lanorme 0.5.1__tar.gz

lanorme-0.5.1/.gitignore

@@ -0,0 +1,9 @@
+__pycache__/
+*.py[cod]
+.venv/
+dist/
+build/
+*.egg-info/
+.ruff_cache/
+.pytest_cache/
+benchmarks/.corpora/

lanorme-0.5.1/CHANGELOG.md

@@ -0,0 +1,250 @@
+# Changelog
+
+All notable user-facing changes to LaNorme. The public API is the set of
+rule codes that may appear in `select` / `ignore` / `per-file-ignores`
+and the configuration keys under `[tool.lanorme]`. See the Versioning
+section in the README for the breaking-change policy.
+
+This project follows the spirit of [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [Unreleased]
+
+## [0.5.1]
+
+### Changed
+
+- First release published to PyPI: `uv tool install lanorme` (or
+  `pipx install lanorme` / `pip install lanorme`). Publishing runs through
+  PyPI Trusted Publishing from GitHub Actions on each GitHub Release, so no
+  API token is stored.
+- The project moved to the `lanorme` GitHub organisation; all project URLs
+  now point to `github.com/lanorme/lanorme` (the old paths redirect).
+
+## [0.5.0]
+
+### Added
+
+- `attribute_access` check, opt-in (default-off), advisory warnings:
+  - `ATTR-001`: `hasattr(x, "name")` with a literal identifier name (duck
+    typing; prefer a `runtime_checkable` Protocol with `isinstance`, or
+    EAFP).
+  - `ATTR-002`: `getattr(x, "name")` (no default), `setattr(x, "name", v)`,
+    or `delattr(x, "name")` with a literal identifier name (use direct
+    attribute access `x.name`).
+  - High-confidence cases only: three-argument `getattr` with a default,
+    dunder names, non-identifier names, and files under `tests/` are exempt.
+    Dynamic (non-literal) names are exempt unless `flag_dynamic = true`.
+    Enable via `[tool.lanorme.attribute_access] enabled = true`. The default
+    was chosen by measuring the rule against the Python standard library,
+    where `hasattr` is dominated by legitimate platform/feature detection
+    (no Protocol fix), so the check ships off.
+- `Configurable` protocol in the public API: a `runtime_checkable` Protocol
+  for checks that accept a `[tool.lanorme.<name>]` settings table. The CLI
+  now selects configurable checks with `isinstance(check, Configurable)`.
+
+## [0.4.0]
+
+### Added
+
+- Top-level `[tool.lanorme] source_root` key. It decouples the architectural
+  root from the scan target for the two layout-aware checks (`layer_deps` and
+  `port_coverage`) only. With `source_root = "src/pkg"`, a single
+  `lanorme check .` from the repo root classifies layers under
+  `src/pkg/domain/`, `src/pkg/api/`, etc., while every other check keeps
+  scanning the whole tree. `composition_root`, `ports_dir`, and
+  `adapter_roots` are interpreted relative to `source_root`. A scanned file
+  that is not under `source_root` is layer-exempt (skipped by `layer_deps` /
+  `port_coverage`, never flagged), but is still seen by every other check.
+  Reported violation paths stay relative to the scan target, so `--exclude`,
+  `[tool.lanorme.per-file-ignores]`, and `# noqa` line up unchanged.
+  `source_root` is resolved against the scan target (for the intended
+  `lanorme check .` from the repo root these are the same directory).
+- `exclude` globs are now honoured at file-discovery time, not only in the
+  post-filter. An excluded directory is pruned during the walk, so a large
+  excluded subtree (`postman/**`, `docs/generated/**`, ...) is no longer read.
+  The CLI still post-filters by the same globs as a safety net.
+
+### Changed
+
+- A built-in set of never-source directories is pruned during every check's
+  tree walk regardless of configuration: `.git`, `.venv`, `venv`,
+  `node_modules`, `__pycache__`, `dist`, `build`, `.ruff_cache`,
+  `.pytest_cache`, `.mypy_cache`. This makes `lanorme check .` fast out of the
+  box (it no longer descends into a virtualenv or build tree). This is a
+  behaviour change not gated behind a config key: a project that deliberately
+  kept first-party `.py` files under one of these directory names would no
+  longer have them scanned. The `stray_artifacts` check already pruned the
+  same set, so its `JUNK` rules are unaffected.
