npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/go/go.bug-risk.reflect-makefunc-usage.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.bug-risk.reflect-makefunc-usage
+  title: "Use of reflect.MakeFunc — audit required"
+  summary: >-
+    `reflect.MakeFunc` dynamically constructs a function at runtime. This is
+    a powerful but dangerous operation — audit that type safety is preserved.
+  rationale: >-
+    `reflect.MakeFunc` creates a wrapper function around a given `reflect.Value`
+    (typically a function value). Misuse can lead to type confusion, runtime
+    panics, or unexpected behavior. Most usages are legitimate but warrant
+    manual review.
+  aliases:
+    - GO-W1006
+  tags:
+    - bug-risk
+    - go
+    - reflection
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.bug-risk.reflect-makefunc-usage
+    bind: issue
+emit:
+  finding:
+    category: bug-risk.reflection
+    severity: high
+    confidence: 0.85
+    tags:
+      - bug-risk
+      - go
+      - reflection
+  message:
+    title: reflect.MakeFunc usage — audit required
+    summary: >-
+      ${captures.issue.text} uses `reflect.MakeFunc`. Please audit that type
+      safety is preserved at runtime.
+  remediation:
+    summary: >-
+      Review the `reflect.MakeFunc` call to ensure type safety. Consider
+      whether the dynamic function construction can be replaced with a
+      statically-typed alternative.

package/rules/go/go.correctness.bare-return.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.bare-return
+  title: Use of bare return statements
+  summary: Bare returns in named-return functions return the current values of return parameters, which can be surprising.
+  rationale: >-
+    A bare `return` in a function with named return parameters returns the
+    current values of those parameters. While valid Go, bare returns can be
+    confusing to readers who must scan the function body to determine what
+    values are being returned.
+  aliases:
+    - GO-R3003
+  tags:
+    - correctness
+    - go
+    - clarity
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.bare-return
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: medium
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - clarity
+  message:
+    title: Bare return in named-return function
+    summary: >-
+      A bare `return` statement in `${captures.issue.text}` relies on named
+      return parameters. Consider using an explicit return for clarity.
+  remediation:
+    summary: >-
+      Replace bare `return` with `return result` (or the name of the return
+      parameter) to make the returned value explicit.

package/rules/go/go.correctness.boolean-literal-in-expression.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.boolean-literal-in-expression
+  title: Boolean literals in logic expressions
+  summary: Expressions like `flag == true` or `flag != false` can be simplified to the bare boolean value or its negation.
+  rationale: >-
+    Comparing a boolean value to `true` or `false` is redundant. `flag == true`
+    is equivalent to `flag`, and `flag == false` is equivalent to `!flag`.
+    Removing the comparison makes the intent clearer.
+  aliases:
+    - GO-R3004
+  tags:
+    - correctness
+    - go
+    - clarity
+    - simplification
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.boolean-literal-in-expression
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - clarity
+      - simplification
+  message:
+    title: Redundant boolean comparison in `${captures.issue.text}`
+    summary: >-
+      Comparing a boolean value to a literal `true` or `false` is redundant.
+      Use the bare boolean or its negation instead.
+  remediation:
+    summary: >-
+      Replace `flag == true` with `flag`, and `flag == false` with `!flag`.

package/rules/go/go.correctness.boolean-simplification.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.boolean-simplification
+  title: Boolean expression can be simplified
+  summary: Complex boolean expressions like `x > y - 1` or `x < y || x == y` can be written more concisely.
+  rationale: >-
+    Expressions such as `x > y - 1` can be written as `x >= y`, and
+    `x < y || x == y` can be simplified to `x <= y`. Simplified expressions are
+    easier to read and less error-prone.
+  aliases:
+    - CRT-D0018
+  tags:
+    - correctness
+    - go
+    - clarity
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.boolean-simplification
+    bind: issue
+emit:
+  finding:
+    category: correctness.clarity
+    severity: high
+    confidence: 0.7
+    tags:
+      - correctness
+      - go
+      - clarity
+  message:
+    title: Boolean expression can be simplified
+    summary: "This boolean expression can be simplified to a single comparison"
+  remediation:
+    summary: >-
+      Simplify `x > y - 1` to `x >= y`. Simplify `x < y || x == y` to
+      `x <= y`. Simplify `x > y || x == y` to `x >= y`.

