oxlint-plugin-react-doctor 0.5.3-dev.0b30023 → 0.5.3-dev.eacdcf2

package/dist/index.js

@@ -267,19 +267,127 @@ const wrapCreateForReactJsxOnly = (create) => ((context) => {
 	return wrappedVisitors;
 });
 const defineRule = (rule) => {
+	if (!("create" in rule)) return {
+		...rule,
+		create: () => ({})
+	};
 	const tags = rule.tags;
-	const create = rule.create;
-	if (typeof create !== "function") return rule;
-	let wrappedCreate = create;
+	let wrappedCreate = rule.create;
 	if (tags?.includes("test-noise") && !tags?.includes("migration-hint")) wrappedCreate = wrapCreateForTestNoise(wrappedCreate);
 	if (tags?.includes("react-jsx-only")) wrappedCreate = wrapCreateForReactJsxOnly(wrappedCreate);
-	if (wrappedCreate === create) return rule;
+	if (wrappedCreate === rule.create) return rule;
 	return {
 		...rule,
 		create: wrappedCreate
 	};
 };
 //#endregion
+//#region src/plugin/rules/security-scan/utils/get-location-at-index.ts
+const getLocationAtIndex = (content, matchIndex) => {
+	if (matchIndex < 0) return {
+		line: 1,
+		column: 1
+	};
+	const lines = content.slice(0, matchIndex).split(/\r?\n/);
+	return {
+		line: lines.length,
+		column: (lines[lines.length - 1]?.length ?? 0) + 1
+	};
+};
+//#endregion
+//#region src/plugin/rules/security-scan/utils/get-match-location.ts
+const getMatchLocation = (content, pattern) => getLocationAtIndex(content, content.search(pattern));
+//#endregion
+//#region src/plugin/constants/security-scan.ts
+const TEXT_FILE_PATTERN = /\.(?:[cm]?[jt]sx?|json|jsonc|map|html?|mdx?|ya?ml|toml|sql|rules|env|txt|log|svg|xml|pem|key|crt|cert|pub|py|php)$/i;
+const DOTENV_FILE_PATTERN = /(?:^|\/)\.env(?:\.|$)/;
+const SOURCE_FILE_PATTERN = /\.(?:[cm]?[jt]sx?)$/i;
+const SCRIPT_SOURCE_FILE_PATTERN = /\.(?:[cm]?[jt]sx?|py|php)$/i;
+const DATABASE_SOURCE_FILE_PATTERN = /\.(?:[cm]?[jt]sx?|py)$/i;
+const SERVER_CONTEXT_PATTERN = /(?:^|\/)(?:api|backend|server|servers|middleware|route|routes|functions|lambdas|workers)(?:\/|$)|(?:^|\/)[^/]+\.server\.[cm]?[jt]sx?$/i;
+const TEST_CONTEXT_PATTERN = /(?:^|\/)(?:__fixtures__|__mocks__|__tests__|fixtures|mocks|test|tests|testdata|test-data|e2e|playwright)(?:\/|$)|\.(?:test|spec|e2e|e2e-spec|integration-test|fixture|fixtures|stories|story)\.[cm]?[jt]sx?$|(?:^|\/)(?:test_[^/]+|[^/]+_test|conftest)\.py$|\.env\.[^/]*(?:test|e2e)[^/]*$/i;
+const BUILD_SCRIPT_CONTEXT_PATTERN = /(?:^|\/)scripts(?:\/|$)/i;
+const DEMO_CONTEXT_PATTERN = /(?:^|\/)(?:examples?|tutorials?|demos?|samples?|playgrounds?)(?:\/|$)/i;
+const DOCUMENTATION_CONTEXT_PATTERN = /(?:^|\/)(?:README|CHANGELOG|CONTRIBUTING|PUBLISHING|DOCS)\.mdx?$|\.mdx?$/i;
+const GENERATED_SOURCE_CONTEXT_PATTERN = /(?:^|\/)(?:generated|__generated__|dist|build|coverage|out|storybook-static|vendor|vendors|third[-_]?party|libraries)(?:\/|$)|(?:^|\/)\.next\/|(?:^|\/)\.yarn\/|(?:^|\/)public\/(?:chunks?|assets?|build|dist|static)\/|(?:generated|\.gen)\.[cm]?[jt]sx?$|@\d+\.\d+\.\d+(?:[-.][\w.]+)?\.[cm]?js$|[.-]min\.[cm]?js$|\.asm\.js$|(?:^|\/)[\w-]+[.@-]\d+\.\d+\.\d+(?:[-.][\w.]+)?\//i;
+const GENERATED_BUNDLE_FILE_PATTERN = /\.(iife|umd|global|min)\.js$/i;
+const BROWSER_ARTIFACT_PATH_PATTERNS = [
+	/(?:^|\/)\.next\/static\//,
+	/(?:^|\/)\.output\/public\//,
+	/(?:^|\/)build\/static\//,
+	/(?:^|\/)dist\/assets\//,
+	/(?:^|\/)public\//,
+	/(?:^|\/)out\//,
+	/(?:^|\/)storybook-static\//
+];
+const AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN = /\b(?:exec|execSync|spawn|child_process|eval|new Function|vm\.run|readFile|writeFile|fs\.read|fs\.write|fetch|axios|http\.request|sandbox|runCode|executeCode)\b/;
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-browser-artifact-path.ts
+const isServerOnlyBuildArtifactPath = (relativePath) => /(?:^|\/)(?:\.next\/server|\.output\/server)\//.test(relativePath);
+const isBrowserArtifactPath = (relativePath, isGeneratedBundle) => {
+	if (isServerOnlyBuildArtifactPath(relativePath)) return false;
+	if (isGeneratedBundle) return true;
+	if (relativePath.endsWith(".map")) return true;
+	return BROWSER_ARTIFACT_PATH_PATTERNS.some((pattern) => pattern.test(relativePath));
+};
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-config-or-ci-path.ts
+const isConfigOrCiPath = (relativePath) => /(?:^|\/)(?:package\.json|Dockerfile|docker-compose\.ya?ml|\.github\/workflows\/[^/]+\.ya?ml|vercel\.json|next\.config\.[cm]?[jt]s|netlify\.toml)$/i.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-production-file-path.ts
+const isProductionFilePath = (relativePath, sourceFilePattern) => {
+	if (!sourceFilePattern.test(relativePath)) return false;
+	if (TEST_CONTEXT_PATTERN.test(relativePath)) return false;
+	if (BUILD_SCRIPT_CONTEXT_PATTERN.test(relativePath)) return false;
+	if (DOCUMENTATION_CONTEXT_PATTERN.test(relativePath)) return false;
+	if (GENERATED_SOURCE_CONTEXT_PATTERN.test(relativePath)) return false;
+	return true;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-production-source-path.ts
+const isProductionSourcePath = (relativePath) => {
+	return isProductionFilePath(relativePath, SOURCE_FILE_PATTERN);
+};
+//#endregion
+//#region src/plugin/rules/security-scan/active-static-asset.ts
+const SVG_ACTIVE_PATTERN = /<script\b|on(?:load|error|click|mouseover)\s*=/i;
+const DANGEROUS_ALLOW_SVG_PATTERN = /dangerouslyAllowSVG\s*:\s*true/i;
+const EXECUTABLE_SVG_EMBED_PATTERN = /<(?:object|embed|iframe)\b[^>]+(?:data|src)=["'][^"']+\.svg(?:\?[^"']*)?["']/i;
+const activeStaticAsset = defineRule({
+	id: "active-static-asset",
+	title: "Executable SVG exposure",
+	severity: "warn",
+	recommendation: "Prefer `<img>` for SVG images; if SVG must be served directly, use attachment disposition and a CSP that blocks scripts and objects.",
+	scan: (file) => {
+		const findings = [];
+		if (file.relativePath.endsWith(".svg") && isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle)) {
+			if (SVG_ACTIVE_PATTERN.test(file.content)) {
+				const location = getMatchLocation(file.content, SVG_ACTIVE_PATTERN);
+				findings.push({
+					message: "A browser-reachable SVG contains script or event-handler code.",
+					line: location.line,
+					column: location.column,
+					severity: "error",
+					title: "Active SVG in public assets",
+					help: "Serve untrusted SVG as downloads, sanitize it, or isolate it on a cookieless asset origin with a restrictive CSP."
+				});
+			}
+			return findings;
+		}
+		if (!isProductionSourcePath(file.relativePath) && !isConfigOrCiPath(file.relativePath)) return findings;
+		const pattern = [DANGEROUS_ALLOW_SVG_PATTERN, EXECUTABLE_SVG_EMBED_PATTERN].find((candidate) => candidate.test(file.content));
+		if (pattern !== void 0) {
+			const location = getMatchLocation(file.content, pattern);
+			findings.push({
+				message: "The app enables or embeds SVG in an executable browser context.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/constants/library.ts
 const HEAVY_LIBRARIES = new Set([
 	"@monaco-editor/react",
@@ -772,6 +880,94 @@ const advancedEventHandlerRefs = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/strip-comments-preserving-positions.ts
+const stripCommentsPreservingPositions = (content) => {
+	const characters = content.split("");
+	let stringDelimiter = null;
+	let index = 0;
+	while (index < content.length) {
+		const character = content[index];
+		const nextCharacter = content[index + 1];
+		if (stringDelimiter !== null) {
+			if (character === "\\") {
+				index += 2;
+				continue;
+			}
+			if (character === stringDelimiter) stringDelimiter = null;
+			index += 1;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") {
+			stringDelimiter = character;
+			index += 1;
+			continue;
+		}
+		if (character === "/" && nextCharacter === "/") {
+			while (index < content.length && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && nextCharacter === "*") {
+			while (index < content.length) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+	return characters.join("");
+};
+//#endregion
+//#region src/plugin/rules/security-scan/utils/scan-by-pattern.ts
+const strippedContentCache = /* @__PURE__ */ new WeakMap();
+const getScannableContent = (file) => {
+	if (!SOURCE_FILE_PATTERN.test(file.relativePath)) return file.content;
+	const cachedContent = strippedContentCache.get(file);
+	if (cachedContent !== void 0) return cachedContent;
+	const strippedContent = stripCommentsPreservingPositions(file.content);
+	strippedContentCache.set(file, strippedContent);
+	return strippedContent;
+};
+const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, message }) => (file) => {
+	if (!shouldScan(file)) return [];
+	const content = getScannableContent(file);
+	if (requireAll !== void 0 && !requireAll.every((gate) => gate.test(content))) return [];
+	const matchedPattern = (pattern instanceof RegExp ? [pattern] : pattern).find((candidate) => candidate.test(content));
+	if (matchedPattern === void 0) return [];
+	if (suppressWhen !== void 0 && suppressWhen.test(content)) return [];
+	const { line, column } = getMatchLocation(content, matchedPattern);
+	return [{
+		message,
+		line,
+		column
+	}];
+};
+//#endregion
+//#region src/plugin/rules/security-scan/agent-tool-capability-risk.ts
+const AGENT_TOOL_DEFINITION_PATTERN = /\b(?:tool\s*\(\s*\{|createTool\s*\(|defineTool\s*\(|new\s+(?:DynamicTool|StructuredTool)\s*\()/;
+const AGENT_TOOL_CONTEXT_PATH_PATTERN = /(?:^|\/)(?:agents?|tools?|mcp)(?:\/|$)|(?:agent|tool|mcp)[^/]*\.[cm]?[jt]sx?$/i;
+const agentToolCapabilityRisk = defineRule({
+	id: "agent-tool-capability-risk",
+	title: "Agent tool exposes dangerous capability",
+	severity: "warn",
+	recommendation: "Treat tool inputs as prompt-injection controlled. Validate arguments, scope permissions per call, and avoid exposing shell/file/network primitives directly to agents.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath) && AGENT_TOOL_CONTEXT_PATH_PATTERN.test(file.relativePath),
+		pattern: AGENT_TOOL_DEFINITION_PATTERN,
+		requireAll: [AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		message: "An agent-callable tool appears to expose network, filesystem, shell, or code-execution capability."
+	})
+});
+//#endregion
 //#region src/plugin/utils/get-jsx-prop-string-value.ts
 const getJsxPropStringValue = (attribute) => {
 	const value = attribute.value;
@@ -2867,6 +3063,260 @@ const ariaUnsupportedElements = defineRule({
 		}
 	} })
 });
+const artifactBaasAuthoritySurface = defineRule({
+	id: "artifact-baas-authority-surface",
+	title: "BaaS authority map shipped in browser artifact",
+	severity: "warn",
+	recommendation: "Client BaaS config is often public, but shipped collection names plus owner, role, tenant, or admin fields give attackers a precise authorization map. Verify rules/RLS enforce every boundary server-side.",
+	scan: scanByPattern({
+		shouldScan: (file) => isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle),
+		pattern: /\b(?:collection\s*\(\s*["'](?:boosts|sessions|sessions_admin|users|orgs|candidateJobs|conversations|documents|profiles)|from\s*\(\s*["'](?:users|profiles|documents|organizations|memberships)|creatorID|creatorId|providerId|ghostOrg|ownerId|orgId|tenantId|workspaceId|role|roles|isAdmin|SuperAdmin)\b/i,
+		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore|createClient)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket|supabase|SUPABASE_URL)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b/i],
+		message: "A browser artifact exposes Firebase/Supabase config together with sensitive collections or authorization fields."
