@critiq/rules 0.3.0 → 0.4.0

package/rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml

@@ -4,7 +4,7 @@ metadata:
   id: ts.security.observable-timing-discrepancy
   title: Use constant-time secret comparison
   summary: Secrets and tokens should not be compared with ordinary equality operators.
-  rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material.
+  rationale: Ordinary string comparison can leak timing differences that help attackers guess secret material. Note that the current heuristic is pattern-based without taint tracking and produces false positives on non-secret comparisons.
   detection:
     kind: pattern
   references:
@@ -32,8 +32,8 @@ match:
 emit:
   finding:
     category: security.cryptography
-    severity: high
-    confidence: 0.9
+    severity: medium
+    confidence: 0.55
     tags:
       - security
       - cryptography

package/rules/typescript/ts.security.open-redirect.rule.yaml

@@ -27,6 +27,12 @@ scope:
     - javascript
     - java
     - go
+    - python
+  paths:
+    exclude:
+      - "**/lib/**"
+      - "**/node_modules/**"
+      - "**/vendor/**"
 match:
   fact:
     kind: security.open-redirect

package/rules/typescript/ts.security.path-join-user-input.rule.yaml

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.path-join-user-input
+  title: Avoid user-controlled path segments in path.join and path.resolve
+  summary: Path construction APIs should not consume request- or upload-derived segments without a trusted root and validation.
+  rationale: Joining external input into filesystem paths can enable directory traversal outside the intended base directory.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-22
+      title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+    - kind: owasp
+      title: Path Traversal
+      url: https://owasp.org/www-community/attacks/Path_Traversal
+  tags:
+    - security
+    - filesystem
+    - path-traversal
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+match:
+  fact:
+    kind: security.path-join-user-input
+    bind: issue
+emit:
+  finding:
+    category: security.filesystem
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - filesystem
+      - path-traversal
+  message:
+    title: Validate path segments passed to `${captures.issue.text}`
+    summary: "`${captures.issue.text}` joins external input into a filesystem path without a validated trusted root."
+  remediation:
+    summary: Resolve files under a fixed base directory and validate or allowlist user-supplied segments before joining paths.

package/rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.sensitive-data-written-to-file
-  title: Avoid writing sensitive data to files
-  summary: Data exports and local file writes should not persist raw secrets or personal fields.
-  rationale: Static files, exports, and backups are easy to copy or retain beyond their intended lifetime.
+  title: Sensitive data written to file
+  summary: File writes that persist fields like passwords, tokens, secrets, credentials, or PII (email, SSN, phone) risk data exposure.
+  rationale: Static files, exports, backups, and logs are easy to copy or retain beyond their intended lifetime. Sensitive fields should be redacted or excluded before writing.
   detection:
     kind: pattern
   references:
@@ -25,6 +25,16 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/__tests__/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/scripts/**"
+      - "**/deprecated-packages/**"
+      - "**/benchmarks/**"
 match:
   fact:
     kind: security.sensitive-data-written-to-file
@@ -32,7 +42,7 @@ match:
 emit:
   finding:
     category: security.privacy
-    severity: high
+    severity: medium
     confidence: 0.9
     tags:
       - security
@@ -40,8 +50,8 @@ emit:
       - filesystem
   message:
     title: Remove sensitive fields before `${captures.issue.text}`
-    summary: "`${captures.issue.text}` writes sensitive data into a local file sink."
+    summary: "`${captures.issue.text}` writes data containing sensitive fields (password, token, secret, credential, email, SSN, phone) to a file. This risks data exposure if the file is leaked, backed up, or retained beyond its intended lifetime."
   remediation:
-    summary: Redact, hash, or exclude the sensitive fields before writing the file.
+    summary: Remove sensitive fields (passwords, tokens, secrets, credentials, email, SSN, phone) before writing to a file. Destructure to exclude them, or hash/encrypt the values. Build scripts, benchmarks, test fixtures, and deprecated packages are exempt.
 
