+ 
+
+
+
+
+
+
+
+
+
+ Full transcript text...
+The French word for hello is bonjour.
+``` + +### Consistent navigation (3.2.3) + +```html + + +``` + +### Form labels (3.3.2) + +```html + + + + + + + + + + + + + ++ Must be at least 8 characters with one number. +
+``` + +### Error handling (3.3.1, 3.3.3) + +```html + + +``` + +```javascript +// Focus first error on submit +form.addEventListener('submit', (e) => { + const firstError = form.querySelector('[aria-invalid="true"]'); + if (firstError) { + e.preventDefault(); + firstError.focus(); + + // Announce error summary + const errorSummary = document.getElementById('error-summary'); + errorSummary.textContent = `${errors.length} errors found. Please fix them and try again.`; + errorSummary.focus(); + } +}); +``` + +--- + +## Robust + +### Valid HTML (4.1.1) + +```html + +We'll never share your email.
+``` + +### Error states +```html + + +Please enter a valid email address.
+``` + +### Navigation +```html + +``` + +### Modals +```html + # Custom browser executable
+agent-browser --extension 
+
+
+
+
+
+
+
+
+```
+
+**HSTS Header:**
+```
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+```
+
+### Content Security Policy (CSP)
+
+```html
+
+
+
+
+```
+
+**CSP Header (recommended):**
+```
+Content-Security-Policy:
+ default-src 'self';
+ script-src 'self' 'nonce-abc123' https://trusted.com;
+ style-src 'self' 'nonce-abc123';
+ img-src 'self' data: https:;
+ connect-src 'self' https://api.example.com;
+ frame-ancestors 'self';
+ base-uri 'self';
+ form-action 'self';
+```
+
+**Using nonces for inline scripts:**
+```html
+
+```
+
+### Security headers
+
+```
+# Prevent clickjacking
+X-Frame-Options: DENY
+
+# Prevent MIME type sniffing
+X-Content-Type-Options: nosniff
+
+# Enable XSS filter (legacy browsers)
+X-XSS-Protection: 1; mode=block
+
+# Control referrer information
+Referrer-Policy: strict-origin-when-cross-origin
+
+# Permissions policy (formerly Feature-Policy)
+Permissions-Policy: geolocation=(), microphone=(), camera=()
+```
+
+### No vulnerable libraries
+
+```bash
+# Check for vulnerabilities
+npm audit
+yarn audit
+
+# Auto-fix when possible
+npm audit fix
+
+# Check specific package
+npm ls lodash
+```
+
+**Keep dependencies updated:**
+```json
+// package.json
+{
+ "scripts": {
+ "audit": "npm audit --audit-level=moderate",
+ "update": "npm update && npm audit fix"
+ }
+}
+```
+
+**Known vulnerable patterns to avoid:**
+```javascript
+// ❌ Prototype pollution vulnerable patterns
+Object.assign(target, userInput);
+_.merge(target, userInput);
+
+// ✅ Safer alternatives
+const safeData = JSON.parse(JSON.stringify(userInput));
+```
+
+### Input sanitization
+
+```javascript
+// ❌ XSS vulnerable
+element.innerHTML = userInput;
+document.write(userInput);
+
+// ✅ Safe text content
+element.textContent = userInput;
+
+// ✅ If HTML needed, sanitize
+import DOMPurify from 'dompurify';
+element.innerHTML = DOMPurify.sanitize(userInput);
+```
+
+### Secure cookies
+
+```javascript
+// ❌ Insecure cookie
+document.cookie = "session=abc123";
+
+// ✅ Secure cookie (server-side)
+Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/
+```
+
+---
+
+## Browser compatibility
+
+### Doctype declaration
+
+```html
+
+
+
+
+
+
+
+```
+
+### Character encoding
+
+```html
+
+
+
+
+
+
+
+
+
+
+
+
+Item
+
+
+
+Click
+```
+
+### Semantic HTML
+
+```html
+
+
+
+
+
+
+
+
+
+
+Headline
+ Headline
+ 
+
+
+
+
+
+
+
+
+```
+
+---
+
+## Permissions & privacy
+
+### Request permissions properly
+
+```javascript
+// ❌ Request on page load (bad UX, often denied)
+navigator.geolocation.getCurrentPosition(success, error);
+
+// ✅ Request in context, after user action
+findNearbyButton.addEventListener('click', async () => {
+ // Explain why you need it
+ if (await showPermissionExplanation()) {
+ navigator.geolocation.getCurrentPosition(success, error);
+ }
+});
+```
+
+### Permissions policy
+
+```html
+
+
+
+
+
+```
+
+---
+
+## Audit checklist
+
+### Security (critical)
+- [ ] HTTPS enabled, no mixed content
+- [ ] No vulnerable dependencies (`npm audit`)
+- [ ] CSP headers configured
+- [ ] Security headers present
+- [ ] No exposed source maps
+
+### Compatibility
+- [ ] Valid HTML5 doctype
+- [ ] Charset declared first in head
+- [ ] Viewport meta tag present
+- [ ] No deprecated APIs used
+- [ ] Passive event listeners for scroll/touch
+
+### Code quality
+- [ ] No console errors
+- [ ] Valid HTML (no duplicate IDs)
+- [ ] Semantic HTML elements used
+- [ ] Proper error handling
+- [ ] Memory cleanup in components
+
+### UX
+- [ ] No intrusive interstitials
+- [ ] Permission requests in context
+- [ ] Clear error messages
+- [ ] Appropriate image aspect ratios
+
+## Tools
+
+| Tool | Purpose |
+|------|---------|
+| `npm audit` | Dependency vulnerabilities |
+| [SecurityHeaders.com](https://securityheaders.com) | Header analysis |
+| [W3C Validator](https://validator.w3.org) | HTML validation |
+| Lighthouse | Best practices audit |
+| [Observatory](https://observatory.mozilla.org) | Security scan |
+
+## References
+
+- [MDN Web Security](https://developer.mozilla.org/en-US/docs/Web/Security)
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [Web Quality Audit](../web-quality-audit/SKILL.md)
diff --git a/src/resources/skills/code-optimizer/SKILL.md b/src/resources/skills/code-optimizer/SKILL.md
new file mode 100644
index 000000000..1e955db5c
--- /dev/null
+++ b/src/resources/skills/code-optimizer/SKILL.md
@@ -0,0 +1,160 @@
+---
+name: code-optimizer
+description: >
+ Deep code optimization audit using parallel specialist agents. Each agent hunts for performance
+ anti-patterns, inefficiencies, and suboptimal code using pattern-based detection (Grep/Glob)
+ WITHOUT reading the full source code first — avoiding anchoring bias on existing implementations.
+ Covers ALL optimization domains: database queries, memory leaks, algorithmic complexity,
+ concurrency, bundle size, dead code, I/O & network, rendering/UI, data structures,
+ error handling, caching, build config, security-performance, logging, and infrastructure.
+ Use when asked to: "optimize my code", "find performance issues", "audit code quality",
+ "speed up my app", "find bottlenecks", "code review for performance", "find anti-patterns",
+ "improve code efficiency", "reduce latency", "optimize performance", "code smell detection",
+ "find slow code", "optimize this project", "performance audit", "code optimization".
+ Also triggers on: "optimizar codigo", "encontrar cuellos de botella", "mejorar rendimiento".
+---
+
+# Code Optimizer
+
+Parallel multi-agent code optimization audit. Spawn 13 specialist agents simultaneously, each
+hunting for a different class of performance problem using pattern-based detection.
