vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/lib/cleanup/rules.js

@@ -0,0 +1,1060 @@
+/**
+ * vibecheck polish --cleanup Safe Rule Set
+ * 
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * PRODUCTION-GRADE CLEANUP WITHOUT CHAOS
+ * ═══════════════════════════════════════════════════════════════════════════════
+ * 
+ * Safe transformations that improve code quality without surprise refactors.
+ * 
+ * Design principles:
+ * - Safe by default: Only transformations that cannot change behavior
+ * - Aggressive opt-in: Requires explicit --aggressive --yes-i-am-sure
+ * - Checkpoint integration: Automatic backup before any changes
+ * - Transparent: Full diff preview before applying
+ * 
+ * Rule structure:
+ * - id: Unique identifier for the rule
+ * - name: Human-readable name
+ * - description: What this rule detects
+ * - severity: critical | high | medium | low | info
+ * - pattern: RegExp or function(content, filePath) => Match[]
+ * - fix: string | function(match) => string | null (null = flag only)
+ * - riskLevel: safe | moderate | aggressive
+ * - category: Category for grouping in output
+ * - autoFixable: Whether this can be auto-fixed
+ * - fileTypes: Array of extensions this applies to (optional, defaults to all)
+ * - exclude: Array of path patterns to exclude (optional)
+ * - aiPrompt: Prompt for AI to fix this issue (optional)
+ */
+
+"use strict";
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// HELPER FUNCTIONS FOR COMPLEX PATTERNS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Create a pattern that handles nested parentheses in console statements
+ * This is more robust than simple regex for console.log(complex(nested(args)))
+ */
+function createConsolePattern(method) {
+  return {
+    type: "function",
+    fn: (content) => {
+      const matches = [];
+      const regex = new RegExp(`console\\.${method}\\s*\\(`, "g");
+      let match;
+      
+      while ((match = regex.exec(content)) !== null) {
+        const startIndex = match.index;
+        let depth = 1;
+        let i = match.index + match[0].length;
+        
+        // Find matching closing parenthesis
+        while (i < content.length && depth > 0) {
+          if (content[i] === "(") depth++;
+          else if (content[i] === ")") depth--;
+          i++;
+        }
+        
+        // Include trailing semicolon if present
+        if (content[i] === ";") i++;
+        
+        // Only add if we found the closing paren
+        if (depth === 0) {
+          matches.push({
+            index: startIndex,
+            length: i - startIndex,
+            match: content.substring(startIndex, i),
+          });
+        }
+      }
+      
+      return matches;
+    },
+  };
+}
+
+/**
+ * Detect empty catch blocks more accurately
+ */
+function detectEmptyCatch(content) {
+  const matches = [];
+  // Match catch blocks - handles various formatting
+  const regex = /catch\s*\(\s*(\w+)?\s*\)\s*\{([^}]*)\}/g;
+  let match;
+  
+  while ((match = regex.exec(content)) !== null) {
+    const body = match[2].trim();
+    // Empty if only whitespace, comments, or nothing
+    const isEmpty = body === "" || /^(\s*\/\/[^\n]*\s*|\s*\/\*[\s\S]*?\*\/\s*)*$/.test(body);
+    
+    if (isEmpty) {
+      matches.push({
+        index: match.index,
+        length: match[0].length,
+        match: match[0],
+        catchVar: match[1] || "error",
+        body: body,
+      });
+    }
+  }
+  
+  return matches;
+}
+
+/**
+ * Detect potentially unsafe regex patterns (ReDoS)
+ */
+function detectUnsafeRegex(content) {
+  const matches = [];
+  // Find regex literals and RegExp constructors
+  const regexLiteralPattern = /\/(?![*\/])(?:[^\\/\[\n]|\\.|\[(?:[^\\\]\n]|\\.)*\])+\/[gimsuvy]*/g;
+  const regexConstructorPattern = /new\s+RegExp\s*\(\s*(['"`])(.+?)\1/g;
+  
+  const dangerousPatterns = [
+    /\([^)]*\+\)\+/,           // (a+)+
+    /\([^)]*\*\)\+/,           // (a*)+
+    /\([^)]*\+\)\*/,           // (a+)*
+    /\([^)]*\*\)\*/,           // (a*)*
+    /\.\*[^?].*\.\*/,          // .* followed by .* (greedy)
+    /\([^)]+\|[^)]+\)\+/,      // (a|b)+ with overlapping
+    /\\d\+.*\\d\+/,            // \d+...\d+ backtracking
+  ];
+  
+  let match;
+  
+  // Check regex literals
+  while ((match = regexLiteralPattern.exec(content)) !== null) {
+    const regexStr = match[0];
+    for (const dangerous of dangerousPatterns) {
+      if (dangerous.test(regexStr)) {
+        matches.push({
