
+          if (!match) continue;
+          if (pattern.name === "generic-password") {
+            if (/type\s|interface\s|placeholder|example/i.test(line)) continue;
+            const val = match[1];
+            if (!val || val.length < 6) continue;
+          }
+          if (pattern.name === "generic-secret") {
+            const val = match[1];
+            if (!val || /^[a-z_]+$/i.test(val)) continue;
+            if (/placeholder|example|your[_-]/i.test(val)) continue;
+          }
+          const rule = getRuleOrDefault(pattern.ruleId);
+          const severity = escalateSeverity(pattern.severity, isCritical);
+          findings.push({
+            id: `${pattern.ruleId}-${file.path}-${i + 1}`,
+            ruleId: pattern.ruleId,
+            engine: "credentials",
+            category: "credentials",
+            severity,
+            confidence: pattern.confidence >= 90 ? "certain" : pattern.confidence >= 70 ? "likely" : "possible",
+            confidenceScore: pattern.confidence,
+            file: file.path,
+            line: i + 1,
+            column: match.index,
+            code: trimmed,
+            message: pattern.message,
+            why: rule.why,
+            fix: pattern.fix,
+            autoFixable: false,
+            tags: rule.tags,
+            cwe: pattern.cwe,
+            verified: false,
+            _dedup: `${pattern.name}:${file.path}:${i + 1}`
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/security.ts
+var PATTERNS2 = [
+  // ── Injection ──
+  {
+    name: "sql-injection-concat",
+    ruleId: "SEC001",
+    regex: /(?:query|execute|raw)\s*\(\s*[`'"](?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\s[^`'"]*\$\{/i,
+    severity: "critical",
+    message: "SQL injection: template literal in query",
+    fix: 'Use parameterized queries: db.query("SELECT * FROM users WHERE id = $1", [userId])',
+    confidence: 92,
+    excludeInTests: true,
+    cwe: "CWE-89"
+  },
+  {
+    name: "sql-injection-plus",
+    ruleId: "SEC001",
+    regex: /(?:query|execute|raw)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)\s[^'"]*['"]\s*\+/i,
+    severity: "critical",
+    message: "SQL injection: string concatenation in query",
+    fix: "Use parameterized queries. Never concatenate user input into SQL.",
+    confidence: 90,
+    excludeInTests: true,
+    cwe: "CWE-89"
+  },
+  {
+    name: "unfiltered-delete",
+    ruleId: "SEC011",
+    regex: /DELETE\s+FROM\s+\w+\s*;?\s*$/im,
+    severity: "critical",
+    message: "Unfiltered DELETE statement (no WHERE clause)",
+    fix: "Add WHERE clause. Add confirmation logic for destructive operations.",
+    confidence: 85,
+    excludeInTests: true,
+    cwe: "CWE-89"
+  },
+  {
+    name: "drop-table",
+    ruleId: "SEC011",
+    regex: /DROP\s+TABLE/i,
+    severity: "critical",
+    message: "DROP TABLE statement in application code",
+    fix: "Use migrations for schema changes. Never DROP in application logic.",
+    confidence: 88,
+    excludeInTests: true
+  },
+  // ── Command Injection ──
+  {
+    name: "exec-template",
+    ruleId: "SEC002",
+    regex: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/,
+    severity: "critical",
+    message: "Command injection: template literal in shell command",
+    fix: 'Use execFile() with args array: execFile("cmd", [arg1, arg2])',
+    confidence: 95,
+    excludeInTests: true,
+    cwe: "CWE-78"
+  },
+  {
+    name: "exec-concat",
+    ruleId: "SEC002",
+    regex: /(?:exec|execSync)\s*\(\s*['"][^'"]*['"]\s*\+/,
+    severity: "critical",
+    message: "Command injection: concatenation in shell command",
+    fix: "Use execFile() with args array.",
+    confidence: 93,
+    excludeInTests: true,
+    cwe: "CWE-78"
+  },
+  {
+    name: "child-process-exec",
+    ruleId: "SEC002",
+    regex: /child_process\s*\.\s*exec\s*\(/,
+    severity: "high",
+    message: "child_process.exec() can run arbitrary shell commands",
+    fix: "Prefer execFile() or spawn() with explicit args array.",
+    confidence: 80,
+    excludeInTests: true,
+    cwe: "CWE-78"
+  },
+  // ── XSS ──
+  {
+    name: "innerhtml-assignment",
+    ruleId: "SEC003",
+    regex: /\.innerHTML\s*=/,
+    severity: "high",
+    message: "innerHTML assignment \u2014 potential XSS if content is user-controlled",
+    fix: "Use textContent for text. Use DOMPurify.sanitize() if HTML is needed.",
+    confidence: 75,
+    excludeInTests: true,
+    cwe: "CWE-79"
+  },
+  {
+    name: "dangerously-set-innerhtml",
+    ruleId: "SEC003",
+    regex: /dangerouslySetInnerHTML/,
+    severity: "high",
+    message: "dangerouslySetInnerHTML \u2014 ensure content is sanitized",
+    fix: "Sanitize with DOMPurify before passing to dangerouslySetInnerHTML.",
+    confidence: 70,
+    excludeInTests: true,
+    cwe: "CWE-79"
+  },
+  {
+    name: "document-write",
+    ruleId: "SEC003",
+    regex: /document\.write\s*\(/,
+    severity: "high",
+    message: "document.write() can overwrite entire page with unescaped content",
+    fix: "Use DOM manipulation methods instead.",
+    confidence: 80,
+    excludeInTests: true,
+    cwe: "CWE-79"
+  },
+  // ── Path Traversal ──
+  {
+    name: "path-traversal-join",
+    ruleId: "SEC004",
+    regex: /(?:path\.join|path\.resolve)\s*\([^)]*(?:req\.|params\.|query\.|body\.)/,
+    severity: "high",
+    message: "User input in file path \u2014 potential path traversal",
+    fix: "Validate resolved path is within allowed directory: resolvedPath.startsWith(allowedDir)",
+    confidence: 82,
+    excludeInTests: true,
+    cwe: "CWE-22"
+  },
+  {
+    name: "fs-read-user-input",
+    ruleId: "SEC004",
+    regex: /fs\.(?:readFile|readFileSync|createReadStream)\s*\([^)]*(?:req\.|params\.|query\.)/,
+    severity: "high",
+    message: "User input passed directly to file read operation",
+    fix: "Sanitize path and verify it's within allowed directory.",
+    confidence: 85,
+    excludeInTests: true,
+    cwe: "CWE-22"
+  },
+  // ── SSRF ──
+  {
+    name: "ssrf-fetch",
+    ruleId: "SEC005",
+    regex: /fetch\s*\(\s*(?:req\.|params\.|query\.|body\.|url|href)/,
+    severity: "high",
+    message: "User-controlled URL in server-side fetch \u2014 SSRF risk",
+    fix: "Validate URL against allowlist. Block private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x).",
+    confidence: 78,
+    excludeInTests: true,
+    cwe: "CWE-918"
+  },
+  {
+    name: "ssrf-axios",
+    ruleId: "SEC005",
+    regex: /axios\s*(?:\.get|\.post|\.put|\.delete|\.request)\s*\(\s*(?:req\.|params\.|query\.|body\.)/,
+    severity: "high",
+    message: "User-controlled URL in axios request \u2014 SSRF risk",
+    fix: "Validate URL against allowlist of allowed domains.",
+    confidence: 78,
+    excludeInTests: true,
+    cwe: "CWE-918"
+  },
+  // ── Code Execution ──
+  {
+    name: "eval-usage",
+    ruleId: "SEC007",
+    regex: /\beval\s*\(/,
+    severity: "critical",
+    message: "eval() can execute arbitrary code",
+    fix: "Use JSON.parse() for data. Use a sandboxed interpreter for expressions.",
+    confidence: 88,
+    excludeInTests: true,
+    cwe: "CWE-95",
+    validate: (line) => !/\/\/.*eval|['"]eval['"]/.test(line)
+  },
+  {
+    name: "new-function",
+    ruleId: "SEC007",
+    regex: /\bnew\s+Function\s*\(/,
+    severity: "critical",
+    message: "new Function() can execute arbitrary code",
+    fix: "Avoid dynamic code generation. Use a template engine or parser.",
+    confidence: 90,
+    excludeInTests: true,
+    cwe: "CWE-95"
+  },
+  // ── Prototype Pollution ──
+  {
+    name: "proto-access",
+    ruleId: "SEC006",
+    regex: /__proto__|prototype\s*\[/,
+    severity: "high",
+    message: "Prototype pollution risk \u2014 __proto__ or prototype[] access",
+    fix: "Use Object.create(null) for lookup objects. Validate property names.",
+    confidence: 82,
+    excludeInTests: true,
+    cwe: "CWE-1321"
+  },
+  {
+    name: "mass-assignment",
+    ruleId: "SEC008",
+    regex: /Object\.assign\s*\([^,]+,\s*req\.body/,
+    severity: "high",
+    message: "Mass assignment \u2014 spreading request body into object",
+    fix: "Whitelist allowed fields: const { name, email } = req.body",
+    confidence: 85,
+    excludeInTests: true,
+    cwe: "CWE-915"
+  },
+  {
+    name: "spread-req-body",
+    ruleId: "SEC008",
+    regex: /\{\s*\.\.\.req\.body\s*\}/,
+    severity: "high",
+    message: "Mass assignment \u2014 spreading request body directly",
+    fix: "Destructure only needed fields from req.body.",
+    confidence: 88,
+    excludeInTests: true,
+    cwe: "CWE-915"
+  },
+  // ── Insecure Randomness ──
+  {
+    name: "math-random-token",
+    ruleId: "SEC009",
+    regex: /Math\.random\s*\(\s*\).*(?:token|id|key|secret|session|nonce|csrf)/i,
+    severity: "high",
+    message: "Math.random() used for security-sensitive value",
+    fix: "Use crypto.randomUUID() or crypto.randomBytes()",
+    confidence: 85,
+    excludeInTests: true,
+    cwe: "CWE-330"
+  },
+  {
+    name: "math-random-hex",
+    ruleId: "SEC009",
+    regex: /Math\.random\(\)\.toString\((?:16|36)\)/,
+    severity: "medium",
+    message: "Math.random() for ID generation \u2014 not cryptographically secure",
+    fix: "Use crypto.randomUUID() for unique IDs",
+    confidence: 80,
+    excludeInTests: true,
+    cwe: "CWE-330"
+  },
+  // ── Destructive Operations ──
+  {
+    name: "rm-rf-root",
+    ruleId: "SEC002",
+    regex: /rm\s+-rf\s+\//,
+    severity: "critical",
+    message: "Recursive delete from root directory",
+    fix: "Use explicit, validated path. Never delete from root.",
+    confidence: 98,
+    excludeInTests: false