+
+## [0.3.0]
+
+### Added
+
+- `layer_deps` and `port_coverage` are now configurable via
+  `[tool.lanorme.layer_deps]` and `[tool.lanorme.port_coverage]`. All keys
+  are optional and the built-in defaults reproduce the previous behaviour.
+  - `layer_deps`: `composition_root` (path globs), `layers`, and a nested
+    `[tool.lanorme.layer_deps.allowed]` table mapping each layer to the
+    layers it may import.
+  - `port_coverage`: `ports_dir`, `adapter_roots`, `composition_root`
+    (path globs), `skip_files`, `ports_without_impl`.
+
+### Changed
+
+- The composition root is now matched with `fnmatch` globs against the
+  source-relative path, in both `layer_deps` (LAYER-005) and
+  `port_coverage` (PORT-003), instead of a directory `startswith` /
+  substring test. A module **file** such as `api/dependencies.py` can now
+  be a composition root; previously only an `api/dependencies/` **directory**
+  was recognised. The defaults match the same paths as before, so projects
+  that do not set the new keys see no change.
+- LAYER-005 rule text changed from "only `api/dependencies/` may import
+  from infrastructure" to "only the composition root may import from
+  infrastructure" (it is now configurable).
+- `port_coverage` now scans each adapter root **recursively** (`rglob`),
+  where it previously scanned only the top level of
+  `infrastructure/services/`. A project with adapter files in
+  subdirectories of an adapter root may now see those files evaluated by
+  PORT-001 and contribute to PORT-002 coverage. For a flat
+  `infrastructure/services/*.py` layout there is no change. This is the one
+  behaviour change not gated behind a config key.
+
+## [0.2.0]
+
+### Changed
+
+- `CMT-001` recall pushed from 0.667 to 1.000 by extending the comment-as-
+  code parser with wrapping strategies for the shapes `ast.parse` rejects
+  standalone: block headers (`if x:`, `for x in y:`, `def f():`, `class C:`)
+  are tried with a `pass` body; `try:` adds a synthetic `except`; `elif` /
+  `else` / `except` / `finally` are tried inside their parent block; bare
+  `return` / `yield` / `raise` are tried inside a synthetic `def _():`; and
+  decorator lines (`@foo`) are tried followed by `def _(): pass`. Also
+  added `ast.If` / `ast.Try` / `ast.Match` / `ast.Return` to the code-node
+  whitelist. Scored: **F1 = 0.793 -> 0.992** (P = 0.978 -> 0.985,
+  R = 0.667 -> 1.000).
+- `CMT-005` moved from the `comments` check to a new `restating` check.
+  Same rule code, same precision-funnel detector (P = 1.000, R = 0.418,
+  F1 = 0.589). Configuration key changed from `[tool.lanorme.comments]
+  restating = true` to `[tool.lanorme.restating] enabled = true`.
+- `SQL-001` rewritten AST-based: only flags raw SQL that reaches a
+  database execution sink (`.execute` / `.executemany` /
+  `.executescript` on a DB-shaped receiver, or `read_sql` /
+  `read_sql_query`). Unwraps `text(...)` constructors, resolves
+  module-level and function-local string constants, treats `+` /
+  `%`-formatted / `.format`-built SQL as interpolated, and recognises
+  parameterised executes (placeholder + params arg) as safe.
+  Scored against the bundled corpus: **F1 = 0.761 -> 1.000**
+  (P = 0.686 -> 1.000, R = 0.854 -> 1.000).
