@felixarntz/biome 0.1.0 → 0.2.0

package/README.md

@@ -2,13 +2,21 @@
 
 Reusable [Biome](https://biomejs.dev) lint rules that make your agent produce better code in fewer review cycles, written as [GritQL plugins](https://biomejs.dev/linter/plugins/). Install the package once and reference the rules from any project's Biome config — either all of them with a single line, or individually as needed — without copying `.grit` files around.
 
+Rules cover aspects like type-safety escape hatches, prototype-chain-safe property access and iteration, safer dynamic-key object construction, and self-documenting function APIs.
+
 ## Rules
 
 | Rule | What it flags |
 | --- | --- |
 | `no-as-unknown-as` | `value as unknown as T` double assertions, which bypass TypeScript's type checking entirely. |
-| `no-in-operator` | The `in` operator, recommending `Object.hasOwn(obj, prop)` (which does not walk the prototype chain). |
-| `prefer-object-parameter` | Functions, methods, and constructors with more than one positional parameter, recommending a single object argument with named parameters instead. A leading TypeScript `this` parameter is not counted. |
+| `no-empty-object-accumulator` | `.reduce(..., {})` accumulator seeds, recommending `Object.create(null)` or `Map` for dynamic-key aggregation. |
+| `no-has-own-property` | Direct `obj.hasOwnProperty(key)` calls, recommending `Object.hasOwn(obj, key)` because the method can be missing or shadowed. |
+| `no-in-operator` | The `in` operator and `for...in`, recommending own-property checks and own-key iteration that do not walk the prototype chain. |
+| `no-object-assign-target` | `Object.assign({}, ...)` plain-object merge targets, recommending `Object.assign(Object.create(null), ...)`. |
+| `no-object-from-entries` | `Object.fromEntries(...)`, which creates a plain object with `Object.prototype` for dynamic keys. |
+| `no-prototype-mutation` | `Object.setPrototypeOf(...)` and `Reflect.setPrototypeOf(...)`, which mutate prototype chains. |
+| `no-prototype-property-access` | Direct `obj.__proto__` and `obj.constructor.prototype` access, which are common prototype-pollution primitives. |
+| `prefer-object-parameter` | Functions, methods, and constructors with more than one positional parameter, recommending a single object argument with named parameters instead. A leading TypeScript `this` parameter is not counted. Inline callbacks, whose signature is dictated by the calling API, are left alone. |
 
 ## Installation
 
@@ -39,8 +47,14 @@ Some of the rules are more opinionated than others. So if you don't want to use
 {
   "$schema": "https://biomejs.dev/schemas/2.4.16/schema.json",
   "plugins": [
-    "./node_modules/@felixarntz/biome/rules/no-in-operator.grit",
     "./node_modules/@felixarntz/biome/rules/no-as-unknown-as.grit",
+    "./node_modules/@felixarntz/biome/rules/no-empty-object-accumulator.grit",
+    "./node_modules/@felixarntz/biome/rules/no-has-own-property.grit",
+    "./node_modules/@felixarntz/biome/rules/no-in-operator.grit",
+    "./node_modules/@felixarntz/biome/rules/no-object-assign-target.grit",
+    "./node_modules/@felixarntz/biome/rules/no-object-from-entries.grit",
+    "./node_modules/@felixarntz/biome/rules/no-prototype-mutation.grit",
+    "./node_modules/@felixarntz/biome/rules/no-prototype-property-access.grit",
     "./node_modules/@felixarntz/biome/rules/prefer-object-parameter.grit"
   ]
 }
@@ -54,7 +68,7 @@ Some of the rules are more opinionated than others. So if you don't want to use
 
 ## `Object.hasOwn` type augmentation
 
-`no-in-operator` steers you toward `Object.hasOwn`, but the built-in TypeScript signature returns a plain `boolean` and therefore doesn't narrow the checked object. This package ships a type augmentation that restores narrowing parity with the `in` operator.
+`no-in-operator` and `no-has-own-property` steer you toward `Object.hasOwn`, but the built-in TypeScript signature returns a plain `boolean` and therefore doesn't narrow the checked object. This package ships a type augmentation that restores narrowing parity with the `in` operator.
 
