@critiq/rules 0.0.1

package/rules/typescript/ts.quality.deep-nesting.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.deep-nesting
+  title: Deep nesting reducing readability
+  summary: Deeply nested control flow should be flattened where practical.
+  rationale: Deep nesting increases cognitive load and makes edge cases harder to reason about during review.
+  tags:
+    - quality
+    - structure
+    - rules-catalog
+    - crq-qua-042
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.deep-nesting
+    bind: issue
+emit:
+  finding:
+    category: quality.structure
+    severity: low
+    confidence: 0.9
+    tags:
+      - quality
+      - structure
+  message:
+    title: Flatten deeply nested control flow
+    summary: Review `${captures.issue.text}` and reduce indentation depth.
+  remediation:
+    summary: Use guard clauses, helper functions, or early returns to keep the main path shallow.

package/rules/typescript/ts.quality.duplicate-code-block.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.duplicate-code-block
+  title: Duplicate code block
+  summary: Large duplicated function bodies across files make behavior harder to maintain safely.
+  rationale: Duplicated logic often diverges over time and increases the cost of fixes, testing, and future changes.
+  tags:
+    - quality
+    - duplication
+    - rules-catalog
+    - crq-qua-043
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.duplicate-code-block
+    bind: issue
+emit:
+  finding:
+    category: quality.duplication
+    severity: low
+    confidence: 0.75
+    tags:
+      - quality
+      - duplication
+  message:
+    title: Extract duplicated logic into a shared unit
+    summary: "`${captures.issue.text}` duplicates a substantial code block already present elsewhere in the project."
+  remediation:
+    summary: Extract the shared logic into a common helper or module and keep one maintained implementation.

package/rules/typescript/ts.quality.function-too-large-or-complex.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.function-too-large-or-complex
+  title: Function too large or too complex
+  summary: Oversized or overly complex functions should be split into smaller units.
+  rationale: Large functions are harder to test, review, and change safely because behavior and branching accumulate in one place.
+  tags:
+    - quality
+    - structure
+    - rules-catalog
+    - crq-qua-041
+  stability: stable
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.function-too-large-or-complex
+    bind: issue
+emit:
+  finding:
+    category: quality.structure
+    severity: low
+    confidence: 0.95
+    tags:
+      - quality
+      - structure
+  message:
+    title: Split large or complex functions
+    summary: Review `${captures.issue.text}` and extract smaller units of behavior.
+  remediation:
+    summary: Break the function into helpers, reduce branching, and isolate independent responsibilities.

package/rules/typescript/ts.quality.hardcoded-configuration-values.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.hardcoded-configuration-values
+  title: Hardcoded configuration values
+  summary: Config-like values should usually come from configuration sources rather than source literals.
+  rationale: Hardcoded service URLs, timeouts, and regions make deployments harder to vary and review safely.
+  tags:
+    - quality
+    - configuration
+    - rules-catalog
+    - crq-qua-044
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.hardcoded-configuration-values
+    bind: issue
+emit:
+  finding:
+    category: quality.configuration
+    severity: low
+    confidence: 0.8
+    tags:
+      - quality
+      - configuration
+  message:
+    title: Externalize config-like literals
+    summary: Review `${captures.issue.text}` and move config-like literals behind a configuration source.
+  remediation:
+    summary: Load the value from env, params, or a dedicated config module instead of hardcoding it in source.

package/rules/typescript/ts.quality.logic-change-without-test-updates.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.logic-change-without-test-updates
+  title: Logic change without corresponding test updates
+  summary: Diffs that change critical logic should usually update the matching tests in the same change.
+  rationale: Critical logic changes without test updates are easy to miss in review and increase regression risk.
+  tags:
+    - quality
+    - testing
+    - rules-catalog
+    - crq-qua-050
+  stability: stable
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+  changedLinesOnly: true
+match:
+  fact:
+    kind: quality.logic-change-without-test-updates
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.7
+    tags:
+      - quality
+      - testing
+  message:
+    title: Update tests alongside critical logic changes
+    summary: "`${captures.issue.text}` changed without a corresponding test file change in the same diff."
+  remediation:
+    summary: Update or add the matching tests in the same change so the new behavior is exercised by the diff.

package/rules/typescript/ts.quality.magic-numbers-or-strings.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.magic-numbers-or-strings
+  title: Magic numbers or magic strings
+  summary: Non-trivial literals in logic should be named to explain their meaning.
+  rationale: Bare literals hide domain meaning and make future changes riskier because intent is not captured in code.
+  tags:
+    - quality
+    - readability
+    - rules-catalog
+    - crq-qua-045
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.magic-numbers-or-strings
+    bind: issue
+emit:
+  finding:
+    category: quality.readability
+    severity: low
+    confidence: 0.65
+    tags:
+      - quality
+      - readability
+  message:
+    title: Name magic literals
+    summary: Review `${captures.issue.text}` and replace unexplained literals with named constants.
+  remediation:
+    summary: Extract the literal into a descriptive constant or enum so the intent is explicit.

