eslint-plugin-sdl-2 1.0.4

package/docs/rules/no-window-open-without-noopener.md

@@ -0,0 +1,63 @@
+# no-window-open-without-noopener
+
+Require `noopener` when calling `window.open` with a `_blank` target.
+
+## Targeted pattern scope
+
+This rule targets `window.open(...)` calls where the second argument is the
+literal target `_blank`.
+
+## What this rule reports
+
+This rule reports `_blank` `window.open(...)` calls when the third `features`
+argument is missing or does not include `noopener`.
+
+## Why this rule exists
+
+Opening a new tab/window without `noopener` allows the opened page to access
+`window.opener`, which can enable tabnabbing and opener-based navigation abuse.
+
+## ❌ Incorrect
+
+```ts
+window.open("https://example.com", "_blank");
+window.open("https://example.com", "_blank", "noreferrer");
+```
+
+## ✅ Correct
+
+```ts
+window.open("https://example.com", "_blank", "noopener");
+window.open("https://example.com", "_blank", "noopener,noreferrer");
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-window-open-without-noopener": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only if your codebase avoids `_blank` navigation entirely or enforces a
+different audited opener-hardening abstraction.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-window-open-without-noopener.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R026
+
+- [MDN: Window.open()](https://developer.mozilla.org/docs/Web/API/Window/open)
+- [OWASP: Reverse Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)

package/docs/rules/no-winjs-html-unsafe.md

@@ -0,0 +1,60 @@
+# no-winjs-html-unsafe
+
+Disallow unsafe WinJS HTML helpers that bypass validation.
+
+## Targeted pattern scope
+
+This rule targets WinJS unsafe sink helpers such as:
+
+- `WinJS.Utilities.setInnerHTMLUnsafe(...)`
+- `WinJS.Utilities.setOuterHTMLUnsafe(...)`
+- `WinJS.Utilities.insertAdjacentHTMLUnsafe(...)`.
+
+## What this rule reports
+
+This rule reports direct use of WinJS unsafe HTML insertion helpers.
+
+## Why this rule exists
+
+Unsafe HTML helper APIs increase XSS risk when supplied with untrusted content.
+
+## ❌ Incorrect
+
+```ts
+WinJS.Utilities.setInnerHTMLUnsafe(element, userSuppliedHtml);
+```
+
+## ✅ Correct
+
+```ts
+WinJS.Utilities.setInnerHTML(element, trustedTemplateHtml);
+```
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-winjs-html-unsafe": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable only for fully controlled HTML templates with an audited trust chain.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-winjs-html-unsafe.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R027
+
+- [WinJS utilities API overview](https://learn.microsoft.com/en-us/previous-versions/windows/apps/br229839\(v=win.10\))

package/docs/rules/no-worker-blob-url.md

@@ -0,0 +1,86 @@
+---
+title: no-worker-blob-url
+---
+
+# no-worker-blob-url
+
+Disallow worker code-loading APIs that use `blob:` URLs or `URL.createObjectURL(...)` for executable scripts.
+
+## Targeted pattern scope
+
+This rule targets blob-backed worker code-loading through:
+
+- `new Worker(...)`
+- `new SharedWorker(...)`
+- `importScripts(...)`
+
+The rule reports both static `blob:` string URLs and direct
+`URL.createObjectURL(...)` calls passed into those sinks.
+
+## What this rule reports
+
+This rule reports worker code-loading expressions that source executable code
+from blob URLs or object URLs.
+
+## Why this rule exists
+
+Blob-backed worker bootstraps hide executable code behind dynamically generated
+object URLs. That makes code-loading harder to audit and can blur trust
+boundaries in worker startup paths.
+
+## ❌ Incorrect
+
+```ts
+new Worker(URL.createObjectURL(workerBlob));
+```
+
+```ts
+self.importScripts("blob:https://example.com/bootstrap");
+```
+
+## ✅ Correct
+
+```ts
+new Worker("https://cdn.example.com/worker.js");
+```
+
+```ts
+self.importScripts("https://cdn.example.com/worker-helpers.js");
+```
+
+## Behavior and migration notes
+
+This rule intentionally focuses on direct blob-backed worker code-loading
+expressions. Indirect variables and broader blob URL usage are out of scope.
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-worker-blob-url": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable this rule only if your project intentionally relies on blob-backed
+worker code-loading and that design has been reviewed and approved.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-worker-blob-url.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R067
+
+- [MDN: `Worker()`](https://developer.mozilla.org/en-US/docs/Web/API/Worker/Worker)
+- [MDN: `URL.createObjectURL()`](https://developer.mozilla.org/en-US/docs/Web/API/URL/createObjectURL_static)
+- [MDN: `importScripts()`](https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts)

