In `@benchmarks/c15t-nextjs/next-env.d.ts`:
- Line 3: Remove the manual import from the auto-generated next-env.d.ts file
(delete the line importing "./.next/types/routes.d.ts") and do not edit
next-env.d.ts again; instead add the pattern ".next/types/**/*.ts" to the
"include" array in tsconfig.json so the generated route types are picked up
globally by the TypeScript compiler.

In `@benchmarks/c15t-nextjs/package.json`:
- Line 13: Update the dependency entry for "@c15t/nextjs" in package.json from
"1.7.1" to the latest stable "1.8.3"; then regenerate your lockfile by running
your package manager (npm install or yarn install) so the updated version is
reflected in package-lock.json or yarn.lock and CI uses the new dependency.

In `@benchmarks/cookie-control/config.json`:
- Around line 18-22: The bundleType value in the techStack JSON is invalid
("iife"); update the "bundleType" property in the techStack object to the
schema-allowed value "iffe" (replace "iife" with "iffe") so the config validates
against the benchmark-schema enum for bundleType.

In `@benchmarks/cookie-yes/next-env.d.ts`:
- Around line 3-6: The import of "./.next/types/routes.d.ts" in next-env.d.ts is
auto-generated and should not be manually edited; ensure the project's Next.js
config (next.config.js/next.config.ts) enables typedRoutes: true so Next
regenerates this import consistently rather than editing next-env.d.ts
directly—open your next.config file, add or set the typedRoutes option to true,
and revert any manual changes to next-env.d.ts so the auto-generated import is
maintained by the build.

In `@benchmarks/didomi/app/layout.tsx`:
- Around line 1-6: This layout is missing the metadata export; add a server-side
export named metadata (export const metadata: Metadata = { title: "benchmark" })
but because metadata is only valid in Server Components you must remove or
relocate the "use client" usage: either drop "use client" and move the
DidomiSDK/client-specific logic into a separate client component (e.g.,
DidomiClient component) which you import into the server layout, or split this
file into a server layout that exports metadata and a companion client component
file that contains "use client" and the DidomiSDK/IDidomiObject usage; update
imports/exports accordingly to keep DidomiSDK, IDidomiObject and any
useState/useCallback calls inside the client file.
- Around line 76-85: The inline arrow handlers for onNoticeHidden and
onNoticeShown cause new function refs each render; wrap them in
React.useCallback and replace the inline props with the memoized callbacks
(e.g., create const handleNoticeHidden = useCallback(() => { if (DEBUG_DIDOMI)
console.log("Didomi notice hidden"); }, [DEBUG_DIDOMI]) and similarly
handleNoticeShown) and pass those to the DidomiSDK props to avoid unnecessary
re-renders.

In `@benchmarks/iubenda/config.json`:
- Line 25: The bundleType value in benchmarks/iubenda/config.json is using the
invalid enum "iife"; update the "bundleType" property to the allowed enum value
"iffe" (replace "iife" with "iffe") so it matches the schema used by the
benchmark-schema (valid values: "esm", "cjs", "iffe", "bundled").

In `@benchmarks/osano/app/layout.tsx`:
- Around line 17-20: The benchmark layouts differ: this file uses the Next.js
Script component with strategy="afterInteractive" (the Script import and JSX
usage), while the Enzuzo benchmark uses a raw <script> in the head; pick one
approach and make them consistent. Either replace the Script usage in this
layout with the same plain script insertion used by the Enzuzo layout, or update
the Enzuzo layout to use the Next.js Script component with the same strategy;
ensure you update the component import/usage (Script) or the head script
insertion accordingly so both benchmarks load the third‑party Osano/Enzuzo
scripts identically for comparable measurements.

In `@package.json`:
- Around line 28-30: Update the root package.json "engines" entry so the "node"
field matches the stricter workspace requirement (set to ">=20.9.0"); locate the
"engines" object and change the "node" value, ensuring consistency with
workspace packages such as packages/benchmark/package.json and
benchmarks/enzuzo/package.json to avoid engine mismatches across the monorepo.

In `@packages/benchmark-schema/results.schema.json`:
- Around line 38-46: The timestamp properties generatedAtUtc, runStartedAtUtc,
and runCompletedAtUtc are declared as "type": "string" but should enforce ISO
8601; update each property in the schema to include "format": "date-time"
alongside "type": "string" (e.g., generatedAtUtc, runStartedAtUtc,
runCompletedAtUtc) so JSON Schema validators will validate them as
RFC3339/ISO-8601 date-time strings.
- Around line 16-18: The "results" array in results.schema.json currently has no
"items" schema, allowing any content; update the "results" definition to include
an "items" schema that describes the expected element shape (e.g., an object
with required properties, types, and any nested schemas), referencing the
"results" property name so validators and docs enforce the expected result
structure (adjust property names and required fields to match your
domain-specific result object).

