npm - oxlint-plugin-react-doctor - Versions diffs - 0.5.5 → 0.5.6-dev.09dde18 - Mend

oxlint-plugin-react-doctor 0.5.5 → 0.5.6-dev.09dde18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -323,9 +323,18 @@ const BROWSER_ARTIFACT_PATH_PATTERNS = [
 const AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN = /\b(?:exec|execSync|spawn|child_process|eval|new Function|vm\.run|readFile|writeFile|fs\.read|fs\.write|fetch|axios|http\.request|sandbox|runCode|executeCode)\b/;
 //#endregion
 //#region src/plugin/rules/security-scan/utils/is-browser-artifact-path.ts
-const isServerOnlyBuildArtifactPath = (relativePath) => /(?:^|\/)(?:\.next\/server|\.output\/server)\//.test(relativePath);
+const SERVER_BUILD_ROOT_SEGMENTS = new Set([".next", ".output"]);
+const isNonShippedBuildArtifactPath = (relativePath) => {
+	const segments = relativePath.split("/");
+	for (let index = 0; index < segments.length; index += 1) {
+		if (!SERVER_BUILD_ROOT_SEGMENTS.has(segments[index])) continue;
+		if (segments[index] === ".next" && segments[index + 1] === "dev") return true;
+		if (segments[index + 1] === "server" && index + 2 < segments.length) return true;
+	}
+	return false;
+};
 const isBrowserArtifactPath = (relativePath, isGeneratedBundle) => {
-	if (isServerOnlyBuildArtifactPath(relativePath)) return false;
+	if (isNonShippedBuildArtifactPath(relativePath)) return false;
 	if (isGeneratedBundle) return true;
 	if (relativePath.endsWith(".map")) return true;
 	return BROWSER_ARTIFACT_PATH_PATTERNS.some((pattern) => pattern.test(relativePath));
@@ -1108,6 +1117,11 @@ const getImportedNameFromModule = (contextNode, localIdentifierName, moduleSourc
 	if (info.source !== moduleSource) return null;
 	return info.imported;
 };
+const getImportSourceForName = (contextNode, localIdentifierName) => {
+	const lookup = getImportLookup(contextNode);
+	if (!lookup) return null;
+	return lookup.get(localIdentifierName)?.source ?? null;
+};
 //#endregion
 //#region src/plugin/utils/find-variable-initializer.ts
 const FUNCTION_LIKE_TYPES$1 = new Set([
@@ -1847,7 +1861,7 @@ const anchorAmbiguousText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/anchor-has-content.ts
-const MESSAGE$51 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$64 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
 const anchorHasContent = defineRule({
 	id: "anchor-has-content",
 	title: "Anchor has no content",
@@ -1863,7 +1877,7 @@ const anchorHasContent = defineRule({
 		for (const attribute of ["title", "aria-label"]) if (hasJsxPropIgnoreCase(opening.attributes, attribute)) return;
 		context.report({
 			node: opening.name,
-			message: MESSAGE$51
+			message: MESSAGE$64
 		});
 	} })
 });
@@ -2257,7 +2271,7 @@ const parseJsxValue = (value) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/aria-activedescendant-has-tabindex.ts
-const MESSAGE$50 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
+const MESSAGE$63 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
 const ariaActivedescendantHasTabindex = defineRule({
 	id: "aria-activedescendant-has-tabindex",
 	title: "aria-activedescendant missing tabindex",
@@ -2275,14 +2289,14 @@ const ariaActivedescendantHasTabindex = defineRule({
 			if (tabIndexValue === null || tabIndexValue >= -1) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$50
+				message: MESSAGE$63
 			});
 			return;
 		}
 		if (isInteractiveElement(tag, node)) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$50
+			message: MESSAGE$63
 		});
 	} })
 });
@@ -3090,6 +3104,76 @@ const AUTH_FUNCTION_NAMES = new Set([
 	"getAuth",
 	"validateSession"
 ]);
+const AUTH_STRONG_TOKEN_PATTERN = /^auth(?:n|z|ed|enticate[ds]?|enticating|entication|orize[ds]?|orizing|orization|orizer)?$/;