+	})
+});
+//#endregion
+//#region src/plugin/constants/security.ts
+const AUTH_FUNCTION_NAMES = new Set([
+	"auth",
+	"getSession",
+	"getServerSession",
+	"getUser",
+	"requireAuth",
+	"checkAuth",
+	"verifyAuth",
+	"authenticate",
+	"currentUser",
+	"getAuth",
+	"validateSession"
+]);
+const GENERIC_AUTH_METHOD_NAMES = new Set(["getUser"]);
+const AUTH_OBJECT_PATTERN = /(?:^|[._])(?:auth|authn|authz|clerk|session|jwt|firebase|supabase|nextauth|kinde|workos|stytch|descope|cognito|propelauth|lucia)/i;
+const SECRET_PATTERNS = [
+	/^sk_live_/,
+	/^sk_test_/,
+	/^AKIA[0-9A-Z]{16}$/,
+	/^ghp_[a-zA-Z0-9]{36}$/,
+	/^gho_[a-zA-Z0-9]{36}$/,
+	/^github_pat_/,
+	/^glpat-/,
+	/^xox[bporas]-/,
+	/^sk-[a-zA-Z0-9]{32,}$/
+];
+const SECRET_VALUE_PATTERNS = [
+	/\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/,
+	/\bAWS_SECRET_ACCESS_KEY\s*[:=]\s*["']?[A-Za-z0-9/+=]{35,}["']?/,
+	/\bgithub_pat_[A-Za-z0-9_]{30,}\b/,
+	/\bgh[pousr]_[A-Za-z0-9]{30,}\b/,
+	/\bglpat-[A-Za-z0-9_-]{20,}\b/,
+	/\bxox[baprs]-[A-Za-z0-9-]{20,}\b/,
+	/\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/,
+	/\brk_(?:live|test)_[A-Za-z0-9]{16,}\b/,
+	/\bsk-[A-Za-z0-9_-]{32,}\b/,
+	/\bsk-ant-api\d{2}-[A-Za-z0-9_-]{20,}\b/,
+	/\blin_(?:api|oauth)_[A-Za-z0-9]{20,}\b/,
+	/\bvercel_[A-Za-z0-9]{20,}\b/,
+	/\bsntrys_[A-Za-z0-9_-]{20,}\b/,
+	/\bkey-[a-f0-9]{32}\b/i,
+	/\bnpm_[A-Za-z0-9]{30,}\b/,
+	/\bSG\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b/,
+	/https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/,
+	/https:\/\/discord(?:app)?\.com\/api\/webhooks\/\d+\/[A-Za-z0-9_-]+/,
+	/\bsb_secret_[A-Za-z0-9_]{20,}\b/,
+	/\bservice_role\b/i,
+	/"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----/,
+	/-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
+	/\b(?:postgres|mysql|mongodb(?:\+srv)?|redis):\/\/[^:\s/@]+:(?!(?:pass(?:word)?|my[a-z]*pass(?:word)?|mysecretpassword|myusername|postgres|mysql|redis|root|admin|minioadmin|secret|example|changeme|change_me|test|guest|placeholder|default|user(?:name)?|x{3,}|\*{2,}|\$\{[^}]*\}|\$[A-Z_]+|<[^>]*>|%[\w.]+%|\{\{[^}]*\}\})@)[^@\s/]+@(?!(?:localhost|127\.0\.0\.1|0\.0\.0\.0|host\.docker\.internal)(?:[:/\s]|$))[^\s:/@]*\./i
+];
+const PUBLIC_ENV_SECRET_NAME_PATTERN = /\b(?:NEXT_PUBLIC|VITE|REACT_APP|EXPO_PUBLIC)_[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PRIVATE|DATABASE_URL|SERVICE_ROLE|AWS_ACCESS_KEY|AWS_SECRET)[A-Z0-9_]*\b/i;
+const FULL_ENV_LEAK_CONTEXT_PATTERN = /\b(?:process\.env|import\.meta\.env|window\.__[A-Z0-9_]*ENV[A-Z0-9_]*__|__[A-Z0-9_]*ENV[A-Z0-9_]*__)\b/;
+const FULL_ENV_LEAK_SECRET_NAME_PATTERN = /\b(?:DATABASE_URL|AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|MAILGUN_API_KEY|SALESFORCE_CLIENT_SECRET|OKTA_CLIENT_SECRET|SESSION_SECRET|COOKIE_SECRET|PRIVATE_KEY|SERVICE_ROLE)\b/;
+const TRUSTED_PUBLIC_SECRET_NAME_PATTERN = /(?:SENTRY_DSN|PUBLIC_KEY|PUBLISHABLE|ANON_KEY|POSTHOG_(?:PROJECT_)?TOKEN|POSTHOG_KEY|TLDRAW_LICENSE_KEY|CLERK_PUBLISHABLE_KEY|ALGOLIA_SEARCH_KEY|GC_API_KEY|GOOGLE_MAPS_API_KEY|MAPBOX_TOKEN|MIXPANEL_TOKEN|(?:NEXT_PUBLIC|VITE|REACT_APP|EXPO_PUBLIC)_(?:DISABLE|ENABLE|ALLOW|REQUIRE)_)/i;
+const PUBLIC_CLIENT_KEY_PATTERNS = [
+	/^appl_/,
+	/^goog_/,
+	/^amzn_/,
+	/^strp_/,
+	/^pk_(?:live|test)_/,
+	/^sb_publishable_/,
+	/^phc_/,
+	/^public-token-(?:live|test)-/,
+	/^pk\.eyJ/
+];
+const SECRET_UNAMBIGUOUS_PLACEHOLDER_VALUE_PATTERNS = [
+	/^[\s._\-*\u2022xX]{8,}$/,
+	/(?:\.{3,}|\u2026|[*\u2022]{3,})/,
+	/(?:^|[_\-\s])(?:your|redacted|masked|placeholder|replace[_\-\s]?me|changeme)(?:$|[_\-\s])/i,
+	/<[^>]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^>]*>/i,
+	/\[[^\]]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^\]]*\]/i,
+	/\{[^}]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^}]*\}/i
+];
+const SECRET_CONTEXTUAL_PLACEHOLDER_VALUE_PATTERNS = [/(?:^|[_\-\s])(?:example|sample|dummy)(?:$|[_\-\s])/i];
+const SECRET_PLACEHOLDER_CONTEXT_PATTERN = /(?:placeholder|example|sample|dummy|masked|redacted|mask)/i;
+const SECRET_VARIABLE_PATTERN = /(?:api_?key|secret|token|password|credential|auth)/i;
+const SECRET_TOOLING_FILE_PATTERN = /(?:^|\/)[^/]+\.config\.[cm]?[jt]s$/;
+const SECRET_TOOLING_RC_FILE_PATTERN = /(?:^|\/)(?:\.[a-z-]+rc|[a-z-]+\.rc)\.[cm]?[jt]s$/;
+const SECRET_TEST_FILE_PATTERN = /(?:^|\/)[^/]+\.(?:test|spec|stories|story|fixture|fixtures)\.[cm]?[jt]sx?$/;
+const SECRET_SERVER_FILE_SUFFIX_PATTERN = /(?:^|\/)[^/]+\.server\.[cm]?[jt]sx?$/;
+const SECRET_SERVER_ENTRY_FILE_PATTERN = /(?:^|\/)(?:middleware|proxy|route)\.[cm]?[jt]sx?$/;
+const SECRET_NEXT_PAGES_API_FILE_PATTERN = /(?:^|\/)pages\/api\/.+\.[cm]?[jt]sx?$/;
+const SECRET_CLIENT_FILE_SUFFIX_PATTERN = /(?:^|\/)[^/]+\.(?:client|browser|web)\.[cm]?[jt]sx?$/;
+const SECRET_CLIENT_ENTRY_FILE_PATTERN = /(?:^|\/)(?:src\/)?(?:main|index|[Aa]pp|client)\.[cm]?[jt]sx?$/;
+const SECRET_SERVER_DIRECTORY_NAMES = new Set([
+	"backend",
+	"functions",
+	"lambdas",
+	"lambda",
+	"middleware",
+	"server",
+	"servers"
+]);
+const SECRET_SERVER_SOURCE_ROOT_OWNER_NAMES = new Set([
+	"api",
+	"backend",
+	"edge",
+	"function",
+	"functions",
+	"lambda",
+	"lambdas",
+	"server",
+	"servers",
+	"worker",
+	"workers"
+]);
+const SECRET_TEST_DIRECTORY_NAMES = new Set([
+	"__fixtures__",
+	"__mocks__",
+	"__tests__",
+	"fixtures",
+	"mocks",
+	"test",
+	"tests"
+]);
+const SECRET_TOOLING_DIRECTORY_NAMES = new Set([
+	"bin",
+	"config",
+	"configs",
+	"script",
+	"scripts",
+	"tooling",
+	"tools"
+]);
+const SECRET_CLIENT_SOURCE_DIRECTORY_NAMES = new Set([
+	"components",
+	"features",
+	"hooks",
+	"pages",
+	"ui",
+	"views",
+	"widgets"
+]);
+const SECRET_FALSE_POSITIVE_SUFFIXES = new Set([
+	"modal",
+	"label",
+	"text",
+	"title",
+	"name",
+	"id",
+	"url",
+	"path",
+	"route",
+	"page",
+	"param",
+	"field",
+	"column",
+	"header",
+	"placeholder",
+	"prefix",
+	"description",
+	"type",
+	"icon",
+	"class",
+	"style",
+	"variant",
+	"event",
+	"action",
+	"status",
+	"state",
+	"mode",
+	"flag",
+	"option",
+	"config",
+	"message",
+	"error",
+	"display",
+	"view",
+	"component",
+	"element",
+	"container",
+	"wrapper",
+	"button",
+	"link",
+	"input",
+	"select",
+	"dialog",
+	"menu",
+	"form",
+	"step",
+	"index",
+	"count",
+	"length",
+	"role",
+	"scope",
+	"context",
+	"provider",
+	"ref",
+	"handler",
+	"query",
+	"schema",
+	"constant"
+]);
+//#endregion
+//#region src/plugin/rules/security-scan/utils/escape-reg-exp.ts
+const escapeRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+//#endregion
+//#region src/plugin/rules/security-scan/utils/find-suspicious-public-env-secret-name.ts
+const findSuspiciousPublicEnvSecretNamePattern = (content) => {
+	for (const match of content.matchAll(new RegExp(PUBLIC_ENV_SECRET_NAME_PATTERN.source, "gi"))) {
+		const value = match[0] ?? "";
+		if (!TRUSTED_PUBLIC_SECRET_NAME_PATTERN.test(value)) return new RegExp(escapeRegExp(value));
+	}
+};
+//#endregion
+//#region src/plugin/rules/security-scan/utils/has-full-env-leak-shape.ts
+const hasFullEnvLeakShape = (content) => FULL_ENV_LEAK_CONTEXT_PATTERN.test(content) && FULL_ENV_LEAK_SECRET_NAME_PATTERN.test(content);
+//#endregion
+//#region src/plugin/rules/security-scan/utils/scan-artifact-leak.ts
+const scanArtifactLeak = (file, findLeakPattern, message) => {
+	if (DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath)) return [];
+	if (!isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle)) return [];
+	const leakPattern = findLeakPattern(file.content);
+	if (leakPattern === void 0) return [];
+	const location = getMatchLocation(file.content, leakPattern);
+	return [{
+		message,
+		line: location.line,
+		column: location.column
+	}];
+};
+//#endregion
+//#region src/plugin/rules/security-scan/artifact-env-leak.ts
+const artifactEnvLeak = defineRule({
+	id: "artifact-env-leak",
+	title: "Server env leaked to browser artifact",
+	severity: "error",
+	recommendation: "Treat public env prefixes as publication, not secrecy; keep secret env vars server-only and rebuild after rotating leaked keys.",
+	scan: (file) => scanArtifactLeak(file, (content) => findSuspiciousPublicEnvSecretNamePattern(content) ?? (hasFullEnvLeakShape(content) ? FULL_ENV_LEAK_SECRET_NAME_PATTERN : void 0), "A browser artifact contains server-secret environment names or a full environment dump shape.")
+});
+//#endregion
+//#region src/plugin/rules/security-scan/artifact-secret-leak.ts
+const artifactSecretLeak = defineRule({
+	id: "artifact-secret-leak",
+	title: "Secret shipped in browser artifact",
+	severity: "error",
+	recommendation: "Remove the secret from client bundles/static assets, rotate it, and route privileged service calls through server-only code.",
+	scan: (file) => scanArtifactLeak(file, (content) => SECRET_VALUE_PATTERNS.find((pattern) => pattern.test(content)), "A browser-delivered artifact contains a secret-looking credential value.")
+});
 //#endregion
 //#region src/plugin/constants/js.ts
 const LOOP_TYPES = [
@@ -3835,6 +4285,17 @@ const autocompleteValid = defineRule({
 		} };
 	}
 });
+const buildPipelineSecretBoundary = defineRule({
+	id: "build-pipeline-secret-boundary",
+	title: "Build pipeline runs code near secrets",
+	severity: "warn",
+	recommendation: "Run dependency installs with scripts disabled before exposing secrets, isolate untrusted build code, and move signing/deploy authority into a narrow privileged step.",
+	scan: scanByPattern({
+		shouldScan: (file) => isConfigOrCiPath(file.relativePath) && !file.relativePath.endsWith("package.json"),
+		pattern: /(?:npm|pnpm|yarn|bun)\s+(?:install|ci)\b(?:(?!--ignore-scripts)[\s\S]){0,700}\bsecrets\.[A-Z0-9_]+|\bsecrets\.[A-Z0-9_]+(?:(?!--ignore-scripts)[\s\S]){0,700}(?:npm|pnpm|yarn|bun)\s+(?:install|ci)\b/i,
+		message: "The build or install pipeline can execute package lifecycle code while CI secrets may be present."
+	})
+});
 //#endregion
 //#region src/plugin/utils/is-create-element-call.ts
 const memberChainContainsDocument = (memberExpression) => {
@@ -4135,6 +4596,19 @@ const clickEventsHaveKeyEvents = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/clickjacking-redirect-risk.ts
+const clickjackingRedirectRisk = defineRule({
+	id: "clickjacking-redirect-risk",
+	title: "Redirect or frame boundary risk",
+	severity: "warn",
+	recommendation: "Allowlist redirect origins/paths, set `frame-ancestors` for privileged pages, and avoid URL-prefilled privileged dialogs.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath) || isConfigOrCiPath(file.relativePath),
+		pattern: /\bredirect\s*\((?!\s*(?:await\s+)?[\w$]*(?:safe|valid|sanitiz|allowlist|whitelist)[\w$]*\s*\()[^)'"`\n]*\b(?:searchParams\.get|nextUrl\.searchParams|returnTo|callbackUrl|continue|next)\b|<iframe\b[\s\S]{0,700}\b(?:next=|continue=|redirect=|redirect_uri|userstoinvite|sharingaction|role=|\.\.)|frame-ancestors\s+(?:\*|'self'\s+\*)|X-Frame-Options["']?\s*:\s*["']?ALLOW/i,
+		message: "Redirect or framing configuration may let attacker-controlled URLs chain into privileged UI or clickjacking."