package/rules/typescript/ts.quality.missing-error-context.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.missing-error-context
+  title: Missing error context or logging
+  summary: Catch blocks should include the caught error when they log or rethrow.
+  rationale: Logging or rethrowing without the original error strips the context needed to diagnose the failure.
+  tags:
+    - quality
+    - error-handling
+    - rules-catalog
+    - crq-qua-048
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: error-handling.missing-error-context
+    bind: issue
+emit:
+  finding:
+    category: quality.error-handling
+    severity: low
+    confidence: 0.8
+    tags:
+      - quality
+      - error-handling
+  message:
+    title: Preserve the original error context
+    summary: "Review `${captures.issue.text}` and include the caught error in the log or rethrow."
+  remediation:
+    summary: Pass the caught error to the logger or preserve it when constructing the replacement error.

package/rules/typescript/ts.quality.missing-tests-for-critical-logic.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.missing-tests-for-critical-logic
+  title: Missing tests for critical logic
+  summary: Critical auth, payment, or similar business logic should have a matching test file.
+  rationale: Important business and security logic needs direct regression coverage to keep changes safe and reviewable.
+  tags:
+    - quality
+    - testing
+    - rules-catalog
+    - crq-qua-049
+  stability: stable
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.missing-tests-for-critical-logic
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.8
+    tags:
+      - quality
+      - testing
+  message:
+    title: Add tests for critical logic paths
+    summary: "`${captures.issue.text}` looks like critical logic but no matching test file was found."
+  remediation:
+    summary: Add a focused unit or integration test that covers the critical behavior before future changes land.

package/rules/typescript/ts.quality.swallowed-error.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.swallowed-error
+  title: Errors swallowed silently
+  summary: Catch blocks must log, reject, or rethrow failures instead of dropping them silently.
+  rationale: Silent catch blocks hide failures and make production diagnosis unnecessarily difficult.
+  tags:
+    - quality
+    - error-handling
+    - rules-catalog
+    - crq-qua-047
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: error-handling.swallowed-error
+    bind: issue
+emit:
+  finding:
+    category: quality.error-handling
+    severity: medium
+    confidence: 0.95
+    tags:
+      - quality
+      - error-handling
+  message:
+    title: Do not swallow caught errors
+    summary: "Review `${captures.issue.text}` and propagate or record the failure."
+  remediation:
+    summary: Rethrow the error, reject the async flow, or log the failure through a recognized error sink.

package/rules/typescript/ts.quality.tight-module-coupling.rule.yaml

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.tight-module-coupling
+  title: Tight coupling between modules
+  summary: Direct import cycles between modules increase coupling and make change boundaries harder to maintain.
+  rationale: Cyclic dependencies complicate initialization order, testing, and architecture boundaries.
+  tags:
+    - quality
+    - architecture
+    - rules-catalog
+    - crq-qua-046
+  stability: stable
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.tight-module-coupling
+    bind: issue
+emit:
+  finding:
+    category: quality.architecture
+    severity: medium
+    confidence: 0.9
+    tags:
+      - quality
+      - architecture
+  message:
+    title: Break direct cyclic imports between modules
+    summary: "`${captures.issue.text}` participates in a direct module import cycle."
+  remediation:
+    summary: Extract shared types or helpers into a third module, or invert the dependency so the cycle disappears.

package/rules/typescript/ts.random.no-math-random-in-core.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.random.no-math-random-in-core
+  title: Avoid `Math.random()` in core code
+  summary: Core code should not depend on nondeterministic random generation.
+  rationale: Randomness in core logic makes behavior hard to test and reason about.
+  tags:
+    - determinism
+    - rules-catalog
+scope:
+  languages:
+    - typescript
+  paths:
+    include:
+      - "**/core/**"
+match:
+  node:
+    kind: CallExpression
+    bind: randomCall
+    where:
+      - path: callee.object.text
+        equals: Math
+      - path: callee.property.text
+        equals: random
+emit:
+  finding:
+    category: maintainability
+    severity: medium
+    confidence: high
+    tags:
+      - determinism
+  message:
+    title: Avoid `${captures.randomCall.text}`
+    summary: Replace `${captures.randomCall.text}` with an injected randomness source.
+  remediation:
+    summary: Pass a random source into core logic instead of calling `Math.random()` directly.

