Skip to content
Critiq Docs

Search docs

Search documentation pages and rules

Releases

Changelog timeline

Shipped releases and pending changes across the public Critiq OSS repositories (critiq-core and critiq-rules), in one scrolling timeline. Released entries come from each package CHANGELOG; pending entries are unconsumed changesets queued for the next npm cut. Each row shows the affected packages, bump type, and release note text.

#Timeline

Showing 290 entries sorted by date (newest first). Released rows include the npm version; pending rows are queued for the next release.

June 2026
Jun 13critiq-corependingminor

Add Ruby bug-risk adapter facts for 8 new RB-RL rails framework rules: `has-and-belongs-to-many`, `dependent-option-cascade`, `helper-instance-variables`, `http-methods-without-params`, `deprecated-http-status-symbols`, `skip-filter-conditional`, `missing-inverse-of`, and `undefined-action-filter`.

@critiq/adapter-shared
Jun 13critiq-corev0.4.0minor

1e2a570: Ship CloudFormation cfn-lint adapter support, 26 PHP analyzer parity adapter facts, and Ruby, Android, and Electron adapter facts. Prompt to install `@critiq/rules` when the configured catalog package is missing from local or global `node_modules`.

@critiq/cli
Jun 13critiq-corev0.4.0minor

5fd870f: Add Wave 1 benchmark peer-gap facts for path-join user input, insecure HTTP server bootstrap, and Python path traversal user input.

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: feat(ruby): add batch 17 bug-risk and performance fact collectors (RB-RL1052-RB-RL1059)

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: Add 7 new Ruby bug-risk fact collectors for RB-LI batch 13: self-assignment (RB-LI1092), identical-binary-operands (RB-LI1093), branches-without-body (RB-LI1094), trailing-comma-attribute (RB-LI1099), equal-instead-of-equal (RB-LI1100), invalid-integer-times (RB-LI1101), and constant-in-block (RB-LI1102).

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: ruby: add 8 rails framework bug-risk facts (RB-RL1001-RB-RL1008)

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: ruby: add 8 rails framework bug-risk facts (RB-RL1009-RB-RL1016)

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: Add 8 new Ruby bug-risk fact collectors for RB-RL batch 13: `ruby.bug-risk.deprecated-find-by-dynamic` (RB-RL1017), `ruby.bug-risk.enum-array-syntax` (RB-RL1018), `ruby.bug-risk.enum-duplicate-values` (RB-RL1019), `ruby.bug-risk.rails-env-equality` (RB-RL1020), `ruby.bug-risk.exit-in-app-code` (RB-RL1021), `ruby.bug-risk.rails-root-join` (RB-RL1022), `ruby.bug-risk.where-first-over-find-by` (RB-RL1023), `ruby.bug-risk.all-each-to-find-each` (RB-RL1024).

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: feat: tune testing.flaky-timer-in-test fact for precision

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: feat: tune security.iframe-missing-sandbox-attribute fact for precision

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: Ruby batch 09 (RB-RL) adapter facts

@critiq/cli
Jun 13critiq-corev0.4.0patch

7f0cce4: feat: add Java documentation fact collectors (java-doc.ts) for batch 05

@critiq/cli
Jun 13critiq-corev0.4.0patch

846919c: Ruby batch 05 (RB-LI-1001, 1002, 1003) ambiguous method invocation rules

@critiq/cli
Jun 13critiq-corev0.4.0minor

5fd870f: Improve Wave 2 benchmark peer-gap SAST facts for contextual Python weak hashes, request-tainted dynamic code execution, Flask markup precision, taint-gated DOM HTML sinks, and user-controlled RegExp construction.

@critiq/cli
Jun 13critiq-corev0.4.0minor

82fd4d5: Add batch-01 JavaScript parity adapter facts:

@critiq/cli
Jun 13critiq-corev0.4.0minor

82fd4d5: Add batch-03 JavaScript parity adapter facts:

@critiq/cli
Jun 13critiq-corev0.4.0minor

82fd4d5: Add Vue Options API fact detectors (framework.vue.reserved-key-overwrite, framework.vue.computed-mutation, framework.vue.invalid-prop-type, framework.vue.data-object-declaration) to the TypeScript adapter for JavaScript parity batch 08.

@critiq/cli
Jun 13critiq-corev0.4.0minor

0130a7f: feat: add 8 Ruby bug-risk fact collectors

@critiq/cli
Jun 13critiq-corev0.4.0minor

0130a7f: Ruby adapter: add deprecated-big-decimal-new, symbol-boolean-name, circular-argument-reference, deprecated-class-methods, disjunctive-assignment-in-constructor fact collectors

@critiq/cli
Jun 13critiq-corev0.4.0minor

0130a7f: Ruby adapter: add duplicate-constant-assignment, io-select-single-arg, bad-operand-order fact collectors

@critiq/cli
Jun 13critiq-corev0.4.0minor

846919c: **async.infinite-loop fact**: Added YieldExpression detection to loopBodyHasExit

@critiq/cli
Jun 13critiq-rulesv0.4.0minor

3c42355: Ship Wave 1 benchmark peer-gap SAST rules for path-join user input, insecure Express listen bootstrap, and Python path traversal user input.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

3c42355: Ship Wave 2 benchmark peer-gap precision updates and the taint-gated `ts.security.user-controlled-regexp` rule.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add Go correctness unnecessary-dereference rule (strict preset) (batch 06)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 8 Rust correctness rules for batch 04 codes: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 8 Rust correctness rules for batch 06: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 8 Rust quality rules for batch 09: redundant-mem-replace-with-none, redundant-mem-replace-with-default, redundant-mem-replace-with-zero, fn-ptr-null-comparison, possible-missing-comma-in-array, non-utf8-literal-in-from-utf8-unchecked, size-of-val-on-reference, fn-ptr-to-non-pointer-cast.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 8 Rust quality rules (RS-W1013, RS-W1015, RS-W1016, RS-W1028, RS-W1039, RS-W1075, RS-W1081, RS-W1084)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

2324763: Add parity aliases (`RS-W1086`, `RS-W1087`, `RS-W1089`, `RS-W1091`, `RS-W1093`, `RS-W1094`, `RS-W1100`, `RS-W1106`) to 8 existing `rust.quality.*` rules.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add Go correctness deferred-func-literal and redundant-type-declaration rules (strict preset) (batch 07)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add Go bug-risk and correctness rules (strict preset) (batch 09): gin.LoadHTMLGlob ill-formed pattern, Redis incorrect arg count, Redis unimplemented method, etcd invalid Compare operator, GORM Where/Updates zero-value exclusion, signedness casting, hidden goroutine

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 5 new Go performance rules (strict preset) (batch 11): reorder-operands, non-idiomatic-slice-zeroing, utf8-decode-rune, fmt-fprint, iowriter-write-string

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add Go correctness rules (interface-any-preferred, unnecessary-else-return, bare-return, boolean-literal-in-expression, unexported-capital-name, http-nobody-nil, string-concat-simplify) and aliases (GO-R4004 on unnecessary-dereference) (batch 12, refactoring family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 5 new Go security rules (strict + security presets): decompression-bomb, http-dir-path-traversal, weak-file-permission, unsafe-defer-close, tainted-value-sink. Add alias mappings for GO-S2108 (pprof-exposed), GO-S2112/S2114 (net-http-missing-timeouts). Batch 13.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 7 new Go bug-risk and correctness rules (strict preset): deprecated-redis-methods, impossible-interface-nil-check, duplicate-if-else-condition, etcd-getlogger-misuse, gorm-skip-default-transaction, gorm-dry-run-enabled, reflect-makefunc-usage. Batch 14.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add Go bug-risk rules (strict preset) (batch 10): poorly formed nilness guards, compound assignment misuse

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 8 Java correctness catalog rules for batch 13: unconditional-recursion, double-checked-locking, stream-reuse, array-index-bounds, sync-on-get-class, optional-null, stringbuilder-char-ctor, static-date-field.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 8 Java OSS catalog rules for batch 14: unescaped-whitespace, unsupported-jdk-api, nan-comparison, read-resolve-return-type, serialization-method-signature, serializable-superclass, collection-remove-type-mismatch, setup-teardown-annotation.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

