@pyreon/lint 0.14.0 → 0.15.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pyreon/lint",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "description": "Pyreon-specific linter — 56 rules for signals, JSX, SSR, performance, router, and architecture",
   "homepage": "https://github.com/pyreon/pyreon/tree/main/packages/lint#readme",
   "bugs": {
@@ -17,6 +17,7 @@
   },
   "files": [
     "lib",
+    "!lib/**/*.map",
     "src",
     "schema",
     "README.md",
@@ -52,7 +53,7 @@
   },
   "dependencies": {
     "@oxc-project/types": "^0.123.0",
-    "oxc-parser": "^0.123.0"
+    "oxc-parser": "^0.129.0"
   },
   "devDependencies": {
     "@pyreon/manifest": "0.13.1"

package/src/manifest.ts

@@ -4,12 +4,12 @@ export default defineManifest({
   name: '@pyreon/lint',
   title: 'Pyreon-specific Linter',
   tagline:
-    'Pyreon-specific linter — 59 rules across 12 categories, config files, watch mode, AST cache, CLI + LSP',
+    'Pyreon-specific linter — 62 rules across 12 categories, config files, watch mode, AST cache, CLI + LSP',
   description:
-    'Pyreon-specific lint rules powered by `oxc-parser`. Covers reactivity (10), JSX (11), lifecycle (4), performance (4), SSR (3), architecture (7), store (3), form (3), styling (4), hooks (3), accessibility (3), router (4) — 59 rules total. Programmatic API (`lint`, `lintFile`), CLI (`pyreon-lint`), watch mode (fs.watch + 100ms debounce + AstCache), LSP server, and `.pyreonlintrc.json` config with per-rule options via ESLint-style tuple form. Notable rules: `pyreon/no-process-dev-gate` (auto-fixable; replaces dead-in-browser `typeof process` gates with `import.meta.env?.DEV`), `pyreon/require-browser-smoke-test` (locks in T1.1 browser-test durability).',
+    'Pyreon-specific lint rules powered by `oxc-parser`. Covers reactivity (12), JSX (11), lifecycle (5), performance (4), SSR (3), architecture (7), store (3), form (3), styling (4), hooks (3), accessibility (3), router (4) — 62 rules total. Programmatic API (`lint`, `lintFile`), CLI (`pyreon-lint`), watch mode (fs.watch + 100ms debounce + AstCache), LSP server, and `.pyreonlintrc.json` config with per-rule options via ESLint-style tuple form. Notable rules: `pyreon/no-process-dev-gate` (auto-fixable; replaces dead-in-browser `typeof process` gates with `import.meta.env?.DEV`), `pyreon/require-browser-smoke-test` (locks in T1.1 browser-test durability).',
   category: 'server',
   features: [
-    '59 rules across 12 categories',
+    '62 rules across 12 categories',
     'lint(options) programmatic API + lintFile() low-level entry',
     'CLI: pyreon-lint with --preset / --fix / --watch / --format / --rule-options',
     '4 presets: recommended, strict, app, lib',
@@ -43,7 +43,7 @@ const fileResult = lintFile('app.tsx', source, allRules, config, cache)
 //   pyreon-lint --preset strict --quiet                    # CI mode
 //   pyreon-lint --fix                                      # auto-fix
 //   pyreon-lint --watch src/                               # watch mode
-//   pyreon-lint --list                                     # list all 59 rules
+//   pyreon-lint --list                                     # list all 62 rules
 //   pyreon-lint --rule-options 'pyreon/no-window-in-ssr={"exemptPaths":["src/foundation/"]}' src/`,
   api: [
     {
@@ -51,7 +51,7 @@ const fileResult = lintFile('app.tsx', source, allRules, config, cache)
       kind: 'function',
       signature: 'lint(options?: LintOptions): LintResult',
       summary:
-        '59 rules across 12 categories. Auto-loads `.pyreonlintrc.json`. Presets: `recommended`, `strict`, `app`, `lib`. Per-rule options via tuple form in config (`["error", { exemptPaths: [...] }]`) or `ruleOptionsOverrides`. Wrong-typed options surface on `result.configDiagnostics`. Uses `oxc-parser` with AST caching.',
+        '62 rules across 12 categories. Auto-loads `.pyreonlintrc.json`. Presets: `recommended`, `strict`, `app`, `lib`. Per-rule options via tuple form in config (`["error", { exemptPaths: [...] }]`) or `ruleOptionsOverrides`. Wrong-typed options surface on `result.configDiagnostics`. Uses `oxc-parser` with AST caching.',
       example: `import { lint } from "@pyreon/lint"
 
