Changelog timeline
Shipped releases and pending changes across the public Critiq OSS repositories (critiq-core and critiq-rules), in one scrolling timeline. Released entries come from each package CHANGELOG; pending entries are unconsumed changesets queued for the next npm cut. Each row shows the affected packages, bump type, and release note text.
#Timeline
Showing 290 entries sorted by date (newest first). Released rows include the npm version; pending rows are queued for the next release.
Add Ruby bug-risk adapter facts for 8 new RB-RL rails framework rules: `has-and-belongs-to-many`, `dependent-option-cascade`, `helper-instance-variables`, `http-methods-without-params`, `deprecated-http-status-symbols`, `skip-filter-conditional`, `missing-inverse-of`, and `undefined-action-filter`.
1e2a570: Ship CloudFormation cfn-lint adapter support, 26 PHP analyzer parity adapter facts, and Ruby, Android, and Electron adapter facts. Prompt to install `@critiq/rules` when the configured catalog package is missing from local or global `node_modules`.
5fd870f: Add Wave 1 benchmark peer-gap facts for path-join user input, insecure HTTP server bootstrap, and Python path traversal user input.
846919c: feat(ruby): add batch 17 bug-risk and performance fact collectors (RB-RL1052-RB-RL1059)
846919c: Add 7 new Ruby bug-risk fact collectors for RB-LI batch 13: self-assignment (RB-LI1092), identical-binary-operands (RB-LI1093), branches-without-body (RB-LI1094), trailing-comma-attribute (RB-LI1099), equal-instead-of-equal (RB-LI1100), invalid-integer-times (RB-LI1101), and constant-in-block (RB-LI1102).
846919c: ruby: add 8 rails framework bug-risk facts (RB-RL1001-RB-RL1008)
846919c: ruby: add 8 rails framework bug-risk facts (RB-RL1009-RB-RL1016)
846919c: Add 8 new Ruby bug-risk fact collectors for RB-RL batch 13: `ruby.bug-risk.deprecated-find-by-dynamic` (RB-RL1017), `ruby.bug-risk.enum-array-syntax` (RB-RL1018), `ruby.bug-risk.enum-duplicate-values` (RB-RL1019), `ruby.bug-risk.rails-env-equality` (RB-RL1020), `ruby.bug-risk.exit-in-app-code` (RB-RL1021), `ruby.bug-risk.rails-root-join` (RB-RL1022), `ruby.bug-risk.where-first-over-find-by` (RB-RL1023), `ruby.bug-risk.all-each-to-find-each` (RB-RL1024).
846919c: feat: tune testing.flaky-timer-in-test fact for precision
846919c: feat: tune security.iframe-missing-sandbox-attribute fact for precision
846919c: Ruby batch 09 (RB-RL) adapter facts
7f0cce4: feat: add Java documentation fact collectors (java-doc.ts) for batch 05
846919c: Ruby batch 05 (RB-LI-1001, 1002, 1003) ambiguous method invocation rules
5fd870f: Improve Wave 2 benchmark peer-gap SAST facts for contextual Python weak hashes, request-tainted dynamic code execution, Flask markup precision, taint-gated DOM HTML sinks, and user-controlled RegExp construction.
82fd4d5: Add batch-01 JavaScript parity adapter facts:
82fd4d5: Add batch-03 JavaScript parity adapter facts:
82fd4d5: Add Vue Options API fact detectors (framework.vue.reserved-key-overwrite, framework.vue.computed-mutation, framework.vue.invalid-prop-type, framework.vue.data-object-declaration) to the TypeScript adapter for JavaScript parity batch 08.
0130a7f: feat: add 8 Ruby bug-risk fact collectors
0130a7f: Ruby adapter: add deprecated-big-decimal-new, symbol-boolean-name, circular-argument-reference, deprecated-class-methods, disjunctive-assignment-in-constructor fact collectors
0130a7f: Ruby adapter: add duplicate-constant-assignment, io-select-single-arg, bad-operand-order fact collectors
846919c: **async.infinite-loop fact**: Added YieldExpression detection to loopBodyHasExit
3c42355: Ship Wave 1 benchmark peer-gap SAST rules for path-join user input, insecure Express listen bootstrap, and Python path traversal user input.
3c42355: Ship Wave 2 benchmark peer-gap precision updates and the taint-gated `ts.security.user-controlled-regexp` rule.
b8c4d52: Add Go correctness unnecessary-dereference rule (strict preset) (batch 06)
b8ce737: Add 8 Rust correctness rules for batch 04 codes: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.
b8ce737: Add 8 Rust correctness rules for batch 06: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.
b8ce737: Add 8 Rust quality rules for batch 09: redundant-mem-replace-with-none, redundant-mem-replace-with-default, redundant-mem-replace-with-zero, fn-ptr-null-comparison, possible-missing-comma-in-array, non-utf8-literal-in-from-utf8-unchecked, size-of-val-on-reference, fn-ptr-to-non-pointer-cast.
b8ce737: Add 8 Rust quality rules (RS-W1013, RS-W1015, RS-W1016, RS-W1028, RS-W1039, RS-W1075, RS-W1081, RS-W1084)
2324763: Add parity aliases (`RS-W1086`, `RS-W1087`, `RS-W1089`, `RS-W1091`, `RS-W1093`, `RS-W1094`, `RS-W1100`, `RS-W1106`) to 8 existing `rust.quality.*` rules.
b8c4d52: Add Go correctness deferred-func-literal and redundant-type-declaration rules (strict preset) (batch 07)
b8c4d52: Add Go bug-risk and correctness rules (strict preset) (batch 09): gin.LoadHTMLGlob ill-formed pattern, Redis incorrect arg count, Redis unimplemented method, etcd invalid Compare operator, GORM Where/Updates zero-value exclusion, signedness casting, hidden goroutine
b8c4d52: Add 5 new Go performance rules (strict preset) (batch 11): reorder-operands, non-idiomatic-slice-zeroing, utf8-decode-rune, fmt-fprint, iowriter-write-string
b8c4d52: Add Go correctness rules (interface-any-preferred, unnecessary-else-return, bare-return, boolean-literal-in-expression, unexported-capital-name, http-nobody-nil, string-concat-simplify) and aliases (GO-R4004 on unnecessary-dereference) (batch 12, refactoring family)
b8c4d52: Add 5 new Go security rules (strict + security presets): decompression-bomb, http-dir-path-traversal, weak-file-permission, unsafe-defer-close, tainted-value-sink. Add alias mappings for GO-S2108 (pprof-exposed), GO-S2112/S2114 (net-http-missing-timeouts). Batch 13.
b8c4d52: Add 7 new Go bug-risk and correctness rules (strict preset): deprecated-redis-methods, impossible-interface-nil-check, duplicate-if-else-condition, etcd-getlogger-misuse, gorm-skip-default-transaction, gorm-dry-run-enabled, reflect-makefunc-usage. Batch 14.
b8c4d52: Add Go bug-risk rules (strict preset) (batch 10): poorly formed nilness guards, compound assignment misuse
a98a371: Add 8 Java correctness catalog rules for batch 13: unconditional-recursion, double-checked-locking, stream-reuse, array-index-bounds, sync-on-get-class, optional-null, stringbuilder-char-ctor, static-date-field.
a98a371: Add 8 Java OSS catalog rules for batch 14: unescaped-whitespace, unsupported-jdk-api, nan-comparison, read-resolve-return-type, serialization-method-signature, serializable-superclass, collection-remove-type-mismatch, setup-teardown-annotation.