+          index: match.index,
+          length: match[0].length,
+          match: match[0],
+          reason: "Potential ReDoS: nested quantifiers or overlapping patterns",
+        });
+        break;
+      }
+    }
+  }
+  
+  // Check RegExp constructors
+  while ((match = regexConstructorPattern.exec(content)) !== null) {
+    const regexStr = match[2];
+    for (const dangerous of dangerousPatterns) {
+      if (dangerous.test(regexStr)) {
+        matches.push({
+          index: match.index,
+          length: match[0].length,
+          match: match[0],
+          reason: "Potential ReDoS: nested quantifiers or overlapping patterns",
+        });
+        break;
+      }
+    }
+  }
+  
+  return matches;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// SAFE RULES - Cannot change program behavior
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Safe rules that can be auto-applied without confirmation.
+ * These transformations are guaranteed to not change program behavior.
+ */
+const SAFE_RULES = {
+  // ─────────────────────────────────────────────────────────────
+  // Console statements (safe to remove in production)
+  // Uses function-based detection for proper parenthesis matching
+  // ─────────────────────────────────────────────────────────────
+  "console-log": {
+    id: "console-log",
+    name: "console.log statements",
+    description: "Remove console.log statements (debug leftovers)",
+    severity: "low",
+    pattern: createConsolePattern("log"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+    exclude: ["*.test.*", "*.spec.*", "**/__tests__/**", "**/test/**"],
+  },
+  
+  "console-debug": {
+    id: "console-debug",
+    name: "console.debug statements",
+    description: "Remove console.debug statements",
+    severity: "low",
+    pattern: createConsolePattern("debug"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+    exclude: ["*.test.*", "*.spec.*"],
+  },
+  
+  "console-info": {
+    id: "console-info",
+    name: "console.info statements",
+    description: "Remove console.info statements",
+    severity: "low",
+    pattern: createConsolePattern("info"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+    exclude: ["*.test.*", "*.spec.*"],
+  },
+  
+  "console-trace": {
+    id: "console-trace",
+    name: "console.trace statements",
+    description: "Remove console.trace statements",
+    severity: "low",
+    pattern: createConsolePattern("trace"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-dir": {
+    id: "console-dir",
+    name: "console.dir statements",
+    description: "Remove console.dir statements",
+    severity: "low",
+    pattern: createConsolePattern("dir"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-table": {
+    id: "console-table",
+    name: "console.table statements",
+    description: "Remove console.table statements",
+    severity: "low",
+    pattern: createConsolePattern("table"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-time": {
+    id: "console-time",
+    name: "console.time/timeEnd statements",
+    description: "Remove console.time/timeEnd statements (profiling)",
+    severity: "low",
+    pattern: createConsolePattern("time(?:End|Log)?"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-count": {
+    id: "console-count",
+    name: "console.count statements",
+    description: "Remove console.count/countReset statements",
+    severity: "low",
+    pattern: createConsolePattern("count(?:Reset)?"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-group": {
+    id: "console-group",
+    name: "console.group statements",
+    description: "Remove console.group/groupEnd statements",
+    severity: "low",
+    pattern: createConsolePattern("group(?:End|Collapsed)?"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-clear": {
+    id: "console-clear",
+    name: "console.clear statements",
+    description: "Remove console.clear statements",
+    severity: "low",
+    pattern: createConsolePattern("clear"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+  
+  "console-profile": {
+    id: "console-profile",
+    name: "console.profile statements",
+    description: "Remove console.profile/profileEnd statements",
+    severity: "low",
+    pattern: createConsolePattern("profile(?:End)?"),
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Debug artifacts
+  // ─────────────────────────────────────────────────────────────
+  "debugger-statement": {
+    id: "debugger-statement",