In `@packages/benchmark/README.md`:
- Line 104: The README's BUNDLE_TYPES lists "IIFE" while the code/schema uses
"iffe" — make them consistent by choosing one canonical value and updating the
other; locate the BUNDLE_TYPES constant and the schema validation (look for
symbols named BUNDLE_TYPES and the schema or enum that contains "iffe") and
either change the schema enum to "IIFE" or change the README/constant to "iffe"
(and update any serialization/deserialization logic that maps between
human-facing names and stored values) so both documentation and runtime
validation use the same token.
- Line 14: The README mentions "IIFE" but the benchmark schema's enum for
bundleType uses the value "iffe"; update either the schema or the docs to be
consistent: either change the enum in the benchmark-schema package to "iife" or
explicitly document the actual enum value ("iffe") in
packages/benchmark/README.md; reference the bundleType enum in the
cookiebench/benchmark-schema package (valid values: "esm", "cjs", "iffe",
"bundled") when making the change so users won't be confused by the IIFE vs iffe
spelling.

In `@packages/benchmark/src/constants.ts`:
- Around line 76-82: The BUNDLE_TYPES constant contains an incorrect literal
"iife" which doesn't match the schema (schema expects "iffe"); update the
BUNDLE_TYPES export so the bundle type matches the schema by replacing the IIFE
entry with the correct value/key (e.g., change the key to IFFE and its value to
"iffe" or at minimum change the value to "iffe"), and then update all usages
that reference BUNDLE_TYPES.IIFE to use BUNDLE_TYPES.IFFE (or the new value) so
runtime/config validation passes.

In `@packages/benchmark/src/network-monitor.ts`:
- Around line 200-206: getNetworkRequests and getMetrics expose internal mutable
state by returning direct references; change them to return defensive copies
instead (e.g., return a shallow copy of the array for getNetworkRequests and a
shallow-cloned object for getMetrics). Update the implementations of
getNetworkRequests() and getMetrics() to return copies (e.g., using array spread
or slice for networkRequests and object spread or a shallow
clone/structuredClone for metrics) so external callers cannot mutate
this.networkRequests or this.metrics; if metrics contains nested objects and
mutation protection is required, perform a deep clone.
- Around line 160-166: The async handlers handleRequestFinished and
handleRequestFailed can produce unhandled rejections when passed directly to
page.on; change them to ensure all exceptions are caught by wrapping the async
work in a try/catch (inside each function) or replace the direct registration
with a non-async wrapper that calls the async function and calls
.catch(...)—e.g., catch and log errors (or forward to commitRequest error
handling) around the call to commitRequest(request, await request.response()) so
failures are handled instead of propagating unhandled rejections; reference
handleRequestFinished, handleRequestFailed, and commitRequest when making the
change.

In `@packages/benchmark/src/perfume-collector.ts`:
- Line 168: Replace the fixed sleep call
page.waitForTimeout(BENCHMARK_CONSTANTS.PERFUME_METRICS_WAIT) with a
deterministic wait that polls for the actual metrics to be present; for example,
use page.waitForFunction to wait until the Perfume metrics object/DOM is
populated (inspect the collector code to see whether it exposes
window.__perfume, window.perfume, or a specific DOM element) so the collector in
perfume-collector.ts continues only when the actual metrics exist rather than
after a fixed timeout.
- Around line 242-253: The object built from rawMetrics uses inconsistent falsy
handling: replace the uses of || 0 with nullish coalescing so legitimate zero
values are preserved. Specifically, update the fields that reference rawMetrics
(firstPaint, firstContentfulPaint, largestContentfulPaint,
cumulativeLayoutShift, totalBlockingTime) to use rawMetrics.<metric>?.value ??
0, and change timeToFirstByte to use rawMetrics.TTFB?.value ??
navigationTiming?.timeToFirstByte ?? 0 so navigationTiming and
defaultNavigationTiming behavior remains intact; keep firstInputDelay and
interactionToNextPaint as ?? null.

In `@packages/benchmark/src/resource-timing-collector.ts`:
- Around line 192-197: The stylesheet detection filters (where styleEntries is
created from resourceEntries) currently uses entry.name.endsWith(".css") which
misses URLs with query strings or fragments (e.g., styles.css?v=1); update the
predicate to parse the entry.name as a URL (or strip the query/fragment) and
check the pathname for a trailing ".css" (or use a regex that tests for
\.css($|[?#])) so CSS files with query strings are correctly classified; modify
the filter creating styleEntries accordingly.

In `@packages/cookiebench-cli/README.md`:
- Line 377: Change the phrase "Open source status" to use a hyphenated compound
adjective so it reads "Open-source status" in the "4. **Transparency** (15%):
Open source status, documentation, licensing" line (update the specific text
"Open source status" to "Open-source status").