0f1fa17: Add 20 new `ts.correctness.*` catalog rules and wire 12 existing rules with parity aliases for JavaScript high/critical batches 01–04 (`JS-0024` through `JS-0231`).
a98a371: Add 8 Java correctness catalog rules batch 15: `java.correctness.unsafe-collection-downcast`, `java.correctness.annotation-check-always-false`, `java.correctness.unimplementable-interface`, `java.correctness.invalid-serial-version-uid`, `java.correctness.hashcode-on-array`, `java.correctness.loop-condition-never-true`, `java.correctness.non-terminating-loop`, `java.correctness.unsupported-method-call`.
a98a371: Add 7 Java correctness catalog rules batch 16: `java.correctness.sync-on-mutable-ref`, `java.correctness.unsync-static-lazy-init`, `java.correctness.boxed-boolean-conditional`, `java.correctness.sync-on-nullable-field`, `java.correctness.sync-on-public-field`, `java.correctness.thread-static-misuse`, `java.correctness.double-assignment`.
a98a371: Add 6 Java correctness catalog rules batch 17: `java.correctness.invalid-time-constants`, `java.correctness.comparator-downcast-sign-flip`, `java.correctness.cacheloader-null-return`, `java.correctness.incorrect-main-signature`, `java.correctness.enum-get-class`, `java.correctness.deprecated-thread-methods`.
a98a371: Add 5 new Java rules for batch 21 (JAVA-S): java.performance.thread-as-runnable, java.performance.url-in-collection, java.correctness.system-exit, java.performance.inefficient-string-constructor, java.performance.empty-string-constructor
a98a371: Add 5 new Java rules and 3 alias updates for batch 23 (JAVA-P): java.performance.string-to-string, java.performance.explicit-gc, java.performance.boxed-boolean-constructor, java.performance.boxed-integer-constructor, java.performance.boxed-double-constructor; add JAVA-P0057/P0062/P0063 aliases to existing rules
a98a371: Add 6 Java catalog rules (batch 24): java.correctness.prepared-statement-in-loop, java.correctness.assertion-in-production, java.correctness.array-compared-to-non-array, java.correctness.parameter-reassignment, java.testing.setup-without-super, java.testing.teardown-without-super; add JAVA-S0348 and JAVA-S0349 aliases to java.correctness.equals-on-array
a98a371: Add 8 bug risk (JAVA-E) correctness rules for Java: possible-null-access,
a98a371: Add 6 Java OSS catalog rules for batch 15: zoneid-invalid-timezone, timezone-invalid-id, instant-unsupported-temporal-unit, iterable-path-type, throw-null, hashtable-contains-value.
a09b194: Add `ts.correctness.new-expression-with-require` rule (JS-0261) and wire JS-0262/JS-0263 as parity aliases on existing `ts.security.unsafe-dirname-path-concat` and `ts.runtime.no-process-exit`.
b83af7d: Add 8 SQL style rules to the OSS catalog:
0f1fa17: Add 32 PHP high/critical batch correctness rules with alias mappings for existing security and hygiene rules.
b8c4d52: Add 2 new rules and 6 alias mappings for Go security parity:
a09b194: Add 7 new rules, 1 alias update for JavaScript batch-01 parity:
a09b194: Add 6 new rules for JavaScript batch-03 parity:
a09b194: Add 6 new rules for JavaScript parity batch 04 and 2 alias updates
a09b194: Add 2 new rules for JavaScript parity batch 05 and 5 alias updates
a09b194: Add 6 new TypeScript/JavaScript React class-component rules for JavaScript batch 06 parity:
a09b194: Add 8 AngularJS deprecated API rules to the OSS catalog (JavaScript parity batch 07):
a09b194: Add 4 TypeScript/JavaScript rules to the OSS catalog (JavaScript parity batch 12):
a09b194: Add `ts.correctness.this-outside-class` (JS-B002) and `ts.correctness.unused-expression` (JS-B003) rules for JavaScript high/critical batch 13 parity.
a09b194: Add JS-E family rules: `ts.vue.no-server-env-in-client-hooks` (JS-E1000), `ts.vue.no-browser-globals-in-created` (JS-E1001), `ts.next.no-document-import-outside-custom-document` (JS-E1002), `ts.next.no-head-import-in-custom-document` (JS-E1003), `ts.correctness.duplicate-export` (JS-E1004), `ts.correctness.namespace-import-unexported-name` (JS-E1007), `ts.correctness.unresolved-import` (JS-E1010). Add JS-E1009 alias to `ts.security.no-assign-mutable-export`.
bd4ef84: Add 20 new Python bandit security and code-quality rules: assert-outside-test, hardcoded-temp-directory, insecure-cipher, insecure-cipher-mode, insecure-xml-parser, telnet-usage, ftp-usage, insecure-crypto-import, xmlrpc-import, weak-crypto-key, insecure-ssl-version, ssh-host-key-validation, mako-insecure-templates, insecure-urllib-method, wildcard-subprocess-injection, redefined-builtin, global-statement, super-with-arguments, useless-return, and unnecessary-comprehension.
a09b194: Add six JS-W parity batch 16 rules: ts.correctness.non-existent-assignment-operators (JS-W1033), ts.correctness.no-href-with-nuxt-link (JS-W1034), ts.correctness.no-confusing-label-in-switch (JS-W1036), ts.testing.useless-assertion (JS-W1039), ts.correctness.flawed-string-comparison (JS-W1040), ts.correctness.simplify-boolean-return (JS-W1041).
b83af7d: Add PHP correctness rules for batch 01: missing-return-statement, uninitialized-typed-property, throw-non-exception with alias mappings PHP-E1001, PHP-E1004, PHP-E1008.
b83af7d: feat(php): add instanceof-invalid-type rule (PHP-E1009)
b83af7d: Add 5 SQL rules to the OSS catalog (batch 02):
a09b194: Add 8 new Vue deprecation/correctness rules (JavaScript parity batch 11, JS-0653 through JS-0660): `ts.vue.no-deprecated-scoped-slots`, `ts.vue.no-deprecated-model-option`, `ts.vue.no-deprecated-listeners`, `ts.vue.no-keycode-modifiers`, `ts.vue.no-deprecated-keycodes-config`, `ts.vue.no-slot-property-access`, `ts.vue.require-transition-conditional`, and `ts.vue.emits-validator-return-boolean`.
a09b194: Add 4 Vue Options API correctness rules to the OSS catalog (JavaScript parity batch 08):
b8ce737: Add 4 new Java rules for batch 04 (quality + testing)
b8ce737: feat: add 4 Java documentation rules (batch 05 — JAVA-D family)
b8ce737: Add 7 Java correctness rules for Batch 06 (JAVA-E family)
b8ce737: Add 5 Java performance rules for Batch 06 (JAVA-P family)
ffb64c8: Add eight high-severity Ruby catalog rules for IO shell invocation, Rails HTTP digest auth, validation-skipping updates, inline render modes, broad exception handling, and deprecated OpenSSL and URI APIs.
b8ce737: Add 8 Java correctness rules for Batch 08 (JAVA-E family)
b8ce737: Add 8 Java correctness rules for Batch 09 (JAVA-E family)
b8ce737: Add 5 Java correctness rules for Batch 10 (JAVA-E family)
4c8c448: Add 3 Java correctness catalog rules for batch 13: java.correctness.random-coerced-to-zero (JAVA-E1068), java.correctness.mutable-enum-fields (JAVA-E1069), java.correctness.noallocation-method-creates-object (JAVA-E1059). Update java.correctness.catch-null-pointer with alias JAVA-E1070 and bump severity to critical.
b8ce737: Add 5 Java OSS catalog rules for batch 14 (JAVA-E): collection-contains-self, collection-adds-self, modulus-multiplication-precedence, bitwise-or-never-equal, getter-setter-sync-mismatch. Add JAVA-E1081 alias to existing sync-on-string-literal rule.
b8ce737: Ship 4 new Java correctness rules for batch 15: `java.correctness.threadgroup-deprecated-methods` (E1108), `java.correctness.closeable-provides-injection` (E1103), `java.correctness.non-null-method-returns-null` (E1095), and `java.correctness.missing-enum-switch-elements` (E1082).
b8ce737: Add PHP correctness rules for batch 01 (PHP-E): php.correctness.undefined-function (PHP-E1000), php.correctness.undefined-method (PHP-E1002), php.correctness.invalid-static-method (PHP-E1003). Add alias PHP-E1007 to existing php.correctness.undefined-static-property rule.