package/rules/go/go.correctness.deferred-func-literal.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.deferred-func-literal
+  title: Deferred function literal can be simplified
+  summary: A `defer func() { bar() }()` wrapping a single call can be simplified to `defer bar()`.
+  rationale: >-
+    Wrapping a single function call in a deferred anonymous function is unnecessary
+    noise. The call can be deferred directly. Multi-statement bodies, bodies containing
+    control flow, and function literals with parameters are excluded because they
+    cannot be simplified.
+  aliases:
+    - GO-C4005
+  tags:
+    - correctness
+    - go
+    - simplification
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.deferred-func-literal
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - simplification
+  message:
+    title: Simplify deferred function literal to direct call
+    summary: >-
+      The expression `${captures.issue.text}` wraps a single function call in a
+      deferred anonymous function. It can be written as `defer call()` instead.
+  remediation:
+    summary: >-
+      Replace `defer func() { fn() }()` with `defer fn()`. The deferred call is
+      equivalent without the wrapping closure.

package/rules/go/go.correctness.duplicate-branch-body.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-branch-body
+  title: Duplicate body in adjacent branches
+  summary: Adjacent if-else branches have identical bodies. One branch is likely dead or wrong.
+  rationale: >-
+    When two consecutive branches in an if-else chain produce the same outcome,
+    one of the branches is suspicious. Either the conditions overlap or a
+    copy-paste error duplicated the body.
+  aliases:
+    - CRT-D0006
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-branch-body
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.75
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Duplicate body in adjacent branches
+    summary: "Two adjacent if-else branches have identical bodies (limited to single-line bodies)."
+  remediation:
+    summary: >-
+      Merge branches with the same outcome, or fix the branch condition or body
+      logic.

package/rules/go/go.correctness.duplicate-function-arguments.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-function-arguments
+  title: Duplicate function arguments
+  summary: Consecutive identical arguments may indicate a copy-paste error.
+  rationale: >-
+    Passing the same identifier as two consecutive arguments to a function call
+    is often a copy-paste mistake. The second argument should typically reference
+    a different value.
+  aliases:
+    - CRT-D0005
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-function-arguments
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Duplicate argument `${captures.issue.text}` passed to function
+    summary: "Two adjacent arguments in the function call are identical identifiers. This may be a copy-paste error."
+  remediation:
+    summary: >-
+      Verify that both arguments should reference different values. If
+      intentional, suppress the warning.

package/rules/go/go.correctness.duplicate-if-else-condition.rule.yaml ADDED Viewed

@@ -0,0 +1,54 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-if-else-condition
+  title: "if and else condition are the same"
+  summary: >-
+    The same boolean expression appears on both an `if` and the following
+    `else if` branch. This is likely a copy-paste error; the second condition
+    should probably be different.
+  rationale: >-
+    Identical conditions in `if` and `else if` branches mean the else-if body
+    is dead code — the `if` body always executes when the condition is true,
+    and the `else if` body executes only when the same condition is true again
+    (which is impossible in a single-evaluation model). This typically indicates
+    the developer forgot to update the condition after copying.
+  aliases:
+    - GO-W1002
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-if-else-condition
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.6
+    tags:
+      - correctness
+      - go
+  message:
+    title: Duplicate condition in if and else-if
+    summary: >-
+      ${captures.issue.text} — the condition is identical to the preceding if
+      branch. The else-if body is dead code.
+  remediation:
+    summary: >-
+      Review the logic and change the second condition to the intended
+      expression, or merge the branches if they are truly identical.

package/rules/go/go.correctness.duplicate-switch-cases.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.duplicate-switch-cases
+  title: Duplicate case in switch statement
+  summary: Duplicate case values mean the second case is unreachable.
+  rationale: >-
+    A switch with two cases that have the same literal value will never execute
+    the second case. This is typically a copy-paste error where the case value
+    should be different.
+  aliases:
+    - CRT-D0007
+  tags:
+    - correctness
+    - go
+    - dead-code
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.duplicate-switch-cases
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - dead-code
+  message:
+    title: Duplicate case `${captures.issue.text}` in switch statement
+    summary: "The switch contains two cases with the same value. The second case is unreachable."
+  remediation:
+    summary: >-
+      Remove or consolidate the duplicate case value into a single case.