In `@packages/cookiebench-cli/src/commands/benchmark.ts`:
- Around line 80-84: The two optional timing fields are inconsistent:
timeToFirstByte returns undefined when no valid values but
interactionToNextPaint returns null; update the interactionToNextPaint
assignment to use undefined instead of null so both fields use the same
missing-value sentinel (e.g., change the interactionToNextPaint ternary to
return undefined when validInp.length === 0); ensure you keep
calculateAverage(validInp) for the present-case and reference the
timeToFirstByte and interactionToNextPaint properties and calculateAverage
helper when making the change.
- Around line 340-362: The current code mutates the loaded config object
in-place when applying iterations and profile/cacheMode overrides (the block
adjusting config.iterations and config.measurement.minSuccessfulIterations and
the subsequent profile/cacheMode overrides); to avoid side effects, create a
cloned config (e.g., clonedConfig = structuredClone(config) or a deep clone)
immediately after obtaining the config from loadValidatedConfigSync and apply
all mutations to clonedConfig instead of config, then pass clonedConfig into the
rest of the benchmark flow and update the debug log to reference clonedConfig;
ensure you clone deeply so nested fields like
measurement.minSuccessfulIterations are isolated.
- Around line 392-403: The current mkdir(tracesDir, { recursive: true }) catch
block can silently swallow errors that lack a code property; update the handler
in benchmark.ts so that any error without code or with a code different from
"EEXIST" is rethrown. In other words, extract the error code safely (e.g., const
code = (error as any)?.code) and only ignore the error when code === "EEXIST";
for all other cases (including undefined code) rethrow the error so unexpected
failures from mkdir are not swallowed.

In `@packages/cookiebench-cli/src/commands/db.ts`:
- Around line 156-166: The function generateCommand is declared synchronously
while similar handlers (pushCommand, migrateCommand, statusCommand) are async;
change generateCommand to an async function (async function
generateCommand(logger: CliLogger, projectRoot: string)) returning a
Promise<void> so its signature matches the others, keep the same internal logic
(calls to runDrizzleCommand, logger.*) and verify callers that await
generateCommand remain correct; this keeps consistency with
pushCommand/migrateCommand/statusCommand and avoids confusion about awaiting
non-Promise values.
- Around line 182-193: runDrizzleCommand currently calls process.exit(1) on
failure, so the try-catch in db.ts around runDrizzleCommand is unreachable;
refactor by removing process.exit from runDrizzleCommand and instead throw an
Error (or reject the promise) when it fails, then keep the existing try {
runDrizzleCommand(...) } catch (error) in db.ts to log via logger.error and call
process.exit(1) there; ensure runDrizzleCommand's signature returns/throws an
Error so callers can handle failures and do not swallow exits inside the helper.
- Around line 195-208: The studioCommand function should be made async (matching
generateCommand) and should await runDrizzleCommand; replace the empty catch
with error discrimination: in the catch inspect the thrown error (e.g.,
err.signal === 'SIGINT' or err.name === 'AbortError') and treat those as normal
interruptions by logging "Studio closed.", otherwise call logger.error with a
descriptive message and the error (or rethrow) so unexpected failures aren't
swallowed; reference studioCommand and runDrizzleCommand when making these
changes.
- Around line 61-62: The artificial 1-second pause after clearing the logger
(the await setTimeout(ONE_SECOND) following logger.clear()) adds unnecessary
latency; remove that await call (or replace ONE_SECOND with a much shorter
constant or make the delay configurable) so the screen clears immediately.
Update any surrounding logic that assumed the delay and run tests/CLI flows to
confirm no race conditions remain.
- Around line 255-256: The dynamic import of node:fs/promises for readdir is
unnecessary; replace it with a static top-level import and remove the
in-function dynamic import. Add "import { readdir } from 'node:fs/promises';" to
the file's existing imports and delete the line "const { readdir } = await
import('node:fs/promises');" so the code uses the top-level readdir symbol
directly where it's listed/used in the db.ts command logic.
- Around line 210-226: The findProjectRoot() function is duplicated; extract it
into a shared utility (e.g., a new projectRoot() exported from `@consentio/shared`
or a CLI utils module) and replace the local implementation in
packages/cookiebench-cli/src/commands/db.ts with an import of that shared
function; update any callers to use the new exported symbol (projectRoot or
findProjectRoot) and remove the local function to avoid duplication and keep
behavior consistent across packages.

