npm - @critiq/rules - Versions diffs - 0.0.1 → 0.1.0 - Mend

@critiq/rules 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

package/rules/shared/security.external-file-upload.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.external-file-upload
+  title: Do not persist upload filenames directly
+  summary: Upload handlers should not store attacker-controlled filenames without generating or validating a safe local name.
+  rationale: Upload filenames can carry traversal payloads, collisions, or misleading extensions that break local containment.
+  tags:
+    - security
+    - filesystem
+    - upload
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.external-file-upload
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - filesystem
+      - upload
+  message:
+    title: Generate a trusted local filename for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` persists an upload filename derived from attacker-controlled input."
+  remediation:
+    summary: Generate a server-side filename or apply a strict allowlist before storing uploaded content.

package/rules/shared/security.permissive-file-permissions.rule.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.permissive-file-permissions
+  title: Avoid world-readable or world-writable file permissions
+  summary: File creation and permission changes should not grant broad local access.
+  rationale: Broad permissions expose application data to local users or processes that should not read or modify it.
+  tags:
+    - security
+    - filesystem
+    - permissions
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+    - java
+    - php
+    - python
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.permissive-file-permissions
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - filesystem
+      - permissions
+  message:
+    title: Tighten file permissions for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` grants world-readable or world-writable filesystem access."
+  remediation:
+    summary: Use least-privilege file modes and avoid world-readable or world-writable permissions.

package/rules/shared/security.sensitive-data-egress.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.sensitive-data-egress
+  title: Sensitive data egress to third-party processors
+  summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
+  rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  tags:
+    - security
+    - privacy
+    - data-exposure
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - python
+    - rust
+match:
+  fact:
+    kind: security.sensitive-data-egress
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.8
+    tags:
+      - security
+      - privacy
+      - data-exposure
+  message:
+    title: Avoid sending sensitive data through `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sends request or identity data to an outbound processor."
+  remediation:
+    summary: Minimize the payload, redact sensitive fields, or route the data only to approved processors.

package/rules/typescript/ts.correctness.assignment-in-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.assignment-in-condition
+  title: Assignment used as a conditional test
+  summary: Control-flow conditions should compare values, not perform assignments.
+  rationale: Using `=` where `===` was intended is a common defect; assignments in conditions also obscure data flow.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-016
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.assignment-in-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace assignment in condition
+    summary: "`${captures.issue.text}` performs assignment where a boolean predicate is expected."
+  remediation:
+    summary: Use a comparison operator or move the assignment before the condition. Note that the parser may not preserve extra grouping parentheses around the assignment.

package/rules/typescript/ts.correctness.assignment-to-import-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.assignment-to-import-binding
+  title: Assignment to an imported binding
+  summary: Code assigns to or updates a symbol declared by an import.
+  rationale: ES module imports are read-only bindings; reassignment fails at runtime and signals a mistaken refactor.
+  tags:
+    - correctness
+    - modules
+    - rules-catalog
+    - crq-cor-021
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.assignment-to-import-binding
+    bind: issue
+emit:
+  finding:
+    category: correctness.modules
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - modules
+  message:
+    title: Do not assign to imported bindings
+    summary: "`${captures.issue.text}` mutates a symbol declared by an import."
+  remediation:
+    summary: Use a local variable, change the exporting module, or refactor so imports remain immutable.

package/rules/typescript/ts.correctness.async-promise-executor.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.async-promise-executor
+  title: Async Promise executor function
+  summary: The executor passed to `new Promise` is declared `async`.
+  rationale: Async executors defer errors and can swallow rejections; prefer a synchronous executor that calls `resolve`/`reject`.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-020
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.async-promise-executor
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.92
+    tags:
+      - correctness
+      - async
+  message:
+    title: Avoid async Promise executors
+    summary: "`${captures.issue.text}` is an async Promise executor, which can hide thrown errors."
+  remediation:
+    summary: Remove `async` from the executor and use `resolve`/`reject`, or wrap the async work without making the executor itself async.

package/rules/typescript/ts.correctness.duplicate-function-parameter.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-function-parameter
+  title: Duplicate function parameter names
+  summary: A function declares the same parameter name more than once.
+  rationale: Duplicate parameters are confusing and usually indicate a copy-paste or merge mistake.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-017
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-function-parameter
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate parameter
+    summary: "Duplicate parameter name `${captures.issue.text}` in the same parameter list."
+  remediation:
+    summary: Rename or remove the duplicate parameter so each binding is unique.

package/rules/typescript/ts.correctness.duplicate-import-source.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-import-source
+  title: Duplicate imports from the same module
+  summary: The file imports from the same module path more than once.
+  rationale: Multiple import declarations for one module increase bundle noise and can diverge over time.
+  tags:
+    - correctness
+    - modules
+    - rules-catalog
+    - crq-cor-024
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-import-source
+    bind: issue
+emit:
+  finding:
+    category: correctness.modules
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - modules
+  message:
+    title: Consolidate duplicate imports
+    summary: "`${captures.issue.text}` imports from a module path already imported above."
+  remediation:
+    summary: Merge named imports into a single `import` declaration from that module.

package/rules/typescript/ts.correctness.duplicate-object-key.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-object-key
+  title: Duplicate keys in object literal
+  summary: An object literal repeats the same static property name.
+  rationale: Later entries silently override earlier ones, hiding bugs during refactors.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-018
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-object-key
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Resolve duplicate object key
+    summary: "This object literal repeats a static property key; later entries override earlier ones."
+  remediation:
+    summary: Merge the values or delete the redundant property so each key is declared once.

