npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/typescript/ts.correctness.for-in-on-array.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.for-in-on-array
+  title: for-in over array-like value
+  summary: Prefer for-of or index loops instead of for-in on arrays.
+  rationale: for-in enumerates keys (often as strings) and may include inherited properties; for-of iterates values safely.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-037
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.for-in-on-array
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+      - language
+  message:
+    title: Avoid for-in on arrays
+    summary: "`${captures.issue.text}` uses for-in on a value that looks like an array."
+  remediation:
+    summary: Use `for (const item of array)` or indexed iteration instead of for-in.

package/rules/typescript/ts.correctness.infinite-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.infinite-loop
+  title: Infinite Loop
+  summary: Detect obvious infinite loops
+  rationale: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.infinite-loop
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Infinite Loop
+    summary: "`${captures.issue.text}` matches ts.correctness.infinite-loop."
+  remediation:
+    summary: Detect obvious infinite loops:while (true) and for(;;) without break, return, or throw in the loop body.

package/rules/typescript/ts.correctness.invalid-await-expression.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-await-expression
+  title: Invalid Await Expression
+  summary: Await only promise-like values
+  rationale: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.invalid-await-expression
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Invalid Await Expression
+    summary: "`${captures.issue.text}` matches ts.correctness.invalid-await-expression."
+  remediation:
+    summary: Await only promise-like values:await on literals or clearly synchronous calls is usually a mistake.

package/rules/typescript/ts.correctness.invalid-typeof-comparison.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.invalid-typeof-comparison
+  title: Invalid typeof comparison string
+  summary: Compare typeof results only to known typeof strings.
+  rationale: typeof returns a fixed set of strings; other comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-030
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.invalid-typeof-comparison
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Fix typeof comparison
+    summary: "`${captures.issue.text}` compares typeof to a string that typeof never returns."
+  remediation:
+    summary: Compare against a valid typeof result or use a different type guard (for example Array.isArray).

package/rules/typescript/ts.correctness.missing-async-on-promise-method.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-async-on-promise-method
+  title: Missing Async On Promise Method
+  summary: Mark promise callbacks async when using await
+  rationale: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.missing-async-on-promise-method
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Missing Async On Promise Method
+    summary: "`${captures.issue.text}` matches ts.correctness.missing-async-on-promise-method."
+  remediation:
+    summary: Mark promise callbacks async when using await:then/catch handlers that use await must be declared async.

package/rules/typescript/ts.correctness.missing-super-call.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.missing-super-call
+  title: Missing super() in subclass constructor
+  summary: Subclass constructors must call super() before using this.
+  rationale: Derived classes must initialize the base class; omitting super() is a runtime error when this is accessed.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-034
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.missing-super-call
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Call super() in the subclass constructor
+    summary: "`${captures.issue.text}` extends a base class but never calls super()."
+  remediation:
+    summary: Add `super(...)` as the first statement in the constructor (before using this).

package/rules/typescript/ts.correctness.no-floating-promise-in-function.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-floating-promise-in-function
+  title: No Floating Promise In Function
+  summary: Handle promise-returning calls explicitly
+  rationale: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.floating-promise-in-function
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Floating Promise In Function
+    summary: "`${captures.issue.text}` matches ts.correctness.no-floating-promise-in-function."
+  remediation:
+    summary: Handle promise-returning calls explicitly:statement-level promise calls should be awaited, voided, returned, or chained with rejection handling.

package/rules/typescript/ts.correctness.no-misused-promises.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.no-misused-promises
+  title: No Misused Promises
+  summary: Do not pass async callbacks where sync is expected
+  rationale: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.misused-promises
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: medium
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: No Misused Promises
+    summary: "`${captures.issue.text}` matches ts.correctness.no-misused-promises."
+  remediation:
+    summary: Do not pass async callbacks where sync is expected:array iteration methods expect synchronous predicates and should not receive async callbacks.