In `@packages/cookiebench-cli/src/commands/migrate-results.ts`:
- Around line 125-129: The KB-detection heuristic (variables likelyKbData,
totalSizeCandidates, multiplier) can misclassify edge cases; update it to first
look for an explicit v1 marker (e.g., a stored sizeUnit or version flag on the
record) and use that when present, and if no marker exists fall back to a safer
heuristic: require both a majority of values < 100_000 AND a small max/min
spread (or a threshold like max < 200_000 and mean < 50_000) before setting
multiplier = 1024; whenever the fallback heuristic is used, emit a clear
logger.warn that the heuristic was applied and include summary stats (count,
min, max, mean) so callers can opt to re-run with an explicit flag if needed.
- Around line 262-263: The migration currently overwrites files in place (see
migrateV1ToV2, parsed, migrated, writeFile, file) so create a backup before
writing: copy or rename the original (file) to a safe backup name (e.g., file +
'.bak' or include timestamp) and only proceed to writeStringified migrated data
after the backup succeeds; on write failure, restore the backup and surface an
error, and consider writing to a temp file and renaming atomically to avoid
partial files. Ensure the backup/restore logic is added around the existing
writeFile call and that errors during backup or write are handled and reported.

In `@packages/cookiebench-cli/src/commands/results.ts`:
- Around line 366-876: The printDetailedResults function currently assumes
results has at least one iteration, causing divide-by-zero/NaN when
results.length === 0; add an early guard at the top of printDetailedResults that
checks if !results || results.length === 0, logs a brief message (or color.dim
warning) and returns early to avoid computing averages and rendering tables
(affects avg* calculations, totalFiles, waterfall/sampleResult logic and
aggregatedResources). Ensure the guard prevents further use of sampleResult,
firstResult and any reductions that divide by results.length.

In `@packages/cookiebench-cli/src/commands/save.ts`:
- Around line 101-139: The saveBenchmarkResult function currently calls fetch
without a timeout; wrap the request in an AbortController with a 15s timer:
create an AbortController, pass controller.signal to fetch, and set a setTimeout
that calls controller.abort() after 15000ms; clear that timeout after fetch
resolves (both success and failure) to avoid leaks. Update the catch in
saveBenchmarkResult to detect an abort (error.name === "AbortError" or
error.message indicating abort) and log a specific timeout/connection message
(using apiUrl), then rethrow; reference saveBenchmarkResult, logger, and
response handling when making these changes.

In `@packages/cookiebench-cli/src/commands/scores.ts`:
- Around line 330-337: The average calculation for cookieBannerVisibleTimeMs can
produce NaN when both b.timing.cookieBanner.userVisibleTime and
b.timing.cookieBanner.visibilityTime are null/undefined; update the reducer in
scores.ts (the cookieBannerVisibleTimeMs computation using appResults.reduce) to
coalesce missing timings to a numeric fallback (e.g., 0) or skip those entries
and adjust the divisor accordingly so the sum never becomes NaN; ensure you
reference cookieBannerVisibleTimeMs and the appResults.reduce call when making
the change.

In `@packages/cookiebench-cli/src/components/intro.ts`:
- Around line 42-82: The gradient currently emits raw ANSI escapes via
customColor and thus ignores NO_COLOR/TTY; update the logic to gate ANSI output
on picocolors' color support (e.g., check color.isColorSupported or
process.env.NO_COLOR/tty.isatty) so when color is not supported you return plain
figletText lines unchanged. Concretely, modify the use of customColor (or
initialize customColor) in the intro rendering path that handles figletText,
lines, gradientDenominator, and coloredLines so that if colors are unsupported
the mapping returns the original line (no ANSI) or make each customColor.* a
no-op when color support is false.

In `@packages/cookiebench-cli/src/types/index.ts`:
- Line 12: The grade/type inconsistency: the top-level type "grade" currently
uses PascalCase string literals ("Excellent" | "Good" | "Fair" | "Poor" |
"Critical") while "status" uses lowercase and omits "critical", which will break
mappings; fix this by extracting a single shared union type (e.g., GradeValue or
Grade) and use it for both the top-level grade and status representations (or
create a canonical lowercased union and consistently map/transform where
needed), update the "status" union to include "critical" if you keep lowercase,
or convert "grade" to lowercase to match, and adjust any code that reads/writes
these fields to use the shared type (refer to the grade and status type
declarations to locate where to change).

