npm - @critiq/rules - Versions diffs - 0.2.0 → 0.3.0 - Mend

@critiq/rules 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (199) hide show

package/rules/php/php.correctness.invalid-regex-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.invalid-regex-literal
+  title: Fix invalid regular expression literals
+  summary: preg_* calls must use a valid delimiter and closing pattern literal.
+  rationale: Invalid regex literals fail at runtime and often hide copy-paste or escaping mistakes.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.invalid-regex-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Fix invalid regular expression literals
+    summary: "`${captures.issue.text}` matches php.correctness.invalid-regex-literal."
+  remediation:
+    summary: Invalid regex literals fail at runtime and often hide copy-paste or escaping mistakes.

package/rules/php/php.correctness.missing-member-visibility.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.missing-member-visibility
+  title: Declare explicit member visibility
+  summary: Class properties and methods should declare public, protected, or private visibility.
+  rationale: Missing visibility relies on legacy defaults and makes class contracts harder to review.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.missing-member-visibility
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.55
+    tags:
+      - correctness
+      - php
+  message:
+    title: Declare explicit member visibility
+    summary: "`${captures.issue.text}` matches php.correctness.missing-member-visibility."
+  remediation:
+    summary: Missing visibility relies on legacy defaults and makes class contracts harder to review.

package/rules/php/php.correctness.nested-function-declaration.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nested-function-declaration
+  title: Avoid nested function declarations
+  summary: Declaring functions inside other functions is discouraged and hard to test.
+  rationale: Nested functions create hidden scope and make code harder to reuse, mock, and reason about.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nested-function-declaration
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid nested function declarations
+    summary: "`${captures.issue.text}` matches php.correctness.nested-function-declaration."
+  remediation:
+    summary: Nested functions create hidden scope and make code harder to reuse, mock, and reason about.

package/rules/php/php.correctness.nested-switch.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.nested-switch
+  title: Avoid nested switch statements
+  summary: Switch statements nested inside other switch statements are hard to follow.
+  rationale: Nested switch blocks increase cognitive load and often hide missing decomposition or polymorphism.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.nested-switch
+    bind: issue
+emit:
+  finding:
+    category: correctness.control-flow
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Avoid nested switch statements
+    summary: "`${captures.issue.text}` matches php.correctness.nested-switch."
+  remediation:
+    summary: Nested switch blocks increase cognitive load and often hide missing decomposition or polymorphism.

package/rules/php/php.correctness.redundant-string-cast-concat.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.redundant-string-cast-concat
+  title: Remove redundant string casts before concatenation
+  summary: Casting to string immediately before concatenation is usually redundant in PHP.
+  rationale: Redundant casts add noise without changing behavior and can hide type problems that should be fixed directly.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.redundant-string-cast-concat
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove redundant string casts before concatenation
+    summary: "`${captures.issue.text}` matches php.correctness.redundant-string-cast-concat."
+  remediation:
+    summary: Redundant casts add noise without changing behavior and can hide type problems that should be fixed directly.

package/rules/php/php.correctness.self-assignment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.self-assignment
+  title: Remove self assignments
+  summary: Assigning a variable to itself has no effect.
+  rationale: Self assignments usually indicate incomplete refactors or accidental duplication.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.self-assignment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove self assignments
+    summary: "`${captures.issue.text}` matches php.correctness.self-assignment."
+  remediation:
+    summary: Self assignments usually indicate incomplete refactors or accidental duplication.

package/rules/php/php.correctness.todo-fixme-marker.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.todo-fixme-marker
+  title: Resolve TODO or FIXME markers
+  summary: TODO, FIXME, XXX, and HACK comments mark unfinished or risky work.
+  rationale: Tracked markers in production code often hide deferred fixes that should be ticketed or resolved before merge.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.todo-fixme-marker
+    bind: issue
+emit:
+  finding:
+    category: correctness.maintainability
+    severity: low
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Resolve TODO or FIXME markers
+    summary: "`${captures.issue.text}` matches php.correctness.todo-fixme-marker."
+  remediation:
+    summary: Tracked markers in production code often hide deferred fixes that should be ticketed or resolved before merge.

package/rules/php/php.correctness.unknown-magic-method.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.unknown-magic-method
+  title: Use only supported magic methods
+  summary: PHP recognizes a fixed set of double-underscore magic methods.
+  rationale: Unknown magic methods are never invoked by the runtime and usually indicate typos or dead code.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.unknown-magic-method
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.95
+    tags:
+      - correctness
+      - php
+  message:
+    title: Use only supported magic methods
+    summary: "`${captures.issue.text}` matches php.correctness.unknown-magic-method."
+  remediation:
+    summary: Unknown magic methods are never invoked by the runtime and usually indicate typos or dead code.