+
+## Critical Principle: No Code Reading Before Analysis
+
+Agents MUST NOT read source files before searching for patterns. Reading the code first causes
+anchoring bias — the agent accepts the existing implementation as "reasonable" and misses
+better alternatives. Instead, each agent:
+
+1. Read its assigned reference file from `references/` to load detection patterns
+2. Use Grep/Glob to scan the codebase for anti-patterns
+3. For each finding, ONLY THEN read the surrounding context (5-10 lines) to confirm the issue
+4. Propose the optimal solution based on best practices, NOT based on the existing code
+
+## Workflow
+
+### Step 1: Detect Stack
+
+Use Glob to identify the project's tech stack:
+- `**/package.json` → Node.js/JS/TS (check for React, Next.js, Express, etc.)
+- `**/requirements.txt`, `**/pyproject.toml`, `**/setup.py` → Python
+- `**/go.mod` → Go
+- `**/Cargo.toml` → Rust
+- `**/pom.xml`, `**/build.gradle` → Java
+- `**/Gemfile` → Ruby
+- `**/Dockerfile` → Docker
+- `**/*.sql` → SQL
+- `**/webpack.config.*`, `**/vite.config.*`, `**/tsconfig.json` → Build tools
+
+### Step 2: Spawn 13 Parallel Agents
+
+Launch ALL agents simultaneously using the Agent tool. Each agent receives:
+- Its domain name and reference file path
+- The detected tech stack (so it can focus on relevant patterns)
+- The project root path
+- Instructions to NOT read code files, only Grep/Glob for patterns
+
+**Agent definitions** (spawn all 13 in a single message):
+
+| # | Agent Name | Reference File | Focus |
+|---|-----------|----------------|-------|
+| 1 | Database & Queries | `references/database-queries.md` | N+1 queries, SELECT *, missing indexes, ORM misuse, connection pooling |
+| 2 | Memory & Resources | `references/memory-resources.md` | Memory leaks, unclosed resources, large allocations, string concat in loops |
+| 3 | Algorithmic Complexity | `references/algorithmic-complexity.md` | O(n^2) patterns, unnecessary iterations, wrong data structures for lookups |
+| 4 | Concurrency & Async | `references/concurrency-async.md` | Sequential awaits, blocking in async, race conditions, unbounded concurrency |
+| 5 | Bundle & Dependencies | `references/bundle-dependencies.md` | Heavy imports, unused deps, duplicate libs, missing lazy loading |
+| 6 | Dead Code & Redundancy | `references/dead-code-redundancy.md` | Unused exports, commented code, dead branches, duplicate logic |
+| 7 | I/O & Network | `references/io-network.md` | Sequential requests, missing batching, no dedup, missing compression |
+| 8 | Rendering & UI | `references/rendering-ui.md` | Re-renders, missing virtualization, layout thrashing, animation perf |
+| 9 | Data Structures | `references/data-structures.md` | Wrong structures, unnecessary copies, inefficient serialization |
+| 10 | Error & Resilience | `references/error-resilience.md` | Missing timeouts, swallowed errors, no retries, no circuit breakers |
+| 11 | Caching & Memoization | `references/caching-memoization.md` | Missing memoization, cache without invalidation, redundant API calls |
+| 12 | Build & Compilation | `references/build-compilation.md` | Dev code in prod, missing optimization flags, slow tests, Docker issues |
+| 13 | Security-Performance | `references/security-performance.md` | Crypto misuse, missing rate limiting, ReDoS, SQL injection vectors |
+
+**Optional agents** (spawn if relevant to detected stack):
+- Logging & Observability (`references/logging-observability.md`) — if logging framework detected
+- Config & Infrastructure (`references/config-infra.md`) — if Docker/deployment config detected
+
+### Agent Prompt Template
+
+Each agent MUST receive this prompt structure:
+
+```
+You are a {DOMAIN_NAME} optimization specialist. Your job is to find performance
+anti-patterns in the codebase at {PROJECT_ROOT}.
+
+CRITICAL RULES:
+1. DO NOT read source code files before searching. This avoids anchoring bias.
+2. First, read your reference file: {SKILL_DIR}/references/{REFERENCE_FILE}
+3. Use Grep and Glob to search for the patterns described in the reference file.
+4. Only read 5-10 lines of context around each finding to confirm it's a real issue.
+5. Skip patterns that don't match the project's stack: {DETECTED_STACK}
+
+Tech stack detected: {DETECTED_STACK}
+Project root: {PROJECT_ROOT}
+
+For each finding, report:
+- **File**: path:line_number
+- **Pattern**: what anti-pattern was detected
+- **Severity**: CRITICAL / HIGH / MEDIUM / LOW
+- **Current code**: the problematic snippet (keep short)
+- **Why it's slow**: brief explanation of the performance impact
+- **Optimal fix**: the recommended solution (code snippet or approach)
+- **Estimated impact**: qualitative improvement expected (e.g., "10x faster for large lists")
+
+If you find 0 issues in your domain, report "No issues found" — this is a valid outcome.
+Sort findings by severity (CRITICAL first).
+```
+
+### Step 3: Consolidate Report
+
+After all agents complete, consolidate their findings into a single prioritized report:
+
+1. Collect all findings from all agents
+2. Deduplicate (different agents may flag the same code for different reasons)
+3. Sort by severity: CRITICAL > HIGH > MEDIUM > LOW
+4. Group by file (so the user can fix file-by-file)
+5. Present the final report with:
+ - Executive summary: total findings by severity, top 3 most impactful
+ - Detailed findings table grouped by file
+ - Improvement plan: ordered list of fixes from highest to lowest impact
+
+### Report Format
+
+```markdown
+# Code Optimization Audit Report
+
+## Executive Summary
+- **X** critical issues, **Y** high, **Z** medium, **W** low
+- Top 3 highest-impact fixes:
+ 1. [brief description] — [estimated impact]
+ 2. [brief description] — [estimated impact]
+ 3. [brief description] — [estimated impact]
+
+## Findings by File
+
+### `path/to/file.ts`
+
+| # | Severity | Domain | Pattern | Fix | Impact |
+|---|----------|--------|---------|-----|--------|
+| 1 | CRITICAL | Database | N+1 query in loop | Use prefetch_related | 50x fewer queries |
+| 2 | HIGH | Async | Sequential awaits | Use Promise.all | 3x faster |
+
+[... for each file with findings ...]
+
+## Improvement Plan
+
+Priority-ordered steps to implement the fixes:
+
+1. **[CRITICAL] Fix N+1 queries in `api/users.py`**
+ - Current: loop queries user.posts for each user
+ - Fix: add prefetch_related('posts') to queryset
+ - Impact: reduces N+1 to 2 queries
+
+2. **[HIGH] Parallelize API calls in `services/sync.ts`**
+ - Current: 5 sequential await fetch() calls
+ - Fix: Promise.all([fetch1, fetch2, ...])
+ - Impact: ~5x faster sync operation
+
+[... continue for all findings ...]