 Enable it by importing it once from any `.ts`/`.d.ts` file that is part of your compilation:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@felixarntz/biome",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Reusable Biome (GritQL) lint rules that make your agent produce better code in fewer review cycles.",
   "license": "MIT",
   "keywords": [

package/rules/all.grit

@@ -7,23 +7,82 @@ or {
   `$value as unknown as $type` as $expr where {
     register_diagnostic(span=$expr, message="Avoid `as unknown as $type`. Double assertions through `unknown` bypass TypeScript's type checking entirely. Fix the underlying type mismatch instead.")
   },
-  `$prop in $obj` as $expr where {
-    register_diagnostic(span=$expr, message="Use `Object.hasOwn($obj, $prop)` instead of the `in` operator. `in` also walks the prototype chain, which is rarely the intended runtime check.")
+  `$items.reduce($reducer, {})` as $call where {
+    register_diagnostic(span=$call, message="Use `Object.create(null)` or `new Map()` instead of `{}` as a reducer accumulator. Plain object accumulators have a prototype chain that can leak into dynamic-key aggregation.")
+  },
+  `$obj.hasOwnProperty($...)` as $call where {
+    register_diagnostic(span=$call, message="Use `Object.hasOwn($obj, key)` instead of calling `hasOwnProperty()` on the object. The method can be missing on null-prototype objects or shadowed by user-controlled properties.")
+  },
+  or {
+    `$prop in $obj` as $expr,
+    JsForInStatement() as $expr
+  } where {
+    register_diagnostic(span=$expr, message="Avoid prototype-chain property checks and iteration. Use `Object.hasOwn($obj, $prop)` instead of the `in` operator, and `Object.keys()` or `Object.entries()` with `for...of` instead of `for...in`.")
+  },
+  `Object.assign($target, $...)` as $call where {
+    $target <: `{}`,
+    register_diagnostic(span=$call, message="Use `Object.assign(Object.create(null), ...)` instead of `Object.assign({}, ...)`. A plain object merge target has a prototype chain that can preserve prototype-pollution risk.")
+  },
+  `Object.fromEntries($...)` as $call where {
+    register_diagnostic(span=$call, message="Avoid `Object.fromEntries()` for dynamic keys. It creates a plain object with `Object.prototype`; use `Map`, a null-prototype helper, or explicit assignment into `Object.create(null)` instead.")
   },
   or {
-    JsParameters(items = $params) where {
-      or {
-        $params <: [TsThisParameter(), $second, $third, ...],
-        and {
-          $params <: [$first, $second, ...],
-          $first <: not TsThisParameter()
-        }
-      },
-      register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
+    `Object.setPrototypeOf($...)` as $call,
+    `Reflect.setPrototypeOf($...)` as $call
+  } where {
+    register_diagnostic(span=$call, message="Avoid mutating prototype chains with `setPrototypeOf()`. Prefer creating the intended shape up front with `Object.create(null)` or an explicit class/object model.")
+  },
+  or {
+    `$obj.__proto__` as $access,
+    `$obj.constructor.prototype` as $access
+  } where {
+    register_diagnostic(span=$access, message="Avoid direct prototype access through `__proto__` or `constructor.prototype`. These property paths are common prototype-pollution primitives; use explicit prototype APIs only in audited code.")
+  },
+  // Every arm below binds $params to a parameter items list, then the shared
+  // trailing where applies one multi-positional check and emits the diagnostic.
+  // The list is deliberately structural: it covers signatures whose author owns
+  // the parameter list -- named/declared functions, every method form (class,
+  // object, interface, abstract), constructors and construct signatures, function
+  // values assigned to a variable, and named function/constructor type aliases.
+  // It intentionally omits callback-shaped signatures whose parameter list is
+  // dictated by the API that calls them: arrow/function expressions passed inline
+  // (such as the reducer in arr.reduce(...)), object-property function values,
+  // class arrow fields, bare call signatures, and inline function types. Those
+  // cannot be rewritten to a single object parameter by the author, so flagging
+  // them only produces unfixable diagnostics.
+  //
+  // Grit parameterized pattern definitions do not compile in Biome, so the
+  // multi-positional check cannot be factored into a helper; the shared trailing
+  // where is how it stays written once.
+  or {
+    JsFunctionDeclaration(parameters = JsParameters(items = $params)),
+    TsDeclareFunctionDeclaration(parameters = JsParameters(items = $params)),
+    JsMethodClassMember(parameters = JsParameters(items = $params)),
+    TsMethodSignatureClassMember(parameters = JsParameters(items = $params)),
+    JsMethodObjectMember(parameters = JsParameters(items = $params)),
+    TsMethodSignatureTypeMember(parameters = JsParameters(items = $params)),
+    TsConstructSignatureTypeMember(parameters = JsParameters(items = $params)),
+    JsConstructorParameters(parameters = $params),
+    JsVariableDeclarator(initializer = JsInitializerClause(expression = $fn)) where {
+      $fn <: or {
+        JsArrowFunctionExpression(parameters = JsParameters(items = $params)),
+        JsFunctionExpression(parameters = JsParameters(items = $params))
+      }
     },
-    JsConstructorParameters(parameters = $params) where {
-      $params <: [$first, $second, ...],
-      register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
+    TsTypeAliasDeclaration(ty = $aliased) where {
+      $aliased <: or {
+        TsFunctionType(parameters = JsParameters(items = $params)),
+        TsConstructorType(parameters = JsParameters(items = $params))
+      }
     }
+  } where {
+    or {
+      $params <: [TsThisParameter(), $second, $third, ...],
+      and {
+        $params <: [$first, $second, ...],
+        $first <: not TsThisParameter()
+      }
+    },
+    register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
   }
 }