+    name: "debugger statements",
+    description: "Remove debugger statements (stops execution in dev tools)",
+    severity: "high",
+    pattern: /(?:^|[;\s{])(debugger)\s*;?/gm,
+    fix: "",
+    riskLevel: "safe",
+    category: "debug-cleanup",
+    autoFixable: true,
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Trailing whitespace and formatting
+  // ─────────────────────────────────────────────────────────────
+  "trailing-whitespace": {
+    id: "trailing-whitespace",
+    name: "Trailing whitespace",
+    description: "Remove trailing whitespace at end of lines",
+    severity: "info",
+    pattern: /[ \t]+$/gm,
+    fix: "",
+    riskLevel: "safe",
+    category: "formatting",
+    autoFixable: true,
+  },
+
+  "multiple-empty-lines": {
+    id: "multiple-empty-lines",
+    name: "Multiple consecutive empty lines",
+    description: "Collapse multiple empty lines into single empty line",
+    severity: "info",
+    pattern: /\n{3,}/g,
+    fix: "\n\n",
+    riskLevel: "safe",
+    category: "formatting",
+    autoFixable: true,
+  },
+  
+  "trailing-newlines": {
+    id: "trailing-newlines",
+    name: "Multiple trailing newlines",
+    description: "Ensure file ends with exactly one newline",
+    severity: "info",
+    pattern: /\n{2,}$/,
+    fix: "\n",
+    riskLevel: "safe",
+    category: "formatting",
+    autoFixable: true,
+  },
+  
+  "no-final-newline": {
+    id: "no-final-newline",
+    name: "Missing final newline",
+    description: "Ensure file ends with a newline (POSIX compliance)",
+    severity: "info",
+    pattern: {
+      type: "function",
+      fn: (content) => {
+        if (content.length > 0 && !content.endsWith("\n")) {
+          return [{
+            index: content.length,
+            length: 0,
+            match: "",
+            insertAfter: "\n",
+          }];
+        }
+        return [];
+      },
+    },
+    fix: null, // Handled by insertAfter
+    riskLevel: "safe",
+    category: "formatting",
+    autoFixable: true,
+  },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// MODERATE RULES - Low risk, but worth reviewing
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Moderate rules that are generally safe but warrant review.
+ * Applied by default but included in diff summary for review.
+ */
+const MODERATE_RULES = {
+  // ─────────────────────────────────────────────────────────────
+  // Empty blocks
+  // ─────────────────────────────────────────────────────────────
+  "empty-catch-silent": {
+    id: "empty-catch-silent",
+    name: "Empty catch blocks (silent failures)",
+    description: "Catch blocks that swallow errors without any handling",
+    severity: "high",
+    pattern: {
+      type: "function",
+      fn: detectEmptyCatch,
+    },
+    suggestedFix: "Add error logging: console.error(error) or proper error handling",
+    riskLevel: "moderate",
+    category: "error-handling",
+    autoFixable: false, // Flag, don't auto-fix (behavior change)
+    aiPrompt: `Add appropriate error handling to this empty catch block. Options:
+1. Log the error: console.error('Operation failed:', error);
+2. Re-throw with context: throw new Error('Context: ' + error.message);
+3. Handle gracefully with fallback behavior
+4. If intentionally ignoring, add comment: // Intentionally ignoring error`,
+  },
+
+  "empty-function": {
+    id: "empty-function",
+    name: "Empty functions",
+    description: "Functions with no implementation (potential stub)",
+    severity: "medium",
+    pattern: /(?:async\s+)?function\s+\w+\s*\([^)]*\)\s*\{\s*\}|(?:const|let|var)\s+\w+\s*=\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{\s*\}/g,
+    suggestedFix: "Implement function or add TODO comment explaining why it's empty",
+    riskLevel: "moderate",
+    category: "code-quality",
+    autoFixable: false,
+    aiPrompt: "This function has no implementation. Either implement it or add a comment explaining why it's a stub.",
+  },
+  
+  "empty-if-block": {
+    id: "empty-if-block",
+    name: "Empty if blocks",
+    description: "If statements with empty bodies",
+    severity: "medium",
+    pattern: /if\s*\([^)]+\)\s*\{\s*\}/g,
+    suggestedFix: "Add implementation or remove the empty if block",
+    riskLevel: "moderate",
+    category: "code-quality",
+    autoFixable: false,
+  },
+  
+  "empty-else-block": {
+    id: "empty-else-block",
+    name: "Empty else blocks",
+    description: "Else statements with empty bodies",