b8ce737: Add `php.correctness.undefined-variable` (PHP-W1066) and `php.correctness.inaccessible-property` (PHP-W1067) rules to the PHP correctness catalog.
b8ce737: Add 2 Rust OSS quality rules: `rust.quality.deprecated-function-use` (RS-W1128, flags known deprecated std APIs) and `rust.quality.approximate-floating-constant` (RS-W1207, flags manual approximations of math constants like PI, E, TAU).
b8ce737: Add 3 new Java performance rules: java.performance.removeall-to-clear (JAVA-P1005, critical), java.performance.string-concat-in-loop (JAVA-P1006, high), and java.performance.expensive-method-on-ui-thread (JAVA-P1007, high).
df71073: Add 8 new Rust correctness rules (strict preset) for batch 03: self-not-Self-type, invalid-regex-literal, step-by-zero, iter-next-in-for-loop, empty-range-expression, erasing-operation, identical-binary-operands, syntax-error
923d706: Add Ruby bug-risk catalog rules: with-index-value-unused, with-object-value-unused, regex-literal-in-condition, predicate-method-without-parentheses, invalid-rescue-type, unsafe-safe-navigation-chain, inconsistent-safe-navigation, and safe-navigation-with-empty.
923d706: Add Ruby bug-risk catalog rules: argument-overwritten-before-use, bad-rescue-ordering, outer-variable-shadowed, suppressed-exceptions, to-json-without-argument, unreachable-code, unused-method-arguments, and useless-access-modifier.
923d706: feat: add 8 Ruby bug-risk rules
923d706: Add Ruby bug-risk rules: ruby.bug-risk.end-in-method, ruby.bug-risk.return-in-ensure, ruby.bug-risk.flip-flop-operator, ruby.bug-risk.heredoc-method-order, ruby.bug-risk.unintended-string-concatenation, ruby.bug-risk.ineffective-access-modifier, ruby.bug-risk.interpolation-in-single-quote
923d706: Add 8 Ruby bug risk rules: non-local exit from iterator, unsafe number conversion, bad magic comment order, grouped parentheses in function calls, invalid percent string literal, invalid percent symbol array, unnecessary require, and unnecessary splat.
923d706: Add deprecated-big-decimal-new, symbol-boolean-name, circular-argument-reference, deprecated-class-methods, disjunctive-assignment-in-constructor rules
923d706: Add duplicate-constant-assignment, io-select-single-arg, bad-operand-order rules
2324763: feat: consolidate duplicate timeout/retry rules into single correctness rule
2324763: **ts.correctness.infinite-loop**: precision + severity + message tuning
2324763: Add five high-severity Ruby OSS catalog rules: callback-order, routes-match-single-verb, redundant-foreign-key, callback-override, and irreversible-migration.
df71073: Add 8 new Rust security rules (strict + security presets) for batch 07: open-redirect, invisible-unicode, const-to-mut-ptr, raw-slice-to-ptr, differently-sized-slice-conversion, actix-namedfile-path-traversal, potentially-vulnerable-regex, global-write-permission
2324763: feat(ruby): add 8 RB-RL bug-risk catalog rules for batch 15
2324763: feat(ruby): add 6 new rules for batch 17 (RB-RL1052-RB-RL1059)
2324763: Add ruby.performance.prefer-delete-prefix and ruby.performance.prefer-delete-suffix rules (RB-PR1026, RB-PR1027).
2324763: Ruby batch 05 (RB-LI-1001, 1002, 1003) ambiguous method invocation rules
2324763: Add Ruby bug-risk catalog rules for batch 12 (RB-LI1079–RB-LI1091).
2324763: Add 7 new Ruby bug-risk rules for RB-LI batch 13: `ruby.bug-risk.self-assignment`, `ruby.bug-risk.identical-binary-operands`, `ruby.bug-risk.branches-without-body`, `ruby.bug-risk.trailing-comma-attribute`, `ruby.bug-risk.equal-instead-of-equal`, `ruby.bug-risk.invalid-integer-times`, `ruby.bug-risk.constant-in-block`. Also adds RB-LI1096 alias to existing `ruby.bug-risk.unnecessary-require`.
2324763: feat(ruby): add 8 RB-PR performance catalog rules for batch 16
2324763: ruby: add 8 rails framework bug-risk rules (RB-RL1001-RB-RL1008)
2324763: ruby: add 8 rails framework bug-risk rules (RB-RL1009-RB-RL1016)
2324763: Add 8 new Ruby bug-risk rules for RB-RL batch 13: `ruby.bug-risk.deprecated-find-by-dynamic` (RB-RL1017), `ruby.bug-risk.enum-array-syntax` (RB-RL1018), `ruby.bug-risk.enum-duplicate-values` (RB-RL1019), `ruby.bug-risk.rails-env-equality` (RB-RL1020), `ruby.bug-risk.exit-in-app-code` (RB-RL1021), `ruby.bug-risk.rails-root-join` (RB-RL1022), `ruby.bug-risk.where-first-over-find-by` (RB-RL1023), `ruby.bug-risk.all-each-to-find-each` (RB-RL1024).
b8c4d52: Add 8 new Go correctness rules (strict preset) (batch 03): unreachable-switch-case, duplicate-function-arguments, duplicate-branch-body, duplicate-switch-cases, identical-binary-operands, flag-pointer-immediate-deref, terminal-call-with-defer, nil-error-returned
2324763: Add 4 new `rust.security.*` catalog rules (`manual-error-type-id`, `unsafe-remove-dir-all`, `misused-bitwise-xor`, `missing-regex-anchor`) and add RS-S parity aliases to `weak-rsa-key-size`, `bind-all-interfaces`, `insecure-temp-file`, and `weak-crypto-import`.
2324763: feat: tune no-deprecated-react-dom-root-api for precision — exclude DefinitelyTyped v15/v16 type-tests and embed SDKs
2324763: feat: tune no-flaky-timer-test for precision — exempt performance clocks and micro-delays
2324763: feat: tune ts.security.iframe-missing-sandbox-attribute for precision
2324763: feat: tune rust.testing.ignore-without-ticket-reference rule
2324763: feat: tune ts.security.no-javascript-url for precision — exclude test files, GitHub Actions, and DefinitelyTyped; lower severity to medium
2324763: Ruby batch 09 (RB-RL) bug-risk / framework rules
2324763: Add 8 new Ruby bug-risk catalog rules (RB-RL1025..RB-RL1032): `has-and-belongs-to-many`, `dependent-option-cascade`, `helper-instance-variables`, `http-methods-without-params`, `deprecated-http-status-symbols`, `skip-filter-conditional`, `missing-inverse-of`, and `undefined-action-filter`.
ffb64c8: Extend `ts.security.open-redirect` and `ts.security.ssrf` catalog scope to Python with RuleSpec fixtures.
df71073: Add 8 Rust correctness rules for batch 04: mistyped-suffix, forget-drop-on-reference, forget-drop-on-copy-type, nan-comparison, non-octal-permissions, non-binding-let-on-lock, unit-argument, unit-comparison.
b8c4d52: Add 5 new Go correctness rules (strict preset) (batch 04): off-by-one-index, incomplete-nil-check, boolean-simplification, suspicious-regex-pattern, integer-truncation
df71073: Add 8 Rust correctness rules for batch 05: transmute-integer-to-nonzero, transmute-int-to-fn-ptr, transmute-int-lit-to-raw-ptr, transmute-float-char-to-ref-or-ptr, transmute-integer-to-char, transmute-number-to-slice-or-array, transmute-tuple-to-slice-or-array, print-in-display-impl.
df71073: Add 8 Rust quality rules for batch 09: potentially-incomplete-ascii-range, inaccurate-duration-calculation, map-followed-by-count, iter-nth-instead-of-get, iter-count-instead-of-len, replace-same-pattern-and-replacement, clone-on-double-reference, non-owned-rc-pointer-into-vec.
df71073: Add `rust.correctness.ignored-future-value` rule.