package/rules/typescript/ts.correctness.promise-reject-non-error.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.promise-reject-non-error
+  title: Reject or throw non-Error values
+  summary: Promise rejections and async throws should use Error objects.
+  rationale: Non-Error rejections lose stack traces and are harder to handle consistently in async code.
+  tags:
+    - correctness
+    - async
+    - rules-catalog
+    - crq-cor-033
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.promise-reject-non-error
+    bind: issue
+emit:
+  finding:
+    category: correctness.async
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - async
+  message:
+    title: Use Error for rejections and async throws
+    summary: "`${captures.issue.text}` rejects or throws a non-Error literal."
+  remediation:
+    summary: Reject or throw `new Error(...)` (or a typed Error subclass) instead of a string or other primitive.

package/rules/typescript/ts.correctness.this-before-super.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.this-before-super
+  title: this used before super()
+  summary: Do not use this or super members before calling super() in a subclass constructor.
+  rationale: Accessing this before super() in a derived constructor throws at runtime.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-035
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.this-before-super
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Move super() before this access
+    summary: "`${captures.issue.text}` uses this or super before super() runs."
+  remediation:
+    summary: Call `super(...)` before reading or assigning `this` in the constructor.

package/rules/typescript/ts.correctness.unnecessary-return-await.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.unnecessary-return-await
+  title: Unnecessary Return Await
+  summary: Remove redundant return await
+  rationale: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.
+  tags:
+    - correctness
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: async.unnecessary-return-await
+    bind: issue
+emit:
+  finding:
+    category: correctness
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+  message:
+    title: Unnecessary Return Await
+    summary: "`${captures.issue.text}` matches ts.correctness.unnecessary-return-await."
+  remediation:
+    summary: Remove redundant return await:return await in async functions outside try/catch adds stack overhead without changing behavior.

package/rules/typescript/ts.correctness.use-number-is-nan.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.correctness.use-number-is-nan
+  title: Use Number.isNaN for NaN checks
+  summary: Do not compare values to NaN with `===` or `==`.
+  rationale: NaN is not equal to itself; identity comparisons are always false.
+  tags:
+    - correctness
+    - language
+    - rules-catalog
+    - crq-cor-029
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: language.use-number-is-nan
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - language
+  message:
+    title: Replace NaN identity comparison
+    summary: "`${captures.issue.text}` compares to NaN with an equality operator."
+  remediation:
+    summary: Use `Number.isNaN(value)` (or `Number.isNaN` after coercion) instead of `value === NaN`.

package/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml CHANGED Viewed

@@ -5,6 +5,18 @@ metadata:
   title: Authenticate Next.js Server Actions before mutations
   summary: Server Actions that mutate state must validate sessions locally before reaching privileged sinks.
   rationale: Server Actions behave like public POST endpoints and inherit the same authentication obligations as route handlers.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
   tags:
     - security
     - next
@@ -33,3 +45,4 @@ emit:
   remediation:
     summary: >-
       Call your auth/session helper before mutations and enforce ownership inside database predicates.

package/rules/typescript/ts.performance.no-await-in-loop.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.performance.no-await-in-loop
+  title: No Await In Loop
+  summary: Avoid await inside loops
+  rationale: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.
+  tags:
+    - performance
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: performance.no-await-in-loop
+    bind: issue
+emit:
+  finding:
+    category: performance
+    severity: medium
+    confidence: 0.85
+    tags:
+      - performance
+  message:
+    title: No Await In Loop
+    summary: "`${captures.issue.text}` matches ts.performance.no-await-in-loop."
+  remediation:
+    summary: Avoid await inside loops:sequential awaits in loops multiply latency; batch work or use Promise.all when safe.

package/rules/typescript/ts.quality.no-empty-function.rule.yaml ADDED Viewed

@@ -0,0 +1,32 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.quality.no-empty-function
+  title: No Empty Function
+  summary: Avoid empty function bodies
+  rationale: Avoid empty function bodies:empty implementations hide missing logic; use a comment, throw, or remove the stub.
+  tags:
+    - quality
+    - rules-catalog
+  stability: stable
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: quality.empty-function
+    bind: issue
+emit:
+  finding:
+    category: quality
+    severity: low
+    confidence: 0.85
+    tags:
+      - quality
+  message:
+    title: No Empty Function
+    summary: "`${captures.issue.text}` matches ts.quality.no-empty-function."
+  remediation:
+    summary: Avoid empty function bodies:empty implementations hide missing logic; use a comment, throw, or remove the stub.

