@critiq/rules 0.3.0 → 0.4.0

package/rules/ruby/ruby.bug-risk.with-object-value-unused.rule.yaml

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.bug-risk.with-object-value-unused
+  title: with_object called but object value unused
+  summary: >-
+    `with_object` or `each_with_object` is called but the block only receives
+    one argument. The accumulated object is silently discarded.
+  rationale: >-
+    When `with_object` is used with a single-argument block, the memo object
+    is created but never used. Either use both arguments or use a plain
+    iteration method.
+  aliases:
+    - RB-LI1053
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.bug-risk.with-object-value-unused
+    bind: issue
+emit:
+  finding:
+    category: correctness.language
+    severity: high
+    confidence: 0.85
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: >-
+      "`${captures.issue.text}` matches
+      `ruby.bug-risk.with-object-value-unused`."
+  remediation:
+    summary: >-
+      Add a second block parameter to capture the accumulator object, or
+      replace with a plain `each` if no accumulator is needed.

package/rules/ruby/ruby.performance.efficient-hash-search.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.efficient-hash-search
+  title: Prefer `key?` and `value?` over `.keys.include?` and `.values.include?`
+  summary: >-
+    `.keys.include?(...)` and `.values.include?(...)` allocate a new array
+    of all keys or values before searching. Use `key?` or `has_value?` instead.
+  rationale: >-
+    Extracting all keys or values into an array before checking membership
+    allocates an O(n) array. Using `key?` or `has_value?` searches without
+    intermediate allocation.
+  aliases:
+    - RB-PR1012
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.efficient-hash-search
+    bind: issue
+emit:
+  finding:
+    category: performance.lookup
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Use `key?` or `has_value?` instead of `.keys.include?`/`.values.include?`
+    summary: "`${captures.issue.text}` allocates a temporary array to search the hash."
+  remediation:
+    summary: >-
+      Replace `.keys.include?(k)` with `.key?(k)` and `.values.include?(v)`
+      with `.has_value?(v)` to avoid intermediate array allocation.

package/rules/ruby/ruby.performance.enumerable-index-by.rule.yaml

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.enumerable-index-by
+  title: Use index_by instead of map+to_h to create a hash from an enumerable
+  summary: >-
+    Uses `.map { |e| [e.key, e] }.to_h` which can be replaced with
+    `.index_by(&:key)` for clearer intent and better performance.
+  rationale: >-
+    ActiveSupport's `Enumerable#index_by` is specifically designed for the
+    common pattern of creating a hash where keys are derived from each element.
+    It avoids creating an intermediate array and is more readable than the
+    equivalent `.map { |e| [e.key, e] }.to_h` pattern.
+  aliases:
+    - RB-RL1058
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+    - performance
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.performance.enumerable-index-by
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.7
+    tags:
+      - performance
+      - ruby
+  message:
+    title: "Use `.index_by(&:key)` instead of `.map { |e| [e.key, e] }.to_h`"
+    summary: "'${captures.issue.text}' builds a hash from `.map` + `.to_h`. Use `.index_by(&:key)` for better performance and clarity."
+  remediation:
+    summary: >-
+      Replace `.map { |e| [e.key, e] }.to_h` with `.index_by(&:key)`.
+      If the value is not the element itself, use `.index_by { |e| e.key }.transform_values { |e| transform(e) }`.