+    severity: "low",
+    pattern: /else\s*\{\s*\}/g,
+    suggestedFix: "Add implementation or remove the empty else block",
+    riskLevel: "moderate",
+    category: "code-quality",
+    autoFixable: false,
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Code hygiene markers
+  // ─────────────────────────────────────────────────────────────
+  "todo-fixme-comments": {
+    id: "todo-fixme-comments",
+    name: "TODO/FIXME comments",
+    description: "Flag TODO/FIXME comments that should be addressed before shipping",
+    severity: "low",
+    pattern: /\/\/\s*(TODO|FIXME|HACK|XXX|BUG|OPTIMIZE|REFACTOR):?[^\n]*/gi,
+    fix: null, // Don't auto-remove, just flag
+    riskLevel: "moderate",
+    category: "code-hygiene",
+    autoFixable: false,
+  },
+  
+  "eslint-disable-line": {
+    id: "eslint-disable-line",
+    name: "ESLint disable comments",
+    description: "Comments disabling ESLint rules - review if still needed",
+    severity: "low",
+    pattern: /\/\/\s*eslint-disable(?:-next)?-line[^\n]*/gi,
+    riskLevel: "moderate",
+    category: "code-hygiene",
+    autoFixable: false,
+    aiPrompt: "Review this ESLint disable comment. Can the underlying issue be fixed instead of suppressing the warning?",
+  },
+  
+  "ts-ignore-comment": {
+    id: "ts-ignore-comment",
+    name: "@ts-ignore comments",
+    description: "@ts-ignore comments suppress TypeScript errors - review if still needed",
+    severity: "medium",
+    pattern: /\/\/\s*@ts-(?:ignore|nocheck|expect-error)[^\n]*/gi,
+    riskLevel: "moderate",
+    category: "code-hygiene",
+    autoFixable: false,
+    aiPrompt: "Review this TypeScript suppression comment. Can the type error be fixed properly instead?",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Potential dead code patterns
+  // ─────────────────────────────────────────────────────────────
+  "unreachable-after-return": {
+    id: "unreachable-after-return",
+    name: "Code after return/throw",
+    description: "Code that appears after return/throw statement in same block",
+    severity: "medium",
+    pattern: {
+      type: "function",
+      fn: (content) => {
+        const matches = [];
+        // Match return/throw followed by non-closing-brace code
+        const regex = /(?:return\s+[^;]+;|throw\s+[^;]+;)\s*\n\s*(?![\s}]*(?:\}|case\s|default:|else|catch|finally))[^\s}][^\n]+/g;
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          matches.push({
+            index: match.index,
+            length: match[0].length,
+            match: match[0],
+          });
+        }
+        return matches;
+      },
+    },
+    riskLevel: "moderate",
+    category: "dead-code",
+    autoFixable: false,
+  },
+  
+  "constant-condition": {
+    id: "constant-condition",
+    name: "Constant conditions",
+    description: "If statements with constant true/false conditions",
+    severity: "medium",
+    pattern: /if\s*\(\s*(?:true|false|1|0|null|undefined)\s*\)/g,
+    riskLevel: "moderate",
+    category: "dead-code",
+    autoFixable: false,
+    aiPrompt: "This condition is always true/false. Remove the condition or the dead branch.",
+  },
+  
+  // ─────────────────────────────────────────────────────────────
+  // Security-adjacent (flag for review)
+  // ─────────────────────────────────────────────────────────────
+  "hardcoded-localhost": {
+    id: "hardcoded-localhost",
+    name: "Hardcoded localhost URLs",
+    description: "Hardcoded localhost URLs that won't work in production",
+    severity: "medium",
+    pattern: /['"`]https?:\/\/(?:localhost|127\.0\.0\.1)(?::\d+)?[^'"`]*['"`]/g,
+    riskLevel: "moderate",
+    category: "configuration",
+    autoFixable: false,
+    aiPrompt: "Replace this hardcoded localhost URL with an environment variable like process.env.API_URL",
+  },
+  
+  "hardcoded-port": {
+    id: "hardcoded-port",
+    name: "Hardcoded ports",
+    description: "Hardcoded port numbers that should be configurable",
+    severity: "low",
+    pattern: /(?:port|PORT)\s*[:=]\s*(?:['"`]?)(\d{4,5})(?:['"`]?)/g,
+    riskLevel: "moderate",
+    category: "configuration",
+    autoFixable: false,
+    exclude: ["*.test.*", "*.spec.*", "*.config.*"],
+  },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// AGGRESSIVE RULES - Require explicit opt-in
+// ═══════════════════════════════════════════════════════════════════════════════
+
+/**
+ * Aggressive rules that could change program behavior.