df71073: Add rust.performance.single-char-string-literal-pattern rule (batch 08)
b8c4d52: Add go.doc.malformed-deprecated-comment rule (batch 08)
a98a371: Add `java.correctness.unterminated-assertion-chain` rule to detect bare `assertThat()` / `verify()` calls without a terminal assertion method.
b83af7d: Add PHP correctness rules for batch 03: unused-constructor-parameter (PHP-W1037), echo-invalid-value (PHP-W1041), print-invalid-value (PHP-W1044), invalid-string-interpolation-type (PHP-W1043)
b83af7d: Add PHP correctness rules for batch 04: undefined-static-property (PHP-W1034), attribute-on-property (PHP-W1035)
b8ce737: Add 7 new `java.correctness.*` catalog rules for batch 11: shift-out-of-range (JAVA-E0399), oddness-check-fails-negative (JAVA-E0405), hasnext-invokes-next (JAVA-E0409), thread-sleep-with-lock (JAVA-E0410), string-format-arg-mismatch (JAVA-E1001), bad-short-circuit-null-check (JAVA-E1003), and wait-notify-on-thread (JAVA-E1004).
b8ce737: Add 8 new `java.correctness.*` catalog rules for batch 12: switch-statement-labels (JAVA-E1005), week-year-in-date-pattern (JAVA-E1006), jump-in-finally (JAVA-E1007), default-package-spring-scan (JAVA-E1009), case-insensitive-regex-lacks-unicode (JAVA-E1010), assert-self-comparison (JAVA-E1012), optional-get-without-present-check (JAVA-E1013), and iterable-iterator-returns-this (JAVA-E1015).
Add Ruby adapter facts for callback ordering (RB-LI1103), routes match misuse (RB-LI1104), redundant foreign key (RB-LI1105), callback override (RB-LI1106), and irreversible migration (RB-LI1107).
feat(ruby): add 8 RB-RL bug-risk collectors for batch 15
Add ruby.performance.prefer-delete-prefix and ruby.performance.prefer-delete-suffix fact collectors (RB-PR1026, RB-PR1027).
Add Ruby bug-risk adapter facts for batch 12 (RB-LI1079–RB-LI1091): useless-comparison, else-without-rescue, useless-setter-call, mixed-regex-captures, unqualified-constant, duplicate-elsif-block, unreachable-loop, and multiple-rescues-for-same-exception.
feat(ruby): add 8 RB-PR performance collectors for batch 16
Add Rust security adapter facts for the RS-S batch 05: manual `Error::type_id` override detection, `remove_dir_all` (TOCTOU) flagging, crate `create_dir`/`create_dir_all` in `/tmp/` to insecure-temp-file, brace-grouped weak crypto import patterns, integer-literal XOR mistaken for exponentiation, and unanchored `Regex::new` pattern detection.
feat: tune rust.testing.ignore-without-ticket-reference fact for precision
Java performance: add 3 new adapter fact collectors for JAVA-P1005 (removeall-to-clear), JAVA-P1006 (string-concat-in-loop), and JAVA-P1007 (expensive-method-on-ui-thread).
Add Ruby bug-risk adapter facts: with-index-value-unused, with-object-value-unused, regex-literal-in-condition, predicate-method-without-parentheses, invalid-rescue-type, unsafe-safe-navigation-chain, inconsistent-safe-navigation, and safe-navigation-with-empty.
Add Ruby bug-risk adapter facts: argument-overwritten-before-use, bad-rescue-ordering, outer-variable-shadowed, suppressed-exceptions, to-json-without-argument, unreachable-code, unused-method-arguments, and useless-access-modifier.
Add Ruby bug-risk adapter facts: end-in-method, return-in-ensure, flip-flop-operator, heredoc-method-order, unintended-string-concatenation, ineffective-access-modifier, interpolation-in-single-quote
Add 8 Ruby bug risk adapter facts: non-local exit from iterator, unsafe number conversion, bad magic comment order, grouped parentheses in function calls, invalid percent string literal, invalid percent symbol array, unnecessary require, and unnecessary splat.
Add Java quality/testing fact collectors for batch 04 parity
Add 7 Java correctness fact collectors for Batch 06 (JAVA-E family)
Add 5 Java performance fact collectors for Batch 06 (JAVA-P family)
Add 8 Java correctness fact collectors for Batch 08 (JAVA-E family)
Add 8 Java correctness fact collectors for Batch 09 (JAVA-E family)
Add 5 Java correctness fact collectors for Batch 10 (JAVA-E family)
Add 7 new Java correctness fact collectors for batch 11: shift-out-of-range (E0399), oddness-check-fails-negative (E0405), hasnext-invokes-next (E0409), thread-sleep-with-lock (E0410), string-format-arg-mismatch (E1001), bad-short-circuit-null-check (E1003), and wait-notify-on-thread (E1004).
Add 8 new Java correctness fact collectors for batch 12: switch-statement-labels (E1005), week-year-in-date-pattern (E1006), jump-in-finally (E1007), default-package-spring-scan (E1009), case-insensitive-regex-lacks-unicode (E1010), assert-self-comparison (E1012), optional-get-without-present-check (E1013), and iterable-iterator-returns-this (E1015).
Add 3 Java correctness adapter facts for batch 13: random-coerced-to-zero (JAVA-E1068), mutable-enum-fields (JAVA-E1069), noallocation-method-creates-object (JAVA-E1059). Alias-only update for catch-null-pointer (JAVA-E1070).
Add 5 Java correctness adapter facts for batch 14 (JAVA-E): collection-contains-self (E1076), collection-adds-self (E1077), modulus-multiplication-precedence (E1080), bitwise-or-never-equal (E1073), getter-setter-sync-mismatch (E1074). Alias JAVA-E1081 added to existing sync-on-string-literal rule.
Add Java correctness adapter facts for batch 15: deprecated ThreadGroup methods, Closeable values via @Provides/@Inject, non-null method returns null, and missing enum elements in switch.
Add PHP correctness heuristic facts for batch 01 (PHP-E): undefined-function, undefined-method, invalid-static-method. Extend collectPhpClassBodies to also collect method names for method resolution heuristics.
Add `php.correctness.undefined-variable` and `php.correctness.inaccessible-property` fact collectors. `collectPhpClassPropertyInfo` extended to include property visibility and same-file parent class resolution.
Add 8 Rust correctness fact collectors for batch 04 codes (RS-E1017 through RS-E1025): hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.
Add Rust quality adapter facts for batch 09: redundant-mem-replace-with-none/default/zero, fn-ptr-null-comparison, possible-missing-comma-in-array, non-utf8-literal-in-from-utf8-unchecked, size-of-val-on-reference, fn-ptr-to-non-pointer-cast.
Add 8 Rust correctness fact collectors for batch 06: hash-unit-value, transmute-ptr-to-ref, transmute-ref-to-ptr, transmute-ptr-to-ptr, forget-drop-on-non-drop-type, unhandled-io-result, transmute-t-to-ptr-ref, transmute-integer-to-bool.
Add Rust OSS quality rule collectors for RS-W1128 (deprecated function use) and RS-W1207 (approximate floating constant). New fact kinds: `rust.quality.deprecated-function-use`, `rust.quality.approximate-floating-constant`.
Add 8 Rust quality fact collectors (RS-W1013, RS-W1015, RS-W1016, RS-W1028, RS-W1039, RS-W1075, RS-W1081, RS-W1084)
Add `language.new-expression-with-require` fact detector for JS-0261 parity (detects `new require()` expressions as likely bugs).
Add two new security fact collectors for Go (batch 09):
Add batch 04 adapter facts for JavaScript parity (JS-0359, JS-0360, JS-0363, JS-0365, JS-0368, JS-0386)
Add React maintenance pattern facts for JavaScript batch 05 (JS-0424, JS-0435)
Add 6 new React class-component adapter facts for JavaScript batch 06 parity:
Add 8 AngularJS deprecated API fact collectors for JavaScript parity batch 07:
Add 4 TypeScript/JavaScript fact collectors for JavaScript parity batch 12:
Add `language.this-outside-class` and `language.unused-expression` fact detectors for JavaScript parity batch 13 (JS-B002, JS-B003). `this-outside-class` flags `this` usage outside class bodies; `unused-expression` flags expression statements without side effects.
