npm - @critiq/rules - Versions diffs - 0.2.0 → 0.4.0 - Mend

@critiq/rules 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (907) hide show

package/rules/go/go.bug-risk.poorly-formed-nilness-guards.rule.yaml ADDED Viewed

@@ -0,0 +1,57 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.bug-risk.poorly-formed-nilness-guards
+  title: Poorly formed nilness guards may cause nil pointer dereference
+  summary: >-
+    The expression uses `== nil &&` (short-circuits to the dereference when
+    the value IS nil) or `!= nil ||` (short-circuits to the dereference when
+    the value IS nil). Both patterns risk a nil pointer dereference.
+  rationale: >-
+    Go's short-circuit evaluation means `x == nil && x.Method()` proceeds to
+    `x.Method()` when `x` is nil (the AND continues because the left operand
+    is true). Similarly `x != nil || x.Method()` proceeds to `x.Method()`
+    when `x` is nil (the OR continues because the left operand is false).
+    The correct guard for dereferencing is `x != nil && x.Method()` or
+    `x == nil || x.Method()`.
+  aliases:
+    - GO-E1008
+  tags:
+    - bug-risk
+    - go
+    - framework
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.bug-risk.poorly-formed-nilness-guards
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.framework
+    severity: critical
+    confidence: 0.85
+    tags:
+      - bug-risk
+      - go
+  message:
+    title: Poorly formed nilness guard may panic
+    summary: >-
+      ${captures.issue.text} uses a nilness guard pattern that will
+      dereference nil instead of protecting against it.
+  remediation:
+    summary: >-
+      Swap the comparison operator or operand order so the nil check
+      correctly guards the dereference. Use `x != nil && x.method()` or
+      `x == nil || x.method()` instead.

package/rules/go/go.bug-risk.redis-incorrect-arg-count.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.bug-risk.redis-incorrect-arg-count
+  title: Redis variadic function called with wrong argument count
+  summary: >-
+    Redis variadic methods such as `MemoryUsage`, `ZPopMax`, `ZPopMin`, and
+    `BitPos` accept a specific number of arguments. Passing too many will
+    cause a runtime panic.
+  rationale: >-
+    go-redis variadic methods have strict argument expectations. For example,
+    `MemoryUsage(key, samples...)` expects a key + up to one extra arg.
+    `ZPopMax(key, count)` expects exactly key + count. Passing extra arguments
+    causes a panic. Audit each call site against the Redis command spec.
+  aliases:
+    - GO-E1001
+  tags:
+    - bug-risk
+    - go
+    - redis
+    - framework
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.bug-risk.redis-incorrect-arg-count
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.framework
+    severity: high
+    confidence: 0.75
+    tags:
+      - bug-risk
+      - go
+      - redis
+  message:
+    title: Redis variadic method may receive incorrect argument count
+    summary: "`${captures.issue.text}` calls a Redis variadic method — verify the argument count against the spec"
+  remediation:
+    summary: >-
+      Check the Redis command spec for the expected argument count. Remove
+      any extra arguments. Use a linter or code review to audit each call site.

package/rules/go/go.bug-risk.redis-unimplemented-method.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.bug-risk.redis-unimplemented-method
+  title: Unimplemented Redis method call would panic
+  summary: >-
+    `Sync(ctx)` and `Quit(ctx)` are listed in the go-redis interface but
+    are not implemented — calling them panics at runtime.
+  rationale: >-
+    The go-redis library provides `Sync()` and `Quit()` as interface methods
+    for compatibility, but their implementations panic with "not implemented".
+    These methods should never be called. Use the standard Redis `CLIENT LIST`
+    or `QUIT` commands through `Do()` instead.
+  aliases:
+    - GO-E1002
+  tags:
+    - bug-risk
+    - go
+    - redis
+    - framework
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.bug-risk.redis-unimplemented-method
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.framework
+    severity: high
+    confidence: 0.75
+    tags:
+      - bug-risk
+      - go
+      - redis
+  message:
+    title: Unimplemented Redis method will panic at runtime
+    summary: "`${captures.issue.text}` calls a Redis method that is not implemented in go-redis"
+  remediation:
+    summary: >-
+      Remove the call to `Sync()` or `Quit()`. Use `redisClient.Do(ctx, "CLIENT LIST")`
+      or `redisClient.Close()` instead.

