@pyreon/lint 0.12.13 → 0.12.15

package/src/rules/hooks/no-raw-setinterval.ts

@@ -1,4 +1,6 @@
 import type { Rule, VisitorCallbacks } from '../../types'
+import { isPathExempt } from '../../utils/exempt-paths'
+import { createComponentContextTracker } from '../../utils/component-context'
 import { getSpan, isCallTo } from '../../utils/ast'
 
 const TIMER_FNS = new Set(['setInterval', 'setTimeout'])
@@ -10,16 +12,28 @@ export const noRawSetInterval: Rule = {
     description: 'Suggest wrapping setInterval/setTimeout in onMount for automatic cleanup.',
     severity: 'info',
     fixable: false,
+    schema: { exemptPaths: 'string[]' },
   },
   create(context) {
+    // Configurable `exemptPaths` — for packages that IMPLEMENT
+    // `useInterval` / `useTimeout` (they can't use themselves).
+    if (isPathExempt(context)) return {}
+
+    // Only flag when *inside* a component / hook setup body. Module-level
+    // timers, utility functions, and test callbacks have their own
+    // lifecycle and don't need component-tied cleanup.
+    const ctx = createComponentContextTracker()
+
     let mountDepth = 0
     const callbacks: VisitorCallbacks = {
+      ...ctx.callbacks,
       CallExpression(node: any) {
         if (isCallTo(node, 'onMount')) {
           mountDepth++
         }
 
         if (mountDepth > 0) return
+        if (!ctx.isInComponentOrHook()) return
 
         const callee = node.callee
         if (!callee || callee.type !== 'Identifier') return

package/src/rules/index.ts

@@ -10,6 +10,7 @@ import { noCrossLayerImport } from './architecture/no-cross-layer-import'
 import { noDeepImport } from './architecture/no-deep-import'
 import { noErrorWithoutPrefix } from './architecture/no-error-without-prefix'
 import { noProcessDevGate } from './architecture/no-process-dev-gate'
+import { requireBrowserSmokeTest } from './architecture/require-browser-smoke-test'
 import { noSubmitWithoutValidation } from './form/no-submit-without-validation'
 // Form
 import { noUnregisteredField } from './form/no-unregistered-field'
@@ -108,13 +109,14 @@ export const allRules: Rule[] = [
   noWindowInSsr,
   noMismatchRisk,
   preferRequestContext,
-  // Architecture (6)
+  // Architecture (7)
   noCircularImport,
   noDeepImport,
   noCrossLayerImport,
   devGuardWarnings,
   noErrorWithoutPrefix,
   noProcessDevGate,
+  requireBrowserSmokeTest,
   // Store (3)
   noStoreOutsideProvider,
   noMutateStoreState,
@@ -187,6 +189,7 @@ export {
   noPeekInTracked,
   noProcessDevGate,
   noPropsDestructure,
+  requireBrowserSmokeTest,
   // Hooks
   noRawAddEventListener,
   noRawLocalStorage,

package/src/rules/jsx/no-props-destructure.ts

@@ -42,25 +42,40 @@ export const noPropsDestructure: Rule = {
   },
   create(context) {
     let functionDepth = 0
+    // oxc visitor doesn't pass `parent` to callbacks — previous
+    // `parent?.type === 'CallExpression'` check was silently inert. Pre-mark
+    // function nodes that appear as CallExpression arguments on the way in.
+    const callArgFns = new WeakSet<any>()
 
     const callbacks: VisitorCallbacks = {
+      CallExpression(node: any) {
+        for (const arg of node.arguments ?? []) {
+          if (
+            arg?.type === 'ArrowFunctionExpression' ||
+            arg?.type === 'FunctionExpression' ||
+            arg?.type === 'FunctionDeclaration'
+          ) {
+            callArgFns.add(arg)
+          }
+        }
+      },
       ArrowFunctionExpression(node: any) {
         functionDepth++
-        checkFunction(node, context, functionDepth)
+        checkFunction(node, context, functionDepth, callArgFns)
       },
       'ArrowFunctionExpression:exit'() {
         functionDepth--
       },
       FunctionDeclaration(node: any) {
         functionDepth++
-        checkFunction(node, context, functionDepth)
+        checkFunction(node, context, functionDepth, callArgFns)
       },
       'FunctionDeclaration:exit'() {
         functionDepth--
       },
       FunctionExpression(node: any) {
         functionDepth++
-        checkFunction(node, context, functionDepth)
+        checkFunction(node, context, functionDepth, callArgFns)
       },
       'FunctionExpression:exit'() {
         functionDepth--
@@ -70,7 +85,7 @@ export const noPropsDestructure: Rule = {
   },
 }
 