Add adapter facts for JS-E batch 15: Nuxt lifecycle hooks (process.server/client/browser in client hooks, browser globals in created/beforeCreate), Next.js import rules (next/document outside _document, next/head in _document), and duplicate export detection.
Add TypeScript adapter facts for JS-W parity batch 16: non-existent assignment operators (language.non-existent-assignment-operator), confusing label in switch (language.confusing-label-in-switch), flawed string comparison (language.flawed-string-comparison), complex boolean return (language.complex-boolean-return), NuxtLink href misuse (nuxt-correctness.nuxt-link-href), and useless test assertions (testing.useless-assertion).
Add PHP correctness facts for batch 03 rules: unused-constructor-parameter, echo-invalid-value, print-invalid-value, invalid-string-interpolation-type
Add PHP correctness facts for batch 04 rules: undefined-static-property (PHP-W1034), attribute-on-property (PHP-W1035)
Add PHP correctness heuristic facts for batch 01: missing-return-statement, uninitialized-typed-property, throw-non-exception.
feat(php): add instanceof-invalid-type fact collector for PHP-E1009 parity
Add Vue 2→3 migration fact detectors (JavaScript parity batch 11, JS-0653 through JS-0660): deprecated `$scopedSlots`, deprecated `model` option, deprecated `$listeners`, numeric keycode modifier proxy, deprecated `Vue.config.keyCodes`, `$slots` property access without function call, `Transition`/`TransitionGroup` proxy, and emits validator return checking.
Add 8 new Go correctness fact collectors (batch 03): unreachable-switch-case, duplicate-function-arguments, duplicate-branch-body, duplicate-switch-cases, identical-binary-operands, flag-pointer-immediate-deref, terminal-call-with-defer, nil-error-returned
Add 5 new Go correctness fact collectors (batch 04): off-by-one-index, incomplete-nil-check, boolean-simplification, suspicious-regex-pattern, integer-truncation
Add Go correctness unnecessary-dereference fact collector (batch 06)
Add Go correctness deferred-func-literal and redundant-type-declaration fact collectors (batch 07)
Add go.doc domain with malformed-deprecated-comment fact collector (batch 08)
Add Go bug-risk fact collectors (batch 09): gin.LoadHTMLGlob pattern, Redis arg count and unimplemented methods, etcd Compare operator, GORM Where/Updates zero values, signedness casting, hidden goroutine
Add 5 Go performance adapter facts (batch 11): `go.performance.reorder-operands`, `go.performance.non-idiomatic-slice-zeroing`, `go.performance.utf8-decode-rune`, `go.performance.fmt-fprint`, `go.performance.iowriter-write-string`
Add Go correctness fact collectors (batch 12, refactoring family)
Add Go security adapter facts for decompression-bomb, http-dir-path-traversal, weak-file-permission, unsafe-defer-close, and tainted-value-sink (batch 13)
Add Go bug-risk adapter facts for deprecated Redis methods, etcd GetLogger misuse, GORM SkipDefaultTransaction/DryRun, reflect.MakeFunc, and correctness heuristics for interface nil check and duplicate if-else conditions (batch 14)
Add Go bug-risk fact collectors (batch 10): poorly formed nilness guards, compound assignment misuse
Add 8 Java correctness adapter facts for batch 13: unconditional-recursion (E1017), double-checked-locking (E1018), stream-reuse (E1019), array-index-bounds (E1020), sync-on-get-class (E1021), optional-null (E1022), stringbuilder-char-ctor (E1023), static-date-field (E1024).
Add 8 Java correctness/testing adapter facts for batch 14: unescaped-whitespace (E1029), unsupported-jdk-api (E1030), nan-comparison (E1031), read-resolve-return-type (E1032), serialization-method-signature (E1033), serializable-superclass (E1034), collection-remove-type-mismatch (E1036), setup-teardown-annotation (E1028).
Add Java correctness adapter facts for batch 15 (E1037–E1048): unsafe collection downcast, annotation check always false, unimplementable interface, invalid serialVersionUID, hashCode on array, loop condition never true, non-terminating loop, unsupported method call.
Add Java correctness adapter facts for batch 16 (E1051–E1063): sync on mutable ref, unsynchronized static lazy init, boxed boolean conditional, sync on nullable field, sync on public field, thread static misuse, double assignment.
Add Java correctness adapter facts for batch 17 (E1099, E1102, E1104–E1107): invalid time constants, comparator downcast sign flip, CacheLoader null return, incorrect main signature, enum getClass, deprecated Thread methods.
Add Java adapter facts for batch 21 (JAVA-S): thread-as-runnable, url-in-collection, empty-string-constructor, inefficient-string-constructor (performance); system-exit (correctness)
Add `unterminatedAssertChain` fact to detect bare `assertThat()` / `verify()` calls that are not terminated with a chained assertion method.
Add Java adapter facts for batch 23 (JAVA-P): string-to-string, explicit-gc, boxed-boolean-constructor, boxed-integer-constructor, boxed-double-constructor (performance)
Add Java adapter facts for batch 24 (JAVA-S): prepared-statement-in-loop, assertion-in-production, array-compared-to-non-array, parameter-reassignment (correctness); setup-without-super, teardown-without-super (testing)
Add Java bug risk fact collectors for batch 19 (JAVA-E). Emits 8 new fact kinds in `java-correctness.ts`: possible-null-access, possible-null-access-exception, invalidated-iterator, mutable-data-exposed, duration-with-nanos-misuse, indexof-reversed-arguments, ncopies-argument-order, class-isinstance-on-class.
Add 6 Java correctness adapter facts for batch 15: zoneid-invalid-timezone (JAVA-E1092), timezone-invalid-id (JAVA-E1093), instant-unsupported-temporal-unit (JAVA-E1094), iterable-path-type (JAVA-E1096), throw-null (JAVA-E1097), hashtable-contains-value (JAVA-E1098).
Add TypeScript/JavaScript language correctness adapter facts for high/critical batches 01–04: scope hygiene, class syntax, regexp backreferences, multiline ASI hazards, negative-zero comparisons, switch fallthrough, and related patterns.
Add PHP structure correctness facts for high/critical batch parity (32 new heuristic collectors).
Add Python bandit security and code quality adapter facts: assert-outside-test, hardcoded-temp-directory, insecure-cipher, insecure-cipher-mode, insecure-xml-parser, telnet-usage, ftp-usage, insecure-crypto-import, xmlrpc-import, weak-crypto-key, insecure-ssl-version, ssh-host-key-validation, mako-insecure-templates, insecure-urllib-method, wildcard-subprocess-injection, and related patterns.
Add Ruby Rails API and high-severity security facts for IO shell invocation, HTTP digest auth, validation-skipping ActiveRecord calls, inline render modes, broad exception handling, and deprecated OpenSSL and URI APIs.
Add 8 new Rust correctness fact collectors for batch 03: self-not-Self-type, invalid-regex-literal, step-by-zero, iter-next-in-for-loop, empty-range-expression, erasing-operation, identical-binary-operands, syntax-error
Add 8 Rust correctness fact collectors for batch 04 (RS-E1009 through RS-E1016): mistyped-suffix, forget-drop-on-reference, forget-drop-on-copy-type, nan-comparison, non-octal-permissions, non-binding-let-on-lock, unit-argument, unit-comparison.
Add 8 Rust correctness fact collectors for batch 05 (RS-E1026 through RS-E1034): transmute-integer-to-nonzero, transmute-int-to-fn-ptr, transmute-int-lit-to-raw-ptr, transmute-float-char-to-ref-or-ptr, transmute-integer-to-char, transmute-number-to-slice-or-array, transmute-tuple-to-slice-or-array, print-in-display-impl.