+	})
+});
+//#endregion
 //#region src/plugin/rules/client/client-localstorage-no-version.ts
 const VERSIONED_KEY_PATTERN = /(?:[._:-]v\d+|@\d+|\bv\d+\b)/i;
 const STORAGE_OBJECTS = new Set(["localStorage", "sessionStorage"]);
@@ -4203,6 +4677,23 @@ const clientPassiveEventListeners = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-dev-tooling-path.ts
+const isDevToolingPath = (relativePath) => /(?:^|\/)(?:tools?|scripts?)\/|(?:^|\/)management\/commands\/|(?:^|\/)(?:build|make|gulpfile|gruntfile)\.[cm]?[jt]s$/i.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-production-script-source-path.ts
+const isProductionScriptSourcePath = (relativePath) => isProductionFilePath(relativePath, SCRIPT_SOURCE_FILE_PATTERN);
+const commandExecutionInputRisk = defineRule({
+	id: "command-execution-input-risk",
+	title: "Command execution uses caller-shaped input",
+	severity: "error",
+	recommendation: "Avoid shell execution for caller-controlled values. Use fixed commands, argument arrays, strict allowlists, and no shell interpolation.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionScriptSourcePath(file.relativePath) && !isDevToolingPath(file.relativePath),
+		pattern: /(?:(?<![.\w$])(?:exec(?:Sync)?|spawn(?:Sync)?|system|passthru|proc_open|shell_exec)|\b(?:os\.system|subprocess\.(?:run|Popen|call)|(?:child_process|childProcess|cp)\.(?:exec|spawn)\w*))\s*\([^)]{0,220}(?:req\.|request\.|params\.|query\.|body\.|searchParams|\$_(?:GET|POST|REQUEST)|shell\s*=\s*true|f['"`][^'"`]*\{)/i,
+		message: "Command execution appears to include request, query, body, or shell-interpolated input."
+	})
+});
+//#endregion
 //#region src/plugin/utils/is-interactive-role.ts
 const isInteractiveRole = (role) => INTERACTIVE_ROLES.has(role);
 //#endregion
@@ -4380,6 +4871,130 @@ const controlHasAssociatedLabel = defineRule({
 		} };
 	}
 });
+//#endregion
+//#region src/plugin/rules/security-scan/cors-cookie-trust-risk.ts
+const corsCookieTrustRisk = defineRule({
+	id: "cors-cookie-trust-risk",
+	title: "Broad cookie or credentialed CORS trust",
+	severity: "warn",
+	recommendation: "Keep auth cookies host-only and HttpOnly, avoid credentialed CORS for less-trusted docs/vendor origins, and isolate documentation domains from app sessions.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath) || isConfigOrCiPath(file.relativePath),
+		pattern: /Access-Control-Allow-Credentials["']?\s*[:,]\s*["']?true[\s\S]{0,700}Access-Control-Allow-Origin["']?\s*[:,]\s*["']?(?:\*|https:\/\/docs\.|https:\/\/.*mintlify)|\b(?:session|auth|token|jwt)[^=\n]{0,80}\bDomain=\./i,
+		message: "Credentialed CORS or broad auth-cookie scope can make a docs/custom-domain XSS become account compromise."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/dangerous-html-sink.ts
+const DANGEROUS_HTML_PATTERN = /dangerouslySetInnerHTML|\.(?:inner|outer)HTML\s*[+]?=(?!=)|\.insertAdjacentHTML\s*\(|\bdocument\.write(?:ln)?\s*\(|\.(?:createContextualFragment|setHTMLUnsafe)\s*\(/;
+const HTML_VALUE_START_PATTERN = /(?:__html\s*:|\.(?:inner|outer)HTML\s*[+]?=(?!=)|\.insertAdjacentHTML\s*\(\s*[^,]*,|\bdocument\.write(?:ln)?\s*\(|\.(?:createContextualFragment|setHTMLUnsafe)\s*\()\s*([\s\S]*)/;
+const HTML_TAINT_PATTERN = /searchParams|query|params|request|req\.|response\.|result\.|data\.|await|fetch|props\.|children|content|html|body|text|message|\blocation\b|document\.cookie|\breferrer\b|\blocalStorage\b|\bsessionStorage\b|URLSearchParams|window\.name/i;
+const STRING_LITERAL_VALUE_PATTERN = /^(?:["'][^"']*["']|`[^`$]*`)\s*(?:\/\/[^\n]*)?\s*(?:[;,})\n]|$)/;
+const MODULE_CONSTANT_VALUE_PATTERN = /^[A-Z][A-Z0-9_]*\s*(?:\/\/[^\n]*)?\s*(?:[;,})\n]|$)/;
+const DOM_CONTENT_SOURCE_VALUE_PATTERN = /^[\w$]+(?:\??\.[\w$]+)*\??\.(?:inner|outer)HTML\b/;
+const SANITIZER_PATTERN = /\b(?:DOMPurify|sanitize\w*|purify|(?:escape|encode)[A-Za-z]*(?:Html|HTML|Entit\w*)|insane|xss)\b|(?<!un)safe|(?<!un)saniti[sz]/i;
+const SANITIZED_ASSIGNMENT_PATTERN = /=\s*[^\n;]*\b(?:DOMPurify\b|sanitize\w*\s*\(|purify\w*\s*\()/i;
+const DOM_CONTENT_ASSIGNMENT_PATTERN = /=\s*[\w$.?[\]]*\.(?:inner|outer)HTML\s*(?:[;,)\n]|$)/;
+const ENV_CONFIG_VALUE_PATTERN = /process\.env/;
+const I18N_VALUE_PATTERN = /\b(?:t|i18n|translate|formatMessage|intl)\s*[.(]/;
+const ESCAPING_SERIALIZER_CALL_PATTERN = /^(?:[\w$.]+\.)?(?:toHtml|render[A-Za-z]*(?:Html|HTML)|renderToString|renderToStaticMarkup|codeToHtml|codeToHast|highlight[A-Za-z]*)\s*\(/;
+const HIGHLIGHTER_LIBRARY_PATTERN = /\b(?:shiki|prism|hljs|highlightjs|getHighlighter|codeToHtml|codeToHast|refractor|lowlight|starry-night)\b|highlight\.js/i;
+const SERIALIZER_ASSIGNMENT_PATTERN = /=\s*[^\n;]*(?:\b(?:katex|shiki|hljs|prism|mermaid)\b|hast-util-to-html|renderHtmlFromRichText|(?:toHtml|render[A-Za-z]*(?:Html|HTML)|renderToString|renderToStaticMarkup|codeToHtml|codeToHast)\s*\()/i;
+const BARE_IDENTIFIER_VALUE_PATTERN = /^[\w$]+\s*(?:[;,})\n]|$)/;
+const MEMBER_OR_INDEX_ACCESS_VALUE_PATTERN = /^[\w$]+(?:\.[\w$]+|\[[^\]]*\])+\s*(?:[;,})\n]|$)/;
+const STYLE_TAG_BEFORE_SINK_PATTERN = /<style\b[^<>]*$/;
+const STYLE_TAG_LOOKBEHIND_LINES = 5;
+const EMAIL_TEMPLATE_PATH_PATTERN = /(?:^|\/)emails?(?:\/|$)|email[-_.]templates?(?:\/|$)|RawHtml|[A-Za-z]*[Ee]mail[A-Za-z]*\.(?:t|j)sx?/i;
+const INNERHTML_TARGET_PATTERN = /(?:^|[^\w$.])([\w$]+(?:\.[\w$]+)*)\.(?:(?:inner|outer)HTML\s*[+]?=(?!=)|insertAdjacentHTML\s*\()/;
+const LIVE_DOM_ATTACH_PATTERN = /\b(?:appendChild|append|prepend|before|after|replaceWith|replaceChild|replaceChildren|insertBefore|insertAdjacentElement)\s*\(/;
+const VALUE_LOOKAHEAD_LINES = 4;
+const VALUE_EXPRESSION_MAX_CHARS = 300;
+const STATIC_TEMPLATE_LOOKAHEAD_LINES = 60;
+const STATIC_TEMPLATE_MAX_CHARS = 5e3;
+const getTemplateInterpolations = (valueTail) => {
+	if (!valueTail.startsWith("`")) return null;
+	const closingBacktickIndex = valueTail.indexOf("`", 1);
+	if (closingBacktickIndex < 0 || closingBacktickIndex > STATIC_TEMPLATE_MAX_CHARS) return null;
+	const interpolations = valueTail.slice(1, closingBacktickIndex).match(/\$\{[^}]*\}/g);
+	return interpolations === null ? "" : interpolations.join(" ");
+};
+const isInertParseTarget = (target, fileContent) => {
+	const escapedTarget = escapeRegExp(target);
+	const escapedRoot = escapeRegExp(target.split(".")[0] ?? target);
+	if (new RegExp(`\\b${escapedRoot}\\s*=\\s*[^\\n;]*(?:getElementById|querySelector|getElementsBy|\\.current\\b|document\\.(?:body|head|documentElement))`).test(fileContent)) return false;
+	if (new RegExp(`${escapedTarget}\\s*=\\s*document\\.createElement\\(\\s*["'\`]template["'\`]`).test(fileContent)) return true;
+	if (new RegExp(`${escapedRoot}\\s*=\\s*[^\\n;]*\\bcreateElement\\(\\s*["'\`](?:style|textarea)["'\`]`).test(fileContent)) return true;
+	if (new RegExp(`${escapedRoot}\\s*=\\s*[^\\n;]*\\bcreateHTMLDocument\\s*\\(`).test(fileContent)) return true;
+	if (!new RegExp(`${escapedRoot}\\s*=\\s*[^\\n;]*\\bcreateElement\\s*\\(`).test(fileContent)) return false;
+	const attachedToLiveTreePattern = new RegExp(`${LIVE_DOM_ATTACH_PATTERN.source}[^)]*\\b${escapedRoot}\\b`);
+	const returnedAsNodePattern = new RegExp(`\\breturn\\b[^\\n]*\\b${escapedRoot}\\b(?!\\s*\\.\\s*(?:textContent|innerText|innerHTML|outerHTML))`);
+	if (attachedToLiveTreePattern.test(fileContent) || returnedAsNodePattern.test(fileContent)) return false;
+	return new RegExp(`\\b${escapedRoot}\\.(?:textContent|innerText|querySelector|querySelectorAll|children|childNodes)\\b`).test(fileContent);
+};
+const dangerousHtmlSink = defineRule({
+	id: "dangerous-html-sink",
+	title: "HTML injection sink with dynamic content",
+	severity: "warn",
+	recommendation: "Prefer rendering structured React nodes. If HTML is required, sanitize with a well-reviewed sanitizer and keep the trust boundary close to the sink.",
+	scan: (file) => {
+		if (file.isGeneratedBundle) return [];
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		if (EMAIL_TEMPLATE_PATH_PATTERN.test(file.relativePath)) return [];
+		if (!DANGEROUS_HTML_PATTERN.test(file.content)) return [];
+		const findings = [];
+		const lines = file.content.split("\n");
+		for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+			const line = lines[lineIndex] ?? "";
+			if (!DANGEROUS_HTML_PATTERN.test(line)) continue;
+			const codeBeforeSinkOnLine = line.slice(0, line.search(DANGEROUS_HTML_PATTERN)).replace(/"[^"]*"|'[^']*'|`[^`]*`/g, "");
+			if (/(?:^|[^:])\/\//.test(codeBeforeSinkOnLine) || /^\s*[/*]/.test(line)) continue;
+			const sinkWindow = lines.slice(lineIndex, lineIndex + 1 + VALUE_LOOKAHEAD_LINES).join("\n");
+			const valueMatch = HTML_VALUE_START_PATTERN.exec(sinkWindow);
+			if (valueMatch === null) continue;
+			const fullValueTail = (valueMatch[1] ?? "").trimStart();
+			const valueTail = fullValueTail.slice(0, VALUE_EXPRESSION_MAX_CHARS);
+			const terminatorIndex = valueTail.search(/[;}]/);
+			const valueExpression = terminatorIndex >= 0 ? valueTail.slice(0, terminatorIndex + 1) : valueTail;
+			if (STRING_LITERAL_VALUE_PATTERN.test(valueExpression)) continue;
+			if (MODULE_CONSTANT_VALUE_PATTERN.test(valueExpression)) continue;
+			if (DOM_CONTENT_SOURCE_VALUE_PATTERN.test(valueExpression) && !valueExpression.includes("+")) {
+				const afterDomRead = valueExpression.replace(DOM_CONTENT_SOURCE_VALUE_PATTERN, "");
+				if (!HTML_TAINT_PATTERN.test(afterDomRead)) continue;
+			}
+			const longValueTail = HTML_VALUE_START_PATTERN.exec(lines.slice(lineIndex, lineIndex + 1 + STATIC_TEMPLATE_LOOKAHEAD_LINES).join("\n"))?.[1]?.trimStart();
+			const templateInterpolations = getTemplateInterpolations(longValueTail ?? fullValueTail);
+			if (templateInterpolations === "") continue;
+			const judgedExpression = templateInterpolations ?? valueExpression;
+			if (SANITIZER_PATTERN.test(judgedExpression)) continue;
+			if (ENV_CONFIG_VALUE_PATTERN.test(judgedExpression)) continue;
+			if (I18N_VALUE_PATTERN.test(judgedExpression)) continue;
+			if (!HTML_TAINT_PATTERN.test(judgedExpression)) continue;
+			if (ESCAPING_SERIALIZER_CALL_PATTERN.test(valueExpression)) continue;
+			if (/highlighted/i.test(valueExpression)) continue;
+			if (/highlight/i.test(valueExpression) && HIGHLIGHTER_LIBRARY_PATTERN.test(file.content)) continue;
+			if (BARE_IDENTIFIER_VALUE_PATTERN.test(valueExpression) || MEMBER_OR_INDEX_ACCESS_VALUE_PATTERN.test(valueExpression)) {
+				const valueIdentifier = valueExpression.match(/^[\w$]+/)?.[0];
+				if (valueIdentifier !== void 0) {
+					const escapedIdentifier = escapeRegExp(valueIdentifier);
+					const fromSerializer = new RegExp(`\\b${escapedIdentifier}\\b\\s*${SERIALIZER_ASSIGNMENT_PATTERN.source}`, "i");
+					const fromSanitizer = new RegExp(`\\b${escapedIdentifier}\\b\\s*${SANITIZED_ASSIGNMENT_PATTERN.source}`, "i");
+					const fromDomContent = new RegExp(`\\b${escapedIdentifier}\\b\\s*${DOM_CONTENT_ASSIGNMENT_PATTERN.source}`);
+					if (fromSerializer.test(file.content) || fromSanitizer.test(file.content) || fromDomContent.test(file.content)) continue;
+				}
+			}
+			const sinkTargetMatch = INNERHTML_TARGET_PATTERN.exec(line);
+			if (sinkTargetMatch?.[1] !== void 0 && isInertParseTarget(sinkTargetMatch[1], file.content)) continue;
+			const textBeforeSink = lines.slice(Math.max(0, lineIndex - STYLE_TAG_LOOKBEHIND_LINES), lineIndex + 1).join("\n").slice(0, -line.length + line.search(DANGEROUS_HTML_PATTERN));
+			if (STYLE_TAG_BEFORE_SINK_PATTERN.test(textBeforeSink)) continue;
+			findings.push({
+				message: "HTML is injected from a dynamic-looking source, which can become XSS if the value is user-controlled or unsanitized.",
+				line: lineIndex + 1,
+				column: line.search(/\S/) + 1
+			});
+		}
+		return findings;