package/rules/no-empty-object-accumulator.grit

@@ -0,0 +1,5 @@
+language js
+
+`$items.reduce($reducer, {})` as $call where {
+  register_diagnostic(span=$call, message="Use `Object.create(null)` or `new Map()` instead of `{}` as a reducer accumulator. Plain object accumulators have a prototype chain that can leak into dynamic-key aggregation.")
+}

package/rules/no-has-own-property.grit

@@ -0,0 +1,5 @@
+language js
+
+`$obj.hasOwnProperty($...)` as $call where {
+  register_diagnostic(span=$call, message="Use `Object.hasOwn($obj, key)` instead of calling `hasOwnProperty()` on the object. The method can be missing on null-prototype objects or shadowed by user-controlled properties.")
+}

package/rules/no-in-operator.grit

@@ -1,5 +1,8 @@
 language js
 
-`$prop in $obj` as $expr where {
-  register_diagnostic(span=$expr, message="Use `Object.hasOwn($obj, $prop)` instead of the `in` operator. `in` also walks the prototype chain, which is rarely the intended runtime check.")
+or {
+  `$prop in $obj` as $expr,
+  JsForInStatement() as $expr
+} where {
+  register_diagnostic(span=$expr, message="Avoid prototype-chain property checks and iteration. Use `Object.hasOwn($obj, $prop)` instead of the `in` operator, and `Object.keys()` or `Object.entries()` with `for...of` instead of `for...in`.")
 }

package/rules/no-object-assign-target.grit

@@ -0,0 +1,6 @@
+language js
+
+`Object.assign($target, $...)` as $call where {
+  $target <: `{}`,
+  register_diagnostic(span=$call, message="Use `Object.assign(Object.create(null), ...)` instead of `Object.assign({}, ...)`. A plain object merge target has a prototype chain that can preserve prototype-pollution risk.")
+}

