@critiq/rules 0.0.1

package/rules/shared/security.no-hardcoded-credentials.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.no-hardcoded-credentials
+  title: Hardcoded API keys or credentials
+  summary: Source files should not embed credential-like string literals.
+  rationale: Hardcoded credentials are difficult to rotate and are easily leaked through source control.
+  tags:
+    - security
+    - secrets
+    - credentials
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.hardcoded-credentials
+    bind: credential
+emit:
+  finding:
+    category: security.secrets
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - secrets
+      - credentials
+  message:
+    title: Avoid hardcoded credentials in `${captures.credential.text}`
+    summary: "`${captures.credential.text}` appears to embed a credential-like literal in source code."
+  remediation:
+    summary: Move the secret to a secure runtime secret store or environment-backed config path.

package/rules/shared/security.no-request-path-file-read.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.no-request-path-file-read
+  title: Path traversal via user input
+  summary: File access calls must not use request-controlled paths directly.
+  rationale: User-controlled paths can escape the intended directory and expose sensitive files.
+  tags:
+    - security
+    - filesystem
+    - path-traversal
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.request-path-file-read
+    bind: fileRead
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - filesystem
+      - path-traversal
+  message:
+    title: Avoid request-controlled file access in `${captures.fileRead.text}`
+    summary: "`${captures.fileRead.text}` reads from a path derived from request data without an allowlist or boundary check."
+  remediation:
+    summary: Resolve the path against a trusted base directory and reject values that escape it.

package/rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.no-sensitive-data-in-logs-and-telemetry
+  title: Avoid sensitive data in logs and telemetry
+  summary: Sensitive fields should not be sent to logging, tracing, or analytics sinks.
+  rationale: Observability payloads often leave the service boundary and can expose secrets, account identifiers, or personal data if they carry raw request or user fields.
+  tags:
+    - security
+    - privacy
+    - logging
+    - telemetry
+    - rules-catalog
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.sensitive-data-in-logs-and-telemetry
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - privacy
+      - logging
+      - telemetry
+  message:
+    title: Remove sensitive data from logs and telemetry
+    summary: "`${captures.issue.text}` reaches a logging or telemetry sink with sensitive data."
+  remediation:
+    summary: Redact, hash, or drop the sensitive field before it reaches the sink.

package/rules/shared/security.no-sql-interpolation.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.no-sql-interpolation
+  title: Avoid raw or interpolated SQL
+  summary: Database query sinks must not receive request-driven or dynamically interpolated SQL text.
+  rationale: Raw or interpolated SQL can let attackers control query structure when values are not passed separately.
+  tags:
+    - security
+    - sql
+    - injection
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.sql-interpolation
+    bind: queryCall
+emit:
+  finding:
+    category: security.injection
+    severity: high
+    confidence: 0.95
+    tags:
+      - security
+      - sql
+      - injection
+  message:
+    title: Avoid interpolated SQL in `${captures.queryCall.text}`
+    summary: "`${captures.queryCall.text}` builds or forwards SQL text directly into a raw query sink."
+  remediation:
+    summary: Use prepared statements, placeholder parameters, or a typed query builder instead of executing raw SQL text.

package/rules/shared/security.tls-verification-disabled.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.tls-verification-disabled
+  title: TLS verification disabled
+  summary: Transport clients should not disable certificate verification.
+  rationale: Trust-all TLS settings accept any certificate and undermine transport security.
+  tags:
+    - security
+    - transport
+    - tls
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.tls-verification-disabled
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - transport
+      - tls
+  message:
+    title: TLS verification disabled in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` disables certificate verification or trust validation."
+  remediation:
+    summary: Use trusted certificate validation and remove trust-all overrides outside local development.

package/rules/shared/security.unsafe-deserialization.rule.yaml

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.unsafe-deserialization
+  title: Protect deserialization trust boundaries
+  summary: Deserializers should not consume untrusted payloads directly across a trust boundary.
+  rationale: Deserializing untrusted payloads can let attacker-controlled data reshape parser state, object graphs, or downstream runtime behavior.
+  tags:
+    - security
+    - deserialization
+    - rules-catalog
+    - crq-sec-028
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.unsafe-deserialization
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - deserialization
+  message:
+    title: Constrain the trust boundary before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` deserializes an untrusted payload across a trust boundary."
+  remediation:
+    summary: Deserialize only from trusted producers, or validate and constrain the payload shape before crossing the deserialization boundary.