package/docs/rules/no-worker-data-url.md

@@ -0,0 +1,85 @@
+---
+title: no-worker-data-url
+---
+
+# no-worker-data-url
+
+Disallow worker code-loading APIs that use static `data:` URLs for executable scripts.
+
+## Targeted pattern scope
+
+This rule targets static `data:` URLs passed to:
+
+- `new Worker(...)`
+- `new SharedWorker(...)`
+- `importScripts(...)`
+
+The rule also covers `window`, `self`, and `globalThis` member access forms.
+
+## What this rule reports
+
+This rule reports `data:` URLs only when they are used as worker code-loading
+inputs. It does not report other non-worker `data:` URL usage.
+
+## Why this rule exists
+
+A `data:` URL in a worker entrypoint or `importScripts(...)` call embeds
+executable JavaScript directly in the URL value. That makes code loading harder
+to review and can blur trust boundaries in worker bootstrap paths.
+
+## ❌ Incorrect
+
+```ts
+new Worker("data:text/javascript,postMessage('hi')");
+```
+
+```ts
+self.importScripts("data:text/javascript,bootstrap()");
+```
+
+## ✅ Correct
+
+```ts
+new Worker("https://cdn.example.com/worker.js");
+```
+
+```ts
+self.importScripts("https://cdn.example.com/worker-helpers.js");
+```
+
+## Behavior and migration notes
+
+This rule intentionally focuses on static `data:` URLs in worker code-loading
+APIs. Dynamic worker URLs and other worker-related risks are out of scope.
+
+## ESLint flat config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [
+ {
+  plugins: { sdl },
+  rules: {
+   "sdl/no-worker-data-url": "error",
+  },
+ },
+];
+```
+
+## When not to use it
+
+Disable this rule only if your project intentionally relies on worker code from
+`data:` URLs and that design has been reviewed and approved.
+
+## Package documentation
+
+- [Rule source](../../src/rules/no-worker-data-url.ts)
+
+## Further reading
+
+> **Rule catalog ID:** R065
+
+- [MDN: `Worker()`](https://developer.mozilla.org/en-US/docs/Web/API/Worker/Worker)
+- [MDN: `importScripts()`](https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope/importScripts)
+- [MDN: `data:` URLs](https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Schemes/data)