+  },
+  {
+    name: "rm-rf-wildcard",
+    ruleId: "SEC002",
+    regex: /rm\s+-rf\s+\*/,
+    severity: "critical",
+    message: "Recursive delete with wildcard",
+    fix: "Use explicit, validated path.",
+    confidence: 95,
+    excludeInTests: false
+  },
+  // ── Dynamic Require/Import ──
+  {
+    name: "dynamic-require",
+    ruleId: "SEC007",
+    regex: /require\s*\(\s*[^'"][a-zA-Z_$]/,
+    severity: "medium",
+    message: "Dynamic require() \u2014 path injection risk",
+    fix: "Use static imports. Validate path against allowlist if dynamic is needed.",
+    confidence: 72,
+    excludeInTests: true
+  },
+  {
+    name: "dynamic-import",
+    ruleId: "SEC007",
+    regex: /import\s*\(\s*[^'"][a-zA-Z_$]/,
+    severity: "medium",
+    message: "Dynamic import() \u2014 path injection risk",
+    fix: "Use static imports when possible. Validate path.",
+    confidence: 68,
+    excludeInTests: true
+  },
+  // ── File Deletion ──
+  {
+    name: "fs-unlink",
+    ruleId: "SEC002",
+    regex: /fs\.(?:unlink|rmdir|rm)(?:Sync)?\s*\(/,
+    severity: "medium",
+    message: "File/directory deletion \u2014 ensure path is validated",
+    fix: "Validate path is within allowed directory before deletion.",
+    confidence: 65,
+    excludeInTests: true,
+    validate: (line) => !line.includes("temp") && !line.includes("tmp")
+  },
+  // ── Weak Crypto ──
+  {
+    name: "md5-usage",
+    ruleId: "SEC009",
+    regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/,
+    severity: "medium",
+    message: "MD5 hash \u2014 cryptographically broken",
+    fix: 'Use SHA-256 or better: crypto.createHash("sha256")',
+    confidence: 90,
+    excludeInTests: true,
+    cwe: "CWE-328"
+  },
+  {
+    name: "sha1-usage",
+    ruleId: "SEC009",
+    regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/,
+    severity: "medium",
+    message: "SHA-1 hash \u2014 deprecated for security use",
+    fix: 'Use SHA-256: crypto.createHash("sha256")',
+    confidence: 85,
+    excludeInTests: true,
+    cwe: "CWE-328"
+  },
+  // ── CORS Misconfiguration ──
+  {
+    name: "cors-wildcard",
+    ruleId: "SEC005",
+    regex: /(?:Access-Control-Allow-Origin|origin)\s*[:=]\s*['"`]\*['"`]/,
+    severity: "high",
+    message: "CORS wildcard allows any origin",
+    fix: "Restrict to specific allowed origins.",
+    confidence: 80,
+    excludeInTests: true
+  },
+  // ── NoSQL Injection ──
+  {
+    name: "nosql-injection",
+    ruleId: "SEC001",
+    regex: /\$(?:where|regex|gt|lt|ne|or|and)\s*[:=]\s*(?:req\.|params\.|query\.|body\.)/,
+    severity: "high",
+    message: "NoSQL injection \u2014 MongoDB operator from user input",
+    fix: "Sanitize input. Use mongoose-sanitize or explicit field selection.",
+    confidence: 82,
+    excludeInTests: true,
+    cwe: "CWE-943"
+  }
+];
+var securityEngine = {
+  name: "security",
+  description: "Detects injection, XSS, SSRF, prototype pollution, and security anti-patterns",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      const isTest = file.classification.category === "test";
+      const isCritical = file.classification.isCriticalPath;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+        for (const pattern of PATTERNS2) {
+          if (isTest && pattern.excludeInTests) continue;
+          const match = line.match(pattern.regex);
+          if (!match) continue;
+          if (pattern.validate && !pattern.validate(line, file.lines, i)) continue;
+          const rule = getRuleOrDefault(pattern.ruleId);
+          const severity = escalateSeverity(pattern.severity, isCritical);
+          findings.push({
+            id: `${pattern.ruleId}-${file.path}-${i + 1}`,
+            ruleId: pattern.ruleId,
+            engine: "security",
+            category: "security",
+            severity,
+            confidence: pattern.confidence >= 90 ? "certain" : pattern.confidence >= 70 ? "likely" : "possible",
+            confidenceScore: pattern.confidence,
+            file: file.path,
+            line: i + 1,
+            column: match.index,
+            code: trimmed,
+            message: pattern.message,
+            why: rule.why,
+            fix: pattern.fix,
+            autoFixable: false,
+            tags: rule.tags,
+            cwe: pattern.cwe,
+            verified: false,
+            _dedup: `${pattern.name}:${file.path}:${i + 1}`
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/fake-features.ts
+var PLACEHOLDER_PATTERNS = [
+  // Match 'placeholder' when used as value, not HTML attribute
+  /[=:]\s*['"]?placeholder['"]?(?:\s*[,;}\]]|$)/i,
+  // Match 'stub' in function/method context
+  /\bstub(?:bed|bing)?\s*(?:function|method|implementation|out)/i,
+  // Match 'dummy' in data contexts
+  /\bdummy[-_]?(?:data|value|user|id|token|response)\b/i,
+  // Match 'fake' in data contexts (not test files)
+  /\bfake[-_]?(?:data|response|user|api|endpoint)\b/i,
+  // Hardcoded credential placeholders
+  /\bhardcoded\s*(?:secret|password|key|token|credential)/i,
+  // TODO with action verbs
+  /\bTODO\b.*(?:implement|fix|complete|replace|remove)/i,
+  // Work in progress markers
+  /\bWIP\b(?:\s*[-:]\s|\s+)/i,
+  // TBD markers
+  /\bTBD\b(?:\s*[-:]\s|\s+)/i,
+  // Not yet implemented
+  /\bNYI\b/i,
+  /\bcoming\s+soon\b/i,
+  // CHANGEME / REPLACEME
+  /\bCHANGE[-_]?ME\b/i,
+  /\bREPLACE[-_]?ME\b/i
+];
+var FAKE_SUCCESS_PATTERNS = [
+  // Return true with nothing else in the function
+  /^\s*return\s+true\s*;?\s*$/i,
+  // Hardcoded success without checking
+  /return\s*{\s*success:\s*true\s*}/i,
+  // Always returning ok
+  /return\s*{\s*status:\s*["']ok["']\s*}/i,
+  // Mock/fake success comments
+  /\/\/\s*(?:fake|mock|stub)\s*success/i
+];
+var SILENT_FAILURE_PATTERNS = [
+  // Completely empty catch blocks
+  /catch\s*\(\s*(?:_|e|err|error)?\s*\)\s*{\s*}/,
+  // Catch that just returns undefined/null
+  /catch\s*\([^)]*\)\s*{\s*return(?:\s+(?:undefined|null))?\s*;?\s*}/,
+  // Catch with only a comment
+  /catch\s*\([^)]*\)\s*{\s*\/\/[^\n]*\s*}/,
+  // Catch with only console.log (no actual handling)
+  /catch\s*\([^)]*\)\s*{\s*console\.log\([^)]+\)\s*;?\s*}/
+];
+var AUTH_BYPASS_PATTERNS = [
+  // Hardcoded admin bypasses
+  /(?:if|&&|\|\|)\s*\(\s*(?:true|1)\s*\)\s*.*(?:admin|auth)/i,
+  // Skip/disable auth flags
+  /\b(?:skip|disable|bypass)Auth(?:entication)?\s*[=:]\s*true\b/i,
+  // Hardcoded isAdmin = true
+  /\b(?:const|let|var)\s+isAdmin\s*=\s*true\b/i,
+  // Auth bypass comments
+  /\/\/\s*(?:bypass|skip|disable)\s*auth/i,
+  // UI-only gating
+  /\/\/\s*(?:ui|client)[-\s]*only\s*(?:check|gating|validation)/i,
+  // Wildcard permissions
+  /permissions?\s*[=:]\s*\[\s*['"]?\*['"]?\s*\]/i,
+  // Always-true auth functions
+  /(?:isAuth|isAdmin|hasPermission|canAccess)\s*[=:]\s*\(\)\s*=>\s*true/i
+];
+var DANGEROUS_DEFAULT_PATTERNS = [
+  // Secret env vars with insecure defaults
+  /process\.env\.(?:\w*(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*)\s*\|\|\s*["'][^'"]{0,50}["']/i,
+  // Database URLs with placeholder passwords
+  /(?:DATABASE|DB|MONGO|POSTGRES|MYSQL|REDIS)_URL\s*[=:]\s*["'][^'"]*(?:password|changeme|replace)[^'"]*["']/i,
+  // Placeholder markers in credentials
+  /(?:api[_-]?key|secret|token|password)\s*[=:]\s*["'](?:CHANGEME|REPLACE_ME|YOUR_[A-Z_]+|xxx+|TODO)["']/i,
+  // Auth endpoints pointing to localhost
+  /(?:AUTH|BILLING|PAYMENT|WEBHOOK)_(?:URL|ENDPOINT)\s*[=:]\s*["']https?:\/\/localhost/i,
+  // Empty string defaults for required secrets
+  /(?:SECRET|API_KEY|TOKEN|PASSWORD)\s*[=:]\s*process\.env\.\w+\s*\|\|\s*["']\s*["']/i
+];
+var EMPTY_FUNCTION_PATTERNS = [
+  // async function with empty body
+  /async\s+(?:function\s+\w+|(?:const|let)\s+\w+\s*=\s*async)\s*\([^)]*\)\s*(?::\s*\w+[<>\[\]]*\s*)?\s*{\s*}/,
+  // function with only return undefined
+  /function\s+\w+\s*\([^)]*\)\s*{\s*return\s*;?\s*}/,
+  // arrow function with empty body
+  /=>\s*{\s*}\s*[;,)]/
+];
+function isCommentLine(line) {
+  return /^\s*(?:\/\/|\/\*|\*|#|<!--|"""|''')/.test(line);
+}
+function isDocContext(filePath, line) {
+  const lp = filePath.toLowerCase();
+  if (/\.(md|mdx|rst|txt)$/.test(lp)) return true;
+  if (lp.includes("/docs/") || lp.includes("/documentation/")) return true;
+  if (lp.includes("/examples/") || lp.includes("/example/")) return true;
+  if (/^\s*\*\s*@(?:example|see|param|returns)/.test(line)) return true;
+  return false;
+}
+function isInErrorContext(lines, lineIndex) {
+  const before = lines.slice(Math.max(0, lineIndex - 5), lineIndex).join("\n");
+  return /catch|onError|fallback|error|exception/i.test(before);
+}
+function validatePlaceholder(line, filePath) {
+  const ll = line.toLowerCase();
+  if (/placeholder\s*[=:]/.test(ll) && !ll.includes("=")) return false;
+  if (ll.includes("type ") || ll.includes("interface ")) return false;
+  return true;
+}
+function validateFakeSuccess(line, filePath) {
+  const ll = line.toLowerCase();
+  if (ll.includes("expect(") || ll.includes("assert")) return false;
+  if (filePath.includes(".test.") || filePath.includes(".spec.")) return false;
+  return true;
+}
+var fakeFeaturesEngine = {
+  name: "fake-features",
+  description: "Detects stubs, fake success, silent failures, auth bypasses, placeholders",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      if (file.classification.category === "test" && !options.includeTests) continue;
+      if (file.classification.category === "documentation") continue;
+      const isCritical = file.classification.isCriticalPath;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (!isCommentLine(trimmed) || /\b(?:TODO|FIXME|WIP|TBD)\b/i.test(trimmed)) {
+          if (!isDocContext(file.path, trimmed)) {