 

package/rules/typescript/ts.security.ssrf.rule.yaml

@@ -24,6 +24,7 @@ scope:
     - typescript
     - javascript
     - go
+    - python
 match:
   fact:
     kind: security.ssrf

package/rules/typescript/ts.security.unsafe-dirname-path-concat.rule.yaml

@@ -14,10 +14,13 @@ metadata:
     - kind: owasp
       title: File Upload Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
+  aliases:
+    - JS-0262
   tags:
     - security
     - filesystem
     - rules-catalog
+    - public-directory-parity
   stability: stable
   appliesTo: block
 scope:

package/rules/typescript/ts.security.unsanitized-http-response.rule.yaml

@@ -2,8 +2,8 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.unsanitized-http-response
-  title: Avoid unsafe raw HTTP response output
-  summary: Raw response writers should not echo request data into HTML-capable responses without trusted escaping or sanitization.
+  title: Avoid raw response output driven by request input
+  summary: Raw response sinks should not echo request data without escaping or sanitization. JSON.stringify and JSON responses are excluded — their output is not executable markup.
   rationale: Directly reflecting request data into HTML-capable response sinks creates reflected XSS and content injection risk.
   detection:
     kind: pattern
@@ -25,6 +25,17 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/sandbox/**"
+      - "**/tests/setup/**"
+      - "**/tests/smoke/**"
+      - "**/e2e/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/test/**"
+      - "**/tests/**"
 match:
   fact:
     kind: security.unsanitized-http-response
@@ -32,7 +43,7 @@ match:
 emit:
   finding:
     category: security.output-encoding
-    severity: high
+    severity: medium
     confidence: 0.88
     tags:
       - security

package/rules/typescript/ts.security.user-controlled-regexp.rule.yaml

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.user-controlled-regexp
+  title: Avoid user-controlled regular expression patterns
+  summary: Regular expression construction should not consume request-derived pattern strings without validation.
+  rationale: Attacker-controlled regex patterns can trigger catastrophic backtracking and block the Node.js event loop.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-1333
+      title: Inefficient Regular Expression Complexity
+    - kind: owasp
+      title: Denial of Service Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
+  tags:
+    - security
+    - redos
+    - input-validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+      - "**/vendor/**"
+      - "**/lib/**"
+match:
+  fact:
+    kind: security.user-controlled-regexp
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.84
+    tags:
+      - security
+      - redos
+      - input-validation
+  message:
+    title: Validate regex pattern before `${captures.issue.text}`
+    summary: "`${captures.issue.text}` builds a regular expression from request-controlled input."
+  remediation:
+    summary: Use fixed or allowlisted regex patterns, or validate and bound user-supplied patterns before compiling them.

package/rules/typescript/ts.testing.no-flaky-timer-test.rule.yaml

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.testing.no-flaky-timer-test
-  title: Prefer fake timers in unit tests
-  summary: Real timers, sleeps, or wall-clock reads in unit tests are flaky unless fake timers are enabled for the file.
-  rationale: Wall-clock based tests race CI load and parallelization; fake timers keep behavior deterministic.
+  title: Avoid timer-dependent assertions in unit tests
+  summary: Unit tests using real timers (setTimeout/setInterval with delays >50ms) without fake timers may produce flaky results under CI load.
+  rationale: Wall-clock-based tests race CI load and parallelization; fake timers keep behavior deterministic. Performance measurement (performance.now, Date.now) and sub-50ms micro-delays for event-loop yielding are exempt.
   tags:
     - testing
     - quality
@@ -27,12 +27,12 @@ emit:
   finding:
     category: quality.testing
     severity: low
-    confidence: 0.68
+    confidence: 0.55
     tags:
       - testing
       - timers
   message:
-    title: Stabilize timer usage in `${captures.issue.text}`
-    summary: "`${captures.issue.text}` uses real timers or wall-clock reads without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file."
+    title: Timer-dependent assertion without fake timers in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` uses real timers with a delay >50ms without `jest.useFakeTimers` / `vi.useFakeTimers` in the same file. Micro-delays (<=50ms) and performance clocks (performance.now, Date.now) are not flagged."
   remediation:
-    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing assertions behind a test double.
+    summary: Enable fake timers for the suite, inject a clock abstraction, or move timing-dependent assertions behind a test double. If the delay is intentional for testing a timeout path, consider using jest.advanceTimersByTime instead of real waits.

package/rules/typescript/ts.testing.no-legacy-test-waiter.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.no-legacy-test-waiter
+  title: Avoid legacy test waiters
+  summary: Deprecated test waiting APIs like wait(), waitForElement(), and waitForDomChange() should be replaced with waitFor().
+  rationale: These APIs were removed in React Testing Library v13+ and create brittle, timing-dependent tests. The modern waitFor() API provides a more reliable and consistent approach to waiting for asynchronous DOM changes.
+  aliases:
+    - JS-0794
+  tags:
+    - testing
+    - quality
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.legacy-waiter
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: high
+    confidence: 0.82
+    tags:
+      - testing
+      - migration
+  message:
+    title: Replace legacy test waiter with waitFor
+    summary: "${captures.issue.text} uses a deprecated testing-library waiter API. Use waitFor() instead."
+  remediation:
+    summary: Replace wait(), waitForElement(), or waitForDomChange() calls with waitFor() from the same testing-library package.