+ * Requires --aggressive --yes-i-am-sure flags.
+ */
+const AGGRESSIVE_RULES = {
+  // ─────────────────────────────────────────────────────────────
+  // Security: Unsafe regex patterns (potential ReDoS)
+  // ─────────────────────────────────────────────────────────────
+  "unsafe-regex": {
+    id: "unsafe-regex",
+    name: "Potentially unsafe regex (ReDoS)",
+    description: "Regex patterns vulnerable to catastrophic backtracking",
+    severity: "high",
+    pattern: {
+      type: "function",
+      fn: detectUnsafeRegex,
+    },
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: `This regex may be vulnerable to ReDoS (Regular Expression Denial of Service).
+Rewrite to avoid:
+- Nested quantifiers like (a+)+, (a*)*
+- Overlapping alternations
+- Backreferences with quantifiers
+Consider using a regex linter or the 'safe-regex' package.`,
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Security: Dangerous functions
+  // ─────────────────────────────────────────────────────────────
+  "eval-usage": {
+    id: "eval-usage",
+    name: "eval() usage",
+    description: "eval() can execute arbitrary code - major security risk",
+    severity: "critical",
+    pattern: /\beval\s*\(/g,
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: "eval() is dangerous and should be avoided. Use JSON.parse() for JSON, Function() for dynamic code, or refactor to avoid dynamic code execution entirely.",
+  },
+  
+  "new-function": {
+    id: "new-function",
+    name: "new Function() usage",
+    description: "new Function() is similar to eval() - security risk",
+    severity: "high",
+    pattern: /new\s+Function\s*\(/g,
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: "new Function() is similar to eval(). Refactor to avoid dynamic code generation.",
+  },
+  
+  "innerhtml-assignment": {
+    id: "innerhtml-assignment",
+    name: "innerHTML assignment",
+    description: "Direct innerHTML assignment can lead to XSS vulnerabilities",
+    severity: "high",
+    pattern: /\.innerHTML\s*=\s*(?!['"`]\s*['"`])/g,
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: "innerHTML can lead to XSS. Use textContent for text, or sanitize HTML with DOMPurify before insertion.",
+    exclude: ["*.test.*", "*.spec.*"],
+  },
+  
+  "document-write": {
+    id: "document-write",
+    name: "document.write() usage",
+    description: "document.write() is deprecated and can cause issues",
+    severity: "medium",
+    pattern: /document\.write\s*\(/g,
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: "document.write() is deprecated. Use DOM manipulation methods instead.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Security: Hardcoded secrets
+  // ─────────────────────────────────────────────────────────────
+  "hardcoded-secret": {
+    id: "hardcoded-secret",
+    name: "Potential hardcoded secrets",
+    description: "Strings that look like API keys, tokens, or passwords",
+    severity: "critical",
+    pattern: {
+      type: "function",
+      fn: (content) => {
+        const matches = [];
+        const patterns = [
+          // API keys (generic)
+          /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"`]([a-zA-Z0-9_\-]{20,})['"`]/gi,
+          // AWS
+          /(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}/g,
+          // GitHub tokens
+          /ghp_[a-zA-Z0-9]{36}/g,
+          /gho_[a-zA-Z0-9]{36}/g,
+          /ghu_[a-zA-Z0-9]{36}/g,
+          /ghs_[a-zA-Z0-9]{36}/g,
+          // Slack tokens
+          /xox[baprs]-[0-9a-zA-Z]{10,}/g,
+          // JWT-like (but not template literals)
+          /['"`](eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,})['"`]/g,
+          // Generic password assignments
+          /(?:password|passwd|pwd|secret)\s*[:=]\s*['"`](?![${])[^'"`]{8,}['"`]/gi,
+        ];
+        
+        for (const pattern of patterns) {
+          let match;
+          pattern.lastIndex = 0;
+          while ((match = pattern.exec(content)) !== null) {
+            // Skip if in comments
+            const lineStart = content.lastIndexOf("\n", match.index) + 1;
+            const beforeMatch = content.substring(lineStart, match.index);