0f1fa17: Add 20 new `ts.correctness.*` catalog rules and wire 12 existing rules with parity aliases for JavaScript high/critical batches 01–04 (`JS-0024` through `JS-0231`).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 8 Java correctness catalog rules batch 15: `java.correctness.unsafe-collection-downcast`, `java.correctness.annotation-check-always-false`, `java.correctness.unimplementable-interface`, `java.correctness.invalid-serial-version-uid`, `java.correctness.hashcode-on-array`, `java.correctness.loop-condition-never-true`, `java.correctness.non-terminating-loop`, `java.correctness.unsupported-method-call`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 7 Java correctness catalog rules batch 16: `java.correctness.sync-on-mutable-ref`, `java.correctness.unsync-static-lazy-init`, `java.correctness.boxed-boolean-conditional`, `java.correctness.sync-on-nullable-field`, `java.correctness.sync-on-public-field`, `java.correctness.thread-static-misuse`, `java.correctness.double-assignment`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 6 Java correctness catalog rules batch 17: `java.correctness.invalid-time-constants`, `java.correctness.comparator-downcast-sign-flip`, `java.correctness.cacheloader-null-return`, `java.correctness.incorrect-main-signature`, `java.correctness.enum-get-class`, `java.correctness.deprecated-thread-methods`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 5 new Java rules for batch 21 (JAVA-S): java.performance.thread-as-runnable, java.performance.url-in-collection, java.correctness.system-exit, java.performance.inefficient-string-constructor, java.performance.empty-string-constructor

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 5 new Java rules and 3 alias updates for batch 23 (JAVA-P): java.performance.string-to-string, java.performance.explicit-gc, java.performance.boxed-boolean-constructor, java.performance.boxed-integer-constructor, java.performance.boxed-double-constructor; add JAVA-P0057/P0062/P0063 aliases to existing rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 6 Java catalog rules (batch 24): java.correctness.prepared-statement-in-loop, java.correctness.assertion-in-production, java.correctness.array-compared-to-non-array, java.correctness.parameter-reassignment, java.testing.setup-without-super, java.testing.teardown-without-super; add JAVA-S0348 and JAVA-S0349 aliases to java.correctness.equals-on-array

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 8 bug risk (JAVA-E) correctness rules for Java: possible-null-access,

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a98a371: Add 6 Java OSS catalog rules for batch 15: zoneid-invalid-timezone, timezone-invalid-id, instant-unsupported-temporal-unit, iterable-path-type, throw-null, hashtable-contains-value.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add `ts.correctness.new-expression-with-require` rule (JS-0261) and wire JS-0262/JS-0263 as parity aliases on existing `ts.security.unsafe-dirname-path-concat` and `ts.runtime.no-process-exit`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b83af7d: Add 8 SQL style rules to the OSS catalog:

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

0f1fa17: Add 32 PHP high/critical batch correctness rules with alias mappings for existing security and hygiene rules.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 2 new rules and 6 alias mappings for Go security parity:

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 7 new rules, 1 alias update for JavaScript batch-01 parity:

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 6 new rules for JavaScript batch-03 parity:

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 6 new rules for JavaScript parity batch 04 and 2 alias updates

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 2 new rules for JavaScript parity batch 05 and 5 alias updates

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 6 new TypeScript/JavaScript React class-component rules for JavaScript batch 06 parity:

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 8 AngularJS deprecated API rules to the OSS catalog (JavaScript parity batch 07):

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 4 TypeScript/JavaScript rules to the OSS catalog (JavaScript parity batch 12):

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add `ts.correctness.this-outside-class` (JS-B002) and `ts.correctness.unused-expression` (JS-B003) rules for JavaScript high/critical batch 13 parity.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add JS-E family rules: `ts.vue.no-server-env-in-client-hooks` (JS-E1000), `ts.vue.no-browser-globals-in-created` (JS-E1001), `ts.next.no-document-import-outside-custom-document` (JS-E1002), `ts.next.no-head-import-in-custom-document` (JS-E1003), `ts.correctness.duplicate-export` (JS-E1004), `ts.correctness.namespace-import-unexported-name` (JS-E1007), `ts.correctness.unresolved-import` (JS-E1010). Add JS-E1009 alias to `ts.security.no-assign-mutable-export`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

bd4ef84: Add 20 new Python bandit security and code-quality rules: assert-outside-test, hardcoded-temp-directory, insecure-cipher, insecure-cipher-mode, insecure-xml-parser, telnet-usage, ftp-usage, insecure-crypto-import, xmlrpc-import, weak-crypto-key, insecure-ssl-version, ssh-host-key-validation, mako-insecure-templates, insecure-urllib-method, wildcard-subprocess-injection, redefined-builtin, global-statement, super-with-arguments, useless-return, and unnecessary-comprehension.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add six JS-W parity batch 16 rules: ts.correctness.non-existent-assignment-operators (JS-W1033), ts.correctness.no-href-with-nuxt-link (JS-W1034), ts.correctness.no-confusing-label-in-switch (JS-W1036), ts.testing.useless-assertion (JS-W1039), ts.correctness.flawed-string-comparison (JS-W1040), ts.correctness.simplify-boolean-return (JS-W1041).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b83af7d: Add PHP correctness rules for batch 01: missing-return-statement, uninitialized-typed-property, throw-non-exception with alias mappings PHP-E1001, PHP-E1004, PHP-E1008.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b83af7d: feat(php): add instanceof-invalid-type rule (PHP-E1009)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b83af7d: Add 5 SQL rules to the OSS catalog (batch 02):

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 8 new Vue deprecation/correctness rules (JavaScript parity batch 11, JS-0653 through JS-0660): `ts.vue.no-deprecated-scoped-slots`, `ts.vue.no-deprecated-model-option`, `ts.vue.no-deprecated-listeners`, `ts.vue.no-keycode-modifiers`, `ts.vue.no-deprecated-keycodes-config`, `ts.vue.no-slot-property-access`, `ts.vue.require-transition-conditional`, and `ts.vue.emits-validator-return-boolean`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

a09b194: Add 4 Vue Options API correctness rules to the OSS catalog (JavaScript parity batch 08):

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 4 new Java rules for batch 04 (quality + testing)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: feat: add 4 Java documentation rules (batch 05 — JAVA-D family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 7 Java correctness rules for Batch 06 (JAVA-E family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 5 Java performance rules for Batch 06 (JAVA-P family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

ffb64c8: Add eight high-severity Ruby catalog rules for IO shell invocation, Rails HTTP digest auth, validation-skipping updates, inline render modes, broad exception handling, and deprecated OpenSSL and URI APIs.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 8 Java correctness rules for Batch 08 (JAVA-E family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 8 Java correctness rules for Batch 09 (JAVA-E family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 5 Java correctness rules for Batch 10 (JAVA-E family)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

4c8c448: Add 3 Java correctness catalog rules for batch 13: java.correctness.random-coerced-to-zero (JAVA-E1068), java.correctness.mutable-enum-fields (JAVA-E1069), java.correctness.noallocation-method-creates-object (JAVA-E1059). Update java.correctness.catch-null-pointer with alias JAVA-E1070 and bump severity to critical.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 5 Java OSS catalog rules for batch 14 (JAVA-E): collection-contains-self, collection-adds-self, modulus-multiplication-precedence, bitwise-or-never-equal, getter-setter-sync-mismatch. Add JAVA-E1081 alias to existing sync-on-string-literal rule.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Ship 4 new Java correctness rules for batch 15: `java.correctness.threadgroup-deprecated-methods` (E1108), `java.correctness.closeable-provides-injection` (E1103), `java.correctness.non-null-method-returns-null` (E1095), and `java.correctness.missing-enum-switch-elements` (E1082).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add PHP correctness rules for batch 01 (PHP-E): php.correctness.undefined-function (PHP-E1000), php.correctness.undefined-method (PHP-E1002), php.correctness.invalid-static-method (PHP-E1003). Add alias PHP-E1007 to existing php.correctness.undefined-static-property rule.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add `php.correctness.undefined-variable` (PHP-W1066) and `php.correctness.inaccessible-property` (PHP-W1067) rules to the PHP correctness catalog.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 2 Rust OSS quality rules: `rust.quality.deprecated-function-use` (RS-W1128, flags known deprecated std APIs) and `rust.quality.approximate-floating-constant` (RS-W1207, flags manual approximations of math constants like PI, E, TAU).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8ce737: Add 3 new Java performance rules: java.performance.removeall-to-clear (JAVA-P1005, critical), java.performance.string-concat-in-loop (JAVA-P1006, high), and java.performance.expensive-method-on-ui-thread (JAVA-P1007, high).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

df71073: Add 8 new Rust correctness rules (strict preset) for batch 03: self-not-Self-type, invalid-regex-literal, step-by-zero, iter-next-in-for-loop, empty-range-expression, erasing-operation, identical-binary-operands, syntax-error

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add Ruby bug-risk catalog rules: with-index-value-unused, with-object-value-unused, regex-literal-in-condition, predicate-method-without-parentheses, invalid-rescue-type, unsafe-safe-navigation-chain, inconsistent-safe-navigation, and safe-navigation-with-empty.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add Ruby bug-risk catalog rules: argument-overwritten-before-use, bad-rescue-ordering, outer-variable-shadowed, suppressed-exceptions, to-json-without-argument, unreachable-code, unused-method-arguments, and useless-access-modifier.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: feat: add 8 Ruby bug-risk rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add Ruby bug-risk rules: ruby.bug-risk.end-in-method, ruby.bug-risk.return-in-ensure, ruby.bug-risk.flip-flop-operator, ruby.bug-risk.heredoc-method-order, ruby.bug-risk.unintended-string-concatenation, ruby.bug-risk.ineffective-access-modifier, ruby.bug-risk.interpolation-in-single-quote

