npm - @critiq/rules - Versions diffs - 0.3.0 → 0.4.0 - Mend

@critiq/rules 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (735) hide show

package/rules/go/go.correctness.impossible-interface-nil-check.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.impossible-interface-nil-check
+  title: "Impossible interface nil check"
+  summary: >-
+    Interface value compared to nil when the underlying concrete type is always
+    non-nil. The nil check is always false because an interface holding a nil
+    concrete pointer is not itself nil.
+  rationale: >-
+    In Go, an interface value is nil only when both the type and value are nil.
+    A function returning `*MyError` (concrete pointer) assigned to an `error`
+    interface variable produces a non-nil interface even when the concrete
+    pointer is nil. The subsequent `if err != nil` check is always true,
+    masking potential bugs. For more detail, see the Go FAQ on nil error values.
+  aliases:
+    - GO-W1001
+  tags:
+    - correctness
+    - go
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.impossible-interface-nil-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.semantics
+    severity: high
+    confidence: 0.35
+    tags:
+      - correctness
+      - go
+      - experimental
+  message:
+    title: Interface nil check is always true
+    summary: >-
+      ${captures.issue.text} assigns a concrete pointer type to an error
+      interface — the nil check will never fire.
+  remediation:
+    summary: >-
+      Return `error` directly from the function instead of a concrete pointer
+      type, or check nil on the concrete value before assigning to the
+      interface. See the Go FAQ on nil error values for more details.

package/rules/go/go.correctness.incomplete-nil-check.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.incomplete-nil-check
+  title: Incomplete nil check on slice
+  summary: Checking `xs != nil` before indexing a slice is not sufficient — a non-nil empty slice still panics on index access.
+  rationale: >-
+    In Go, a nil slice has no elements, but an empty (non-nil) slice also has no
+    elements. Checking `xs != nil && xs[0] == ...` panics on an empty non-nil
+    slice. Use `len(xs) > 0` to guard against both nil and empty slices.
+  aliases:
+    - CRT-D0017
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.incomplete-nil-check
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Incomplete nil check on slice
+    summary: "Nil check on slice before index access — use `len(xs) > 0` instead to guard against empty non-nil slices"
+  remediation:
+    summary: >-
+      Replace `xs != nil && xs[index]` with `len(xs) > 0 && xs[index]` to
+      correctly handle both nil and empty slices.

package/rules/go/go.correctness.integer-truncation.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.integer-truncation
+  title: Potentially lossy integer truncation in comparison
+  summary: Narrowing an integer type before comparison may lose precision.
+  rationale: >-
+    When a wider integer type is narrowed (e.g., `int16(x)` where `x` is int32)
+    and then compared, the narrowing truncates the value before the comparison.
+    This can lead to incorrect results if the wider type holds values outside
+    the narrower type's range. Prefer widening the smaller type instead.
+  aliases:
+    - CRT-D0020
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.integer-truncation
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.65
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Lossy integer truncation in comparison
+    summary: "Comparing a value after narrowing conversion may lose precision — widen the smaller type instead"
+  remediation:
+    summary: >-
+      Instead of narrowing the wider type, widen the smaller type before
+      comparison. For example, replace `int16(x) < y` with `x < int32(y)`
+      where `x` is int32 and `y` is int16.

package/rules/go/go.correctness.interface-any-preferred.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.interface-any-preferred
+  title: Use `any` instead of `interface{}`
+  summary: Go 1.18 introduced `any` as an alias for `interface{}`. Prefer `any` for brevity.
+  rationale: >-
+    Since Go 1.18, `any` is a built-in alias for `interface{}`. Using `any`
+    is shorter and clearer. The `interface{}` syntax is older and more verbose.
+  aliases:
+    - GO-R3001
+  tags:
+    - correctness
+    - go
+    - clarity
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.interface-any-preferred
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - clarity
+  message:
+    title: Use `any` instead of `interface{}` in `${captures.issue.text}`
+    summary: >-
+      The `interface{}` type can be replaced with `any` (available since Go 1.18)
+      for shorter and clearer code.
+  remediation:
+    summary: >-
+      Replace `interface{}` with `any`. For example, `map[string]interface{}`
+      becomes `map[string]any`.

package/rules/go/go.correctness.nil-error-returned.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.nil-error-returned
+  title: Returning nil value with nil error
+  summary: Returning nil, nil may indicate a missing result or an error that should be returned instead.
+  rationale: >-
+    Returning nil for both the value and the error in a function that returns
+    (any, error) is often a mistake. The caller may expect a non-nil value on
+    success, or an error should be returned to indicate why the value is nil.
+  aliases:
+    - CRT-D0013
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.nil-error-returned
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: high
+    confidence: 0.65
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Returning nil value with nil error
+    summary: "Returning nil, nil in a function that returns (value, error) is suspicious. Provide a meaningful value or return an error."
+  remediation:
+    summary: >-
+      Return a meaningful value alongside nil, or return a non-nil error to
+      explain why the value is nil.