+const AUTH_STANDALONE_NOUN_TOKENS = new Set([
+	"signedin",
+	"loggedin",
+	"signin"
+]);
+const AUTH_ASSERTIVE_VERB_TOKENS = new Set([
+	"require",
+	"ensure",
+	"assert",
+	"verify",
+	"validate",
+	"check",
+	"protect",
+	"enforce",
+	"guard",
+	"gate",
+	"restrict",
+	"is",
+	"has",
+	"can",
+	"must"
+]);
+const AUTH_GETTER_VERB_TOKENS = new Set([
+	"get",
+	"fetch",
+	"load",
+	"read",
+	"resolve",
+	"retrieve",
+	"use"
+]);
+const AUTH_QUALIFIER_TOKENS = new Set([
+	"current",
+	"my",
+	"own"
+]);
+const AUTH_STRONG_NOUN_TOKENS = new Set([
+	"session",
+	"sessions",
+	"login",
+	"admin",
+	"admins",
+	"superadmin",
+	"superuser",
+	"role",
+	"roles",
+	"permission",
+	"permissions",
+	"jwt",
+	"identity",
+	"principal",
+	"credential",
+	"credentials"
+]);
+const AUTH_WEAK_NOUN_TOKENS = new Set([
+	"user",
+	"users",
+	"account",
+	"accounts",
+	"token",
+	"tokens",
+	"access",
+	"me",
+	"viewer",
+	"caller",
+	"subject",
+	"scope",
+	"scopes"
+]);
 const GENERIC_AUTH_METHOD_NAMES = new Set(["getUser"]);
 const AUTH_OBJECT_PATTERN = /(?:^|[._])(?:auth|authn|authz|clerk|session|jwt|firebase|supabase|nextauth|kinde|workos|stytch|descope|cognito|propelauth|lucia)/i;
 const SECRET_PATTERNS = [
@@ -4187,6 +4271,58 @@ const asyncParallel = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security/auth-token-in-web-storage.ts
+const MESSAGE$62 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
+const STORAGE_NAMES = new Set(["localStorage", "sessionStorage"]);
+const STORAGE_GLOBALS = new Set([
+	"window",
+	"globalThis",
+	"self"
+]);
+const SENSITIVE_KEY_PATTERN = /token|jwt|secret|password|passwd|credential|api[-_]?key|bearer|private[-_]?key/i;
+const isWebStorageObject = (node) => {
+	if (isNodeOfType(node, "Identifier")) return STORAGE_NAMES.has(node.name);
+	if (isNodeOfType(node, "MemberExpression") && !node.computed && isNodeOfType(node.object, "Identifier") && STORAGE_GLOBALS.has(node.object.name) && isNodeOfType(node.property, "Identifier")) return STORAGE_NAMES.has(node.property.name);
+	return false;
+};
+const staticMemberName = (member) => {
+	if (!member.computed && isNodeOfType(member.property, "Identifier")) return member.property.name;
+	if (member.computed && isNodeOfType(member.property, "Literal") && typeof member.property.value === "string") return member.property.value;
+	return null;
+};
+const authTokenInWebStorage = defineRule({
+	id: "auth-token-in-web-storage",
+	title: "Auth token in web storage",
+	severity: "warn",
+	recommendation: "Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in `localStorage`/`sessionStorage`; they're readable by any XSS. Use an `HttpOnly` cookie set by the server.",
+	create: (context) => ({
+		CallExpression(node) {
+			const callee = node.callee;
+			if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+			if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "setItem") return;
+			if (!isWebStorageObject(callee.object)) return;
+			const keyArgument = node.arguments?.[0];
+			if (!keyArgument || !isNodeOfType(keyArgument, "Literal") || typeof keyArgument.value !== "string") return;
+			if (!SENSITIVE_KEY_PATTERN.test(keyArgument.value)) return;
+			context.report({
+				node,
+				message: MESSAGE$62
+			});
+		},
+		AssignmentExpression(node) {
+			const target = node.left;
+			if (!isNodeOfType(target, "MemberExpression")) return;
+			if (!isWebStorageObject(target.object)) return;
+			const propertyName = staticMemberName(target);
+			if (!propertyName || !SENSITIVE_KEY_PATTERN.test(propertyName)) return;
+			context.report({
+				node: target,
+				message: MESSAGE$62
+			});
+		}
+	})
+});
+//#endregion
 //#region src/plugin/rules/a11y/autocomplete-valid.ts