package/rules/ruby/ruby.performance.enumerable-index-with.rule.yaml

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.enumerable-index-with
+  title: Use index_with instead of map+to_h to create a hash from an enumerable
+  summary: >-
+    Uses `.map { |e| [e, e.value] }.to_h` which can be replaced with
+    `.index_with(&:value)` for clearer intent and better performance.
+  rationale: >-
+    ActiveSupport's `Enumerable#index_with` is specifically designed for the
+    common pattern of creating a hash where elements are keys and values are
+    derived from each element. It avoids creating an intermediate array and is
+    more readable than the equivalent `.map { |e| [e, e.value] }.to_h` pattern.
+  aliases:
+    - RB-RL1059
+  detection:
+    kind: pattern
+  tags:
+    - rules-catalog
+    - ruby
+    - performance
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.performance.enumerable-index-with
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.7
+    tags:
+      - performance
+      - ruby
+  message:
+    title: "Use `.index_with(&:value)` instead of `.map { |e| [e, e.value] }.to_h`"
+    summary: "'${captures.issue.text}' builds a hash from `.map` + `.to_h`. Use `.index_with(&:value)` for better performance and clarity."
+  remediation:
+    summary: >-
+      Replace `.map { |e| [e, e.value] }.to_h` with `.index_with(&:value)`.
+      If the value expression is more complex than a simple attribute access,
+      use `.index_with { |e| complex_expression(e) }`.

package/rules/ruby/ruby.performance.merge-single-key.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.merge-single-key
+  title: Prefer direct assignment over `merge!` with a single key
+  summary: >-
+    `.merge!({key: value})` for a single key creates an intermediate hash.
+    Use direct assignment `self[:key] = value` instead.
+  rationale: >-
+    Creating a hash literal and passing it to `merge!` allocates a temporary
+    hash object. Direct key assignment avoids the intermediate allocation and
+    is more readable for single-key updates.
+  aliases:
+    - RB-PR1017
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.merge-single-key
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Use direct assignment instead of single-key `merge!`
+    summary: "`${captures.issue.text}` creates a temporary hash for a single-key update. Use direct assignment."
+  remediation:
+    summary: >-
+      Replace `hash.merge!(key: value)` with `hash[:key] = value` to avoid
+      allocating a temporary hash object.

package/rules/ruby/ruby.performance.no-static-size-computation.rule.yaml

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.no-static-size-computation
+  title: Avoid computing size of static arrays and hashes
+  summary: >-
+    Calling `.count`, `.size`, or `.length` on a static array or hash literal
+    computes a value known at parse-time. Prefer assigning the literal to a
+    constant or using the literal directly.
+  rationale: >-
+    Static collections have a fixed size known at compile time. Calling
+    `.count`/`.size`/`.length` on them adds unnecessary runtime overhead
+    compared to using the known constant value.
+  aliases:
+    - RB-PR1010
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.no-static-size-computation
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Avoid calling `.count`/`.size`/`.length` on static collection
+    summary: "`${captures.issue.text}` computes the size of a static collection at runtime."
+  remediation:
+    summary: >-
+      Replace the dynamic size computation with the known literal value, or
+      assign the collection to a constant and reference its size directly.

package/rules/ruby/ruby.performance.prefer-delete-prefix.rule.yaml

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.prefer-delete-prefix
+  title: Use delete_prefix instead of gsub with \A-anchored regex
+  summary: >-
+    Calling `gsub(/\Aprefix/, '')` compiles and runs a regex to strip a literal
+    prefix. `String#delete_prefix` is faster and clearer.
+  rationale: >-
+    Using `gsub` with a `\A`-anchored regex and an empty replacement string
+    to strip a prefix incurs regex compilation and matching overhead.
+    `String#delete_prefix` performs a simple string comparison, which is
+    significantly faster and more readable.
+  aliases:
+    - RB-PR1026
+  detection:
+    kind: pattern
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.performance.prefer-delete-prefix
+    bind: issue
+emit:
+  finding:
+    category: performance.computation
+    severity: medium
+    confidence: 0.75
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Replace `gsub(/\A.../, '')` with `delete_prefix`
+    summary: "'${captures.issue.text}' uses a regex to strip a prefix. Use `delete_prefix` instead."
+  remediation:
+    summary: >-
+      Replace `str.gsub(/\Aprefix/, '')` with `str.delete_prefix('prefix')`.
+      `delete_prefix` avoids regex overhead and expresses intent more clearly.
+      Note: `delete_prefix` only works for literal prefixes — verify the regex
+      body contains no metacharacters before applying this change.