package/rules/go/go.bug-risk.reflect-makefunc-usage.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.bug-risk.reflect-makefunc-usage
+  title: "Use of reflect.MakeFunc — audit required"
+  summary: >-
+    `reflect.MakeFunc` dynamically constructs a function at runtime. This is
+    a powerful but dangerous operation — audit that type safety is preserved.
+  rationale: >-
+    `reflect.MakeFunc` creates a wrapper function around a given `reflect.Value`
+    (typically a function value). Misuse can lead to type confusion, runtime
+    panics, or unexpected behavior. Most usages are legitimate but warrant
+    manual review.
+  aliases:
+    - GO-W1006
+  tags:
+    - bug-risk
+    - go
+    - reflection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.bug-risk.reflect-makefunc-usage
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.reflection
+    severity: high
+    confidence: 0.85
+    tags:
+      - bug-risk
+      - go
+      - reflection
+  message:
+    title: reflect.MakeFunc usage — audit required
+    summary: >-
+      ${captures.issue.text} uses `reflect.MakeFunc`. Please audit that type
+      safety is preserved at runtime.
+  remediation:
+    summary: >-
+      Review the `reflect.MakeFunc` call to ensure type safety. Consider
+      whether the dynamic function construction can be replaced with a
+      statically-typed alternative.

package/rules/go/go.correctness.bare-return.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.bare-return
+  title: Use of bare return statements
+  summary: Bare returns in named-return functions return the current values of return parameters, which can be surprising.
+  rationale: >-
+    A bare `return` in a function with named return parameters returns the
+    current values of those parameters. While valid Go, bare returns can be
+    confusing to readers who must scan the function body to determine what
+    values are being returned.
+  aliases:
+    - GO-R3003
+  tags:
+    - correctness
+    - go
+    - clarity
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.bare-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: medium
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - clarity
+  message:
+    title: Bare return in named-return function
+    summary: >-
+      A bare `return` statement in `${captures.issue.text}` relies on named
+      return parameters. Consider using an explicit return for clarity.
+  remediation:
+    summary: >-
+      Replace bare `return` with `return result` (or the name of the return
+      parameter) to make the returned value explicit.

package/rules/go/go.correctness.boolean-literal-in-expression.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.boolean-literal-in-expression
+  title: Boolean literals in logic expressions
+  summary: Expressions like `flag == true` or `flag != false` can be simplified to the bare boolean value or its negation.
+  rationale: >-
+    Comparing a boolean value to `true` or `false` is redundant. `flag == true`
+    is equivalent to `flag`, and `flag == false` is equivalent to `!flag`.
+    Removing the comparison makes the intent clearer.
+  aliases:
+    - GO-R3004
+  tags:
+    - correctness
+    - go
+    - clarity
+    - simplification
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.boolean-literal-in-expression
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - clarity
+      - simplification
+  message:
+    title: Redundant boolean comparison in `${captures.issue.text}`
+    summary: >-
+      Comparing a boolean value to a literal `true` or `false` is redundant.
+      Use the bare boolean or its negation instead.
+  remediation:
+    summary: >-
+      Replace `flag == true` with `flag`, and `flag == false` with `!flag`.

package/rules/go/go.correctness.boolean-simplification.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.boolean-simplification
+  title: Boolean expression can be simplified
+  summary: Complex boolean expressions like `x > y - 1` or `x < y || x == y` can be written more concisely.
+  rationale: >-
+    Expressions such as `x > y - 1` can be written as `x >= y`, and
+    `x < y || x == y` can be simplified to `x <= y`. Simplified expressions are
+    easier to read and less error-prone.
+  aliases:
+    - CRT-D0018
+  tags:
+    - correctness
+    - go
+    - clarity
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.boolean-simplification
+    bind: issue
+emit:
+  finding:
+    category: correctness.clarity
+    severity: high
+    confidence: 0.7
+    tags:
+      - correctness
+      - go
+      - clarity
+  message:
+    title: Boolean expression can be simplified
+    summary: "This boolean expression can be simplified to a single comparison"
+  remediation:
+    summary: >-
+      Simplify `x > y - 1` to `x >= y`. Simplify `x < y || x == y` to
+      `x <= y`. Simplify `x > y || x == y` to `x >= y`.