+            if (beforeMatch.includes("//") || beforeMatch.trim().startsWith("*")) continue;
+            
+            // Skip if it's a template/example
+            if (/your[_-]?|example|placeholder|xxx|changeme/i.test(match[0])) continue;
+            
+            matches.push({
+              index: match.index,
+              length: match[0].length,
+              match: match[0].substring(0, 30) + (match[0].length > 30 ? "..." : ""),
+              fullMatch: match[0],
+            });
+          }
+        }
+        
+        return matches;
+      },
+    },
+    riskLevel: "aggressive",
+    category: "security",
+    autoFixable: false,
+    aiPrompt: "Move this secret to an environment variable. Never commit secrets to version control.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Code hygiene: Commented-out code
+  // ─────────────────────────────────────────────────────────────
+  "commented-code-block": {
+    id: "commented-code-block",
+    name: "Commented-out code blocks",
+    description: "Large blocks of commented-out code (use version control)",
+    severity: "low",
+    pattern: {
+      type: "function",
+      fn: (content) => {
+        const matches = [];
+        
+        // Multi-line comment blocks with code-like content
+        const multiLineRegex = /\/\*[\s\S]{50,}?\*\//g;
+        let match;
+        while ((match = multiLineRegex.exec(content)) !== null) {
+          const inner = match[0];
+          // Check if it contains code-like patterns
+          const codePatterns = /(function|const|let|var|if|for|while|return|import|export|class)\s/;
+          if (codePatterns.test(inner)) {
+            matches.push({
+              index: match.index,
+              length: match[0].length,
+              match: match[0].substring(0, 50) + "...",
+            });
+          }
+        }
+        
+        // Multiple consecutive single-line comments with code
+        const lines = content.split("\n");
+        let commentBlock = [];
+        let blockStart = 0;
+        
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          if (line.startsWith("//") && /^\s*\/\/\s*(function|const|let|var|if|for|while|return|import|export|class|\w+\s*[=:({])/.test(lines[i])) {
+            if (commentBlock.length === 0) {
+              blockStart = content.indexOf(lines[i]);
+            }
+            commentBlock.push(lines[i]);
+          } else {
+            if (commentBlock.length >= 3) {
+              const blockContent = commentBlock.join("\n");
+              matches.push({
+                index: blockStart,
+                length: blockContent.length,
+                match: blockContent.substring(0, 50) + "...",
+              });
+            }
+            commentBlock = [];
+          }
+        }
+        
+        return matches;
+      },
+    },
+    riskLevel: "aggressive",
+    category: "code-hygiene",
+    autoFixable: false,
+    aiPrompt: "Remove this commented-out code. Use version control to track code history instead.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // TypeScript: Type safety
+  // ─────────────────────────────────────────────────────────────
+  "any-type": {
+    id: "any-type",
+    name: "TypeScript 'any' type",
+    description: "Explicit 'any' type bypasses type checking",
+    severity: "medium",
+    pattern: /:\s*any\b(?!\s*\/\/\s*(?:intentional|necessary|required))/g,
+    riskLevel: "aggressive",
+    category: "type-safety",
+    autoFixable: false,
+    fileTypes: [".ts", ".tsx"],
+    aiPrompt: `Replace 'any' with a proper type:
+- Use 'unknown' if the type is truly unknown (safer than any)
+- Use a generic type parameter if this is meant to be flexible
+- Define an interface/type for the expected shape
+- Use 'as const' for literal types`,
+  },
+  
+  "non-null-assertion": {
+    id: "non-null-assertion",
+    name: "Non-null assertions (!)",
+    description: "Non-null assertion operator bypasses null checks",
+    severity: "medium",
+    pattern: /\w+\s*!\s*\./g,
+    riskLevel: "aggressive",
+    category: "type-safety",
+    autoFixable: false,