 const result = lint({ paths: ["src/"], preset: "recommended" })
@@ -94,7 +94,7 @@ const result = lintFile("app.tsx", source, allRules, config, cache, configSink)`
       example: `pyreon-lint --preset strict --quiet    # CI mode
 pyreon-lint --fix                       # auto-fix
 pyreon-lint --watch src/                # watch mode
-pyreon-lint --list                      # list all 59 rules
+pyreon-lint --list                      # list all 62 rules
 pyreon-lint --format json               # machine-readable
 pyreon-lint --rule-options 'pyreon/no-window-in-ssr={"exemptPaths":["src/foundation/"]}' src/`,
       seeAlso: ['lint'],

package/src/rules/architecture/dev-guard-warnings.ts

@@ -90,11 +90,55 @@ export const devGuardWarnings: Rule = {
       return false
     }
 
+    // `process.env.NODE_ENV` access — also matches optional-chaining shapes
+    // (`process?.env?.NODE_ENV`). Returns true when the node is the
+    // `process.env.NODE_ENV` member access itself.
+    function isProcessEnvNodeEnv(node: any): boolean {
+      let n = node
+      if (n?.type === 'ChainExpression') n = n.expression
+      if (n?.type !== 'MemberExpression') return false
+      if (n.property?.type !== 'Identifier' || n.property.name !== 'NODE_ENV') return false
+      let envObj = n.object
+      if (envObj?.type === 'ChainExpression') envObj = envObj.expression
+      if (envObj?.type !== 'MemberExpression') return false
+      if (envObj.property?.type !== 'Identifier' || envObj.property.name !== 'env') return false
+      const procObj = envObj.object
+      return procObj?.type === 'Identifier' && procObj.name === 'process'
+    }
+
+    // Match a development-mode check: `process.env.NODE_ENV !== 'production'`
+    // (and `!=` variant). The bundler-agnostic library convention for dev
+    // gates — every modern bundler auto-replaces `process.env.NODE_ENV`.
+    function isDevelopmentCheck(node: any): boolean {
+      if (node?.type !== 'BinaryExpression') return false
+      if (node.operator !== '!==' && node.operator !== '!=') return false
+      const matches = (a: any, b: any) =>
+        isProcessEnvNodeEnv(a) &&
+        (b?.type === 'Literal' || b?.type === 'StringLiteral') &&
+        b.value === 'production'
+      return matches(node.left, node.right) || matches(node.right, node.left)
+    }
+
+    // Match a production-mode check: `process.env.NODE_ENV === 'production'`.
+    // Used as the early-return guard form: `if (process.env.NODE_ENV === 'production') return`.
+    function isProductionCheck(node: any): boolean {
+      if (node?.type !== 'BinaryExpression') return false
+      if (node.operator !== '===' && node.operator !== '==') return false
+      const matches = (a: any, b: any) =>
+        isProcessEnvNodeEnv(a) &&
+        (b?.type === 'Literal' || b?.type === 'StringLiteral') &&
+        b.value === 'production'
+      return matches(node.left, node.right) || matches(node.right, node.left)
+    }
+
     // Match `<flag>`, `<flag> && X`, `X && <flag>`, `<flag> === true`, etc.
     // `&&` only — `||` doesn't guarantee dev-only execution.
+    // Also accepts the bundler-agnostic `process.env.NODE_ENV !== 'production'`
+    // dev check directly.
     function containsDevGuard(test: any): boolean {
       if (!test) return false
       if (isDevFlag(test)) return true
+      if (isDevelopmentCheck(test)) return true
       if (test.type === 'LogicalExpression' && test.operator === '&&') {
         return containsDevGuard(test.left) || containsDevGuard(test.right)
       }
@@ -109,18 +153,24 @@ export const devGuardWarnings: Rule = {
     }
 