+	}
+});
 const LONG_TRANSITION_DURATION_THRESHOLD_MS = 1e3;
 const VAGUE_BUTTON_LABELS = new Set([
 	"continue",
@@ -6774,6 +7389,56 @@ const expoNoNonInlinedEnv = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-client-source-path.ts
+const isClientSourcePath = (relativePath) => {
+	if (!isProductionSourcePath(relativePath)) return false;
+	if (SERVER_CONTEXT_PATTERN.test(relativePath)) return false;
+	return true;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/firebase-client-owned-authz-field.ts
+const CLIENT_DATABASE_EVIDENCE_PATTERN = /firebase|firestore|supabase|\b(?:setDoc|addDoc)\s*\(/i;
+const firebaseClientOwnedAuthzField = defineRule({
+	id: "firebase-client-owned-authz-field",
+	title: "Client writes authorization field",
+	severity: "error",
+	recommendation: "Derive authority fields on the server or enforce them in Firebase/Supabase rules; never trust client-provided owner, org, or role values.",
+	scan: scanByPattern({
+		shouldScan: (file) => isClientSourcePath(file.relativePath) && (CLIENT_DATABASE_EVIDENCE_PATTERN.test(file.content) || CLIENT_DATABASE_EVIDENCE_PATTERN.test(file.relativePath)),
+		pattern: /(?:\b(?:setDoc|updateDoc|addDoc)\s*\(|(?:\b(?:firebase|firestore|getFirestore)\b|\bcollection\s*\(|\.collection\s*\()[\s\S]{0,500}\.(?:set|update|add)\s*\()[\s\S]{0,700}\b(?:ownerId|ownerID|creatorId|creatorID|providerId|providerID|orgId|orgID|tenantId|tenantID|workspaceId|workspaceID|ghostOrg|role|roles|isAdmin)\b/i,
+		message: "Client code writes an ownership, tenant, or role field that should be server-owned and immutable."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-firebase-rules-path.ts
+const isFirebaseRulesPath = (relativePath) => /(?:^|\/)(?:firestore\.rules|storage\.rules|database\.rules\.json)$/.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/firebase-permissive-rules.ts
+const firebasePermissiveRules = defineRule({
+	id: "firebase-permissive-rules",
+	title: "Permissive Firebase security rule",
+	severity: "error",
+	recommendation: "Bind every read/write to `request.auth.uid`, immutable ownership, and tenant membership instead of treating sign-in as authorization.",
+	scan: scanByPattern({
+		shouldScan: (file) => isFirebaseRulesPath(file.relativePath),
+		pattern: /allow\s+(?:read|write|create|update|delete|list|get|read,\s*write)\s*:\s*if\s+(?:true|request\.auth\s*!=\s*null)\s*;?/i,
+		message: "Firebase rules grant broad access to everyone or to any signed-in user, which is the Chattr/Firewreck failure mode."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/firebase-query-filter-as-auth.ts
+const firebaseQueryFilterAsAuth = defineRule({
+	id: "firebase-query-filter-as-auth",
+	title: "Firestore query filter used as authorization",
+	severity: "warn",
+	recommendation: "Make sure Firestore rules compare the requested document against `request.auth.uid` and trusted membership data.",
+	scan: scanByPattern({
+		shouldScan: (file) => isClientSourcePath(file.relativePath),
+		pattern: /\.where\s*\(\s*["'](?:uid|userId|userID|ownerId|ownerID|orgId|orgID|tenantId|tenantID|role)["']\s*,\s*["']==["']/i,
+		message: "Firestore query code filters by an auth-shaped field; filtering is not authorization unless rules enforce the same boundary."
+	})
+});
+//#endregion
 //#region src/plugin/utils/compile-glob.ts
 /**
 * Compiles a simple glob pattern (only `*` as a wildcard) into an
@@ -7037,6 +7702,37 @@ const forwardRefUsesRef = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/git-provider-url-injection-risk.ts
+const GIT_PROVIDER_HOST_PATTERN = /api\.github\.com|github\.com|gitlab\.com|bitbucket\.org/gi;
+const TEMPLATE_INTERPOLATION_PATTERN = /\$\{([^}]*)\}/g;
+const EXTERNAL_INPUT_PATTERN = /\b(?:params|searchParams|query|req|request|input|payload)\s*[.[]|\buntrusted|\bdecodeURI\w*/;
+const ENCODED_INTERPOLATION_PATTERN = /encodeURIComponent\s*\(/;
+const INTERPOLATION_LOOKAHEAD_CHARS = 200;
+const gitProviderUrlInjectionRisk = defineRule({
+	id: "git-provider-url-injection-risk",
+	title: "Git provider URL built from interpolation",
+	severity: "warn",
+	recommendation: "Validate owner, repo, org, and branch identifiers against strict slugs and build URLs with URL/path encoders instead of raw interpolation.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const findings = [];
+		for (const hostMatch of file.content.matchAll(GIT_PROVIDER_HOST_PATTERN)) {
+			const rawTail = file.content.slice(hostMatch.index, hostMatch.index + INTERPOLATION_LOOKAHEAD_CHARS);
+			const templateEndIndex = rawTail.indexOf("`");
+			const urlTail = templateEndIndex >= 0 ? rawTail.slice(0, templateEndIndex) : rawTail;
+			if (!Array.from(urlTail.matchAll(TEMPLATE_INTERPOLATION_PATTERN)).some((interpolation) => EXTERNAL_INPUT_PATTERN.test(interpolation[1] ?? "") && !ENCODED_INTERPOLATION_PATTERN.test(interpolation[1] ?? ""))) continue;
+			const location = getLocationAtIndex(file.content, hostMatch.index);
+			findings.push({
+				message: "GitHub/GitLab/Bitbucket URL construction interpolates path components that may be attacker-controlled.",
+				line: location.line,
+				column: location.column
+			});
+			break;
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
 const MESSAGE$45 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
@@ -7707,6 +8403,98 @@ const imgRedundantAlt = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/import-metadata-execution-risk.ts
+const PROCESS_MODULE_EVIDENCE_PATTERN = /child_process|childProcess|execa|subprocess|Deno\.run/;
+const EXECUTION_WITH_BARE_CALLS_PATTERN = /(?:\b(?:eval|new\s+Function|vm\.runIn\w*)|(?<![.\w$])(?:exec(?:File)?(?:Sync)?|spawn(?:Sync)?)|\b(?:child_process|childProcess|cp)\.(?:exec|spawn)\w*)\s*\([^;]{0,200}(?<!["'])\b(?:exif|metadata|manifest|preset|plugin|upload|drop(?:ped|s)?\b|archive|zip|unzip|untar)(?!\w*["'])/;
+const EXECUTION_WITHOUT_BARE_CALLS_PATTERN = /(?:\b(?:eval|new\s+Function|vm\.runIn\w*)|\b(?:child_process|childProcess|cp)\.(?:exec|spawn)\w*)\s*\([^;]{0,200}(?<!["'])\b(?:exif|metadata|manifest|preset|plugin|upload|drop(?:ped|s)?\b|archive|zip|unzip|untar)(?!\w*["'])/;
+const EXECUTION_RISK_MESSAGE = "Imported metadata, uploads, or plugin manifests appear to reach code execution.";
+const scanWithBareCalls = scanByPattern({
+	shouldScan: () => true,
+	pattern: EXECUTION_WITH_BARE_CALLS_PATTERN,
+	message: EXECUTION_RISK_MESSAGE
+});
+const scanWithoutBareCalls = scanByPattern({
+	shouldScan: () => true,
+	pattern: EXECUTION_WITHOUT_BARE_CALLS_PATTERN,
+	message: EXECUTION_RISK_MESSAGE
+});
+const importMetadataExecutionRisk = defineRule({
+	id: "import-metadata-execution-risk",
+	title: "Imported metadata reaches code execution",
+	severity: "error",
+	recommendation: "Parse imported metadata as data with strict schemas; do not evaluate EXIF, manifests, presets, dropped files, or archives.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		return PROCESS_MODULE_EVIDENCE_PATTERN.test(file.content) ? scanWithBareCalls(file) : scanWithoutBareCalls(file);
+	}
+});
+//#endregion
+//#region src/plugin/rules/security-scan/insecure-crypto-risk.ts
+const WEAK_HASH_PATTERN = /createHash\s*\(\s*["'](?:md5|sha1)["']|\bmd5\s*\(/gi;
+const SECURITY_CONTEXT_PATTERN = /\b(?:password|token|secret|signature|signing|auth|credential|session|cookie|csrf|api.?key)\b/i;
+const DEPRECATED_CIPHER_API_PATTERN = /(?<!cipher\.)\bcreate(?:Cipher|Decipher)\s*\(/;
+const WEAK_CIPHER_ALGORITHM_PATTERN = /\bcreate(?:Cipher|Decipher)iv\s*\(\s*["'](?:des|des3|des-?ede3?|rc4|rc2|bf|blowfish)\b/i;
+const WEAK_CIPHER_NAME_PATTERN = /\b(?:DES|RC4|Blowfish)\b/;
+const CIPHER_CONTEXT_PATTERN = /\b(?:cipher|decipher|encrypt|decrypt|crypto)\b/i;
+const UNSAFE_SIGNATURE_COMPARISON_PATTERN = /[A-Za-z_$][\w$.]*signature[\w$]*(?:\([^)]*\))?\s*(?:===?|!==?)\s*[A-Za-z_$][\w$.]*(?:\([^)]*\))?|[A-Za-z_$][\w$.]*(?:\([^)]*\))?\s*(?:===?|!==?)\s*[A-Za-z_$][\w$.]*signature[\w$]*(?:\([^)]*\))?/i;
+const ENUM_MEMBER_COMPARAND_PATTERN = /(?:===?|!==?)\s*[A-Z](?:[a-z]|[A-Z0-9_]*\b(?!\s*[.(]))|^[A-Z](?:[a-z]|[A-Z0-9_]*\b(?!\s*[.(]))[\w$.]*(?:\([^)]*\))?\s*(?:===?|!==?)/;
+const SIGNATURE_METADATA_IDENTIFIER_PATTERN = /signature(?:Method|Type|Status|Algorithm|Kind|Mode|Version)\b/i;
+const BOOLEAN_COMPARAND_PATTERN = /(?:===?|!==?)\s*(?:true|false|null|undefined)\b/;
+const CLIENT_COMPONENT_FILE_PATTERN = /\.[cm]?[jt]sx$/i;
+const TIMING_SAFE_COMPARISON_PATTERN = /timingSafeEqual|timing.?safe/i;
+const PROTOCOL_MANDATED_HASH_CONTEXT_PATTERN = /gravatar|digest[-_ ]?auth|oauth[-_ ]?1|\b_id\b|\betag\b|checksum|cache[-_ ]?key|fingerprint/i;
+const SECURITY_RANDOM_CONTEXT_PATTERN = /token|secret|password|nonce|salt|csrf|credential|otp/i;
+const UI_NONCE_CONTEXT_PATTERN = /(?:focus|render|refresh|remount|redraw|animation|layout|cache|update)[-_]?nonce/i;
+const MATH_RANDOM_CALL_PATTERN = /Math\.random\s*\(/g;
+const SECURITY_CONTEXT_WINDOW_CHARS = 250;
+const findMatchIndexNearContext = (content, pattern, contextPattern, excludeContextPattern) => {
+	for (const callMatch of content.matchAll(pattern)) {
+		const surroundingText = content.slice(Math.max(0, callMatch.index - SECURITY_CONTEXT_WINDOW_CHARS), callMatch.index + SECURITY_CONTEXT_WINDOW_CHARS);
+		if (!contextPattern.test(surroundingText)) continue;
+		if (excludeContextPattern?.test(surroundingText)) continue;
+		return callMatch.index;
+	}
+	return -1;
+};
+const findRandomCallIndexWithSameLineContext = (content, pattern, contextPattern, excludeContextPattern) => {
+	for (const callMatch of content.matchAll(pattern)) {
+		const lineStartIndex = content.lastIndexOf("\n", callMatch.index) + 1;
+		const lineEndCandidate = content.indexOf("\n", callMatch.index);
+		const lineEndIndex = lineEndCandidate < 0 ? content.length : lineEndCandidate;
+		const lineText = content.slice(lineStartIndex, lineEndIndex);
+		if (excludeContextPattern.test(lineText)) continue;
+		if (contextPattern.test(lineText)) return callMatch.index;
+	}
+	return -1;
+};
+const insecureCryptoRisk = defineRule({
+	id: "insecure-crypto-risk",
+	title: "Weak cryptography in security context",
+	severity: "warn",
+	recommendation: "Use modern primitives, `crypto.randomBytes` / Web Crypto randomness, and timing-safe comparisons for signatures, digests, tokens, and auth material.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		if (DEMO_CONTEXT_PATTERN.test(file.relativePath)) return [];
+		if (PROTOCOL_MANDATED_HASH_CONTEXT_PATTERN.test(file.relativePath)) return [];
+		let matchIndex = findMatchIndexNearContext(file.content, WEAK_HASH_PATTERN, SECURITY_CONTEXT_PATTERN, PROTOCOL_MANDATED_HASH_CONTEXT_PATTERN);
+		if (matchIndex < 0) matchIndex = file.content.search(WEAK_CIPHER_ALGORITHM_PATTERN);
+		if (matchIndex < 0) matchIndex = file.content.search(DEPRECATED_CIPHER_API_PATTERN);
+		if (matchIndex < 0 && CIPHER_CONTEXT_PATTERN.test(file.content)) matchIndex = file.content.search(WEAK_CIPHER_NAME_PATTERN);
+		if (matchIndex < 0 && !TIMING_SAFE_COMPARISON_PATTERN.test(file.content) && !CLIENT_COMPONENT_FILE_PATTERN.test(file.relativePath)) {
+			const comparisonMatch = UNSAFE_SIGNATURE_COMPARISON_PATTERN.exec(file.content);
+			if (comparisonMatch !== null && !ENUM_MEMBER_COMPARAND_PATTERN.test(comparisonMatch[0]) && !SIGNATURE_METADATA_IDENTIFIER_PATTERN.test(comparisonMatch[0]) && !BOOLEAN_COMPARAND_PATTERN.test(comparisonMatch[0])) matchIndex = comparisonMatch.index;
+		}
+		if (matchIndex < 0) matchIndex = findRandomCallIndexWithSameLineContext(file.content, MATH_RANDOM_CALL_PATTERN, SECURITY_RANDOM_CONTEXT_PATTERN, UI_NONCE_CONTEXT_PATTERN);
+		if (matchIndex < 0) return [];
+		const location = getLocationAtIndex(file.content, matchIndex);