+- `SECRETPY-001` rewritten AST-based: flags credential-named
+  assignments (variable, dict-literal key, call kwarg) plus shape-only
+  matches (PEM, JWT, Bearer, DB-URL-with-creds, vendor-prefixed
+  tokens for AWS / GitHub / Slack / Stripe). Placeholder markers
+  (`<your-...>`, `REPLACE_ME`, `example`, ...) skip a value unless it
+  is high-entropy enough (32+ chars, mixed case, digits) to defeat the
+  marker. Scored: **F1 = 0.658 -> 1.000** (P = 0.758 -> 1.000,
+  R = 0.581 -> 1.000).
+- `SECRETPY-001` moved from the `security_patterns` check to a new
+  `secrets` check. Rule code unchanged; the check name changed.
+  Users running `lanorme check . --check=security_patterns` no longer
+  get SECRETPY-001 flags; run `--check=secrets` instead, or rely on
+  the default-on full run.
+
+### Added
+
+- `lanorme rule <CODE>` CLI subcommand. Prints the matching section of
+  `docs/RULES.md` (bundled into the wheel) for one rule code; exits 2
+  with a helpful pointer if the code is unknown.
+- Project metadata for distribution: `authors`, `[project.urls]`
+  (homepage / repository / issues / changelog), `Development Status ::
+  4 - Beta`, Python 3.14 classifier, `Typing :: Typed`, additional
+  keywords.
+- `[dependency-groups] dev = ["pytest>=8"]`: contributors install with
+  `uv sync --group dev` and run the unit suite with
+  `uv run pytest tests/unit`.
+- `[tool.hatch.build.targets.sdist]` selects the publishable artefacts
+  (src, README, CHANGELOG, LICENSE, docs/RULES.md, pyproject) for the
+  source distribution.
+- `security_calls` check, six default-on dangerous-call rules, each one
+  AST node and precision-first: `SHELL-001` (subprocess `shell=True`,
+  `os.system`, `os.popen`), `DESERIAL-001` (pickle / marshal / dill /
+  `yaml.load` without `SafeLoader`), `EVAL-001` (`eval` / `exec` /
+  `compile` on a non-literal first argument), `CRYPTO-001` (`md5` / `sha1`
+  used for security, deprecated TLS protocol constants), `TLS-001`
+  (`verify=False` in `requests` / `httpx` / `aiohttp`, `ssl.CERT_NONE`,
+  `ssl._create_unverified_context`), `DEBUG-001` (`Flask` / `FastAPI`
+  constructors and `app.run` calls with `debug=True`, `DEBUG = True` at
+  module scope in `*settings.py` / `*config.py`).
+- `[tool.lanorme.per-file-ignores]` TOML table: map a path glob to a
+  list of rule codes (full code such as `SQL-001` or a category prefix
+  such as `SQL`) that should never fire for matching files.
+- `# noqa` inline suppression. Bare `# noqa` silences any rule on the
+  line it sits on; `# noqa: CODE1,CODE2` silences only the listed codes
+  (full codes or category prefixes). Case-insensitive.
+- `test_style` check with `AAA-001` (test functions must carry inline
+  Arrange / Act / Assert section comments, or Given / When / Then) and
+  `AAA-002` (test functions in the same file must not share an identical
+  arrange prefix). Default-off; enable via
+  `[tool.lanorme.test_style] enabled = true`.
+- `CHANGELOG.md`: `docs/RULES.md` per-rule reference, versioning policy
+  in README.
+
+### Changed (breaking)
+
+- **Rule renames** so each rule's code matches its actual scope:
+  - `AUTH-001` &rarr; `AUTHN-001` (the check verifies authentication
+    presence; it does not measure authorisation).
+  - `TEST-001` &rarr; `TESTFILE-001` (it verifies that a `test_*.py`
+    partner exists; it does not measure coverage).
+  - `SECRET-001` &rarr; `SECRETPY-001` (Python-source scope only;
+    `.env` / `*.yaml` / `*.ipynb` are out of scope until a future
+    `SECRET-002` / `SECRET-003` lands).
+- **Default demotions** based on the multi-reviewer audit
+  (`docs/audit/SUMMARY.md`). All previously default-on, now opt-in:
+  - `NAMING-001` (repository CRUD prefixes). Opt-in via
+    `[tool.lanorme.naming_consistency] repo_crud = true`.
