npm - lemmaly - Versions diffs - 0.1.0 - Mend

lemmaly 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/LICENSE +201 -0
package/README.md +238 -0
package/cli/gen-agents-md.js +60 -0
package/cli/gen-rule-docs.js +885 -0
package/cli/lemmaly.js +162 -0
package/commands/benchmark.md +40 -0
package/commands/budget.md +53 -0
package/commands/complexity.md +26 -0
package/commands/cut.md +27 -0
package/commands/hotpath.md +22 -0
package/commands/invariant.md +22 -0
package/commands/n-plus-one.md +20 -0
package/commands/profile.md +34 -0
package/commands/regress.md +43 -0
package/commands/scale-check.md +37 -0
package/commands/ship-check.md +26 -0
package/package.json +48 -0
package/rules/cpp.json +46 -0
package/rules/csharp.json +38 -0
package/rules/go.json +46 -0
package/rules/java.json +38 -0
package/rules/javascript.json +102 -0
package/rules/php.json +38 -0
package/rules/python.json +62 -0
package/rules/ruby.json +38 -0
package/rules/rust.json +38 -0
package/rules/shell.json +38 -0
package/rules/sql.json +54 -0
package/skills/complexity-cuts/SKILL.md +259 -0
package/skills/invariant-guard/SKILL.md +310 -0
package/skills/lemmaly/AGENTS.md +1869 -0
package/skills/lemmaly/SKILL.md +365 -0
package/skills/lemmaly/references/async.md +135 -0
package/skills/lemmaly/references/complexity.md +66 -0
package/skills/lemmaly/references/hot-paths.md +87 -0
package/skills/lemmaly/references/memory.md +118 -0
package/skills/lemmaly/references/n-plus-one.md +139 -0
package/skills/lemmaly/rules/cpp-map-double-lookup.md +38 -0
package/skills/lemmaly/rules/cpp-range-loop-copy.md +33 -0
package/skills/lemmaly/rules/cpp-raw-new.md +36 -0
package/skills/lemmaly/rules/cpp-string-concat-in-loop.md +45 -0
package/skills/lemmaly/rules/cpp-vector-push-no-reserve.md +40 -0
package/skills/lemmaly/rules/cs-async-void.md +45 -0
package/skills/lemmaly/rules/cs-disposable-no-using.md +32 -0
package/skills/lemmaly/rules/cs-list-contains-in-loop.md +36 -0
package/skills/lemmaly/rules/cs-string-concat-in-loop.md +42 -0
package/skills/lemmaly/rules/go-defer-in-loop.md +39 -0
package/skills/lemmaly/rules/go-err-not-checked.md +38 -0
package/skills/lemmaly/rules/go-loop-var-capture.md +47 -0
package/skills/lemmaly/rules/go-slice-append-no-cap.md +39 -0
package/skills/lemmaly/rules/go-string-concat-in-loop.md +44 -0
package/skills/lemmaly/rules/java-arraylist-remove-in-for-i.md +44 -0
package/skills/lemmaly/rules/java-bare-catch-exception.md +42 -0
package/skills/lemmaly/rules/java-list-contains-in-loop.md +40 -0
package/skills/lemmaly/rules/java-string-concat-in-loop.md +42 -0
package/skills/lemmaly/rules/js-anonymous-handler-jsx.md +31 -0
package/skills/lemmaly/rules/js-array-key-index.md +29 -0
package/skills/lemmaly/rules/js-async-in-foreach.md +43 -0
package/skills/lemmaly/rules/js-await-in-for-loop.md +41 -0
package/skills/lemmaly/rules/js-deep-clone-via-json.md +33 -0
package/skills/lemmaly/rules/js-helper-call-in-iterator.md +41 -0
package/skills/lemmaly/rules/js-includes-in-iterator.md +37 -0
package/skills/lemmaly/rules/js-inline-object-jsx-prop.md +35 -0
package/skills/lemmaly/rules/js-nested-for-loops.md +45 -0
package/skills/lemmaly/rules/js-spread-in-reduce.md +38 -0
package/skills/lemmaly/rules/js-unique-via-indexof.md +35 -0
package/skills/lemmaly/rules/js-useeffect-missing-deps.md +33 -0
package/skills/lemmaly/rules/php-count-in-for-condition.md +45 -0
package/skills/lemmaly/rules/php-in-array-in-loop.md +42 -0
package/skills/lemmaly/rules/php-loose-equality.md +35 -0
package/skills/lemmaly/rules/php-query-in-loop.md +47 -0
package/skills/lemmaly/rules/py-bare-except.md +39 -0
package/skills/lemmaly/rules/py-django-loop-without-eager.md +42 -0
package/skills/lemmaly/rules/py-in-list-literal.md +37 -0
package/skills/lemmaly/rules/py-mutable-default-arg.md +39 -0
package/skills/lemmaly/rules/py-open-without-with.md +33 -0
package/skills/lemmaly/rules/py-range-len.md +35 -0
package/skills/lemmaly/rules/py-string-concat-in-loop.md +43 -0
package/skills/lemmaly/rules/rb-bare-rescue.md +41 -0
package/skills/lemmaly/rules/rb-include-in-iterator.md +37 -0
package/skills/lemmaly/rules/rb-n-plus-one-activerecord.md +39 -0
package/skills/lemmaly/rules/rb-string-concat-in-loop.md +39 -0
package/skills/lemmaly/rules/rs-clone-in-loop.md +38 -0
package/skills/lemmaly/rules/rs-string-push-no-capacity.md +43 -0
package/skills/lemmaly/rules/rs-unwrap-in-prod.md +36 -0
package/skills/lemmaly/rules/rs-vec-push-no-capacity.md +42 -0
package/skills/lemmaly/rules/sh-for-ls.md +41 -0
package/skills/lemmaly/rules/sh-set-e-no-pipefail.md +37 -0
package/skills/lemmaly/rules/sh-unquoted-var.md +35 -0
package/skills/lemmaly/rules/sh-useless-cat-pipe.md +32 -0
package/skills/lemmaly/rules/sql-leading-wildcard-like.md +34 -0
package/skills/lemmaly/rules/sql-not-in-subquery.md +38 -0
package/skills/lemmaly/rules/sql-or-in-where.md +35 -0
package/skills/lemmaly/rules/sql-select-no-limit.md +37 -0
package/skills/lemmaly/rules/sql-select-star.md +29 -0
package/skills/lemmaly/rules/sql-update-no-where.md +35 -0
package/skills/mathguard/SKILL.md +277 -0

