npm - @critiq/rules - Versions diffs - 0.1.0 → 0.3.0 - Mend

@critiq/rules 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (495) hide show

package/rules/typescript/ts.security.information-leakage.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid leaking sensitive or diagnostic state
   summary: Logs, stdout or stderr, and direct response sinks should not expose sensitive fields or internal diagnostic detail.
   rationale: Stack traces, request metadata, auth or session objects, and environment state are often leaked through "temporary" debugging output that later reaches production paths.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -36,3 +45,4 @@ emit:
     summary: "`${captures.issue.text}` exposes sensitive fields or internal diagnostic detail through a direct sink."
   remediation:
     summary: Replace the payload with a fixed summary, redact sensitive fields, and strip stack, env, request, or cookie data from production output.

package/rules/typescript/ts.security.insecure-allow-origin.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not reflect request origin into CORS policy
   summary: "`Access-Control-Allow-Origin` should not be set from request-controlled input."
   rationale: Reflecting the request origin into a CORS allowlist turns origin validation into a no-op.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-942
+      title: Permissive Cross-domain Policy with Untrusted Domains
+    - kind: owasp
+      title: Cross-Origin Resource Sharing (CORS)
+      url: https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny
   tags:
     - security
     - cors
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` reflects request input into `Access-Control-Allow-Origin`."
   remediation:
     summary: Set CORS origins from a fixed allowlist or explicit trusted origin check.

package/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Harden auth-bearing cookies
   summary: Auth and session cookies should set HttpOnly, Secure, and SameSite.
   rationale: Cookie flags prevent browser scripts, mixed transport, and cross-site requests from exposing session-bearing values.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-614
+      title: Sensitive Cookie Without Secure Attribute
+    - kind: owasp
+      title: Session Management Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy before the cookie is used for session or auth state.

package/rules/typescript/ts.security.insecure-content-security-policy-literal.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid unsafe Content-Security-Policy literals
   summary: Static CSP header values should not rely on unsafe-inline, unsafe-eval, or unsafe-hashes without nonces.
   rationale: Permissive CSP keywords weaken XSS defenses for every response that carries the header.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - csp
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} sets a CSP that includes unsafe directives without a nonce-based escape hatch."
   remediation:
     summary: Prefer nonces or hashes, remove unsafe-inline and unsafe-eval, and scope directives to the smallest required surface.

package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid disabling core Helmet protections
   summary: Helmet should keep nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy enabled unless another gateway enforces them.
   rationale: Turning off individual Helmet middlewares removes baseline HTTP hardening that is a high-signal misconfiguration risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - express
@@ -34,3 +43,4 @@ emit:
     summary: "${captures.issue.text} disables a Helmet protection that should usually remain enabled."
   remediation:
     summary: Remove false overrides for nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy unless a documented compensating control applies.

package/rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid legacy Argon2 password hash modes
   summary: Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available.
   rationale: Older Argon2 modes are weaker choices for password storage than the modern hybrid mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Prefer `argon2id` and keep the password hash configuration aligned with current password-storage guidance.

package/rules/typescript/ts.security.insecure-websocket-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use secure WebSocket transport
   summary: WebSocket clients should not connect over cleartext `ws://` when sensitive application data is involved.
   rationale: Cleartext WebSocket transport exposes application traffic to interception and manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Switch the endpoint to `wss://` and keep certificate validation enabled.

package/rules/typescript/ts.security.insufficiently-random-values.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use enough entropy for secrets and tokens
   summary: Secret-bearing tokens and secrets should use at least 16 bytes of cryptographic entropy.
   rationale: Short random values are harder to brute-force than predictable values, but they can still be guessed faster than modern secret-bearing flows should allow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses a cryptographically random source, but not enough entropy for a secret-bearing value."
   remediation:
     summary: Generate at least 16 bytes of entropy for reset tokens, invitation codes, session secrets, and similar secret-bearing values.

package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Do not sign JWTs with the none algorithm
   summary: JSON Web Token signing options must not enable the none algorithm.
   rationale: The none algorithm allows tokens to be accepted without verification, defeating authentication.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - jwt
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} is configured with the none algorithm or algorithm list."
   remediation:
     summary: Require asymmetric or HMAC algorithms explicitly and reject none at signing and verification layers.