     // Detects an early-return DEV guard at the head of a function body:
-    //   `if (!__DEV__) return`  /  `if (!import.meta.env.DEV) return`
+    //   `if (!__DEV__) return`                                  (legacy)
+    //   `if (!import.meta.env.DEV) return`                       (Vite-tied — also legacy)
+    //   `if (process.env.NODE_ENV === 'production') return`     (current bundler-agnostic standard)
     // Everything after this in the function is implicitly dev-only.
     function isEarlyReturnDevGuard(node: any): boolean {
       if (!node || node.type !== 'IfStatement') return false
       const t = node.test
+      const c = node.consequent
+      const isReturn =
+        c?.type === 'ReturnStatement' ||
+        (c?.type === 'BlockStatement' && c.body.length === 1 && c.body[0]?.type === 'ReturnStatement')
+      if (!isReturn) return false
+      // Bundler-agnostic: `if (process.env.NODE_ENV === 'production') return`
+      if (isProductionCheck(t)) return true
+      // Legacy: `if (!isDev) return`
       const arg = t?.type === 'UnaryExpression' && t.operator === '!' ? t.argument : null
       if (!arg) return false
-      if (!isDevFlag(arg)) return false
-      const c = node.consequent
-      if (c?.type === 'ReturnStatement') return true
-      if (c?.type === 'BlockStatement' && c.body.length === 1 && c.body[0]?.type === 'ReturnStatement') return true
-      return false
+      return isDevFlag(arg)
     }
 
     let devGuardDepth = 0

package/src/rules/architecture/no-process-dev-gate.ts

@@ -4,40 +4,48 @@ import { isPathExempt } from '../../utils/exempt-paths'
 import { isTestFile } from '../../utils/file-roles'
 
