npm - @critiq/rules - Versions diffs - 0.0.2 → 0.2.0 - Mend

@critiq/rules 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (396) hide show

package/rules/typescript/ts.security.insecure-helmet-hardening-options.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.insecure-helmet-hardening-options
+  title: Avoid disabling core Helmet protections
+  summary: Helmet should keep nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy enabled unless another gateway enforces them.
+  rationale: Turning off individual Helmet middlewares removes baseline HTTP hardening that is a high-signal misconfiguration risk.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - express
+    - headers
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.insecure-helmet-hardening-options
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.86
+    tags:
+      - security
+      - express
+      - headers
+  message:
+    title: "Review disabled Helmet option in ${captures.issue.text}"
+    summary: "${captures.issue.text} disables a Helmet protection that should usually remain enabled."
+  remediation:
+    summary: Remove false overrides for nosniff, HSTS, DNS prefetch control, Expect-CT, and referrer policy unless a documented compensating control applies.

package/rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid legacy Argon2 password hash modes
   summary: Password hashing should not use `argon2i` or `argon2d` when safer modern modes are available.
   rationale: Older Argon2 modes are weaker choices for password storage than the modern hybrid mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Prefer `argon2id` and keep the password hash configuration aligned with current password-storage guidance.

package/rules/typescript/ts.security.insecure-websocket-transport.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use secure WebSocket transport
   summary: WebSocket clients should not connect over cleartext `ws://` when sensitive application data is involved.
   rationale: Cleartext WebSocket transport exposes application traffic to interception and manipulation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Security Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
   tags:
     - security
     - transport
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Switch the endpoint to `wss://` and keep certificate validation enabled.

package/rules/typescript/ts.security.insufficiently-random-values.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use enough entropy for secrets and tokens
   summary: Secret-bearing tokens and secrets should use at least 16 bytes of cryptographic entropy.
   rationale: Short random values are harder to brute-force than predictable values, but they can still be guessed faster than modern secret-bearing flows should allow.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` uses a cryptographically random source, but not enough entropy for a secret-bearing value."
   remediation:
     summary: Generate at least 16 bytes of entropy for reset tokens, invitation codes, session secrets, and similar secret-bearing values.

package/rules/typescript/ts.security.jwt-insecure-signing-algorithm.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.jwt-insecure-signing-algorithm
+  title: Do not sign JWTs with the none algorithm
+  summary: JSON Web Token signing options must not enable the none algorithm.
+  rationale: The none algorithm allows tokens to be accepted without verification, defeating authentication.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
+  tags:
+    - security
+    - jwt
+    - authentication
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ts.security.jwt-insecure-signing-algorithm
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: critical
+    confidence: 0.95
+    tags:
+      - security
+      - jwt
+  message:
+    title: "Remove insecure JWT algorithm from ${captures.issue.text}"
+    summary: "${captures.issue.text} is configured with the none algorithm or algorithm list."
+  remediation:
+    summary: Require asymmetric or HMAC algorithms explicitly and reject none at signing and verification layers.

package/rules/typescript/ts.security.jwt-not-revoked.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Add a JWT revocation hook
   summary: Express JWT middleware should check revocation state when bearer tokens can be invalidated early.
   rationale: Signature validation alone does not handle logout, compromise, or forced token invalidation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - authentication
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Add an `isRevoked` callback or equivalent revocation check for tokens that can be invalidated before expiry.

package/rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Remove sensitive claims from JWT payloads
   summary: JWT payloads should avoid embedding PII or secrets unless absolutely required.
   rationale: Client-visible tokens often outlive a single request and can leak more data than intended.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-287
+      title: Improper Authentication
+    - kind: owasp
+      title: JSON Web Token Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
   tags:
     - security
     - privacy
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Keep JWT claims minimal. Prefer stable identifiers, not direct PII or secret-bearing fields.

package/rules/typescript/ts.security.legacy-buffer-constructor.rule.yaml ADDED Viewed

@@ -0,0 +1,45 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.legacy-buffer-constructor
+  title: Replace legacy Buffer constructors
+  summary: Use Buffer.from, Buffer.alloc, or Buffer.allocUnsafe instead of the deprecated Buffer constructor.
+  rationale: Legacy constructors behave differently across Node versions and are harder to audit for safe allocation.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - node
+    - memory
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.legacy-buffer-constructor
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.9
+    tags:
+      - security
+      - node
+  message:
+    title: "Replace ${captures.issue.text}"
+    summary: "${captures.issue.text} uses the deprecated Buffer constructor API."
+  remediation:
+    summary: Prefer Buffer.from for encoded data and Buffer.alloc for zero-filled buffers sized by trusted logic.