+    fileTypes: [".ts", ".tsx"],
+    aiPrompt: "Replace the non-null assertion (!) with proper null checking using optional chaining (?.) or an if statement.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Logging: console.error (might be intentional)
+  // ─────────────────────────────────────────────────────────────
+  "console-error": {
+    id: "console-error",
+    name: "console.error statements",
+    description: "console.error should be replaced with proper logging",
+    severity: "low",
+    pattern: createConsolePattern("error"),
+    riskLevel: "aggressive",
+    category: "logging",
+    autoFixable: false,
+    exclude: ["*.test.*", "*.spec.*"],
+    aiPrompt: "Replace console.error with a proper logging library (winston, pino, etc.) that supports log levels and structured logging.",
+  },
+  
+  "console-warn": {
+    id: "console-warn",
+    name: "console.warn statements",
+    description: "console.warn should be replaced with proper logging",
+    severity: "low",
+    pattern: createConsolePattern("warn"),
+    riskLevel: "aggressive",
+    category: "logging",
+    autoFixable: false,
+    exclude: ["*.test.*", "*.spec.*"],
+    aiPrompt: "Replace console.warn with a proper logging library.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // UX: Legacy browser APIs
+  // ─────────────────────────────────────────────────────────────
+  "browser-alert": {
+    id: "browser-alert",
+    name: "Browser alert()",
+    description: "alert() blocks the thread and has poor UX",
+    severity: "medium",
+    pattern: /\balert\s*\(/g,
+    riskLevel: "aggressive",
+    category: "ux",
+    autoFixable: false,
+    aiPrompt: "Replace alert() with a modern toast/modal component from your UI library (e.g., react-hot-toast, shadcn/ui dialog).",
+  },
+  
+  "browser-confirm": {
+    id: "browser-confirm",
+    name: "Browser confirm()",
+    description: "confirm() blocks the thread and has poor UX",
+    severity: "medium",
+    pattern: /\bconfirm\s*\(/g,
+    riskLevel: "aggressive",
+    category: "ux",
+    autoFixable: false,
+    aiPrompt: "Replace confirm() with a modern confirmation dialog component.",
+  },
+  
+  "browser-prompt": {
+    id: "browser-prompt",
+    name: "Browser prompt()",
+    description: "prompt() blocks the thread and has poor UX",
+    severity: "medium",
+    pattern: /\bprompt\s*\(/g,
+    riskLevel: "aggressive",
+    category: "ux",
+    autoFixable: false,
+    aiPrompt: "Replace prompt() with a modern input modal/dialog component.",
+  },
+
+  // ─────────────────────────────────────────────────────────────
+  // Dead code: Unused variables (basic detection)
+  // ─────────────────────────────────────────────────────────────
+  "unused-import": {
+    id: "unused-import",
+    name: "Potentially unused imports",
+    description: "Imports that may not be used in the file",
+    severity: "low",
+    pattern: {
+      type: "function",
+      fn: (content, filePath) => {
+        const matches = [];
+        
+        // Extract all imports
+        const importRegex = /import\s+(?:{([^}]+)}|(\w+))\s+from\s+['"][^'"]+['"]/g;
+        let match;
+        
+        while ((match = importRegex.exec(content)) !== null) {
+          const imports = match[1] || match[2];
+          if (!imports) continue;
+          
+          // Get individual import names
+          const names = imports.split(",").map(s => s.trim().split(/\s+as\s+/).pop().trim());
+          
+          for (const name of names) {
+            if (!name || name === "type") continue;
+            
+            // Count occurrences (excluding the import line itself)
+            const afterImport = content.substring(match.index + match[0].length);
+            const usageRegex = new RegExp(`\\b${name}\\b`, "g");
+            const usages = (afterImport.match(usageRegex) || []).length;
+            
+            if (usages === 0) {
+              matches.push({
+                index: match.index,
+                length: match[0].length,
+                match: `import { ${name} } appears unused`,
+                importName: name,
+              });
+            }
+          }