 /**
- * `pyreon/no-process-dev-gate` — flag the broken `typeof process` dev-mode gate
- * pattern that is dead code in real Vite browser bundles.
+ * `pyreon/no-process-dev-gate` — flag bundler-coupled dev-gate patterns
+ * that are dead code or unsupported in some bundlers Pyreon ships to.
  *
- * The pattern this rule catches:
+ * Pyreon publishes libraries to npm. Consumers compile those libraries
+ * with whatever bundler they use — Vite, Webpack (Next.js), Rolldown,
+ * esbuild, Rollup, Parcel, Bun. The framework should not ship dev gates
+ * that only fire in one bundler.
  *
- * ```ts
- * const __DEV__ = typeof process !== 'undefined' && process.env.NODE_ENV !== 'production'
- * ```
+ * **Two broken patterns this rule catches:**
+ *
+ * 1. `typeof process !== 'undefined' && process.env.NODE_ENV !== 'production'`
+ *    The `typeof process` guard isn't replaced by Vite, evaluates to
+ *    `false` in the browser, and the whole expression is dead. Wrapped
+ *    dev warnings never fire for users running Vite browser builds.
  *
- * This works in vitest (Node, `process` is defined) but is **silently dead
- * code in real Vite browser bundles** because Vite does not polyfill
- * `process` for the client. Every dev warning gated on this constant never
- * fires for real users in dev mode.
+ * 2. `import.meta.env.DEV` (and the `(import.meta as ViteMeta).env?.DEV`
+ *    cast variant). Vite/Rolldown literal-replace this at build time, but
+ *    Webpack/esbuild/Rollup/Parcel/Bun/Node-direct don't. In a Pyreon
+ *    library shipped to a Next.js (Webpack) app, dev warnings never fire
+ *    — even in development. PR #200 introduced this pattern as the
+ *    "correct" replacement for the typeof-process compound; that
+ *    direction was wrong for library code.
  *
- * The fix is to use `import.meta.env.DEV`, which Vite/Rolldown literal-replace
- * at build time:
+ * **The bundler-agnostic standard** (used by React, Vue, Preact, Solid,
+ * MobX, Redux):
  *
  * ```ts
- * // No const needed — read directly at the use site so the bundler can fold:
- * if (!import.meta.env?.DEV) return
+ * if (process.env.NODE_ENV !== 'production') console.warn('...')
  * ```
  *
- * Vitest sets `import.meta.env.DEV === true` automatically (because it is
- * Vite-based), so existing tests continue to pass.
+ * Every modern bundler auto-replaces `process.env.NODE_ENV` at consumer
+ * build time. No `typeof process` guard needed — bundlers replace the
+ * literal regardless of whether `process` is otherwise defined.
  *
  * Reference implementation: `packages/fundamentals/flow/src/layout.ts:warnIgnoredOptions`.
  *
- * **Auto-fix**: replaces the assignment with `import.meta.env?.DEV === true`.
- * Does NOT delete the const declaration — that has to happen by hand because
- * the variable name and downstream usages may need updating in callers.
+ * **Auto-fix**: replaces the broken expression with
+ * `process.env.NODE_ENV !== 'production'`.
  *
- * **Server-only exemption**: projects configure `exemptPaths` per-file for
- * server-only code (Node environments where `process` is always defined and
- * the pattern is correct). Configure in `.pyreonlintrc.json`:
+ * **Server-only exemption**: projects configure `exemptPaths` per-file
+ * for server-only code (Node environments where the typeof-process
+ * compound is harmless). Configure in `.pyreonlintrc.json`:
  *
  *     {
  *       "rules": {
@@ -54,54 +62,49 @@ export const noProcessDevGate: Rule = {
     id: 'pyreon/no-process-dev-gate',
     category: 'architecture',
     description:
-      'Forbid `typeof process !== "undefined" && process.env.NODE_ENV !== "production"` as a dev-mode gate. Use `import.meta.env.DEV` instead — `typeof process` is dead code in real Vite browser bundles because Vite does not polyfill `process` for the client.',
+      'Forbid bundler-coupled dev gates: `typeof process !== "undefined" && process.env.NODE_ENV !== "production"` is dead in Vite browser bundles, and `import.meta.env.DEV` is Vite/Rolldown-only (dead in Webpack/Next.js, esbuild, Rollup, Parcel, Bun). Use bundler-agnostic `process.env.NODE_ENV !== "production"` — every modern bundler auto-replaces it at consumer build time.',
     severity: 'error',
     fixable: true,
   },
   create(context) {
-    // Skip test files — vitest has `process`, the gate works there, and
-    // tests are not shipped to users. Universal, not a heuristic.
+    // Skip test files — vitest has both `process` and Vite's `import.meta.env`,
+    // both broken patterns work there, and tests aren't shipped to users.
     if (isTestFile(context.getFilePath())) return {}
 
     // Configurable `exemptPaths` option for server-only directories.
     if (isPathExempt(context)) return {}
 
+    const REPLACEMENT = `process.env.NODE_ENV !== 'production'`
+
     /**
-     * Match the broken pattern at the AST level. We're looking for any
-     * `LogicalExpression` whose two sides are:
-     *
-     *   1. `typeof process !== 'undefined'` (a UnaryExpression on the LHS
-     *      of a BinaryExpression with operator `!==`)
-     *   2. `process.env.NODE_ENV !== 'production'` (a MemberExpression on
-     *      the LHS of a BinaryExpression with operator `!==`)
-     *
-     * The order can be either way (process check first or NODE_ENV check
-     * first), and the operator can be `&&` or `||` (we only flag `&&`
-     * because `||` doesn't make sense as a dev gate).
+     * Pattern 1: `typeof process !== 'undefined'`
      */
     function isTypeofProcessCheck(node: any): boolean {
-      // typeof process !== 'undefined'
       if (node?.type !== 'BinaryExpression') return false
       if (node.operator !== '!==' && node.operator !== '!=') return false
       const left = node.left
       const right = node.right
       if (left?.type !== 'UnaryExpression' || left.operator !== 'typeof') return false
       if (left.argument?.type !== 'Identifier' || left.argument.name !== 'process') return false
-      if (
+      return (
         (right?.type === 'Literal' || right?.type === 'StringLiteral') &&
         right.value === 'undefined'
-      ) {
-        return true
-      }
-      return false
+      )
     }
 