-function checkFunction(node: any, context: any, depth: number) {
+function checkFunction(node: any, context: any, depth: number, callArgFns: WeakSet<any>) {
   const params = node.params
   if (!params || params.length === 0) return
 
@@ -82,8 +97,7 @@ function checkFunction(node: any, context: any, depth: number) {
 
   // Skip functions passed as arguments to HOC factories
   // e.g. createLink(({ href, ...rest }) => <a {...rest} />)
-  const parent = node.parent
-  if (parent?.type === 'CallExpression' && parent.arguments?.includes(node)) return
+  if (callArgFns.has(node)) return
 
   const body = node.body
   if (!body) return

package/src/rules/lifecycle/no-dom-in-setup.ts

@@ -18,12 +18,74 @@ export const noDomInSetup: Rule = {
     fixable: false,
   },
   create(context) {
-    let safeDepth = 0 // inside onMount or effect
+    let safeDepth = 0
+    function isSafeContextCall(node: any): boolean {
+      // Lifecycle + effect hooks only run post-mount in a browser.
+      // `onUnmount` / `onCleanup` fire after the component has mounted so
+      // the DOM exists. `renderEffect` is the signal-system equivalent of
+      // `effect`. `requestAnimationFrame` only schedules its callback
+      // inside a browser frame, so its body is always post-setup execution.
+      return (
+        isCallTo(node, 'onMount') ||
+        isCallTo(node, 'onUnmount') ||
+        isCallTo(node, 'onCleanup') ||
+        isCallTo(node, 'effect') ||
+        isCallTo(node, 'renderEffect') ||
+        isCallTo(node, 'requestAnimationFrame')
+      )
+    }
+    // `if (typeof document === 'undefined') return|throw` at the head of a
+    // function makes the rest of the body implicitly browser-safe — the
+    // SSR path bailed out. Same heuristic as `no-window-in-ssr`.
+    function isNegatedTypeofDocument(test: any): boolean {
+      if (!test) return false
+      if (
+        test.type === 'BinaryExpression' &&
+        (test.operator === '===' || test.operator === '==') &&
+        test.left?.type === 'UnaryExpression' &&
+        test.left.operator === 'typeof' &&
+        test.left.argument?.type === 'Identifier' &&
+        (test.left.argument.name === 'document' || test.left.argument.name === 'window')
+      )
+        return true
+      return false
+    }
+    function isEarlyReturnDocumentGuard(stmt: any): boolean {
+      if (!stmt || stmt.type !== 'IfStatement') return false
+      if (!isNegatedTypeofDocument(stmt.test)) return false
+      const c = stmt.consequent
+      const isTerminator = (s: any): boolean =>
+        s?.type === 'ReturnStatement' || s?.type === 'ThrowStatement'
+      if (isTerminator(c)) return true
+      if (c?.type === 'BlockStatement' && c.body.length === 1 && isTerminator(c.body[0]))
+        return true
+      return false
+    }
+    // Per-function depth bumps from early-return guards — popped on exit.
+    const earlyReturnStack: number[] = []
+    function pushFunctionScope(node: any) {
+      const body = node?.body
+      const stmts = body?.type === 'BlockStatement' ? body.body : null
+      let bumps = 0
+      if (stmts && stmts.length > 0 && isEarlyReturnDocumentGuard(stmts[0])) {
+        bumps = 1
+        safeDepth++
+      }
+      earlyReturnStack.push(bumps)
+    }
+    function popFunctionScope() {
+      const bumps = earlyReturnStack.pop() ?? 0
+      if (bumps > 0) safeDepth -= bumps
+    }
     const callbacks: VisitorCallbacks = {
+      FunctionDeclaration: pushFunctionScope,
+      'FunctionDeclaration:exit': popFunctionScope,
+      FunctionExpression: pushFunctionScope,
+      'FunctionExpression:exit': popFunctionScope,
+      ArrowFunctionExpression: pushFunctionScope,
+      'ArrowFunctionExpression:exit': popFunctionScope,
       CallExpression(node: any) {
-        if (isCallTo(node, 'onMount') || isCallTo(node, 'effect')) {
-          safeDepth++
-        }
+        if (isSafeContextCall(node)) safeDepth++
 