package/rules/go.json ADDED Viewed

@@ -0,0 +1,46 @@
+{
+  "language": "go",
+  "extensions": [".go"],
+  "rules": [
+    {
+      "id": "go-loop-var-capture",
+      "severity": "error",
+      "title": "Loop variable captured by goroutine — pre-1.22 races on the last value",
+      "pattern": "for\\s+[\\w,\\s]+:?=\\s*range\\s+\\w+\\s*\\{[\\s\\S]{0,200}?go\\s+func\\s*\\(\\s*\\)\\s*\\{",
+      "flags": "g",
+      "fix": "Pin the variable inside the loop: `i := i` before `go func() { use(i) }()`, or pass as argument: `go func(i int) { ... }(i)`. (Fixed automatically in Go 1.22+.)"
+    },
+    {
+      "id": "go-string-concat-in-loop",
+      "severity": "warning",
+      "title": "string += inside loop — O(n^2); use strings.Builder",
+      "pattern": "for\\s+[^{]*\\{[\\s\\S]{0,300}?\\b\\w+\\s*\\+=\\s*[\"'\\w]",
+      "flags": "g",
+      "fix": "Use strings.Builder: `var sb strings.Builder; for ... { sb.WriteString(x) }; sb.String()`."
+    },
+    {
+      "id": "go-defer-in-loop",
+      "severity": "warning",
+      "title": "defer inside loop — defers accumulate until function returns",
+      "pattern": "for\\s+[^{]*\\{[\\s\\S]{0,300}?\\bdefer\\s",
+      "flags": "g",
+      "fix": "Wrap the body in a function so each iteration's defer fires at iteration end, or close resources explicitly."
+    },
+    {
+      "id": "go-err-not-checked",
+      "severity": "warning",
+      "title": "Error return value discarded — silent failures",
+      "pattern": "^\\s*\\w+\\s*,\\s*_\\s*:?=\\s*\\w+\\.[A-Za-z]\\w*\\s*\\(",
+      "flags": "gm",
+      "fix": "Handle the error or comment why it is safe to ignore (`_ = err // <reason>`)."
+    },
+    {
+      "id": "go-slice-append-no-cap",
+      "severity": "info",
+      "title": "append in loop without preallocated capacity — repeated reallocation",
+      "pattern": "var\\s+\\w+\\s+\\[\\]\\w+\\s*\\n[\\s\\S]{0,200}?for\\s+[^{]*\\{[\\s\\S]{0,200}?\\w+\\s*=\\s*append\\s*\\(\\s*\\w+\\s*,",
+      "flags": "g",
+      "fix": "Preallocate: `out := make([]T, 0, len(in))` then `append`."
+    }
+  ]
+}