package/rules/ruby/ruby.performance.prefer-delete-suffix.rule.yaml

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.prefer-delete-suffix
+  title: Use delete_suffix instead of gsub with \z-anchored regex
+  summary: >-
+    Calling `gsub(/suffix\z/, '')` compiles and runs a regex to strip a literal
+    suffix. `String#delete_suffix` is faster and clearer.
+  rationale: >-
+    Using `gsub` with a `\z`-anchored regex and an empty replacement string
+    to strip a suffix incurs regex compilation and matching overhead.
+    `String#delete_suffix` performs a simple string comparison, which is
+    significantly faster and more readable.
+  aliases:
+    - RB-PR1027
+  detection:
+    kind: pattern
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.performance.prefer-delete-suffix
+    bind: issue
+emit:
+  finding:
+    category: performance.computation
+    severity: medium
+    confidence: 0.75
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Replace `gsub(/...\z/, '')` with `delete_suffix`
+    summary: "'${captures.issue.text}' uses a regex to strip a suffix. Use `delete_suffix` instead."
+  remediation:
+    summary: >-
+      Replace `str.gsub(/suffix\z/, '')` with `str.delete_suffix('suffix')`.
+      `delete_suffix` avoids regex overhead and expresses intent more clearly.
+      Note: `delete_suffix` only works for literal suffixes — verify the regex
+      body contains no metacharacters before applying this change.

package/rules/ruby/ruby.performance.prefer-flat-map.rule.yaml

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.prefer-flat-map
+  title: Prefer `flat_map` over `map { ... }.flatten`
+  summary: >-
+    `.map { ... }.flatten` iterates the collection and then flattens the result
+    in a second pass. `flat_map` combines both operations in a single pass.
+  rationale: >-
+    Using `.flat_map` instead of `.map { ... }.flatten` avoids an intermediate
+    array allocation and a second iteration, reducing memory and CPU overhead.
+  aliases:
+    - RB-PR1011
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.prefer-flat-map
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Replace `.map { ... }.flatten` with `flat_map`
+    summary: "`${captures.issue.text}` chains `.map` and `.flatten`. Use `.flat_map` instead."
+  remediation:
+    summary: >-
+      Replace `.map { ... }.flatten` with `.flat_map { ... }` to combine
+      mapping and flattening in a single pass.

package/rules/ruby/ruby.performance.prefer-struct-over-openstruct.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.prefer-struct-over-openstruct
+  title: Prefer `Struct` over `OpenStruct`
+  summary: >-
+    `OpenStruct.new` is significantly slower and more memory-intensive than
+    `Struct.new` for fixed-schema data objects.
+  rationale: >-
+    OpenStruct uses `define_method` dynamically and stores data in a hash,
+    making it slower to create and access. For fixed-schema objects, Struct
+    provides better performance and type safety.
+  aliases:
+    - RB-PR1013
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.prefer-struct-over-openstruct
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Replace `OpenStruct` with `Struct` for fixed-schema data
+    summary: "`${captures.issue.text}` creates an OpenStruct which is slower and more memory-intensive than Struct."
+  remediation:
+    summary: >-
+      Replace `OpenStruct.new(...)` with `Struct.new(...)` or a dedicated
+      class definition for better performance and type safety.

package/rules/ruby/ruby.performance.range-cover-over-include.rule.yaml

@@ -0,0 +1,43 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.range-cover-over-include
+  title: Prefer `cover?` over `include?` for range membership
+  summary: >-
+    `Range#include?` iterates the range to check membership, while
+    `Range#cover?` uses a simple comparison. For numeric ranges, `cover?`
+    is significantly faster.
+  rationale: >-
+    `include?` on a Range checks each element sequentially for contiguous
+    numeric ranges, while `cover?` simply compares against the endpoints.
+    `cover?` is O(1) versus O(n) for `include?` on large ranges.
+  aliases:
+    - RB-PR1014
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.range-cover-over-include
+    bind: issue
+emit:
+  finding:
+    category: performance.allocation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Use `cover?` instead of `include?` for range membership checks
+    summary: "`${captures.issue.text}` uses `include?` on a Range. Use `cover?` for O(1) comparison."
+  remediation:
+    summary: >-
+      Replace `range.include?(value)` with `range.cover?(value)` for
+      numeric or string ranges to use endpoint comparison instead of iteration.