package/docs/rules/overview.md

@@ -0,0 +1,111 @@
+---
+title: Overview
+description: README-style overview for eslint-plugin-sdl-2.
+---
+
+# eslint-plugin-sdl-2
+
+SDL-focused ESLint plugin with modern flat-config presets and TypeScript-first
+rule implementations.
+
+The plugin targets common security pitfalls and risky web/runtime APIs that are
+often surfaced during security reviews.
+
+## Installation
+
+```bash
+npm install --save-dev eslint-plugin-sdl-2
+```
+
+## Quick start (Flat Config)
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.recommended];
+```
+
+## Available presets
+
+- `sdl.configs.common`
+- `sdl.configs.typescript`
+- `sdl.configs.angular`
+- `sdl.configs.angularjs`
+- `sdl.configs.node`
+- `sdl.configs.react`
+- `sdl.configs.electron`
+- `sdl.configs.required`
+- `sdl.configs.recommended`
+
+See [Presets](./presets/index.md) for examples and per-preset rule tables.
+
+## Rules
+
+Custom rules currently documented:
+
+- `no-angular-bypass-sanitizer`
+- `no-angular-sanitization-trusted-urls`
+- `no-angularjs-bypass-sce`
+- `no-angularjs-enable-svg`
+- `no-angularjs-sanitization-whitelist`
+- `no-child-process-exec`
+- `no-cookies`
+- `no-document-domain`
+- `no-document-execcommand-insert-html`
+- `no-document-parse-html-unsafe`
+- `no-document-write`
+- `no-domparser-html-without-sanitization`
+- `no-domparser-svg-without-sanitization`
+- `no-dynamic-import-unsafe-url`
+- `no-electron-allow-running-insecure-content`
+- `no-electron-dangerous-blink-features`
+- `no-electron-disable-context-isolation`
+- `no-electron-disable-sandbox`
+- `no-electron-disable-web-security`
+- `no-electron-enable-webview-tag`
+- `no-electron-enable-remote-module`
+- `no-electron-experimental-features`
+- `no-electron-expose-raw-ipc-renderer`
+- `no-electron-insecure-certificate-error-handler`
+- `no-electron-node-integration`
+- `no-electron-permission-check-handler-allow-all`
+- `no-electron-untrusted-open-external`
+- `no-electron-webview-insecure-webpreferences`
+- `no-html-method`
+- `no-http-request-to-insecure-protocol`
+- `no-iframe-srcdoc`
+- `no-inner-html`
+- `no-insecure-random`
+- `no-insecure-tls-agent-options`
+- `no-insecure-url`
+- `no-location-javascript-url`
+- `no-message-event-without-origin-check`
+- `no-msapp-exec-unsafe`
+- `no-node-tls-check-server-identity-bypass`
+- `no-node-tls-legacy-protocol`
+- `no-node-tls-reject-unauthorized-zero`
+- `no-node-tls-security-level-zero`
+- `no-node-vm-run-in-context`
+- `no-node-vm-source-text-module`
+- `no-node-worker-threads-eval`
+- `no-nonnull-assertion-on-security-input`
+- `no-postmessage-star-origin`
+- `no-postmessage-without-origin-allowlist`
+- `no-range-create-contextual-fragment`
+- `no-script-src-data-url`
+- `no-script-text`
+- `no-service-worker-unsafe-script-url`
+- `no-set-html-unsafe`
+- `no-trusted-types-policy-pass-through`
+- `no-unsafe-alloc`
+- `no-unsafe-cast-to-trusted-types`
+- `no-window-open-without-noopener`
+- `no-winjs-html-unsafe`
+- `no-worker-blob-url`
+- `no-worker-data-url`
+
+## Next steps
+
+- Open [Getting Started](./getting-started.md).
+- Review [Presets](./presets/index.md) for rollout options.
+- Browse rule docs in the sidebar.

package/docs/rules/presets/angular.md

@@ -0,0 +1,35 @@
+---
+title: Angular preset
+---
+
+# 🅰️ Angular
+
+Use for Angular-focused security rules.
+
+## Config key
+
+```ts
+sdl.configs.angular;
+```
+
+## Flat Config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.angular];
+```
+
+## Rules in this preset
+
+- `Fix` legend:
+  - `🔧` = autofixable
+  - `💡` = suggestions available
+  - `—` = report only
+
+| Rule | Fix |
+| --- | :-: |
+| [`no-angular-bypass-sanitizer`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angular-bypass-sanitizer) | — |
+| [`no-angular-bypass-security-trust-html`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angular-bypass-security-trust-html) | — |
+| [`no-angular-innerhtml-binding`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angular-innerhtml-binding) | — |
+| [`no-angular-sanitization-trusted-urls`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angular-sanitization-trusted-urls) | — |