package/rules/go/go.correctness.off-by-one-index.rule.yaml ADDED Viewed

@@ -0,0 +1,48 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.off-by-one-index
+  title: Off-by-one index access
+  summary: Indexing an array or slice at len(arr) reads one past the last valid element.
+  rationale: >-
+    Accessing `arr[len(arr)]` panics at runtime because valid indices range from
+    0 to len(arr)-1. The correct access is `arr[len(arr)-1]` for the last element.
+  aliases:
+    - CRT-D0015
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.off-by-one-index
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Index at `len(arr)` is off-by-one
+    summary: "Indexing array/slice at `len(arr)` is off-by-one — last valid index is `len(arr)-1`"
+  remediation:
+    summary: >-
+      Use `arr[len(arr)-1]` to access the last element, or ensure the index is
+      strictly less than `len(arr)`.

package/rules/go/go.correctness.redundant-type-declaration.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.redundant-type-declaration
+  title: Redundant type in variable declaration
+  summary: The explicit type in `var count int = 10` is unnecessary — Go can infer it from the RHS literal.
+  rationale: >-
+    When a variable is declared with `var name Type = literal`, Go's type inference
+    can determine the type from the literal value. The explicit type annotation is
+    redundant and adds noise. Prefer `var name = literal` for clarity.
+  aliases:
+    - GO-C5001
+  tags:
+    - correctness
+    - go
+    - simplification
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.redundant-type-declaration
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.8
+    tags:
+      - correctness
+      - go
+      - simplification
+  message:
+    title: Redundant type declaration in `${captures.issue.text}`
+    summary: >-
+      The type annotation is redundant because Go can infer it from the literal
+      value on the right-hand side.
+  remediation:
+    summary: >-
+      Remove the explicit type. Write `var name = value` instead of
+      `var name Type = value`.

package/rules/go/go.correctness.signedness-casting.rule.yaml ADDED Viewed

@@ -0,0 +1,56 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.signedness-casting
+  title: Integer signedness lost through narrowing cast
+  summary: >-
+    Narrowing an integer type (e.g., `int8(x)`, `uint16(y)`) can lose
+    precision or produce unexpected results when the source value exceeds
+    the target type's range.
+  rationale: >-
+    Converting between integer types of different widths truncates the value.
+    For example, `int8(int16(200))` produces `-56` due to overflow. When
+    the result of `strconv.Atoi` or another integer expression is cast to a
+    narrower type, validate the value fits before converting, or widen the
+    target type instead.
+  aliases:
+    - GO-E1006
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.signedness-casting
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.55
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Narrowing integer cast may lose signedness
+    summary: "`${captures.issue.text}` narrows an integer value — the result may overflow or lose precision"
+  remediation:
+    summary: >-
+      Validate the source value fits within the target type's range before
+      casting, or widen the target type instead. For `strconv.Atoi` results,
+      check the value against `math.MinInt8` / `math.MaxInt8` etc. before
+      narrowing.

package/rules/go/go.correctness.string-concat-simplify.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.string-concat-simplify
+  title: String concatenation can be simplified
+  summary: String concatenation patterns like `strings.Join(parts, "")` or `fmt.Sprintf("%s%s", a, b)` can be simplified.
+  rationale: >-
+    Using `strings.Join` with an empty separator is equivalent to direct string
+    concatenation but is less readable. Similarly, `fmt.Sprintf` with only `%s`
+    placeholders can be replaced with `strings.Join` or direct concatenation
+    for clarity and performance.
+  aliases:
+    - GO-R4003
+  tags:
+    - correctness
+    - go
+    - simplification
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.string-concat-simplify
+    bind: issue
+emit:
+  finding:
+    category: correctness.simplification
+    severity: medium
+    confidence: 0.75
+    tags:
+      - correctness
+      - go
+      - simplification
+  message:
+    title: String concatenation can be simplified in `${captures.issue.text}`
+    summary: >-
+      This string concatenation pattern can be simplified. Use direct
+      concatenation or `strings.Join` for clarity.
+  remediation:
+    summary: >-
+      Replace `strings.Join(parts, "")` with direct concatenation, or
+      replace `fmt.Sprintf("%s%s...", a, b)` with `a + b`.