+            for (const pattern of PLACEHOLDER_PATTERNS) {
+              if (pattern.test(line) && validatePlaceholder(line, file.path)) {
+                findings.push(makeFinding("FAKE004", file, i, trimmed, "placeholder", "medium", 65, isCritical));
+                break;
+              }
+            }
+          }
+        }
+        if (isCommentLine(trimmed)) continue;
+        const inErrorCtx = isInErrorContext(file.lines, i);
+        for (const pattern of FAKE_SUCCESS_PATTERNS) {
+          if (pattern.test(line) && validateFakeSuccess(line, file.path)) {
+            const sev = inErrorCtx ? "high" : "medium";
+            findings.push(makeFinding("FAKE002", file, i, trimmed, "fake-success", sev, inErrorCtx ? 80 : 65, isCritical));
+            break;
+          }
+        }
+        for (const pattern of SILENT_FAILURE_PATTERNS) {
+          if (pattern.test(line)) {
+            if (line.toLowerCase().includes("finally")) continue;
+            findings.push(makeFinding("FAKE003", file, i, trimmed, "silent-failure", "high", 85, isCritical));
+            break;
+          }
+        }
+        for (const pattern of AUTH_BYPASS_PATTERNS) {
+          if (pattern.test(line)) {
+            if (file.path.includes(".config.") || file.path.includes(".env")) continue;
+            findings.push(makeFinding("FAKE005", file, i, trimmed, "auth-bypass", "critical", 88, isCritical));
+            break;
+          }
+        }
+        for (const pattern of DANGEROUS_DEFAULT_PATTERNS) {
+          if (pattern.test(line)) {
+            if (file.path.includes(".example") || file.path.includes(".template")) continue;
+            if (file.path.includes(".env.sample")) continue;
+            findings.push(makeFinding("FAKE006", file, i, trimmed, "dangerous-default", "high", 82, isCritical));
+            break;
+          }
+        }
+        for (const pattern of EMPTY_FUNCTION_PATTERNS) {
+          if (pattern.test(line)) {
+            if (/noop|passthrough|abstract|interface|override/i.test(line)) continue;
+            findings.push(makeFinding("FAKE001", file, i, trimmed, "empty-function", "high", 75, isCritical));
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+function makeFinding(ruleId, file, lineIndex, code, tag, severity, confidence, isCritical) {
+  const rule = getRuleOrDefault(ruleId);
+  const finalSeverity = escalateSeverity(severity, isCritical);
+  return {
+    id: `${ruleId}-${file.path}-${lineIndex + 1}`,
+    ruleId,
+    engine: "fake-features",
+    category: "fake-features",
+    severity: finalSeverity,
+    confidence: confidence >= 85 ? "certain" : confidence >= 65 ? "likely" : "possible",
+    confidenceScore: confidence,
+    file: file.path,
+    line: lineIndex + 1,
+    code,
+    message: rule.description,
+    why: rule.why,
+    fix: rule.fix,
+    autoFixable: rule.autoFixable,
+    tags: [...rule.tags, tag],
+    verified: false,
+    _dedup: `${ruleId}:${file.path}:${lineIndex + 1}`
+  };
+}
+
+// src/scanner/engines/hallucinations.ts
+var PATTERNS3 = [
+  // ── Fake npm packages (known hallucinated package names) ──
+  {
+    name: "fake-npm-react-auth",
+    ruleId: "HAL001",
+    regex: /from\s+['"](?:react-auth-provider|react-secure-auth|next-auth-helpers|react-auth-kit-v2)['"]|require\s*\(\s*['"](?:react-auth-provider|react-secure-auth|next-auth-helpers)['"]/,
+    severity: "critical",
+    message: "Import from frequently hallucinated npm package",
+    fix: "Verify package exists on npmjs.com. AI often invents auth/utility packages.",
+    confidence: 88,
+    excludeInTests: false
+  },
+  {
+    name: "fake-npm-util",
+    ruleId: "HAL001",
+    regex: /from\s+['"](?:string-utils-pro|array-helpers-ts|object-deep-merge|config-loader-pro|api-response-handler)['"]|require\s*\(\s*['"](?:string-utils-pro|array-helpers-ts|object-deep-merge)['"]/,
+    severity: "critical",
+    message: "Import from frequently hallucinated npm package",
+    fix: "Check npmjs.com. These utility package names are commonly invented by AI.",
+    confidence: 85,
+    excludeInTests: false
+  },
+  // ── Placeholder URLs ──
+  {
+    name: "placeholder-url",
+    ruleId: "HAL003",
+    regex: /['"`]https?:\/\/(?:api\.)?example\.com[^'"`]*['"`]/i,
+    severity: "high",
+    message: "Placeholder URL (example.com) in source code",
+    fix: "Replace with actual API endpoint from environment variable.",
+    confidence: 92,
+    excludeInTests: true
+  },
+  {
+    name: "placeholder-url-yoursite",
+    ruleId: "HAL003",
+    regex: /['"`]https?:\/\/(?:your-?(?:site|app|domain|api)|my-?(?:api|app|site))\.[a-z]+[^'"`]*['"`]/i,
+    severity: "high",
+    message: "Placeholder URL (your-site/my-api) \u2014 AI-generated placeholder",
+    fix: "Replace with actual URL from environment variable.",
+    confidence: 95,
+    excludeInTests: true
+  },
+  {
+    name: "placeholder-url-todo",
+    ruleId: "HAL003",
+    regex: /['"`]https?:\/\/(?:todo|fixme|placeholder|changeme)\.[a-z]+[^'"`]*['"`]/i,
+    severity: "high",
+    message: "Placeholder URL with marker keyword",
+    fix: "Replace with actual URL.",
+    confidence: 98,
+    excludeInTests: true
+  },
+  {
+    name: "localhost-in-prod",
+    ruleId: "HAL003",
+    regex: /(?:API_URL|BASE_URL|BACKEND_URL|SERVER_URL)\s*[=:]\s*['"`]https?:\/\/localhost/i,
+    severity: "high",
+    message: "Localhost URL in production configuration",
+    fix: "Use environment variable: process.env.API_URL",
+    confidence: 80,
+    excludeInTests: true,
+    validate: (line, file) => !file.path.includes(".env") && !file.path.includes(".local")
+  },
+  // ── Invented API methods ──
+  {
+    name: "prisma-hallucinated",
+    ruleId: "HAL002",
+    regex: /prisma\.\w+\.(?:getAll|fetchAll|search|getOne|fetchOne|removeAll|updateAll|createOrUpdate|findFirst|getById)\s*\(/,
+    severity: "high",
+    message: "Possible hallucinated Prisma method \u2014 verify against Prisma docs",
+    fix: "Prisma uses findMany, findUnique, create, update, delete, upsert. Check docs.",
+    confidence: 65,
+    excludeInTests: true,
+    validate: (line) => {
+      if (line.includes("findFirst")) return false;
+      return true;
+    }
+  },
+  {
+    name: "express-hallucinated",
+    ruleId: "HAL002",
+    regex: /(?:app|router)\.(?:handle|serve|mount|listen)\s*\(\s*['"]\/\w/,
+    severity: "medium",
+    message: "Possible hallucinated Express method \u2014 verify against Express docs",
+    fix: "Express uses .get(), .post(), .put(), .delete(), .use(), .all(). Check docs.",
+    confidence: 60,
+    excludeInTests: true
+  },
+  // ── Invented config options ──
+  {
+    name: "next-config-hallucinated",
+    ruleId: "HAL004",
+    regex: /(?:next\.config|nextConfig)\s*(?:=|\.)\s*\{[^}]*(?:enableSSR|enableCSR|autoOptimize|smartBundling|lazyHydration|autoCache)/,
+    severity: "medium",
+    message: "Possible hallucinated Next.js config option",
+    fix: "Check next.config.js docs for valid options.",
+    confidence: 70,
+    excludeInTests: true
+  },
+  // ── Fake test data in production ──
+  {
+    name: "test-email-prod",
+    ruleId: "HAL003",
+    regex: /['"`](?:test|user|admin|john|jane|foo|bar)@(?:test|example|fake|dummy|placeholder)\.\w+['"`]/i,
+    severity: "medium",
+    message: "Test/fake email address in production code",
+    fix: "Replace with actual user data or remove.",
+    confidence: 78,
+    excludeInTests: true
+  },
+  {
+    name: "test-phone-prod",
+    ruleId: "HAL003",
+    regex: /['"`]\+?1?[-.\s]?\(?(?:555|000|123)\)?[-.\s]?\d{3}[-.\s]?\d{4}['"`]/,
+    severity: "medium",
+    message: "Fake phone number (555/000/123 prefix) in production code",
+    fix: "Replace with actual data or remove.",
+    confidence: 82,
+    excludeInTests: true
+  },
+  // ── Lorem ipsum ──
+  {
+    name: "lorem-ipsum",
+    ruleId: "HAL003",
+    regex: /lorem\s+ipsum/i,
+    severity: "medium",
+    message: "Lorem ipsum placeholder text in production code",
+    fix: "Replace with actual content.",
+    confidence: 95,
+    excludeInTests: true
+  }
+];
+var hallucinationsEngine = {
+  name: "hallucinations",
+  description: "Detects AI-hallucinated code: fake packages, invented methods, placeholder URLs",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      const isTest = file.classification.category === "test";
+      const isCritical = file.classification.isCriticalPath;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
+        for (const pattern of PATTERNS3) {
+          if (isTest && pattern.excludeInTests) continue;
+          const match = line.match(pattern.regex);
+          if (!match) continue;
+          if (pattern.validate && !pattern.validate(line, file)) continue;
+          const rule = getRuleOrDefault(pattern.ruleId);
+          const severity = escalateSeverity(pattern.severity, isCritical);
+          findings.push({
+            id: `${pattern.ruleId}-${file.path}-${i + 1}`,
+            ruleId: pattern.ruleId,
+            engine: "hallucinations",
+            category: "hallucinations",
+            severity,
+            confidence: pattern.confidence >= 85 ? "certain" : pattern.confidence >= 65 ? "likely" : "possible",
+            confidenceScore: pattern.confidence,
+            file: file.path,
+            line: i + 1,
+            column: match.index,
+            code: trimmed,
+            message: pattern.message,
+            why: rule.why,
+            fix: pattern.fix,
+            autoFixable: false,
+            tags: [...rule.tags],
+            verified: false,
+            _dedup: `${pattern.name}:${file.path}:${i + 1}`