package/docs/rules/presets/angularjs.md

@@ -0,0 +1,36 @@
+---
+title: AngularJS preset
+---
+
+# 🧭 AngularJS
+
+Use for AngularJS-specific sanitization and SCE policy rules.
+
+## Config key
+
+```ts
+sdl.configs.angularjs;
+```
+
+## Flat Config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.angularjs];
+```
+
+## Rules in this preset
+
+- `Fix` legend:
+  - `🔧` = autofixable
+  - `💡` = suggestions available
+  - `—` = report only
+
+| Rule | Fix |
+| --- | :-: |
+| [`no-angularjs-bypass-sce`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angularjs-bypass-sce) | — |
+| [`no-angularjs-enable-svg`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angularjs-enable-svg) | — |
+| [`no-angularjs-ng-bind-html-without-sanitize`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angularjs-ng-bind-html-without-sanitize) | — |
+| [`no-angularjs-sanitization-whitelist`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angularjs-sanitization-whitelist) | — |
+| [`no-angularjs-sce-resource-url-wildcard`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-angularjs-sce-resource-url-wildcard) | — |

package/docs/rules/presets/common.md

@@ -0,0 +1,59 @@
+---
+title: Common preset
+---
+
+# 🟢 Common
+
+Use for baseline browser/runtime security checks in JavaScript or TypeScript
+projects.
+
+## Config key
+
+```ts
+sdl.configs.common;
+```
+
+## Flat Config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.common];
+```
+
+## Rules in this preset
+
+- `Fix` legend:
+  - `🔧` = autofixable
+  - `💡` = suggestions available
+  - `—` = report only
+
+| Rule | Fix |
+| --- | :-: |
+| [`no-cookies`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-cookies) | — |
+| [`no-document-domain`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-document-domain) | — |
+| [`no-document-execcommand-insert-html`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-document-execcommand-insert-html) | — |
+| [`no-document-parse-html-unsafe`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-document-parse-html-unsafe) | — |
+| [`no-document-write`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-document-write) | — |
+| [`no-domparser-html-without-sanitization`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-domparser-html-without-sanitization) | — |
+| [`no-domparser-svg-without-sanitization`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-domparser-svg-without-sanitization) | — |
+| [`no-dynamic-import-unsafe-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-dynamic-import-unsafe-url) | — |
+| [`no-html-method`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-html-method) | — |
+| [`no-iframe-srcdoc`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-iframe-srcdoc) | — |
+| [`no-inner-html`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-inner-html) | — |
+| [`no-insecure-random`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-insecure-random) | — |
+| [`no-insecure-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-insecure-url) | 🔧 |
+| [`no-location-javascript-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-location-javascript-url) | — |
+| [`no-message-event-without-origin-check`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-message-event-without-origin-check) | — |
+| [`no-msapp-exec-unsafe`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-msapp-exec-unsafe) | — |
+| [`no-postmessage-star-origin`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-postmessage-star-origin) | 💡 |
+| [`no-postmessage-without-origin-allowlist`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-postmessage-without-origin-allowlist) | — |
+| [`no-range-create-contextual-fragment`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-range-create-contextual-fragment) | — |
+| [`no-script-src-data-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-script-src-data-url) | — |
+| [`no-script-text`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-script-text) | — |
+| [`no-service-worker-unsafe-script-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-service-worker-unsafe-script-url) | — |
+| [`no-set-html-unsafe`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-set-html-unsafe) | — |
+| [`no-window-open-without-noopener`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-window-open-without-noopener) | — |
+| [`no-winjs-html-unsafe`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-winjs-html-unsafe) | — |
+| [`no-worker-blob-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-worker-blob-url) | — |
+| [`no-worker-data-url`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-worker-data-url) | — |