package/rules/java.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "language": "java",
+  "extensions": [".java"],
+  "rules": [
+    {
+      "id": "java-string-concat-in-loop",
+      "severity": "warning",
+      "title": "String += inside loop — O(n^2) on immutable String",
+      "pattern": "\\bfor\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,300}?\\b\\w+\\s*\\+=\\s*[\"'\\w]",
+      "flags": "g",
+      "fix": "Use StringBuilder: `var sb = new StringBuilder(); for (...) sb.append(x); sb.toString();`"
+    },
+    {
+      "id": "java-list-contains-in-loop",
+      "severity": "warning",
+      "title": "List.contains inside iterator — O(n*m); use HashSet",
+      "pattern": "\\.(stream|forEach|map|filter)\\s*\\([\\s\\S]{0,200}?\\.contains\\s*\\(",
+      "flags": "g",
+      "fix": "Build a HashSet outside: `Set<T> s = new HashSet<>(list); s.contains(x);`"
+    },
+    {
+      "id": "java-arraylist-remove-in-for-i",
+      "severity": "error",
+      "title": "list.remove(i) inside for-i — index shifts; ConcurrentModification risk",
+      "pattern": "\\bfor\\s*\\(\\s*int\\s+\\w+\\s*=[\\s\\S]{0,80}?\\w+\\.size\\s*\\(\\s*\\)[\\s\\S]{0,200}?\\.remove\\s*\\(",
+      "flags": "g",
+      "fix": "Iterate backwards, use Iterator.remove(), or collect indexes and remove in one removeIf()."
+    },
+    {
+      "id": "java-bare-catch-exception",
+      "severity": "warning",
+      "title": "catch (Exception) with empty body or log-only — swallows root cause",
+      "pattern": "catch\\s*\\(\\s*Exception\\s+\\w+\\s*\\)\\s*\\{\\s*(?:\\}|\\w+\\.(printStackTrace|log|warn|info)\\s*\\([^)]*\\)\\s*;\\s*\\})",
+      "flags": "g",
+      "fix": "Catch the narrowest exception, rethrow as a domain exception, or handle with a documented fallback. Never swallow silently."
+    }
+  ]
+}