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/dead-ui.ts
+var LEGIT_HASH_LINK = [/aria-controls=/i, /role=["']tab["']/i, /role=["']button["']/i, /data-toggle=/i, /data-bs-toggle=/i, /onClick\s*=\s*\{[^}]+\}/, /tabIndex=/i];
+var LEGIT_NOOP = [/disabled/i, /aria-disabled/i, /loading/i, /pending/i, /isLoading/i, /stopPropagation/i, /preventDefault/i];
+var LEGIT_COMING_SOON = [/changelog/i, /readme/i, /roadmap/i, /\/\//, /\/\*/, /translation/i, /i18n/i, /t\(['"`]/i];
+var LEGIT_DISABLED = [/aria-disabled/i, /isDisabled/i, /isLoading/i, /disabled=\{/i, /&&\s*disabled/i, /\?\s*disabled/i];
+var LEGIT_FETCH = [/useQuery/i, /useMutation/i, /useSWR/i, /createApi/i, /trpc/i, /\.server\./i, /route\.ts$/i, /api\/.*\.ts$/i];
+function hasContext(line, patterns) {
+  return patterns.some((p) => p.test(line));
+}
+var deadUIEngine = {
+  name: "dead-ui",
+  description: "Detects dead links, noop handlers, coming soon UI, disabled without reason",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      if (!isUIFile(file.path)) continue;
+      if (file.classification.category === "test" && !options.includeTests) continue;
+      if (file.classification.category === "documentation") continue;
+      const isApiFile = /\/api\/|\/routes\/|\.server\./.test(file.path.toLowerCase());
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (/href=["']#["']|href=["']javascript:void\(0\)["']/g.test(line)) {
+          if (!hasContext(line, LEGIT_HASH_LINK)) {
+            findings.push(make("UI001", file, i, trimmed, "high", 88));
+          }
+        }
+        if (/onClick\s*=\s*\{\s*\(\)\s*=>\s*\{\s*\}\s*\}/.test(line)) {
+          if (!hasContext(line, LEGIT_NOOP)) {
+            findings.push(make("UI002", file, i, trimmed, "high", 90));
+          }
+        }
+        if (/coming\s+soon|under\s+construction|not\s+available|work\s+in\s+progress/gi.test(line)) {
+          if (!hasContext(line, LEGIT_COMING_SOON) && !trimmed.startsWith("//") && !trimmed.startsWith("*")) {
+            findings.push(make("UI003", file, i, trimmed, "medium", 72));
+          }
+        }
+        if (line.includes("disabled") && !/tooltip|aria-label|aria-describedby|title|reason/i.test(line)) {
+          if (!hasContext(line, LEGIT_DISABLED) && !/disabled=\{[^}]*\}/.test(line)) {
+            findings.push(make("UI004", file, i, trimmed, "medium", 68));
+          }
+        }
+        if (!isApiFile && /fetch\s*\(\s*["'`]\/api\//.test(line)) {
+          if (!hasContext(line, LEGIT_FETCH)) {
+            findings.push(make("UI005", file, i, trimmed, "low", 60));
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+function make(ruleId, file, lineIdx, code, severity, confidence) {
+  const rule = getRuleOrDefault(ruleId);
+  return {
+    id: `${ruleId}-${file.path}-${lineIdx + 1}`,
+    ruleId,
+    engine: "dead-ui",
+    category: "dead-ui",
+    severity,
+    confidence: confidence >= 85 ? "certain" : confidence >= 65 ? "likely" : "possible",
+    confidenceScore: confidence,
+    file: file.path,
+    line: lineIdx + 1,
+    code,
+    message: rule.description,
+    why: rule.why,
+    fix: rule.fix,
+    autoFixable: false,
+    tags: rule.tags,
+    verified: false,
+    _dedup: `${ruleId}:${file.path}:${lineIdx + 1}`
+  };
+}
+
+// src/scanner/engines/code-quality.ts
+var PATTERNS4 = [
+  // ── Debug Code ──
+  {
+    name: "console-log",
+    ruleId: "QLT001",
+    regex: /\bconsole\.log\s*\(/,
+    severity: "medium",
+    message: "console.log() in production code",
+    fix: "Remove or replace with proper logger (winston, pino)",
+    confidence: 92,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  {
+    name: "console-debug",
+    ruleId: "QLT001",
+    regex: /\bconsole\.debug\s*\(/,
+    severity: "medium",
+    message: "console.debug() in production code",
+    fix: "Remove or replace with proper logger",
+    confidence: 92,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  {
+    name: "console-trace",
+    ruleId: "QLT001",
+    regex: /\bconsole\.trace\s*\(/,
+    severity: "medium",
+    message: "console.trace() in production code",
+    fix: "Remove or use proper debugging tools",
+    confidence: 92,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  {
+    name: "debugger",
+    ruleId: "QLT002",
+    regex: /\bdebugger\b\s*;?/,
+    severity: "high",
+    message: "debugger statement left in code",
+    fix: "Remove the debugger statement",
+    confidence: 98,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  {
+    name: "alert-call",
+    ruleId: "QLT001",
+    regex: /\balert\s*\(\s*['"`]/,
+    severity: "medium",
+    message: "alert() call in production code",
+    fix: "Use a proper notification/toast component",
+    confidence: 85,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  // ── Type Safety ──
+  {
+    name: "as-any",
+    ruleId: "QLT005",
+    regex: /\bas\s+any\b/,
+    severity: "medium",
+    message: '"as any" bypasses TypeScript safety',
+    fix: "Fix the type properly. Use type guards or generics.",
+    confidence: 88,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  {
+    name: "ts-ignore",
+    ruleId: "QLT005",
+    regex: /@ts-ignore(?!\s*\()/,
+    severity: "medium",
+    message: "@ts-ignore suppresses type errors without explanation",
+    fix: "Use @ts-expect-error with explanation, or fix the type.",
+    confidence: 90,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  {
+    name: "any-type-annotation",
+    ruleId: "QLT005",
+    regex: /:\s*any\b(?!\s*\[\])/,
+    severity: "low",
+    message: 'Explicit "any" type annotation',
+    fix: "Use a proper type. Use unknown for truly dynamic values.",
+    confidence: 75,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  // ── Mock Data in Production ──
+  {
+    name: "mock-data-array",
+    ruleId: "QLT003",
+    regex: /(?:const|let|var)\s+(?:mock|fake|dummy|sample|test)(?:Data|Users?|Items?|Products?|Orders?)\s*[=:]/i,
+    severity: "high",
+    message: "Mock/fake data variable in production code",
+    fix: "Connect to actual data source. Move mock data to test files.",
+    confidence: 80,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  {
+    name: "hardcoded-user",
+    ruleId: "QLT003",
+    regex: /(?:name|email|username)\s*:\s*['"`](?:John\s*Doe|Jane\s*Doe|Test\s*User|Admin\s*User|user@example\.com)['"`]/i,
+    severity: "high",
+    message: "Hardcoded fake user data in production code",
+    fix: "Replace with actual user data from database/auth.",
+    confidence: 85,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  {
+    name: "hardcoded-price",
+    ruleId: "QLT003",
+    regex: /(?:price|amount|cost)\s*:\s*(?:9\.99|19\.99|29\.99|49\.99|99\.99|0\.00)\b/i,
+    severity: "medium",
+    message: "Hardcoded price/amount \u2014 likely mock data",
+    fix: "Fetch pricing from database/config.",
+    confidence: 72,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  // ── Error Handling Smells ──
+  {
+    name: "throw-string",
+    ruleId: "QLT001",
+    regex: /throw\s+['"`][^'"`]+['"`]/,
+    severity: "medium",
+    message: "Throwing a string instead of an Error object",
+    fix: 'Throw an Error: throw new Error("message")',
+    confidence: 92,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  {
+    name: "promise-no-catch",
+    ruleId: "QLT001",
+    regex: /\.then\s*\([^)]*\)\s*(?:$|;|\n)(?!.*\.catch)/,
+    severity: "medium",
+    message: "Promise chain without .catch() \u2014 unhandled rejection risk",
+    fix: "Add .catch() handler or use async/await with try/catch.",
+    confidence: 68,
+    excludeInTests: true,
+    autoFixable: false
+  },
+  // ── Dead Code Indicators ──
+  {
+    name: "unreachable-code",
+    ruleId: "QLT004",
+    regex: /^\s*(?:const|let|var|function|class|return|throw)\b.*$/,
+    severity: "low",
+    message: "Potentially unreachable code after return/throw",
+    fix: "Remove dead code.",
+    confidence: 45,
+    excludeInTests: true,
+    autoFixable: true
+  },
+  // ── Performance ──
+  {
+    name: "sync-fs-in-handler",
+    ruleId: "QLT001",
+    regex: /(?:readFileSync|writeFileSync|existsSync|readdirSync|statSync)\s*\(/,
+    severity: "medium",
+    message: "Synchronous file operation \u2014 blocks event loop",
+    fix: "Use async version: fs.promises.readFile() or fs.readFile()",
+    confidence: 70,
+    excludeInTests: true,
+    autoFixable: false
+  }
+];
+var codeQualityEngine = {
+  name: "code-quality",
+  description: "Detects debug code, type safety issues, mock data, and quality anti-patterns",
+  async scan(files, options) {
+    const findings = [];
+    for (const [, file] of files) {
+      const isTest = file.classification.category === "test";
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+        for (const pattern of PATTERNS4) {
+          if (isTest && pattern.excludeInTests) continue;
+          const match = line.match(pattern.regex);
+          if (!match) continue;
+          if (pattern.name === "unreachable-code") {
+            if (i === 0 || !/\b(?:return|throw)\b/.test(file.lines[i - 1])) continue;
+          }
+          const rule = getRuleOrDefault(pattern.ruleId);
+          findings.push({
+            id: `${pattern.ruleId}-${file.path}-${i + 1}`,
+            ruleId: pattern.ruleId,
+            engine: "code-quality",
+            category: "code-quality",
+            severity: pattern.severity,
+            confidence: pattern.confidence >= 85 ? "certain" : pattern.confidence >= 65 ? "likely" : "possible",
+            confidenceScore: pattern.confidence,
+            file: file.path,
+            line: i + 1,
+            column: match.index,