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add 8 Ruby bug risk rules: non-local exit from iterator, unsafe number conversion, bad magic comment order, grouped parentheses in function calls, invalid percent string literal, invalid percent symbol array, unnecessary require, and unnecessary splat.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add deprecated-big-decimal-new, symbol-boolean-name, circular-argument-reference, deprecated-class-methods, disjunctive-assignment-in-constructor rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

923d706: Add duplicate-constant-assignment, io-select-single-arg, bad-operand-order rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: consolidate duplicate timeout/retry rules into single correctness rule

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: **ts.correctness.infinite-loop**: precision + severity + message tuning

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add five high-severity Ruby OSS catalog rules: callback-order, routes-match-single-verb, redundant-foreign-key, callback-override, and irreversible-migration.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

df71073: Add 8 new Rust security rules (strict + security presets) for batch 07: open-redirect, invisible-unicode, const-to-mut-ptr, raw-slice-to-ptr, differently-sized-slice-conversion, actix-namedfile-path-traversal, potentially-vulnerable-regex, global-write-permission

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat(ruby): add 8 RB-RL bug-risk catalog rules for batch 15

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat(ruby): add 6 new rules for batch 17 (RB-RL1052-RB-RL1059)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add ruby.performance.prefer-delete-prefix and ruby.performance.prefer-delete-suffix rules (RB-PR1026, RB-PR1027).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Ruby batch 05 (RB-LI-1001, 1002, 1003) ambiguous method invocation rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add Ruby bug-risk catalog rules for batch 12 (RB-LI1079–RB-LI1091).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add 7 new Ruby bug-risk rules for RB-LI batch 13: `ruby.bug-risk.self-assignment`, `ruby.bug-risk.identical-binary-operands`, `ruby.bug-risk.branches-without-body`, `ruby.bug-risk.trailing-comma-attribute`, `ruby.bug-risk.equal-instead-of-equal`, `ruby.bug-risk.invalid-integer-times`, `ruby.bug-risk.constant-in-block`. Also adds RB-LI1096 alias to existing `ruby.bug-risk.unnecessary-require`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat(ruby): add 8 RB-PR performance catalog rules for batch 16

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: ruby: add 8 rails framework bug-risk rules (RB-RL1001-RB-RL1008)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: ruby: add 8 rails framework bug-risk rules (RB-RL1009-RB-RL1016)

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add 8 new Ruby bug-risk rules for RB-RL batch 13: `ruby.bug-risk.deprecated-find-by-dynamic` (RB-RL1017), `ruby.bug-risk.enum-array-syntax` (RB-RL1018), `ruby.bug-risk.enum-duplicate-values` (RB-RL1019), `ruby.bug-risk.rails-env-equality` (RB-RL1020), `ruby.bug-risk.exit-in-app-code` (RB-RL1021), `ruby.bug-risk.rails-root-join` (RB-RL1022), `ruby.bug-risk.where-first-over-find-by` (RB-RL1023), `ruby.bug-risk.all-each-to-find-each` (RB-RL1024).

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 8 new Go correctness rules (strict preset) (batch 03): unreachable-switch-case, duplicate-function-arguments, duplicate-branch-body, duplicate-switch-cases, identical-binary-operands, flag-pointer-immediate-deref, terminal-call-with-defer, nil-error-returned

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add 4 new `rust.security.*` catalog rules (`manual-error-type-id`, `unsafe-remove-dir-all`, `misused-bitwise-xor`, `missing-regex-anchor`) and add RS-S parity aliases to `weak-rsa-key-size`, `bind-all-interfaces`, `insecure-temp-file`, and `weak-crypto-import`.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: tune no-deprecated-react-dom-root-api for precision — exclude DefinitelyTyped v15/v16 type-tests and embed SDKs

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: tune no-flaky-timer-test for precision — exempt performance clocks and micro-delays

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: tune ts.security.iframe-missing-sandbox-attribute for precision

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: tune rust.testing.ignore-without-ticket-reference rule

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: feat: tune ts.security.no-javascript-url for precision — exclude test files, GitHub Actions, and DefinitelyTyped; lower severity to medium

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Ruby batch 09 (RB-RL) bug-risk / framework rules

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

2324763: Add 8 new Ruby bug-risk catalog rules (RB-RL1025..RB-RL1032): `has-and-belongs-to-many`, `dependent-option-cascade`, `helper-instance-variables`, `http-methods-without-params`, `deprecated-http-status-symbols`, `skip-filter-conditional`, `missing-inverse-of`, and `undefined-action-filter`.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

ffb64c8: Extend `ts.security.open-redirect` and `ts.security.ssrf` catalog scope to Python with RuleSpec fixtures.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

df71073: Add 8 Rust correctness rules for batch 04: mistyped-suffix, forget-drop-on-reference, forget-drop-on-copy-type, nan-comparison, non-octal-permissions, non-binding-let-on-lock, unit-argument, unit-comparison.

@critiq/rules
Jun 13critiq-rulesv0.4.0minor

b8c4d52: Add 5 new Go correctness rules (strict preset) (batch 04): off-by-one-index, incomplete-nil-check, boolean-simplification, suspicious-regex-pattern, integer-truncation

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

df71073: Add 8 Rust correctness rules for batch 05: transmute-integer-to-nonzero, transmute-int-to-fn-ptr, transmute-int-lit-to-raw-ptr, transmute-float-char-to-ref-or-ptr, transmute-integer-to-char, transmute-number-to-slice-or-array, transmute-tuple-to-slice-or-array, print-in-display-impl.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

df71073: Add 8 Rust quality rules for batch 09: potentially-incomplete-ascii-range, inaccurate-duration-calculation, map-followed-by-count, iter-nth-instead-of-get, iter-count-instead-of-len, replace-same-pattern-and-replacement, clone-on-double-reference, non-owned-rc-pointer-into-vec.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

df71073: Add `rust.correctness.ignored-future-value` rule.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

df71073: Add rust.performance.single-char-string-literal-pattern rule (batch 08)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8c4d52: Add go.doc.malformed-deprecated-comment rule (batch 08)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

a98a371: Add `java.correctness.unterminated-assertion-chain` rule to detect bare `assertThat()` / `verify()` calls without a terminal assertion method.

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b83af7d: Add PHP correctness rules for batch 03: unused-constructor-parameter (PHP-W1037), echo-invalid-value (PHP-W1041), print-invalid-value (PHP-W1044), invalid-string-interpolation-type (PHP-W1043)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b83af7d: Add PHP correctness rules for batch 04: undefined-static-property (PHP-W1034), attribute-on-property (PHP-W1035)

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 7 new `java.correctness.*` catalog rules for batch 11: shift-out-of-range (JAVA-E0399), oddness-check-fails-negative (JAVA-E0405), hasnext-invokes-next (JAVA-E0409), thread-sleep-with-lock (JAVA-E0410), string-format-arg-mismatch (JAVA-E1001), bad-short-circuit-null-check (JAVA-E1003), and wait-notify-on-thread (JAVA-E1004).

@critiq/rules
Jun 13critiq-rulesv0.4.0patch

b8ce737: Add 8 new `java.correctness.*` catalog rules for batch 12: switch-statement-labels (JAVA-E1005), week-year-in-date-pattern (JAVA-E1006), jump-in-finally (JAVA-E1007), default-package-spring-scan (JAVA-E1009), case-insensitive-regex-lacks-unicode (JAVA-E1010), assert-self-comparison (JAVA-E1012), optional-get-without-present-check (JAVA-E1013), and iterable-iterator-returns-this (JAVA-E1015).

@critiq/rules
Jun 12critiq-corependingminor

Add Ruby adapter facts for callback ordering (RB-LI1103), routes match misuse (RB-LI1104), redundant foreign key (RB-LI1105), callback override (RB-LI1106), and irreversible migration (RB-LI1107).

@critiq/adapter-shared
Jun 12critiq-corependingminor

feat(ruby): add 8 RB-RL bug-risk collectors for batch 15

@critiq/adapter-shared@critiq/adapter-ruby
Jun 12critiq-corependingminor

Add ruby.performance.prefer-delete-prefix and ruby.performance.prefer-delete-suffix fact collectors (RB-PR1026, RB-PR1027).

@critiq/adapter-ruby@critiq/adapter-shared
Jun 12critiq-corependingminor

Add Ruby bug-risk adapter facts for batch 12 (RB-LI1079–RB-LI1091): useless-comparison, else-without-rescue, useless-setter-call, mixed-regex-captures, unqualified-constant, duplicate-elsif-block, unreachable-loop, and multiple-rescues-for-same-exception.