package/rules/typescript/ts.security.log-injection.rule.yaml ADDED Viewed

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.log-injection
+  title: Sanitize user-controlled values before they reach log messages
+  summary: Logger calls in pino, winston, bunyan, and consola should not interpolate or concatenate request input directly into the message text.
+  rationale: Unsanitized request data in log messages enables CRLF injection, control-character smuggling, and downstream log-parser confusion. Wrapping the value with a structured field, JSON encoder, or CRLF-stripping replace neutralizes the vector.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-532
+      title: Insertion of Sensitive Information into Log File
+    - kind: owasp
+      title: Logging Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+  tags:
+    - security
+    - logging
+    - input-validation
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.log-injection
+    bind: issue
+emit:
+  finding:
+    category: security.input-validation
+    severity: medium
+    confidence: 0.85
+    tags:
+      - security
+      - logging
+      - input-validation
+  message:
+    title: Sanitize user-controlled values before reaching `${captures.issue.text}`
+    summary: "`${captures.issue.text}` interpolates request data into a log message without an obvious sanitizer."
+  remediation:
+    summary: Pass request data as a structured field, JSON-encode it, or strip CRLF and control characters before concatenating it into the log message.

package/rules/typescript/ts.security.manual-html-sanitization.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Avoid ad hoc HTML sanitization
   summary: Hand-rolled HTML escaping and sanitization should be replaced with vetted sanitizers or safe rendering paths.
   rationale: String replacement chains miss edge cases and are easy to bypass as rendering behavior evolves.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - xss
@@ -35,3 +44,4 @@ emit:
   remediation:
     summary: Use a vetted sanitizer or framework-native escaping model instead of string replacement chains.

package/rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing authorization before sensitive action
   summary: Sensitive backend actions should be guarded by an authorization or permission check.
   rationale: Calling destructive or privileged actions without an authorization guard increases the risk of broken access control.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs a sensitive action without a matching authorization guard."
   remediation:
     summary: Add an explicit authorization or permission check before the sensitive action executes.

package/rules/typescript/ts.security.missing-integrity-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Use authenticated encryption for secrets and tokens
   summary: Session, cookie, and token encryption should provide integrity protection in the same helper.
   rationale: Confidentiality-only encryption leaves secret-bearing values vulnerable to tampering unless the code also applies an integrity check or uses an authenticated mode.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-327
+      title: Use of a Broken or Risky Cryptographic Algorithm
+    - kind: owasp
+      title: Cryptographic Storage Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
   tags:
     - security
     - cryptography
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` encrypts a secret-bearing value without authenticated encryption or a same-helper integrity check."
   remediation:
     summary: Prefer authenticated encryption such as AES-GCM, or pair non-AEAD encryption with an explicit integrity check in the same helper.

package/rules/typescript/ts.security.missing-message-origin-check.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Verify `message` event origins
   summary: "`message` handlers should validate `event.origin` before trusting cross-window data."
   rationale: Without an origin check, hostile pages can post crafted messages into the handler.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-79
+      title: Cross-site Scripting (XSS)
+    - kind: owasp
+      title: Cross Site Scripting Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
   tags:
     - security
     - browser
@@ -34,3 +43,4 @@ emit:
     summary: "`${captures.issue.text}` handles cross-window messages without validating the sender origin."
   remediation:
     summary: Gate the handler on a strict allowlist of expected origins before reading `event.data`.

package/rules/typescript/ts.security.missing-ownership-validation.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing ownership validation
   summary: Resource identifiers from request input should be checked against the caller before sensitive actions run.
   rationale: Authorization alone is not enough when handlers act on caller-provided resource ids that may belong to someone else.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-862
+      title: Missing Authorization
+    - kind: owasp
+      title: Authorization Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html
   tags:
     - security
     - authorization
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` is used in a sensitive path without a matching ownership check."
   remediation:
     summary: Compare the request-derived resource id to the authenticated caller or load the resource through an ownership-enforcing query.