package/rules/no-object-from-entries.grit

@@ -0,0 +1,5 @@
+language js
+
+`Object.fromEntries($...)` as $call where {
+  register_diagnostic(span=$call, message="Avoid `Object.fromEntries()` for dynamic keys. It creates a plain object with `Object.prototype`; use `Map`, a null-prototype helper, or explicit assignment into `Object.create(null)` instead.")
+}

package/rules/no-prototype-mutation.grit

@@ -0,0 +1,8 @@
+language js
+
+or {
+  `Object.setPrototypeOf($...)` as $call,
+  `Reflect.setPrototypeOf($...)` as $call
+} where {
+  register_diagnostic(span=$call, message="Avoid mutating prototype chains with `setPrototypeOf()`. Prefer creating the intended shape up front with `Object.create(null)` or an explicit class/object model.")
+}

package/rules/no-prototype-property-access.grit

@@ -0,0 +1,8 @@
+language js
+
+or {
+  `$obj.__proto__` as $access,
+  `$obj.constructor.prototype` as $access
+} where {
+  register_diagnostic(span=$access, message="Avoid direct prototype access through `__proto__` or `constructor.prototype`. These property paths are common prototype-pollution primitives; use explicit prototype APIs only in audited code.")
+}

package/rules/prefer-object-parameter.grit

@@ -1,18 +1,49 @@
 language js
 
+// Every arm below binds $params to a parameter items list, then the shared
+// trailing where applies one multi-positional check and emits the diagnostic.
+// The list is deliberately structural: it covers signatures whose author owns
+// the parameter list -- named/declared functions, every method form (class,
+// object, interface, abstract), constructors and construct signatures, function
+// values assigned to a variable, and named function/constructor type aliases.
+// It intentionally omits callback-shaped signatures whose parameter list is
+// dictated by the API that calls them: arrow/function expressions passed inline
+// (such as the reducer in arr.reduce(...)), object-property function values,
+// class arrow fields, bare call signatures, and inline function types. Those
+// cannot be rewritten to a single object parameter by the author, so flagging
+// them only produces unfixable diagnostics.
+//
+// Grit parameterized pattern definitions do not compile in Biome, so the
+// multi-positional check cannot be factored into a helper; the shared trailing
+// where is how it stays written once.
 or {
-  JsParameters(items = $params) where {
-    or {
-      $params <: [TsThisParameter(), $second, $third, ...],
-      and {
-        $params <: [$first, $second, ...],
-        $first <: not TsThisParameter()
-      }
-    },
-    register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
+  JsFunctionDeclaration(parameters = JsParameters(items = $params)),
+  TsDeclareFunctionDeclaration(parameters = JsParameters(items = $params)),
+  JsMethodClassMember(parameters = JsParameters(items = $params)),
+  TsMethodSignatureClassMember(parameters = JsParameters(items = $params)),
+  JsMethodObjectMember(parameters = JsParameters(items = $params)),
+  TsMethodSignatureTypeMember(parameters = JsParameters(items = $params)),
+  TsConstructSignatureTypeMember(parameters = JsParameters(items = $params)),
+  JsConstructorParameters(parameters = $params),
+  JsVariableDeclarator(initializer = JsInitializerClause(expression = $fn)) where {
+    $fn <: or {
+      JsArrowFunctionExpression(parameters = JsParameters(items = $params)),
+      JsFunctionExpression(parameters = JsParameters(items = $params))
+    }
   },
-  JsConstructorParameters(parameters = $params) where {
-    $params <: [$first, $second, ...],
-    register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
+  TsTypeAliasDeclaration(ty = $aliased) where {
+    $aliased <: or {
+      TsFunctionType(parameters = JsParameters(items = $params)),
+      TsConstructorType(parameters = JsParameters(items = $params))
+    }
   }
+} where {
+  or {
+    $params <: [TsThisParameter(), $second, $third, ...],
+    and {
+      $params <: [$first, $second, ...],
+      $first <: not TsThisParameter()
+    }
+  },
+  register_diagnostic(span=$params, message="Use a single object argument with named parameters instead of multiple positional parameters. Object parameters keep call sites self-documenting and make argument order irrelevant.")
 }