+            code: trimmed,
+            message: pattern.message,
+            why: rule.why,
+            fix: pattern.fix,
+            autoFixable: pattern.autoFixable,
+            tags: rule.tags,
+            verified: false,
+            _dedup: `${pattern.name}:${file.path}:${i + 1}`
+          });
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/import-graph.ts
+var import_fs = require("fs");
+var import_path2 = require("path");
+function extractImports(file) {
+  const edges = [];
+  const importRegex = /(?:import\s+(?:[\s\S]*?)\s+from\s+['"]([^'"]+)['"]|import\s*\(\s*['"]([^'"]+)['"]\s*\)|require\s*\(\s*['"]([^'"]+)['"]\s*\))/g;
+  for (let i = 0; i < file.lines.length; i++) {
+    const line = file.lines[i];
+    let match;
+    importRegex.lastIndex = 0;
+    const lineRegex = /(?:import\s+(?:[\s\S]*?)\s+from\s+['"]([^'"]+)['"]|import\s*\(\s*['"]([^'"]+)['"]\s*\)|require\s*\(\s*['"]([^'"]+)['"]\s*\))/g;
+    while ((match = lineRegex.exec(line)) !== null) {
+      const specifier = match[1] || match[2] || match[3];
+      if (specifier) {
+        edges.push({
+          from: file.path,
+          to: specifier,
+          specifier,
+          line: i + 1
+        });
+      }
+    }
+  }
+  return edges;
+}
+function resolveImport(from, specifier, fileMap) {
+  if (!specifier.startsWith(".") && !specifier.startsWith("/")) return null;
+  const fromDir = (0, import_path2.dirname)(from);
+  const resolved = (0, import_path2.join)(fromDir, specifier).replace(/\\/g, "/");
+  const extensions = ["", ".ts", ".tsx", ".js", ".jsx", "/index.ts", "/index.tsx", "/index.js"];
+  for (const ext of extensions) {
+    const candidate = resolved + ext;
+    const normalized = candidate.replace(/\\/g, "/");
+    if (fileMap.has(normalized)) return normalized;
+    const winNormalized = candidate.replace(/\//g, "\\");
+    if (fileMap.has(winNormalized)) return winNormalized;
+  }
+  for (const ext of extensions) {
+    const candidate = (resolved.startsWith("./") ? resolved.slice(2) : resolved) + ext;
+    if (fileMap.has(candidate)) return candidate;
+  }
+  return null;
+}
+function findCircularDeps(adjacency) {
+  const cycles = [];
+  const visited = /* @__PURE__ */ new Set();
+  const inStack = /* @__PURE__ */ new Set();
+  const path = [];
+  function dfs(node) {
+    if (inStack.has(node)) {
+      const cycleStart = path.indexOf(node);
+      if (cycleStart >= 0) {
+        cycles.push(path.slice(cycleStart).concat(node));
+      }
+      return;
+    }
+    if (visited.has(node)) return;
+    visited.add(node);
+    inStack.add(node);
+    path.push(node);
+    for (const neighbor of adjacency.get(node) ?? []) {
+      dfs(neighbor);
+    }
+    path.pop();
+    inStack.delete(node);
+  }
+  for (const node of adjacency.keys()) {
+    dfs(node);
+  }
+  return cycles;
+}
+function extractFetchRoutes(file) {
+  const routes = [];
+  const fetchRegex = /(?:fetch|axios\.(?:get|post|put|patch|delete)|\.get|\.post|\.put|\.patch|\.delete)\s*\(\s*[`'"](\/api\/[^`'"]*)[`'"]/g;
+  for (let i = 0; i < file.lines.length; i++) {
+    let match;
+    fetchRegex.lastIndex = 0;
+    while ((match = fetchRegex.exec(file.lines[i])) !== null) {
+      routes.push({ route: match[1], line: i + 1 });
+    }
+  }
+  return routes;
+}
+function extractRouteHandlers(file) {
+  const handlers = [];
+  const handlerRegex = /(?:app|router|server)\s*\.\s*(?:get|post|put|patch|delete|all)\s*\(\s*[`'"](\/api\/[^`'"]*)[`'"]/g;
+  for (const line of file.lines) {
+    let match;
+    handlerRegex.lastIndex = 0;
+    while ((match = handlerRegex.exec(line)) !== null) {
+      handlers.push(match[1]);
+    }
+  }
+  const normalized = file.path.replace(/\\/g, "/");
+  if (normalized.includes("/api/") || normalized.includes("/routes/")) {
+    const apiMatch = normalized.match(/(?:pages|app)(\/api\/[^.]+)/);
+    if (apiMatch) {
+      handlers.push(apiMatch[1].replace(/\/route$/, "").replace(/\/index$/, ""));
+    }
+  }
+  return handlers;
+}
+function extractEnvRefs(file) {
+  const refs = [];
+  const envRegex = /process\.env\.([A-Z_][A-Z0-9_]*)/g;
+  for (let i = 0; i < file.lines.length; i++) {
+    const line = file.lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("*")) continue;
+    let match;
+    envRegex.lastIndex = 0;
+    while ((match = envRegex.exec(line)) !== null) {
+      refs.push({ name: match[1], line: i + 1 });
+    }
+  }
+  return refs;
+}
+function loadEnvVars(projectRoot) {
+  const vars = /* @__PURE__ */ new Set();
+  const envFiles = [".env", ".env.local", ".env.development", ".env.production", ".env.example"];
+  for (const envFile of envFiles) {
+    const envPath = (0, import_path2.join)(projectRoot, envFile);
+    try {
+      if ((0, import_fs.existsSync)(envPath)) {
+        const content = (0, import_fs.readFileSync)(envPath, "utf-8");
+        for (const line of content.split("\n")) {
+          const match = line.match(/^\s*([A-Z_][A-Z0-9_]*)\s*=/);
+          if (match) vars.add(match[1]);
+        }
+      }
+    } catch {
+    }
+  }
+  const builtins = [
+    "NODE_ENV",
+    "PORT",
+    "HOME",
+    "PATH",
+    "PWD",
+    "USER",
+    "SHELL",
+    "TERM",
+    "LANG",
+    "CI",
+    "GITHUB_ACTIONS",
+    "VERCEL",
+    "NETLIFY",
+    "HEROKU",
+    "npm_package_version"
+  ];
+  for (const b of builtins) vars.add(b);
+  return vars;
+}
+function isBarrelFile(file) {
+  if (!file.path.endsWith("index.ts") && !file.path.endsWith("index.js")) {
+    return { isBarrel: false, reExportCount: 0 };
+  }
+  let reExportCount = 0;
+  for (const line of file.lines) {
+    if (/^export\s+\*\s+from\s+/.test(line.trim()) || /^export\s+\{[^}]+\}\s+from\s+/.test(line.trim())) {
+      reExportCount++;
+    }
+  }
+  return { isBarrel: reExportCount >= 5, reExportCount };
+}
+var importGraphEngine = {
+  name: "import-graph",
+  description: "Cross-file import graph analysis: circular deps, orphans, ghost routes, ghost env vars",
+  async scan(files, options) {
+    const findings = [];
+    const adjacency = /* @__PURE__ */ new Map();
+    const allImported = /* @__PURE__ */ new Set();
+    const allEdges = [];
+    for (const [path, file] of files) {
+      const edges = extractImports(file);
+      const resolved = [];
+      for (const edge of edges) {
+        const target = resolveImport(path, edge.specifier, files);
+        if (target) {
+          resolved.push(target);
+          allImported.add(target);
+          allEdges.push({ ...edge, to: target });
+        }
+      }
+      adjacency.set(path, resolved);
+    }
+    const cycles = findCircularDeps(adjacency);
+    const reportedCycles = /* @__PURE__ */ new Set();
+    for (const cycle of cycles) {
+      const cycleKey = [...cycle].sort().join("\u2192");
+      if (reportedCycles.has(cycleKey)) continue;
+      reportedCycles.add(cycleKey);
+      const file = files.get(cycle[0]);
+      if (!file) continue;
+      const rule = getRuleOrDefault("IG001");
+      const cyclePath = cycle.map((p) => p.split("/").pop()).join(" \u2192 ");
+      findings.push({
+        id: `IG001-${cycle[0]}-cycle`,
+        ruleId: "IG001",
+        engine: "import-graph",
+        category: "import-graph",
+        severity: "high",
+        confidence: "certain",
+        confidenceScore: 95,
+        file: cycle[0],
+        line: 1,
+        code: `Circular: ${cyclePath}`,
+        message: `Circular dependency chain: ${cyclePath}`,
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: false,
+        tags: rule.tags,
+        verified: false,
+        _dedup: `IG001:${cycleKey}`
+      });
+    }
+    const entryPatterns = /(?:index|main|app|server|cli|entry)\.[tj]sx?$/;
+    for (const [path, file] of files) {
+      if (entryPatterns.test(path)) continue;
+      if (file.classification.category === "test") continue;
+      if (file.classification.category === "config") continue;
+      if (path.includes(".config.")) continue;
+      if (path.includes(".d.ts")) continue;
+      if (!allImported.has(path)) {
+        const rule = getRuleOrDefault("IG002");
+        findings.push({
+          id: `IG002-${path}`,
+          ruleId: "IG002",
+          engine: "import-graph",
+          category: "import-graph",
+          severity: "medium",
+          confidence: "likely",
+          confidenceScore: 75,
+          file: path,
+          line: 1,
+          code: path,
+          message: `Orphan module: ${path.split(/[/\\]/).pop()} is never imported`,
+          why: rule.why,
+          fix: rule.fix,
+          autoFixable: false,
+          tags: rule.tags,
+          verified: false,
+          _dedup: `IG002:${path}`
+        });
+      }
+    }
+    const allFetchedRoutes = [];
+    const allHandlerRoutes = /* @__PURE__ */ new Set();
+    for (const [, file] of files) {
+      const fetched = extractFetchRoutes(file);
+      for (const f of fetched) {
+        allFetchedRoutes.push({ ...f, file: file.path });
+      }
+      const handlers = extractRouteHandlers(file);
+      for (const h of handlers) {
+        allHandlerRoutes.add(h);
+      }
+    }
+    for (const fetchedRoute of allFetchedRoutes) {
+      const normalized = fetchedRoute.route.replace(/\/$/g, "").replace(/\/:[^/]+/g, "/[param]");
+      const hasHandler = [...allHandlerRoutes].some((handler) => {
+        const normHandler = handler.replace(/\/$/g, "").replace(/\/:[^/]+/g, "/[param]");
+        return normHandler === normalized || normalized.startsWith(normHandler);
+      });
+      if (!hasHandler && allHandlerRoutes.size > 0) {
+        const rule = getRuleOrDefault("IG003");
+        findings.push({