Add 8 new Rust security fact collectors for batch 07: open-redirect, invisible-unicode, const-to-mut-ptr, raw-slice-to-ptr, differently-sized-slice-conversion, actix-namedfile-path-traversal, potentially-vulnerable-regex, global-write-permission
Add 8 Rust quality fact collectors for batch 09 (RS-W1086 through RS-W1106): potentially-incomplete-ascii-range, inaccurate-duration-calculation, map-followed-by-count, iter-nth-instead-of-get, iter-count-instead-of-len, replace-same-pattern-and-replacement, clone-on-double-reference, non-owned-rc-pointer-into-vec.
Add `rust.correctness.ignored-future-value` fact collector.
Add Rust single-char string literal pattern fact collector (batch 08)
Add Python open-redirect and SSRF fact collectors, and gate Django `mark_safe` on request-tainted arguments.
Ship CloudFormation cfn-lint adapter support, 26 PHP analyzer parity adapter facts, and Ruby, Android, and Electron adapter facts. Prompt to install `@critiq/rules` when the configured catalog package is missing from local or global `node_modules`.
Add nine Ruby catalog rules for residual Rails security and bug-risk coverage (batches 2 and 3).
Add four Ruby general security catalog rules for dynamic execution, Kernel.open pipe mode, insecure JSON loaders, and debugger calls.
Add 157 CloudFormation catalog rules mapping cfn-lint parity codes (`E*`, `W*`, `I*`) to `cfn.*` rule ids with observation-based specs.
Add 26 PHP catalog rules: one security rule (`unsafe-new-static`), 23 correctness rules, and one performance rule (`expensive-loop-condition`).
Add CloudFormation cfn-lint adapter with `cloudformation` language support and `cfn.lint.finding` facts for catalog rule matching.
Add 26 PHP analyzer parity adapter facts across correctness, baseline security, and performance: empty array/bracket access, deprecated unset cast and libxml entity loader, duplicate declarations, nested functions and switches, break/continue outside loops, abstract methods outside abstract classes, useless unset/post-increment, invalid regex and cookie options, TODO/FIXME markers, self-assignment, default-parameter ordering, empty function bodies and code blocks, unknown magic methods, case-insensitive define, deprecated filter constants, redundant string cast concat, missing member visibility, function comparison, and unsafe `new static`. Fix PHP-native performance detection for expensive loop conditions (replacing generic polyglot heuristics where PHP-specific analysis applies).
Add Ruby residual security and bug-risk adapter facts.
Add Ruby general security adapter facts for dynamic code execution, Kernel.open pipe mode, insecure JSON loaders, and debugger breakpoints.
Add TypeScript adapter facts for React maintenance and security JSX patterns (bind in props, prop spreads, lifecycle setState, direct state mutation, target=\_blank rel, duplicate attributes, and this in function components).
Add TypeScript runtime and language security fact collectors for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.
Add Express and Node.js security rules for permissive CORS with credentials, synchronous child-process execution, blocking `readFileSync` in handlers, and mutable module exports.
Add nine React maintenance and security rules with recommended and strict preset membership, plus security preset coverage for target=\_blank without noopener.
Ship twenty Java correctness and security catalog rules with RuleSpec fixtures.
Add eleven PHP correctness and baseline security catalog rules covering duplicate array keys, switch defaults, error suppression, unreachable code, nullsafe by-reference returns, dynamic eval, unsafe includes, weak ciphers, session ID generation, XXE, and debug exposure.
Ship 16 new Python correctness and security catalog rules covering control-flow defects, subprocess shell usage, dynamic execution, YAML loading, temp file APIs, network bind exposure, debugger imports, Jinja autoescape, and Django/Flask framework hardening gaps.
Ship 7 new Rust correctness catalog rules covering mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.
Ship twelve Rust general security catalog rules covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.
Add TypeScript catalog rules for async correctness, await-in-loop performance, and empty-function quality.
Add ten `ts.correctness.*` rules for TypeScript/JavaScript language correctness patterns backed by new adapter facts.
Add TypeScript security and runtime catalog rules for `with` statements, `arguments.callee`, `javascript:` URLs, native prototype extension, global native reassignment, non-Error throws, blocking dialogs, `process.exit`, and unsafe `__dirname` path concatenation.
Ship 6 new Go baseline security catalog rules covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, RSA key sizes below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.
Ship 7 new Go correctness catalog rules covering nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.
Ship seven Go general security catalog rules: JWT signature verification, TLS minimum version, SSLv2/SSLv3 protocol rejection, weak TLS cipher suites, pprof endpoint exposure, weak bcrypt cost, and predictable math/rand seeding.
Ship 6 new Java audit security catalog rules covering unsafe Jackson polymorphic deserialization, XXE on `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory`, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and predictable `SecureRandom` seeding.
Ship 6 new Java correctness catalog rules covering empty catch blocks, `.equals` on array references, synchronizing on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.
Add Go baseline security adapter facts covering listens that bind to all interfaces, imports of the `unsafe` package, `ssh.InsecureIgnoreHostKey()` host-key callbacks, deprecated `ioutil.TempFile`/`ioutil.TempDir` temporary file helpers, `rsa.GenerateKey` and `rsa.GenerateMultiPrimeKey` invocations below 2048 bits, and imports of broken or deprecated `crypto/md5`, `crypto/des`, `crypto/rc4`, and `crypto/sha1` packages.
Add Go correctness adapter facts for nil map assignment, deferred `Close` before the matching `err` check, nil `context.Context` arguments, `time.Tick` leaks, `WaitGroup.Add` inside the launched goroutine, dropped `append` results, and `defer` statements inside loop bodies.
Add Go general security fact collectors covering JWT signature verification, TLS configuration baseline, weak cipher suites, pprof exposure, weak bcrypt cost, and predictable math/rand seeding.
Add Java audit security adapter facts covering unsafe Jackson default typing, XXE-prone `DocumentBuilderFactory` / `SAXParserFactory` / `TransformerFactory` / `XMLInputFactory` usage, Hibernate `Session.createQuery` and `createNativeQuery` string concatenation, the shell form of `Runtime.getRuntime().exec(String)`, and `SecureRandom` constructors seeded with literal or short byte arrays.
Add Java correctness adapter facts for empty catch blocks, `.equals` on array references, synchronization on string literals, catching `NullPointerException`, unguarded `Optional.get()` calls, and control-flow statements inside `finally` blocks.
Add Java general security, audit security, and correctness fact collectors for twenty new catalog rules.
Add PHP baseline security adapter facts for dynamic eval, unsafe include with user input, weak ciphers, insecure session ID generation, XML external entity exposure, and debug function leakage.
Add PHP correctness adapter facts for duplicate array keys, multiple switch defaults, error suppression with `@`, unreachable statements after `return` or `throw`, and nullsafe operators in by-reference arrow functions.
Add Python correctness and general security adapter facts for bare except handlers, mutable defaults, subprocess shell mode, dynamic code execution, insecure YAML loading, debugger imports, and expanded Django/Flask framework security checks.
Add Rust correctness adapter facts for mutex guards held across `.await`, blocking sleep and `block_on` inside `async fn`, forgotten join handles, unbounded channels, `std::sync::Mutex` in async functions, and unchecked slice indexing with variable indices.
Add Rust general security fact collectors covering network bind exposure, TLS configuration baseline, weak cipher suites, JWT verification, temp file hygiene, SSH host key checks, weak crypto imports, RSA key size, shell command spawn, YAML deserialization, and panic-prone async handlers.
Add Express security fact detectors for permissive CORS with credentials, synchronous child-process execution, blocking file reads in handlers, and mutable module exports. Extend Express error-handler disclosure detection to cover `err.stack` payloads.
Add TypeScript adapter facts for async correctness, await-in-loop performance, and empty-function quality checks.
Add TypeScript language correctness fact detectors for control flow in finally blocks, NaN/typeof comparisons, duplicate if-else conditions, array callbacks, promise rejection values, subclass constructors, array sort/for-in idioms.
