---
rules:
- id: la-stack.rust.no-stdio-diagnostics-in-src
languages:
- rust
severity: WARNING
message: "Avoid stdout/stderr diagnostics in library src/ code."
metadata:
category: maintainability
rationale: "Library code should return data or typed errors rather than printing diagnostics."
paths:
include:
- "/src/**/*.rs"
patterns:
- pattern-either:
- pattern: println!(...)
- pattern: eprintln!(...)
- pattern-not-inside: |
mod tests {
...
}
- pattern-not-inside: |
#[cfg(test)]
mod $MOD {
...
}
- pattern-not-inside: |
#[cfg(test)]
fn $FUNC(...) {
...
}
- id: la-stack.rust.no-nonfinite-unwrap-defaults
languages:
- rust
severity: WARNING
message: "Do not hide failed floating-point conversion with NaN or infinity defaults."
metadata:
category: correctness
rationale: "Non-finite values must surface as typed errors with source-location metadata."
paths:
include:
- "/src/**/*.rs"
pattern-either:
- pattern: $VALUE.unwrap_or(f64::NAN)
- pattern: $VALUE.unwrap_or(f64::INFINITY)
- pattern: $VALUE.unwrap_or(f64::NEG_INFINITY)
- pattern: $VALUE.unwrap_or(std::f64::NAN)
- pattern: $VALUE.unwrap_or(std::f64::INFINITY)
- pattern: $VALUE.unwrap_or(std::f64::NEG_INFINITY)
- pattern: $VALUE.unwrap_or_else(|| f64::NAN)
- pattern: $VALUE.unwrap_or_else(|| f64::INFINITY)
- pattern: $VALUE.unwrap_or_else(|| f64::NEG_INFINITY)
- id: la-stack.rust.no-public-infallible-raw-f64-constructors
languages:
- rust
severity: WARNING
message: "Raw f64 Matrix/Vector constructors must be fallible public APIs; keep infallible literal helpers crate-private."
metadata:
category: correctness
rationale: >-
Matrix and Vector store only finite values. Public raw constructors must
return Result so callers receive LaError::NonFinite instead of a panic;
infallible construction is reserved for crate-private validated/literal
paths.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/src/project_rules/raw_f64_constructors.rs"
pattern-regex: '(?m)^\s*pub\s+(?:const\s+)?fn\s+(?:new|from_rows)\s*\([^)]*(?:\[\s*f64\s*;\s*D\s*\]|\[\s*\[\s*f64\s*;\s*D\s*\]\s*;\s*D\s*\])[^)]*\)\s*->\s*(?:Self|(?:Matrix|Vector)\s*<)'
- id: la-stack.rust.no-public-unchecked-finite-constructors
languages:
- rust
severity: WARNING
message: "Unchecked Matrix/Vector constructors must stay crate-private; public callers must parse through fallible constructors."
metadata:
category: correctness
rationale: >-
Matrix and Vector are finite proof types. Public unchecked constructors
would let downstream callers bypass parsing and construct invalid finite
proofs.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/src/project_rules/finite_api_contract.rs"
pattern-regex: '(?m)^\s*pub\s+(?:const\s+)?fn\s+(?:new_unchecked|from_rows_unchecked)\s*\('
- id: la-stack.rust.no-public-matrix-vector-storage-fields
languages:
- regex
severity: WARNING
message: "Matrix/Vector storage fields must stay private so callers cannot bypass finite parsing."
metadata:
category: correctness
rationale: >-
Matrix and Vector carry the finite-entry invariant. Public or crate-public
raw storage fields allow construction or mutation paths that bypass the
parsing boundary.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/src/project_rules/finite_api_contract.rs"
pattern-regex: '(?ms)^\s*pub\s+struct\s+(?:Matrix|Vector)\s*(?:<[^>{]*>)?\s*\{(?:(?!^\s*\}).|\n)*^\s*pub(?:\([^)]*\))?\s+(?:rows|data)\s*:'
- id: la-stack.rust.no-public-raw-linear-algebra-modules
languages:
- regex
severity: WARNING
message: "Keep matrix/vector modules private; re-export only the curated public API from crate root/prelude."
metadata:
category: api
rationale: >-
The matrix and vector modules contain crate-internal unchecked helpers.
Making the modules public would expose implementation details that
bypass the clean API surface.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/src/project_rules/finite_api_contract.rs"
pattern-regex: '(?m)^\s*pub\s+mod\s+(?:matrix|vector)\s*;'
- id: la-stack.rust.no-legacy-solve-vec-api
languages:
- regex
severity: WARNING
message: "Use the clean solve API name; do not reintroduce solve_vec."
metadata:
category: api
rationale: >-
Lu::solve and Ldlt::solve are the clean API because Vector is already
the finite right-hand-side proof type.
paths:
include:
- "/src/**/*.rs"
- "/benches/**/*.rs"
- "/examples/**/*.rs"
- "/tests/**/*.rs"
- "/README.md"
exclude:
- "/tests/semgrep/src/project_rules/raw_f64_constructors.rs"
- "/tests/semgrep/src/project_rules/public_api_panic_paths.rs"
- "/tests/semgrep/src/project_rules/bench_example_usage.rs"
pattern-regex: '\bsolve_vec\b'
- id: la-stack.rust.no-public-api-panic-paths
languages:
- regex
severity: WARNING
message: "Public APIs should expose fallibility with Result/Option instead of panic/assert/unwrap paths."