In `@packages/cookiebench-cli/src/utils/config-validation.ts`:
- Around line 424-445: The array branch treats "iffe" as invalid because
assertStringArray checks items against BUNDLE_TYPES while the string branch
first normalizes "iffe" to "iife"; update the array handling to normalize items
before validation (or accept "iffe" in BUNDLE_TYPES). Specifically, in the
techStack.bundleType Array path use the same normalization logic as the string
path (or call normalizeBundleType on each array element) prior to calling
assertStringArray so that values like "iffe" are normalized to "iife" and
validated against BUNDLE_TYPES consistently.
- Around line 286-296: Simplify the complex conditional that assigns enabled by
first calling assertBoolean and capturing its result, then use the captured
boolean to decide behavior: call assertBoolean(issues, "remote.enabled",
remote.enabled) only if remote.enabled is not undefined and store the result in
a variable (e.g., isValidEnabled), then set enabled = remote.enabled &&
isValidEnabled (or false if remote.enabled is undefined). After that, keep the
existing checks for assertString(issues, "remote.url", remote.url) when enabled
is true or when remote.url is provided. Reference symbols: enabled,
remote.enabled, assertBoolean, isValidEnabled (new temp), assertString,
remote.url, issues.

In `@packages/cookiebench-cli/src/utils/project-root.ts`:
- Around line 32-37: The function currently returns join(projectRoot,
"benchmarks", appPath) without verifying it contains config.json; update the
logic (using directPath, projectRoot, appPath, existsSync, join) to check the
fallback path for a config.json as well and only return it if
existsSync(join(fallbackPath, "config.json")) is true, otherwise throw or return
a clear error/undefined so callers don't get an invalid benchmark path.

In `@packages/cookiebench-cli/src/utils/scoring.ts`:
- Around line 507-514: The calculateNetworkScore function currently declares an
unused parameter named _resourceData; either remove that parameter from the
function signature (and all callers) to eliminate dead code, or if you intend to
keep it for future use, leave the parameter but add a brief comment next to
_resourceData explaining it is reserved for future use and should remain unused
(e.g., "reserved for future resource-based scoring"); update the function
signature and any references accordingly to keep linting/tests clean.
- Around line 186-207: The parseTechStack function returns techStack.typescript
directly which can be undefined; change it to default to false so parsed results
are consistent with the catch fallback. Update the return in parseTechStack (the
success path) to use a boolean coalescing/default (e.g., set typescript to
techStack.typescript ?? false) so that typescript is always false when missing
or undefined.
- Around line 153-163: The open-source tag check in the block that computes
lowerTags (variable lowerTags and the conditional returning true) is too broad
because it treats "free" and "community" as definitive indicators; remove "free"
and "community" from the includes list (or replace them with more specific
phrases like "community edition" or "free and open source" if you want to retain
some coverage) so the conditional only matches clear OSS indicators ("open
source", "opensource", "oss"); update the conditional in the same function (the
lowerTags.includes(...) checks) accordingly.
- Around line 1354-1361: The category and detail score displays hardcode “/100”
which is wrong for items with varying maxScore; update the table rows in the
scores rendering logic so category rows use
`${category.score}/${category.maxScore}` (replace `${category.score}/100`) and
detail rows use `${detail.score}/${detail.maxScore}` (replace
`${detail.score}/100`) so each display shows the actual maxScore for that item;
locate these changes around the loop over scores.categories and the inner loop
that pushes detail rows (references: scores.categories, category.score,
category.maxScore, detail.score, detail.maxScore).

In `@packages/cookiebench-cli/tsconfig.base.json`:
- Line 9: Remove the browser DOM libs from the TypeScript lib list: edit the
tsconfig's "lib" array (the "lib" property containing "es2022", "DOM",
"DOM.Iterable") and delete the "DOM" and "DOM.Iterable" entries so the CLI
package uses only Node-oriented libs (leaving "es2022" or other Node-targeted
entries intact).

In `@packages/runner/package.json`:
- Around line 1-33: Add a top-level "engines" field to this package.json for
`@consentio/runner` to match the monorepo constraint; specifically add "engines":
{ "node": ">=20.9.0" } at the root of the manifest (alongside "name", "version",
"type", etc.) so the runner package enforces the same Node version requirement
as the benchmarks package.

In `@packages/runner/README.md`:
- Around line 44-62: The README example and API list call buildAndServeNextApp
without the required logger parameter; update the usage example and the API
documentation to pass a logger instance (e.g., processLogger or any object
implementing the expected logger interface) to buildAndServeNextApp(serverPath,
logger) so the call in the snippet and the API signature reflect the new
required logger argument; reference buildAndServeNextApp in the README example
and the API section so users know to provide the logger.