+  - `NAMING-002` (service CRUD prefixes). Opt-in via
+    `service_crud = true`. These two rules actively conflicted with
+    `TERM-NNN` on a serious DDD project; the audit's biggest single
+    finding.
+  - `KWARG-001` (`bare *` on every multi-argument function). Opt-in
+    via `[tool.lanorme.named_args] enabled = true`.
+  - `AAA-001` / `AAA-002`. Opt-in via
+    `[tool.lanorme.test_style] enabled = true`.
+- **Earlier rename pass** (commit `4703490`):
+  - `SEC-001` &rarr; `AUTH-001` (later renamed again, see above).
+  - `SEC-002` &rarr; `SQL-001`, `SEC-003` &rarr; `SECRET-001` (later
+    renamed again, see above).
+  - `SIZE-004` &rarr; `COMPLEXITY-001` (cyclomatic complexity is not a
+    size).
+  - `SIZE-005` &rarr; `PARAM-001` (parameter count is not a size).
+  - `PATTERN-001` &rarr; `IMPORT-001`, `PATTERN-002` &rarr; `TYPING-001`
+    (later removed), `PATTERN-004` &rarr; `ENDPOINT-001`.
+  - `PROJ-001` &rarr; `PATH-001`.
+  - `ART-001` / `ART-002` &rarr; `JUNK-001` / `JUNK-002`.
+  - `NAMED-001` &rarr; `KWARG-001`.
+- **CMT-003 / CMT-004 unified under PROSE-001 / PROSE-003** (one rule
+  code per intent regardless of file type). The `comments` check now
+  emits `PROSE-001` and `PROSE-003` on Python comments and docstrings
+  when `em_dash` / `emoji` are enabled; the `prose` check still emits
+  the same codes on Markdown.
+
+### Removed (breaking)
+
+- `TEST-002` (weak blank-line AAA heuristic). Superseded by `AAA-001`
+  (comment-marker AAA in the `test_style` check, stronger signal).
+- `TYPING-001` (no `TYPE_CHECKING` outside model files). Three of four
+  reviewers in the audit flagged the rule's premise as inverting the
+  community typing consensus (ruff's `TCH` family actively promotes
+  `TYPE_CHECKING` guards). The helper was also unwired in practice. May
+  return as an opt-in with the premise inverted (encourage rather than
+  forbid).
+
+## [0.1.0] - initial commit `aaef1f5`
+
+First public-shape release. Eighteen checks extracted from a private
+codebase, fully de-identified, with a configurable CLI (`lanorme check`,
+`lanorme rules`), TOML-driven configuration (`[tool.lanorme]` in
+`pyproject.toml` or a dedicated `lanorme.toml`), and a plugin model
+through `[project.entry-points."lanorme.checks"]` or
+`[tool.lanorme] plugins = [...]`.

lanorme-0.5.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 LaNorme contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

lanorme-0.5.1/PKG-INFO

@@ -0,0 +1,220 @@
+Metadata-Version: 2.4
+Name: lanorme
+Version: 0.5.1
+Summary: La norme: a configurable, pluggable architecture and code-quality linter for Python.
+Project-URL: Homepage, https://github.com/lanorme/lanorme
+Project-URL: Repository, https://github.com/lanorme/lanorme
+Project-URL: Issues, https://github.com/lanorme/lanorme/issues
+Project-URL: Changelog, https://github.com/lanorme/lanorme/blob/main/CHANGELOG.md
+License-Expression: MIT
+License-File: LICENSE
+Keywords: architecture,checks,code-quality,ddd,hexagonal,linter,static-analysis
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Classifier: Typing :: Typed
+Requires-Python: >=3.13
+Description-Content-Type: text/markdown
+
+# LaNorme
+
+A linter for Python. It checks the usual things, dead code, file and function
+size, complexity, weak types, hardcoded secrets, dangerous calls, and a few
+things most linters do not: hexagonal layer boundaries, ports-and-adapters
+wiring, and a project's own naming vocabulary.