+		return [{
+			message: "Code uses weak hashes, deprecated ciphers, timing-unsafe comparisons, or Math.random in a security-shaped context.",
+			line: location.line,
+			column: location.column
+		}];
+	}
+});
+//#endregion
 //#region src/plugin/constants/event-handlers.ts
 const MOUSE_EVENT_HANDLERS = [
 	"onClick",
@@ -11912,6 +12700,19 @@ const jsxPropsNoSpreading = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/key-lifecycle-risk.ts
+const keyLifecycleRisk = defineRule({
+	id: "key-lifecycle-risk",
+	title: "Long-lived key material in repository",
+	severity: "error",
+	recommendation: "Remove private keys from source, rotate exposed credentials, prefer short-lived deploy credentials, and document revocation/expiry for release keys.",
+	scan: scanByPattern({
+		shouldScan: (file) => !TEST_CONTEXT_PATTERN.test(file.relativePath) && !DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath),
+		pattern: /(?<!(?:placeholder|example|sample|dummy|fake)[\s\S]{0,40})-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----(?:\s|\\r|\\n)*[A-Za-z0-9+/=][A-Za-z0-9+/=\s]{38,}(?![^-]{0,160}\.\.\.)|\b(?:SSH_PRIVATE_KEY|GPG_PRIVATE_KEY|DEPLOY_KEY|SIGNING_KEY)\b\s*[:=]\s*["'][^"'\n]{16,}["']/i,
+		message: "Private or long-lived release key material appears in the repository."
+	})
+});
+//#endregion
 //#region src/plugin/rules/a11y/label-has-associated-control.ts
 const MESSAGE_NO_LABEL = "Blind users can't identify this field because screen readers find no label text, so add visible text, `aria-label`, or `aria-labelledby`.";
 const MESSAGE_NO_CONTROL = "Screen reader users can't tell which input this label names because it's tied to none, so add `htmlFor` or wrap the input inside it.";
@@ -12287,6 +13088,44 @@ const lang = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/local-rpc-native-bridge-risk.ts
+const localRpcNativeBridgeRisk = defineRule({
+	id: "local-rpc-native-bridge-risk",
+	title: "Weak localhost native bridge boundary",
+	severity: "warn",
+	recommendation: "Use exact origin allowlists after URL parsing, per-request nonces, narrow methods, and never expose install/update commands to arbitrary web pages.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\b(?:127\.0\.0\.1|localhost|Access-Control-Allow-Origin|websocket|WebSocket)\b[\s\S]{0,700}(?:\b(?:UpdateApp|InstallApp|child_process)\b|(?<![.\w$])(?:exec(?:File)?(?:Sync)?|spawn(?:Sync)?)\s*\()/i,
+		message: "Code appears to bridge browser code to localhost/native capabilities with weak origin or update/install checks."
+	})
+});
+const mcpToolCapabilityRisk = defineRule({
+	id: "mcp-tool-capability-risk",
+	title: "MCP tool exposes dangerous capability",
+	severity: "warn",
+	recommendation: "MCP tool calls run with the connecting client's authority. Validate inputs, enforce per-tool authorization, and avoid raw filesystem/shell/network access where possible.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\bserver\.\s*tool\s*\(|\bregisterTool\s*\(|\bsetRequestHandler\s*\(\s*CallToolRequestSchema/,
+		requireAll: [/\bfrom\s+["']@modelcontextprotocol\/sdk[^"']*["']|\bMcpServer\b|\bMcpAgent\b/, AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		message: "An MCP tool/resource/prompt handler appears to expose file, shell, network, or code-execution capability."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/mdx-ssr-execution-risk.ts
+const mdxSsrExecutionRisk = defineRule({
+	id: "mdx-ssr-execution-risk",
+	title: "Server-rendered MDX can execute code",
+	severity: "warn",
+	recommendation: "Use a constrained compiler for untrusted content, disable expressions/raw HTML, sandbox renderers, and avoid caching attacker-controlled output across tenants.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /(?:@mdx-js\/mdx|next-mdx-remote|\b(?:MDXRemote|compileMDX|evaluateMdx)\b)[\s\S]{0,700}\b(?:repo|customer|tenant|user[-_]?(?:content|markdown|mdx|input|provided|generated|submitted)|untrusted|searchParams|req\.|request\.|fetch\s*\(|prisma\.|db\.|database|rehypeRaw|allowDangerousHtml)/i,
+		message: "MDX/markdown rendering code may evaluate user or repository content during SSR or static generation."
+	})
+});
+//#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
 const MESSAGE$32 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
@@ -13484,6 +14323,20 @@ const FILENAME_TO_LANG = {
 const resolveLang = (filename) => {
 	return FILENAME_TO_LANG[path.extname(filename).toLowerCase()] ?? "tsx";
 };
+const parseSourceText = (filename, sourceText) => {
+	try {
+		const result = parseSync(filename, sourceText, {
+			astType: "ts",
+			lang: resolveLang(filename)
+		});
+		if (result.errors.some((parseError) => parseError.severity === "Error")) return null;
+		const parsedProgram = result.program;
+		attachParentReferences(parsedProgram);
+		return parsedProgram;
+	} catch {
+		return null;
+	}
+};
 const parseCache = /* @__PURE__ */ new Map();
 const parseSourceFile = (absoluteFilePath) => {
 	let fileStat;
@@ -13515,19 +14368,7 @@ const parseSourceFile = (absoluteFilePath) => {
 		});
 		return null;
 	}
-	let parsedProgram = null;
-	try {
-		const result = parseSync(absoluteFilePath, sourceText, {
-			astType: "ts",
-			lang: resolveLang(absoluteFilePath)
-		});
-		if (!result.errors.some((parseError) => parseError.severity === "Error")) {
-			parsedProgram = result.program;
-			attachParentReferences(parsedProgram);
-		}
-	} catch {
-		parsedProgram = null;
-	}
+	const parsedProgram = parseSourceText(absoluteFilePath, sourceText);
 	parseCache.set(absoluteFilePath, {
 		mtimeMs: fileStat.mtimeMs,
 		size: fileStat.size,
@@ -21536,7 +22377,7 @@ const isUndefinedNode = (node) => {
 	if (node === null || node === void 0) return true;
 	return isNodeOfType(node, "Identifier") && node.name === "undefined";
 };
-const getNodeText = (node) => {
+const getNodeText$1 = (node) => {
 	if (!node) return "";
 	return JSON.stringify(node, (key, value) => {
 		if (key === "parent" || key === "loc" || key === "range" || key === "start" || key === "end") return;
@@ -21554,7 +22395,7 @@ const isSetStateToInitialValue = (analysis, setterRef) => {
 	if (isUndefinedNode(setStateToValue) && isUndefinedNode(stateInitialValue)) return true;
 	if (setStateToValue == null && stateInitialValue == null) return true;
 	if (setStateToValue && !stateInitialValue || !setStateToValue && stateInitialValue) return false;
-	return getNodeText(setStateToValue) === getNodeText(stateInitialValue);
+	return getNodeText$1(setStateToValue) === getNodeText$1(stateInitialValue);
 };
 const countUseStates = (analysis, componentNode) => {
 	if (!componentNode) return 0;
@@ -21618,173 +22459,6 @@ const noScaleFromZero = defineRule({
 	} })
 });
 //#endregion
-//#region src/plugin/constants/security.ts
-const AUTH_FUNCTION_NAMES = new Set([
-	"auth",
-	"getSession",
-	"getServerSession",
-	"getUser",
-	"requireAuth",
-	"checkAuth",
-	"verifyAuth",
-	"authenticate",
-	"currentUser",
-	"getAuth",
-	"validateSession"
-]);
-const GENERIC_AUTH_METHOD_NAMES = new Set(["getUser"]);
-const AUTH_OBJECT_PATTERN = /(?:^|[._])(?:auth|authn|authz|clerk|session|jwt|firebase|supabase|nextauth|kinde|workos|stytch|descope|cognito|propelauth|lucia)/i;
-const SECRET_PATTERNS = [
-	/^sk_live_/,
-	/^sk_test_/,
-	/^AKIA[0-9A-Z]{16}$/,
-	/^ghp_[a-zA-Z0-9]{36}$/,
-	/^gho_[a-zA-Z0-9]{36}$/,
-	/^github_pat_/,
-	/^glpat-/,
-	/^xox[bporas]-/,
-	/^sk-[a-zA-Z0-9]{32,}$/
-];
-const PUBLIC_CLIENT_KEY_PATTERNS = [
-	/^appl_/,
-	/^goog_/,
-	/^amzn_/,
-	/^strp_/,
-	/^pk_(?:live|test)_/,
-	/^sb_publishable_/,
-	/^phc_/,
-	/^public-token-(?:live|test)-/,
-	/^pk\.eyJ/
-];
-const SECRET_UNAMBIGUOUS_PLACEHOLDER_VALUE_PATTERNS = [
-	/^[\s._\-*\u2022xX]{8,}$/,
-	/(?:\.{3,}|\u2026|[*\u2022]{3,})/,
-	/(?:^|[_\-\s])(?:your|redacted|masked|placeholder|replace[_\-\s]?me|changeme)(?:$|[_\-\s])/i,
-	/<[^>]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^>]*>/i,
-	/\[[^\]]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^\]]*\]/i,
-	/\{[^}]*(?:auth|credential|key|password|secret|token|your|redacted|placeholder|masked)[^}]*\}/i
-];
-const SECRET_CONTEXTUAL_PLACEHOLDER_VALUE_PATTERNS = [/(?:^|[_\-\s])(?:example|sample|dummy)(?:$|[_\-\s])/i];
-const SECRET_PLACEHOLDER_CONTEXT_PATTERN = /(?:placeholder|example|sample|dummy|masked|redacted|mask)/i;
-const SECRET_VARIABLE_PATTERN = /(?:api_?key|secret|token|password|credential|auth)/i;
-const SECRET_TOOLING_FILE_PATTERN = /(?:^|\/)[^/]+\.config\.[cm]?[jt]s$/;
-const SECRET_TOOLING_RC_FILE_PATTERN = /(?:^|\/)(?:\.[a-z-]+rc|[a-z-]+\.rc)\.[cm]?[jt]s$/;
-const SECRET_TEST_FILE_PATTERN = /(?:^|\/)[^/]+\.(?:test|spec|stories|story|fixture|fixtures)\.[cm]?[jt]sx?$/;
-const SECRET_SERVER_FILE_SUFFIX_PATTERN = /(?:^|\/)[^/]+\.server\.[cm]?[jt]sx?$/;
-const SECRET_SERVER_ENTRY_FILE_PATTERN = /(?:^|\/)(?:middleware|proxy|route)\.[cm]?[jt]sx?$/;
-const SECRET_NEXT_PAGES_API_FILE_PATTERN = /(?:^|\/)pages\/api\/.+\.[cm]?[jt]sx?$/;
-const SECRET_CLIENT_FILE_SUFFIX_PATTERN = /(?:^|\/)[^/]+\.(?:client|browser|web)\.[cm]?[jt]sx?$/;
-const SECRET_CLIENT_ENTRY_FILE_PATTERN = /(?:^|\/)(?:src\/)?(?:main|index|[Aa]pp|client)\.[cm]?[jt]sx?$/;
-const SECRET_SERVER_DIRECTORY_NAMES = new Set([
-	"backend",
-	"functions",
-	"lambdas",
-	"lambda",
-	"middleware",
-	"server",
-	"servers"
-]);
-const SECRET_SERVER_SOURCE_ROOT_OWNER_NAMES = new Set([
-	"api",
-	"backend",
-	"edge",
-	"function",
-	"functions",
-	"lambda",
-	"lambdas",
-	"server",
-	"servers",
-	"worker",
-	"workers"
-]);
-const SECRET_TEST_DIRECTORY_NAMES = new Set([
-	"__fixtures__",
-	"__mocks__",
-	"__tests__",
-	"fixtures",
-	"mocks",
-	"test",
-	"tests"
-]);
-const SECRET_TOOLING_DIRECTORY_NAMES = new Set([
-	"bin",
-	"config",
-	"configs",
-	"script",
-	"scripts",
-	"tooling",
-	"tools"
-]);
-const SECRET_CLIENT_SOURCE_DIRECTORY_NAMES = new Set([
-	"components",
-	"features",
-	"hooks",
-	"pages",
-	"ui",
-	"views",
-	"widgets"
-]);
-const SECRET_FALSE_POSITIVE_SUFFIXES = new Set([
-	"modal",
-	"label",
-	"text",
-	"title",
-	"name",
-	"id",
-	"url",
-	"path",
-	"route",
-	"page",
-	"param",
-	"field",
-	"column",
-	"header",
-	"placeholder",
-	"prefix",
-	"description",
-	"type",
-	"icon",
-	"class",
-	"style",
-	"variant",
-	"event",
-	"action",
-	"status",
-	"state",
-	"mode",
-	"flag",
-	"option",
-	"config",
-	"message",
-	"error",
-	"display",
-	"view",
-	"component",
-	"element",
-	"container",
-	"wrapper",
-	"button",
-	"link",
-	"input",
-	"select",
-	"dialog",
-	"menu",
-	"form",
-	"step",
-	"index",
-	"count",
-	"length",
-	"role",
-	"scope",
-	"context",
-	"provider",
-	"ref",
-	"handler",
-	"query",
-	"schema",
-	"constant"
-]);
-//#endregion
 //#region src/plugin/utils/classify-secret-file-exposure.ts
 const SOURCE_FILE_EXTENSION_PATTERN = /\.[cm]?[jt]sx?$/;
 const CLIENT_SOURCE_FILE_EXTENSION_PATTERN = /\.[cm]?[jt]sx$/;
@@ -24521,6 +25195,17 @@ const noZIndex9999 = defineRule({
 		}
 	})
 });
+const nosqlInjectionRisk = defineRule({
+	id: "nosql-injection-risk",
+	title: "NoSQL query accepts operator-shaped input",
+	severity: "warn",
+	recommendation: "Coerce scalar fields before querying, reject operator keys from client input, and avoid `$where` or request-derived regexes.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionFilePath(file.relativePath, DATABASE_SOURCE_FILE_PATTERN),
+		pattern: /\$where\s*['"]?\s*:\s*(?:f?['"`][^'"`]{0,200}\$\{|function|f['"])|\.find\s*\(\s*JSON\.parse\s*\(\s*(?:req|request)\.|\.aggregate\s*\(\s*\[?\s*\{[^}]{0,400}\$where|\bnew\s+RegExp\s*\(\s*(?:req|request)\.|\$regex['"]?\s*:\s*(?:req|request)\./i,
+		message: "Code appears to pass raw JSON, regex, or `$where` style input into a NoSQL query."