+    /**
+     * Pattern 1: `process.env.NODE_ENV !== 'production'` — also matches
+     * optional-chaining variants (`process?.env?.NODE_ENV`,
+     * `process.env?.NODE_ENV`). ESTree wraps optional access in a
+     * `ChainExpression` whose `.expression` is the underlying
+     * `MemberExpression` chain.
+     */
     function isNodeEnvCheck(node: any): boolean {
-      // process.env.NODE_ENV !== 'production'
       if (node?.type !== 'BinaryExpression') return false
       if (node.operator !== '!==' && node.operator !== '!=') return false
-      const left = node.left
+      let left = node.left
       const right = node.right
+      if (left?.type === 'ChainExpression') left = left.expression
       if (left?.type !== 'MemberExpression') return false
       if (left.object?.type !== 'MemberExpression') return false
       if (left.object.object?.type !== 'Identifier' || left.object.object.name !== 'process') {
@@ -111,42 +114,118 @@ export const noProcessDevGate: Rule = {
         return false
       }
       if (left.property?.type !== 'Identifier' || left.property.name !== 'NODE_ENV') return false
-      if (
+      return (
         (right?.type === 'Literal' || right?.type === 'StringLiteral') &&
         right.value === 'production'
-      ) {
-        return true
-      }
-      return false
+      )
     }
 
-    function isBrokenDevGate(node: any): boolean {
+    /**
+     * Match the typeof-process compound: a `LogicalExpression` whose
+     * sides are a typeof-process check + a NODE_ENV check, in either
+     * order, joined with `&&`.
+     */
+    function isTypeofCompound(node: any): boolean {
       if (node?.type !== 'LogicalExpression') return false
       if (node.operator !== '&&') return false
-      // Order can be (typeof process) && (NODE_ENV) OR vice versa
       return (
         (isTypeofProcessCheck(node.left) && isNodeEnvCheck(node.right)) ||
         (isNodeEnvCheck(node.left) && isTypeofProcessCheck(node.right))
       )
     }
 