+          id: `IG003-${fetchedRoute.file}-${fetchedRoute.line}`,
+          ruleId: "IG003",
+          engine: "import-graph",
+          category: "import-graph",
+          severity: "high",
+          confidence: "likely",
+          confidenceScore: 80,
+          file: fetchedRoute.file,
+          line: fetchedRoute.line,
+          code: `fetch("${fetchedRoute.route}")`,
+          message: `Ghost route: ${fetchedRoute.route} has no matching backend handler`,
+          why: rule.why,
+          fix: rule.fix,
+          autoFixable: false,
+          tags: rule.tags,
+          verified: false,
+          _dedup: `IG003:${fetchedRoute.file}:${fetchedRoute.route}`
+        });
+      }
+    }
+    const declaredEnvVars = loadEnvVars(options.projectRoot);
+    const allEnvRefs = [];
+    for (const [, file] of files) {
+      const refs = extractEnvRefs(file);
+      for (const ref of refs) {
+        allEnvRefs.push({ ...ref, file: file.path });
+      }
+    }
+    const reportedEnvVars = /* @__PURE__ */ new Set();
+    for (const ref of allEnvRefs) {
+      if (declaredEnvVars.has(ref.name)) continue;
+      if (reportedEnvVars.has(ref.name)) continue;
+      reportedEnvVars.add(ref.name);
+      const rule = getRuleOrDefault("IG004");
+      findings.push({
+        id: `IG004-${ref.file}-${ref.line}`,
+        ruleId: "IG004",
+        engine: "import-graph",
+        category: "import-graph",
+        severity: "high",
+        confidence: "likely",
+        confidenceScore: 82,
+        file: ref.file,
+        line: ref.line,
+        code: `process.env.${ref.name}`,
+        message: `Ghost env variable: ${ref.name} not found in any .env file`,
+        why: rule.why,
+        fix: rule.fix,
+        autoFixable: true,
+        tags: rule.tags,
+        verified: false,
+        _dedup: `IG004:${ref.name}`
+      });
+    }
+    for (const [path, file] of files) {
+      const { isBarrel, reExportCount } = isBarrelFile(file);
+      if (isBarrel) {
+        const rule = getRuleOrDefault("IG005");
+        findings.push({
+          id: `IG005-${path}`,
+          ruleId: "IG005",
+          engine: "import-graph",
+          category: "import-graph",
+          severity: "low",
+          confidence: "likely",
+          confidenceScore: 78,
+          file: path,
+          line: 1,
+          code: `${reExportCount} re-exports from index file`,
+          message: `Barrel file with ${reExportCount} re-exports may defeat tree-shaking`,
+          why: rule.why,
+          fix: rule.fix,
+          autoFixable: false,
+          tags: rule.tags,
+          verified: false,
+          _dedup: `IG005:${path}`
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/runtime-verify.ts
+function extractExports(file) {
+  const exports2 = [];
+  const exportRegex = /export\s+(?:async\s+)?(?:function|const|let|var|class|enum|type|interface)\s+([A-Za-z_$][A-Za-z0-9_$]*)/;
+  for (let i = 0; i < file.lines.length; i++) {
+    const line = file.lines[i];
+    const match = line.match(exportRegex);
+    if (match) {
+      exports2.push({ name: match[1], line: i + 1 });
+    }
+    const namedExport = line.match(/export\s+\{([^}]+)\}/);
+    if (namedExport) {
+      const names = namedExport[1].split(",").map((n) => n.trim().split(/\s+as\s+/)[0].trim());
+      for (const name of names) {
+        if (name && /^[A-Za-z_$]/.test(name)) {
+          exports2.push({ name, line: i + 1 });
+        }
+      }
+    }
+  }
+  return exports2;
+}
+function extractImportedSymbols(file) {
+  const symbols = /* @__PURE__ */ new Set();
+  const importRegex = /import\s+\{([^}]+)\}\s+from/g;
+  const defaultImportRegex = /import\s+([A-Za-z_$][A-Za-z0-9_$]*)\s+from/g;
+  for (const line of file.lines) {
+    let match;
+    importRegex.lastIndex = 0;
+    while ((match = importRegex.exec(line)) !== null) {
+      const names = match[1].split(",").map((n) => {
+        const parts = n.trim().split(/\s+as\s+/);
+        return parts[0].trim();
+      });
+      for (const name of names) {
+        if (name) symbols.add(name);
+      }
+    }
+    defaultImportRegex.lastIndex = 0;
+    while ((match = defaultImportRegex.exec(line)) !== null) {
+      symbols.add(match[1]);
+    }
+  }
+  return symbols;
+}
+function findAsyncFunctions(file) {
+  const functions = [];
+  const asyncDeclRegex = /(?:export\s+)?async\s+function\s+([A-Za-z_$][A-Za-z0-9_$]*)/;
+  const asyncArrowRegex = /(?:export\s+)?(?:const|let|var)\s+([A-Za-z_$][A-Za-z0-9_$]*)\s*=\s*async/;
+  for (let i = 0; i < file.lines.length; i++) {
+    const line = file.lines[i];
+    const declMatch = line.match(asyncDeclRegex);
+    const arrowMatch = line.match(asyncArrowRegex);
+    const match = declMatch || arrowMatch;
+    if (match) {
+      const name = match[1];
+      const startLine = i + 1;
+      let braceCount = 0;
+      let hasAwait = false;
+      let endLine = startLine;
+      let started = false;
+      for (let j = i; j < file.lines.length; j++) {
+        const fLine = file.lines[j];
+        for (const ch of fLine) {
+          if (ch === "{") {
+            braceCount++;
+            started = true;
+          }
+          if (ch === "}") braceCount--;
+        }
+        if (/\bawait\b/.test(fLine) && j > i) {
+          hasAwait = true;
+        }
+        if (started && braceCount === 0) {
+          endLine = j + 1;
+          break;
+        }
+      }
+      if (/\bawait\b/.test(line) && line.indexOf("await") > line.indexOf("async")) {
+        hasAwait = true;
+      }
+      functions.push({ name, startLine, hasAwait, endLine });
+    }
+  }
+  return functions;
+}
+function isInsideTryCatch(lines, lineIndex) {
+  let braceDepth = 0;
+  for (let i = lineIndex; i >= 0; i--) {
+    const line = lines[i];
+    for (let j = line.length - 1; j >= 0; j--) {
+      if (line[j] === "}") braceDepth++;
+      if (line[j] === "{") braceDepth--;
+    }
+    if (braceDepth < 0 && /\btry\b/.test(lines[i])) return true;
+    if (braceDepth < 0 && /\bcatch\b/.test(lines[i])) return true;
+  }
+  return false;
+}
+var runtimeVerifyEngine = {
+  name: "runtime-verify",
+  description: "Static analysis for runtime issues: unhandled promises, dead exports, async bugs",
+  async scan(files, options) {
+    const findings = [];
+    const allImportedSymbols = /* @__PURE__ */ new Set();
+    for (const [, file] of files) {
+      const symbols = extractImportedSymbols(file);
+      for (const s of symbols) allImportedSymbols.add(s);
+    }
+    for (const [path, file] of files) {
+      if (![".ts", ".tsx", ".js", ".jsx"].includes(file.ext)) continue;
+      const asyncFunctions = findAsyncFunctions(file);
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
+        if (/\.then\s*\(/.test(trimmed) && !/.catch\s*\(/.test(trimmed)) {
+          const nextLines = file.lines.slice(i + 1, i + 4).join(" ");
+          if (!/.catch\s*\(/.test(nextLines)) {
+            const rule = getRuleOrDefault("RV001");
+            findings.push({
+              id: `RV001-${path}-${i + 1}`,
+              ruleId: "RV001",
+              engine: "runtime-verify",
+              category: "runtime-verify",
+              severity: "high",
+              confidence: "likely",
+              confidenceScore: 82,
+              file: path,
+              line: i + 1,
+              code: trimmed,
+              message: "Promise .then() without .catch() \u2014 rejection will be unhandled",
+              why: rule.why,
+              fix: rule.fix,
+              autoFixable: false,
+              tags: rule.tags,
+              verified: false,
+              _dedup: `RV001:${path}:${i + 1}`
+            });
+          }
+        }
+        if (/\bawait\b/.test(trimmed) && !isInsideTryCatch(file.lines, i)) {
+          const rule = getRuleOrDefault("RV001");
+          findings.push({
+            id: `RV001-await-${path}-${i + 1}`,
+            ruleId: "RV001",
+            engine: "runtime-verify",
+            category: "runtime-verify",
+            severity: "medium",
+            confidence: "possible",
+            confidenceScore: 65,
+            file: path,
+            line: i + 1,
+            code: trimmed,
+            message: "await without surrounding try/catch \u2014 rejection may be unhandled",
+            why: rule.why,
+            fix: rule.fix,
+            autoFixable: false,
+            tags: rule.tags,
+            verified: false,
+            _dedup: `RV001-await:${path}:${i + 1}`
+          });
+        }
+      }
+      for (const fn of asyncFunctions) {
+        if (!fn.hasAwait && fn.endLine - fn.startLine > 1) {
+          const rule = getRuleOrDefault("RV002");
+          findings.push({
+            id: `RV002-${path}-${fn.startLine}`,
+            ruleId: "RV002",
+            engine: "runtime-verify",
+            category: "runtime-verify",
+            severity: "medium",
+            confidence: "likely",
+            confidenceScore: 80,
+            file: path,
+            line: fn.startLine,
+            code: file.lines[fn.startLine - 1]?.trim() ?? "",
+            message: `Async function '${fn.name}' never uses await`,
+            why: rule.why,
+            fix: rule.fix,
+            autoFixable: false,
+            tags: rule.tags,
+            verified: false,
+            _dedup: `RV002:${path}:${fn.startLine}`
+          });
+        }
+      }
+      const exports2 = extractExports(file);
+      const isEntry = /(?:index|main|app|server|cli)\.[tj]sx?$/.test(path);
+      if (!isEntry) {
+        for (const exp of exports2) {
+          if (!allImportedSymbols.has(exp.name)) {
+            const rule = getRuleOrDefault("RV003");
