| CC-S1 function length | WARNING | Structure debt — not immediately broken |
| CC-S2 single responsibility | WARNING | Same class of issue as CC-S1 |
| CC-S3 abstraction levels | SUGGEST | Subtle and context-dependent |
| CC-N1 meaningful names | WARNING | Generic names accumulate into readability debt across the codebase |
| CC-N2 magic values | WARNING | Unexplained literals create silent maintenance hazards |
| CC-I1 parameter count | WARNING | Design smell — signals a missing abstraction |
| CC-I2 boolean trap | SUGGEST | Unreadable at call site but logic is correct |
| CC-H1 DRY | SUGGEST at 2 occurrences / WARNING at 3+ | Reviewer must count before assigning |
| CC-H2 dead code | WARNING | Misleads readers, pollutes git blame |
| CC-H3 premature abstraction | WARNING | Directly violates CLAUDE.md: "Don't create helpers for one-time operations" |
| CC-F1 component size | WARNING | Monolithic components block reuse and testing |
| CC-F2 props interface | WARNING | Over-coupled components indicate decomposition is needed |
| CC-F3 logic extraction | SUGGEST | Logic in render functions works but is harder to test |
| CC-NS1 unguarded nullable access | BLOCKER | Directly causes TypeError/AttributeError/nil pointer dereference in production |
| CC-NS2 non-null assertion | WARNING | Bypasses the type system — generated code must not use it |
| CC-NS3 undeclared nullable return | WARNING | Callers cannot write safe code against undeclared nullable returns |
| CC-NS4 unguarded collection access | BLOCKER | Index out of bounds / undefined on empty collections crashes in production |
| CC-NS5 unvalidated external data | BLOCKER | Malformed external data causes crashes or silent data corruption |
| CC-NS6 null swallowed in service | WARNING | Hides absence from caller — leads to wrong-data bugs |
| CC-AS1 unawaited promise | BLOCKER | Silent failure — errors swallowed and operations silently skip |
| CC-AS2 mixed async styles | WARNING | Confusing control flow and inconsistent error propagation |
| CC-AS3 async error swallowed | BLOCKER | Caller cannot detect failure — same production impact as CR-E1 |
| CC-AS4 parallel state mutation | WARNING | Non-deterministic results; data races in non-JS runtimes |
| CC-AS5 no timeout on external call | WARNING | Hangs indefinitely under network partition or slow dependency |
| CC-IV1 unvalidated request body | BLOCKER | Type confusion, panics, or injection when unvalidated fields reach DB or logic |
| CC-IV2 unvalidated path/query params | BLOCKER | Type coercion failures, invalid DB queries, injection via malformed IDs |
| CC-IV3 unsanitised string inputs | WARNING | Length violations cause DB errors; unsanitised HTML output is XSS |
| CC-IV4 unvalidated env vars | WARNING | Config errors surface at runtime, not at startup |
| CC-IV5 unknown fields passed through | WARNING | Mass-assignment risk — escalates to BLOCKER if ORM binds the full body |
| CC-CS1 mutable loop variable capture | BLOCKER | All closures reference the same final value — silent logic error |
| CC-CS2 stale closure in React state | WARNING | Non-deterministic state updates under rapid interaction |
| CC-CS3 unprotected shared mutable state | WARNING | Safe in Node.js but data race in Go/.NET/Python threaded contexts |
| CC-CS4 non-atomic paired reads | WARNING | TOCTOU window — accept or mitigate with a single atomic query |
| CC-CS5 non-idempotent mutation | WARNING | Duplicate charges/records under retry — escalates to BLOCKER for payments |