package/rules/typescript/ts.testing.no-network-call-in-unit-test.rule.yaml

@@ -18,7 +18,13 @@ scope:
   paths:
     exclude:
       - "**/e2e/**"
+      - "**/browser/**"
+      - "**/smoke/**"
+      - "**/sandbox/**"
+      - "**/setup/**"
       - "**/*.integration.test.*"
+      - "**/*.browser.test.*"
+      - "**/*.smoke.test.*"
 match:
   fact:
     kind: testing.real-network-in-unit-test
@@ -26,7 +32,7 @@ match:
 emit:
   finding:
     category: quality.testing
-    severity: medium
+    severity: low
     confidence: 0.74
     tags:
       - testing

package/rules/typescript/ts.testing.no-skipped-test-without-ticket.rule.yaml

@@ -28,7 +28,7 @@ emit:
       - testing
       - coverage
   message:
-    title: Add a ticket or suppression note for `${captures.issue.text}`
-    summary: "`${captures.issue.text}` skips a test without an adjacent issue key, GitHub issue URL, or TODO(expires) style note."
+    title: Skipped test lacks adequate justification — add a reason, ticket, or comment
+    summary: "`${captures.issue.text}` skips a test without a descriptive name, explicit reason string, ticket reference, or explanatory comment."
   remediation:
-    summary: Link the skip to a tracker id, add a short expiry note, or replace the skip with a focused assertion.
+    summary: Add a descriptive test name, explicit reason string, ticket reference, or explanatory comment to document why this test is skipped.

package/rules/typescript/ts.testing.useless-assertion.rule.yaml

@@ -0,0 +1,37 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.testing.useless-assertion
+  title: Useless assertion testing a constant value
+  summary: Assertions that compare a static primitive literal against itself will never fail.
+  rationale: "`expect(true).toBe(true)` or similar tautological assertions always pass regardless of code behavior. They indicate leftover debug code or a mistaken test."
+  aliases:
+    - JS-W1039
+  tags:
+    - testing
+    - correctness
+    - rules-catalog
+    - public-directory-parity
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: testing.useless-assertion
+    bind: issue
+emit:
+  finding:
+    category: quality.testing
+    severity: medium
+    confidence: 0.95
+    tags:
+      - testing
+      - quality
+  message:
+    title: Useless assertion
+    summary: "`${captures.issue.text}` is a tautological assertion that always passes."
+  remediation:
+    summary: Replace the assertion with a meaningful check against actual runtime values, or remove dead test code.

package/rules/typescript/ts.vue.emits-validator-return-boolean.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.emits-validator-return-boolean
+  title: Emits validators must return a boolean
+  summary: "Emit event validators are expected to return a boolean value indicating whether the event payload is valid."
+  rationale: Vue emits validators, like prop validators, are expected to return a boolean. Returning non-boolean values or omitting the return statement can lead to unexpected behavior. Validators that return nothing or return non-boolean values make the emit always appear valid.
+  aliases:
+    - JS-0660
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.emits-validator-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.75
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Return boolean from emits validator
+    summary: "${captures.issue.text} has an emits validator that does not return a boolean. Add a boolean return statement."
+  remediation:
+    summary: "Ensure each emits validator function returns a boolean value. For example: `emits: { submit: (payload) => { return typeof payload === 'string'; } }`."

package/rules/typescript/ts.vue.no-browser-globals-in-created.rule.yaml

@@ -0,0 +1,39 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-browser-globals-in-created
+  title: Avoid browser globals in server-side lifecycle hooks
+  summary: The created and beforeCreate hooks may run on the server during SSR; accessing window or document there causes errors.
+  rationale: In Nuxt and other SSR Vue frameworks, the created and beforeCreate hooks execute on both server and client. Accessing browser-only globals like window or document in these hooks will throw ReferenceError during SSR. Move browser access to mounted() or use client-side guards.
+  aliases:
+    - JS-E1001
+  tags:
+    - nuxt
+    - vue
+    - correctness
+    - rules-catalog
+    - public-directory-parity
+  stability: experimental
+  appliesTo: file
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.nuxt.browser-global-in-created-lifecycle
+    bind: issue
+emit:
+  finding:
+    category: correctness.framework
+    severity: high
+    confidence: 0.85
+    tags:
+      - nuxt
+      - vue
+      - correctness
+  message:
+    title: Move browser global access out of server-side hook
+    summary: "`${captures.issue.text}` accesses a browser global in a server-side lifecycle hook."
+  remediation:
+    summary: Move window/document access to mounted() or guard with process.client check.