package/rules/ruby/ruby.performance.regex-match-over-match.rule.yaml

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.regex-match-over-match
+  title: Prefer `match?` over `match` for boolean checks
+  summary: >-
+    `.match(...)` used as a boolean condition allocates a MatchData object.
+    Use `.match?(...)` or `===` instead when the match result is not needed.
+  rationale: >-
+    `String#match` returns a MatchData object, incurring allocation overhead.
+    `String#match?` (Ruby 2.4+) returns a boolean without allocating, and is
+    significantly faster when only a boolean check is needed.
+  aliases:
+    - RB-PR1016
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.regex-match-over-match
+    bind: issue
+emit:
+  finding:
+    category: performance.computation
+    severity: medium
+    confidence: 0.66
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Use `match?` instead of `match` for boolean checks
+    summary: "`${captures.issue.text}` uses `.match()` in a condition. Use `.match?()` to avoid MatchData allocation."
+  remediation:
+    summary: >-
+      Replace `.match(/pattern/)` with `.match?(/pattern/)` when the match
+      result is not captured, to avoid MatchData allocation overhead.

package/rules/ruby/ruby.performance.yield-over-block-call.rule.yaml

@@ -0,0 +1,41 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.performance.yield-over-block-call
+  title: Prefer `yield` over explicit `block.call`
+  summary: >-
+    Methods that accept a block with `&block` and call it via `block.call`
+    should use implicit `yield` instead for better performance.
+  rationale: >-
+    Using `yield` is faster than capturing a block into a proc and calling
+    `.call` because it avoids proc allocation and method dispatch overhead.
+  aliases:
+    - RB-PR1015
+  tags:
+    - performance
+    - ruby
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+match:
+  fact:
+    kind: ruby.performance.yield-over-block-call
+    bind: issue
+emit:
+  finding:
+    category: performance.computation
+    severity: medium
+    confidence: 0.5
+    tags:
+      - performance
+      - ruby
+  message:
+    title: Use `yield` instead of `block.call`
+    summary: "`${captures.issue.text}` captures a block and calls it explicitly. Use implicit `yield`."
+  remediation:
+    summary: >-
+      Remove the `&block` parameter and use implicit `yield` to invoke the
+      block, avoiding proc allocation and call overhead.

package/rules/ruby/ruby.security.io-shell-command.rule.yaml

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ruby.security.io-shell-command
+  title: Avoid IO class reads that may invoke shell commands
+  summary: >-
+    IO.read and related IO class methods can spawn subprocesses when the path starts with a pipe.
+  rationale: >-
+    IO.read and related IO class methods can spawn subprocesses when the path starts with a pipe.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-78
+      title: Improper Neutralization of Special Elements used in an OS Command
+    - kind: url
+      title: RuboCop Security/IoMethods
+      url: https://docs.rubocop.org/rubocop/cops_security.html#securityiometrics
+  tags:
+    - security
+    - rules-catalog
+    - ruby
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - ruby
+  paths:
+    include:
+      - "**/*.rb"
+    exclude:
+      - "**/vendor/**"
+      - "**/node_modules/**"
+match:
+  fact:
+    kind: ruby.security.io-shell-command
+    bind: issue
+emit:
+  finding:
+    category: security.command-injection
+    severity: critical
+    confidence: 0.9
+    tags:
+      - ruby
+  message:
+    title: Review `${captures.issue.text}`
+    summary: "`${captures.issue.text}` matches `ruby.security.io-shell-command`."
+  remediation:
+    summary: >-
+      IO.read and related IO class methods can spawn subprocesses when the path starts with a pipe.