         if (safeDepth > 0) return
 
@@ -43,9 +105,7 @@ export const noDomInSetup: Rule = {
         }
       },
       'CallExpression:exit'(node: any) {
-        if (isCallTo(node, 'onMount') || isCallTo(node, 'effect')) {
-          safeDepth--
-        }
+        if (isSafeContextCall(node)) safeDepth--
       },
     }
     return callbacks

package/src/rules/reactivity/no-bare-signal-in-jsx.ts

@@ -1,6 +1,17 @@
 import type { Rule, VisitorCallbacks } from '../../types'
 import { getSpan } from '../../utils/ast'
 
+// `use…`/`get…`/`is…`/`has…` are conventional hook/getter prefixes — not
+// signal reads. `[A-Z]…` covers component invocations. The skip-names set
+// covers framework VNode-producing helpers whose call sites always produce
+// JSX, not signal values:
+//   - `render`     — `@pyreon/ui-core` render-prop helper
+//   - `h`          — `@pyreon/core` hyperscript (JSX runtime)
+//   - `cloneVNode` — `@pyreon/core` VNode-tree cloner (used by kinetic)
+// Matching is on full identifier name, so user-defined signals with these
+// exact names would slip through; rename to `rendered`/`hyperscript`/etc.
+// or move the read outside JSX.
+const SKIP_NAMES = new Set(['render', 'h', 'cloneVNode'])
 const SKIP_PREFIXES = /^(use|get|is|has|[A-Z])/
 
 export const noBareSignalInJsx: Rule = {
@@ -35,7 +46,7 @@ export const noBareSignalInJsx: Rule = {
         if (!callee || callee.type !== 'Identifier') return
 
         const name: string = callee.name
-        if (SKIP_PREFIXES.test(name)) return
+        if (SKIP_NAMES.has(name) || SKIP_PREFIXES.test(name)) return
 
         const span = getSpan(node)
         const source = context.getSourceText()

package/src/rules/reactivity/no-unbatched-updates.ts

@@ -1,5 +1,6 @@
 import type { Rule, VisitorCallbacks } from '../../types'
 import { getSpan, isCallTo, isSetCall } from '../../utils/ast'
+import { isPathExempt } from '../../utils/exempt-paths'
 
 interface ScopeInfo {
   setCalls: Array<{ span: { start: number; end: number } }>
@@ -15,8 +16,10 @@ export const noUnbatchedUpdates: Rule = {
     description: 'Warn when 3+ .set() calls occur in the same function without batch().',
     severity: 'warn',
     fixable: false,
+    schema: { exemptPaths: 'string[]' },
   },
   create(context) {
+    if (isPathExempt(context)) return {}
     const scopeStack: ScopeInfo[] = []
     let batchDepth = 0
 

