npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/typescript/ts.correctness.infinite-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.infinite-loop
+  title: Infinite Loop
+  summary: Detect obvious infinite loops
+  rationale: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.infinite-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Infinite Loop
+    summary: "`${captures.issue.text}` matches ts.correctness.infinite-loop."
+  remediation:
+    summary: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.

package/rules/typescript/ts.correctness.invalid-await-expression.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-await-expression
+  title: Invalid Await Expression
+  summary: Await only promise-like values
+  rationale: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.invalid-await-expression
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Invalid Await Expression
+    summary: "`${captures.issue.text}` matches ts.correctness.invalid-await-expression."
+  remediation:
+    summary: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.

package/rules/typescript/ts.correctness.invalid-typeof-comparison.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-typeof-comparison
+  title: Invalid typeof comparison string
+  summary: Compare typeof results only to known typeof strings.
+  rationale: typeof returns a fixed set of strings; other comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-030
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.invalid-typeof-comparison
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Fix typeof comparison
+    summary: "`${captures.issue.text}` compares typeof to a string that typeof never returns."
+  remediation:
+    summary: Compare against a valid typeof result or use a different type guard (for example Array.isArray).

package/rules/typescript/ts.correctness.missing-async-on-promise-method.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-async-on-promise-method
+  title: Missing Async On Promise Method
+  summary: Mark promise callbacks async when using await
+  rationale: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.missing-async-on-promise-method
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Missing Async On Promise Method
+    summary: "`${captures.issue.text}` matches ts.correctness.missing-async-on-promise-method."
+  remediation:
+    summary: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.

package/rules/typescript/ts.correctness.missing-super-call.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-super-call
+  title: Missing super() in subclass constructor
+  summary: Subclass constructors must call super() before using this.
+  rationale: Derived classes must initialize the base class; omitting super() is a runtime error when this is accessed.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-034
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.missing-super-call
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Call super() in the subclass constructor
+    summary: "`${captures.issue.text}` extends a base class but never calls super()."
+  remediation:
+    summary: Add `super(...)` as the first statement in the constructor (before using this).

package/rules/typescript/ts.correctness.no-floating-promise-in-function.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-floating-promise-in-function
+  title: No Floating Promise In Function
+  summary: Handle promise-returning calls explicitly
+  rationale: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.floating-promise-in-function
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Floating Promise In Function
+    summary: "`${captures.issue.text}` matches ts.correctness.no-floating-promise-in-function."
+  remediation:
+    summary: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.

package/rules/typescript/ts.correctness.no-misused-promises.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-misused-promises
+  title: No Misused Promises
+  summary: Do not pass async callbacks where sync is expected
+  rationale: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.misused-promises
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Misused Promises
+    summary: "`${captures.issue.text}` matches ts.correctness.no-misused-promises."
+  remediation:
+    summary: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.

package/rules/typescript/ts.correctness.promise-reject-non-error.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.promise-reject-non-error
+  title: Reject or throw non-Error values
+  summary: Promise rejections and async throws should use Error objects.
+  rationale: Non-Error rejections lose stack traces and are harder to handle consistently in async code.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-033
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.promise-reject-non-error
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - async
+  message:
+    title: Use Error for rejections and async throws
+    summary: "`${captures.issue.text}` rejects or throws a non-Error literal."
+  remediation:
+    summary: Reject or throw `new Error(...)` (or a typed Error subclass) instead of a string or other primitive.

package/rules/typescript/ts.correctness.reassign-catch-binding.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.reassign-catch-binding
+  title: Reassignment of catch binding
+  summary: The catch clause parameter is assigned or updated after it is bound.
+  rationale: Catch bindings are immutable in strict mode and confusing in sloppy mode; reassignment usually indicates a mistaken mutation of the caught error.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-026
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.reassign-catch-binding
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - language
+  message:
+    title: Avoid reassigning the catch parameter
+    summary: "Use a new local variable instead of mutating the catch binding (for example `const err = e` then work with `err`)."
+  remediation:
+    summary: Introduce a separate variable for any transformed error value and leave the catch parameter read-only.

package/rules/typescript/ts.correctness.regexp-pattern-unusual-control-character.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.regexp-pattern-unusual-control-character
+  title: Unusual ASCII control characters in regexp pattern
+  summary: The regular expression pattern embeds low ASCII control characters outside common whitespace.
+  rationale: Literal control characters in patterns are hard to read, easy to corrupt in editors, and often indicate copy-paste or encoding mistakes.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-027
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.regexp-pattern-unusual-control-character
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.8
+    tags:
+      - correctness
+      - language
+  message:
+    title: Prefer escapes instead of raw control characters in regex patterns
+    summary: "Replace embedded control characters with explicit escapes (for example `\\x01` or `\\u0001`) so the pattern stays visible and stable."
+  remediation:
+    summary: Rewrite the pattern using visible escape sequences or character class escapes instead of raw C0 control bytes.