+```
diff --git a/src/resources/skills/code-optimizer/references/algorithmic-complexity.md b/src/resources/skills/code-optimizer/references/algorithmic-complexity.md
new file mode 100644
index 000000000..206b301df
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/algorithmic-complexity.md
@@ -0,0 +1,66 @@
+# Algorithmic Complexity
+
+## Grep/Glob Patterns to Detect
+
+### O(n^2) and Worse Patterns
+```
+# Nested loops over same/related collections
+for.*in.*\n.*for.*in (nested for loops)
+\.forEach\(.*\.forEach\( (nested forEach)
+\.map\(.*\.map\( (nested map)
+\.filter\(.*\.includes\( (filter+includes = O(n*m))
+\.find\(.*inside.*\.map\( (find inside map)
+\.indexOf\(.*inside.*for (indexOf in loop)
+\.includes\(.*inside.*for (includes in loop)
+# Array as lookup table
+array\.find\(.*=== (use Map/Set instead)
+array\.some\(.*=== (use Set.has instead)
+list\.index\( (Python: use dict instead)
+if.*in\s+list (Python: O(n) lookup in list)
+```
+
+### Unnecessary Iterations
+```
+\.filter\(.*\.length (filter just to count)
+\.filter\(.*\[0\] (filter just to get first - use find)
+\.map\(.*\.filter\( (map then filter - combine or reverse order)
+\.filter\(.*\.map\(.*\.filter (multiple passes when one suffices)
+\.sort\(\).*\[0\] (sort to get min/max - use Math.min/max or reduce)
+\.sort\(\).*\.slice\(0 (sort to get top-k - use partial sort/heap)
+sorted\(.*\)\[0\] (Python: use min() instead)
+sorted\(.*\)\[-1\] (Python: use max() instead)
+\.reverse\(\).*\.forEach (reverse just to iterate backwards)
+Object\.keys\(.*\.map\(.*Object\.values (iterating keys then accessing values)
+```
+
+### Redundant Computation
+```
+# Same computation in loop
+for.*\n.*Math\. (math operations that could be hoisted)
+for.*\n.*\.length (accessing .length repeatedly - may be fine, check)
+for.*\n.*document\.querySelector (DOM queries in loops)
+for.*\n.*JSON\.parse (parsing same JSON repeatedly)
+for.*\n.*new RegExp\( (creating regex in loop)
+for.*\n.*new Date\( (creating Date objects in loop for same date)
+```
+
+### Inefficient Data Structure Choice
+```
+# Using arrays where Set/Map would be better
+\.push\(.*\.includes\( (array as unique set)
+\.filter\(.*\.indexOf\( (dedup with filter+indexOf)
+\[\].*\.find\( (array for lookups)
+# Using objects where Map would be better
+\{\}.*\[.*\]\s*= (frequent dynamic key insertion)
+delete.*\[ (frequent key deletion from object)
+```
+
+## Improvement Strategies
+
+1. **Nested loops**: Pre-build lookup Map/Set, use hash-based approaches
+2. **Filter+includes**: Convert one collection to Set for O(1) lookups
+3. **Sort for min/max**: Use Math.min/max, reduce, or heap for top-k
+4. **Multiple passes**: Combine into single reduce/loop
+5. **Redundant computation**: Hoist invariants out of loops, memoize
+6. **Array as lookup**: Use Map for key-value, Set for existence checks
+7. **String matching in loops**: Pre-compile regex, use Map for exact matches
diff --git a/src/resources/skills/code-optimizer/references/build-compilation.md b/src/resources/skills/code-optimizer/references/build-compilation.md
new file mode 100644
index 000000000..d35f598b8
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/build-compilation.md
@@ -0,0 +1,90 @@
+# Build & Compilation Optimization
+
+## Grep/Glob Patterns to Detect
+
+### Unoptimized Build Config
+```
+# Webpack
+mode:\s*['"]development['"] (dev mode in production build)
+devtool:\s*['"]source-map['"] (full source maps in production)
+devtool:\s*['"]eval (eval source maps in production)
+# No code splitting
+splitChunks.*false (code splitting disabled)
+# No minification
+minimize:\s*false (minification disabled)
+# Missing tree shaking
+sideEffects.*true (prevents tree shaking)
+```
+
+### Development-Only Code in Production
+```
+console\.log\( (debug logging)
+console\.debug\( (debug logging)
+console\.trace\( (trace logging)
+debugger; (debugger statement)
+\.only\( (test.only left in)
+\.skip\( (test.skip left in)
+if\s*\(.*process\.env\.NODE_ENV.*development (dev-only code)
+__DEV__ (React Native dev flag)
+```
+
+### Missing Optimization Flags
+```
+# TypeScript
+"strict":\s*false (strict mode disabled)
+"skipLibCheck":\s*false (slow lib checking)
+"incremental":\s*false (no incremental compilation)
+# Python
+python\s+-O (check if optimized flag used)
+__debug__ (debug-only code)
+# Docker
+FROM.*:latest (unpinned base image)
+RUN.*pip install(?!.*--no-cache) (pip without --no-cache-dir)
+RUN.*npm install(?!.*--production) (npm install without --production)
+COPY\s+\.\s+\. (copying entire context)
+```
+
+### Large/Slow Imports at Startup
+```
+# Top-level heavy imports that could be lazy
+import.*tensorflow (heavy ML library at top)
+import.*pandas (heavy data library at top)
+import.*matplotlib (heavy viz library at top)
+import.*scipy (heavy math library at top)
+from.*import\s+\* (wildcard imports slow startup)
+# Circular imports
+ImportError.*circular (circular import errors)
+```
+
+### Missing Caching in CI/CD
+```
+# No caching steps
+npm install(?!.*cache) (npm install without cache)
+pip install(?!.*cache) (pip install without cache)
+go build(?!.*cache) (go build without cache)
+docker build(?!.*cache) (docker build without layer cache)
+```
+
+### Slow Test Suite
+```
+# Real I/O in tests
+fetch\(.*test (real network calls in tests)
+requests\.\w+\(.*test (real HTTP in Python tests)
+open\(.*test (real file I/O in tests)
+# No test parallelization
+--runInBand (Jest sequential mode)
+-p no:xdist (pytest parallelization disabled)
+# Heavy setup/teardown
+beforeAll.*database (real DB setup in tests)
+setUp.*database (real DB in Python tests)
+```
+
+## Improvement Strategies
+
+1. **Build config**: Ensure production mode, minification, tree shaking, code splitting
+2. **Dev code**: Strip console.log/debugger via build plugin (e.g., babel-plugin-transform-remove-console)
+3. **TypeScript**: Enable strict, incremental, skipLibCheck for faster builds
+4. **Docker**: Multi-stage builds, .dockerignore, layer caching, pinned versions
+5. **Lazy imports**: Move heavy imports to function scope where they're needed
+6. **CI caching**: Cache node_modules, pip cache, go build cache, Docker layers
+7. **Test speed**: Mock I/O, run tests in parallel, use in-memory DBs for integration tests
diff --git a/src/resources/skills/code-optimizer/references/bundle-dependencies.md b/src/resources/skills/code-optimizer/references/bundle-dependencies.md
new file mode 100644
index 000000000..5e36edab5
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/bundle-dependencies.md
@@ -0,0 +1,82 @@
+# Bundle Size & Dependencies
+
+## Grep/Glob Patterns to Detect
+
+### Heavy Imports
+```
+import\s+\w+\s+from\s+['"]lodash['"] (full lodash import vs lodash/specific)
+import\s+\w+\s+from\s+['"]moment['"] (moment.js - use date-fns/dayjs)
+import\s+\w+\s+from\s+['"]underscore['"] (underscore - mostly native now)
+import\s+\*\s+as (wildcard imports prevent tree-shaking)
+require\(['"]lodash['"]\) (CJS lodash import)
+from\s+pandas\s+import\s+\* (full pandas import)
+import\s+tensorflow (full TF import)
+import\s+boto3 (full AWS SDK)
+```
+
+### Unused Dependencies
+```
+# Check package.json dependencies vs actual imports
+# Check requirements.txt vs actual imports
+# Check go.mod vs actual imports
+import.*from.*['"](\w+)['"] (cross-reference with package.json)
+```
+
+### Duplicate Functionality
+```
+# Multiple date libraries
+moment.*\n.*date-fns (both moment and date-fns)
+moment.*\n.*dayjs (both moment and dayjs)
+# Multiple HTTP clients
+axios.*\n.*node-fetch (both axios and fetch)
+axios.*\n.*got (both axios and got)
+# Multiple utility libraries
+lodash.*\n.*underscore (both lodash and underscore)
+# Multiple state managers
+redux.*\n.*mobx (both redux and mobx)
+zustand.*\n.*jotai (multiple state libs)
+```
+
+### Dev Dependencies in Production
+```
+# devDependencies imported in src/
+import.*from.*['"](@testing|jest|mocha|chai|sinon|cypress|storybook)
+# Debug/test code in production
+console\.log\(
+console\.debug\(
+debugger;
+\.only\( (test.only left in)
+```
+
+### Dynamic Imports Missing
+```
+# Large components imported statically that could be lazy
+import.*Modal (modals are great candidates for lazy loading)
+import.*Chart (charts are heavy)
+import.*Editor (rich editors are heavy)
+import.*PDF (PDF libs are heavy)
+import.*Map (map components are heavy)
+# Route-level components not lazy loaded
+import.*Page.*from (page components should often be lazy)
+```
+
+### Large Assets
+```
+# Check for unoptimized assets
+\.png['"] (check if could be webp/avif)
+\.jpg['"] (check if could be webp/avif)
+\.gif['"] (check if could be video/webp)
+\.svg['"].*import (SVGs imported as modules - check size)
+base64 (inline base64 assets)
+data:image (inline images)
+```
+
+## Improvement Strategies
+
+1. **Lodash**: Use `lodash-es/specific` or native equivalents (Array.find, Object.entries, etc.)