+	})
+});
 //#endregion
 //#region src/plugin/utils/is-framework-route-or-special-filename.ts
 const sourceFileExtensionGroup = NEXTJS_SOURCE_FILE_EXTENSION_GROUP;
@@ -25073,6 +25758,116 @@ const onlyExportComponents = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/package-metadata-secret.ts
+const packageMetadataSecret = defineRule({
+	id: "package-metadata-secret",
+	title: "Secret-like package metadata",
+	severity: "warn",
+	recommendation: "Keep secrets out of package metadata and generated reports; they are often published to registries, logs, or browser artifacts.",
+	scan: (file) => {
+		if (!file.relativePath.endsWith("package.json")) return [];
+		const pattern = findSuspiciousPublicEnvSecretNamePattern(file.content) ?? SECRET_VALUE_PATTERNS.find((candidate) => candidate.test(file.content));
+		if (pattern === void 0) return [];
+		const location = getMatchLocation(file.content, pattern);
+		return [{
+			message: "Package metadata contains secret-like values or public env secret names.",
+			line: location.line,
+			column: location.column
+		}];
+	}
+});
+const pathTraversalRisk = defineRule({
+	id: "path-traversal-risk",
+	title: "Filesystem path uses caller input",
+	severity: "warn",
+	recommendation: "Resolve paths against a fixed base directory, reject traversal after normalization, and map user-visible identifiers to server-owned paths.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath) && !isDevToolingPath(file.relativePath),
+		pattern: /\b(?:readFile|readFileSync|writeFile|writeFileSync)\s*\(\s*(?:req\.|request\.|params\.|query\.|body\.|parsed\.|`[^`]*(?<![-.\w$'"])(?:req\.|request\.|params\.|query\.|body\.))|\bpath\.(?:join|resolve)\s*\([^)]*(?<![-.\w$'"])(?:req\.|request\.|params\.|query\.|body\.|parsed\.)/,
+		message: "Filesystem access appears to use request, query, params, or body data as part of the path."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/plugin-update-trust-risk.ts
+const UPDATER_TRUST_PATTERN = /\b(?:repoUrl|updateUrl|UpdateApp|InstallApp|auto.?updater?|installer|curl(?!\s+(?:-T\b|--upload-file\b))|wget)\b[\s\S]{0,250}(?:\.(?:zip|exe|dmg|appimage|msi|deb|rpm)\b|\.tar\.gz\b|\|\s*(?:bash|sh)\b)/i;
+const CHECKSUM_VERIFICATION_PATTERN = /sha(?:256|512|1)sum|--checksum|checksum=|EXPECTED_SHA|gpg\s+--verify|\.sha(?:256|512)\b/i;
+const EXECUTION_CONTEXT_PATTERN = /\b(?:child_process|childProcess|execa|os\.system|subprocess\.|Deno\.run|autoUpdater|electron-updater)\b|\b(?:exec(?:File)?(?:Sync)?|spawn(?:Sync)?)\s*\(/;
+const pluginUpdateTrustRisk = defineRule({
+	id: "plugin-update-trust-risk",
+	title: "Plugin or updater trust boundary risk",
+	severity: "warn",
+	recommendation: "Require signed updates/plugins, pin trusted repositories, verify hashes before execution, and keep custom repository installs behind explicit warnings.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath) && !isConfigOrCiPath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!UPDATER_TRUST_PATTERN.test(content)) return [];
+		if (CHECKSUM_VERIFICATION_PATTERN.test(content)) return [];
+		if (SOURCE_FILE_PATTERN.test(file.relativePath) && !EXECUTION_CONTEXT_PATTERN.test(content)) return [];
+		const location = getMatchLocation(content, UPDATER_TRUST_PATTERN);
+		return [{
+			message: "Code appears to download, install, update, or execute plugin/updater content across a trust boundary.",
+			line: location.line,
+			column: location.column
+		}];
+	}
+});
+//#endregion
+//#region src/plugin/rules/security-scan/postmessage-origin-risk.ts
+const POSTMESSAGE_ORIGIN_CHECK_PATTERN = /origin(?!al)|\.source\s*[!=]==?/i;
+const MESSAGE_DATA_READ_PATTERN = /\b(?:event|e|evt|msg|message)\.data\b/;
+const SAME_APPLICATION_CHANNEL_TARGET_PATTERN = /port\d?\b|worker|channel|broadcast|socket|\bws\b|\bsse\b|eventsource|^self\.|^source\./i;
+const WORKER_FILE_PATH_PATTERN = /worker/i;
+const getNodeStartIndex = (node) => "start" in node && typeof node.start === "number" ? node.start : -1;
+const getNodeText = (content, node) => {
+	const startIndex = getNodeStartIndex(node);
+	const endIndex = "end" in node && typeof node.end === "number" ? node.end : -1;
+	if (startIndex < 0 || endIndex < 0) return "";
+	return content.slice(startIndex, endIndex);
+};
+const getMessageHandlerTarget = (content, node) => {
+	if (node.type === "CallExpression") {
+		const calleeText = isAstNode(node.callee) ? getNodeText(content, node.callee) : "";
+		if (!calleeText.endsWith("addEventListener")) return null;
+		const firstArgument = node.arguments[0];
+		return isAstNode(firstArgument) && firstArgument.type === "Literal" && firstArgument.value === "message" ? calleeText : null;
+	}
+	if (node.type === "AssignmentExpression" && isAstNode(node.left)) {
+		const leftText = getNodeText(content, node.left);
+		return leftText.endsWith(".onmessage") ? leftText : null;
+	}
+	return null;
+};
+const postmessageOriginRisk = defineRule({
+	id: "postmessage-origin-risk",
+	title: "postMessage handler without origin check",
+	severity: "warn",
+	recommendation: "Validate `event.origin` against an exact allowlist before using `event.data`, especially when an iframe or parent window can be attacker-controlled.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		if (WORKER_FILE_PATH_PATTERN.test(file.relativePath)) return [];
+		const ast = parseSourceText(file.absolutePath, file.content);
+		if (ast === null) return [];
+		const findings = [];
+		walkAst(ast, (node) => {
+			const targetText = getMessageHandlerTarget(file.content, node);
+			if (targetText === null) return;
+			if (SAME_APPLICATION_CHANNEL_TARGET_PATTERN.test(targetText)) return;
+			const nodeText = getNodeText(file.content, node);
+			const messageDataIndex = nodeText.search(MESSAGE_DATA_READ_PATTERN);
+			if (messageDataIndex < 0) return;
+			const originCheckIndex = nodeText.search(POSTMESSAGE_ORIGIN_CHECK_PATTERN);
+			if (originCheckIndex >= 0 && originCheckIndex < messageDataIndex) return;
+			const location = getLocationAtIndex(file.content, getNodeStartIndex(node));
+			findings.push({
+				message: "A message event handler reads cross-window messages without an obvious origin check.",
+				line: location.line,
+				column: location.column
+			});
+		});
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/preact/preact-no-children-length.ts
 const ARRAY_READ_METHOD_NAMES = new Set([
 	"length",
@@ -26193,6 +26988,51 @@ const preferUseReducer = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-public-debug-artifact-path.ts
+const LOCALE_DIRECTORY_PATTERN = /(?:^|\/)(?:locales?|i18n|lang|langs|translations?)\//i;
+const isPublicDebugArtifactPath = (relativePath) => isBrowserArtifactPath(relativePath, GENERATED_BUNDLE_FILE_PATTERN.test(relativePath)) && !LOCALE_DIRECTORY_PATTERN.test(relativePath) && /(?:^|\/)(?:\.env(?:\.[^/]*)?|[^/]*(?:debug|crash|trace|stack|report|dump|phpinfo)[^/]*\.(?:txt|log|json|html?)|[^/]+\.log)$/i.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/public-debug-artifact.ts
+const publicDebugArtifact = defineRule({
+	id: "public-debug-artifact",
+	title: "Public debug artifact",
+	severity: "warn",
+	recommendation: "Remove debug artifacts from public output; logs and dumps often reveal source paths, internal routes, tokens, or environment snapshots.",
+	scan: (file) => {
+		if (!isPublicDebugArtifactPath(file.relativePath)) return [];
+		const finding = {
+			message: "A browser-reachable debug, log, dump, report, or env artifact is present.",
+			line: 1,
+			column: 1
+		};
+		return [SECRET_VALUE_PATTERNS.some((pattern) => pattern.test(file.content)) ? {
+			...finding,
+			severity: "error"
+		} : finding];
+	}
+});
+//#endregion
+//#region src/plugin/rules/security-scan/public-env-secret-name.ts
+const DOCS_DIRECTORY_PATTERN = /(?:^|\/)docs?\//i;
+const publicEnvSecretName = defineRule({
+	id: "public-env-secret-name",
+	title: "Secret-like public env variable",
+	severity: "warn",
+	recommendation: "Public env prefixes are inlined into browser bundles. Rename public values to non-secret names, and keep tokens, passwords, private keys, and service-role credentials server-only.",
+	scan: (file) => {
+		if (!isClientSourcePath(file.relativePath)) return [];
+		if (DOCS_DIRECTORY_PATTERN.test(file.relativePath)) return [];
+		const pattern = findSuspiciousPublicEnvSecretNamePattern(file.content);
+		if (pattern === void 0) return [];
+		const location = getMatchLocation(file.content, pattern);
+		return [{
+			message: "Client code references a public env variable whose name looks like a secret or privileged credential.",
+			line: location.line,
+			column: location.column
+		}];
+	}
+});
+//#endregion
 //#region src/plugin/rules/tanstack-query/query-destructure-result.ts
 const queryDestructureResult = defineRule({
 	id: "query-destructure-result",
@@ -26385,6 +27225,30 @@ const queryStableQueryClient = defineRule({
 		};
 	}
 });
+const rawSqlInjectionRisk = defineRule({
+	id: "raw-sql-injection-risk",
+	title: "Raw SQL built outside parameter binding",
+	severity: "warn",
+	recommendation: "Keep user input in driver parameters or ORM bind variables. Avoid unsafe/raw SQL helpers and string interpolation for queries.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionScriptSourcePath(file.relativePath),
+		pattern: [
+			/\$queryRawUnsafe\s*\(/,
+			/\$executeRawUnsafe\s*\(/,
+			/\bPrisma\.raw\s*\((?!\s*(?:["'][^"'\n]*["']\s*[,)]|`[^`$]*`))/,
+			/\bsql\.\s*(?:raw|unsafe)\s*\((?!\s*(?:["'][^"'\n]*["']\s*[,)]|`[^`$]*`))/,
+			/\b(?:client|pool|conn)\.query\s*\(\s*['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^)]{0,400}\$\{(?!\s*[\w$.]*(?:sanitiz|escape|quote)[\w$]*\s*\()/i,
+			/\.query\s*\(\s*['"`][^'"`]{0,200}['"`]\s*\+/,
+			/\.(?:where|orderBy|having)Raw\s*\((?!\s*(?:["'][^"'\n]*["']\s*[,)]|`[^`$]*`))/,
+			/\bcursor\.execute\s*\(\s*f['"]/,
+			/\bcursor\.execute\s*\(\s*(?:"[^"]{0,400}"|'[^']{0,400}')\s*(?:%|\.format\s*\(|\+)/,
+			/\b(?:engine|session)\.execute\s*\(\s*(?:text\s*\(\s*)?f['"]/,
+			/\$[\w]+->(?:query|exec|prepare|executeQuery|executeStatement|createQuery|createNativeQuery)\s*\(\s*(?:"[^"]{0,400}"|'[^']{0,400}')\s*\.\s*\$/,
+			/mysqli_query\s*\(\s*[^,]+,\s*(?:"[^"]{0,400}"|'[^']{0,400}')\s*\.\s*\$/
+		],
+		message: "Code uses a raw SQL escape hatch or string-built query shape that can bypass parameter binding."