+    /**
+     * Strip layers an `import.meta.env.DEV` access can hide behind:
+     * - `ChainExpression` (optional chaining)
+     * - `TSAsExpression` / `TSTypeAssertion` (`(import.meta as ViteMeta)`)
+     * - `ParenthesizedExpression` (just parens)
+     */
+    function unwrap(node: any): any {
+      let n = node
+      while (n) {
+        if (n.type === 'ChainExpression') n = n.expression
+        else if (n.type === 'TSAsExpression' || n.type === 'TSTypeAssertion') n = n.expression
+        else if (n.type === 'ParenthesizedExpression') n = n.expression
+        else break
+      }
+      return n
+    }
+
+    function isImportMeta(node: any): boolean {
+      const n = unwrap(node)
+      if (n?.type !== 'MetaProperty') return false
+      const meta = n.meta
+      const prop = n.property
+      return (
+        meta?.type === 'Identifier' &&
+        meta.name === 'import' &&
+        prop?.type === 'Identifier' &&
+        prop.name === 'meta'
+      )
+    }
+
+    /**
+     * Pattern 2: `import.meta.env.DEV` access (any optional/cast variant).
+     * Returns the outermost expression node so the autofix replaces the
+     * full `import.meta.env.DEV` access (not just the `.DEV` property).
+     */
+    function isImportMetaEnvDev(node: any): boolean {
+      const outer = unwrap(node)
+      if (outer?.type !== 'MemberExpression') return false
+      if (outer.property?.type !== 'Identifier' || outer.property.name !== 'DEV') return false
+      // outer.object should resolve to `import.meta.env` (an inner MemberExpression
+      // whose object is `import.meta` and property is `env`).
+      const envAccess = unwrap(outer.object)
+      if (envAccess?.type !== 'MemberExpression') return false
+      if (envAccess.property?.type !== 'Identifier' || envAccess.property.name !== 'env') {
+        return false
+      }
+      return isImportMeta(envAccess.object)
+    }
+
+    // Track ChainExpression-wrapped MemberExpressions so the inner visitor
+    // doesn't double-flag the same access.
+    const handledNodes = new WeakSet<object>()
+
     const callbacks: VisitorCallbacks = {
       LogicalExpression(node: any) {
-        if (!isBrokenDevGate(node)) return
-
+        if (!isTypeofCompound(node)) return
+        const span = getSpan(node)
+        context.report({
+          message:
+            '`typeof process !== "undefined" && process.env.NODE_ENV !== "production"` is dead code in real Vite browser bundles — Vite does not polyfill `process`, so the guard is `false` and any wrapped dev warnings never fire. Use the bundler-agnostic `process.env.NODE_ENV !== "production"` (no typeof guard) — every modern bundler replaces it at consumer build time. Reference: `packages/fundamentals/flow/src/layout.ts`.',
+          span,
+          fix: { span, replacement: REPLACEMENT },
+        })
+      },
+      ChainExpression(node: any) {
+        // Catch `import.meta.env?.DEV` shapes wrapped in ChainExpression at
+        // the outermost layer (e.g. when the optional `?.` is on the
+        // outermost `.DEV` access). The inner MemberExpression is then
+        // marked handled so the MemberExpression visitor skips it.
+        if (!isImportMetaEnvDev(node)) return
+        const inner = unwrap(node)
+        if (inner) handledNodes.add(inner)
+        const span = getSpan(node)
+        context.report({
+          message:
+            '`import.meta.env.DEV` is Vite/Rolldown-specific. In a Pyreon library shipped to consumers using Webpack (Next.js), esbuild, Rollup, Parcel, or Bun, `import.meta.env.DEV` is undefined and dev warnings never fire — even in development. Use bundler-agnostic `process.env.NODE_ENV !== "production"` instead. Reference: `packages/fundamentals/flow/src/layout.ts`.',
+          span,
+          fix: { span, replacement: REPLACEMENT },
+        })
+      },
+      MemberExpression(node: any) {
+        if (handledNodes.has(node)) return
+        if (!isImportMetaEnvDev(node)) return
+        // Only flag the OUTERMOST `.DEV` access — the visitor will also
+        // hit the inner `.env` MemberExpression, which we want to skip.
+        if (node.property?.name !== 'DEV') return
         const span = getSpan(node)
-        // Auto-fix: replace the entire `typeof process ... && process.env.NODE_ENV ...`
-        // expression with `import.meta.env?.DEV === true`. We use optional
-        // chaining + strict equality so the expression is `false` (not
-        // `undefined`) when `import.meta.env` is missing — preserving the
-        // boolean shape callers expect.
-        const replacement = 'import.meta.env?.DEV === true'
-
         context.report({
           message:
-            '`typeof process !== "undefined" && process.env.NODE_ENV !== "production"` is dead code in real Vite browser bundles — Vite does not polyfill `process`, so this guard is `false` and any wrapped dev warnings never fire for real users. Use `import.meta.env.DEV` instead, which Vite literal-replaces at build time and tree-shakes correctly in prod. Reference implementation: `packages/fundamentals/flow/src/layout.ts:warnIgnoredOptions`.',
+            '`import.meta.env.DEV` is Vite/Rolldown-specific. In a Pyreon library shipped to consumers using Webpack (Next.js), esbuild, Rollup, Parcel, or Bun, `import.meta.env.DEV` is undefined and dev warnings never fire — even in development. Use bundler-agnostic `process.env.NODE_ENV !== "production"` instead. Reference: `packages/fundamentals/flow/src/layout.ts`.',
           span,
-          fix: { span, replacement },
+          fix: { span, replacement: REPLACEMENT },
         })
       },
     }