+2. **Moment.js**: Replace with date-fns or dayjs (10x smaller)
+3. **Wildcard imports**: Use named imports for tree-shaking
+4. **Unused deps**: Remove from package.json/requirements.txt
+5. **Dynamic imports**: Use React.lazy/import() for heavy, below-fold components
+6. **Images**: Convert to WebP/AVIF, use responsive srcset, lazy load below-fold
+7. **Duplicate libs**: Consolidate to one library per concern
diff --git a/src/resources/skills/code-optimizer/references/caching-memoization.md b/src/resources/skills/code-optimizer/references/caching-memoization.md
new file mode 100644
index 000000000..973ffca9b
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/caching-memoization.md
@@ -0,0 +1,76 @@
+# Caching & Memoization
+
+## Grep/Glob Patterns to Detect
+
+### Missing Memoization
+```
+# Expensive computations without caching
+def\s+\w+\(.*\).*:\s*\n.*for.*for (Python: expensive function without @lru_cache)
+function\s+\w+\(.*\).*\{.*for.*for (JS: expensive function without memoization)
+# React missing useMemo/useCallback
+const\s+\w+\s*=\s*\w+\.filter\( (derived data on every render)
+const\s+\w+\s*=\s*\w+\.map\( (derived data on every render)
+const\s+\w+\s*=\s*\w+\.reduce\( (derived data on every render)
+const\s+\w+\s*=\s*\w+\.sort\( (sorting on every render)
+# Same computation called multiple times
+(\w+)\(same_args\).*\1\(same_args\) (same function, same args, called twice)
+```
+
+### Cache Without Invalidation
+```
+cache\s*=\s*\{\} (cache without TTL or max size)
+_cache\s*=\s*\{\} (module cache without eviction)
+memo\s*=\s*\{\} (memo without invalidation)
+\.cache\s*=\s*\{\} (instance cache without cleanup)
+CACHE_TTL.*=.*(?:86400|3600.*24) (very long TTL - stale data risk)
+```
+
+### Redundant API/DB Calls
+```
+# Same query executed multiple times
+\.query\(.*same.*\.query\( (duplicate queries)
+fetch\(['"]same_url['"]\).*fetch\( (duplicate fetches)
+# No SWR/stale-while-revalidate
+useEffect\(.*fetch\(.*\[\] (fetch on every mount without caching)
+useEffect\(.*axios\.\w+\(.*\[\] (API call on every mount)
+componentDidMount.*fetch (fetch without caching layer)
+```
+
+### Over-Caching
+```
+# Caching things that change frequently
+cache.*user.*session (caching session-specific data)
+cache.*real.?time (caching real-time data)
+cache.*current.*time (caching time-dependent data)
+# Caching large objects
+cache\[.*\]\s*=\s*.*large (large objects in cache)
+```
+
+### Missing HTTP Caching
+```
+# API responses without cache headers
+res\.json\( (check if Cache-Control is set)
+return\s+Response\( (check if cache headers are set)
+return\s+JsonResponse\( (Django: check cache headers)
+# Static assets without long cache
+express\.static\( (check maxAge setting)
+nginx.*location.*static (check expires/cache-control)
+```
+
+### Computed Properties Recalculated
+```
+# Getters that compute on every access
+get\s+\w+\(\)\s*\{.*return.*\.filter (getter computing on each access)
+get\s+\w+\(\)\s*\{.*return.*\.map (getter computing on each access)
+@property\s*\n\s*def.*\n.*for (Python property computing in loop)
+```
+
+## Improvement Strategies
+
+1. **Memoization**: Use @lru_cache (Python), useMemo/useCallback (React), _.memoize (JS)
+2. **Cache invalidation**: Always set TTL and max size; prefer LRU eviction
+3. **API caching**: Use SWR/React Query for client, Redis/Memcached for server
+4. **HTTP caching**: Set Cache-Control headers, use ETags, stale-while-revalidate
+5. **Computed properties**: Cache results with dirty flag or use memoized selectors (reselect)
+6. **Request deduplication**: Deduplicate identical in-flight requests
+7. **Multi-level cache**: L1 (in-memory) -> L2 (Redis) -> L3 (DB) for read-heavy workloads
diff --git a/src/resources/skills/code-optimizer/references/concurrency-async.md b/src/resources/skills/code-optimizer/references/concurrency-async.md
new file mode 100644
index 000000000..7e929cb9f
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/concurrency-async.md
@@ -0,0 +1,80 @@
+# Concurrency & Async Patterns
+
+## Grep/Glob Patterns to Detect
+
+### Sequential Async (Should Be Parallel)
+```
+await.*\n.*await.*\n.*await (multiple sequential awaits that could be parallel)
+for.*await (sequential await in loop)
+\.then\(.*\.then\(.*\.then\( (promise chain that could be Promise.all)
+# Python
+await.*\n.*await.*\n.*await (sequential awaits)
+for.*in.*:\n.*await (await in loop)
+```
+
+### Missing Parallelization
+```
+# Should use Promise.all / asyncio.gather
+fetch\(.*\n.*fetch\( (sequential fetches)
+axios\.\w+\(.*\n.*axios\. (sequential HTTP calls)
+requests\.\w+\(.*\n.*requests\. (Python sequential requests)
+```
+
+### Blocking Operations in Async Context
+```
+# Node.js sync operations in async code
+fs\.readFileSync (blocking file read)
+fs\.writeFileSync (blocking file write)
+fs\.existsSync (blocking existence check)
+child_process\.execSync (blocking exec)
+\.readFileSync\( (any sync file operation)
+# Python blocking in async
+time\.sleep\( (use asyncio.sleep instead)
+requests\. (use aiohttp/httpx instead)
+open\(.*\.read\(\) (use aiofiles instead)
+os\.path\.exists (use aio equivalent)
+```
+
+### Race Conditions & Thread Safety
+```
+# Shared mutable state
+global\s+\w+.*= (Python global mutation)
+threading\.Thread.*shared (shared state across threads)
+# Missing locks
+\.append\(.*thread (list append without lock)
+\+=.*without.*lock (increment without lock)
+# JavaScript
+let\s+\w+.*=.*\n.*async (mutable let used in async)
+```
+
+### Unbounded Concurrency
+```
+# No concurrency limit
+\.map\(.*fetch (unbounded parallel fetches)
+\.map\(.*axios (unbounded parallel requests)
+Promise\.all\(.*\.map\( (all items in parallel, no limit)
+asyncio\.gather\(.*for (all coroutines at once)
+# Missing backpressure
+while.*true.*await (infinite async loop without backpressure)
+```
+
+### Error Handling in Async
+```
+# Unhandled rejections
+\.then\(.*without.*\.catch (promise without catch)
+async.*without.*try.*catch (async without error handling)
+# Swallowed errors
+catch\s*\(\s*\)\s*\{ (empty catch block)
+except:\s*$ (bare except)
+except\s+Exception\s*:.*pass (catch-all with pass)
+```
+
+## Improvement Strategies
+
+1. **Sequential awaits**: Use Promise.all/allSettled, asyncio.gather for independent operations
+2. **Await in loops**: Batch with Promise.all or use p-limit for controlled concurrency
+3. **Blocking in async**: Replace sync APIs with async equivalents
+4. **Race conditions**: Use locks, atomic operations, or immutable patterns
+5. **Unbounded concurrency**: Use semaphores, p-limit, connection pools
+6. **Error handling**: Always catch async errors, use Promise.allSettled for partial failure tolerance
+7. **Backpressure**: Use queues, streaming, or batching for producer-consumer patterns