package/rules/go/go.correctness.suspicious-regex-pattern.rule.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.suspicious-regex-pattern
+  title: Suspicious unescaped dot in regex pattern
+  summary: An unescaped dot (`.`) in a regex pattern matches any character, not a literal dot.
+  rationale: >-
+    When using `regexp.Compile` or `regexp.MustCompile`, an unescaped dot in the
+    pattern matches any character (wildcard). For matching literal dots (e.g., in
+    domain names like `google.com`), the dot must be escaped as `\.`.
+  aliases:
+    - CRT-D0019
+  tags:
+    - correctness
+    - go
+    - bug-risk
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.suspicious-regex-pattern
+    bind: issue
+emit:
+  finding:
+    category: correctness.logic
+    severity: high
+    confidence: 0.75
+    tags:
+      - correctness
+      - go
+      - bug-risk
+  message:
+    title: Unescaped dot in regex pattern
+    summary: "Unescaped dot (`.`) in regex matches any character — escape it as `\\.` for a literal dot"
+  remediation:
+    summary: >-
+      Escape literal dots in regex patterns by replacing `.` with `\\.`. For
+      example, `google.com` should be `google\\.com`.

package/rules/go/go.correctness.terminal-call-with-defer.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.terminal-call-with-defer
+  title: Terminal call in function with deferred cleanup
+  summary: os.Exit/log.Fatal skips deferred calls, leaving resources in an inconsistent state.
+  rationale: >-
+    Functions that use defer for cleanup (closing files, releasing locks,
+    flushing buffers) must not call os.Exit or log.Fatal before the deferred
+    calls run. These calls terminate the program immediately, skipping deferred
+    cleanup.
+  aliases:
+    - CRT-D0011
+  tags:
+    - correctness
+    - go
+    - resource-leak
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.terminal-call-with-defer
+    bind: issue
+emit:
+  finding:
+    category: correctness.exceptions
+    severity: high
+    confidence: 0.85
+    tags:
+      - correctness
+      - go
+      - resource-leak
+  message:
+    title: Terminal call `${captures.issue.text}` in function with deferred cleanup
+    summary: "A function containing defer statements also calls os.Exit or log.Fatal, which skips deferred cleanup."
+  remediation:
+    summary: >-
+      Use return and propagate the error instead, or call deferred cleanup
+      explicitly before os.Exit.

package/rules/go/go.correctness.unexported-capital-name.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.unexported-capital-name
+  title: Un-exportable symbol starts with capital
+  summary: Unexported types with exported fields may indicate a design inconsistency.
+  rationale: >-
+    An unexported (lowercase) struct type with exported (uppercase) fields is
+    often unintentional. If the type is not exported, its fields should typically
+    also be unexported to avoid leaking implementation details through the
+    package boundary. Legitimate exceptions include fields like `ID` or `URL`.
+  aliases:
+    - GO-R3005
+  tags:
+    - correctness
+    - go
+    - design
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.unexported-capital-name
+    bind: issue
+emit:
+  finding:
+    category: correctness.design
+    severity: medium
+    confidence: 0.7
+    tags:
+      - correctness
+      - go
+      - design
+  message:
+    title: Unexported type `${captures.issue.text}` has exported fields
+    summary: >-
+      An unexported struct type contains fields starting with an uppercase
+      letter. Consider whether the fields should also be unexported.
+  remediation:
+    summary: >-
+      Either export the type by capitalizing its name, or make the fields
+      unexported by starting them with a lowercase letter.

package/rules/go/go.correctness.unnecessary-dereference.rule.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: go.correctness.unnecessary-dereference
+  title: Unnecessary dereference expressions
+  summary: Unnecessary pointer dereference when accessing struct fields or indexing — Go auto-dereferences pointers in these contexts.
+  rationale: >-
+    Go automatically dereferences pointers when accessing struct fields (`ptr.field`
+    instead of `(*ptr).field`) and when indexing into arrays, slices, or maps
+    (`ptr[index]` instead of `(*ptr)[index]`). The explicit dereference is redundant
+    and adds noise to the code.
+  aliases:
+    - CRT-S0012
+    - GO-R4004
+  tags:
+    - correctness
+    - go
+    - simplification
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - go
+  paths:
+    include:
+      - "**/*.go"
+    exclude:
+      - "**/*_test.go"
+      - "**/testdata/**"
+      - "**/vendor/**"
+match:
+  fact:
+    kind: go.correctness.unnecessary-dereference
+    bind: issue
+emit:
+  finding:
+    category: correctness.style
+    severity: high
+    confidence: 0.9
+    tags:
+      - correctness
+      - go
+      - simplification
+  message:
+    title: Unnecessary dereference in `${captures.issue.text}`
+    summary: >-
+      The pointer dereference `${captures.issue.text}` is unnecessary — Go
+      auto-dereferences pointers for field access and indexing.
+  remediation:
+    summary: >-
+      Remove the unnecessary dereference. Use `ptr.field` instead of
+      `(*ptr).field`, or `(*ptr).field` instead of `(**ptr).field`.