package/src/rules/index.ts

@@ -33,6 +33,7 @@ import { noTernaryConditional } from './jsx/no-ternary-conditional'
 import { useByNotKey } from './jsx/use-by-not-key'
 import { noDomInSetup } from './lifecycle/no-dom-in-setup'
 import { noEffectInMount } from './lifecycle/no-effect-in-mount'
+import { noImperativeEffectOnCreate } from './lifecycle/no-imperative-effect-on-create'
 // Lifecycle
 import { noMissingCleanup } from './lifecycle/no-missing-cleanup'
 import { noMountInEffect } from './lifecycle/no-mount-in-effect'
@@ -42,11 +43,13 @@ import { noEffectInFor } from './performance/no-effect-in-for'
 import { noLargeForWithoutBy } from './performance/no-large-for-without-by'
 import { preferShowOverDisplay } from './performance/prefer-show-over-display'
 // Reactivity
+import { noAsyncEffect } from './reactivity/no-async-effect'
 import { noBareSignalInJsx } from './reactivity/no-bare-signal-in-jsx'
 import { noContextDestructure } from './reactivity/no-context-destructure'
 import { noEffectAssignment } from './reactivity/no-effect-assignment'
 import { noNestedEffect } from './reactivity/no-nested-effect'
 import { noPeekInTracked } from './reactivity/no-peek-in-tracked'
+import { noSignalCallWrite } from './reactivity/no-signal-call-write'
 import { noSignalInLoop } from './reactivity/no-signal-in-loop'
 import { noSignalInProps } from './reactivity/no-signal-in-props'
 import { noSignalLeak } from './reactivity/no-signal-leak'
@@ -72,7 +75,8 @@ import { noThemeOutsideProvider } from './styling/no-theme-outside-provider'
 import { preferCx } from './styling/prefer-cx'
 
 export const allRules: Rule[] = [
-  // Reactivity (10)
+  // Reactivity (12)
+  noAsyncEffect,
   noBareSignalInJsx,
   noContextDestructure,
   noSignalInLoop,
@@ -83,6 +87,7 @@ export const allRules: Rule[] = [
   preferComputed,
   noEffectAssignment,
   noSignalLeak,
+  noSignalCallWrite,
   // JSX (11)
   noMapInJsx,
   useByNotKey,
@@ -95,11 +100,12 @@ export const allRules: Rule[] = [
   noMissingForBy,
   noPropsDestructure,
   noChildrenAccess,
-  // Lifecycle (4)
+  // Lifecycle (5)
   noMissingCleanup,
   noMountInEffect,
   noEffectInMount,
   noDomInSetup,
+  noImperativeEffectOnCreate,
   // Performance (4)
   noLargeForWithoutBy,
   noEffectInFor,
@@ -151,6 +157,7 @@ export {
   dialogA11y,
   noAndConditional,
   // Reactivity
+  noAsyncEffect,
   noBareSignalInJsx,
   noContextDestructure,
   noChildrenAccess,
@@ -169,6 +176,7 @@ export {
   noErrorWithoutPrefix,
   noHrefNavigation,
   noHtmlFor,
+  noImperativeEffectOnCreate,
   noImperativeNavigateInRender,
   noIndexAsBy,
   // Styling
@@ -189,6 +197,7 @@ export {
   noPeekInTracked,
   noProcessDevGate,
   noPropsDestructure,
+  noSignalCallWrite,
   requireBrowserSmokeTest,
   // Hooks
   noRawAddEventListener,

package/src/rules/jsx/no-props-destructure.ts

@@ -1,5 +1,6 @@
 import type { Rule, VisitorCallbacks } from '../../types'
 import { getSpan, isDestructuring } from '../../utils/ast'
+import { isPathExempt } from '../../utils/exempt-paths'
 
 function containsJSXReturn(node: any): boolean {
   if (!node) return false
@@ -31,6 +32,40 @@ function getDestructuredNames(pattern: any): string[] {
   return names
 }
 