diff --git a/src/resources/skills/code-optimizer/references/config-infra.md b/src/resources/skills/code-optimizer/references/config-infra.md
new file mode 100644
index 000000000..e37a95800
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/config-infra.md
@@ -0,0 +1,71 @@
+# Configuration & Infrastructure Inefficiencies
+
+## Grep/Glob Patterns to Detect
+
+### Missing Connection Pooling
+```
+# New connection per request
+create_engine\(.*(?!.*pool) (SQLAlchemy without pool config)
+new Pool\(.*(?!.*max) (pg Pool without max connections)
+mongoose\.connect\(.*(?!.*pool) (Mongoose without pool)
+DriverManager\.getConnection\( (Java: new connection per call)
+psycopg2\.connect\(.*(?!.*pool) (psycopg2 without pool)
+redis\.createClient\(.*per.*request (new Redis client per request)
+```
+
+### Missing Environment-Based Config
+```
+hardcoded.*url (hardcoded URLs)
+['"]http://localhost (hardcoded localhost URLs)
+['"]127\.0\.0\.1 (hardcoded localhost IPs)
+password\s*=\s*['"] (hardcoded passwords)
+api.?key\s*=\s*['"] (hardcoded API keys)
+secret\s*=\s*['"] (hardcoded secrets)
+port\s*=\s*\d{4} (hardcoded port numbers)
+```
+
+### Missing Process Management
+```
+# Single-threaded Node.js without clustering
+app\.listen\(.*(?!.*cluster) (Node without cluster module)
+# Python without proper WSGI/ASGI workers
+\.run\(.*debug=True (Flask debug mode)
+uvicorn\.run\(.*workers=1 (single worker)
+gunicorn.*-w\s*1\b (single gunicorn worker)
+```
+
+### Docker/Container Issues
+```
+FROM.*:latest (unpinned image version)
+RUN.*apt-get.*&&.*apt-get (check if apt cache is cleaned)
+COPY\s+\.\s+\. (copying entire context - no .dockerignore)
+RUN.*npm install\b(?!.*--production) (installing devDeps in production)
+RUN.*pip install\b(?!.*--no-cache) (pip without cache clearing)
+# Multiple RUN commands that should be combined
+RUN.*\nRUN.*\nRUN (multiple RUN layers)
+```
+
+### Missing Health Checks
+```
+# Services without health endpoints
+app\.(listen|start)\(.*(?!.*health) (server without health check)
+# Docker without HEALTHCHECK
+Dockerfile.*(?!.*HEALTHCHECK) (Dockerfile without health check)
+```
+
+### Inefficient Polling
+```
+setInterval\(.*fetch (polling instead of WebSocket/SSE)
+setInterval\(.*axios (polling instead of push)
+while.*sleep.*fetch (polling loop)
+time\.sleep\(.*requests (Python: polling with sleep)
+```
+
+## Improvement Strategies
+
+1. **Connection pooling**: Configure pool_size, max_overflow, pool_recycle
+2. **Environment config**: Use .env files, config libraries, never hardcode secrets
+3. **Process management**: Use cluster mode (Node), multiple workers (Python ASGI/WSGI)
+4. **Docker**: Multi-stage builds, .dockerignore, combine RUN layers, pin versions
+5. **Health checks**: Add /health endpoint, Docker HEALTHCHECK, readiness/liveness probes
+6. **Polling -> Push**: Use WebSocket, SSE, or long-polling instead of interval polling
diff --git a/src/resources/skills/code-optimizer/references/data-structures.md b/src/resources/skills/code-optimizer/references/data-structures.md
new file mode 100644
index 000000000..f09191575
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/data-structures.md
@@ -0,0 +1,80 @@
+# Data Structures & Serialization
+
+## Grep/Glob Patterns to Detect
+
+### Wrong Data Structure for the Job
+```
+# Array used for frequent lookups (should be Map/Set/dict)
+\.find\(.*=== (linear search - use Map)
+\.findIndex\(.*=== (linear search for index)
+\.includes\(.*inside.*loop (O(n) lookup in loop)
+\.indexOf\(.*inside.*loop (O(n) lookup in loop)
+if.*in\s+\[ (Python: list membership test)
+list\.count\( (Python: counting in list)
+
+# Searching sorted data linearly (should use binary search)
+\.find\(.*sorted (linear search on sorted array)
+for.*sorted (iterating sorted data to find)
+
+# Using objects where Map is better (non-string keys, frequent add/delete)
+\w+\[\w+\.id\]\s*= (object with dynamic keys from IDs)
+delete\s+\w+\[ (frequent deletion from object)
+Object\.keys\(.*\.length (counting object keys - Map.size is O(1))
+
+# Using array for queue/deque operations
+\.shift\(\) (Array.shift is O(n) - use proper queue)
+\.unshift\( (Array.unshift is O(n))
+```
+
+### Unnecessary Deep Copies
+```
+JSON\.parse\(JSON\.stringify (JSON round-trip for deep clone)
+\.map\(.*\.map\(.*spread (nested spread for deep copy)
+\{\.\.\..*\{\.\.\. (nested object spread)
+structuredClone\(.*inside.*loop (deep cloning in loop)
+copy\.deepcopy\(.*loop (Python deepcopy in loop)
+import\s+copy (check if deepcopy is overused)
+```
+
+### Inefficient Serialization
+```
+# JSON for internal communication (use binary formats)
+JSON\.stringify.*JSON\.parse.*internal
+pickle\.dump.*pickle\.load (Python: consider msgpack for cross-language)
+# Serializing more than needed
+JSON\.stringify\(.*entire (serializing entire object when subset needed)
+\.toJSON\(\) (check what's being serialized)
+# Repeated serialization
+JSON\.stringify\(.*loop (stringifying in loop)
+JSON\.parse\(.*loop (parsing in loop)
+```
+
+### Unnecessary Object Creation
+```
+new Date\(.*inside.*loop (creating Date objects in loop)
+new RegExp\(.*inside.*loop (compiling regex in loop)
+new URL\(.*inside.*loop (creating URL objects in loop)
+\.split\(.*\.join\( (split then join - use replace)
+\.toString\(\).*\.split\( (unnecessary string conversion)
+Array\.from\(.*Array\.from\( (double Array.from)
+```
+
+### Immutability Overhead
+```
+# Excessive spread operators
+\{\.\.\.state, (spreading large state objects)
+\[\.\.\.array, (spreading large arrays)
+\.map\(.*=>.*\{\.\.\. (creating new objects in map with spread)
+# Immer not used where it should be
+produce\( (check if immer is used consistently)
+```
+
+## Improvement Strategies
+
+1. **Array -> Map/Set**: Use Map for key-value lookups, Set for membership testing
+2. **Array.shift/unshift**: Use a proper deque/queue implementation
+3. **Deep copies**: Use structuredClone (modern), or targeted shallow copies
+4. **Serialization**: Use msgpack/protobuf for internal services, only JSON for external APIs
+5. **Object creation in loops**: Hoist object creation, reuse instances, use object pools
+6. **Large state spreads**: Use Immer's produce(), or targeted updates
+7. **Binary search**: Use on sorted data instead of linear search
diff --git a/src/resources/skills/code-optimizer/references/database-queries.md b/src/resources/skills/code-optimizer/references/database-queries.md
new file mode 100644
index 000000000..dc55f8f3d
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/database-queries.md
@@ -0,0 +1,76 @@
+# Database & Query Optimization
+
+## Grep/Glob Patterns to Detect
+
+### N+1 Query Problems
+```
+# ORM loops - querying inside iterations
+for.*in.*\.all\(\)
+for.*in.*\.filter\(
+for.*in.*\.objects\.