 const buildMessage$25 = (value) => `Users who rely on autofill can't fill this field because \`${value}\` isn't a known token, so use a valid \`autoComplete\` token.`;
 const AUTOFILL_TOKENS = new Set([
@@ -4558,7 +4694,7 @@ const isPureEventBlockerHandler = (attribute) => {
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
 const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
-const MESSAGE$49 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
+const MESSAGE$61 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
 	"onKeyDown",
@@ -4590,7 +4726,7 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$49
+				message: MESSAGE$61
 			});
 		} };
 	}
@@ -4705,7 +4841,7 @@ const isReactComponentName = (name) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/control-has-associated-label.ts
-const MESSAGE$48 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$60 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_IGNORE_ELEMENTS = ["link", "canvas"];
 const DEFAULT_LABELLING_PROPS = [
 	"alt",
@@ -4866,7 +5002,7 @@ const controlHasAssociatedLabel = defineRule({
 			for (const child of node.children) if (checkChildForLabel(child, 1, checkContext)) return;
 			context.report({
 				node: opening,
-				message: MESSAGE$48
+				message: MESSAGE$60
 			});
 		} };
 	}
@@ -4995,6 +5131,7 @@ const dangerousHtmlSink = defineRule({
 		return findings;
 	}
 });
+const WCAG_CONTRAST_NORMAL_MIN = 4.5;
 const LONG_TRANSITION_DURATION_THRESHOLD_MS = 1e3;
 const VAGUE_BUTTON_LABELS = new Set([
 	"continue",
@@ -5292,6 +5429,38 @@ const noVagueButtonLabel = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/utils/has-jsx-spread-attribute.ts
+const hasJsxSpreadAttribute = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
+//#endregion
+//#region src/plugin/rules/a11y/dialog-has-accessible-name.ts
+const MESSAGE$59 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
+const DIALOG_ROLES = new Set(["dialog", "alertdialog"]);
+const NAME_PROVIDING_ATTRIBUTES = [
+	"aria-label",
+	"aria-labelledby",
+	"title"
+];
+const dialogHasAccessibleName = defineRule({
+	id: "dialog-has-accessible-name",
+	title: "Dialog without accessible name",
+	severity: "warn",
+	recommendation: "Give every `<dialog>` / `role=\"dialog\"` an accessible name with `aria-label` or `aria-labelledby` (referencing the dialog's title element).",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		if (tagName[0] !== tagName[0]?.toLowerCase()) return;
+		const roleAttribute = hasJsxPropIgnoreCase(node.attributes, "role");
+		const roleValue = roleAttribute ? getJsxPropStringValue(roleAttribute) : null;
+		if (!(tagName === "dialog" || roleValue !== null && DIALOG_ROLES.has(roleValue))) return;
+		if (hasJsxSpreadAttribute(node.attributes)) return;
+		if (NAME_PROVIDING_ATTRIBUTES.some((attribute) => hasJsxPropIgnoreCase(node.attributes, attribute))) return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$59
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/utils/is-es5-component.ts
 const PRAGMA$2 = "React";
 const CREATE_CLASS = "createReactClass";
@@ -5326,7 +5495,7 @@ const isEs6Component = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/display-name.ts
-const MESSAGE$47 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
+const MESSAGE$58 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
 const DEFAULT_ADDITIONAL_HOCS = [
 	"observer",
 	"lazy",
@@ -5529,7 +5698,7 @@ const displayName = defineRule({
 		const reportAt = (node) => {
 			context.report({
 				node,
-				message: MESSAGE$47
+				message: MESSAGE$58
 			});
 		};
 		return {
@@ -7677,7 +7846,7 @@ const forbidElements = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/forward-ref-uses-ref.ts