package/src/rules/router/no-imperative-navigate-in-render.ts

@@ -11,73 +11,169 @@ export const noImperativeNavigateInRender: Rule = {
     fixable: false,
   },
   create(context) {
-    // Track depth of component functions and safe callback wrappers
-    // We detect components via VariableDeclarator with PascalCase name + ArrowFunctionExpression init,
-    // or FunctionDeclaration with PascalCase name.
-    // "Safe" = onMount/effect/onUnmount callbacks or JSX event handlers.
+    // The rule fires when `navigate()` / `router.push()` runs synchronously
+    // as part of rendering the component — the infinite-render-loop case.
+    //
+    // The render path consists of the component body itself PLUS any nested
+    // function that is called synchronously from the render body (IIFEs,
+    // locally-bound fns that are invoked immediately). Nested functions
+    // that are stored (assigned to a const, returned, passed as a callback
+    // to an event handler / setTimeout / .then) are deferred execution and
+    // don't contribute to the render-loop bug.
     let componentBodyDepth = 0
-    let safeDepth = 0
+    // Depth inside a nested non-component function AT ALL — used to scope
+    // call-tracking (we only record nested-fn calls while inside a
+    // component body, not in module-level code).
+    let nestedFnDepth = 0
+    // Arrow/Function expressions that are the direct init of a PascalCase
+    // `VariableDeclarator` (= component assignment) — marked so the
+    // ArrowFn/FunctionExpression visitor knows to NOT count them as nested.
+    const componentInits = new WeakSet<any>()
+    // Names of locally-bound nested fns (e.g. `const fn = () => router.push(...)`)
+    // whose body contains a dangerous navigation call. Populated during the
+    // nested fn's walk; checked on synchronous `fn()` calls in the render
+    // body. Stack-scoped to the enclosing component so nested components
+    // don't leak bindings.
+    const dangerousBindings: Array<Set<string>> = []
+    // When we're inside a nested fn whose binding might be dangerous, mark
+    // the current nested fn as "contains navigate" if we see one.
+    const nestedFnStack: Array<{ containsNavigate: boolean; bindingName: string | null }> = []
+
+    function isComponentFunctionDecl(node: any): boolean {
+      return /^[A-Z]/.test(node.id?.name ?? '')
+    }
+
+    function enterNestedFn(node: any, bindingName: string | null) {
+      nestedFnDepth++
+      nestedFnStack.push({ containsNavigate: false, bindingName })
+    }
+    function exitNestedFn() {
+      nestedFnDepth--
+      const frame = nestedFnStack.pop()
+      if (!frame) return
+      if (frame.containsNavigate && frame.bindingName && dangerousBindings.length > 0) {
+        dangerousBindings[dangerousBindings.length - 1]!.add(frame.bindingName)
+      }
+    }
+
+    function isNavigateCall(node: any): boolean {
+      return isCallTo(node, 'navigate') || isMemberCallTo(node, 'router', 'push')
+    }
 
     const callbacks: VisitorCallbacks = {
       FunctionDeclaration(node: any) {
-        const name: string = node.id?.name ?? ''
-        if (/^[A-Z]/.test(name)) {
+        if (isComponentFunctionDecl(node)) {
           componentBodyDepth++
+          dangerousBindings.push(new Set())
+        } else if (componentBodyDepth > 0) {
+          enterNestedFn(node, node.id?.type === 'Identifier' ? node.id.name : null)
         }
       },
       'FunctionDeclaration:exit'(node: any) {
-        const name: string = node.id?.name ?? ''
-        if (/^[A-Z]/.test(name)) {
+        if (isComponentFunctionDecl(node)) {
           componentBodyDepth--
+          dangerousBindings.pop()
+        } else if (componentBodyDepth > 0) {
+          exitNestedFn()
         }
       },
-      // For arrow functions, we use VariableDeclarator to detect component assignment
       VariableDeclarator(node: any) {
-        const name: string = node.id?.name ?? ''
-        if (/^[A-Z]/.test(name) && node.init?.type === 'ArrowFunctionExpression') {
+        if (
+          /^[A-Z]/.test(node.id?.name ?? '') &&
+          (node.init?.type === 'ArrowFunctionExpression' || node.init?.type === 'FunctionExpression')
+        ) {
           componentBodyDepth++
+          dangerousBindings.push(new Set())
+          componentInits.add(node.init)
         }
       },
       'VariableDeclarator:exit'(node: any) {
-        const name: string = node.id?.name ?? ''
-        if (/^[A-Z]/.test(name) && node.init?.type === 'ArrowFunctionExpression') {
+        if (
+          /^[A-Z]/.test(node.id?.name ?? '') &&
+          (node.init?.type === 'ArrowFunctionExpression' || node.init?.type === 'FunctionExpression')
+        ) {
           componentBodyDepth--
+          dangerousBindings.pop()
+        }
+      },
+      ArrowFunctionExpression(node: any) {
+        if (componentInits.has(node)) return
+        if (componentBodyDepth > 0) {
+          // Binding name comes from the parent VariableDeclarator if the
+          // arrow is its init — e.g. `const fn = () => …`. Parent is not
+          // passed by oxc, so we rely on order: `VariableDeclarator` visits
+          // before its init. We patch the binding name in a pre-visitor pass.
+          enterNestedFn(node, bindingAssignmentNames.get(node) ?? null)
+        }
+      },
+      'ArrowFunctionExpression:exit'(node: any) {
+        if (componentInits.has(node)) return
+        if (componentBodyDepth > 0) exitNestedFn()
+      },
+      FunctionExpression(node: any) {
+        if (componentInits.has(node)) return
+        if (componentBodyDepth > 0) {
+          enterNestedFn(node, bindingAssignmentNames.get(node) ?? null)
         }
       },
-      // Track safe callback boundaries: onMount(() => ...), effect(() => ...), etc.
+      'FunctionExpression:exit'(node: any) {
+        if (componentInits.has(node)) return
+        if (componentBodyDepth > 0) exitNestedFn()
+      },
       CallExpression(node: any) {
         if (componentBodyDepth <= 0) return
 