@critiq/adapter-shared
Jun 12critiq-corependingminor

feat(ruby): add 8 RB-PR performance collectors for batch 16

@critiq/adapter-shared@critiq/adapter-ruby
Jun 12critiq-corependingminor

Add Rust security adapter facts for the RS-S batch 05: manual `Error::type_id` override detection, `remove_dir_all` (TOCTOU) flagging, crate `create_dir`/`create_dir_all` in `/tmp/` to insecure-temp-file, brace-grouped weak crypto import patterns, integer-literal XOR mistaken for exponentiation, and unanchored `Regex::new` pattern detection.

@critiq/adapter-shared
Jun 12critiq-corependingminor

feat: tune rust.testing.ignore-without-ticket-reference fact for precision

@critiq/adapter-rust
Jun 11critiq-corependingpatch

Java performance: add 3 new adapter fact collectors for JAVA-P1005 (removeall-to-clear), JAVA-P1006 (string-concat-in-loop), and JAVA-P1007 (expensive-method-on-ui-thread).

@critiq/adapter-shared@critiq/adapter-java
Jun 11critiq-corependingminor

Add Ruby bug-risk adapter facts: with-index-value-unused, with-object-value-unused, regex-literal-in-condition, predicate-method-without-parentheses, invalid-rescue-type, unsafe-safe-navigation-chain, inconsistent-safe-navigation, and safe-navigation-with-empty.

@critiq/adapter-shared
Jun 11critiq-corependingminor

Add Ruby bug-risk adapter facts: argument-overwritten-before-use, bad-rescue-ordering, outer-variable-shadowed, suppressed-exceptions, to-json-without-argument, unreachable-code, unused-method-arguments, and useless-access-modifier.

@critiq/adapter-shared
Jun 11critiq-corependingminor

Add Ruby bug-risk adapter facts: end-in-method, return-in-ensure, flip-flop-operator, heredoc-method-order, unintended-string-concatenation, ineffective-access-modifier, interpolation-in-single-quote

@critiq/adapter-ruby@critiq/adapter-shared
Jun 11critiq-corependingminor

Add 8 Ruby bug risk adapter facts: non-local exit from iterator, unsafe number conversion, bad magic comment order, grouped parentheses in function calls, invalid percent string literal, invalid percent symbol array, unnecessary require, and unnecessary splat.

@critiq/adapter-shared@critiq/adapter-ruby
Jun 10critiq-corependingpatch

Add Java quality/testing fact collectors for batch 04 parity

@critiq/adapter-java@critiq/adapter-shared
Jun 10critiq-corependingpatch

Add 7 Java correctness fact collectors for Batch 06 (JAVA-E family)

@critiq/adapter-shared@critiq/adapter-java
Jun 10critiq-corependingpatch

Add 5 Java performance fact collectors for Batch 06 (JAVA-P family)

@critiq/adapter-shared@critiq/adapter-java
Jun 10critiq-corependingpatch

Add 8 Java correctness fact collectors for Batch 08 (JAVA-E family)

@critiq/adapter-shared@critiq/adapter-java
Jun 10critiq-corependingpatch

Add 8 Java correctness fact collectors for Batch 09 (JAVA-E family)

@critiq/adapter-shared@critiq/adapter-java
Jun 10critiq-corependingpatch

Add 5 Java correctness fact collectors for Batch 10 (JAVA-E family)

@critiq/adapter-shared@critiq/adapter-java
Jun 10critiq-corependingpatch

Add 7 new Java correctness fact collectors for batch 11: shift-out-of-range (E0399), oddness-check-fails-negative (E0405), hasnext-invokes-next (E0409), thread-sleep-with-lock (E0410), string-format-arg-mismatch (E1001), bad-short-circuit-null-check (E1003), and wait-notify-on-thread (E1004).

@critiq/adapter-java@critiq/adapter-shared
Jun 10critiq-corependingpatch

Add 8 new Java correctness fact collectors for batch 12: switch-statement-labels (E1005), week-year-in-date-pattern (E1006), jump-in-finally (E1007), default-package-spring-scan (E1009), case-insensitive-regex-lacks-unicode (E1010), assert-self-comparison (E1012), optional-get-without-present-check (E1013), and iterable-iterator-returns-this (E1015).

@critiq/adapter-java@critiq/adapter-shared
Jun 10critiq-corependingpatch

Add 3 Java correctness adapter facts for batch 13: random-coerced-to-zero (JAVA-E1068), mutable-enum-fields (JAVA-E1069), noallocation-method-creates-object (JAVA-E1059). Alias-only update for catch-null-pointer (JAVA-E1070).

@critiq/adapter-java@critiq/adapter-shared
Jun 10critiq-corependingminor

Add 5 Java correctness adapter facts for batch 14 (JAVA-E): collection-contains-self (E1076), collection-adds-self (E1077), modulus-multiplication-precedence (E1080), bitwise-or-never-equal (E1073), getter-setter-sync-mismatch (E1074). Alias JAVA-E1081 added to existing sync-on-string-literal rule.

@critiq/adapter-java@critiq/adapter-shared
Jun 10critiq-corependingpatch

Add Java correctness adapter facts for batch 15: deprecated ThreadGroup methods, Closeable values via @Provides/@Inject, non-null method returns null, and missing enum elements in switch.

@critiq/adapter-shared
Jun 10critiq-corependingminor

Add PHP correctness heuristic facts for batch 01 (PHP-E): undefined-function, undefined-method, invalid-static-method. Extend collectPhpClassBodies to also collect method names for method resolution heuristics.

@critiq/adapter-shared
Jun 10critiq-corependingminor

Add `php.correctness.undefined-variable` and `php.correctness.inaccessible-property` fact collectors. `collectPhpClassPropertyInfo` extended to include property visibility and same-file parent class resolution.

@critiq/adapter-shared
Jun 10critiq-corependingpatch

Add 8 Rust correctness fact collectors for batch 04 codes (RS-E1017 through RS-E1025): hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.

@critiq/adapter-shared
Jun 10critiq-corependingminor

Add Rust quality adapter facts for batch 09: redundant-mem-replace-with-none/default/zero, fn-ptr-null-comparison, possible-missing-comma-in-array, non-utf8-literal-in-from-utf8-unchecked, size-of-val-on-reference, fn-ptr-to-non-pointer-cast.

@critiq/adapter-shared
Jun 10critiq-corependingminor

Add 8 Rust correctness fact collectors for batch 06: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.

@critiq/adapter-shared@critiq/adapter-rust
Jun 10critiq-corependingminor

Add Rust OSS quality rule collectors for RS-W1128 (deprecated function use) and RS-W1207 (approximate floating constant). New fact kinds: `rust.quality.deprecated-function-use`, `rust.quality.approximate-floating-constant`.

@critiq/adapter-shared@critiq/adapter-rust
Jun 10critiq-corependingpatch

Add 8 Rust quality fact collectors (RS-W1013, RS-W1015, RS-W1016, RS-W1028, RS-W1039, RS-W1075, RS-W1081, RS-W1084)

@critiq/adapter-shared
Jun 9critiq-corependingpatch

Add `language.new-expression-with-require` fact detector for JS-0261 parity (detects `new require()` expressions as likely bugs).

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add two new security fact collectors for Go (batch 09):

@critiq/adapter-shared@critiq/adapter-go
Jun 9critiq-corependingminor

Add batch 04 adapter facts for JavaScript parity (JS-0359, JS-0360, JS-0363, JS-0365, JS-0368, JS-0386)

@critiq/adapter-typescript
Jun 9critiq-corependingpatch

Add React maintenance pattern facts for JavaScript batch 05 (JS-0424, JS-0435)

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add 6 new React class-component adapter facts for JavaScript batch 06 parity:

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add 8 AngularJS deprecated API fact collectors for JavaScript parity batch 07:

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add 4 TypeScript/JavaScript fact collectors for JavaScript parity batch 12:

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add `language.this-outside-class` and `language.unused-expression` fact detectors for JavaScript parity batch 13 (JS-B002, JS-B003). `this-outside-class` flags `this` usage outside class bodies; `unused-expression` flags expression statements without side effects.

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add adapter facts for JS-E batch 15: Nuxt lifecycle hooks (process.server/client/browser in client hooks, browser globals in created/beforeCreate), Next.js import rules (next/document outside _document, next/head in _document), and duplicate export detection.

@critiq/adapter-typescript
Jun 9critiq-corependingminor

Add TypeScript adapter facts for JS-W parity batch 16: non-existent assignment operators (language.non-existent-assignment-operator), confusing label in switch (language.confusing-label-in-switch), flawed string comparison (language.flawed-string-comparison), complex boolean return (language.complex-boolean-return), NuxtLink href misuse (nuxt-correctness.nuxt-link-href), and useless test assertions (testing.useless-assertion).

