npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/typescript/ts.security.request-driven-array-index-access.rule.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.request-driven-array-index-access
+  title: Avoid request-driven array indexing without bounds checks
+  summary: Arrays indexed with request-derived keys can read or write out-of-bounds entries.
+  rationale: Attacker-controlled indexes bypass assumptions about array length and element initialization.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+  tags:
+    - security
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.request-driven-array-index-access
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.72
+    tags:
+      - security
+  message:
+    title: "Validate index ${captures.issue.text} before use"
+    summary: "Array access uses a computed index derived from ${captures.issue.text}."
+  remediation:
+    summary: Parse and bound-check indexes, prefer maps keyed by stable identifiers, or avoid indexing arrays with request data.

package/rules/typescript/ts.security.sensitive-data-egress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sensitive data egress to third-party processors
   summary: Sensitive values should not be sent to external processors or outbound SDKs without minimization or redaction.
   rationale: Sending regulated or secret data to third-party services increases privacy exposure and creates downstream processor risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -16,6 +25,7 @@ scope:
   languages:
     - typescript
     - javascript
+    - java
 match:
   fact:
     kind: security.sensitive-data-egress
@@ -34,3 +44,4 @@ emit:
     summary: "`${captures.issue.text}` sends normalized sensitive datatypes to an outbound processor or external service."
   remediation:
     summary: Minimize the payload, redact the sensitive fields, or route the data only to approved processors.

package/rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid sensitive data in thrown errors
   summary: Exceptions and rejection payloads should not include raw secrets or personal data.
   rationale: Exception payloads often reach logs, APM tools, and client responses with less review than normal business data.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Replace raw secrets and personal data with opaque identifiers or redacted summaries before throwing or rejecting.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid writing sensitive data to files
   summary: Data exports and local file writes should not persist raw secrets or personal fields.
   rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-200
+      title: Exposure of Sensitive Information to an Unauthorized Actor
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Redact, hash, or exclude the sensitive fields before writing the file.

package/rules/typescript/ts.security.ssrf.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Server-side request forgery
   summary: Outbound requests should not use attacker-controlled targets or private hosts.
   rationale: Request-controlled targets can force the server to call internal services, metadata endpoints, or attacker-controlled infrastructure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - network
@@ -14,6 +23,7 @@ scope:
   languages:
     - typescript
     - javascript
+    - go
 match:
   fact:
     kind: security.ssrf
@@ -32,3 +42,4 @@ emit:
     summary: "`${captures.ssrfCall.text}` sends an outbound request to a request-controlled or private target."
   remediation:
     summary: Resolve URLs against a trusted allowlist, reject private hosts, and proxy outbound requests through a vetted server-side helper.

package/rules/typescript/ts.security.token-or-session-not-validated.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Token or session not validated
   summary: Session and token values from external input should be verified before authentication or identity use.
   rationale: Parsing or loading session state without verification allows forged or stale credentials to influence authorization paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses token or session input without any preceding validation step."
   remediation:
     summary: Verify or authenticate the token or session value before decoding, loading, or deriving identity from it.

package/rules/typescript/ts.security.ui-redress.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not derive anti-framing headers from request input
   summary: Framing and CSP headers should not be set from request-controlled values.
   rationale: Request-controlled anti-framing headers weaken protections against clickjacking and UI redress attacks.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - clickjacking
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Set framing and CSP headers from fixed server policy instead of request data.

package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-dirname-path-concat
+  title: Avoid string-built paths from `__dirname` or `__filename`
+  summary: Do not build filesystem paths by concatenating `__dirname` or `__filename` with strings or templates.
+  rationale: String-built paths are easy to get wrong and can enable directory traversal when any segment is dynamic.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-434
+      title: Unrestricted Upload of File with Dangerous Type
+    - kind: owasp
+      title: File Upload Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  tags:
+    - security
+    - filesystem
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.unsafe-dirname-path-concat
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - filesystem
+  message:
+    title: Avoid string-built paths from `__dirname` or `__filename`
+    summary: "`${captures.issue.text}` builds a path by concatenating `__dirname` or `__filename`, which is fragile and risky."
+  remediation:
+    summary: Use `path.join`, `path.resolve`, or `import.meta.url` with validated segments instead of string concatenation.