In `@packages/runner/src/benchmark-runner.ts`:
- Around line 446-448: The call to global.gc in benchmark-runner.ts can be a
no-op unless Node was started with --expose-gc; update the code around the
global.gc() call to detect and handle that case: check for global.gc and
process.execArgv.includes('--expose-gc') (or at least global.gc existence) and
when absent emit a clear warning via the existing logger (or console.warn)
indicating GC is unavailable and that Node must be started with --expose-gc to
enable manual GC; keep the current global.gc() invocation when available but add
the log/documentation path when it is not.
- Around line 312-324: The execFileAsync call using traceZipPath and tempDir (in
benchmark-runner.ts around execFileAsync, traceDir, traceZipPath, traceFilePath)
can be fed untrusted path components; validate and sanitize those paths before
invoking execFileAsync: resolve and normalize traceZipPath and tempDir (e.g.,
via path.resolve/path.normalize), reject null-bytes or path-traversal (../) and
ensure the resolved paths are inside an allowed base directory (or a created
safe temp directory) and exist as expected; restrict config-derived names to a
safe character whitelist or generate safe filenames yourself and use those, then
call execFileAsync with the sanitized absolute paths and only the expected
filename ("trace.trace") to prevent injection or unexpected file access.
- Around line 66-70: The network profiles `fast3g` and `slow4g` in
benchmark-runner.ts have mismatched throughput/latency values; update them to
realistic values (or add a clarifying comment if the divergence is intentional).
Specifically, change `slow4g` to a typical 4G profile (e.g., latency ~60ms,
download ~10 Mbps, upload ~3 Mbps) and change `fast3g` to a typical 3G profile
(e.g., latency ~120ms, download ~1.6 Mbps, upload ~0.75 Mbps); locate the
`fast3g` and `slow4g` objects and replace the numeric literals for `latency`,
`downloadThroughput`, and `uploadThroughput` accordingly (or add an explanatory
comment above each profile if you want to keep synthetic/conservative values).

In `@packages/runner/src/performance-aggregator.ts`:
- Around line 276-300: The comment notes a mismatch between the AI summary and
the code: the calculateNetworkImpact method is declared private but referenced
as public; update the method visibility or docs accordingly. Change the method
declaration name calculateNetworkImpact in class PerformanceAggregator (or the
file performance-aggregator.ts) from private to public if it must be used by
external callers like BenchmarkRunner, or if it should remain internal, update
the AI summary/docs to state it is private/internal; ensure any callers (e.g.,
BenchmarkRunner) are updated to use the public API or tests adjusted to reflect
the correct visibility.
- Around line 302-314: The method hasMeaningfulVariability is declared private
but the AI summary and external callers expect it to be public; change its
visibility from private to public (i.e., make the method public on the class
where calculateStatistics(...) and hasMeaningfulVariability are declared),
update the method signature accordingly, and run/adjust any unit tests or
imports that reference it so external consumers can call
hasMeaningfulVariability(...) directly; ensure exported class typings reflect
the public method.

In `@packages/runner/src/server.ts`:
- Around line 48-69: The child process is created with stdout piped but not
consumed, which can block; update the spawn call that creates serverProcess
(spawn(pm.command, startArgs, {...})) to either inherit stdout by changing stdio
from ["inherit","pipe","inherit"] to ["inherit","inherit","inherit"] (or
similar) or explicitly consume serverProcess.stdout by attaching a
data/error/close listener that forwards/drains output (e.g., piping to
process.stdout or reading and discarding data) so the buffer cannot fill during
Next.js startup.

In `@packages/runner/src/statistics.ts`:
- Around line 150-152: The current check if (mean === 0) { return 0; } in the CV
calculation masks an edge case; update the CV function in statistics.ts (the
routine that computes coefficient of variation using the mean variable and CV
result) to return NaN instead of 0 when mean === 0, add a short comment
explaining this choice (signals undefined CV for zero mean), and ensure any
callers of this function handle NaN (or explicitly document the behavior) so
consumers can detect and handle the edge case.
- Around line 45-47: The variance is computed as a population variance (dividing
by values.length) which underestimates variability for small samples; change the
computation in statistics.ts where variance and stddev are calculated (variables
variance, stddev using values and mean) to use sample variance by dividing by
(values.length - 1) when values.length > 1 (and handle length <=1 safely), and
mirror the same change at the other occurrence around lines 146-147 to keep
consistency across the file.

In `@packages/shared/package.json`:
- Line 25: The `@types/node` dependency in package.json is set to ^24 which may
not match the project's supported Node range (benchmarks/onetrust specifies node
>=20.9.0); update the `@types/node` major to align with your minimum Node major
(e.g., ^20) or use the project's dependency catalog reference consistent with
other packages, and ensure package.json's "dependencies"/"devDependencies" entry
for "@types/node" is changed (search for the string "@types/node" in the file)
so the type definitions don't expose APIs newer than your supported Node
runtime.