@critiq/adapter-typescript
Jun 9critiq-corependingpatch

Add PHP correctness facts for batch 03 rules: unused-constructor-parameter, echo-invalid-value, print-invalid-value, invalid-string-interpolation-type

@critiq/adapter-shared@critiq/adapter-php
Jun 9critiq-corependingpatch

Add PHP correctness facts for batch 04 rules: undefined-static-property (PHP-W1034), attribute-on-property (PHP-W1035)

@critiq/adapter-shared@critiq/adapter-php
Jun 9critiq-corependingpatch

Add PHP correctness heuristic facts for batch 01: missing-return-statement, uninitialized-typed-property, throw-non-exception.

@critiq/adapter-shared
Jun 9critiq-corependingpatch

feat(php): add instanceof-invalid-type fact collector for PHP-E1009 parity

@critiq/adapter-shared@critiq/adapter-php
Jun 9critiq-corependingminor

Add Vue 2→3 migration fact detectors (JavaScript parity batch 11, JS-0653 through JS-0660): deprecated `$scopedSlots`, deprecated `model` option, deprecated `$listeners`, numeric keycode modifier proxy, deprecated `Vue.config.keyCodes`, `$slots` property access without function call, `Transition`/`TransitionGroup` proxy, and emits validator return checking.

@critiq/adapter-typescript
Jun 8critiq-corependingminor

Add 8 new Go correctness fact collectors (batch 03): unreachable-switch-case, duplicate-function-arguments, duplicate-branch-body, duplicate-switch-cases, identical-binary-operands, flag-pointer-immediate-deref, terminal-call-with-defer, nil-error-returned

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add 5 new Go correctness fact collectors (batch 04): off-by-one-index, incomplete-nil-check, boolean-simplification, suspicious-regex-pattern, integer-truncation

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go correctness unnecessary-dereference fact collector (batch 06)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go correctness deferred-func-literal and redundant-type-declaration fact collectors (batch 07)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add go.doc domain with malformed-deprecated-comment fact collector (batch 08)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go bug-risk fact collectors (batch 09): gin.LoadHTMLGlob pattern, Redis arg count and unimplemented methods, etcd Compare operator, GORM Where/Updates zero values, signedness casting, hidden goroutine

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add 5 Go performance adapter facts (batch 11): `go.performance.reorder-operands`, `go.performance.non-idiomatic-slice-zeroing`, `go.performance.utf8-decode-rune`, `go.performance.fmt-fprint`, `go.performance.iowriter-write-string`

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go correctness fact collectors (batch 12, refactoring family)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go security adapter facts for decompression-bomb, http-dir-path-traversal, weak-file-permission, unsafe-defer-close, and tainted-value-sink (batch 13)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go bug-risk adapter facts for deprecated Redis methods, etcd GetLogger misuse, GORM SkipDefaultTransaction/DryRun, reflect.MakeFunc, and correctness heuristics for interface nil check and duplicate if-else conditions (batch 14)

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Go bug-risk fact collectors (batch 10): poorly formed nilness guards, compound assignment misuse

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add 8 Java correctness adapter facts for batch 13: unconditional-recursion (E1017), double-checked-locking (E1018), stream-reuse (E1019), array-index-bounds (E1020), sync-on-get-class (E1021), optional-null (E1022), stringbuilder-char-ctor (E1023), static-date-field (E1024).

@critiq/adapter-java
Jun 8critiq-corependingminor

Add 8 Java correctness/testing adapter facts for batch 14: unescaped-whitespace (E1029), unsupported-jdk-api (E1030), nan-comparison (E1031), read-resolve-return-type (E1032), serialization-method-signature (E1033), serializable-superclass (E1034), collection-remove-type-mismatch (E1036), setup-teardown-annotation (E1028).

@critiq/adapter-java@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Java correctness adapter facts for batch 15 (E1037–E1048): unsafe collection downcast, annotation check always false, unimplementable interface, invalid serialVersionUID, hashCode on array, loop condition never true, non-terminating loop, unsupported method call.

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Java correctness adapter facts for batch 16 (E1051–E1063): sync on mutable ref, unsynchronized static lazy init, boxed boolean conditional, sync on nullable field, sync on public field, thread static misuse, double assignment.

@critiq/adapter-shared
Jun 8critiq-corependingminor

Add Java correctness adapter facts for batch 17 (E1099, E1102, E1104–E1107): invalid time constants, comparator downcast sign flip, CacheLoader null return, incorrect main signature, enum getClass, deprecated Thread methods.

@critiq/adapter-shared
Jun 8critiq-corependingpatch

Add Java adapter facts for batch 21 (JAVA-S): thread-as-runnable, url-in-collection, empty-string-constructor, inefficient-string-constructor (performance); system-exit (correctness)

@critiq/adapter-shared@critiq/adapter-java
Jun 8critiq-corependingpatch

Add `unterminatedAssertChain` fact to detect bare `assertThat()` / `verify()` calls that are not terminated with a chained assertion method.

@critiq/adapter-shared
Jun 8critiq-corependingpatch

Add Java adapter facts for batch 23 (JAVA-P): string-to-string, explicit-gc, boxed-boolean-constructor, boxed-integer-constructor, boxed-double-constructor (performance)

@critiq/adapter-shared@critiq/adapter-java
Jun 8critiq-corependingpatch

Add Java adapter facts for batch 24 (JAVA-S): prepared-statement-in-loop, assertion-in-production, array-compared-to-non-array, parameter-reassignment (correctness); setup-without-super, teardown-without-super (testing)

@critiq/adapter-shared@critiq/adapter-java
Jun 8critiq-corependingpatch

Add Java bug risk fact collectors for batch 19 (JAVA-E). Emits 8 new fact kinds in `java-correctness.ts`: possible-null-access, possible-null-access-exception, invalidated-iterator, mutable-data-exposed, duration-with-nanos-misuse, indexof-reversed-arguments, ncopies-argument-order, class-isinstance-on-class.

@critiq/adapter-java
Jun 8critiq-corependingminor

Add 6 Java correctness adapter facts for batch 15: zoneid-invalid-timezone (JAVA-E1092), timezone-invalid-id (JAVA-E1093), instant-unsupported-temporal-unit (JAVA-E1094), iterable-path-type (JAVA-E1096), throw-null (JAVA-E1097), hashtable-contains-value (JAVA-E1098).

@critiq/adapter-java@critiq/adapter-shared
Jun 7critiq-corependingminor

Add TypeScript/JavaScript language correctness adapter facts for high/critical batches 01–04: scope hygiene, class syntax, regexp backreferences, multiline ASI hazards, negative-zero comparisons, switch fallthrough, and related patterns.

@critiq/adapter-typescript
Jun 7critiq-corependingminor

Add PHP structure correctness facts for high/critical batch parity (32 new heuristic collectors).

@critiq/adapter-php@critiq/adapter-shared
Jun 7critiq-corependingminor

Add Python bandit security and code quality adapter facts: assert-outside-test, hardcoded-temp-directory, insecure-cipher, insecure-cipher-mode, insecure-xml-parser, telnet-usage, ftp-usage, insecure-crypto-import, xmlrpc-import, weak-crypto-key, insecure-ssl-version, ssh-host-key-validation, mako-insecure-templates, insecure-urllib-method, wildcard-subprocess-injection, and related patterns.

@critiq/adapter-python@critiq/adapter-shared
Jun 7critiq-corependingminor

Add Ruby Rails API and high-severity security facts for IO shell invocation, HTTP digest auth, validation-skipping ActiveRecord calls, inline render modes, broad exception handling, and deprecated OpenSSL and URI APIs.

@critiq/adapter-ruby@critiq/adapter-shared
Jun 7critiq-corependingminor

Add 8 new Rust correctness fact collectors for batch 03: self-not-Self-type, invalid-regex-literal, step-by-zero, iter-next-in-for-loop, empty-range-expression, erasing-operation, identical-binary-operands, syntax-error

@critiq/adapter-rust
Jun 7critiq-corependingpatch

Add 8 Rust correctness fact collectors for batch 04 (RS-E1009 through RS-E1016): mistyped-suffix, forget-drop-on-reference, forget-drop-on-copy-type, nan-comparison, non-octal-permissions, non-binding-let-on-lock, unit-argument, unit-comparison.

@critiq/adapter-shared
Jun 7critiq-corependingpatch

Add 8 Rust correctness fact collectors for batch 05 (RS-E1026 through RS-E1034): transmute-integer-to-nonzero, transmute-int-to-fn-ptr, transmute-int-lit-to-raw-ptr, transmute-float-char-to-ref-or-ptr, transmute-integer-to-char, transmute-number-to-slice-or-array, transmute-tuple-to-slice-or-array, print-in-display-impl.