+\.prefetch_related (absence of - check if loops exist WITHOUT prefetch)
+\.select_related (absence of - check if FK access exists WITHOUT select_related)
+# SQLAlchemy
+session\.query.*for.*in
+\.lazy\s*=\s*True
+# ActiveRecord
+\.each.*\.where
+\.map.*\.find
+# Sequelize / TypeORM
+findOne.*inside.*map
+findOne.*inside.*for
+await.*find.*inside.*loop
+```
+
+### Unoptimized Queries
+```
+SELECT \*
+SELECT.*FROM.*WITHOUT.*WHERE (full table scans)
+LIKE '% (leading wildcard - can't use index)
+ORDER BY.*RAND()
+NOT IN.*SELECT (subquery instead of JOIN)
+DISTINCT.*SELECT \*
+GROUP BY.*without.*index
+\.raw\(.*SELECT (raw queries - potential SQL injection too)
+COUNT\(\*\).*WHERE (count with filter vs indexed count)
+```
+
+### Missing Indexes (Heuristic)
+```
+WHERE.*=.*AND.*= (composite queries without composite index)
+ORDER BY.*multiple columns
+JOIN.*ON.*without index hint
+\.filter\(.*__in= (IN queries on large sets)
+```
+
+### ORM Anti-patterns
+```
+\.save\(\).*inside.*loop (batch update instead)
+\.create\(\).*inside.*loop (bulk_create instead)
+\.update\(\).*for.*in (queryset.update instead)
+len\(.*\.all\(\)\) (.count() instead)
+list\(.*\.all\(\)\) (unnecessary materialization)
+if.*\.exists\(\).*\.first\(\) (double query)
+\.values\(\).*\.values\(\) (chained values)
+```
+
+### Connection Management
+```
+# Missing connection pooling
+create_engine\(.*pool_size (check if pool is configured)
+new Pool\( (check pool settings)
+max_connections (check if reasonable)
+# Unclosed connections
+connection\.open.*without.*close
+cursor.*without.*close
+```
+
+## Improvement Strategies
+
+1. **N+1 Queries**: Use eager loading (prefetch_related, select_related, JOIN FETCH, include/eager)
+2. **SELECT ***: Select only needed columns
+3. **Missing indexes**: Add indexes on frequently filtered/joined columns
+4. **Loop queries**: Use bulk operations (bulk_create, bulk_update, executemany)
+5. **Connection pooling**: Configure connection pools with appropriate size
+6. **Query caching**: Cache frequently-read, rarely-changing data
+7. **Pagination**: Never load unbounded result sets
diff --git a/src/resources/skills/code-optimizer/references/dead-code-redundancy.md b/src/resources/skills/code-optimizer/references/dead-code-redundancy.md
new file mode 100644
index 000000000..e6200d48b
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/dead-code-redundancy.md
@@ -0,0 +1,84 @@
+# Dead Code & Redundancy
+
+## Grep/Glob Patterns to Detect
+
+### Unused Exports/Functions
+```
+export\s+(function|const|class)\s+\w+ (cross-reference: is it imported anywhere?)
+def\s+\w+\( (cross-reference: is it called anywhere?)
+public\s+(static\s+)?\w+\s+\w+\( (Java/C# methods - are they called?)
+func\s+\w+\( (Go functions - are they called?)