package/rules/typescript/ts.correctness.duplicate-switch-case.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.duplicate-switch-case
+  title: Duplicate switch case labels
+  summary: A switch repeats the same case discriminant.
+  rationale: Unreachable duplicate cases usually mean a merge error or incomplete refactor.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-019
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.duplicate-switch-case
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove duplicate switch case
+    summary: "This switch repeats an earlier case discriminant, so the branch is unreachable."
+  remediation:
+    summary: Delete the unreachable duplicate case or change the discriminant so each branch is distinct.

package/rules/typescript/ts.correctness.empty-block-statement.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.empty-block-statement
+  title: Empty block statement
+  summary: A control-flow or try/catch branch uses an empty `{}` block.
+  rationale: Empty blocks hide missing logic, swallowed errors, or incomplete refactors and often mask bugs.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-025
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.empty-block-statement
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace or remove empty block
+    summary: "This block has no statements; add behavior, a comment explaining intent, or delete the branch."
+  remediation:
+    summary: Add the intended statements, throw or log in error paths, or remove the branch if it is dead code.

package/rules/typescript/ts.correctness.identical-comparison-operands.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.identical-comparison-operands
+  title: Identical comparison operands
+  summary: Both sides of a comparison use the same source text.
+  rationale: Comparing an expression to itself is either always true or always false and usually indicates a copy-paste defect.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-023
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.identical-comparison-operands
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Fix identical comparison operands
+    summary: "`${captures.issue.text}` compares an expression to itself."
+  remediation:
+    summary: Replace one operand with the value you meant to compare against.

package/rules/typescript/ts.correctness.reassign-catch-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.reassign-catch-binding
+  title: Reassignment of catch binding
+  summary: The catch clause parameter is assigned or updated after it is bound.
+  rationale: Catch bindings are immutable in strict mode and confusing in sloppy mode; reassignment usually indicates a mistaken mutation of the caught error.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-026
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.reassign-catch-binding
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Avoid reassigning the catch parameter
+    summary: "Use a new local variable instead of mutating the catch binding (for example `const err = e` then work with `err`)."
+  remediation:
+    summary: Introduce a separate variable for any transformed error value and leave the catch parameter read-only.

package/rules/typescript/ts.correctness.regexp-pattern-unusual-control-character.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.regexp-pattern-unusual-control-character
+  title: Unusual ASCII control characters in regexp pattern
+  summary: The regular expression pattern embeds low ASCII control characters outside common whitespace.
+  rationale: Literal control characters in patterns are hard to read, easy to corrupt in editors, and often indicate copy-paste or encoding mistakes.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-027
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.regexp-pattern-unusual-control-character
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.8
+    tags:
+      - correctness
+      - language
+  message:
+    title: Prefer escapes instead of raw control characters in regex patterns
+    summary: "Replace embedded control characters with explicit escapes (for example `\\x01` or `\\u0001`) so the pattern stays visible and stable."
+  remediation:
+    summary: Rewrite the pattern using visible escape sequences or character class escapes instead of raw C0 control bytes.

package/rules/typescript/ts.correctness.self-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.self-assignment
+  title: Self assignment
+  summary: An assignment uses the same expression on the left and right side.
+  rationale: Self-assignments are almost always dead code or a typo where a different value was intended.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-022
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.self-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove self assignment
+    summary: "`${captures.issue.text}` assigns a variable to itself."
+  remediation:
+    summary: Delete the statement or fix the right-hand side so it references the intended value.

package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.next.server-action-missing-local-auth
+  title: Authenticate Next.js Server Actions before mutations
+  summary: Server Actions that mutate state must validate sessions locally before reaching privileged sinks.
+  rationale: Server Actions behave like public POST endpoints and inherit the same authentication obligations as route handlers.
+  tags:
+    - security
+    - next
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.next-server-action-missing-local-auth
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.77
+    tags:
+      - security
+      - next
+  message:
+    title: Gate Server Actions with explicit authentication checks
+    summary: This Server Action performs privileged work without any preceding auth helpers.
+  remediation:
+    summary: >-
+      Call your auth/session helper before mutations and enforce ownership inside database predicates.

package/rules/typescript/ts.performance.no-array-spread-in-hot-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-array-spread-in-hot-loop
+  title: Avoid array spread inside hot loops
+  summary: Array spread or repeated concat in loops allocates per iteration and scales poorly.
+  rationale: Array spread or repeated concat in loops allocates per iteration and scales poorly.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-array-spread-in-hot-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.8
+    tags:
+      - performance
+  message:
+    title: Avoid array spread inside hot loops
+    summary: "`${captures.issue.text}` matches ts.performance.no-array-spread-in-hot-loop."
+  remediation:
+    summary: Refactor this path to avoid repeated work in hot execution paths.

package/rules/typescript/ts.performance.no-cache-miss-from-unstable-key.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-cache-miss-from-unstable-key
+  title: Avoid unstable cache-key construction
+  summary: Cache keys built from unstable values cause low hit rates and repeated recomputation.
+  rationale: Cache keys built from unstable values cause low hit rates and repeated recomputation.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-cache-miss-from-unstable-key
+    bind: issue
+emit:
+  finding:
+    category: performance.cache
+    severity: medium
+    confidence: 0.8
+    tags:
+      - performance
+  message:
+    title: Avoid unstable cache-key construction
+    summary: "`${captures.issue.text}` matches ts.performance.no-cache-miss-from-unstable-key."
+  remediation:
+    summary: Refactor this path to avoid repeated work in hot execution paths.