package/rules/typescript/ts.correctness.self-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.self-assignment
+  title: Self assignment
+  summary: An assignment uses the same expression on the left and right side.
+  rationale: Self-assignments are almost always dead code or a typo where a different value was intended.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-022
+    - public-directory-parity
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.self-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.88
+    tags:
+      - correctness
+      - language
+  message:
+    title: Remove self assignment
+    summary: "`${captures.issue.text}` assigns a variable to itself."
+  remediation:
+    summary: Delete the statement or fix the right-hand side so it references the intended value.

package/rules/typescript/ts.correctness.this-before-super.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.this-before-super
+  title: this used before super()
+  summary: Do not use this or super members before calling super() in a subclass constructor.
+  rationale: Accessing this before super() in a derived constructor throws at runtime.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-035
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.this-before-super
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Move super() before this access
+    summary: "`${captures.issue.text}` uses this or super before super() runs."
+  remediation:
+    summary: Call `super(...)` before reading or assigning `this` in the constructor.

package/rules/typescript/ts.correctness.unnecessary-return-await.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.unnecessary-return-await
+  title: Unnecessary Return Await
+  summary: Remove redundant return await
+  rationale: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.unnecessary-return-await
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Unnecessary Return Await
+    summary: "`${captures.issue.text}` matches ts.correctness.unnecessary-return-await."
+  remediation:
+    summary: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.

package/rules/typescript/ts.correctness.use-number-is-nan.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.use-number-is-nan
+  title: Use Number.isNaN for NaN checks
+  summary: Do not compare values to NaN with `===` or `==`.
+  rationale: NaN is not equal to itself; identity comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-029
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.use-number-is-nan
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace NaN identity comparison
+    summary: "`${captures.issue.text}` compares to NaN with an equality operator."
+  remediation:
+    summary: Use `Number.isNaN(value)` (or `Number.isNaN` after coercion) instead of `value === NaN`.

package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.next.server-action-missing-local-auth
+  title: Authenticate Next.js Server Actions before mutations
+  summary: Server Actions that mutate state must validate sessions locally before reaching privileged sinks.
+  rationale: Server Actions behave like public POST endpoints and inherit the same authentication obligations as route handlers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+  tags:
+    - security
+    - next
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.next-server-action-missing-local-auth
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: high
+    confidence: 0.77
+    tags:
+      - security
+      - next
+  message:
+    title: Gate Server Actions with explicit authentication checks
+    summary: This Server Action performs privileged work without any preceding auth helpers.
+  remediation:
+    summary: >-
+      Call your auth/session helper before mutations and enforce ownership inside database predicates.

package/rules/typescript/ts.performance.no-array-spread-in-hot-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-array-spread-in-hot-loop
+  title: Avoid array spread inside hot loops
+  summary: Array spread or repeated concat in loops allocates per iteration and scales poorly.
+  rationale: Array spread or repeated concat in loops allocates per iteration and scales poorly.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-array-spread-in-hot-loop
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: high
+    confidence: 0.8
+    tags:
+      - performance
+  message:
+    title: Avoid array spread inside hot loops
+    summary: "`${captures.issue.text}` matches ts.performance.no-array-spread-in-hot-loop."
+  remediation:
+    summary: Refactor this path to avoid repeated work in hot execution paths.

package/rules/typescript/ts.performance.no-await-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-await-in-loop
+  title: No Await In Loop
+  summary: Avoid await inside loops
+  rationale: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-await-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance
+    severity: medium
+    confidence: 0.85
+    tags:
+      - performance
+  message:
+    title: No Await In Loop
+    summary: "`${captures.issue.text}` matches ts.performance.no-await-in-loop."
+  remediation:
+    summary: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.

package/rules/typescript/ts.performance.no-cache-miss-from-unstable-key.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-cache-miss-from-unstable-key
+  title: Avoid unstable cache-key construction
+  summary: Cache keys built from unstable values cause low hit rates and repeated recomputation.
+  rationale: Cache keys built from unstable values cause low hit rates and repeated recomputation.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-cache-miss-from-unstable-key
+    bind: issue
+emit:
+  finding:
+    category: performance.cache
+    severity: medium
+    confidence: 0.8
+    tags:
+      - performance
+  message:
+    title: Avoid unstable cache-key construction
+    summary: "`${captures.issue.text}` matches ts.performance.no-cache-miss-from-unstable-key."
+  remediation:
+    summary: Refactor this path to avoid repeated work in hot execution paths.

package/rules/typescript/ts.performance.no-expensive-sort-in-render-path.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-expensive-sort-in-render-path
+  title: Avoid expensive sort or transforms in render path
+  summary: Sorting or heavy transforms in React render paths should be memoized or precomputed.
+  rationale: Sorting or heavy transforms in React render paths should be memoized or precomputed.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-expensive-sort-in-render-path
+    bind: issue
+emit:
+  finding:
+    category: performance.render
+    severity: medium
+    confidence: 0.8
+    tags:
+      - performance
+  message:
+    title: Avoid expensive sort or transforms in render path
+    summary: "`${captures.issue.text}` matches ts.performance.no-expensive-sort-in-render-path."
+  remediation:
+    summary: Refactor this path to avoid repeated work in hot execution paths.