+	})
+});
 //#endregion
 //#region src/plugin/rules/architecture/react-compiler-no-manual-memoization.ts
 const REMOVAL_MESSAGE_BY_REACT_API_NAME = new Map([
@@ -27015,6 +27879,31 @@ const renderingUsetransitionLoading = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-repository-secret-file-path.ts
+const isRepositorySecretFilePath = (relativePath) => DOTENV_FILE_PATTERN.test(relativePath) || /(?:^|\/)\.npmrc$/.test(relativePath) || /(?:^|\/)[^/]*(?:credential|credentials|service-account|serviceAccount|firebase-admin|google-service-account|gcp-service-account)[^/]*\.(?:json|env|pem|key)$/i.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/repository-secret-file.ts
+const isRepositorySecretExamplePath = (relativePath) => /(?:^|\/)\.env\.(?:example|sample|template|dist|defaults?)$|(?:^|\/)[^/]*(?:example|sample|template)[^/]*\.(?:env|json|pem|key)$/i.test(relativePath);
+const repositorySecretFile = defineRule({
+	id: "repository-secret-file",
+	title: "Secret file checked into repository",
+	severity: "error",
+	recommendation: "Remove committed env files, service-account credentials, npm auth tokens, and webhook URLs; rotate exposed values and keep only redacted examples in source.",
+	scan: (file) => {
+		if (!isRepositorySecretFilePath(file.relativePath)) return [];
+		if (isRepositorySecretExamplePath(file.relativePath)) return [];
+		if (TEST_CONTEXT_PATTERN.test(file.relativePath)) return [];
+		const pattern = SECRET_VALUE_PATTERNS.find((candidate) => candidate.test(file.content)) ?? findSuspiciousPublicEnvSecretNamePattern(file.content);
+		if (pattern === void 0) return [];
+		const location = getMatchLocation(file.content, pattern);
+		return [{
+			message: "A repository credential/config file contains secret-looking values.",
+			line: location.line,
+			column: location.column
+		}];
+	}
+});
+//#endregion
 //#region src/plugin/utils/function-body-has-return-with-value.ts
 const functionBodyHasReturnWithValue = (functionNode) => {
 	if (functionNode.type === "ArrowFunctionExpression" && "body" in functionNode) {
@@ -34236,6 +35125,50 @@ const stylePropObject = defineRule({
 		};
 	}
 });
+const supabaseClientOwnedAuthzField = defineRule({
+	id: "supabase-client-owned-authz-field",
+	title: "Client writes Supabase authorization field",
+	severity: "error",
+	recommendation: "Use RLS policies based on `auth.uid()` and server-owned membership rows; do not trust client-provided owner, org, or role columns.",
+	scan: scanByPattern({
+		shouldScan: (file) => isClientSourcePath(file.relativePath),
+		pattern: /\b(?:ownerId|ownerID|creatorId|creatorID|userId|userID|uid|providerId|providerID|orgId|orgID|tenantId|tenantID|teamId|teamID|workspaceId|workspaceID|ghostOrg|role|roles|isAdmin|admin)\b/,
+		requireAll: [/\b(?:supabase\b|\.from\s*\(\s*["'][^"']+["']\s*\))[\s\S]{0,700}\b(?:insert|upsert|update)\s*\(\s*(?:\{|\[?\s*\{)[\s\S]{0,700}\b(?:ownerId|creatorId|userId|orgId|tenantId|role|isAdmin)\b/i],
+		message: "Client Supabase code appears to write user, tenant, owner, or role fields that should be enforced by RLS."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/utils/is-sql-path.ts
+const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+const supabaseRlsPolicyRisk = defineRule({
+	id: "supabase-rls-policy-risk",
+	title: "Permissive Supabase RLS policy",
+	severity: "error",
+	recommendation: "Keep public-read policies explicit, but gate inserts, updates, deletes, and service-role bypasses behind `auth.uid()` plus trusted tenant membership.",
+	scan: scanByPattern({
+		shouldScan: (file) => isSqlPath(file.relativePath),
+		pattern: [
+			/disable\s+row\s+level\s+security/i,
+			/create\s+policy[\s\S]{0,700}auth\.role\(\)\s*=\s*["']service_role["']/i,
+			/create\s+policy[\s\S]{0,700}\bfor\s+(?:all|insert|update|delete)\b[\s\S]{0,500}\b(?:using|with\s+check)\s*\(\s*true\s*\)/i,
+			/create\s+policy(?:(?!\bfor\s+select\b)[\s\S]){0,700}\b(?:using|with\s+check)\s*\(\s*true\s*\)/i
+		],
+		message: "Supabase policy SQL disables RLS, permits writes broadly, or references a service-role bypass."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/svg-filter-clickjacking-risk.ts
+const svgFilterClickjackingRisk = defineRule({
+	id: "svg-filter-clickjacking-risk",
+	title: "SVG-filtered iframe clickjacking primitive",
+	severity: "warn",
+	recommendation: "Avoid filtering cross-origin iframes. Use `frame-ancestors` on sensitive pages and keep SVG filters away from embedded privileged UI.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /<iframe\b[\s\S]{0,700}\bfilter\s*:\s*["']?url\(#|filter\s*:\s*url\(#.*[\s\S]{0,700}<iframe\b|<fe(?:DisplacementMap|ColorMatrix|Composite|Tile|Morphology)\b[\s\S]{0,700}<iframe\b/i,
+		message: "An iframe is rendered through an SVG/CSS filter, which can support advanced clickjacking or visual exfiltration tricks."
+	})
+});
 //#endregion
 //#region src/plugin/rules/a11y/tabindex-no-positive.ts
 const MESSAGE = "Keyboard users get jumped out of the normal order by a positive `tabIndex`, so use `0` or `-1`.";
@@ -34901,6 +35834,76 @@ const tanstackStartServerFnValidateInput = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-server-route-source-path.ts
+const isServerRouteSourcePath = (relativePath) => {
+	if (!isProductionSourcePath(relativePath)) return false;
+	if (SERVER_CONTEXT_PATTERN.test(relativePath)) return true;
+	return /(?:^|\/)(?:middleware|route)\.[cm]?[jt]sx?$/.test(relativePath);
+};
+//#endregion
+//#region src/plugin/rules/security-scan/tenant-static-proxy-risk.ts
+const tenantStaticProxyRisk = defineRule({
+	id: "tenant-static-proxy-risk",
+	title: "Tenant-controlled static asset proxy",
+	severity: "warn",
+	recommendation: "Bind tenant identity to the trusted host or authenticated org, canonicalize after decoding, reject traversal, and never let one tenant choose another tenant's asset prefix.",
+	scan: scanByPattern({
+		shouldScan: (file) => isServerRouteSourcePath(file.relativePath),
+		pattern: /\b(?:fetch|path\.join|getObject\w*|GetObjectCommand|getSignedUrl|createReadStream)\s*\([^;]{0,200}(?:\$\{[^}]{0,100}\b(?:tenant|subdomain|workspace|hostPattern|(?<!\.)organization(?:Id|Slug)?)\b|\b(?:tenant|subdomain|workspace)(?:Id|Slug|Name)?\b\s*[,)+\].])/i,
+		message: "Route code appears to compose tenant or subdomain input into a static/CDN/object-store fetch path."
+	})
+});
+//#endregion
+//#region src/plugin/rules/security-scan/untrusted-redirect-following.ts
+const OUTBOUND_FETCH_CALL_PATTERN = /(?:(?<![.\w$])fetch|\baxios\.\s*(?:get|post|put|delete|head)|\bgot|\bgot\.\s*(?:get|post))\s*\(\s*([^,)]+)/;
+const CALLER_STYLE_URL_NAME_PATTERN = /\b(?:url|targetUrl|callbackUrl|redirectUrl|webhookUrl|companyUrl|websiteUrl|domainUrl|imageUrl|fetchUrl|next|return_to|returnTo|destination|location)\b/i;
+const REQUEST_INPUT_EXPRESSION_PATTERN = /\breq\.|\brequest\.(?:query|body|params|nextUrl)|\bsearchParams\b|\bparams\.|\bbody\.|\bquery\./;
+const SAFE_REDIRECT_MODE_PATTERN = /\bredirect\s*:\s*["'](?:manual|error)["']/;
+const isRequestSourcedUrlExpression = (urlExpression, fileContent) => {
+	if (REQUEST_INPUT_EXPRESSION_PATTERN.test(urlExpression)) return true;
+	const identifierMatch = /^[\w$]+$/.exec(urlExpression.trim());
+	if (identifierMatch === null) return false;
+	return new RegExp(`(?:const|let|var)[^=;\\n]{0,80}\\b${identifierMatch[0]}\\b[^=;\\n]{0,80}=[^;\\n]*(?:\\breq\\.|\\brequest\\.|\\bsearchParams\\b|\\bparams\\.|\\bbody\\.|\\bquery\\.|\\$_(?:GET|POST|REQUEST))`).test(fileContent);
+};
+const untrustedRedirectFollowing = defineRule({
+	id: "untrusted-redirect-following",
+	title: "Server fetch follows redirects for caller-shaped URL",
+	severity: "warn",
+	recommendation: "Use `redirect: \"manual\"` or equivalent and re-validate every redirect target before following it to avoid SSRF redirect bypasses.",
+	scan: (file) => {
+		if (!isServerRouteSourcePath(file.relativePath)) return [];
+		if (!OUTBOUND_FETCH_CALL_PATTERN.test(file.content)) return [];
+		const findings = [];
+		const lines = file.content.split("\n");
+		for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+			const line = lines[lineIndex] ?? "";
+			const fetchMatch = line.match(OUTBOUND_FETCH_CALL_PATTERN);
+			const urlExpression = fetchMatch?.[1] ?? "";
+			if (!fetchMatch || !CALLER_STYLE_URL_NAME_PATTERN.test(urlExpression)) continue;
+			if (!isRequestSourcedUrlExpression(urlExpression, file.content)) continue;
+			const fetchWindow = lines.slice(lineIndex, lineIndex + 5).join("\n");
+			if (SAFE_REDIRECT_MODE_PATTERN.test(fetchWindow)) continue;
+			findings.push({
+				message: "Server-side fetch code appears to follow redirects for a URL shaped like caller-controlled input.",
+				line: lineIndex + 1,
+				column: line.search(/\S/) + 1
+			});
+		}
+		return findings;
+	}
+});
+const urlPrefilledPrivilegedAction = defineRule({
+	id: "url-prefilled-privileged-action",
+	title: "URL pre-fills a privileged action",
+	severity: "warn",
+	recommendation: "Require server-side validation and explicit confirmation for URL-sourced invite, role, permission, redirect, or sharing parameters.",
+	scan: scanByPattern({
+		shouldScan: (file) => isClientSourcePath(file.relativePath),
+		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?)\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
+		message: "Client code reads sensitive action state from the URL, which can pre-fill invites, roles, redirects, or sharing flows with attacker values."
+	})
+});
+//#endregion
 //#region src/plugin/rules/bundle-size/use-lazy-motion.ts
 const useLazyMotion = defineRule({
 	id: "use-lazy-motion",
@@ -34995,6 +35998,33 @@ const voidDomElementsNoChildren = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/webhook-signature-risk.ts
+const WEBHOOK_HANDLER_PATTERN = /(?:^|\/)[^/]*webhook[^/]*\/|(?:^|\/)[^/]*webhook[^/]*\.[cm]?[jt]s$|\bwebhook\b/i;
+const WEBHOOK_ENTRYPOINT_PATTERN = /\b(?:export\s+(?:async\s+)?function\s+POST|export\s+const\s+(?:POST|handler|webhook)|webhookHandler|webhookRoute)\b/i;
+const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = /verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/i;
+const OUTBOUND_WEBHOOK_URL_MENTION_PATTERN = /webhook[\s_-]?ur[il]\w*/gi;
+const OUTBOUND_WEBHOOK_CONFIG_PATTERN = /process\.env\.\w*WEBHOOK_URL|\b(?:send|post|dispatch|publish|notify)\w*Webhook/;
+const REQUEST_READ_PATTERN = /\b(?:req|request)\b/;
+const COMMENT_OR_STRING_PATTERN = /\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;
+const webhookSignatureRisk = defineRule({
+	id: "webhook-signature-risk",
+	title: "Webhook handler lacks signature verification",
+	severity: "warn",
+	recommendation: "Verify provider signatures before parsing or acting on webhook bodies. Use provider SDK helpers or HMAC verification with timing-safe comparison.",
+	scan: scanByPattern({
+		shouldScan: (file) => {
+			if (!isProductionSourcePath(file.relativePath)) return false;
+			if (OUTBOUND_WEBHOOK_CONFIG_PATTERN.test(file.content)) return false;
+			const judgeableContent = file.content.replace(COMMENT_OR_STRING_PATTERN, "").replace(OUTBOUND_WEBHOOK_URL_MENTION_PATTERN, "");
+			return WEBHOOK_HANDLER_PATTERN.test(file.relativePath) || WEBHOOK_HANDLER_PATTERN.test(judgeableContent);
+		},
+		pattern: WEBHOOK_ENTRYPOINT_PATTERN,
+		requireAll: [REQUEST_READ_PATTERN],
+		suppressWhen: WEBHOOK_SIGNATURE_VERIFICATION_PATTERN,
+		message: "Webhook handler code does not show an obvious signature verification step."