metadata:
category: correctness
rationale: >-
Public functions returning plain values should be genuinely infallible
for all representable inputs. Caller-visible failure belongs in
Result/Option; panic-only paths make recoverable conditions look
infallible.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/src/project_rules/public_api_panic_paths.rs"
pattern-regex: '(?ms)^\s*pub\s+(?:const\s+|async\s+|unsafe\s+)*fn\s+[A-Za-z_][A-Za-z0-9_]*[^;{]*\{(?:(?!^\s*\}).|\n){0,1000}(?:panic!|assert!|debug_assert!|unreachable!|\.unwrap\s*\(|\.expect\s*\()'
- id: la-stack.rust.public-error-enums-non-exhaustive
languages:
- rust
severity: WARNING
message: "Public error enums must be #[non_exhaustive] so adding variants remains API-safe."
metadata:
category: maintainability
rationale: "Error enums grow as diagnostics become more precise; non-exhaustive public enums keep that growth additive for downstream callers."
paths:
include:
- "/src/**/*.rs"
pattern-regex: '(?m)(?<!#\[non_exhaustive\]\n)^\s*pub\s+enum\s+[A-Za-z_][A-Za-z0-9_]*Error(?:<[^>{}]*)?\s*\{'
- id: la-stack.rust.no-unwrap-expect-in-doctests
languages:
- generic
severity: WARNING
message: "Use fallible doctest flow instead of unwrap() or expect() in public documentation examples."
metadata:
category: correctness
rationale: >-
Public Rust documentation examples should model typed error handling
with Result and ? rather than teaching panic-based control flow.
paths:
include:
- "/src/**/*.rs"
- "/tests/semgrep/doctests/**/*.txt"
exclude:
- "/tests/semgrep/src/**"
pattern-regex: '^\s*//[!/]\s*(?:#\s*)?.*(?:\b[\w:]+|[\]\)])\.(unwrap|expect)\s*\('
- id: la-stack.rust.no-unwrap-expect-in-readme-doctest-mirrors
languages:
- regex
severity: WARNING
message: "Use fallible flow instead of unwrap() or expect() in src/lib.rs README doctest mirrors."
metadata:
category: correctness
rationale: >-
The private readme_doctests module in src/lib.rs keeps README examples
executable for docs.rs-facing documentation. Those mirrors should model
the same fallible Result/? flow as the public examples they verify.
paths:
include:
- "/src/lib.rs"
- "/tests/semgrep/src/project_rules/readme_doctest_mirrors.rs"
pattern-regex: '(?ms)^\s*mod\s+readme_doctests(?:_[A-Za-z0-9_]+)?\s*\{(?:(?!^\}).|\n)*(?:\.unwrap\s*\(|\.expect\s*\()'
- id: la-stack.rust.no-unwrap-expect-in-benches-examples
languages:
- rust
severity: WARNING
message: "Use explicit fixture error handling instead of unwrap() or expect() in benchmarks and examples."
metadata:
category: correctness
rationale: >-
Benchmarks and public examples should keep failure modes explicit so
users and CI see the operation that failed instead of a panic-only
unwrap/expect path.
paths:
include:
- "/benches/**/*.rs"
- "/examples/**/*.rs"
- "/tests/semgrep/src/project_rules/bench_example_usage.rs"
pattern-either:
- pattern: $VALUE.unwrap()
- pattern: $VALUE.expect(...)
- id: la-stack.github-actions.external-action-sha-pinned
languages:
- regex
severity: WARNING
message: "Pin external GitHub Actions to a full 40-character commit SHA."
metadata:
category: security
rationale: "Moving tags can change workflow behavior without review."
paths:
include:
- "/.github/workflows/**/*.yml"
- "/.github/workflows/**/*.yaml"
patterns:
- pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@(?![a-fA-F0-9]{40}(?:\s+#|$))[^\s#]+'
- id: la-stack.github-actions.external-action-approved-allowlist
languages:
- regex
severity: WARNING
message: "Use only approved external GitHub Actions, or update the repository allowlist deliberately."
metadata:
category: security
rationale: "A small allowlist keeps workflow supply-chain review explicit."
paths:
include:
- "/.github/workflows/**/*.yml"
- "/.github/workflows/**/*.yaml"
patterns:
- pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)(?!(?:actions/checkout|actions/cache|actions/download-artifact|actions/github-script|actions/setup-python|actions/upload-artifact|actions-rust-lang/setup-rust-toolchain|astral-sh/setup-uv|codacy/codacy-analysis-cli-action|codecov/codecov-action|github/codeql-action/(?:upload-sarif|init|analyze)|taiki-e/cache-cargo-install-action|zizmorcore/zizmor-action)@)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@'
- id: la-stack.github-actions.external-action-version-comment
languages:
- regex
severity: WARNING
message: "Keep a readable version comment next to external GitHub Action SHA pins."
metadata:
category: maintainability
rationale: "Version comments make Dependabot updates and human review manageable."
paths:
include:
- "/.github/workflows/**/*.yml"
- "/.github/workflows/**/*.yaml"
patterns:
- pattern-regex: '(?m)^\s*uses:\s*(?!\./)(?!docker://)[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@[a-fA-F0-9]{40}\s*$'
- id: la-stack.docs.check-before-fix-command-order
languages:
- regex
severity: WARNING
message: "Document non-mutating just check commands before mutating just fix commands."
metadata:
category: maintainability
rationale: "User-facing workflow docs should encourage validation before mutation."
paths:
include:
- "/AGENTS.md"
- "/README.md"
- "/docs/**/*.md"
- "/justfile"
exclude:
- "/docs/archive/**"
patterns:
- pattern-regex: '(?ms)\bjust\s+fix\b.{0,400}\bjust\s+check\b|\bjust\s+python-fix\b.{0,400}\bjust\s+python-check\b'