In `@packages/shared/src/constants.ts`:
- Around line 5-7: BYTES_TO_KB and KILOBYTE are duplicate constants (both 1024);
remove the redundancy by keeping one canonical identifier and updating all
usages accordingly — choose either BYTES_TO_KB (if you prefer explicit
conversion naming) or KILOBYTE (if you prefer unit naming), then refactor
references to the removed constant across the codebase (search for BYTES_TO_KB
and KILOBYTE) and update imports/exports to use the retained constant
consistently; if both concepts are required, rename one to clarify semantic
difference (e.g., BYTES_PER_KILOBYTE) and adjust usages to match.
- Around line 9-11: PERCENTAGE_MULTIPLIER and PERCENTAGE_DIVISOR are both set to
100, which is redundant; either consolidate them into a single constant (e.g.,
PERCENTAGE_SCALE or PERCENTAGE_FACTOR) and update all usages of
PERCENTAGE_MULTIPLIER and PERCENTAGE_DIVISOR to that single symbol, or keep both
but add clear comments explaining the distinct semantic roles (multiplying to
convert to percent vs dividing to convert to decimal) and ensure names reflect
those roles; update any imports/usages of PERCENTAGE_MULTIPLIER and
PERCENTAGE_DIVISOR to the chosen symbol and run tests to confirm no regressions.
- Around line 13-14: TTI_BUFFER_MS is hardcoded to 1000 while ONE_SECOND already
exists; update the constant so TTI_BUFFER_MS references ONE_SECOND instead of
the literal to make the relationship explicit and prevent divergence (locate the
constants ONE_SECOND and TTI_BUFFER_MS in constants.ts and replace the numeric
literal with ONE_SECOND).

In `@packages/shared/src/utils/config.ts`:
- Around line 27-31: The catch block in the function that reads config (the
catch handling the read of configPath / join(process.cwd(), "config.json")) uses
console.error which will conflict with the ultracite “No console” rule; replace
the console.error call with the shared logging utility (e.g., logger.error or
getLogger(...).error) or add a rule-allowlist comment if intentional; update the
error logging call in that catch to forward the same message and error object
via the shared logger (preserving the `${configPath || join(process.cwd(),
"config.json")}` context) so the lint rule is satisfied and debugging info is
preserved.

In `@benchmarks/didomi/app/didomi-client.tsx`:
- Around line 72-79: The Didomi SDK is currently passed a hard-coded API key via
the apiKey prop in the DidomiSDK JSX—move this secret into a client-safe
environment variable and rotate the exposed key: replace the literal string with
process.env.NEXT_PUBLIC_DIDOMI_API_KEY (or equivalent NEXT_PUBLIC_ var) and
ensure the build/runtime provides that env var, update any README or deployment
configs to set NEXT_PUBLIC_DIDOMI_API_KEY with the rotated value, and remove the
hard-coded value from the repo; validate in the DidomiSDK usage site (DidomiSDK
component in didomi-client.tsx) that the env var is used and that no other
hard-coded Didomi keys remain.

In `@packages/benchmark/src/bundle-strategy.ts`:
- Around line 4-31: The isIIFE/isArrayWithModules detection in
determineBundleStrategy fails to recognize the schema value "iffe" (schema uses
"iffe" while BUNDLE_TYPES.IIFE === "iife"), so update the checks to treat "iffe"
as equivalent to "iife": either expand legacyIifeType to include "iffe" or add
explicit comparisons against "iffe" wherever legacyIifeType or BUNDLE_TYPES.IIFE
is checked (references: determineBundleStrategy, rawBundleType, legacyIifeType,
isIIFE, isArrayWithModules) so that configs using "iffe" are correctly detected
as IIFE bundles and isBundled is computed correctly.

In `@packages/benchmark/src/perfume-collector.ts`:
- Around line 88-160: The loadPerfumeScript function currently attempts multiple
hardcoded possiblePaths before using createRequire/require.resolve; make
resolution more robust by trying
require.resolve("perfume.js/dist/perfume.umd.min.js") first (inside the existing
try/catch) and reading that file if found, then fall back to the existing
possiblePaths search and finally to the empty string fallback; update references
to readFileSync, createRequire, and require.resolve in loadPerfumeScript to
reflect this order and preserve the existing logger.warn fallback behavior.

In `@packages/benchmark/src/types.ts`:
- Around line 4-75: The BundleType union in packages/benchmark/src/types.ts is
using the wrong literal "iife"; change the BundleType type definition (symbol:
BundleType) to use "iffe" instead of "iife" so it matches the schema enum ("esm"
| "cjs" | "iffe" | "bundled"); also search for any other references to the
"iife" literal in this file or consumers and update them to "iffe" to keep types
consistent.

In `@packages/cookiebench-cli/README.md`:
- Around line 284-286: The README config example uses a boolean for
includes.backend which violates the benchmark-schema's includes.backend oneOf
(string | string[]); update the example to use either a single string or an
array of strings (e.g., "backend": "node" or "backend": ["node", "python"])
instead of false, ensuring the example matches the includes.backend schema rule
in the benchmark-schema and will validate.