+            findings.push({
+              id: `RV003-${path}-${exp.line}`,
+              ruleId: "RV003",
+              engine: "runtime-verify",
+              category: "runtime-verify",
+              severity: "medium",
+              confidence: "possible",
+              confidenceScore: 68,
+              file: path,
+              line: exp.line,
+              code: file.lines[exp.line - 1]?.trim() ?? "",
+              message: `Dead export: '${exp.name}' is exported but never imported`,
+              why: rule.why,
+              fix: rule.fix,
+              autoFixable: false,
+              tags: rule.tags,
+              verified: false,
+              _dedup: `RV003:${path}:${exp.name}`
+            });
+          }
+        }
+      }
+      const asyncFuncNames = new Set(asyncFunctions.map((f) => f.name));
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
+        if (trimmed.startsWith("import ") || trimmed.startsWith("export ")) continue;
+        if (/^(?:async\s+)?function\s/.test(trimmed)) continue;
+        for (const asyncName of asyncFuncNames) {
+          const callRegex = new RegExp(`(?<!await\\s)(?<!void\\s)\\b${asyncName}\\s*\\(`);
+          if (callRegex.test(trimmed) && !trimmed.includes(".then(") && !trimmed.includes("await ")) {
+            if (/(?:const|let|var|return)\s/.test(trimmed)) continue;
+            const rule = getRuleOrDefault("RV004");
+            findings.push({
+              id: `RV004-${path}-${i + 1}`,
+              ruleId: "RV004",
+              engine: "runtime-verify",
+              category: "runtime-verify",
+              severity: "high",
+              confidence: "likely",
+              confidenceScore: 78,
+              file: path,
+              line: i + 1,
+              code: trimmed,
+              message: `Floating promise: '${asyncName}()' called without await or .then()`,
+              why: rule.why,
+              fix: rule.fix,
+              autoFixable: false,
+              tags: rule.tags,
+              verified: false,
+              _dedup: `RV004:${path}:${i + 1}`
+            });
+          }
+        }
+      }
+      const moduleVars = [];
+      let depth = 0;
+      for (let i = 0; i < file.lines.length; i++) {
+        const line = file.lines[i];
+        for (const ch of line) {
+          if (ch === "{") depth++;
+          if (ch === "}") depth--;
+        }
+        if (depth === 0) {
+          const varMatch = line.match(/(?:let|var)\s+([A-Za-z_$][A-Za-z0-9_$]*)/);
+          if (varMatch) {
+            moduleVars.push({ name: varMatch[1], line: i + 1 });
+          }
+        }
+      }
+      for (const fn of asyncFunctions) {
+        for (const v of moduleVars) {
+          for (let j = fn.startLine - 1; j < fn.endLine && j < file.lines.length; j++) {
+            const fLine = file.lines[j];
+            const writeRegex = new RegExp(`\\b${v.name}\\s*(?:=|\\+=|-=|\\+\\+|--)`);
+            if (writeRegex.test(fLine)) {
+              const rule = getRuleOrDefault("RV005");
+              findings.push({
+                id: `RV005-${path}-${j + 1}`,
+                ruleId: "RV005",
+                engine: "runtime-verify",
+                category: "runtime-verify",
+                severity: "medium",
+                confidence: "possible",
+                confidenceScore: 65,
+                file: path,
+                line: j + 1,
+                code: fLine.trim(),
+                message: `Race condition risk: async function '${fn.name}' mutates shared variable '${v.name}'`,
+                why: rule.why,
+                fix: rule.fix,
+                autoFixable: false,
+                tags: rule.tags,
+                verified: false,
+                _dedup: `RV005:${path}:${v.name}:${fn.name}`
+              });
+              break;
+            }
+          }
+        }
+      }
+    }
+    return findings;
+  }
+};
+
+// src/scanner/engines/auto-fix.ts
+var import_fs2 = require("fs");
+var import_path3 = require("path");
+var fixStrategies = [
+  // ── QLT001: Remove console.log ──
+  {
+    ruleId: "QLT001",
+    apply(finding, lines) {
+      const lineIdx = finding.line - 1;
+      const line = lines[lineIdx];
+      if (!line) return null;
+      const trimmed = line.trim();
+      if (/^\s*console\.(log|debug|trace|info|warn)\s*\(/.test(line)) {
+        let fullStatement = trimmed;
+        let endIdx = lineIdx;
+        let parenCount = 0;
+        for (let i = lineIdx; i < lines.length; i++) {
+          for (const ch of lines[i]) {
+            if (ch === "(") parenCount++;
+            if (ch === ")") parenCount--;
+          }
+          if (parenCount <= 0) {
+            endIdx = i;
+            break;
+          }
+        }
+        return {
+          replacement: endIdx === lineIdx ? "" : "",
+          description: `Remove ${trimmed.split("(")[0]}() statement`
+        };
+      }
+      return null;
+    }
+  },
+  // ── QLT002: Remove debugger ──
+  {
+    ruleId: "QLT002",
+    apply(finding, lines) {
+      const lineIdx = finding.line - 1;
+      const line = lines[lineIdx];
+      if (!line) return null;
+      if (/^\s*debugger\s*;?\s*$/.test(line)) {
+        return {
+          replacement: "",
+          description: "Remove debugger statement"
+        };
+      }
+      return null;
+    }
+  },
+  // ── SEC009: Replace Math.random() with crypto.randomUUID() ──
+  {
+    ruleId: "SEC009",
+    apply(finding, lines) {
+      const lineIdx = finding.line - 1;
+      const line = lines[lineIdx];
+      if (!line) return null;
+      if (/Math\.random\(\)/.test(line)) {
+        const fixed = line.replace(
+          /Math\.random\(\)\.toString\(\d*\)(?:\.slice\(\d+\))?/g,
+          "crypto.randomUUID()"
+        ).replace(
+          /Math\.random\(\)/g,
+          "crypto.randomUUID()"
+        );
+        if (fixed !== line) {
+          return {
+            replacement: fixed,
+            description: "Replace Math.random() with crypto.randomUUID()"
+          };
+        }
+      }
+      return null;
+    }
+  },
+  // ── IG004/HAL006: Add missing env var to .env.example ──
+  {
+    ruleId: "IG004",
+    apply(finding, _lines, projectRoot) {
+      const envVarMatch = finding.code.match(/process\.env\.([A-Z_][A-Z0-9_]*)/);
+      if (!envVarMatch) return null;
+      const varName = envVarMatch[1];
+      const envExamplePath = (0, import_path3.join)(projectRoot, ".env.example");
+      if ((0, import_fs2.existsSync)(envExamplePath)) {
+        const content = (0, import_fs2.readFileSync)(envExamplePath, "utf-8");
+        if (content.includes(`${varName}=`)) return null;
+      }
+      return {
+        replacement: `${varName}=`,
+        description: `Add ${varName} to .env.example`
+      };
+    }
+  }
+];
+function applyFixes(options) {
+  const startTime = Date.now();
+  const fixResults = [];
+  const fixable = options.findings.filter((f) => f.autoFixable);
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of fixable) {
+    if (!byFile.has(f.file)) byFile.set(f.file, []);
+    byFile.get(f.file).push(f);
+  }
+  const envVarsToAdd = [];
+  for (const [filePath, findings] of byFile) {
+    const absPath = (0, import_path3.join)(options.projectRoot, filePath);
+    let lines;
+    try {
+      const content = (0, import_fs2.readFileSync)(absPath, "utf-8");
+      lines = content.split("\n");
+    } catch {
+      for (const f of findings) {
+        fixResults.push({
+          findingId: f.id,
+          ruleId: f.ruleId,
+          file: filePath,
+          line: f.line,
+          original: f.code,
+          replacement: "",
+          applied: false,
+          description: "File not readable, skipped"
+        });
+      }
+      continue;
+    }
+    const sorted = [...findings].sort((a, b) => b.line - a.line);
+    let modified = false;
+    for (const finding of sorted) {
+      const strategy = fixStrategies.find((s) => s.ruleId === finding.ruleId);
+      if (!strategy) {
+        fixResults.push({
+          findingId: finding.id,
+          ruleId: finding.ruleId,
+          file: filePath,
+          line: finding.line,
+          original: finding.code,
+          replacement: "",
+          applied: false,
+          description: "No fix strategy available"
+        });
+        continue;
+      }
+      const result = strategy.apply(finding, lines, options.projectRoot);
+      if (!result) {
+        fixResults.push({
+          findingId: finding.id,
+          ruleId: finding.ruleId,
+          file: filePath,
+          line: finding.line,
+          original: finding.code,
+          replacement: "",
+          applied: false,
+          description: "Fix not applicable to this code pattern"
+        });
+        continue;
+      }
+      const lineIdx = finding.line - 1;
+      const original = lines[lineIdx] ?? "";
+      if (finding.ruleId === "IG004" || finding.ruleId === "HAL006") {
+        envVarsToAdd.push(result.replacement);
+        fixResults.push({
+          findingId: finding.id,
+          ruleId: finding.ruleId,
+          file: ".env.example",
+          line: 0,
+          original: "",
+          replacement: result.replacement,
+          applied: !options.dryRun,
+          description: result.description
+        });
+        continue;
+      }
+      if (result.replacement === "") {
+        lines.splice(lineIdx, 1);
+      } else {
+        lines[lineIdx] = result.replacement;
+      }
+      modified = true;
+      fixResults.push({
+        findingId: finding.id,
+        ruleId: finding.ruleId,
+        file: filePath,
+        line: finding.line,