package/rules/php/php.correctness.useless-post-increment.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.useless-post-increment
+  title: Remove useless post-increment statements
+  summary: Standalone post-increment statements with discarded results are usually mistakes.
+  rationale: Post-increment statements that do not feed a larger expression often indicate dead or accidental code.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.useless-post-increment
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.85
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove useless post-increment statements
+    summary: "`${captures.issue.text}` matches php.correctness.useless-post-increment."
+  remediation:
+    summary: Post-increment statements that do not feed a larger expression often indicate dead or accidental code.

package/rules/php/php.correctness.useless-unset.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.correctness.useless-unset
+  title: Remove useless unset calls
+  summary: Calling unset on literals or non-variables has no effect.
+  rationale: Useless unset calls add noise and suggest the author misunderstood PHP unset semantics.
+  tags:
+    - correctness
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.correctness.useless-unset
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - correctness
+      - php
+  message:
+    title: Remove useless unset calls
+    summary: "`${captures.issue.text}` matches php.correctness.useless-unset."
+  remediation:
+    summary: Useless unset calls add noise and suggest the author misunderstood PHP unset semantics.

package/rules/php/php.performance.expensive-loop-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.performance.expensive-loop-condition
+  title: Avoid expensive calls in loop conditions
+  summary: Functions like count() and strlen() inside loop conditions run on every iteration.
+  rationale: Recomputing expensive conditions in loops adds avoidable overhead in hot paths.
+  tags:
+    - performance
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.performance.expensive-loop-condition
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.85
+    tags:
+      - performance
+      - php
+  message:
+    title: Avoid expensive calls in loop conditions
+    summary: "`${captures.issue.text}` matches php.performance.expensive-loop-condition."
+  remediation:
+    summary: Recomputing expensive conditions in loops adds avoidable overhead in hot paths.

package/rules/php/php.security.unsafe-new-static.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: php.security.unsafe-new-static
+  title: Avoid unsafe new static() instantiation
+  summary: "Using `new static()` can instantiate unexpected subclasses and weaken type guarantees."
+  rationale: "Late static binding with `new static()` can bypass intended class boundaries and create objects outside expected inheritance chains."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-470
+      title: Use of Externally-Controlled Input to Select Classes or Code
+  tags:
+    - security
+    - php
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - php
+  paths:
+    include:
+      - "**/*.php"
+match:
+  fact:
+    kind: php.security.unsafe-new-static
+    bind: issue
+emit:
+  finding:
+    category: security.injection
+    severity: medium
+    confidence: 0.88
+    tags:
+      - security
+      - php
+  message:
+    title: Avoid unsafe new static() instantiation
+    summary: "`${captures.issue.text}` matches php.security.unsafe-new-static."
+  remediation:
+    summary: "Late static binding with `new static()` can bypass intended class boundaries and create objects outside expected inheritance chains."

package/rules/ruby/ruby.bug-risk.assignment-in-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.assignment-in-condition
+  title: Avoid assignment inside conditionals
+  summary: >-
+    Extract assignments from if, unless, while, and until conditions.
+  rationale: >-
+    Assignment in conditions is easy to mistake for comparison.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.assignment-in-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.assignment-in-condition`."
+  remediation:
+    summary: >-
+      Extract assignments from if, unless, while, and until conditions.

package/rules/ruby/ruby.bug-risk.deprecated-uri-escape.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.deprecated-uri-escape
+  title: Avoid deprecated URI.escape helpers
+  summary: >-
+    Use CGI.escape, URI.encode_www_form_component, or Addressable instead.
+  rationale: >-
+    URI.escape and URI.unescape are deprecated and removed in modern Ruby.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.deprecated-uri-escape
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: low
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.deprecated-uri-escape`."
+  remediation:
+    summary: >-
+      Use CGI.escape, URI.encode_www_form_component, or Addressable instead.

package/rules/ruby/ruby.bug-risk.division-by-zero.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.division-by-zero
+  title: Avoid division by zero literals
+  summary: >-
+    Do not divide by literal zero.
+  rationale: >-
+    Division by zero raises ZeroDivisionError at runtime.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.division-by-zero
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.division-by-zero`."
+  remediation:
+    summary: >-
+      Do not divide by literal zero.

package/rules/ruby/ruby.bug-risk.duplicate-hash-keys.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.duplicate-hash-keys
+  title: Avoid duplicate keys in hash literals
+  summary: >-
+    Remove duplicate symbol or string keys in the same hash literal.
+  rationale: >-
+    Later duplicate keys silently override earlier entries.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.duplicate-hash-keys
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.duplicate-hash-keys`."
+  remediation:
+    summary: >-
+      Remove duplicate symbol or string keys in the same hash literal.

package/rules/ruby/ruby.bug-risk.exception-class-overwritten.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.exception-class-overwritten
+  title: Do not assign rescue result to exception class names
+  summary: >-
+    Use rescue StandardError or rescue StandardError => e, not rescue => StandardError.
+  rationale: >-
+    rescue => StandardError shadows the exception class with the rescued value.
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.exception-class-overwritten
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: medium
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.bug-risk.exception-class-overwritten`."
+  remediation:
+    summary: >-
+      Use rescue StandardError or rescue StandardError => e, not rescue => StandardError.