package/rules/go/go.correctness.flag-pointer-immediate-deref.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.flag-pointer-immediate-deref
+  title: Immediate dereference of flag pointer
+  summary: Dereferencing the flag pointer at the call site defeats the purpose of using a flag method.
+  rationale: >-
+    Using *flag.String(...) immediately dereferences the pointer returned by
+    the flag function. The correct pattern is to assign the pointer to a
+    variable and dereference it after flag.Parse().
+  aliases:
+    - CRT-D0009
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.flag-pointer-immediate-deref
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Immediate dereference of flag pointer in `${captures.issue.text}`
+    summary: "Dereferencing a flag pointer immediately at the call site may evaluate before flag.Parse() is called."
+  remediation:
+    summary: >-
+      Assign the flag pointer to a variable, call flag.Parse(), then dereference
+      the pointer where the value is needed.

package/rules/go/go.correctness.hidden-goroutine.rule.yaml ADDED Viewed

@@ -0,0 +1,55 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.hidden-goroutine
+  title: Function body wraps entirety in hidden goroutine
+  summary: >-
+    A function whose entire body consists of a single `go func()` call
+    obscures the concurrent nature of the operation and makes error
+    handling and cancellation invisible to the caller.
+  rationale: >-
+    Wrapping an entire function body in a goroutine (`go func() { ... }()`)
+    hides the fact that the function runs concurrently. This makes it
+    impossible for the caller to await completion, handle errors, or
+    cancel the operation. Prefer explicit goroutine invocation at the
+    call site with proper error propagation via channels or errgroups.
+  aliases:
+    - GO-E1007
+  tags:
+    - correctness
+    - go
+    - concurrency
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.hidden-goroutine
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.55
+    tags:
+      - correctness
+      - go
+      - concurrency
+  message:
+    title: Function body is entirely wrapped in an anonymous goroutine
+    summary: "`${captures.issue.text}` wraps its entire body in `go func()` — concurrency is hidden from callers"
+  remediation:
+    summary: >-
+      Remove the enclosing goroutine and let the caller decide whether to
+      invoke the function concurrently. Use `errgroup.Group` or channels
+      for error propagation and cancellation.

package/rules/go/go.correctness.http-nobody-nil.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.http-nobody-nil
+  title: http.NoBody instead of nil
+  summary: Use http.NoBody for HTTP requests with no body instead of nil.
+  rationale: >-
+    When creating an HTTP request with `http.NewRequest` or
+    `http.NewRequestWithContext` where no body is needed, pass `http.NoBody`
+    instead of `nil`. `http.NoBody` is an explicit sentinel that indicates
+    no body is intended, while `nil` can be ambiguous.
+  aliases:
+    - GO-R4001
+  tags:
+    - correctness
+    - go
+    - api-usage
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.http-nobody-nil
+    bind: issue
+emit:
+  finding:
+    category: correctness.api-usage
+    severity: medium
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - api-usage
+  message:
+    title: Use `http.NoBody` instead of `nil` in `${captures.issue.text}`
+    summary: >-
+      An HTTP request is created with a `nil` body. Use `http.NoBody` instead
+      to explicitly signal no body is intended.
+  remediation:
+    summary: >-
+      Replace `nil` with `http.NoBody` as the body argument.
+      For example, `http.NewRequest("GET", url, http.NoBody)`.

package/rules/go/go.correctness.identical-binary-operands.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.identical-binary-operands
+  title: Binary operation with identical operands
+  summary: Identical expressions on both sides of an operator is likely a copy-paste error.
+  rationale: >-
+    Using the same expression on both sides of a binary operator (e.g., x == x,
+    a < b || a < b) does not change the outcome and indicates a bug or
+    tautology.
+  aliases:
+    - CRT-D0008
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.identical-binary-operands
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Binary operation with identical operands in `${captures.issue.text}`
+    summary: "Both sides of the operator are the same expression. This is likely a copy-paste bug."
+  remediation:
+    summary: >-
+      Replace one side with the intended expression or extract to a variable.