package/rules/go/go.correctness.deferred-func-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.deferred-func-literal
+  title: Deferred function literal can be simplified
+  summary: A `defer func() { bar() }()` wrapping a single call can be simplified to `defer bar()`.
+  rationale: >-
+    Wrapping a single function call in a deferred anonymous function is unnecessary
+    noise. The call can be deferred directly. Multi-statement bodies, bodies containing
+    control flow, and function literals with parameters are excluded because they
+    cannot be simplified.
+  aliases:
+    - GO-C4005
+  tags:
+    - correctness
+    - go
+    - simplification
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.deferred-func-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - simplification
+  message:
+    title: Simplify deferred function literal to direct call
+    summary: >-
+      The expression `${captures.issue.text}` wraps a single function call in a
+      deferred anonymous function. It can be written as `defer call()` instead.
+  remediation:
+    summary: >-
+      Replace `defer func() { fn() }()` with `defer fn()`. The deferred call is
+      equivalent without the wrapping closure.

package/rules/go/go.correctness.duplicate-branch-body.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-branch-body
+  title: Duplicate body in adjacent branches
+  summary: Adjacent if-else branches have identical bodies. One branch is likely dead or wrong.
+  rationale: >-
+    When two consecutive branches in an if-else chain produce the same outcome,
+    one of the branches is suspicious. Either the conditions overlap or a
+    copy-paste error duplicated the body.
+  aliases:
+    - CRT-D0006
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-branch-body
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.75
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Duplicate body in adjacent branches
+    summary: "Two adjacent if-else branches have identical bodies (limited to single-line bodies)."
+  remediation:
+    summary: >-
+      Merge branches with the same outcome, or fix the branch condition or body
+      logic.

package/rules/go/go.correctness.duplicate-function-arguments.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-function-arguments
+  title: Duplicate function arguments
+  summary: Consecutive identical arguments may indicate a copy-paste error.
+  rationale: >-
+    Passing the same identifier as two consecutive arguments to a function call
+    is often a copy-paste mistake. The second argument should typically reference
+    a different value.
+  aliases:
+    - CRT-D0005
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-function-arguments
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Duplicate argument `${captures.issue.text}` passed to function
+    summary: "Two adjacent arguments in the function call are identical identifiers. This may be a copy-paste error."
+  remediation:
+    summary: >-
+      Verify that both arguments should reference different values. If
+      intentional, suppress the warning.

package/rules/go/go.correctness.duplicate-if-else-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-if-else-condition
+  title: "if and else condition are the same"
+  summary: >-
+    The same boolean expression appears on both an `if` and the following
+    `else if` branch. This is likely a copy-paste error; the second condition
+    should probably be different.
+  rationale: >-
+    Identical conditions in `if` and `else if` branches mean the else-if body
+    is dead code — the `if` body always executes when the condition is true,
+    and the `else if` body executes only when the same condition is true again
+    (which is impossible in a single-evaluation model). This typically indicates
+    the developer forgot to update the condition after copying.
+  aliases:
+    - GO-W1002
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-if-else-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.6
+    tags:
+      - correctness
+      - go
+  message:
+    title: Duplicate condition in if and else-if
+    summary: >-
+      ${captures.issue.text} — the condition is identical to the preceding if
+      branch. The else-if body is dead code.
+  remediation:
+    summary: >-
+      Review the logic and change the second condition to the intended
+      expression, or merge the branches if they are truly identical.

package/rules/go/go.correctness.duplicate-switch-cases.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-switch-cases
+  title: Duplicate case in switch statement
+  summary: Duplicate case values mean the second case is unreachable.
+  rationale: >-
+    A switch with two cases that have the same literal value will never execute
+    the second case. This is typically a copy-paste error where the case value
+    should be different.
+  aliases:
+    - CRT-D0007
+  tags:
+    - correctness
+    - go
+    - dead-code
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-switch-cases
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - dead-code
+  message:
+    title: Duplicate case `${captures.issue.text}` in switch statement
+    summary: "The switch contains two cases with the same value. The second case is unreachable."
+  remediation:
+    summary: >-
+      Remove or consolidate the duplicate case value into a single case.

package/rules/go/go.correctness.flag-pointer-immediate-deref.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.flag-pointer-immediate-deref
+  title: Immediate dereference of flag pointer
+  summary: Dereferencing the flag pointer at the call site defeats the purpose of using a flag method.
+  rationale: >-
+    Using *flag.String(...) immediately dereferences the pointer returned by
+    the flag function. The correct pattern is to assign the pointer to a
+    variable and dereference it after flag.Parse().
+  aliases:
+    - CRT-D0009
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.flag-pointer-immediate-deref
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Immediate dereference of flag pointer in `${captures.issue.text}`
+    summary: "Dereferencing a flag pointer immediately at the call site may evaluate before flag.Parse() is called."
+  remediation:
+    summary: >-
+      Assign the flag pointer to a variable, call flag.Parse(), then dereference
+      the pointer where the value is needed.