+        }
+        
+        return matches;
+      },
+    },
+    riskLevel: "aggressive",
+    category: "dead-code",
+    autoFixable: false,
+    aiPrompt: "This import appears to be unused. Remove it if not needed, or check if it's used for side effects.",
+  },
+  
+  // ─────────────────────────────────────────────────────────────
+  // Performance: Synchronous operations
+  // ─────────────────────────────────────────────────────────────
+  "sync-fs-operation": {
+    id: "sync-fs-operation",
+    name: "Synchronous fs operations",
+    description: "Sync fs operations block the event loop",
+    severity: "medium",
+    pattern: /(?:readFileSync|writeFileSync|appendFileSync|mkdirSync|rmdirSync|unlinkSync|copyFileSync|renameSync|existsSync|statSync|readdirSync)\s*\(/g,
+    riskLevel: "aggressive",
+    category: "performance",
+    autoFixable: false,
+    exclude: ["*.config.*", "*.test.*", "*.spec.*", "**/scripts/**", "**/bin/**"],
+    aiPrompt: "Replace synchronous fs operations with async versions (e.g., readFileSync -> readFile with await). Sync operations block the event loop.",
+  },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// RULE CATEGORIES
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const CATEGORIES = {
+  "debug-cleanup": {
+    name: "Debug Cleanup",
+    description: "Remove debug artifacts (console.log, debugger)",
+    icon: "🧹",
+  },
+  "error-handling": {
+    name: "Error Handling",
+    description: "Improve error handling patterns",
+    icon: "⚠️",
+  },
+  "dead-code": {
+    name: "Dead Code",
+    description: "Remove or flag unreachable/unused code",
+    icon: "💀",
+  },
+  "code-quality": {
+    name: "Code Quality",
+    description: "General code quality improvements",
+    icon: "✨",
+  },
+  "code-hygiene": {
+    name: "Code Hygiene",
+    description: "Code cleanliness and maintainability",
+    icon: "🧼",
+  },
+  "formatting": {
+    name: "Formatting",
+    description: "Whitespace and formatting cleanup",
+    icon: "📝",
+  },
+  "security": {
+    name: "Security",
+    description: "Security-related issues",
+    icon: "🔒",
+  },
+  "type-safety": {
+    name: "Type Safety",
+    description: "TypeScript type safety",
+    icon: "📊",
+  },
+  "logging": {
+    name: "Logging",
+    description: "Logging and observability",
+    icon: "📋",
+  },
+  "ux": {
+    name: "User Experience",
+    description: "UX-related issues",
+    icon: "👤",
+  },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// RISK LEVELS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+const RISK_LEVELS = {
+  safe: {
+    name: "Safe",
+    description: "Cannot change program behavior",
+    color: "green",
+    requiresConfirmation: false,
+  },
+  moderate: {
+    name: "Moderate",
+    description: "Generally safe, but worth reviewing",
+    color: "yellow",
+    requiresConfirmation: false,
+  },
+  aggressive: {
+    name: "Aggressive",
+    description: "Could change program behavior",
+    color: "red",
+    requiresConfirmation: true,
+  },
+};
+
+// ═══════════════════════════════════════════════════════════════════════════════
+// EXPORTS
+// ═══════════════════════════════════════════════════════════════════════════════
+
+module.exports = {
+  SAFE_RULES,
+  MODERATE_RULES,
+  AGGRESSIVE_RULES,
+  CATEGORIES,
+  RISK_LEVELS,
+  
+  // Convenience getters
+  getAllRules: () => ({ ...SAFE_RULES, ...MODERATE_RULES, ...AGGRESSIVE_RULES }),
+  getSafeRules: () => SAFE_RULES,
+  getModerateRules: () => MODERATE_RULES,
+  getAggressiveRules: () => AGGRESSIVE_RULES,
+  
+  getRuleById: (id) => {
+    return SAFE_RULES[id] || MODERATE_RULES[id] || AGGRESSIVE_RULES[id] || null;
+  },
+  
+  getRulesByCategory: (category) => {
+    const all = { ...SAFE_RULES, ...MODERATE_RULES, ...AGGRESSIVE_RULES };
+    return Object.values(all).filter(r => r.category === category);
+  },
+  
+  getRulesByRiskLevel: (level) => {
+    if (level === "safe") return Object.values(SAFE_RULES);
+    if (level === "moderate") return Object.values(MODERATE_RULES);
+    if (level === "aggressive") return Object.values(AGGRESSIVE_RULES);
+    return [];
+  },
+};