Rework the public CLI release contract around `@critiq/cli`, including the tag-driven npm publish workflow, GitHub release generation from conventional commits, and packaged release verification for the self-contained CLI artifact.
Add `critiq check --format sarif` and `critiq check --format html` exports for security-platform ingestion and human-readable handoff workflows. Keep `audit` and `rules` format support scoped to `pretty|json` while documenting the new check-specific formats.
Add Go and framework security fact collectors through the shared polyglot `go-security` domain and `@critiq/adapter-go` wiring. Includes Go open redirect and SSRF facts (reused by existing multi-language rules), Go-specific sensitive egress, tar path traversal, net/http timeout posture, Gin CORS/proxy/binding checks, Echo/Fiber binding and upload checks, template trusted-type misuse, plus broader Go request-source and SQL helper (`Raw`/`RawContext`) coverage.
Add Java Spring framework security fact collectors (`java-framework-security` in `@critiq/adapter-shared`), wire them from `@critiq/adapter-java`, extend Java scan extensions with Spring Boot `application`/`bootstrap` `*.yml` plus `.html`/`.htm` for template-oriented findings, and stop folding wildcard actuator exposure into `security.spring-debug-exposure` (debug and verbose logging only there).
Add PHP framework security fact coverage on top of the existing polyglot baseline by wiring new shared collectors into `@critiq/adapter-php`. The shipped slice includes Laravel mass assignment, sensitive CSRF exclusions, unsafe raw Blade output, Symfony debug/CSRF posture checks, WordPress nonce-capability and unprepared SQL signals, plus session/cookie hardening, wildcard CORS-with-credentials, insecure plaintext transport, unsafe upload handling, and sensitive data egress facts.
Add Ruby on Rails security fact collectors to the Ruby adapter via the shared polyglot `ruby-rails-security` domain. Covers strong-parameter misuse, CSRF protection disabled, unsafe HTML output, unsafe render, unsafe session/cookie stores, detailed-exceptions enabled, open redirects, sensitive data egress, and unauthenticated Sidekiq Web mounts.
Add Rust framework security fact collectors through the shared polyglot `rust-framework-security` domain and `@critiq/adapter-rust` wiring for Axum body limits and tower-http CORS, Actix CORS with credentials, Rocket handler panics and raw HTML, Warp async blocking and unwraps, SQLx/Diesel `format!` interpolation, and Tera-style template context inserts without sanitization.
Extend the TypeScript adapter public security collectors with stronger Node.js framework hardening signals, including Express default-session and cookie sameSite posture, Express parser suppression in explicit dev-only branches, Fastify public listen posture without `trustProxy`, Fastify route-level excessive `bodyLimit` checks, Apollo Server dev tooling plugin exposure heuristics, internal-only suppression for Apollo missing-query-limit posture, GraphQL multipart upload posture when Apollo CSRF is explicitly disabled, NestJS sensitive-route SkipThrottle compensating-control suppression, Nuxt `runtimeConfig.public` secret-shaped keys, and Astro `vite.define` wiring of secret-like `process.env` values into `import.meta.env.PUBLIC_*` keys.
Add public parity runtime support for dependency-policy facts, shared processor egress recipes, cross-language filesystem depth facts, and complete default adapter package declarations.
Extend the TypeScript adapter for `ts.react.no-effect-fetch-without-cancellation` (and related facts): treat GraphQL client-style `.query`/`.mutate` calls and `graphql-request` imports as network sources, honor Apollo-style `context.fetchOptions.signal`, suppress when the enclosing component uses `useLoaderData` / `useRouteLoaderData`, and respect common stale-response guard patterns (`cancelled`/`ignore` flags with cleanup).
Helmet option hardening, static `dotfiles: 'allow'`, unsafe CSP response literals, Ajv insecure configuration, `parseString` on untrusted XML, Express production error disclosure, request-driven array indexing, user-controlled static mounts, legacy `Buffer()` usage, React iframe `sandbox`, JWT `none` signing, and narrowed Electron `shell.openExternal` heuristics.
Expand public performance fact coverage across TypeScript custom detectors, project analysis emitters, and shared polyglot adapters. Add cross-language runtime eligibility improvements and adapter test coverage for new performance parity signals.
Add `critiq audit secrets` and a parent `critiq audit --help` command. Extend `critiq check --format json` with an additive `secretsScan` field on the envelope. `critiq check` now runs an advisory secret scan (does not affect check exit code).
Add TypeScript and polyglot quality-maintainability fact emitters for the quality rule expansion, including project-level wide-public-surface, barrel-cycle, and dead-export analysis hooks.
Extend the public TypeScript and JavaScript adapter with six React JSX parity fact kinds covering legacy lifecycle methods, `findDOMNode`, string refs, image alt text, positive `tabIndex`, and click-only custom controls.
Add TypeScript testing hygiene custom facts, project-scoped edge-case and production-or-test-boundary emitters, shared test-path helpers and polyglot testing-hygiene collectors, and align sandbox-style scans with `includeTests` where needed for rule validation.
Ship public-directory `JS-0xxx` core-correctness facts via the bundled TypeScript adapter: `language.assignment-in-condition`, `language.duplicate-function-parameter`, `language.duplicate-object-key`, `language.duplicate-switch-case`, `language.async-promise-executor`, `language.assignment-to-import-binding`, `language.self-assignment`, `language.identical-comparison-operands`, and `language.duplicate-import-source`, collected from `collectTypescriptCoreLanguageCorrectnessFacts`.
Emit additional React UI facts for external-analyzer parity: invalid anchor href targets, `aria-activedescendant` owners that are not keyboard focusable, widget roles without a non-negative tabIndex, semantic text elements with interactive roles, combined click and keyboard handlers without a widget role, pointer or key handlers without click or widget roles, and deprecated `react-dom` root APIs plus `createFactory`. Extend JSX element and event helper utilities accordingly.
Add `--staged` for `critiq check` and `critiq audit secrets` to scan `git diff --cached` index blobs. Extend `.critiq/config.yaml` with optional `secretsScan` (`ignorePaths`, `disabledDetectors`, `suppressFingerprints`). Ship sample `pre-commit` and `pre-push` hook scripts under `scripts/hooks/`.
Add language facts for empty non-function blocks, catch-parameter reassignment, and regexp patterns that embed unusual ASCII control characters, backing three new `ts.correctness.*` catalog rules. Treat `regex.pattern` as pattern source text: decode common escapes (`\xNN`, `\uNNNN`, `\u{...}`, and `\v`/`\f`/`\b`) so controls such as `\x02` are detected while tab, LF, and CR remain allowed (including via `\t`, `\n`, `\r`, and matching hex escapes).
Extend the TypeScript adapter with two new logging/disclosure facts and broaden recognized logger families. New facts `security.log-injection` and `security.debug-statement-in-source` cover request-controlled values flowing into pino, winston, bunyan, or consola messages and leftover `debugger;` / `console.trace()` calls in production paths. Existing `security.sensitive-data-in-logs-and-telemetry` and `security.information-leakage` now also recognize the broader pino/winston/bunyan/consola logger family sinks.
Ship Python framework security facts for Django, DRF, Flask, and FastAPI via the regex polyglot adapter (`python-framework-security` helpers and `@critiq/adapter-python` wiring).
Extend the Java adapter with new security fact collectors and Spring Boot support. Adds polyglot domains for insecure servlet cookies, open redirects, response-writer XSS, sensitive data egress, and Spring config debug exposure (`spring-config-debug-exposure`), wired through `@critiq/adapter-java` and shared polyglot analysis.
Add React error boundary and accessibility fact collectors to the TypeScript adapter. New `react-accessibility` custom facts cover missing error boundaries, missing accessibility labels, derived-state-from-props, index-as-key in dynamic lists, and uncontrolled-to-controlled input transitions, with project-analysis fact emitters wired into the runtime.