package/rules/javascript.json ADDED Viewed

@@ -0,0 +1,102 @@
+{
+  "language": "javascript",
+  "extensions": [".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"],
+  "rules": [
+    {
+      "id": "js-await-in-for-loop",
+      "severity": "error",
+      "title": "await inside for-loop — likely N+1 / serialized I/O",
+      "pattern": "for\\s*\\([^)]*\\)\\s*\\{[\\s\\S]{0,400}?\\bawait\\s",
+      "flags": "g",
+      "fix": "Collect promises into an array and use Promise.all(...), or batch with a bulk query (WHERE id IN (...))."
+    },
+    {
+      "id": "js-async-in-foreach",
+      "severity": "error",
+      "title": "async passed to .forEach — returned promises are dropped",
+      "pattern": "\\.forEach\\s*\\(\\s*async\\b",
+      "flags": "g",
+      "fix": "Use `for (const x of arr) await fn(x)` or `await Promise.all(arr.map(fn))`."
+    },
+    {
+      "id": "js-deep-clone-via-json",
+      "severity": "warning",
+      "title": "JSON.parse(JSON.stringify(x)) — slow clone; loses Dates/Maps/undefined",
+      "pattern": "JSON\\.parse\\s*\\(\\s*JSON\\.stringify\\s*\\(",
+      "flags": "g",
+      "fix": "Use structuredClone(x), or copy only the fields you actually need."
+    },
+    {
+      "id": "js-useeffect-missing-deps",
+      "severity": "warning",
+      "title": "useEffect without a deps array — runs after every render",
+      "pattern": "useEffect\\s*\\(\\s*(?:async\\s*)?\\(\\s*\\)\\s*=>\\s*\\{[\\s\\S]*?^\\s*\\}\\s*\\)\\s*;",
+      "flags": "gm",
+      "fix": "Add a deps array — `[]` for mount-only, `[a, b]` to track changes."
+    },
+    {
+      "id": "js-inline-object-jsx-prop",
+      "severity": "warning",
+      "title": "Inline object literal as JSX prop — new reference every render",
+      "pattern": "\\s[a-zA-Z][a-zA-Z0-9]*=\\{\\{[^{}]+\\}\\}",
+      "flags": "g",
+      "fix": "Hoist outside render, or wrap in useMemo if the child is React.memo."
+    },
+    {
+      "id": "js-anonymous-handler-jsx",
+      "severity": "warning",
+      "title": "Anonymous arrow handler in JSX — breaks memoized-child equality",
+      "pattern": "\\son[A-Z][A-Za-z]+=\\{\\s*\\(",
+      "flags": "g",
+      "fix": "Wrap with useCallback if the child is memoized. Otherwise ignore."
+    },
+    {
+      "id": "js-nested-for-loops",
+      "severity": "info",
+      "title": "Nested for-loops — O(n*m); consider hashing one side",
+      "pattern": "for\\s*\\([^)]*\\)\\s*\\{[\\s\\S]{0,300}?for\\s*\\(",
+      "flags": "g",
+      "fix": "If looking up between the two arrays, put one into a Set/Map first → O(n+m)."
+    },
+    {
+      "id": "js-spread-in-reduce",
+      "severity": "warning",
+      "title": "Object spread inside reduce — O(n^2)",
+      "pattern": "\\.reduce\\s*\\([\\s\\S]{0,80}?=>\\s*\\(\\s*\\{\\s*\\.\\.\\.",
+      "flags": "g",
+      "fix": "Mutate the accumulator (`acc[k] = v; return acc`) or use Object.fromEntries(arr.map(...))."
+    },
+    {
+      "id": "js-includes-in-iterator",
+      "severity": "info",
+      "title": "Array.includes inside .map/.filter/.forEach — O(n*m); use a Set",
+      "pattern": "\\.(map|forEach|filter|reduce|find|some|every)\\s*\\([\\s\\S]{0,80}?=>[\\s\\S]{0,150}?\\.includes\\s*\\(",
+      "flags": "g",
+      "fix": "Build a Set once outside the iterator, then `set.has(x)` inside."
+    },
+    {
+      "id": "js-unique-via-indexof",
+      "severity": "warning",
+      "title": "Unique-by-indexOf — O(n^2) dedupe; use `Array.from(new Set(arr))`",
+      "pattern": "\\.filter\\s*\\(\\s*\\([^)]*\\)\\s*=>\\s*\\w+\\.indexOf\\s*\\([^)]+\\)\\s*===\\s*\\w+",
+      "flags": "g",
+      "fix": "Use `Array.from(new Set(arr))`, or build a Set inline. O(n) instead of O(n^2)."
+    },
+    {
+      "id": "js-helper-call-in-iterator",
+      "severity": "warning",
+      "title": "get*/find*/fetch* helper called inside iterator — likely N round-trips",
+      "pattern": "\\.(map|forEach|filter|reduce|find|some|every)\\s*\\([\\s\\S]{0,80}?=>[\\s\\S]{0,100}?\\b(get|find|fetch|load|query|select)[A-Z]\\w*\\s*\\(",
+      "flags": "g",
+      "fix": "Hoist the helper out of the loop and pass a precomputed lookup (Map/Set) into the iterator, or batch with a single bulk query."
+    },
+    {
+      "id": "js-array-key-index",
+      "severity": "info",
+      "title": "key={index} on a list — breaks identity for reorderable items",
+      "pattern": "key=\\{(i|idx|index)\\}",
+      "flags": "g",
+      "fix": "Use a stable id when the list can reorder, insert, or delete in the middle."
+    }
+  ]
+}

