@felixarntz/biome 0.1.1 → 0.2.0

package/README.md

@@ -2,12 +2,20 @@
 
 Reusable [Biome](https://biomejs.dev) lint rules that make your agent produce better code in fewer review cycles, written as [GritQL plugins](https://biomejs.dev/linter/plugins/). Install the package once and reference the rules from any project's Biome config — either all of them with a single line, or individually as needed — without copying `.grit` files around.
 
+Rules cover aspects like type-safety escape hatches, prototype-chain-safe property access and iteration, safer dynamic-key object construction, and self-documenting function APIs.
+
 ## Rules
 
 | Rule | What it flags |
 | --- | --- |
 | `no-as-unknown-as` | `value as unknown as T` double assertions, which bypass TypeScript's type checking entirely. |
-| `no-in-operator` | The `in` operator, recommending `Object.hasOwn(obj, prop)` (which does not walk the prototype chain). |
+| `no-empty-object-accumulator` | `.reduce(..., {})` accumulator seeds, recommending `Object.create(null)` or `Map` for dynamic-key aggregation. |
+| `no-has-own-property` | Direct `obj.hasOwnProperty(key)` calls, recommending `Object.hasOwn(obj, key)` because the method can be missing or shadowed. |
+| `no-in-operator` | The `in` operator and `for...in`, recommending own-property checks and own-key iteration that do not walk the prototype chain. |
+| `no-object-assign-target` | `Object.assign({}, ...)` plain-object merge targets, recommending `Object.assign(Object.create(null), ...)`. |
+| `no-object-from-entries` | `Object.fromEntries(...)`, which creates a plain object with `Object.prototype` for dynamic keys. |
+| `no-prototype-mutation` | `Object.setPrototypeOf(...)` and `Reflect.setPrototypeOf(...)`, which mutate prototype chains. |
+| `no-prototype-property-access` | Direct `obj.__proto__` and `obj.constructor.prototype` access, which are common prototype-pollution primitives. |
 | `prefer-object-parameter` | Functions, methods, and constructors with more than one positional parameter, recommending a single object argument with named parameters instead. A leading TypeScript `this` parameter is not counted. Inline callbacks, whose signature is dictated by the calling API, are left alone. |
 
 ## Installation
@@ -39,8 +47,14 @@ Some of the rules are more opinionated than others. So if you don't want to use
 {
   "$schema": "https://biomejs.dev/schemas/2.4.16/schema.json",
   "plugins": [
-    "./node_modules/@felixarntz/biome/rules/no-in-operator.grit",
     "./node_modules/@felixarntz/biome/rules/no-as-unknown-as.grit",
+    "./node_modules/@felixarntz/biome/rules/no-empty-object-accumulator.grit",
+    "./node_modules/@felixarntz/biome/rules/no-has-own-property.grit",
+    "./node_modules/@felixarntz/biome/rules/no-in-operator.grit",
+    "./node_modules/@felixarntz/biome/rules/no-object-assign-target.grit",
+    "./node_modules/@felixarntz/biome/rules/no-object-from-entries.grit",
+    "./node_modules/@felixarntz/biome/rules/no-prototype-mutation.grit",
+    "./node_modules/@felixarntz/biome/rules/no-prototype-property-access.grit",
     "./node_modules/@felixarntz/biome/rules/prefer-object-parameter.grit"
   ]
 }
@@ -54,7 +68,7 @@ Some of the rules are more opinionated than others. So if you don't want to use
 
 ## `Object.hasOwn` type augmentation
 
-`no-in-operator` steers you toward `Object.hasOwn`, but the built-in TypeScript signature returns a plain `boolean` and therefore doesn't narrow the checked object. This package ships a type augmentation that restores narrowing parity with the `in` operator.
+`no-in-operator` and `no-has-own-property` steer you toward `Object.hasOwn`, but the built-in TypeScript signature returns a plain `boolean` and therefore doesn't narrow the checked object. This package ships a type augmentation that restores narrowing parity with the `in` operator.
 
 Enable it by importing it once from any `.ts`/`.d.ts` file that is part of your compilation:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@felixarntz/biome",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "Reusable Biome (GritQL) lint rules that make your agent produce better code in fewer review cycles.",
   "license": "MIT",
   "keywords": [