Add TypeScript adapter security fact collectors for Angular, NestJS, and Next.js. New custom facts cover Angular DOM sanitizer bypass (`angular-dom-sanitizer`), NestJS hardening (`nestjs-security`: Helmet ordering, global validation pipe, throttling, whitelist), Next.js Server Actions local auth (`next-server-actions`), and shared `node-framework-bootstrap` / `react-next-best-practices` helpers used by these detectors.
Add the tag-driven release pipeline for `@critiq/rules`, including Changesets enforcement, GitHub release note generation, clean-install package verification, and the generated README rule-count badge source.
Add `ts.correctness.empty-block-statement`, `ts.correctness.reassign-catch-binding`, and `ts.correctness.regexp-pattern-unusual-control-character` with catalog specs and fixtures.
Add eight OSS Rust framework rules (`rust.security.*`), RuleSpecs under `specs/rust`, catalog entries, refreshed rule counts and badges, and catalog sync tests including the `rust` spec directory.
Add OSS TypeScript and JavaScript framework security rules covering Angular, NestJS, Apollo, Express, Fastify, Next.js, React, Nuxt, and Astro: - `ts.security.angular-dom-sanitizer-bypass-untrusted-input` - `ts.security.apollo-server-csrf-disabled` - `ts.security.apollo-server-introspection-exposure` - `ts.security.apollo-server-missing-query-limits` - `ts.security.apollo-server-graphql-dev-tooling-exposure` - `ts.security.graphql-upload-without-csrf-guard` - `ts.security.express-unbounded-body-parser` - `ts.security.fastify-excessive-body-limit` - `ts.security.fastify-public-bind-without-trust-proxy` - `ts.security.nuxt-public-runtime-secret` - `ts.security.astro-vite-public-secret-define` - `ts.security.nestjs-helmet-after-route-mount` - `ts.security.nestjs-missing-global-validation-pipe` - `ts.security.nestjs-skip-throttle-sensitive-route` - `ts.security.nestjs-validation-pipe-without-whitelist` - `ts.next.server-action-missing-local-auth` - `ts.react.no-effect-fetch-without-cancellation` Includes matching RuleSpecs and fixtures, and refreshes catalog counts and badges.
Add public parity catalog coverage for dependency-version policy, cross-language processor egress, upload filename handling, archive extraction paths, and permissive file permissions.
Add nine `ts.correctness.*` catalog rules aligned to the public JavaScript directory `JS-0xxx` first wave, with fixtures and per-rule specs; register rules in `recommended` and `strict` presets.
new `ts.security.*` rules for insecure Helmet hardening options, literal CSP unsafe directives, Ajv `allErrors` without strict mode, `xml2js` `parseString` on request-shaped input, Express error-handler information disclosure, request-driven array indexes, user-controlled `express.static` mount paths, `express.static` `dotfiles: 'allow'`, legacy `Buffer()` constructors, iframe `sandbox` omissions, JWT `none` signing, and Electron dangerous `webPreferences`, IPC origin checks, local store hardening, and narrowed `shell.openExternal` URL sources; catalog and rule specs updated.
Add the public TypeScript performance expansion rule set (`ts.performance.no-*`) with catalog entries, RuleSpecs, and fixtures. Add polyglot performance parity catalog rules and fixtures for Go, Java, PHP, Python, Ruby, and Rust, and refresh shipped rule-count documentation artifacts.
Add the ten new TypeScript quality-maintainability rules with catalog entries, docs metadata, and RuleSpec fixtures for boolean parameter traps, primitive obsession, public surface width, barrel cycles, hidden side effects, mixed abstraction, ambiguous abbreviations, inconsistent error shape, temporal coupling, and dead exports.
Add six OSS React and JSX parity rules: `ts.react.no-legacy-lifecycle`, `ts.react.no-find-dom-node`, `ts.react.no-string-ref`, `ts.react.no-img-missing-alt-text`, `ts.react.no-positive-tabindex`, and `ts.react.no-click-without-keyboard-handler`, with matching RuleSpecs, fixtures, and catalog entries.
Add eight OSS React and JSX parity rules (`ts.react.*`) covering invalid anchors, `aria-activedescendant` focus hosts, widget roles without tabindex, interactive roles on semantic elements, keyboard interactions without widget roles, synthetic pointer or key handlers without roles, deprecated `react-dom` render-style APIs, and deprecated `createFactory`. Includes RuleSpec source fixtures, catalog wiring, refreshed rule counts, per-language `project-common` observation fixtures for existing performance specs, and corrected performance RuleSpec expectations where invalid observations already contained matching facts.
Ship seven `ts.testing.*` catalog rules plus polyglot testing hygiene rules for Go, Java, PHP, Python, Ruby, and Rust with RuleSpecs and fixtures.
Add two TypeScript/JavaScript security rules (`ts.security.log-injection`, `ts.security.debug-statement-in-source`), matching RuleSpecs and fixtures, and refresh catalog counts and badges (121 -> 123). Targets the broader pino/winston/bunyan/consola logger families and leftover `console.trace()` calls in production paths.
Add nine OSS Python framework rules (`py.security.*`), RuleSpecs under `specs/python`, refreshed catalog counts and badges, and README category breakdown including the Python slice.
Add five OSS Java security rules (`java.security.*`): `android-screenshot-exposure`, `android-world-readable-mode`, `reflected-output-from-request`, `servlet-insecure-cookie`, and `spring-debug-exposure`. Also extends the existing `ts.security.open-redirect` and `ts.security.sensitive-data-egress` rules to cover Java targets with new Java fixtures. Refreshes catalog counts and badges.
Add five OSS React rules (`ts.react.*`): `no-accessibility-label-missing`, `no-derived-state-from-props`, `no-index-as-key-in-dynamic-list`, `no-missing-error-boundary`, and `no-uncontrolled-to-controlled-input`, with matching RuleSpecs and observation fixtures. Refreshes catalog counts and badges.
Add eleven OSS Go security rules (`go.security.*`): `echo-sensitive-binding-without-validation`, `echo-unsafe-multipart-upload`, `fiber-sensitive-binding-without-validation`, `fiber-unsafe-multipart-upload`, `gin-sensitive-binding-without-validation`, `gin-trust-all-proxies`, `gin-wildcard-cors-with-credentials`, `net-http-missing-timeouts`, `sensitive-data-egress`, `tar-path-traversal`, and `template-unescaped-request-value`. Also extends `ts.security.open-redirect` and `ts.security.ssrf` to include Go findings, adds RuleSpecs/fixtures (including Go fixtures in TypeScript rule specs), and refreshes catalog counts and badges.
Add seven OSS Java framework rules (`java.security.spring-permit-all-default`, `java.security.spring-csrf-globally-disabled`, `java.security.spring-actuator-sensitive-exposure`, `java.security.spring-actuator-health-details-always`, `java.security.spring-webmvc-unrestricted-data-binding`, `java.security.jpa-concatenated-query`, `java.security.template-unescaped-user-output`), RuleSpecs under `specs/java`, catalog entries, refreshed rule counts and badges, and adjust the `java.security.spring-debug-exposure` catalog spec for the narrower `security.spring-debug-exposure` fact surface.
Add twelve OSS PHP security rules (`php.security.*`) for Laravel, Symfony, and WordPress framework risks plus parity hardening checks: mass assignment, sensitive CSRF exclusions, unsafe Blade output, Symfony debug and CSRF posture, missing nonce/capability checks, unprepared SQL, insecure session/cookie and CORS settings, insecure plaintext transport, unsafe upload handling, and PHP sensitive data egress. Includes full RuleSpecs/fixtures, catalog registration, and updated rule-count documentation/badge assets.
Add nine OSS Ruby on Rails security rules (`ruby.security.*`): `rails-csrf-disabled`, `rails-detailed-exceptions-enabled`, `rails-open-redirect`, `rails-unsafe-html-output`, `rails-unsafe-render`, `rails-unsafe-session-or-cookie-store`, `rails-unsafe-strong-parameters`, `sensitive-data-egress`, and `sidekiq-web-unauthenticated-mount`. Includes matching RuleSpecs and Ruby/ERB fixtures, and refreshes catalog counts and badges.