+
+Standard library only. No runtime dependencies. Python 3.13+.
+
+```console
+$ lanorme check .
+```
+
+## Install
+
+From PyPI:
+
+```console
+uv tool install lanorme       # or: pipx install lanorme, pip install lanorme
+```
+
+Run it once without installing anything:
+
+```console
+uvx lanorme check .
+```
+
+Or install straight from source:
+
+```console
+uv tool install "git+https://github.com/lanorme/lanorme@v0.5.1"
+```
+
+Releases are tagged `vX.Y.Z`; see the [releases page](https://github.com/lanorme/lanorme/releases) for notes.
+
+## Usage
+
+```console
+lanorme check [PATHS...]            # run every enabled check (default path: .)
+lanorme check . --check=secrets     # run one check by name
+lanorme check . --select TYPE,AUTHN # only these rule codes or categories
+lanorme check . --ignore NAMING-003 # skip specific rules
+lanorme check . --output-format json
+lanorme rules                       # list every registered rule
+lanorme rule  SQL-001               # show the reference for one rule
+```
+
+Exit code is `1` when any check fails, `0` when the tree is clean.
+
+A run looks like this:
+
+```console
+$ lanorme check src/
+[FAIL] secrets
+  VIOLATION: app.py:8 — Hardcoded credential value bound to 'API_KEY'
+    Rule: SECRETPY-001: No hardcoded secrets in source code
+    Fix: Read the value from an environment variable, secrets manager, or settings module
+```
+
+### Suppressing a finding
+
+A `# noqa` at the end of a line silences every rule on that line; `# noqa: CODE`
+silences only the listed codes (a full code like `SQL-001` or a category like
+`SQL`):
+
+```python
+def legacy_handler(req):  # noqa: KWARG-001
+    return req.text  # noqa
+```
+
+For whole directories, use the per-file table in your config (below).
+
+## Configuration
+
+LaNorme walks up from the target path looking for config: a dedicated
+`lanorme.toml`, otherwise a `[tool.lanorme]` table in `pyproject.toml`. Command
+line flags win over both.
+
+```toml
+[tool.lanorme]
+select = ["ALL"]                            # rule codes or categories to run
+ignore = ["NAMING-003"]                     # rule codes or categories to skip
+exclude = ["postman/**", "vendor/*"]        # path globs, pruned at walk time
+source_root = "src/myproject"               # architectural root for layer_deps/port_coverage
+plugins = ["myproject.checks.house_rules"]  # extra check modules to load
+
+# Silence specific rules for matching paths (the file is still scanned).
+[tool.lanorme.per-file-ignores]
+"tests/**/*.py"   = ["AAA", "SECRETPY"]
+"alembic/**/*.py" = ["SQL"]
+"notebooks/*.py"  = ["KWARG", "DRY"]
+
+# Each per-check table is handed to that check.
+[tool.lanorme.stray_artifacts]
+extensions = [".zip", ".pdf"]               # also flag these (JUNK-002)
+allow = ["docs/diagram.png"]                # never flag these (globs)
+
+[tool.lanorme.forbidden_paths]
+dirs = ["legacy_src", "build_artifacts"]    # these directories must not exist
+
+[[tool.lanorme.domain_terms.rules]]
+id = "TERM-001"
+canonical = "Account"
+forbidden = ["Acct", "Acnt"]
+```
+
+`exclude` globs are pruned during the walk, not just filtered from output, so a
+large excluded subtree is never read. A built-in set of never-source
+directories (`.git`, `.venv`, `venv`, `node_modules`, `__pycache__`, `dist`,
+`build`, `.ruff_cache`, `.pytest_cache`, `.mypy_cache`) is always pruned, so
+`lanorme check .` is fast out of the box.
+
+`source_root` applies only to the two layout-aware checks (`layer_deps`,
+`port_coverage`). It lets you run `lanorme check .` from the repo root while the
+hexagonal layers live under a nested package: layers are classified relative to
+`source_root`, files outside it are layer-exempt, and `composition_root` /
+`ports_dir` / `adapter_roots` are read relative to it. Every other check still
+scans the whole tree.