package/rules/all.grit

@@ -7,8 +7,36 @@ or {
   `$value as unknown as $type` as $expr where {
     register_diagnostic(span=$expr, message="Avoid `as unknown as $type`. Double assertions through `unknown` bypass TypeScript's type checking entirely. Fix the underlying type mismatch instead.")
   },
-  `$prop in $obj` as $expr where {
-    register_diagnostic(span=$expr, message="Use `Object.hasOwn($obj, $prop)` instead of the `in` operator. `in` also walks the prototype chain, which is rarely the intended runtime check.")
+  `$items.reduce($reducer, {})` as $call where {
+    register_diagnostic(span=$call, message="Use `Object.create(null)` or `new Map()` instead of `{}` as a reducer accumulator. Plain object accumulators have a prototype chain that can leak into dynamic-key aggregation.")
+  },
+  `$obj.hasOwnProperty($...)` as $call where {
+    register_diagnostic(span=$call, message="Use `Object.hasOwn($obj, key)` instead of calling `hasOwnProperty()` on the object. The method can be missing on null-prototype objects or shadowed by user-controlled properties.")
+  },
+  or {
+    `$prop in $obj` as $expr,
+    JsForInStatement() as $expr
+  } where {
+    register_diagnostic(span=$expr, message="Avoid prototype-chain property checks and iteration. Use `Object.hasOwn($obj, $prop)` instead of the `in` operator, and `Object.keys()` or `Object.entries()` with `for...of` instead of `for...in`.")
+  },
+  `Object.assign($target, $...)` as $call where {
+    $target <: `{}`,
+    register_diagnostic(span=$call, message="Use `Object.assign(Object.create(null), ...)` instead of `Object.assign({}, ...)`. A plain object merge target has a prototype chain that can preserve prototype-pollution risk.")
+  },
+  `Object.fromEntries($...)` as $call where {
+    register_diagnostic(span=$call, message="Avoid `Object.fromEntries()` for dynamic keys. It creates a plain object with `Object.prototype`; use `Map`, a null-prototype helper, or explicit assignment into `Object.create(null)` instead.")
+  },
+  or {
+    `Object.setPrototypeOf($...)` as $call,
+    `Reflect.setPrototypeOf($...)` as $call
+  } where {
+    register_diagnostic(span=$call, message="Avoid mutating prototype chains with `setPrototypeOf()`. Prefer creating the intended shape up front with `Object.create(null)` or an explicit class/object model.")
+  },
+  or {
+    `$obj.__proto__` as $access,
+    `$obj.constructor.prototype` as $access
+  } where {
+    register_diagnostic(span=$access, message="Avoid direct prototype access through `__proto__` or `constructor.prototype`. These property paths are common prototype-pollution primitives; use explicit prototype APIs only in audited code.")
   },
   // Every arm below binds $params to a parameter items list, then the shared
   // trailing where applies one multi-positional check and emits the diagnostic.

package/rules/no-empty-object-accumulator.grit

@@ -0,0 +1,5 @@
+language js
+
+`$items.reduce($reducer, {})` as $call where {
+  register_diagnostic(span=$call, message="Use `Object.create(null)` or `new Map()` instead of `{}` as a reducer accumulator. Plain object accumulators have a prototype chain that can leak into dynamic-key aggregation.")
+}

package/rules/no-has-own-property.grit

@@ -0,0 +1,5 @@
+language js
+
+`$obj.hasOwnProperty($...)` as $call where {
+  register_diagnostic(span=$call, message="Use `Object.hasOwn($obj, key)` instead of calling `hasOwnProperty()` on the object. The method can be missing on null-prototype objects or shadowed by user-controlled properties.")
+}

package/rules/no-in-operator.grit

@@ -1,5 +1,8 @@
 language js
 
-`$prop in $obj` as $expr where {
-  register_diagnostic(span=$expr, message="Use `Object.hasOwn($obj, $prop)` instead of the `in` operator. `in` also walks the prototype chain, which is rarely the intended runtime check.")
+or {
+  `$prop in $obj` as $expr,
+  JsForInStatement() as $expr
+} where {
+  register_diagnostic(span=$expr, message="Avoid prototype-chain property checks and iteration. Use `Object.hasOwn($obj, $prop)` instead of the `in` operator, and `Object.keys()` or `Object.entries()` with `for...of` instead of `for...in`.")
 }

package/rules/no-object-assign-target.grit

@@ -0,0 +1,6 @@
+language js
+
+`Object.assign($target, $...)` as $call where {
+  $target <: `{}`,
+  register_diagnostic(span=$call, message="Use `Object.assign(Object.create(null), ...)` instead of `Object.assign({}, ...)`. A plain object merge target has a prototype chain that can preserve prototype-pollution risk.")
+}

package/rules/no-object-from-entries.grit

@@ -0,0 +1,5 @@
+language js
+
+`Object.fromEntries($...)` as $call where {
+  register_diagnostic(span=$call, message="Avoid `Object.fromEntries()` for dynamic keys. It creates a plain object with `Object.prototype`; use `Map`, a null-prototype helper, or explicit assignment into `Object.create(null)` instead.")
+}

package/rules/no-prototype-mutation.grit

@@ -0,0 +1,8 @@
+language js
+
+or {
+  `Object.setPrototypeOf($...)` as $call,
+  `Reflect.setPrototypeOf($...)` as $call
+} where {
+  register_diagnostic(span=$call, message="Avoid mutating prototype chains with `setPrototypeOf()`. Prefer creating the intended shape up front with `Object.create(null)` or an explicit class/object model.")
+}

package/rules/no-prototype-property-access.grit

@@ -0,0 +1,8 @@
+language js
+
+or {
+  `$obj.__proto__` as $access,
+  `$obj.constructor.prototype` as $access
+} where {
+  register_diagnostic(span=$access, message="Avoid direct prototype access through `__proto__` or `constructor.prototype`. These property paths are common prototype-pollution primitives; use explicit prototype APIs only in audited code.")
+}