@critiq/adapter-shared
Jun 7critiq-corependingminor

Add 8 new Rust security fact collectors for batch 07: open-redirect, invisible-unicode, const-to-mut-ptr, raw-slice-to-ptr, differently-sized-slice-conversion, actix-namedfile-path-traversal, potentially-vulnerable-regex, global-write-permission

@critiq/adapter-rust@critiq/adapter-shared
Jun 7critiq-corependingpatch

Add 8 Rust quality fact collectors for batch 09 (RS-W1086 through RS-W1106): potentially-incomplete-ascii-range, inaccurate-duration-calculation, map-followed-by-count, iter-nth-instead-of-get, iter-count-instead-of-len, replace-same-pattern-and-replacement, clone-on-double-reference, non-owned-rc-pointer-into-vec.

@critiq/adapter-shared
Jun 7critiq-corependingpatch

Add `rust.correctness.ignored-future-value` fact collector.

@critiq/adapter-shared
Jun 7critiq-corependingminor

Add Rust single-char string literal pattern fact collector (batch 08)

@critiq/adapter-shared
Jun 6critiq-corependingpatch

Add Python open-redirect and SSRF fact collectors, and gate Django `mark_safe` on request-tainted arguments.

@critiq/adapter-shared@critiq/adapter-python
Jun 6critiq-corev0.3.0minor

Ship CloudFormation cfn-lint adapter support, 26 PHP analyzer parity adapter facts, and Ruby, Android, and Electron adapter facts. Prompt to install `@critiq/rules` when the configured catalog package is missing from local or global `node_modules`.

@critiq/cli
Jun 6critiq-rulesv0.3.0minor

Add nine Ruby catalog rules for residual Rails security and bug-risk coverage (batches 2 and 3).

@critiq/rules
Jun 6critiq-rulesv0.3.0minor

Add four Ruby general security catalog rules for dynamic execution, Kernel.open pipe mode, insecure JSON loaders, and debugger calls.

@critiq/rules
Jun 6critiq-rulesv0.3.0minor

Add 157 CloudFormation catalog rules mapping cfn-lint parity codes (`E*`, `W*`, `I*`) to `cfn.*` rule ids with observation-based specs.

@critiq/rules
Jun 6critiq-rulesv0.3.0minor

Add 26 PHP catalog rules: one security rule (`unsafe-new-static`), 23 correctness rules, and one performance rule (`expensive-loop-condition`).

@critiq/rules
Jun 5critiq-corependingminor

Add CloudFormation cfn-lint adapter with `cloudformation` language support and `cfn.lint.finding` facts for catalog rule matching.

@critiq/core-ir@critiq/core-rules-dsl@critiq/core-catalog@critiq/adapter-cloudformation@critiq/check-runner
Jun 5critiq-corependingminor

Add 26 PHP analyzer parity adapter facts across correctness, baseline security, and performance: empty array/bracket access, deprecated unset cast and libxml entity loader, duplicate declarations, nested functions and switches, break/continue outside loops, abstract methods outside abstract classes, useless unset/post-increment, invalid regex and cookie options, TODO/FIXME markers, self-assignment, default-parameter ordering, empty function bodies and code blocks, unknown magic methods, case-insensitive define, deprecated filter constants, redundant string cast concat, missing member visibility, function comparison, and unsafe `new static`. Fix PHP-native performance detection for expensive loop conditions (replacing generic polyglot heuristics where PHP-specific analysis applies).

@critiq/adapter-php@critiq/adapter-shared
Jun 3critiq-corependingminor

Add Ruby residual security and bug-risk adapter facts.

@critiq/adapter-ruby@critiq/adapter-shared
Jun 3critiq-corependingminor

Add Ruby general security adapter facts for dynamic code execution, Kernel.open pipe mode, insecure JSON loaders, and debugger breakpoints.

@critiq/adapter-ruby@critiq/adapter-shared
Jun 3critiq-corev0.2.0minor

Add TypeScript adapter facts for React maintenance and security JSX patterns (bind in props, prop spreads, lifecycle setState, direct state mutation, target=\_blank rel, duplicate attributes, and this in function components).

@critiq/cli
Jun 3critiq-corev0.2.0minor

Add TypeScript runtime and language security fact collectors for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.

@critiq/cli
Jun 3critiq-rulesv0.2.0minor

Add Express and Node.js security rules for permissive CORS with credentials, synchronous child-process execution, blocking `readFileSync` in handlers, and mutable module exports.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Add nine React maintenance and security rules with recommended and strict preset membership, plus security preset coverage for target=\_blank without noopener.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship twenty Java correctness and security catalog rules with RuleSpec fixtures.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Add eleven PHP correctness and baseline security catalog rules covering duplicate array keys, switch defaults, error suppression, unreachable code, nullsafe by-reference returns, dynamic eval, unsafe includes, weak ciphers, session ID generation, XXE, and debug exposure.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 16 new Python correctness and security catalog rules covering control-flow defects, subprocess shell usage, dynamic execution, YAML loading, temp file APIs, network bind exposure, debugger imports, Jinja autoescape, and Django/Flask framework hardening gaps.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 7 new Rust correctness catalog rules covering mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship twelve Rust general security catalog rules covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Add TypeScript catalog rules for async correctness, await-in-loop performance, and empty-function quality.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Add ten `ts.correctness.*` rules for TypeScript/JavaScript language correctness patterns backed by new adapter facts.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Add TypeScript security and runtime catalog rules for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 6 new Go baseline security catalog rules covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, RSA key sizes below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 7 new Go correctness catalog rules covering nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship seven Go general security catalog rules: JWT signature verification, TLS minimum version, SSLv2/SSLv3 protocol rejection, weak TLS cipher suites, pprof endpoint exposure, weak bcrypt cost, and predictable math/rand seeding.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 6 new Java audit security catalog rules covering unsafe Jackson polymorphic deserialization, XXE on `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory`, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and predictable `SecureRandom` seeding.

@critiq/rules
Jun 3critiq-rulesv0.2.0minor

Ship 6 new Java correctness catalog rules covering empty catch blocks, `.equals` on array references, synchronizing on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.

@critiq/rules
May 2026
May 19critiq-corependingminor

Add Go baseline security adapter facts covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` invocations below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.

@critiq/adapter-go@critiq/adapter-shared
May 19critiq-corependingminor

Add Go correctness adapter facts for nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.

@critiq/adapter-go@critiq/adapter-shared
May 19critiq-corependingminor

Add Go general security fact collectors covering JWT signature verification, TLS configuration baseline, weak cipher suites, pprof exposure, weak bcrypt cost, and predictable math/rand seeding.

@critiq/adapter-shared@critiq/adapter-go
May 19critiq-corependingminor

Add Java audit security adapter facts covering unsafe Jackson default typing, XXE-prone `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory` usage, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and `SecureRandom` constructors seeded with literal or short byte arrays.

@critiq/adapter-java@critiq/adapter-shared
May 19critiq-corependingminor

Add Java correctness adapter facts for empty catch blocks, `.equals` on array references, synchronization on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.

@critiq/adapter-java@critiq/adapter-shared
May 19critiq-corependingminor

Add Java general security, audit security, and correctness fact collectors for twenty new catalog rules.

@critiq/adapter-shared@critiq/adapter-java
May 19critiq-corependingminor

Add PHP baseline security adapter facts for dynamic eval, unsafe include with user input, weak ciphers, insecure session ID generation, XML external entity exposure, and debug function leakage.

@critiq/adapter-php@critiq/adapter-shared
May 19critiq-corependingminor

Add PHP correctness adapter facts for duplicate array keys, multiple switch defaults, error suppression with `@`, unreachable statements after `return` or `throw`, and nullsafe operators in by-reference arrow functions.

@critiq/adapter-php@critiq/adapter-shared
May 19critiq-corependingminor

Add Python correctness and general security adapter facts for bare except handlers, mutable defaults, subprocess shell mode, dynamic code execution, insecure YAML loading, debugger imports, and expanded Django/Flask framework security checks.

@critiq/adapter-python@critiq/adapter-shared
May 19critiq-corependingminor

Add Rust correctness adapter facts for mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.

@critiq/adapter-rust@critiq/adapter-shared
May 19critiq-corependingminor

Add Rust general security fact collectors covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.

@critiq/adapter-shared@critiq/adapter-rust
May 18critiq-corependingminor

Add Express security fact detectors for permissive CORS with credentials, synchronous child-process execution, blocking file reads in handlers, and mutable module exports. Extend Express error-handler disclosure detection to cover `err.stack` payloads.

@critiq/adapter-typescript
May 18critiq-corependingminor

Add TypeScript adapter facts for async correctness, await-in-loop performance, and empty-function quality checks.

@critiq/adapter-typescript
May 18critiq-corependingminor

Add TypeScript language correctness fact detectors for control flow in finally blocks, NaN/typeof comparisons, duplicate if-else conditions, array callbacks, promise rejection values, subclass constructors, array sort/for-in idioms.