+
+## What it checks
+
+`lanorme rules` prints the live list. Each rule, what it catches and does not,
+its config, and where measured its precision and recall on the bundled test
+corpora, is in [`docs/RULES.md`](docs/RULES.md).
+
+On by default, on any project, no config needed:
+
+| Rule | Catches |
+|---|---|
+| `CMT-001/002` | commented-out code, over-long comment blocks |
+| `DRY-001` | near-duplicate function bodies |
+| `SIZE-001..003` / `COMPLEXITY-001` / `PARAM-001` | file, function and class size; cyclomatic complexity; parameter count |
+| `IMPORT-001` / `ENDPOINT-001` | imports inside function bodies; deeply nested endpoints |
+| `NAMING-003/004` | HTTP-verb-to-handler match; boolean-prefix predicates |
+| `TYPE-001..003` | `dict[str, Any]`, bare containers, untyped `**kwargs` |
+| `AUTHN-001` / `SQL-001` / `SECRETPY-001` | mutation endpoints without an auth dependency; raw SQL at a database call; hardcoded secrets in `.py` |
+| `SHELL-001` / `DESERIAL-001` / `EVAL-001` / `CRYPTO-001` / `TLS-001` / `DEBUG-001` | shell injection, unsafe deserialisation, `eval`/`exec`, weak hashes, disabled TLS, debug mode |
+| `JUNK-001/002` | screenshots, scratch files, OS junk, stray binaries |
+| `TESTFILE-001` | a production module with no `test_*.py` partner |
+| `META-001..005` | the checks themselves emit well-formed output |
+
+Off until you turn them on:
+
+| Rule | Why |
+|---|---|
+| `LAYER-001..005` | needs a layered layout (`domain/ application/ infrastructure/ api/`) |
+| `PORT-001..003` | needs an `application/ports/` directory |
+| `TERM-NNN` | needs a vocabulary in `[tool.lanorme.domain_terms]` |
+| `PATH-001` / `STALE-001` | need forbidden dirs / stale tokens configured |
+| `KWARG-001` | keyword-only call sites; a strong house style |
+| `NAMING-001/002` | CRUD method prefixes; conflicts with domain naming |
+| `AAA-001/002` | Arrange-Act-Assert markers and DRY in tests |
+| `CMT-005` | restating-comment detector; experimental, precision-first |
+| `ATTR-001/002` | `hasattr`/`getattr`/`setattr` with a literal attribute name; a missing-type smell |
+| `PROSE-001..003` | em dashes, US spelling and emoji in Markdown or comments |
+
+## Writing a check
+
+A check is any object with `name`, `description`, `rules`, and a `run` method:
+
+```python
+from lanorme import CheckResult, Status, Violation, register
+
+
+class MyCheck:
+    name = "my_check"
+    description = "What it enforces"
+    rules = ["MYCODE-001: the rule, in one line"]
+
+    def run(self, *, src_root: str) -> CheckResult:
+        violations: list[Violation] = []
+        # inspect files under src_root
+        status = Status.FAIL if violations else Status.PASS
+        return CheckResult(check=self.name, status=status, violations=violations)
+
+
+register(MyCheck())
+```
+
+Drop it in `lanorme/checks/`, ship it under the `lanorme.checks` entry-point
+group, or point at it with `[tool.lanorme] plugins = [...]`. LaNorme finds it
+and runs it.
+
+## Versioning
+
+The public surface is the rule codes you put in `select` / `ignore` /
+`per-file-ignores` and the config keys under `[tool.lanorme]`. Renaming a rule,
+dropping one, or turning a default-on rule off is a breaking change; adding a
+rule or a new config key with a sensible default is not. Before 1.0, breaking
+changes land in minor releases and are listed in
+[`CHANGELOG.md`](CHANGELOG.md).
+
+## License
+
+MIT. See [`LICENSE`](LICENSE).