package/rules/typescript/ts.security.jwt-not-revoked.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Add a JWT revocation hook
   summary: Express JWT middleware should check revocation state when bearer tokens can be invalidated early.
   rationale: Signature validation alone does not handle logout, compromise, or forced token invalidation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Add an `isRevoked` callback or equivalent revocation check for tokens that can be invalidated before expiry.

package/rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Remove sensitive claims from JWT payloads
   summary: JWT payloads should avoid embedding PII or secrets unless absolutely required.
   rationale: Client-visible tokens often outlive a single request and can leak more data than intended.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Keep JWT claims minimal. Prefer stable identifiers, not direct PII or secret-bearing fields.

package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Replace legacy Buffer constructors
   summary: Use Buffer.from, Buffer.alloc, or Buffer.allocUnsafe instead of the deprecated Buffer constructor.
   rationale: Legacy constructors behave differently across Node versions and are harder to audit for safe allocation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - node
@@ -33,3 +42,4 @@ emit:
     summary: "${captures.issue.text} uses the deprecated Buffer constructor API."
   remediation:
     summary: Prefer Buffer.from for encoded data and Buffer.alloc for zero-filled buffers sized by trusted logic.

package/rules/typescript/ts.security.log-injection.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Sanitize user-controlled values before they reach log messages
   summary: Logger calls in pino, winston, bunyan, and consola should not interpolate or concatenate request input directly into the message text.
   rationale: Unsanitized request data in log messages enables CRLF injection, control-character smuggling, and downstream log-parser confusion. Wrapping the value with a structured field, JSON encoder, or CRLF-stripping replace neutralizes the vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
   tags:
     - security
     - logging
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` interpolates request data into a log message without an obvious sanitizer."
   remediation:
     summary: Pass request data as a structured field, JSON-encode it, or strip CRLF and control characters before concatenating it into the log message.

package/rules/typescript/ts.security.manual-html-sanitization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid ad hoc HTML sanitization
   summary: Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths.
   rationale: String replacement chains miss edge cases and are easy to bypass as rendering behavior evolves.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a vetted sanitizer or framework-native escaping model instead of string replacement chains.

package/rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing authorization before sensitive action
   summary: Sensitive backend actions should be guarded by an authorization or permission check.
   rationale: Calling destructive or privileged actions without an authorization guard increases the risk of broken access control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs a sensitive action without a matching authorization guard."
   remediation:
     summary: Add an explicit authorization or permission check before the sensitive action executes.

package/rules/typescript/ts.security.missing-integrity-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use authenticated encryption for secrets and tokens
   summary: Session, cookie, and token encryption should provide integrity protection in the same helper.
   rationale: Confidentiality-only encryption leaves secret-bearing values vulnerable to tampering unless the code also applies an integrity check or uses an authenticated mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` encrypts a secret-bearing value without authenticated encryption or a same-helper integrity check."
   remediation:
     summary: Prefer authenticated encryption such as AES-GCM, or pair non-AEAD encryption with an explicit integrity check in the same helper.

package/rules/typescript/ts.security.missing-message-origin-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Verify `message` event origins
   summary: "`message` handlers should validate `event.origin` before trusting cross-window data."
   rationale: Without an origin check, hostile pages can post crafted messages into the handler.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` handles cross-window messages without validating the sender origin."
   remediation:
     summary: Gate the handler on a strict allowlist of expected origins before reading `event.data`.

package/rules/typescript/ts.security.missing-ownership-validation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing ownership validation
   summary: Resource identifiers from request input should be checked against the caller before sensitive actions run.
   rationale: Authorization alone is not enough when handlers act on caller-provided resource ids that may belong to someone else.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` is used in a sensitive path without a matching ownership check."
   remediation:
     summary: Compare the request-derived resource id to the authenticated caller or load the resource through an ownership-enforcing query.