package/rules/typescript/ts.security.unsafe-dompurify-version.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-dompurify-version
+  title: Upgrade DOM sanitization dependency
+  summary: DOM sanitization libraries should stay on patched versions before they are trusted for untrusted HTML.
+  rationale: Older sanitizer versions can miss browser parsing edge cases and leave XSS protections incomplete.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - dependency
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dependency.dompurify-unsafe-version
+    bind: issue
+emit:
+  finding:
+    category: security.dependency
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - dependency
+      - xss
+  message:
+    title: Upgrade `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is below the minimum sanitizer version Critiq treats as safe for untrusted HTML."
+  remediation:
+    summary: Upgrade the package, then keep HTML sanitizer usage behind a small reviewed wrapper.

package/rules/typescript/ts.security.unsafe-marked-version.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.unsafe-marked-version
+  title: Upgrade Markdown rendering dependency
+  summary: Markdown renderers should stay on patched versions before rendering untrusted content.
+  rationale: Older Markdown renderer versions can expose unsafe HTML handling and parser edge cases.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1104
+      title: Use of Unmaintained Third Party Components
+    - kind: owasp
+      title: Vulnerable Dependency Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html
+  tags:
+    - security
+    - dependency
+    - xss
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.dependency.marked-unsafe-version
+    bind: issue
+emit:
+  finding:
+    category: security.dependency
+    severity: high
+    confidence: 0.82
+    tags:
+      - security
+      - dependency
+      - xss
+  message:
+    title: Upgrade `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is below the minimum Markdown renderer version Critiq treats as safe for untrusted content."
+  remediation:
+    summary: Upgrade the package and keep untrusted Markdown rendering behind explicit sanitization.

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe raw HTTP response output
   summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
   rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` writes request-controlled data into a raw HTTP response sink without a trusted HTML escaping model."
   remediation:
     summary: Escape or sanitize the data with a trusted helper, or switch to a response format that does not treat it as executable markup.

package/rules/typescript/ts.security.unvalidated-external-input.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Validate untrusted input before parser construction
   summary: Untrusted input should be validated before it is used to construct sensitive parsers or runtime objects.
   rationale: Passing untrusted text across regex or URL construction boundaries increases the risk of parser abuse, denial of service, and downstream policy bypass.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - input-validation
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` constructs a sensitive parser or runtime object from untrusted input without a trust-boundary check."
   remediation:
     summary: Validate, sanitize, or normalize the untrusted value before passing it into URL, RegExp, or similarly sensitive constructors.

package/rules/typescript/ts.security.user-controlled-sendfile.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.sendFile` to a trusted root
   summary: "`res.sendFile()` should not resolve filenames or options from request input without a trusted root."
   rationale: Request-controlled file responses are a common path to path traversal and unintended local file disclosure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-918
+      title: Server-Side Request Forgery (SSRF)
+    - kind: owasp
+      title: Server-Side Request Forgery
+      url: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
   tags:
     - security
     - filesystem
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` serves a request-controlled file path or options object without a trusted root."
   remediation:
     summary: Resolve files from an allowlisted directory and validate request input before it reaches `res.sendFile()`.

package/rules/typescript/ts.security.user-controlled-view-render.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Constrain `res.render()` trust boundaries
   summary: Express view names should not cross into server-side rendering from untrusted input.
   rationale: Untrusted template names can expose internal views, bypass intended route behavior, or widen a server-side template boundary.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` selects a server-side template across a trust boundary using untrusted input."
   remediation:
     summary: Resolve the template from an allowlist or fixed route mapping before calling `res.render()`.

package/rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak cipher algorithms and modes
   summary: Cryptographic ciphers should use modern authenticated modes and approved algorithms.
   rationale: Weak modes such as ECB and legacy ciphers such as DES or RC4 do not provide adequate confidentiality.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - crypto
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` uses a weak cipher algorithm or mode."
   remediation:
     summary: Use modern authenticated encryption such as AES-GCM with approved key sizes and IV handling.

package/rules/typescript/ts.security.weak-key-strength.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid weak key-generation strength
   summary: Key-generation helpers should use current minimum strengths for RSA, AES, and HMAC keys.
   rationale: Weak modulus or key lengths make brute-force and cryptanalytic attacks more practical, even when the API itself is correct.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` configures a key length or modulus size below the current minimum expected for production cryptography."
   remediation:
     summary: Use at least 2048-bit RSA keys and at least 128-bit AES or HMAC keys unless a clearly documented compatibility boundary requires otherwise.