package/rules/php.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "language": "php",
+  "extensions": [".php"],
+  "rules": [
+    {
+      "id": "php-count-in-for-condition",
+      "severity": "warning",
+      "title": "count() in for-condition — recomputed every iteration",
+      "pattern": "for\\s*\\(\\s*\\$\\w+\\s*=\\s*\\d+\\s*;\\s*\\$\\w+\\s*<\\s*count\\s*\\(",
+      "flags": "g",
+      "fix": "Hoist: `for ($i = 0, $n = count($a); $i < $n; $i++)`. Or use `foreach`."
+    },
+    {
+      "id": "php-in-array-in-loop",
+      "severity": "warning",
+      "title": "in_array inside loop — O(n*m); use array_flip + isset",
+      "pattern": "\\b(?:foreach|for|while)\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,200}?in_array\\s*\\(",
+      "flags": "g",
+      "fix": "`$set = array_flip($haystack); ... isset($set[$x])` is O(1) per check."
+    },
+    {
+      "id": "php-query-in-loop",
+      "severity": "error",
+      "title": "DB query inside loop — N+1",
+      "pattern": "\\b(?:foreach|for|while)\\s*\\([^{]*\\)\\s*\\{[\\s\\S]{0,300}?(?:\\$\\w+->query|mysqli_query|->prepare|->execute|DB::|->where\\b)",
+      "flags": "g",
+      "fix": "Collect the ids, run ONE `WHERE id IN (...)` query, index by id, then loop. In Eloquent use eager loading: `Model::with('relation')`."
+    },
+    {
+      "id": "php-loose-equality",
+      "severity": "info",
+      "title": "== / != — loose equality has surprising coercions",
+      "pattern": "(?<![=!<>])[!=]=(?!=)",
+      "flags": "g",
+      "fix": "Use `===` / `!==` unless type-juggling is explicitly intended (with a comment)."
+    }
+  ]
+}

package/rules/python.json ADDED Viewed

@@ -0,0 +1,62 @@
+{
+  "language": "python",
+  "extensions": [".py"],
+  "rules": [
+    {
+      "id": "py-mutable-default-arg",
+      "severity": "error",
+      "title": "Mutable default argument — shared across calls",
+      "pattern": "def\\s+\\w+\\s*\\([^)]*=\\s*(\\[\\s*\\]|\\{\\s*\\}|set\\s*\\(\\s*\\))",
+      "flags": "g",
+      "fix": "Default to None; create inside: `def f(x=None): x = x or []`."
+    },
+    {
+      "id": "py-string-concat-in-loop",
+      "severity": "warning",
+      "title": "String += inside loop — O(n^2)",
+      "pattern": "for\\s+\\w+\\s+in[\\s\\S]{0,300}?\\b\\w+\\s*\\+=\\s*['\"f]",
+      "flags": "g",
+      "fix": "Append to a list, then ''.join(list). Or use io.StringIO."
+    },
+    {
+      "id": "py-range-len",
+      "severity": "info",
+      "title": "range(len(x)) — un-Pythonic; use enumerate(x)",
+      "pattern": "range\\s*\\(\\s*len\\s*\\(",
+      "flags": "g",
+      "fix": "Use `for i, item in enumerate(x):` when you need the index too."
+    },
+    {
+      "id": "py-in-list-literal",
+      "severity": "info",
+      "title": "Membership against a list literal — O(n) per check; use a set",
+      "pattern": "\\bin\\s+\\[[^\\]]{12,}\\]",
+      "flags": "g",
+      "fix": "Hoist to a module-level frozenset({...})."
+    },
+    {
+      "id": "py-django-loop-without-eager",
+      "severity": "warning",
+      "title": "Django ORM iteration — verify select_related/prefetch_related to avoid N+1",
+      "pattern": "for\\s+\\w+\\s+in\\s+[A-Za-z_][A-Za-z0-9_]*\\.objects\\.(all|filter|exclude)\\s*\\(",
+      "flags": "g",
+      "fix": "Add .select_related('fk') for FK/OneToOne, .prefetch_related('rel') for reverse FK / M2M."
+    },
+    {
+      "id": "py-bare-except",
+      "severity": "info",
+      "title": "Bare except — hides timeouts, OOM, KeyboardInterrupt",
+      "pattern": "except\\s*:",
+      "flags": "g",
+      "fix": "Catch specific exceptions: `except (TimeoutError, ConnectionError):`."
+    },
+    {
+      "id": "py-open-without-with",
+      "severity": "info",
+      "title": "open() without `with` — risk of leaked file descriptors",
+      "pattern": "(?<!with\\s)\\bopen\\s*\\([^)]*\\)(?!\\s*as\\b)",
+      "flags": "g",
+      "fix": "Use `with open(path) as f:` to ensure the handle is released."
+    }
+  ]
+}