package/rules/typescript/ts.react.no-cascaded-effect-fetches.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-cascaded-effect-fetches
+  title: Avoid cascaded fetches inside React effects
+  summary: React effects should not serialize independent fetches that can run in parallel or move server-side.
+  rationale: Waterfall-style fetches delay rendering and hide data-loading cost inside client effects.
+  tags:
+    - performance
+    - react
+    - next
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.react-effect-fetch-waterfall
+    bind: issue
+emit:
+  finding:
+    category: performance.ui
+    severity: medium
+    confidence: 0.82
+    tags:
+      - performance
+      - react
+      - next
+  message:
+    title: Avoid cascaded fetches inside React effects
+    summary: "`${captures.issue.text}` serializes fetches inside a React effect."
+  remediation:
+    summary: Parallelize the requests, move data loading server-side, or cache the first response before issuing the next request.
+

package/rules/typescript/ts.runtime.no-debugger-statement.rule.yaml

@@ -0,0 +1,29 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.runtime.no-debugger-statement
+  title: Remove `debugger;`
+  summary: Remove debugger statements before committing source files.
+  rationale: Debugger statements interrupt runtime execution and should not ship.
+  tags:
+    - runtime
+    - rules-catalog
+scope:
+  languages:
+    - typescript
+match:
+  node:
+    kind: DebuggerStatement
+    bind: statement
+emit:
+  finding:
+    category: maintainability
+    severity: medium
+    confidence: high
+    tags:
+      - runtime
+  message:
+    title: Remove `debugger;`
+    summary: Remove the debugger statement before committing the file.
+  remediation:
+    summary: Delete the debugger statement.

package/rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.bind-to-all-interfaces
+  title: Avoid binding to all interfaces
+  summary: Network-facing services should not explicitly bind to every interface unless public exposure is intentional and protected.
+  rationale: Binding to `0.0.0.0` or `::` can expose a service beyond the expected trust boundary and widen the reachable attack surface.
+  tags:
+    - security
+    - network
+    - exposure
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.bind-to-all-interfaces
+    bind: issue
+emit:
+  finding:
+    category: security.network
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - network
+      - exposure
+  message:
+    title: Restrict interface binding in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` explicitly binds a network-facing service to every interface."
+  remediation:
+    summary: Bind to loopback or a specific interface unless public exposure is an intentional deployment requirement with compensating controls.

package/rules/typescript/ts.security.browser-token-storage.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.browser-token-storage
+  title: Avoid browser token storage
+  summary: Access and session tokens should not be stored in long-lived browser storage.
+  rationale: Long-lived browser storage exposes tokens to script access and increases the impact of XSS or device compromise.
+  tags:
+    - security
+    - authentication
+    - storage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ts.security.browser-token-storage
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - authentication
+      - storage
+  message:
+    title: Avoid storing tokens in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` stores an access or session token in browser storage."
+  remediation:
+    summary: Keep tokens in HttpOnly cookies or in memory, and avoid long-lived cleartext browser storage.
+

package/rules/typescript/ts.security.dangerous-insert-html.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.dangerous-insert-html
+  title: Avoid unsafe DOM HTML insertion sinks
+  summary: "`outerHTML`, `document.write*`, and `insertAdjacentHTML` should only receive fixed or explicitly sanitized HTML."
+  rationale: HTML-capable DOM insertion sinks can execute attacker-controlled markup unless the HTML is fixed or strongly sanitized first.
+  tags:
+    - security
+    - xss
+    - output-encoding
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dangerous-insert-html
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.92
+    tags:
+      - security
+      - xss
+      - output-encoding
+  message:
+    title: Avoid unsafe HTML insertion in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses an HTML-capable DOM sink with non-literal, non-sanitized content."
+  remediation:
+    summary: Insert text with safe DOM APIs, or pass only fixed or explicitly sanitized HTML to the sink.

package/rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.dangerously-set-inner-html
+  title: Avoid unsafe `dangerouslySetInnerHTML`
+  summary: React `dangerouslySetInnerHTML` should only render fixed or explicitly sanitized HTML.
+  rationale: React bypasses its normal escaping model when `dangerouslySetInnerHTML` is used, which makes unsanitized HTML a direct XSS sink.
+  tags:
+    - security
+    - xss
+    - react
+    - output-encoding
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dangerously-set-inner-html
+    bind: issue
+emit:
+  finding:
+    category: security.output-encoding
+    severity: high
+    confidence: 0.93
+    tags:
+      - security
+      - xss
+      - react
+      - output-encoding
+  message:
+    title: Avoid unsafe `dangerouslySetInnerHTML` in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` bypasses React escaping with non-literal, non-sanitized HTML."
+  remediation:
+    summary: Prefer normal React rendering, or pass only fixed or explicitly sanitized HTML to `dangerouslySetInnerHTML`.

package/rules/typescript/ts.security.datadog-browser-track-user-interactions.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.datadog-browser-track-user-interactions
+  title: Review Datadog RUM user interaction capture
+  summary: Datadog Browser RUM should not enable broad user interaction capture without a privacy review.
+  rationale: Automatic interaction capture can leak sensitive page content or element labels to third-party telemetry.
+  tags:
+    - security
+    - privacy
+    - telemetry
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.datadog-browser-track-user-interactions
+    bind: issue
+emit:
+  finding:
+    category: security.privacy
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - privacy
+      - telemetry
+  message:
+    title: Review `${captures.issue.text}` before enabling interaction capture
+    summary: "`${captures.issue.text}` turns on Datadog RUM user interaction tracking, which can capture sensitive UI context."
+  remediation:
+    summary: Disable broad interaction capture or add explicit scrubbing and allowlisted action naming before enabling it.
+