+        original,
+        replacement: result.replacement || "(line removed)",
+        applied: !options.dryRun,
+        description: result.description
+      });
+    }
+    if (modified && !options.dryRun) {
+      try {
+        (0, import_fs2.writeFileSync)(absPath, lines.join("\n"), "utf-8");
+      } catch {
+        for (const r of fixResults) {
+          if (r.file === filePath) r.applied = false;
+        }
+      }
+    }
+  }
+  if (envVarsToAdd.length > 0 && !options.dryRun) {
+    const envExamplePath = (0, import_path3.join)(options.projectRoot, ".env.example");
+    try {
+      const additions = envVarsToAdd.map((v) => `${v}
+`).join("");
+      if ((0, import_fs2.existsSync)(envExamplePath)) {
+        (0, import_fs2.appendFileSync)(envExamplePath, `
+# Added by VibeCheck auto-fix
+${additions}`, "utf-8");
+      } else {
+        (0, import_fs2.writeFileSync)(envExamplePath, `# Environment Variables
+# Added by VibeCheck auto-fix
+${additions}`, "utf-8");
+      }
+    } catch {
+      for (const r of fixResults) {
+        if (r.file === ".env.example") r.applied = false;
+      }
+    }
+  }
+  const applied = fixResults.filter((r) => r.applied).length;
+  return {
+    totalFixable: fixable.length,
+    applied,
+    skipped: fixable.length - applied,
+    fixes: fixResults,
+    durationMs: Date.now() - startTime
+  };
+}
+
+// src/scanner/index.ts
+var ALL_ENGINES = [
+  credentialsEngine,
+  securityEngine,
+  fakeFeaturesEngine,
+  hallucinationsEngine,
+  deadUIEngine,
+  codeQualityEngine,
+  importGraphEngine,
+  runtimeVerifyEngine
+];
+var DEFAULT_EXCLUDE = [
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "coverage",
+  "__pycache__",
+  ".venv",
+  "venv",
+  ".output"
+];
+function loadFiles(projectRoot, options) {
+  const files = /* @__PURE__ */ new Map();
+  const exclude = options.exclude ?? DEFAULT_EXCLUDE;
+  const maxFileSize = 512 * 1024;
+  function walk(dir) {
+    let entries;
+    try {
+      entries = (0, import_fs3.readdirSync)(dir);
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const fullPath = (0, import_path4.join)(dir, entry);
+      if (exclude.some((e) => entry === e || entry.startsWith("."))) {
+        try {
+          if ((0, import_fs3.statSync)(fullPath).isDirectory()) continue;
+        } catch {
+          continue;
+        }
+      }
+      let stat;
+      try {
+        stat = (0, import_fs3.statSync)(fullPath);
+      } catch {
+        continue;
+      }
+      if (stat.isDirectory()) {
+        walk(fullPath);
+        continue;
+      }
+      if (!isCodeFile(fullPath)) continue;
+      if (stat.size > maxFileSize) continue;
+      const relativePath = (0, import_path4.relative)(projectRoot, fullPath);
+      const classification = classifyPath(relativePath);
+      if (classification.excludeByDefault && classification.category !== "test") continue;
+      if (classification.category === "test" && !options.includeTests) continue;
+      try {
+        const content = (0, import_fs3.readFileSync)(fullPath, "utf-8");
+        const hash = (0, import_crypto.createHash)("md5").update(content).digest("hex");
+        files.set(relativePath, {
+          path: relativePath,
+          absolutePath: fullPath,
+          content,
+          lines: content.split("\n"),
+          ext: (0, import_path4.extname)(fullPath).toLowerCase(),
+          hash,
+          classification
+        });
+      } catch {
+      }
+    }
+  }
+  if (options.files && options.files.length > 0) {
+    for (const filePath of options.files) {
+      const fullPath = (0, import_path4.join)(projectRoot, filePath);
+      if (!(0, import_fs3.existsSync)(fullPath)) continue;
+      try {
+        const content = (0, import_fs3.readFileSync)(fullPath, "utf-8");
+        const hash = (0, import_crypto.createHash)("md5").update(content).digest("hex");
+        const classification = classifyPath(filePath);
+        files.set(filePath, {
+          path: filePath,
+          absolutePath: fullPath,
+          content,
+          lines: content.split("\n"),
+          ext: (0, import_path4.extname)(fullPath).toLowerCase(),
+          hash,
+          classification
+        });
+      } catch {
+      }
+    }
+  } else {
+    walk(projectRoot);
+  }
+  return files;
+}
+function calculateHealthScore(findings) {
+  let score = 100;
+  for (const f of findings) {
+    switch (f.severity) {
+      case "critical":
+        score -= 15;
+        break;
+      case "high":
+        score -= 8;
+        break;
+      case "medium":
+        score -= 3;
+        break;
+      case "low":
+        score -= 1;
+        break;
+    }
+    if (f.category === "hallucinations") score -= 3;
+    if (f.ruleId === "FAKE005") score -= 5;
+  }
+  return Math.max(0, Math.min(100, score));
+}
+async function scan(options) {
+  const startTime = Date.now();
+  const scanId = `scan-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+  options.onProgress?.({
+    phase: "loading",
+    processed: 0,
+    total: 0,
+    percentage: 0,
+    elapsedMs: 0
+  });
+  const files = loadFiles(options.projectRoot, options);
+  options.onProgress?.({
+    phase: "classifying",
+    processed: files.size,
+    total: files.size,
+    percentage: 10,
+    elapsedMs: Date.now() - startTime
+  });
+  const enabledEngines = options.engines ? ALL_ENGINES.filter((e) => options.engines.includes(e.name)) : ALL_ENGINES;
+  const engineResults = [];
+  let allFindings = [];
+  if (options.parallel !== false) {
+    const promises = enabledEngines.map(async (engine) => {
+      const engineStart = Date.now();
+      try {
+        const findings = await Promise.race([
+          engine.scan(files, options),
+          new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("Engine timeout")), options.engineTimeout ?? 3e4)
+          )
+        ]);
+        return {
+          engine: engine.name,
+          findings: findings.length,
+          durationMs: Date.now() - engineStart,
+          success: true,
+          result: findings
+        };
+      } catch (err) {
+        return {
+          engine: engine.name,
+          findings: 0,
+          durationMs: Date.now() - engineStart,
+          success: false,
+          error: err instanceof Error ? err.message : "Unknown error",
+          result: []
+        };
+      }
+    });
+    const results = await Promise.all(promises);
+    for (const r of results) {
+      engineResults.push({
+        engine: r.engine,
+        findings: r.findings,
+        durationMs: r.durationMs,
+        success: r.success,
+        error: r.error
+      });
+      allFindings.push(...r.result);
+    }
+  } else {
+    for (const engine of enabledEngines) {
+      const engineStart = Date.now();
+      try {
+        const findings = await engine.scan(files, options);
+        engineResults.push({
+          engine: engine.name,
+          findings: findings.length,
+          durationMs: Date.now() - engineStart,
+          success: true
+        });
+        allFindings.push(...findings);
+      } catch (err) {
+        engineResults.push({
+          engine: engine.name,
+          findings: 0,
+          durationMs: Date.now() - engineStart,
+          success: false,
+          error: err instanceof Error ? err.message : "Unknown error"
+        });
+      }
+    }
+  }
+  options.onProgress?.({
+    phase: "deduplicating",
+    processed: allFindings.length,
+    total: allFindings.length,
+    percentage: 85,
+    elapsedMs: Date.now() - startTime
+  });
+  const { deduplicated, suppressedCount } = deduplicateFindings(allFindings);
+  const severityOrder = ["low", "medium", "high", "critical"];
+  const minSeverityIndex = severityOrder.indexOf(options.severityThreshold ?? "low");
+  const filtered = deduplicated.filter(
+    (f) => severityOrder.indexOf(f.severity) >= minSeverityIndex
+  );
+  if (options.onFinding) {
+    for (const f of filtered) {
+      options.onFinding(f);
+    }
+  }
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byCategory = {};
+  const byEngine = {};
+  for (const f of filtered) {
+    bySeverity[f.severity]++;
+    byCategory[f.category] = (byCategory[f.category] ?? 0) + 1;
+    byEngine[f.engine] = (byEngine[f.engine] ?? 0) + 1;
+  }
+  const durationMs = Date.now() - startTime;
+  const engineTimings = {};
+  for (const r of engineResults) {
+    engineTimings[r.engine] = r.durationMs;
+  }
+  options.onProgress?.({
+    phase: "complete",
+    processed: files.size,
+    total: files.size,
+    percentage: 100,
+    elapsedMs: durationMs
+  });
+  return {
+    scanId,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    findings: filtered,
+    summary: {
+      totalFiles: files.size,
+      filesScanned: files.size,
+      totalFindings: filtered.length,
+      bySeverity,
+      byCategory,
+      byEngine,
+      autoFixable: filtered.filter((f) => f.autoFixable).length,
+      suppressedDuplicates: suppressedCount
+    },
+    healthScore: calculateHealthScore(filtered),
+    engineResults,
+    metrics: {
+      durationMs,
+      filesPerSecond: files.size > 0 ? Math.round(files.size / durationMs * 1e3) : 0,
+      engineTimings
+    }
+  };
+}
+async function fix(options) {
+  const report = await scan(options);
+  const fixReport = applyFixes({
+    findings: report.findings,
+    projectRoot: options.projectRoot,
+    dryRun: options.dryRun ?? false
+  });
+  return { report, fixReport };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ALL_ENGINES,
+  RULE_CATALOG,
+  applyFixes,
+  classifyPath,
+  fix,
+  getRuleOrDefault,
+  scan
+});
+//# sourceMappingURL=index.js.map