package/rules/typescript/ts.vue.no-computed-missing-dependency.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-computed-missing-dependency
+  title: Declare external dependencies in computed properties
+  summary: Vue computed properties referencing data Vue cannot reactively track should declare explicit dependencies.
+  rationale: Vue 2 computed properties auto-track reactive dependencies accessed via `this.*` but cannot track module-level variables, window properties, or other non-reactive sources. Explicit `dependencies` arrays make the dependency contract visible and prevent stale computed values.
+  aliases:
+    - JS-0813
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.computed-missing-dependency
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.72
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Computed property references external dependency
+    summary: "Computed property `${captures.issue.text}` references external data that Vue cannot reactively track."
+  remediation:
+    summary: Add an explicit `dependencies` array to the computed property, or move the external reference to a reactive data property.

package/rules/typescript/ts.vue.no-computed-mutation.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-computed-mutation
+  title: Avoid mutating variables inside computed properties
+  summary: Computed properties should not produce side effects such as assignments or array mutations.
+  rationale: Vue computed properties must be pure functions that derive values from reactive data. Mutations inside computed getters violate the unidirectional data flow model and create unpredictable reactivity behavior.
+  aliases:
+    - JS-0615
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.computed-mutation
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.80
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Avoid mutation inside computed property
+    summary: "${captures.issue.text} mutates state inside a computed property getter."
+  remediation:
+    summary: Move the mutation to a method, watch, or action. Computed properties should only read reactive state and return a derived value.

package/rules/typescript/ts.vue.no-data-object-declaration.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-data-object-declaration
+  title: Deprecation of Object Declaration on data
+  summary: The `data` option in Vue components must be a function, not an object literal, to avoid shared state across instances.
+  rationale: When `data` is declared as a plain object, all component instances share the same reference. This causes cross-instance state corruption. Vue requires `data` to be a function that returns a fresh object for each instance.
+  aliases:
+    - JS-0629
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.data-object-declaration
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.95
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Replace object literal data with a function
+    summary: "${captures.issue.text} declares data as a plain object. Use a function that returns the object instead."
+  remediation:
+    summary: "Change `data: { ... }` to `data() { return { ... }; }` to ensure each component instance gets its own reactive state."

package/rules/typescript/ts.vue.no-deprecated-keycodes-config.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-deprecated-keycodes-config
+  title: Avoid deprecated Vue.config.keyCodes
+  summary: "Vue.config.keyCodes was removed in Vue 3. Use key alias modifiers directly instead."
+  rationale: Vue 2 allowed custom keycode aliases via `Vue.config.keyCodes`. Vue 3 removes this API entirely and requires the use of standard key names. Directly reference key names with `@keyup.enter` rather than configuring custom numeric mappings.
+  aliases:
+    - JS-0657
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.deprecated-keycodes-config
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.90
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Replace Vue.config.keyCodes with key alias modifiers
+    summary: "${captures.issue.text} uses the deprecated Vue.config.keyCodes API. Use key alias modifiers instead."
+  remediation:
+    summary: "Remove `Vue.config.keyCodes` assignments. Reference key names directly in templates using `@keyup.enter`, `@keyup.escape`, or other standard key aliases supported by Vue 3."

package/rules/typescript/ts.vue.no-deprecated-listeners.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.vue.no-deprecated-listeners
+  title: Prefer $attrs over $listeners
+  summary: "$listeners was deprecated in Vue 3. Use $attrs instead, which now includes both attributes and listeners."
+  rationale: Vue 3 merges `$listeners` into `$attrs`, making the separate `$listeners` property obsolete. All event listeners passed to a component are now accessible via `$attrs.onXxx` or through the `inheritAttrs` mechanism.
+  aliases:
+    - JS-0655
+  tags:
+    - vue
+    - correctness
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: framework.vue.deprecated-listeners
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: medium
+    confidence: 0.70
+    tags:
+      - vue
+      - correctness
+  message:
+    title: Replace $listeners with $attrs
+    summary: "${captures.issue.text} uses the deprecated $listeners API. Use $attrs instead."
+  remediation:
+    summary: "Replace `this.$listeners` with `this.$attrs`. In Vue 3, listeners are merged into `$attrs` and can be forwarded with `v-bind=\"$attrs\"`."