@critiq/adapter-typescript
May 15critiq-corev0.1.0minor

Rework the public CLI release contract around `@critiq/cli`, including the tag-driven npm publish workflow, GitHub release generation from conventional commits, and packaged release verification for the self-contained CLI artifact.

@critiq/cli
May 15critiq-corev0.1.0minor

Add `critiq check --format sarif` and `critiq check --format html` exports for security-platform ingestion and human-readable handoff workflows. Keep `audit` and `rules` format support scoped to `pretty|json` while documenting the new check-specific formats.

@critiq/cli
May 15critiq-corev0.1.0patch

Add Go and framework security fact collectors through the shared polyglot `go-security` domain and `@critiq/adapter-go` wiring. Includes Go open redirect and SSRF facts (reused by existing multi-language rules), Go-specific sensitive egress, tar path traversal, net/http timeout posture, Gin CORS/proxy/binding checks, Echo/Fiber binding and upload checks, template trusted-type misuse, plus broader Go request-source and SQL helper (`Raw`/`RawContext`) coverage.

@critiq/cli
May 15critiq-corev0.1.0patch

Add Java Spring framework security fact collectors (`java-framework-security` in `@critiq/adapter-shared`), wire them from `@critiq/adapter-java`, extend Java scan extensions with Spring Boot `application`/`bootstrap` `*.yml` plus `.html`/`.htm` for template-oriented findings, and stop folding wildcard actuator exposure into `security.spring-debug-exposure` (debug and verbose logging only there).

@critiq/cli
May 15critiq-corev0.1.0patch

Add PHP framework security fact coverage on top of the existing polyglot baseline by wiring new shared collectors into `@critiq/adapter-php`. The shipped slice includes Laravel mass assignment, sensitive CSRF exclusions, unsafe raw Blade output, Symfony debug/CSRF posture checks, WordPress nonce-capability and unprepared SQL signals, plus session/cookie hardening, wildcard CORS-with-credentials, insecure plaintext transport, unsafe upload handling, and sensitive data egress facts.

@critiq/cli
May 15critiq-corev0.1.0patch

Add Ruby on Rails security fact collectors to the Ruby adapter via the shared polyglot `ruby-rails-security` domain. Covers strong-parameter misuse, CSRF protection disabled, unsafe HTML output, unsafe render, unsafe session/cookie stores, detailed-exceptions enabled, open redirects, sensitive data egress, and unauthenticated Sidekiq Web mounts.

@critiq/cli
May 15critiq-corev0.1.0patch

Add Rust framework security fact collectors through the shared polyglot `rust-framework-security` domain and `@critiq/adapter-rust` wiring for Axum body limits and tower-http CORS, Actix CORS with credentials, Rocket handler panics and raw HTML, Warp async blocking and unwraps, SQLx/Diesel `format!` interpolation, and Tera-style template context inserts without sanitization.

@critiq/cli
May 15critiq-corev0.1.0patch

Extend the TypeScript adapter public security collectors with stronger Node.js framework hardening signals, including Express default-session and cookie sameSite posture, Express parser suppression in explicit dev-only branches, Fastify public listen posture without `trustProxy`, Fastify route-level excessive `bodyLimit` checks, Apollo Server dev tooling plugin exposure heuristics, internal-only suppression for Apollo missing-query-limit posture, GraphQL multipart upload posture when Apollo CSRF is explicitly disabled, NestJS sensitive-route SkipThrottle compensating-control suppression, Nuxt `runtimeConfig.public` secret-shaped keys, and Astro `vite.define` wiring of secret-like `process.env` values into `import.meta.env.PUBLIC_*` keys.

@critiq/cli
May 15critiq-corev0.1.0patch

Add public parity runtime support for dependency-policy facts, shared processor egress recipes, cross-language filesystem depth facts, and complete default adapter package declarations.

@critiq/cli
May 15critiq-corev0.1.0patch

Extend the TypeScript adapter for `ts.react.no-effect-fetch-without-cancellation` (and related facts): treat GraphQL client-style `.query`/`.mutate` calls and `graphql-request` imports as network sources, honor Apollo-style `context.fetchOptions.signal`, suppress when the enclosing component uses `useLoaderData` / `useRouteLoaderData`, and respect common stale-response guard patterns (`cancelled`/`ignore` flags with cleanup).

@critiq/cli
May 15critiq-corev0.1.0patch

Helmet option hardening, static `dotfiles: 'allow'`, unsafe CSP response literals, Ajv insecure configuration, `parseString` on untrusted XML, Express production error disclosure, request-driven array indexing, user-controlled static mounts, legacy `Buffer()` usage, React iframe `sandbox`, JWT `none` signing, and narrowed Electron `shell.openExternal` heuristics.

@critiq/cli
May 15critiq-corev0.1.0patch

Expand public performance fact coverage across TypeScript custom detectors, project analysis emitters, and shared polyglot adapters. Add cross-language runtime eligibility improvements and adapter test coverage for new performance parity signals.

@critiq/cli
May 15critiq-corev0.1.0minor

Add `critiq audit secrets` and a parent `critiq audit --help` command. Extend `critiq check --format json` with an additive `secretsScan` field on the envelope. `critiq check` now runs an advisory secret scan (does not affect check exit code).

@critiq/cli
May 15critiq-corev0.1.0patch

Add TypeScript and polyglot quality-maintainability fact emitters for the quality rule expansion, including project-level wide-public-surface, barrel-cycle, and dead-export analysis hooks.

@critiq/cli
May 15critiq-corev0.1.0patch

Extend the public TypeScript and JavaScript adapter with six React JSX parity fact kinds covering legacy lifecycle methods, `findDOMNode`, string refs, image alt text, positive `tabIndex`, and click-only custom controls.

@critiq/cli
May 15critiq-corev0.1.0patch

Add TypeScript testing hygiene custom facts, project-scoped edge-case and production-or-test-boundary emitters, shared test-path helpers and polyglot testing-hygiene collectors, and align sandbox-style scans with `includeTests` where needed for rule validation.

@critiq/cli
May 15critiq-corev0.1.0patch

Ship public-directory `JS-0xxx` core-correctness facts via the bundled TypeScript adapter: `language.assignment-in-condition`, `language.duplicate-function-parameter`, `language.duplicate-object-key`, `language.duplicate-switch-case`, `language.async-promise-executor`, `language.assignment-to-import-binding`, `language.self-assignment`, `language.identical-comparison-operands`, and `language.duplicate-import-source`, collected from `collectTypescriptCoreLanguageCorrectnessFacts`.

@critiq/cli
May 15critiq-corev0.1.0patch

Emit additional React UI facts for external-analyzer parity: invalid anchor href targets, `aria-activedescendant` owners that are not keyboard focusable, widget roles without a non-negative tabIndex, semantic text elements with interactive roles, combined click and keyboard handlers without a widget role, pointer or key handlers without click or widget roles, and deprecated `react-dom` root APIs plus `createFactory`. Extend JSX element and event helper utilities accordingly.

@critiq/cli
May 15critiq-corev0.1.0minor

Add `--staged` for `critiq check` and `critiq audit secrets` to scan `git diff --cached` index blobs. Extend `.critiq/config.yaml` with optional `secretsScan` (`ignorePaths`, `disabledDetectors`, `suppressFingerprints`). Ship sample `pre-commit` and `pre-push` hook scripts under `scripts/hooks/`.

@critiq/cli
May 15critiq-corev0.1.0minor

Add language facts for empty non-function blocks, catch-parameter reassignment, and regexp patterns that embed unusual ASCII control characters, backing three new `ts.correctness.*` catalog rules. Treat `regex.pattern` as pattern source text: decode common escapes (`\xNN`, `\uNNNN`, `\u{...}`, and `\v`/`\f`/`\b`) so controls such as `\x02` are detected while tab, LF, and CR remain allowed (including via `\t`, `\n`, `\r`, and matching hex escapes).

@critiq/cli
May 15critiq-corev0.1.0patch

Extend the TypeScript adapter with two new logging/disclosure facts and broaden recognized logger families. New facts `security.log-injection` and `security.debug-statement-in-source` cover request-controlled values flowing into pino, winston, bunyan, or consola messages and leftover `debugger;` / `console.trace()` calls in production paths. Existing `security.sensitive-data-in-logs-and-telemetry` and `security.information-leakage` now also recognize the broader pino/winston/bunyan/consola logger family sinks.

@critiq/cli
May 15critiq-corev0.1.0patch

Ship Python framework security facts for Django, DRF, Flask, and FastAPI via the regex polyglot adapter (`python-framework-security` helpers and `@critiq/adapter-python` wiring).

@critiq/cli
May 15critiq-corev0.1.0patch

Extend the Java adapter with new security fact collectors and Spring Boot support. Adds polyglot domains for insecure servlet cookies, open redirects, response-writer XSS, sensitive data egress, and Spring config debug exposure (`spring-config-debug-exposure`), wired through `@critiq/adapter-java` and shared polyglot analysis.