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml CHANGED Viewed

@@ -5,6 +5,15 @@ metadata:
   title: Missing request timeout or retry protection
   summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
   rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
   tags:
     - security
     - resilience
@@ -33,3 +42,4 @@ emit:
     summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
   remediation:
     summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.

package/rules/typescript/ts.security.nestjs-helmet-after-route-mount.rule.yaml ADDED Viewed

@@ -0,0 +1,50 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-helmet-after-route-mount
+  title: Register Helmet before Nest route mounts
+  summary: Nest bootstrap files should apply Helmet before mounting path-bound routers.
+  rationale: Middleware order determines whether framed routes inherit Helmet protections; mounting routers too early widens exposure.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-helmet-after-route-mount
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.8
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Move Helmet ahead of routed middleware
+    summary: Helmet runs after a route-mounted `app.use` in this Nest bootstrap.
+  remediation:
+    summary: Call `helmet()` before registering routers bound to external paths unless another gateway applies equivalent protections.

package/rules/typescript/ts.security.nestjs-missing-global-validation-pipe.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-missing-global-validation-pipe
+  title: Add a global Nest ValidationPipe
+  summary: Nest bootstrap entries should register `ValidationPipe` globally when controllers parse bodies or DTOs.
+  rationale: Without a validation pipe unexpected fields can reach controllers and weaken input hygiene.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-missing-global-validation-pipe
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.68
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Register `useGlobalPipes` with ValidationPipe
+    summary: Nest bootstrap completes without calling `useGlobalPipes`.
+  remediation:
+    summary: >-
+      Call app.useGlobalPipes with ValidationPipe using whitelist and forbidNonWhitelisted flags near bootstrap completion.

package/rules/typescript/ts.security.nestjs-skip-throttle-sensitive-route.rule.yaml ADDED Viewed

@@ -0,0 +1,51 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-skip-throttle-sensitive-route
+  title: Do not skip throttling on credential routes
+  summary: Sensitive Nest routes should not disable `@nestjs/throttler` protections without a compensating throttle.
+  rationale: Authentication endpoints are brute-force magnets; removing throttling removes basic abuse resistance.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-skip-throttle-sensitive-route
+    bind: issue
+emit:
+  finding:
+    category: security.authentication
+    severity: medium
+    confidence: 0.79
+    tags:
+      - security
+      - nestjs
+      - throttling
+  message:
+    title: Restore throttling for brute-force sensitive handlers
+    summary: "`${captures.issue.text}` disables throttling on an authentication-sensitive route."
+  remediation:
+    summary: Remove `@SkipThrottle()` or pair it with an explicit `@Throttle` policy tuned for the handler.

package/rules/typescript/ts.security.nestjs-validation-pipe-without-whitelist.rule.yaml ADDED Viewed

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.nestjs-validation-pipe-without-whitelist
+  title: Harden Nest ValidationPipe with whitelist mode
+  summary: Global ValidationPipe instances should enable whitelist-style stripping for unexpected fields.
+  rationale: Allowing undeclared fields preserves attack surface for mass-assignment style bugs.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-20
+      title: Improper Input Validation
+    - kind: owasp
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
+    - kind: url
+      title: Node.js security best practices
+      url: https://nodejs.org/en/learn/getting-started/security-best-practices
+    - kind: url
+      title: NestJS security
+      url: https://docs.nestjs.com/security/authentication
+  tags:
+    - security
+    - nestjs
+    - rules-catalog
+  stability: experimental
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.nestjs-validation-pipe-without-whitelist
+    bind: issue
+emit:
+  finding:
+    category: security.misconfiguration
+    severity: medium
+    confidence: 0.74
+    tags:
+      - security
+      - nestjs
+  message:
+    title: Enable ValidationPipe whitelist hardening
+    summary: >-
+      ValidationPipe is configured without literal whitelist true.
+  remediation:
+    summary: >-
+      Enable whitelist true and usually forbidNonWhitelisted true on the global ValidationPipe.

package/rules/typescript/ts.security.no-alert-confirm-prompt.rule.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.no-alert-confirm-prompt
+  title: Avoid blocking dialog APIs
+  summary: Do not call `alert`, `confirm`, or `prompt` in application code.
+  rationale: Blocking dialogs freeze the UI thread, are easy to abuse for social engineering, and are inappropriate for production UX.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  tags:
+    - security
+    - ux
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: security.alert-confirm-prompt
+    bind: issue
+emit:
+  finding:
+    category: security.ux
+    severity: medium
+    confidence: 0.93
+    tags:
+      - security
+      - ux
+  message:
+    title: Avoid blocking dialog APIs
+    summary: "`${captures.issue.text}` uses a blocking browser dialog that should not ship in application code."
+  remediation:
+    summary: Replace blocking dialogs with in-app UI components or structured notifications.