package/rules/typescript/ts.react.no-bind-in-jsx-props.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-bind-in-jsx-props
+  title: Avoid inline functions and bind in JSX props
+  summary: Creating `function` handlers or `.bind()` calls inside JSX forces new function identities every render and makes memoized children re-render unnecessarily.
+  rationale: Stable handler references keep render work predictable and make dependency lists in memoized components meaningful.
+  tags:
+    - react
+    - performance
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.bind-in-jsx-prop
+    bind: issue
+emit:
+  finding:
+    category: performance.ui
+    severity: medium
+    confidence: 0.78
+    tags:
+      - react
+      - performance
+      - ui
+  message:
+    title: Hoist JSX event handlers out of render
+    summary: "`${captures.issue.text}` creates a new handler on every render."
+  remediation:
+    summary: Define handlers on the class instance, bind once in the constructor, or use useCallback for function components.

package/rules/typescript/ts.react.no-children-prop.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-children-prop
+  title: Prefer nested JSX children over the children prop
+  summary: Passing `children` as a named prop is harder to read than composing elements between opening and closing tags.
+  rationale: Nested children match React composition idioms and keep component APIs consistent across the tree.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.children-prop
+    bind: issue
+emit:
+  finding:
+    category: maintainability.ui
+    severity: low
+    confidence: 0.8
+    tags:
+      - react
+      - ui
+  message:
+    title: Nest JSX children instead of using the children prop
+    summary: "`${captures.issue.text}` passes children through a prop attribute."
+  remediation:
+    summary: Place child elements between the component tags or accept `children` through normal function parameters without a JSX prop.

package/rules/typescript/ts.react.no-direct-state-mutation.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-direct-state-mutation
+  title: Do not mutate React state directly
+  summary: Assigning to `this.state` bypasses React change detection and produces stale UI.
+  rationale: State updates must flow through setState or hooks so React can schedule renders and enforce immutability guarantees.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.direct-state-mutation
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.88
+    tags:
+      - react
+      - ui
+  message:
+    title: Update React state with setState
+    summary: "`${captures.issue.text}` mutates state directly."
+  remediation:
+    summary: Call setState with the next value or replace the state object immutably instead of assigning into this.state.

package/rules/typescript/ts.react.no-duplicate-jsx-attributes.rule.yaml ADDED Viewed

@@ -0,0 +1,34 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-duplicate-jsx-attributes
+  title: Remove duplicate JSX attributes
+  summary: Repeating the same prop on a JSX element makes the last value win silently and hides author intent.
+  rationale: Duplicate attributes are usually copy-paste mistakes that change runtime behavior without type errors.
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.duplicate-jsx-attribute
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.9
+    tags:
+      - react
+      - ui
+  message:
+    title: Keep only one JSX attribute with the same name
+    summary: "`${captures.issue.text}` appears more than once on the same JSX element."
+  remediation:
+    summary: Remove the duplicate attribute or merge the values into a single prop expression.

package/rules/typescript/ts.react.no-jsx-props-spread.rule.yaml ADDED Viewed

@@ -0,0 +1,35 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-jsx-props-spread
+  title: Avoid spreading props onto JSX elements
+  summary: Unfiltered prop spreads hide which attributes reach the DOM and defeat static analysis of event handlers and accessibility props.
+  rationale: Explicit prop forwarding documents the component contract and avoids accidentally passing invalid or sensitive attributes downstream.
+  tags:
+    - react
+    - performance
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.jsx-props-spread
+    bind: issue
+emit:
+  finding:
+    category: maintainability.ui
+    severity: low
+    confidence: 0.75
+    tags:
+      - react
+      - ui
+  message:
+    title: Forward JSX props explicitly
+    summary: "`${captures.issue.text}` spreads props onto a JSX element."
+  remediation:
+    summary: Destructure the props you intend to pass, whitelist safe attributes, or use a typed wrapper component.