In `@packages/cookiebench-cli/src/commands/results.ts`:
- Around line 281-299: The code currently accepts and assigns empty result
arrays to results[appFromFile], which later causes divide-by-zero when
reducers/averages use data.results.length; update the block that checks
appFromFile and data.results to also check that data.results.length > 0 (or
!isEmpty) and if zero log a warning (using logger.warn) mentioning the file and
appFromFile and continue, so only non-empty result sets are stored in results;
touch the symbols results, appFromFile, data.results, logger, and file in the
same conditional block.

In `@packages/cookiebench-cli/src/commands/save.ts`:
- Around line 543-550: cookieBannerVisibleTimeMs currently sums potentially
null/undefined values from appResults (timing.cookieBanner.userVisibleTime or
visibilityTime) which can produce NaN; update the calculation in save.ts to
first map each appResult to the numeric value (prefer userVisibleTime then
visibilityTime), filter out non-finite values (null/undefined/NaN), then compute
the average by dividing by the filtered count (guarding against zero length) so
you return 0 or undefined when no valid timings exist; reference
cookieBannerVisibleTimeMs, appResults, timing.cookieBanner.userVisibleTime and
timing.cookieBanner.visibilityTime when locating and modifying the logic.
- Around line 642-649: The bannerVisibilityTime average can produce NaN when
some entries lack timing values; update the computation for bannerVisibilityTime
in save.ts to only sum defined values and divide by the count of entries that
have either timing.cookieBanner.userVisibleTime or
timing.cookieBanner.visibilityTime (defaulting to 0 if count is zero), i.e.
filter/map appResults to extract the first defined value per item, accumulate
and divide by the number of defined items; adjust the calculation that currently
uses appResults.reduce(...) so it uses a filtered sum/count approach referencing
bannerVisibilityTime, appResults, timing.cookieBanner.userVisibleTime and
timing.cookieBanner.visibilityTime.

In `@packages/cookiebench-cli/src/commands/scores.ts`:
- Around line 221-368: Duplicate metric-aggregation logic surrounding the
calculateScores call should be moved into a shared helper so both scores.ts and
save.ts reuse the same implementation; create a function (e.g.,
aggregateAppResults or computeAggregateMetrics) that accepts appResults and
returns the three metric objects (core timings, sizes, resource stats, cookie
banner metrics, etc.) plus any optional fields currently passed into
calculateScores, replace the inline reduce/map blocks in scores.ts (around
calculateScores) and the matching logic in save.ts to call this helper, and
export/import that helper from a shared module so calculateScores is invoked
with the single shared aggregated result to eliminate duplication and keep
behavior consistent.

In `@packages/cookiebench-cli/src/index.ts`:
- Around line 50-84: The CLI parsing branches for "--trace", "--profile", and
"--cache-mode" access args[index + 1] without checking bounds; update each
branch to first verify that args[index + 1] is defined and non-empty and if not
throw a clear "Missing value for --trace" (or "--profile"/"--cache-mode") error,
otherwise proceed to validate the value and set parsed.traceMode,
parsed.profile, or parsed.cacheMode and advance index; ensure the new check is
added before any validation logic that reads value so undefined values produce
the specific missing-value error instead of the generic invalid-value error.

In `@packages/cookiebench-cli/tsconfig.json`:
- Around line 1-15: Update this package tsconfig to explicitly extend the shared
tsconfig.base.json and only override settings that must differ so there is no
ambiguity between "target", "module", and "moduleResolution"; specifically
modify the package's tsconfig.json to include "extends": "tsconfig.base.json" at
the top and move any intentional deviations (e.g., target: ES2020, module:
ESNext, moduleResolution: bundler) into a minimal "compilerOptions" override, or
remove them if they should inherit the base defaults—ensuring the file clearly
documents why any overrides exist so builds use a single authoritative base plus
explicit, intentional differences.

In `@packages/runner/src/benchmark-runner.ts`:
- Around line 230-305: The runSingleBenchmark flow currently only calls
collector.cleanup() and this.networkMonitor.reset() on the success path, so
failures (e.g., in page.goto, waitForElement, or metric collectors) leave state
dirty; wrap the core navigation/collection logic inside a try/finally (or
try/catch/finally) in runSingleBenchmark so that collector.cleanup() and
this.networkMonitor.reset() are always invoked in the finally block, ensuring
cleanup even on errors while preserving existing error propagation (rethrow or
allow to bubble) and keeping existing log behavior.

In `@README.md`:
- Around line 103-104: The README's `bundleType` enum value is incorrect (it
lists "iife" while the schema in packages/benchmark-schema/schema.json defines
"iffe"); update the README documentation where `bundleType` is described to list
the exact enum values "esm", "cjs", "iffe", and "bundled" so it matches the
schema and avoid the typo. Reference the `bundleType` entry in README and ensure
wording matches the `benchmark-schema`'s enum.