package/docs/rules/presets/electron.md

@@ -0,0 +1,51 @@
+---
+title: Electron preset
+---
+
+# ⚡ Electron
+
+Use for Electron security checks around webPreferences and Node integration.
+
+## Config key
+
+```ts
+sdl.configs.electron;
+```
+
+## Flat Config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.electron];
+```
+
+## Rules in this preset
+
+- `Fix` legend:
+  - `🔧` = autofixable
+  - `💡` = suggestions available
+  - `—` = report only
+
+| Rule | Fix |
+| --- | :-: |
+| [`no-electron-allow-running-insecure-content`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-allow-running-insecure-content) | 🔧 |
+| [`no-electron-dangerous-blink-features`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-dangerous-blink-features) | — |
+| [`no-electron-disable-context-isolation`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-disable-context-isolation) | 🔧 |
+| [`no-electron-disable-sandbox`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-disable-sandbox) | 🔧 |
+| [`no-electron-disable-web-security`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-disable-web-security) | 🔧 |
+| [`no-electron-enable-remote-module`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-enable-remote-module) | 🔧 |
+| [`no-electron-enable-webview-tag`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-enable-webview-tag) | 🔧 |
+| [`no-electron-experimental-features`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-experimental-features) | 🔧 |
+| [`no-electron-expose-raw-ipc-renderer`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-expose-raw-ipc-renderer) | — |
+| [`no-electron-insecure-certificate-error-handler`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-insecure-certificate-error-handler) | — |
+| [`no-electron-insecure-certificate-verify-proc`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-insecure-certificate-verify-proc) | — |
+| [`no-electron-insecure-permission-request-handler`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-insecure-permission-request-handler) | — |
+| [`no-electron-node-integration`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-node-integration) | 🔧 |
+| [`no-electron-permission-check-handler-allow-all`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-permission-check-handler-allow-all) | — |
+| [`no-electron-unchecked-ipc-sender`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-unchecked-ipc-sender) | — |
+| [`no-electron-unrestricted-navigation`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-unrestricted-navigation) | — |
+| [`no-electron-untrusted-open-external`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-untrusted-open-external) | — |
+| [`no-electron-webview-allowpopups`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-webview-allowpopups) | 🔧 |
+| [`no-electron-webview-insecure-webpreferences`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-webview-insecure-webpreferences) | — |
+| [`no-electron-webview-node-integration`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-electron-webview-node-integration) | 🔧 |

package/docs/rules/presets/index.md

@@ -0,0 +1,26 @@
+---
+title: Presets
+description: Preset reference and selection guide for eslint-plugin-SDL-2.
+---
+
+# Presets
+
+Use these presets to compose SDL-oriented linting in flat config.
+
+## Preset catalog
+
+- [Common](./common.md)
+- [TypeScript](./typescript.md)
+- [Angular](./angular.md)
+- [AngularJS](./angularjs.md)
+- [Node](./node.md)
+- [React](./react.md)
+- [Electron](./electron.md)
+- [Required](./required.md)
+- [Recommended](./recommended.md)
+
+Each preset page in this section includes:
+
+- when to use it
+- exact config key
+- copy/paste flat config snippet

package/docs/rules/presets/node.md

@@ -0,0 +1,43 @@
+---
+title: Node preset
+---
+
+# 🟩 Node
+
+Use for Node.js-specific runtime safety checks.
+
+## Config key
+
+```ts
+sdl.configs.node;
+```
+
+## Flat Config example
+
+```ts
+import sdl from "eslint-plugin-sdl-2";
+
+export default [...sdl.configs.node];
+```
+
+## Rules in this preset
+
+- `Fix` legend:
+  - `🔧` = autofixable
+  - `💡` = suggestions available
+  - `—` = report only
+
+| Rule | Fix |
+| --- | :-: |
+| [`no-child-process-exec`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-child-process-exec) | — |
+| [`no-child-process-shell-true`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-child-process-shell-true) | — |
+| [`no-http-request-to-insecure-protocol`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-http-request-to-insecure-protocol) | 🔧 |
+| [`no-insecure-tls-agent-options`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-insecure-tls-agent-options) | 🔧 |
+| [`no-node-tls-check-server-identity-bypass`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-tls-check-server-identity-bypass) | — |
+| [`no-node-tls-legacy-protocol`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-tls-legacy-protocol) | — |
+| [`no-node-tls-reject-unauthorized-zero`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-tls-reject-unauthorized-zero) | 💡 |
+| [`no-node-tls-security-level-zero`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-tls-security-level-zero) | — |
+| [`no-node-vm-run-in-context`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-vm-run-in-context) | — |
+| [`no-node-vm-source-text-module`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-vm-source-text-module) | — |
+| [`no-node-worker-threads-eval`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-node-worker-threads-eval) | — |
+| [`no-unsafe-alloc`](https://nick2bad4u.github.io/eslint-plugin-SDL-2/docs/rules/no-unsafe-alloc) | 🔧 |