+```
+
+### Unused Imports
+```
+import.*from.*['"].*['"] (cross-reference with usage in file)
+from\s+\w+\s+import\s+\w+ (Python: check if imported name is used)
+require\(['"].*['"]\) (CJS: check if result is used)
+use\s+\w+; (Rust: check if used)
+```
+
+### Commented-Out Code
+```
+//\s*(function|const|let|var|class|import|return|if|for|while)
+#\s*(def|class|import|return|if|for|while)
+/\*[\s\S]*?(function|class|import)[\s\S]*?\*/
+```
+
+### Dead Branches
+```
+if\s*\(\s*false\s*\) (always-false condition)
+if\s*\(\s*true\s*\) (always-true condition - dead else)
+if\s*\(\s*0\s*\) (falsy constant)
+if\s*\(\s*['"]['"] (empty string - always falsy)
+TODO.*remove (TODOs indicating dead code)
+FIXME.*remove
+HACK.*temporary
+# Feature flags stuck off
+FEATURE_.*=\s*false
+ENABLE_.*=\s*false
+```
+
+### Duplicate Logic
+```
+# Similar function signatures in same file or nearby files
+function\s+\w*(get|fetch|load|process|handle)\w*\( (many similar handlers)
+def\s+\w*(get|fetch|load|process|handle)\w*\( (Python: similar functions)
+# Copy-paste indicators
+# Same code block appearing multiple times (use Grep to find identical blocks)
+```
+
+### Deprecated/Legacy Code
+```
+@deprecated
+@Deprecated
+# deprecated
+\.deprecated
+DEPRECATED
+legacy
+Legacy
+LEGACY
+__legacy__
+_old\b
+_backup\b
+_v[0-9]\b (versioned functions like process_v1)
+```
+
+### Unreachable Code
+```
+return.*\n\s*(var|let|const|function) (code after return)
+throw.*\n\s*(var|let|const|function) (code after throw)
+exit\(\).*\n (code after exit)
+sys\.exit\(.*\n (Python: code after sys.exit)
+break\s*;\s*\n\s*\w (code after break)
+```
+
+## Improvement Strategies
+
+1. **Unused exports**: Remove and verify no external consumers (check all import statements)
+2. **Unused imports**: Remove with IDE or linting tooling
+3. **Commented code**: Delete it - version control preserves history
+4. **Dead branches**: Remove unreachable code, clean up feature flags
+5. **Duplicate logic**: Extract shared function, use strategy pattern if variants differ slightly
+6. **Deprecated code**: Plan migration, remove after all callers are updated
+7. **Unreachable code**: Remove statements after return/throw/exit
diff --git a/src/resources/skills/code-optimizer/references/error-resilience.md b/src/resources/skills/code-optimizer/references/error-resilience.md
new file mode 100644
index 000000000..0e9b46b3c
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/error-resilience.md
@@ -0,0 +1,80 @@
+# Error Handling & Resilience
+
+## Grep/Glob Patterns to Detect
+
+### Missing Timeouts
+```
+fetch\(.*(?!.*timeout) (fetch without timeout)
+axios\.\w+\(.*(?!.*timeout) (axios without timeout)
+requests\.\w+\(.*(?!.*timeout) (Python requests without timeout)
+http\.\w+\(.*(?!.*timeout) (http call without timeout)
+new Promise\(.*(?!.*setTimeout) (promise without timeout)
+\.connect\(.*(?!.*timeout) (DB/socket connect without timeout)
+```
+
+### Swallowed Errors
+```
+catch\s*\(\s*\w*\s*\)\s*\{\s*\} (empty catch block)
+catch\s*\(\s*\)\s*\{\s*\} (empty catch, no error param)
+except:\s*$ (bare except)
+except\s+Exception.*pass (catch-all with pass)
+except\s+Exception.*continue (catch-all with continue)
+\.catch\(\s*\(\)\s*=>\s*\{\s*\}\) (empty .catch handler)
+\.catch\(\s*\(\)\s*=>\s*null\) (swallowing with null)
+on_error.*pass (error handler that does nothing)
+```
+
+### Missing Retries for Transient Failures
+```
+# Network calls without retry logic
+fetch\(.*(?!.*retry) (fetch without retry)
+axios\.\w+\(.*(?!.*retry) (API call without retry)
+requests\.\w+\(.*(?!.*retry) (Python request without retry)
+# Database operations without retry
+\.query\(.*(?!.*retry) (DB query without retry)
+\.execute\(.*(?!.*retry) (DB execute without retry)
+```
+
+### No Circuit Breaker
+```
+# Repeated calls to potentially failing services without circuit breaking
+while.*retry.*fetch (retry loop without circuit break)
+MAX_RETRIES.*=.*[5-9]|[1-9]\d+ (high retry count without circuit breaker)
+```
+
+### Resource Cleanup on Error
+```
+# try without finally for resource cleanup
+try\s*\{.*open.*(?!.*finally) (open resource without finally)
+try:.*open\(.*(?!.*finally) (Python: open without finally or context manager)
+# Async cleanup missing
+async.*try.*(?!.*finally) (async operation without cleanup)
+```
+
+### Cascading Failures
+```
+# No fallback/default values
+\?\?.*undefined (check fallback quality)
+\|\|.*null (check fallback quality)
+\.get\(.*,\s*None\) (Python: check if None is appropriate default)
+# No graceful degradation
+catch.*throw (catching just to re-throw - no degradation)
+catch.*return\s+null (returning null on error - caller may not handle)
+```
+
+### Logging Without Action
+```
+console\.error\(.*(?!.*throw|return|retry) (logging error but not handling it)
+logger\.error\(.*(?!.*raise|return|retry) (Python: logging without action)
+print\(.*error.*(?!.*raise|return) (print error without handling)
+```
+
+## Improvement Strategies
+
+1. **Timeouts**: Add timeouts to ALL external calls (network, DB, file I/O). Use AbortController for fetch
+2. **Swallowed errors**: At minimum log errors, prefer explicit handling or re-throwing
+3. **Retries**: Implement exponential backoff with jitter for transient failures
+4. **Circuit breakers**: Use circuit breaker pattern for external service calls
+5. **Resource cleanup**: Use try-finally, context managers, or using statements
+6. **Graceful degradation**: Return cached/default data instead of failing completely
+7. **Error propagation**: Don't catch errors you can't handle - let them bubble up
diff --git a/src/resources/skills/code-optimizer/references/io-network.md b/src/resources/skills/code-optimizer/references/io-network.md
new file mode 100644
index 000000000..28dee89ed
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/io-network.md
@@ -0,0 +1,89 @@
+# I/O & Network Optimization
+
+## Grep/Glob Patterns to Detect
+
+### Sequential Requests (Should Be Batched/Parallel)
+```
+fetch\(.*\n.*fetch\( (sequential fetch calls)
+axios\.\w+\(.*\n.*axios\. (sequential axios calls)
+requests\.\w+\(.*\n.*requests (sequential Python requests)
+http\.\w+\(.*\n.*http\. (sequential Node http calls)
+\.get\(.*\n.*\.get\( (sequential GET requests)
+\.post\(.*\n.*\.post\( (sequential POST requests)
+```
+
+### Missing Batching
+```
+# Individual API calls in loops
+for.*\n.*fetch\( (fetch in loop)
+for.*\n.*axios\. (axios in loop)
+for.*\n.*requests\. (requests in loop)
+\.map\(.*fetch (map with individual fetches)
+\.forEach\(.*fetch (forEach with individual fetches)
+# Individual DB writes in loops
+\.save\(\).*for (save in loop - should batch)
+\.insert\(.*for (insert in loop - should bulk insert)
+```
+
+### No Request Deduplication
+```
+# Same endpoint called multiple times
+fetch\(['"]([^'"]+)['"]\) (check for duplicate URLs)
+axios\.\w+\(['"]([^'"]+)['"] (check for duplicate URLs)
+useQuery\(.*['"]([^'"]+)['"] (check for duplicate query keys)
+```
+
+### Missing Compression
+```
+# Large payload without compression
+Content-Type.*application/json (check if gzip/br enabled)
+res\.json\( (response without compression middleware)
+# No compression middleware
+express\(\).*without.*compression
+```
+
+### Inefficient Serialization
+```
+JSON\.stringify\(.*large (stringifying large objects)
+JSON\.parse\(.*JSON\.stringify (deep clone via JSON - use structuredClone)
+pickle\.dumps\( (Python: consider msgpack/protobuf for performance)
+yaml\.dump\(.*yaml\.load\( (YAML round-trip - slow for data exchange)
+```
+
+### Missing Streaming
+```
+\.readFile\( (read entire file vs createReadStream)
+\.readFileSync\( (sync + entire file)
