---
rules:
  - id: la-stack.rust.no-stdio-diagnostics-in-src
    languages:
      - rust
    severity: WARNING
    message: "Avoid stdout/stderr diagnostics in library src/ code."
    metadata:
      category: maintainability
      rationale: "Library code should return data or typed errors rather than printing diagnostics."
    paths:
      include:
        - "/src/**/*.rs"
    patterns:
      - pattern-either:
          - pattern: println!(...)
          - pattern: eprintln!(...)
      - pattern-not-inside: |
          mod tests {
            ...
          }
      - pattern-not-inside: |
          #[cfg(test)]
          mod $MOD {
            ...
          }
      - pattern-not-inside: |
          #[cfg(test)]
          fn $FUNC(...) {
            ...
          }

  - id: la-stack.rust.no-nonfinite-unwrap-defaults
    languages:
      - rust
    severity: WARNING
    message: "Do not hide failed floating-point conversion with NaN or infinity defaults."
    metadata:
      category: correctness
      rationale: "Non-finite values must surface as typed errors with source-location metadata."
    paths:
      include:
        - "/src/**/*.rs"
    pattern-either:
      - pattern: $VALUE.unwrap_or(f64::NAN)
      - pattern: $VALUE.unwrap_or(f64::INFINITY)
      - pattern: $VALUE.unwrap_or(f64::NEG_INFINITY)
      - pattern: $VALUE.unwrap_or(std::f64::NAN)
      - pattern: $VALUE.unwrap_or(std::f64::INFINITY)
      - pattern: $VALUE.unwrap_or(std::f64::NEG_INFINITY)
      - pattern: $VALUE.unwrap_or_else(|| f64::NAN)
      - pattern: $VALUE.unwrap_or_else(|| f64::INFINITY)
      - pattern: $VALUE.unwrap_or_else(|| f64::NEG_INFINITY)

  - id: la-stack.rust.no-public-infallible-raw-f64-constructors
    languages:
      - rust
    severity: WARNING
    message: "Raw f64 Matrix/Vector constructors must be fallible public APIs; keep infallible literal helpers crate-private."
    metadata:
      category: correctness
      rationale: >-
        Matrix and Vector store only finite values. Public raw constructors must
        return Result so callers receive LaError::NonFinite instead of a panic;
        infallible construction is reserved for crate-private validated/literal
        paths.
    paths:
      include:
        - "/src/**/*.rs"
        - "/tests/semgrep/src/project_rules/raw_f64_constructors.rs"
    pattern-regex: '(?m)^\s*pub\s+(?:const\s+)?fn\s+(?:new|from_rows)\s*\([^)]*(?:\[\s*f64\s*;\s*D\s*\]|\[\s*\[\s*f64\s*;\s*D\s*\]\s*;\s*D\s*\])[^)]*\)\s*->\s*(?:Self|(?:Matrix|Vector)\s*<)'

  - id: la-stack.rust.no-public-api-panic-paths
    languages:
      - regex
    severity: WARNING
    message: "Public APIs should expose fallibility with Result/Option instead of panic/assert/unwrap paths."
    metadata:
      category: correctness
      rationale: >-
        Public functions returning plain values should be genuinely infallible
        for all representable inputs. Caller-visible failure belongs in
        Result/Option; panic-only paths make recoverable conditions look
        infallible.
    paths:
      include:
        - "/src/**/*.rs"
        - "/tests/semgrep/src/project_rules/public_api_panic_paths.rs"
    pattern-regex: '(?ms)^\s*pub\s+(?:const\s+|async\s+|unsafe\s+)*fn\s+[A-Za-z_][A-Za-z0-9_]*[^;{]*\{(?:(?!^\s*\}).|\n){0,1000}(?:panic!|assert!|debug_assert!|unreachable!|\.unwrap\s*\(|\.expect\s*\()'

  - id: la-stack.rust.public-error-enums-non-exhaustive
    languages:
      - rust
    severity: WARNING
    message: "Public error enums must be #[non_exhaustive] so adding variants remains API-safe."
    metadata:
      category: maintainability
      rationale: "Error enums grow as diagnostics become more precise; non-exhaustive public enums keep that growth additive for downstream callers."
    paths:
      include:
        - "/src/**/*.rs"
    pattern-regex: '(?m)(?<!#\[non_exhaustive\]\n)^\s*pub\s+enum\s+[A-Za-z_][A-Za-z0-9_]*Error(?:<[^>{}]*)?\s*\{'