+	})
+});
+//#endregion
 //#region src/plugin/rules/zod/utils/zod-ast.ts
 const ZOD_MODULE = "zod";
 const getStaticPropertyName = (member) => {
@@ -35405,6 +36435,18 @@ const zodV4PreferTopLevelStringFormats = defineRule({
 //#endregion
 //#region src/plugin/rule-registry.ts
 const reactDoctorRules = [
+	{
+		key: "react-doctor/active-static-asset",
+		id: "active-static-asset",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...activeStaticAsset,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...activeStaticAsset.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/activity-wraps-effect-heavy-subtree",
 		id: "activity-wraps-effect-heavy-subtree",
@@ -35429,6 +36471,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...advancedEventHandlerRefs.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/agent-tool-capability-risk",
+		id: "agent-tool-capability-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...agentToolCapabilityRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...agentToolCapabilityRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/alt-text",
 		id: "alt-text",
@@ -35537,6 +36591,42 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...ariaUnsupportedElements.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/artifact-baas-authority-surface",
+		id: "artifact-baas-authority-surface",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...artifactBaasAuthoritySurface,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...artifactBaasAuthoritySurface.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/artifact-env-leak",
+		id: "artifact-env-leak",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...artifactEnvLeak,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...artifactEnvLeak.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/artifact-secret-leak",
+		id: "artifact-secret-leak",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...artifactSecretLeak,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...artifactSecretLeak.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/async-await-in-loop",
 		id: "async-await-in-loop",
@@ -35583,6 +36673,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...autocompleteValid.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/build-pipeline-secret-boundary",
+		id: "build-pipeline-secret-boundary",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...buildPipelineSecretBoundary,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...buildPipelineSecretBoundary.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/button-has-type",
 		id: "button-has-type",
@@ -35619,6 +36721,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...clickEventsHaveKeyEvents.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/clickjacking-redirect-risk",
+		id: "clickjacking-redirect-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...clickjackingRedirectRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...clickjackingRedirectRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/client-localstorage-no-version",
 		id: "client-localstorage-no-version",
@@ -35643,6 +36757,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...clientPassiveEventListeners.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/command-execution-input-risk",
+		id: "command-execution-input-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...commandExecutionInputRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...commandExecutionInputRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/control-has-associated-label",
 		id: "control-has-associated-label",
@@ -35655,6 +36781,30 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...controlHasAssociatedLabel.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/cors-cookie-trust-risk",
+		id: "cors-cookie-trust-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...corsCookieTrustRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...corsCookieTrustRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/dangerous-html-sink",
+		id: "dangerous-html-sink",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...dangerousHtmlSink,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...dangerousHtmlSink.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/design-no-em-dash-in-jsx-text",
 		id: "design-no-em-dash-in-jsx-text",
@@ -35775,6 +36925,42 @@ const reactDoctorRules = [
 			tags: [...new Set(["react-native", ...expoNoNonInlinedEnv.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/firebase-client-owned-authz-field",
+		id: "firebase-client-owned-authz-field",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...firebaseClientOwnedAuthzField,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...firebaseClientOwnedAuthzField.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/firebase-permissive-rules",
+		id: "firebase-permissive-rules",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...firebasePermissiveRules,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...firebasePermissiveRules.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/firebase-query-filter-as-auth",
+		id: "firebase-query-filter-as-auth",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...firebaseQueryFilterAsAuth,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...firebaseQueryFilterAsAuth.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/forbid-component-props",
 		id: "forbid-component-props",
@@ -35823,6 +37009,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...forwardRefUsesRef.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/git-provider-url-injection-risk",
+		id: "git-provider-url-injection-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...gitProviderUrlInjectionRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...gitProviderUrlInjectionRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/heading-has-content",
 		id: "heading-has-content",
@@ -35940,6 +37138,30 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...imgRedundantAlt.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/import-metadata-execution-risk",
+		id: "import-metadata-execution-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...importMetadataExecutionRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...importMetadataExecutionRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/insecure-crypto-risk",
+		id: "insecure-crypto-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...insecureCryptoRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...insecureCryptoRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/interactive-supports-focus",
 		id: "interactive-supports-focus",
@@ -36382,6 +37604,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...jsxPropsNoSpreading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/key-lifecycle-risk",
+		id: "key-lifecycle-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...keyLifecycleRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...keyLifecycleRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/label-has-associated-control",
 		id: "label-has-associated-control",
@@ -36406,6 +37640,42 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...lang.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/local-rpc-native-bridge-risk",
+		id: "local-rpc-native-bridge-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...localRpcNativeBridgeRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...localRpcNativeBridgeRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/mcp-tool-capability-risk",
+		id: "mcp-tool-capability-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...mcpToolCapabilityRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...mcpToolCapabilityRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/mdx-ssr-execution-risk",
+		id: "mdx-ssr-execution-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...mdxSsrExecutionRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...mdxSsrExecutionRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/media-has-caption",
 		id: "media-has-caption",
@@ -37951,6 +39221,18 @@ const reactDoctorRules = [
 			category: "Maintainability"
 		}
 	},
+	{
+		key: "react-doctor/nosql-injection-risk",
+		id: "nosql-injection-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...nosqlInjectionRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...nosqlInjectionRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/only-export-components",
 		id: "only-export-components",
@@ -37963,6 +39245,54 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...onlyExportComponents.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/package-metadata-secret",
+		id: "package-metadata-secret",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...packageMetadataSecret,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...packageMetadataSecret.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/path-traversal-risk",
+		id: "path-traversal-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...pathTraversalRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...pathTraversalRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/plugin-update-trust-risk",
+		id: "plugin-update-trust-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...pluginUpdateTrustRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...pluginUpdateTrustRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/postmessage-origin-risk",
+		id: "postmessage-origin-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...postmessageOriginRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...postmessageOriginRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/preact-no-children-length",
 		id: "preact-no-children-length",
@@ -38158,6 +39488,30 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...preferUseReducer.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/public-debug-artifact",
+		id: "public-debug-artifact",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...publicDebugArtifact,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...publicDebugArtifact.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/public-env-secret-name",
+		id: "public-env-secret-name",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...publicEnvSecretName,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...publicEnvSecretName.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/query-destructure-result",
 		id: "query-destructure-result",
@@ -38235,6 +39589,18 @@ const reactDoctorRules = [
 			category: "Bugs"
 		}
 	},
+	{
+		key: "react-doctor/raw-sql-injection-risk",
+		id: "raw-sql-injection-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...rawSqlInjectionRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...rawSqlInjectionRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/react-compiler-no-manual-memoization",
 		id: "react-compiler-no-manual-memoization",
@@ -38376,6 +39742,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...renderingUsetransitionLoading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/repository-secret-file",
+		id: "repository-secret-file",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...repositorySecretFile,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...repositorySecretFile.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/require-render-return",
 		id: "require-render-return",
@@ -39096,6 +40474,42 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...stylePropObject.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/supabase-client-owned-authz-field",
+		id: "supabase-client-owned-authz-field",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseClientOwnedAuthzField,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseClientOwnedAuthzField.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/supabase-rls-policy-risk",
+		id: "supabase-rls-policy-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseRlsPolicyRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseRlsPolicyRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/svg-filter-clickjacking-risk",
+		id: "svg-filter-clickjacking-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...svgFilterClickjackingRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...svgFilterClickjackingRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/tabindex-no-positive",
 		id: "tabindex-no-positive",
@@ -39262,6 +40676,42 @@ const reactDoctorRules = [
 			category: "Bugs"
 		}
 	},
+	{
+		key: "react-doctor/tenant-static-proxy-risk",
+		id: "tenant-static-proxy-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...tenantStaticProxyRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...tenantStaticProxyRisk.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/untrusted-redirect-following",
+		id: "untrusted-redirect-following",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...untrustedRedirectFollowing,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...untrustedRedirectFollowing.tags ?? []])]
+		}
+	},
+	{
+		key: "react-doctor/url-prefilled-privileged-action",
+		id: "url-prefilled-privileged-action",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...urlPrefilledPrivilegedAction,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...urlPrefilledPrivilegedAction.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/use-lazy-motion",
 		id: "use-lazy-motion",
@@ -39285,6 +40735,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...voidDomElementsNoChildren.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/webhook-signature-risk",
+		id: "webhook-signature-risk",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...webhookSignatureRisk,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...webhookSignatureRisk.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/zod-v4-no-deprecated-error-apis",
 		id: "zod-v4-no-deprecated-error-apis",
@@ -39855,7 +41317,8 @@ const toKeyedSeverity = (entries) => entries.map((entry) => ({
 	severity: entry.rule.severity
 }));
 const isRecommendedByDefault = (entry) => entry.rule.defaultEnabled !== false;
-const collectReactDoctorRulesByFramework = (frameworkName) => reactDoctorRules.filter((entry) => entry.rule.framework === frameworkName && isRecommendedByDefault(entry));
+const isScanRule = (entry) => entry.rule.scan !== void 0;
+const collectReactDoctorRulesByFramework = (frameworkName) => reactDoctorRules.filter((entry) => entry.rule.framework === frameworkName && isRecommendedByDefault(entry) && !isScanRule(entry));
 const collectExternalRulesBySource = (source) => EXTERNAL_RULES.filter((rule) => rule.source === source);
 const collectFrameworkSpecificRuleKeys = () => {
 	const collected = /* @__PURE__ */ new Set();
@@ -39952,14 +41415,36 @@ const REACT_NATIVE_RULES = toRuleMap(toKeyedSeverity(collectReactDoctorRulesByFr
 const TANSTACK_START_RULES = toRuleMap(toKeyedSeverity(collectReactDoctorRulesByFramework("tanstack-start")));
 const TANSTACK_QUERY_RULES = toRuleMap(toKeyedSeverity(collectReactDoctorRulesByFramework("tanstack-query")));
 const PREACT_RULES = toRuleMap(toKeyedSeverity(collectReactDoctorRulesByFramework("preact")));
-const ALL_REACT_DOCTOR_RULES = toRuleMap(toKeyedSeverity(REACT_DOCTOR_RULES));
+const ALL_REACT_DOCTOR_RULES = toRuleMap(toKeyedSeverity(REACT_DOCTOR_RULES.filter((entry) => !isScanRule(entry))));
 const ALL_REACT_DOCTOR_RULE_KEYS = new Set(REACT_DOCTOR_RULES.map((rule) => rule.key));
 const FRAMEWORK_SPECIFIC_RULE_KEYS = collectFrameworkSpecificRuleKeys();
 const REACT_COMPILER_RULES = toRuleMap(collectExternalRulesBySource("react-compiler"));
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-probably-text-file.ts
+const isProbablyTextFile = (relativePath) => TEXT_FILE_PATTERN.test(relativePath) || DOTENV_FILE_PATTERN.test(relativePath);
+//#endregion
+//#region src/plugin/rules/security-scan/utils/classify-security-scan-file.ts
+const classifySecurityScanFile = (relativePath) => {
+	const isGeneratedBundleByName = GENERATED_BUNDLE_FILE_PATTERN.test(relativePath);
+	if (isRepositorySecretFilePath(relativePath) || isSqlPath(relativePath) || isFirebaseRulesPath(relativePath) || isConfigOrCiPath(relativePath)) return {
+		bucket: "priority",
+		isGeneratedBundleByName
+	};
+	if (isBrowserArtifactPath(relativePath, isGeneratedBundleByName)) return {
+		bucket: "artifact",
+		isGeneratedBundleByName
+	};
+	if (isProbablyTextFile(relativePath)) return {
+		bucket: "other",
+		isGeneratedBundleByName
+	};
+	return null;
+};
+const shouldReadSecurityScanContent = (relativePath, isGeneratedBundle) => isGeneratedBundle || isProbablyTextFile(relativePath) || isConfigOrCiPath(relativePath) || isRepositorySecretFilePath(relativePath);
+//#endregion
 //#region src/index.ts
 var src_default = plugin;
 //#endregion
-export { ALL_REACT_DOCTOR_RULES, ALL_REACT_DOCTOR_RULE_KEYS, EXTERNAL_RULES, FRAMEWORK_SPECIFIC_RULE_KEYS, MOTION_LIBRARY_PACKAGES, NEXTJS_RULES, PREACT_RULES, REACT_COMPILER_RULES, REACT_DOCTOR_RULES, REACT_NATIVE_DEPENDENCY_NAMES, REACT_NATIVE_DEPENDENCY_PREFIXES, REACT_NATIVE_RULES, RECOMMENDED_RULES, RULES, TANSTACK_QUERY_RULES, TANSTACK_START_RULES, src_default as default, isReactNativeDependencyName };
+export { ALL_REACT_DOCTOR_RULES, ALL_REACT_DOCTOR_RULE_KEYS, EXTERNAL_RULES, FRAMEWORK_SPECIFIC_RULE_KEYS, MOTION_LIBRARY_PACKAGES, NEXTJS_RULES, PREACT_RULES, REACT_COMPILER_RULES, REACT_DOCTOR_RULES, REACT_NATIVE_DEPENDENCY_NAMES, REACT_NATIVE_DEPENDENCY_PREFIXES, REACT_NATIVE_RULES, RECOMMENDED_RULES, RULES, TANSTACK_QUERY_RULES, TANSTACK_START_RULES, classifySecurityScanFile, src_default as default, isReactNativeDependencyName, shouldReadSecurityScanContent };
 
 //# sourceMappingURL=index.js.map