-        // Check if this is a safe wrapper entering
-        if (isSafeWrapperCall(node)) {
-          safeDepth++
+        // Direct `navigate()` / `router.push()` call. At render-body depth
+        // (nestedFnDepth === 0) it's the classic infinite-loop bug. Inside
+        // a nested fn, mark the enclosing frame as dangerous (so a later
+        // sync call of that fn's binding re-surfaces the issue).
+        if (isNavigateCall(node)) {
+          if (nestedFnDepth === 0) {
+            context.report({
+              message:
+                'Imperative navigation at the top level of a component — this runs on every render and causes infinite loops. Move inside `onMount`, `effect`, or an event handler.',
+              span: getSpan(node),
+            })
+          } else if (nestedFnStack.length > 0) {
+            nestedFnStack[nestedFnStack.length - 1]!.containsNavigate = true
+          }
+          return
         }
 
-        // Only report if we're in a component body and NOT inside a safe callback
-        if (safeDepth > 0) return
-
-        if (isCallTo(node, 'navigate') || isMemberCallTo(node, 'router', 'push')) {
+        // Sync invocation (at render-body depth) of a locally-bound fn
+        // whose body contains `navigate()`. `const fn = () => router.push();
+        // fn()` IS the infinite-loop bug — the previous rewrite missed it.
+        if (
+          nestedFnDepth === 0 &&
+          node.callee?.type === 'Identifier' &&
+          dangerousBindings.length > 0 &&
+          dangerousBindings[dangerousBindings.length - 1]!.has(node.callee.name)
+        ) {
           context.report({
             message:
-              'Imperative navigation at the top level of a component — this runs on every render and causes infinite loops. Move inside `onMount`, `effect`, or an event handler.',
+              'Synchronous call of a nested function that performs imperative navigation — this runs during render and causes infinite loops. Move the call inside `onMount`, `effect`, or an event handler.',
             span: getSpan(node),
           })
         }
       },
-      'CallExpression:exit'(node: any) {
-        if (componentBodyDepth <= 0) return
-        if (isSafeWrapperCall(node)) {
-          safeDepth--
+    }
+
+    // Pre-walk: for each `VariableDeclarator` whose init is an ArrowFn or
+    // FunctionExpression, stash the binding name against the init node so
+    // the ArrowFn/FunctionExpression visitor can retrieve it without needing
+    // parent-in-visitor (oxc doesn't pass parent).
+    const bindingAssignmentNames = new WeakMap<any, string>()
+    callbacks.VariableDeclaration = (node: any) => {
+      for (const decl of node.declarations ?? []) {
+        if (
+          decl.id?.type === 'Identifier' &&
+          (decl.init?.type === 'ArrowFunctionExpression' ||
+            decl.init?.type === 'FunctionExpression')
+        ) {
+          bindingAssignmentNames.set(decl.init, decl.id.name)
         }
-      },
+      }
     }
     return callbacks
   },
 }
-
-function isSafeWrapperCall(node: any): boolean {
-  const callee = node.callee
-  if (!callee || callee.type !== 'Identifier') return false
-  const name: string = callee.name
-  return name === 'onMount' || name === 'effect' || name === 'onUnmount'
-}