package/rules/ruby.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "language": "ruby",
+  "extensions": [".rb"],
+  "rules": [
+    {
+      "id": "rb-include-in-iterator",
+      "severity": "warning",
+      "title": "Array#include? inside iterator — O(n*m); use Set",
+      "pattern": "\\.(each|map|select|reject|find|any\\?|all\\?|count|filter)\\s*\\{[\\s\\S]{0,150}?\\.include\\?\\s*\\(",
+      "flags": "g",
+      "fix": "`require 'set'; allowed = Set.new(list); ... allowed.include?(x)`."
+    },
+    {
+      "id": "rb-n-plus-one-activerecord",
+      "severity": "error",
+      "title": "ActiveRecord iteration touching an association — N+1 without includes",
+      "pattern": "\\b\\w+(?:\\.all|\\.where\\s*\\([^)]+\\))(?!\\.includes)[\\s\\S]{0,80}?\\.(each|map|find_each|pluck)\\s*(?:do|\\{)",
+      "flags": "g",
+      "fix": "Use `Model.includes(:assoc)` or `:preload` / `:eager_load` before iterating."
+    },
+    {
+      "id": "rb-bare-rescue",
+      "severity": "warning",
+      "title": "Bare rescue — catches StandardError, hides bugs",
+      "pattern": "\\brescue\\s*\\n",
+      "flags": "g",
+      "fix": "Catch a specific class: `rescue Net::ReadTimeout` etc. Bare rescue swallows too much."
+    },
+    {
+      "id": "rb-string-concat-in-loop",
+      "severity": "info",
+      "title": "String += in loop — O(n^2) since += creates a new string each iteration",
+      "pattern": "\\.each\\s*(?:\\{|do)[\\s\\S]{0,150}?\\w+\\s*\\+=\\s*[\"'\\w]",
+      "flags": "g",
+      "fix": "Use `<<` (mutates) or `parts.join` if building from an array."
+    }
+  ]
+}

package/rules/rust.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "language": "rust",
+  "extensions": [".rs"],
+  "rules": [
+    {
+      "id": "rs-unwrap-in-prod",
+      "severity": "warning",
+      "title": ".unwrap() / .expect() panics on None/Err — surface the error",
+      "pattern": "\\.(unwrap|expect)\\s*\\(",
+      "flags": "g",
+      "fix": "Use `?`, `match`, `unwrap_or`, `unwrap_or_else`, or `ok_or(...)?`. Reserve unwrap for tests and provably infallible paths."
+    },
+    {
+      "id": "rs-clone-in-loop",
+      "severity": "info",
+      "title": ".clone() inside iterator — avoid if a borrow works",
+      "pattern": "\\.(iter|into_iter|map|filter)\\s*\\([\\s\\S]{0,150}?\\.clone\\s*\\(\\s*\\)",
+      "flags": "g",
+      "fix": "Borrow with &, use Rc/Arc for shared ownership, or move once outside the loop."
+    },
+    {
+      "id": "rs-vec-push-no-capacity",
+      "severity": "info",
+      "title": "Vec::new() + push in loop — repeated reallocation",
+      "pattern": "let\\s+mut\\s+\\w+\\s*=\\s*Vec::new\\s*\\(\\s*\\)\\s*;[\\s\\S]{0,300}?for\\s+[^{]*\\{[\\s\\S]{0,200}?\\.push\\s*\\(",
+      "flags": "g",
+      "fix": "Preallocate: `Vec::with_capacity(n)`, or use `.collect::<Vec<_>>()` over an iterator that has a size hint."
+    },
+    {
+      "id": "rs-string-push-no-capacity",
+      "severity": "info",
+      "title": "String::new() + push_str in loop — repeated reallocation",
+      "pattern": "let\\s+mut\\s+\\w+\\s*=\\s*String::new\\s*\\(\\s*\\)\\s*;[\\s\\S]{0,300}?for\\s+[^{]*\\{[\\s\\S]{0,200}?\\.(push_str|push)\\s*\\(",
+      "flags": "g",
+      "fix": "Preallocate: `String::with_capacity(n)`, or `parts.join(sep)` for known parts."
+    }
+  ]
+}