@critiq/cli
May 15critiq-corev0.1.0patch

Add React error boundary and accessibility fact collectors to the TypeScript adapter. New `react-accessibility` custom facts cover missing error boundaries, missing accessibility labels, derived-state-from-props, index-as-key in dynamic lists, and uncontrolled-to-controlled input transitions, with project-analysis fact emitters wired into the runtime.

@critiq/cli
May 15critiq-corev0.1.0patch

Add TypeScript adapter security fact collectors for Angular, NestJS, and Next.js. New custom facts cover Angular DOM sanitizer bypass (`angular-dom-sanitizer`), NestJS hardening (`nestjs-security`: Helmet ordering, global validation pipe, throttling, whitelist), Next.js Server Actions local auth (`next-server-actions`), and shared `node-framework-bootstrap` / `react-next-best-practices` helpers used by these detectors.

@critiq/cli
May 15critiq-rulesv0.1.0minor

Add the tag-driven release pipeline for `@critiq/rules`, including Changesets enforcement, GitHub release note generation, clean-install package verification, and the generated README rule-count badge source.

@critiq/rules
May 15critiq-rulesv0.1.0minor

Add `ts.correctness.empty-block-statement`, `ts.correctness.reassign-catch-binding`, and `ts.correctness.regexp-pattern-unusual-control-character` with catalog specs and fixtures.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add eight OSS Rust framework rules (`rust.security.*`), RuleSpecs under `specs/rust`, catalog entries, refreshed rule counts and badges, and catalog sync tests including the `rust` spec directory.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add OSS TypeScript and JavaScript framework security rules covering Angular, NestJS, Apollo, Express, Fastify, Next.js, React, Nuxt, and Astro: - `ts.security.angular-dom-sanitizer-bypass-untrusted-input` - `ts.security.apollo-server-csrf-disabled` - `ts.security.apollo-server-introspection-exposure` - `ts.security.apollo-server-missing-query-limits` - `ts.security.apollo-server-graphql-dev-tooling-exposure` - `ts.security.graphql-upload-without-csrf-guard` - `ts.security.express-unbounded-body-parser` - `ts.security.fastify-excessive-body-limit` - `ts.security.fastify-public-bind-without-trust-proxy` - `ts.security.nuxt-public-runtime-secret` - `ts.security.astro-vite-public-secret-define` - `ts.security.nestjs-helmet-after-route-mount` - `ts.security.nestjs-missing-global-validation-pipe` - `ts.security.nestjs-skip-throttle-sensitive-route` - `ts.security.nestjs-validation-pipe-without-whitelist` - `ts.next.server-action-missing-local-auth` - `ts.react.no-effect-fetch-without-cancellation` Includes matching RuleSpecs and fixtures, and refreshes catalog counts and badges.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add public parity catalog coverage for dependency-version policy, cross-language processor egress, upload filename handling, archive extraction paths, and permissive file permissions.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add nine `ts.correctness.*` catalog rules aligned to the public JavaScript directory `JS-0xxx` first wave, with fixtures and per-rule specs; register rules in `recommended` and `strict` presets.

@critiq/rules
May 15critiq-rulesv0.1.0patch

new `ts.security.*` rules for insecure Helmet hardening options, literal CSP unsafe directives, Ajv `allErrors` without strict mode, `xml2js` `parseString` on request-shaped input, Express error-handler information disclosure, request-driven array indexes, user-controlled `express.static` mount paths, `express.static` `dotfiles: 'allow'`, legacy `Buffer()` constructors, iframe `sandbox` omissions, JWT `none` signing, and Electron dangerous `webPreferences`, IPC origin checks, local store hardening, and narrowed `shell.openExternal` URL sources; catalog and rule specs updated.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add the public TypeScript performance expansion rule set (`ts.performance.no-*`) with catalog entries, RuleSpecs, and fixtures. Add polyglot performance parity catalog rules and fixtures for Go, Java, PHP, Python, Ruby, and Rust, and refresh shipped rule-count documentation artifacts.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add the ten new TypeScript quality-maintainability rules with catalog entries, docs metadata, and RuleSpec fixtures for boolean parameter traps, primitive obsession, public surface width, barrel cycles, hidden side effects, mixed abstraction, ambiguous abbreviations, inconsistent error shape, temporal coupling, and dead exports.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add six OSS React and JSX parity rules: `ts.react.no-legacy-lifecycle`, `ts.react.no-find-dom-node`, `ts.react.no-string-ref`, `ts.react.no-img-missing-alt-text`, `ts.react.no-positive-tabindex`, and `ts.react.no-click-without-keyboard-handler`, with matching RuleSpecs, fixtures, and catalog entries.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add eight OSS React and JSX parity rules (`ts.react.*`) covering invalid anchors, `aria-activedescendant` focus hosts, widget roles without tabindex, interactive roles on semantic elements, keyboard interactions without widget roles, synthetic pointer or key handlers without roles, deprecated `react-dom` render-style APIs, and deprecated `createFactory`. Includes RuleSpec source fixtures, catalog wiring, refreshed rule counts, per-language `project-common` observation fixtures for existing performance specs, and corrected performance RuleSpec expectations where invalid observations already contained matching facts.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Ship seven `ts.testing.*` catalog rules plus polyglot testing hygiene rules for Go, Java, PHP, Python, Ruby, and Rust with RuleSpecs and fixtures.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add two TypeScript/JavaScript security rules (`ts.security.log-injection`, `ts.security.debug-statement-in-source`), matching RuleSpecs and fixtures, and refresh catalog counts and badges (121 -> 123). Targets the broader pino/winston/bunyan/consola logger families and leftover `console.trace()` calls in production paths.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add nine OSS Python framework rules (`py.security.*`), RuleSpecs under `specs/python`, refreshed catalog counts and badges, and README category breakdown including the Python slice.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add five OSS Java security rules (`java.security.*`): `android-screenshot-exposure`, `android-world-readable-mode`, `reflected-output-from-request`, `servlet-insecure-cookie`, and `spring-debug-exposure`. Also extends the existing `ts.security.open-redirect` and `ts.security.sensitive-data-egress` rules to cover Java targets with new Java fixtures. Refreshes catalog counts and badges.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add five OSS React rules (`ts.react.*`): `no-accessibility-label-missing`, `no-derived-state-from-props`, `no-index-as-key-in-dynamic-list`, `no-missing-error-boundary`, and `no-uncontrolled-to-controlled-input`, with matching RuleSpecs and observation fixtures. Refreshes catalog counts and badges.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add eleven OSS Go security rules (`go.security.*`): `echo-sensitive-binding-without-validation`, `echo-unsafe-multipart-upload`, `fiber-sensitive-binding-without-validation`, `fiber-unsafe-multipart-upload`, `gin-sensitive-binding-without-validation`, `gin-trust-all-proxies`, `gin-wildcard-cors-with-credentials`, `net-http-missing-timeouts`, `sensitive-data-egress`, `tar-path-traversal`, and `template-unescaped-request-value`. Also extends `ts.security.open-redirect` and `ts.security.ssrf` to include Go findings, adds RuleSpecs/fixtures (including Go fixtures in TypeScript rule specs), and refreshes catalog counts and badges.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add seven OSS Java framework rules (`java.security.spring-permit-all-default`, `java.security.spring-csrf-globally-disabled`, `java.security.spring-actuator-sensitive-exposure`, `java.security.spring-actuator-health-details-always`, `java.security.spring-webmvc-unrestricted-data-binding`, `java.security.jpa-concatenated-query`, `java.security.template-unescaped-user-output`), RuleSpecs under `specs/java`, catalog entries, refreshed rule counts and badges, and adjust the `java.security.spring-debug-exposure` catalog spec for the narrower `security.spring-debug-exposure` fact surface.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add twelve OSS PHP security rules (`php.security.*`) for Laravel, Symfony, and WordPress framework risks plus parity hardening checks: mass assignment, sensitive CSRF exclusions, unsafe Blade output, Symfony debug and CSRF posture, missing nonce/capability checks, unprepared SQL, insecure session/cookie and CORS settings, insecure plaintext transport, unsafe upload handling, and PHP sensitive data egress. Includes full RuleSpecs/fixtures, catalog registration, and updated rule-count documentation/badge assets.

@critiq/rules
May 15critiq-rulesv0.1.0patch

Add nine OSS Ruby on Rails security rules (`ruby.security.*`): `rails-csrf-disabled`, `rails-detailed-exceptions-enabled`, `rails-open-redirect`, `rails-unsafe-html-output`, `rails-unsafe-render`, `rails-unsafe-session-or-cookie-store`, `rails-unsafe-strong-parameters`, `sensitive-data-egress`, and `sidekiq-web-unauthenticated-mount`. Includes matching RuleSpecs and Ruby/ERB fixtures, and refreshes catalog counts and badges.

@critiq/rules