+body\.json\(\) (parse entire body vs streaming parser)
+\.text\(\) (entire response as text)
+\.json\(\).*large (entire JSON response in memory)
+response\.data (entire response buffered)
+```
+
+### Missing Caching Headers
+```
+# API responses without caching
+res\.json\(.*without.*cache-control
+res\.send\(.*without.*etag
+# Static assets without cache headers
+express\.static\(.*without.*maxAge
+```
+
+### Retry Without Backoff
+```
+retry.*count (check if exponential backoff exists)
+while.*retry (retry loop without delay increase)
+catch.*retry (catch-retry without backoff)
+MAX_RETRIES (check backoff strategy)
+```
+
+## Improvement Strategies
+
+1. **Sequential requests**: Use Promise.all, asyncio.gather, or batch APIs
+2. **Loop requests**: Batch into single API call or use DataLoader pattern
+3. **Deduplication**: Use request deduplication (SWR, React Query, custom cache)
+4. **Compression**: Enable gzip/brotli at server and CDN level
+5. **Serialization**: Use efficient formats (protobuf, msgpack) for internal services
+6. **Streaming**: Use streams for large files/responses, NDJSON for large JSON
+7. **Caching**: Set appropriate Cache-Control, ETag, use stale-while-revalidate
+8. **Retries**: Implement exponential backoff with jitter
diff --git a/src/resources/skills/code-optimizer/references/logging-observability.md b/src/resources/skills/code-optimizer/references/logging-observability.md
new file mode 100644
index 000000000..c3f439d1a
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/logging-observability.md
@@ -0,0 +1,64 @@
+# Logging & Observability Performance
+
+## Grep/Glob Patterns to Detect
+
+### Excessive Logging
+```
+console\.log\( (console.log in production code)
+console\.debug\( (console.debug in production)
+print\(.*debug (Python print debugging)
+logger\.debug\(.*inside.*loop (debug logging in hot loop)
+log\.\w+\(.*inside.*for (any logging in tight loop)
+console\.log\(JSON\.stringify\( (serializing objects just to log)
+```
+
+### Expensive String Formatting in Logs
+```
+# String interpolation/formatting when log level is disabled
+logger\.debug\(f" (Python f-string even when debug disabled)
+logger\.debug\(.*\.format\( (Python .format() even when debug disabled)
+logger\.debug\(` (JS template literal even when debug disabled)
+logger\.debug\(.*\+.*\+ (string concat for debug log)
+JSON\.stringify\(.*log (JSON stringify for logging)
+```
+
+### Missing Structured Logging
+```
+console\.log\(["'].*:.*["'] (unstructured string logging)
+print\(.*["'].*:.*["'] (unstructured print logging)
+logger\.\w+\(["'].*["'] % (format string logging vs structured)
+```
+
+### Synchronous Logging
+```
+fs\.writeFileSync.*log (sync file write for logging)
+fs\.appendFileSync.*log (sync file append for logging)
+open\(.*log.*\)\.write\( (Python: sync log file write)
+```
+
+### Missing Request/Trace IDs
+```
+# API handlers without correlation IDs
+app\.(get|post)\(.*req.*res (check if request ID is propagated)
+@app\.route\( (check if request ID middleware exists)
+```
+
+### Metrics Collection Overhead
+```
+# Metrics in hot paths
+\.observe\(.*inside.*loop (Prometheus observe in loop)
+\.increment\(.*inside.*loop (counter increment in loop)
+statsd\..*inside.*loop (StatsD in loop)
+\.timing\(.*inside.*loop (timing metric in loop)
+Date\.now\(\).*Date\.now\(\) (manual timing - use proper instrumentation)
+performance\.now\(\).*performance (manual performance timing)
+```
+
+## Improvement Strategies
+
+1. **Console.log**: Remove from production, use proper logger with levels
+2. **Log formatting**: Use lazy evaluation - logger.debug("msg %s", expensive_value) vs f-strings
+3. **Structured logging**: Use JSON structured logs for machine parsing
+4. **Async logging**: Buffer and flush logs asynchronously, don't block request handling
+5. **Request IDs**: Add correlation ID middleware, propagate through all service calls
+6. **Metrics**: Pre-aggregate metrics, use histograms instead of per-request timers in hot loops
diff --git a/src/resources/skills/code-optimizer/references/memory-resources.md b/src/resources/skills/code-optimizer/references/memory-resources.md
new file mode 100644
index 000000000..95488f8fe
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/memory-resources.md
@@ -0,0 +1,66 @@
+# Memory & Resource Management
+
+## Grep/Glob Patterns to Detect
+
+### Memory Leaks
+```
+# Event listeners never removed
+addEventListener.*without.*removeEventListener
+\.on\(.*without.*\.off\(
+\.subscribe\(.*without.*unsubscribe
+# Timers never cleared
+setInterval\(.*without.*clearInterval
+setTimeout\(.*without.*clearTimeout
+# Global/module-level caches without eviction
+global.*\[\] (unbounded global arrays)
+global.*\{\} (unbounded global dicts/objects)
+module\.exports.*cache.*=.*\{\}
+_cache\s*=\s*\{\} (module-level cache without LRU/TTL)
+# Closures retaining references
+closure.*large.*object
+# React-specific
+useEffect.*without.*cleanup
+useRef.*large.*object
+```
+
+### Unclosed Resources
+```
+open\(.*without.*close
+open\(.*without.*with\s (Python: not using context manager)
+new FileReader\(.*without.*close
+createReadStream\(.*without.*destroy
+createWriteStream\(.*without.*end
+fs\.open\(.*without.*fs\.close
+new Socket\(.*without.*\.close
+new WebSocket\(.*without.*\.close
+acquire\(.*without.*release
+```
+
+### Large Allocations
+```
+new Array\(\d{5,} (arrays > 10k elements)
+Buffer\.alloc\(\d{6,} (buffers > 1MB)
+\.fill\(.*\d{6,} (filling large arrays)
+\.repeat\(\d{4,} (string repeat large count)
+JSON\.parse\(.*large (parsing large JSON in memory)
+\.readFileSync\( (synchronous large file reads)
+\.readFile\(.*without.*stream (reading whole file vs streaming)
+```
+
+### String Concatenation in Loops
+```
+\+=.*string.*for
+\+=.*\".*loop
+str\s*\+= (Python string concat in loop)
+\.join\(\[ (check if used correctly)
+```
+
+## Improvement Strategies
+
+1. **Event listeners**: Always pair add/remove, use AbortController for bulk cleanup
+2. **Timers**: Clear intervals in cleanup/unmount, use refs for timer IDs
+3. **Caches**: Use LRU cache with max size, add TTL, use WeakMap/WeakRef where possible
+4. **File handling**: Use context managers (Python with), try-finally, or using statements
+5. **Streams**: Use streaming for large data instead of loading everything in memory
+6. **String building**: Use StringBuilder/list join pattern instead of concatenation in loops
+7. **Buffers**: Pool and reuse buffers, use streaming transforms
diff --git a/src/resources/skills/code-optimizer/references/rendering-ui.md b/src/resources/skills/code-optimizer/references/rendering-ui.md
new file mode 100644
index 000000000..2dd464759
--- /dev/null
+++ b/src/resources/skills/code-optimizer/references/rendering-ui.md
@@ -0,0 +1,90 @@
+# Rendering & UI Performance
+
+## Grep/Glob Patterns to Detect
+
+### React Re-render Issues
+```
+# Missing memoization
+const\s+\w+\s*=\s*\(\s*\)\s*=>.*return\s*\( (inline component definitions)
+\w+\s*=\s*\{.*\}.*prop= (object literal as prop - new ref every render)
+\w+\s*=\s*\[.*\].*prop= (array literal as prop)
+\w+\s*=\s*\(\).*=>.*prop= (arrow function as prop - new ref every render)
+style=\{\{ (inline style object)
+# Context causing re-renders
+useContext\( (check context value stability)
+<\w+Provider\s+value=\{\{ (new object in Provider value)
+<\w+Provider\s+value=\{[^}]*\} (unstable provider value)
+# State management
+useState\(.*\{ (object state - check if needs splitting)
+setState\(.*\{\.\.\.state (spreading entire state on each update)
+```
+
+### Missing Virtualization
+```
+\.map\(.*<\w+ (rendering list items - check list size)
+{items\.map\( (JSX list rendering - check if >50 items)
+\.map\(.*return.*