package/rules/shell.json ADDED Viewed

@@ -0,0 +1,38 @@
+{
+  "language": "shell",
+  "extensions": [".sh", ".bash"],
+  "rules": [
+    {
+      "id": "sh-set-e-no-pipefail",
+      "severity": "warning",
+      "title": "set -e without set -o pipefail — failures inside pipes are masked",
+      "pattern": "^\\s*set\\s+-e(?:uo?)?\\s*$",
+      "flags": "gm",
+      "fix": "Use `set -euo pipefail` so the script also fails when an earlier stage in a pipe fails."
+    },
+    {
+      "id": "sh-unquoted-var",
+      "severity": "warning",
+      "title": "Unquoted $var — word splitting and glob expansion",
+      "pattern": "(?:\\b(?:if|while|case)\\s+[^\\n]{0,40}|=)\\s*\\$\\{?[A-Za-z_]\\w*\\}?(?![\\w\\\"])",
+      "flags": "g",
+      "fix": "Quote: `\"$var\"`. Use `\"${arr[@]}\"` for arrays. Required even for paths you trust."
+    },
+    {
+      "id": "sh-useless-cat-pipe",
+      "severity": "info",
+      "title": "cat file | cmd — useless use of cat (UUOC)",
+      "pattern": "\\bcat\\s+[^|\\n]+\\|\\s*(grep|awk|sed|wc|sort|head|tail)\\b",
+      "flags": "g",
+      "fix": "Run the command on the file directly: `grep ... file` instead of `cat file | grep ...`."
+    },
+    {
+      "id": "sh-for-ls",
+      "severity": "warning",
+      "title": "for f in $(ls ...) — breaks on filenames with spaces / newlines",
+      "pattern": "for\\s+\\w+\\s+in\\s+\\$\\(\\s*ls\\b",
+      "flags": "g",
+      "fix": "Use glob `for f in *.txt` or `find ... -print0 | xargs -0`. Never parse `ls`."
+    }
+  ]
+}

package/rules/sql.json ADDED Viewed

@@ -0,0 +1,54 @@
+{
+  "language": "sql",
+  "extensions": [".sql"],
+  "rules": [
+    {
+      "id": "sql-select-star",
+      "severity": "warning",
+      "title": "SELECT * — fetches unused columns; blocks index-only scans",
+      "pattern": "SELECT\\s+\\*",
+      "flags": "gi",
+      "fix": "Name the columns. Smaller payload and more covering-index opportunities."
+    },
+    {
+      "id": "sql-leading-wildcard-like",
+      "severity": "warning",
+      "title": "LIKE with leading wildcard — cannot use a B-tree index",
+      "pattern": "LIKE\\s+['\"]\\s*%",
+      "flags": "gi",
+      "fix": "Use a trigram index (pg_trgm), full-text search, or a reversed-column index."
+    },
+    {
+      "id": "sql-not-in-subquery",
+      "severity": "warning",
+      "title": "NOT IN (subquery) — null-unsafe; usually slower than NOT EXISTS",
+      "pattern": "NOT\\s+IN\\s*\\(\\s*SELECT",
+      "flags": "gi",
+      "fix": "Rewrite as `WHERE NOT EXISTS (SELECT 1 FROM ... WHERE ...)`."
+    },
+    {
+      "id": "sql-select-no-limit",
+      "severity": "info",
+      "title": "SELECT without LIMIT — unbounded result set",
+      "pattern": "SELECT\\s+(?!.*\\bLIMIT\\b)[\\s\\S]+?FROM[\\s\\S]+?;",
+      "flags": "gi",
+      "fix": "Add LIMIT, or paginate by id range. Unbounded reads OOM under growth."
+    },
+    {
+      "id": "sql-or-in-where",
+      "severity": "info",
+      "title": "OR in WHERE — can prevent index use",
+      "pattern": "WHERE[\\s\\S]{0,200}?\\sOR\\s",
+      "flags": "gi",
+      "fix": "Equality on same column → `WHERE col IN (...)`. Otherwise consider UNION ALL."
+    },
+    {
+      "id": "sql-update-no-where",
+      "severity": "error",
+      "title": "UPDATE / DELETE without WHERE — touches every row",
+      "pattern": "(?:UPDATE|DELETE\\s+FROM)\\s+[A-Za-z_][A-Za-z0-9_.\"]*\\s+(?!.*\\bWHERE\\b)[\\s\\S]*?;",
+      "flags": "gi",
+      "fix": "Add a WHERE clause, or confirm in a comment that touching all rows is intentional."
+    }
+  ]
+}