  - id: la-stack.rust.no-unwrap-expect-in-doctests
    languages:
      - generic
    severity: WARNING
    message: "Use fallible doctest flow instead of unwrap() or expect() in public documentation examples."
    metadata:
      category: correctness
      rationale: >-
        Public Rust documentation examples should model typed error handling
        with Result and ? rather than teaching panic-based control flow.
    paths:
      include:
        - "/src/**/*.rs"
        - "/tests/semgrep/doctests/**/*.txt"
      exclude:
        - "/tests/semgrep/src/**"
    pattern-regex: '^\s*//[!/]\s*(?:#\s*)?.*(?:\b[\w:]+|[\]\)])\.(unwrap|expect)\s*\('

  - id: la-stack.rust.no-unwrap-expect-in-benches-examples
    languages:
      - rust
    severity: WARNING
    message: "Use explicit fixture error handling instead of unwrap() or expect() in benchmarks and examples."
    metadata:
      category: correctness
      rationale: >-
        Benchmarks and public examples should keep failure modes explicit so
        users and CI see the operation that failed instead of a panic-only
        unwrap/expect path.
    paths:
      include:
        - "/benches/**/*.rs"
        - "/examples/**/*.rs"
        - "/tests/semgrep/src/project_rules/bench_example_usage.rs"
    pattern-either:
      - pattern: $VALUE.unwrap()
      - pattern: $VALUE.expect(...)

  - id: la-stack.github-actions.external-action-sha-pinned
    languages:
      - regex
    severity: WARNING
    message: "Pin external GitHub Actions to a full 40-character commit SHA."
    metadata:
      category: security
      rationale: "Moving tags can change workflow behavior without review."
    paths:
      include:
        - "/.github/workflows/**/*.yml"
        - "/.github/workflows/**/*.yaml"
    patterns:
      - pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@(?![a-fA-F0-9]{40}(?:\s+#|$))[^\s#]+'

  - id: la-stack.github-actions.external-action-approved-allowlist
    languages:
      - regex
    severity: WARNING
    message: "Use only approved external GitHub Actions, or update the repository allowlist deliberately."
    metadata:
      category: security
      rationale: "A small allowlist keeps workflow supply-chain review explicit."
    paths:
      include:
        - "/.github/workflows/**/*.yml"
        - "/.github/workflows/**/*.yaml"
    patterns:
      - pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)(?!(?:actions/checkout|actions/cache|actions/download-artifact|actions/github-script|actions/setup-python|actions/upload-artifact|actions-rust-lang/setup-rust-toolchain|astral-sh/setup-uv|codacy/codacy-analysis-cli-action|codecov/codecov-action|github/codeql-action/(?:upload-sarif|init|analyze)|taiki-e/cache-cargo-install-action|zizmorcore/zizmor-action)@)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@'

  - id: la-stack.github-actions.external-action-version-comment
    languages:
      - regex
    severity: WARNING
    message: "Keep a readable version comment next to external GitHub Action SHA pins."
    metadata:
      category: maintainability
      rationale: "Version comments make Dependabot updates and human review manageable."
    paths:
      include:
        - "/.github/workflows/**/*.yml"
        - "/.github/workflows/**/*.yaml"
    patterns:
      - pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@[a-fA-F0-9]{40}\s*$'

  - id: la-stack.docs.check-before-fix-command-order
    languages:
      - regex
    severity: WARNING
    message: "Document non-mutating just check commands before mutating just fix commands."
    metadata:
      category: maintainability
      rationale: "User-facing workflow docs should encourage validation before mutation."
    paths:
      include:
        - "/AGENTS.md"
        - "/README.md"
        - "/docs/**/*.md"
        - "/justfile"
      exclude:
        - "/docs/archive/**"
    patterns:
      - pattern-regex: '(?ms)\bjust\s+fix\b.{0,400}\bjust\s+check\b|\bjust\s+python-fix\b.{0,400}\bjust\s+python-check\b'