package/rules/typescript/ts.security.weak-tls-version.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Require modern TLS minimum versions
   summary: Transport clients should not explicitly allow SSLv3, TLS 1.0, or TLS 1.1.
   rationale: Legacy TLS protocol floors weaken transport security and keep obsolete downgrade-compatible settings alive in production code.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` explicitly allows an obsolete TLS or SSL protocol version."
   remediation:
     summary: Set `minVersion` to at least `TLSv1.2` or `TLSv1.3` and remove legacy `secureProtocol` values.

package/rules/typescript/ts.security.xml-parse-string-with-untrusted-input.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.xml-parse-string-with-untrusted-input
+  title: Do not parse untrusted XML with permissive parsers
+  summary: parseString and similar XML helpers should not consume request-controlled payloads without hardening.
+  rationale: Untrusted XML can enable XXE-style parser abuse depending on the underlying implementation and parser flags.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-502
+      title: Deserialization of Untrusted Data
+    - kind: owasp
+      title: Deserialization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
+  tags:
+    - security
+    - xml
+    - deserialization
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.xml-parse-string-with-untrusted-input
+    bind: issue
+emit:
+  finding:
+    category: security.deserialization
+    severity: high
+    confidence: 0.78
+    tags:
+      - security
+      - xml
+  message:
+    title: "Validate XML parsing for ${captures.issue.text}"
+    summary: "${captures.issue.text} parses XML that appears request-driven."
+  remediation:
+    summary: Disable external entities, validate payloads against a strict schema, and parse with a hardened XML configuration.

package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-flaky-timer-test
+  title: Prefer fake timers in unit tests
+  summary: Real timers, sleeps, or wall-clock reads in unit tests are flaky unless fake timers are enabled for the file.
+  rationale: Wall-clock based tests race CI load and parallelization; fake timers keep behavior deterministic.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/e2e/**"
+      - "**/*.integration.test.*"
+match:
+  fact:
+    kind: testing.flaky-timer-in-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: low
+    confidence: 0.68
+    tags:
+      - testing
+      - timers
+  message:
+    title: Stabilize timer usage in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses real timers or wall-clock reads without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file."
+  remediation:
+    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing assertions behind a test double.

package/rules/typescript/ts.testing.no-focused-test.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-focused-test
+  title: Remove focused or exclusive tests before merge
+  summary: Focused tests such as it.only or describe.only should not ship because they silence the rest of the suite in CI.
+  rationale: Exclusive tests hide failures in sibling cases and are a common accidental merge footgun.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.focused-only-invocation
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.88
+    tags:
+      - testing
+      - ci
+  message:
+    title: Remove focused test `${captures.issue.text}`
+    summary: "`${captures.issue.text}` runs in exclusive mode so other tests in the file or suite are skipped."
+  remediation:
+    summary: Remove `.only` / `fit` / `fdescribe` style exclusivity and rely on the full suite in CI.

package/rules/typescript/ts.testing.no-missing-edge-case-tests.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-missing-edge-case-tests
+  title: Update tests when branch-heavy service logic changes
+  summary: Diffs that touch many branches in critical service paths should update paired tests in the same change.
+  rationale: Branch-heavy edits without test updates often miss boundary and failure behavior reviewers expect.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: project
+scope:
+  languages:
+    - typescript
+    - javascript
+  changedLinesOnly: false
+match:
+  fact:
+    kind: testing.missing-edge-case-tests-for-changes
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.66
+    tags:
+      - testing
+      - diff
+  message:
+    title: Exercise new branches in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` changes branch-heavy logic on a critical path without a corresponding test file change."
+  remediation:
+    summary: Extend the paired unit test with cases for new branches, guards, and failure paths touched by the diff.

package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml ADDED Viewed

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-network-call-in-unit-test
+  title: Avoid real network calls in unit tests
+  summary: Unit tests should not open real sockets; prefer doubles, recordings, or local fakes.
+  rationale: Real network calls make tests flaky, slow, and unsafe against live systems.
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/e2e/**"
+      - "**/*.integration.test.*"
+match:
+  fact:
+    kind: testing.real-network-in-unit-test
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.74
+    tags:
+      - testing
+      - network
+  message:
+    title: Replace live network call `${captures.issue.text}`
+    summary: "`${captures.issue.text}` performs an outbound HTTP style call inside a unit test path."
+  remediation:
+    summary: Mock HTTP clients, use an in-memory server, or relocate the scenario to an explicit integration suite.