package/rules/shared/security.weak-hash-algorithm.rule.yaml

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.weak-hash-algorithm
+  title: Avoid weak hash algorithms
+  summary: Cryptographic hashing should use modern, collision-resistant algorithms.
+  rationale: Weak digests such as MD5 and SHA-1 are vulnerable to collisions and should not be used for security-sensitive hashing.
+  tags:
+    - security
+    - crypto
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.weak-hash-algorithm
+    bind: issue
+emit:
+  finding:
+    category: security.secrets
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - crypto
+      - hash
+  message:
+    title: Avoid weak hash algorithms
+    summary: "`${captures.issue.text}` uses a weak hash algorithm."
+  remediation:
+    summary: Use SHA-256, SHA-384, SHA-512, or a stronger approved hashing primitive instead.

package/rules/typescript/ts.config.no-process-env-outside-config.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.config.no-process-env-outside-config
+  title: Avoid direct `process.env` access outside config
+  summary: Keep environment variable access inside config modules.
+  rationale: Centralized config makes environment handling predictable and testable.
+  tags:
+    - config
+    - rules-catalog
+scope:
+  languages:
+    - typescript
+  paths:
+    exclude:
+      - "**/config/**"
+match:
+  node:
+    kind: MemberExpression
+    bind: envAccess
+    where:
+      - path: object.object.text
+        equals: process
+      - path: object.property.text
+        equals: env
+emit:
+  finding:
+    category: maintainability
+    severity: medium
+    confidence: high
+    tags:
+      - config
+  message:
+    title: Avoid `${captures.envAccess.text}`
+    summary: Keep `${captures.envAccess.text}` access inside config modules.
+  remediation:
+    summary: Read the environment value in a config module and inject it where needed.

package/rules/typescript/ts.correctness.blocking-call-in-async-flow.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.blocking-call-in-async-flow
+  title: Blocking call inside async flow
+  summary: Async functions should not call synchronous blocking APIs on the hot path.
+  rationale: Blocking sync APIs stall the event loop and erase the throughput benefits of async control flow.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-013
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.blocking-call-in-async-flow
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.75
+    tags:
+      - correctness
+      - async
+  message:
+    title: Avoid blocking sync calls in async flows
+    summary: "`${captures.issue.text}` uses a blocking sync API inside an async function."
+  remediation:
+    summary: Replace the sync API with its asynchronous equivalent or move the blocking work out of the async request path.

package/rules/typescript/ts.correctness.constant-condition.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.constant-condition
+  title: Always-true or always-false condition
+  summary: Flow-control conditions should not resolve to a constant boolean value.
+  rationale: Constant conditions hide dead branches and usually signal leftover debug code or a mistaken comparison.
+  tags:
+    - correctness
+    - logic
+    - rules-catalog
+    - crq-cor-006
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: control-flow.constant-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - logic
+  message:
+    title: Review constant condition
+    summary: "`${captures.issue.text}` always resolves to the same boolean value."
+  remediation:
+    summary: Replace the constant predicate with a real runtime check or remove the dead branch.

package/rules/typescript/ts.correctness.implicit-undefined-return.rule.yaml

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.implicit-undefined-return
+  title: Implicit undefined return in function
+  summary: Functions that return a value on some paths must not fall through implicitly.
+  rationale: Mixed value-return and implicit-fallthrough paths are a common source of undefined behavior.
+  tags:
+    - correctness
+    - control-flow
+    - rules-catalog
+    - crq-cor-005
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: control-flow.implicit-undefined-return
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - control-flow
+  message:
+    title: Avoid implicit undefined return
+    summary: This function returns a value on some paths but falls through without returning on others.
+  remediation:
+    summary: Return a value on every reachable path or make the function consistently void.