+/**
+ * Names of HOC / factory call expressions whose first-argument render
+ * function takes Pyreon component props. Destructuring inside these IS
+ * a real reactivity bug — same as destructuring at the component
+ * signature directly. Do NOT add this exemption for these.
+ *
+ * The `callArgFns` exemption is intentionally narrow: it only fires for
+ * generic call arguments where the parent call is NOT one of these
+ * known component-shaped factories.
+ */
+const COMPONENT_FACTORY_NAMES = new Set([
+  'createComponent',
+  'defineComponent',
+  'lazy',
+  'memo',
+  'observer',
+  'forwardRef',
+  'rocketstyle',
+  'styled',
+  'attrs',
+  'kinetic',
+])
+
+function isComponentFactoryCall(call: any): boolean {
+  if (!call || call.type !== 'CallExpression') return false
+  const callee = call.callee
+  if (!callee) return false
+  if (callee.type === 'Identifier' && COMPONENT_FACTORY_NAMES.has(callee.name)) return true
+  // `styled.div\`...\`` template tag falls back to a CallExpression on
+  // styled members in some compilers — be conservative and don't try to
+  // detect template literal forms here.
+  return false
+}
+
 export const noPropsDestructure: Rule = {
   meta: {
     id: 'pyreon/no-props-destructure',
@@ -39,13 +74,18 @@ export const noPropsDestructure: Rule = {
       'Disallow destructuring props in component functions — breaks reactive prop tracking. Use props.x or splitProps().',
     severity: 'error',
     fixable: false,
+    schema: { exemptPaths: 'string[]' },
   },
   create(context) {
+    if (isPathExempt(context)) return {}
+
     let functionDepth = 0
     // oxc visitor doesn't pass `parent` to callbacks — previous
     // `parent?.type === 'CallExpression'` check was silently inert. Pre-mark
     // function nodes that appear as CallExpression arguments on the way in.
-    const callArgFns = new WeakSet<any>()
+    // Track BOTH the function and its parent call so we can later refuse
+    // the exemption when the parent is a known component factory.
+    const callArgFns = new WeakMap<any, any>()
 
     const callbacks: VisitorCallbacks = {
       CallExpression(node: any) {
@@ -55,7 +95,7 @@ export const noPropsDestructure: Rule = {
             arg?.type === 'FunctionExpression' ||
             arg?.type === 'FunctionDeclaration'
           ) {
-            callArgFns.add(arg)
+            callArgFns.set(arg, node)
           }
         }
       },
@@ -85,19 +125,29 @@ export const noPropsDestructure: Rule = {
   },
 }
 
-function checkFunction(node: any, context: any, depth: number, callArgFns: WeakSet<any>) {
+function checkFunction(node: any, context: any, depth: number, callArgFns: WeakMap<any, any>) {
   const params = node.params
   if (!params || params.length === 0) return
 
   const firstParam = params[0]
   if (!isDestructuring(firstParam)) return
 
-  // Skip HOC inner functions (depth > 1)
+  // Skip nested functions (depth > 1). This protects render-prop
+  // callbacks whose first param is NOT a Pyreon component prop bag —
+  // e.g. `<For>{(item) => <li>{item}</li>}</For>` passes raw array
+  // items, so destructuring is a non-issue there. The tradeoff is that
+  // genuinely-nested component declarations slip past this rule;
+  // they're rare enough in practice that the false-negative is
+  // acceptable.
   if (depth > 1) return
 
-  // Skip functions passed as arguments to HOC factories
-  // e.g. createLink(({ href, ...rest }) => <a {...rest} />)
-  if (callArgFns.has(node)) return
+  // Skip functions passed as call arguments (HOC / render-prop
+  // pattern), UNLESS the parent call is a known component factory.
+  // Component factories receive Pyreon props via the inner function,
+  // so destructuring there breaks reactivity exactly like it does at
+  // the component signature.
+  const parentCall = callArgFns.get(node)
+  if (parentCall && !isComponentFactoryCall(parentCall)) return
 
   const body = node.body
   if (!body) return