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing request timeout or retry protection
   summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
   rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - resilience
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
   remediation:
     summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.

package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Register Helmet before Nest route mounts
   summary: Nest bootstrap files should apply Helmet before mounting path-bound routers.
   rationale: Middleware order determines whether framed routes inherit Helmet protections; mounting routers too early widens exposure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -32,3 +47,4 @@ emit:
     summary: Helmet runs after a route-mounted `app.use` in this Nest bootstrap.
   remediation:
     summary: Call `helmet()` before registering routers bound to external paths unless another gateway applies equivalent protections.

package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Add a global Nest ValidationPipe
   summary: Nest bootstrap entries should register `ValidationPipe` globally when controllers parse bodies or DTOs.
   rationale: Without a validation pipe unexpected fields can reach controllers and weaken input hygiene.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -33,3 +48,4 @@ emit:
   remediation:
     summary: >-
       Call app.useGlobalPipes with ValidationPipe using whitelist and forbidNonWhitelisted flags near bootstrap completion.

package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Do not skip throttling on credential routes
   summary: Sensitive Nest routes should not disable `@nestjs/throttler` protections without a compensating throttle.
   rationale: Authentication endpoints are brute-force magnets; removing throttling removes basic abuse resistance.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -33,3 +48,4 @@ emit:
     summary: "`${captures.issue.text}` disables throttling on an authentication-sensitive route."
   remediation:
     summary: Remove `@SkipThrottle()` or pair it with an explicit `@Throttle` policy tuned for the handler.

package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml CHANGED Viewed

@@ -5,6 +5,21 @@ metadata:
   title: Harden Nest ValidationPipe with whitelist mode
   summary: Global ValidationPipe instances should enable whitelist-style stripping for unexpected fields.
   rationale: Allowing undeclared fields preserves attack surface for mass-assignment style bugs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
   tags:
     - security
     - nestjs
@@ -34,3 +49,4 @@ emit:
   remediation:
     summary: >-
       Enable whitelist true and usually forbidNonWhitelisted true on the global ValidationPipe.

package/rules/typescript/ts.security.no-alert-confirm-prompt.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-alert-confirm-prompt
+  title: Avoid blocking dialog APIs
+  summary: Do not call `alert`, `confirm`, or `prompt` in application code.
+  rationale: Blocking dialogs freeze the UI thread, are easy to abuse for social engineering, and are inappropriate for production UX.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - ux
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.alert-confirm-prompt
+    bind: issue
+emit:
+  finding:
+    category: security.ux
+    severity: medium
+    confidence: 0.93
+    tags:
+      - security
+      - ux
+  message:
+    title: Avoid blocking dialog APIs
+    summary: "`${captures.issue.text}` uses a blocking browser dialog that should not ship in application code."
+  remediation:
+    summary: Replace blocking dialogs with in-app UI components or structured notifications.

package/rules/typescript/ts.security.no-arguments-callee.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-arguments-callee
+  title: Avoid `arguments.callee` and `arguments.caller`
+  summary: Do not read `arguments.callee` or `arguments.caller` in functions.
+  rationale: These legacy properties break optimizations, leak stack details, and are restricted in strict mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-94
+      title: Improper Control of Generation of Code
+    - kind: owasp
+      title: Code Injection
+      url: https://owasp.org/www-community/attacks/Code_Injection
+  tags:
+    - security
+    - language
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.arguments-callee-or-caller
+    bind: issue
+emit:
+  finding:
+    category: security.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - security
+      - language
+  message:
+    title: Avoid `${captures.issue.text}`
+    summary: "`${captures.issue.text}` relies on deprecated `arguments` metadata and should not be used."
+  remediation:
+    summary: Use named function expressions or arrow functions instead of `arguments.callee` or `arguments.caller`.

package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-assign-mutable-export
+  title: Avoid mutable module exports
+  summary: Shared module state should not be exported with `let`/`var` or reassigned after export.
+  rationale: Mutable exports make it easy for unrelated modules to change shared security or configuration state at runtime.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - maintainability
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.mutable-module-export
+    bind: issue
+emit:
+  finding:
+    category: security.maintainability
+    severity: low
+    confidence: 0.84
+    tags:
+      - security
+      - module-boundary
+  message:
+    title: Keep exported module state immutable for `${captures.issue.text}`
+    summary: "`${captures.issue.text}` is exported with a mutable binding that can change at runtime."
+  remediation:
+    summary: Export read-only values, freeze shared objects, or expose accessors instead of mutable bindings.