package/rules/typescript/ts.correctness.incorrect-boolean-logic.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.incorrect-boolean-logic
+  title: Incorrect boolean logic (AND/OR misuse)
+  summary: Comparison chains on the same value must use the boolean operator that matches the intended logic.
+  rationale: Using `&&` for mutually exclusive equality checks or `||` for inequality chains produces conditions that can never behave as intended.
+  tags:
+    - correctness
+    - logic
+    - rules-catalog
+    - crq-cor-008
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: control-flow.incorrect-boolean-logic
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - logic
+  message:
+    title: Review boolean comparison logic
+    summary: "`${captures.issue.text}` uses an AND/OR comparison chain that cannot behave as intended."
+  remediation:
+    summary: Use `||` for equality alternatives or `&&` for inequality exclusions, depending on the intended condition.

package/rules/typescript/ts.correctness.missing-await-on-async-call.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-await-on-async-call
+  title: Missing await on async call
+  summary: Async functions should not drop direct async calls without awaiting them.
+  rationale: Unawaited async work in an async function often indicates a missed dependency or a promise that can reject outside the intended control flow.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-011
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.missing-await
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - async
+  message:
+    title: Await direct async work
+    summary: "`${captures.issue.text}` starts async work without `await`."
+  remediation:
+    summary: Await the call, return the promise explicitly, or document a deliberate fire-and-forget path outside the async flow.

package/rules/typescript/ts.correctness.missing-default-dispatch.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-default-dispatch
+  title: Missing default case in switch or conditional dispatch
+  summary: Dispatch constructs should include an explicit default or final else path.
+  rationale: Default handling makes control-flow intent explicit and avoids silent fallthrough for unhandled values.
+  tags:
+    - correctness
+    - control-flow
+    - rules-catalog
+    - crq-cor-007
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: control-flow.missing-default-dispatch
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - control-flow
+  message:
+    title: Add an explicit default dispatch path
+    summary: "Review `${captures.issue.text}` and add a `default` case or final `else`."
+  remediation:
+    summary: Handle the fallback branch explicitly so unexpected values do not rely on implicit behavior.

package/rules/typescript/ts.correctness.missing-timeout-on-external-call.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-timeout-on-external-call
+  title: Missing timeout on external call
+  summary: External HTTP calls should declare timeout or cancellation behavior.
+  rationale: Network calls without explicit timeouts can hang indefinitely and make retry or fallback behavior unreliable.
+  tags:
+    - correctness
+    - resilience
+    - rules-catalog
+    - crq-cor-014
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: resilience.missing-timeout-on-external-call
+    bind: issue
+emit:
+  finding:
+    category: correctness.resilience
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - resilience
+  message:
+    title: Configure timeouts on external calls
+    summary: "`${captures.issue.text}` performs an external call without explicit timeout or cancellation settings."
+  remediation:
+    summary: Add a timeout-bearing config object, such as `signal` for `fetch` or `timeout` for axios.

package/rules/typescript/ts.correctness.nested-property-access-without-check.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.nested-property-access-without-check
+  title: Nested property access without existence check
+  summary: Deep property chains derived from external input should verify intermediate values before access.
+  rationale: Multi-hop access into request or payload objects is brittle when any segment can be absent, renamed, or malformed.
+  tags:
+    - correctness
+    - "null"
+    - rules-catalog
+    - crq-cor-002
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: data-flow.nested-property-access-without-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.null
+    severity: medium
+    confidence: 0.8
+    tags:
+      - correctness
+      - "null"
+  message:
+    title: Check nested external-input paths before use
+    summary: "`${captures.issue.text}` walks a deep property chain without checking that each segment exists."
+  remediation:
+    summary: Add guards for the intermediate objects or switch the chain to explicit optional access with a fallback.

package/rules/typescript/ts.correctness.off-by-one-loop-boundary.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.off-by-one-loop-boundary
+  title: Off-by-one error in loop boundaries
+  summary: Index-based loops should not skip the first element or iterate one step past the collection boundary.
+  rationale: Off-by-one loop conditions frequently cause undefined reads, missed work, or stale guard logic around array bounds.
+  tags:
+    - correctness
+    - logic
+    - rules-catalog
+    - crq-cor-009
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: control-flow.off-by-one-loop-boundary
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - logic
+  message:
+    title: Review loop boundary condition
+    summary: "`${captures.issue.text}` likely skips or overruns one loop iteration."
+  remediation:
+    summary: Use `< collection.length` for ascending loops and `>= 0` for descending loops that start at `length - 1`.