-const MESSAGE$46 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
+const MESSAGE$57 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
 const forwardRefUsesRef = defineRule({
 	id: "forward-ref-uses-ref",
 	title: "forwardRef without ref parameter",
@@ -7697,7 +7866,7 @@ const forwardRefUsesRef = defineRule({
 		if (isNodeOfType(onlyParam, "RestElement")) return;
 		context.report({
 			node: inner,
-			message: MESSAGE$46
+			message: MESSAGE$57
 		});
 	} })
 });
@@ -7734,7 +7903,7 @@ const gitProviderUrlInjectionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
-const MESSAGE$45 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$56 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
 	"h1",
 	"h2",
@@ -7767,7 +7936,7 @@ const headingHasContent = defineRule({
 			if (isHiddenFromScreenReader(node, context.settings)) return;
 			context.report({
 				node,
-				message: MESSAGE$45
+				message: MESSAGE$56
 			});
 		} };
 	}
@@ -7905,7 +8074,7 @@ const hooksNoNanInDeps = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/html-has-lang.ts
-const MESSAGE$44 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
+const MESSAGE$55 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
 const resolveSettings$38 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { htmlTags: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.htmlHasLang ?? {} : {}).htmlTags ?? ["html"] };
@@ -7953,7 +8122,7 @@ const htmlHasLang = defineRule({
 			if (!lang) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$44
+					message: MESSAGE$55
 				});
 				return;
 			}
@@ -7961,13 +8130,13 @@ const htmlHasLang = defineRule({
 			if (verdict === "missing" || verdict === "empty") {
 				context.report({
 					node: lang,
-					message: MESSAGE$44
+					message: MESSAGE$55
 				});
 				return;
 			}
 			if (hasSpread && !lang) context.report({
 				node: node.name,
-				message: MESSAGE$44
+				message: MESSAGE$55
 			});
 		} };
 	}
@@ -8181,7 +8350,7 @@ const htmlNoNestedInteractive = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/iframe-has-title.ts
-const MESSAGE$43 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
+const MESSAGE$54 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
 const evaluateTitleValue = (value) => {
 	if (!value) return "missing";
 	if (isNodeOfType(value, "Literal")) {
@@ -8221,14 +8390,14 @@ const iframeHasTitle = defineRule({
 		if (!titleAttr) {
 			if (hasSpread || tag === "iframe") context.report({
 				node: node.name,
-				message: MESSAGE$43
+				message: MESSAGE$54
 			});
 			return;
 		}
 		const verdict = evaluateTitleValue(titleAttr.value);
 		if (verdict === "missing" || verdict === "empty") context.report({
 			node: titleAttr,
-			message: MESSAGE$43
+			message: MESSAGE$54
 		});
 	} })
 });
@@ -8332,7 +8501,7 @@ const iframeMissingSandbox = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/img-redundant-alt.ts
-const MESSAGE$42 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
+const MESSAGE$53 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
 const DEFAULT_COMPONENTS = ["img"];
 const DEFAULT_REDUNDANT_WORDS = [
 	"image",
@@ -8397,7 +8566,7 @@ const imgRedundantAlt = defineRule({
 			if (!altAttribute) return;
 			if (altValueRedundant(altAttribute, settings.words)) context.report({
 				node: altAttribute,
-				message: MESSAGE$42
+				message: MESSAGE$53
 			});
 		} };
 	}
@@ -8495,6 +8664,136 @@ const insecureCryptoRisk = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/find-matching-bracket.ts
+const findMatchingBracket = (content, openIndex) => {
+	const open = content[openIndex];
+	const close = open === "(" ? ")" : open === "{" ? "}" : open === "[" ? "]" : "";
+	if (close === "") return -1;
+	let depth = 0;
+	let stringDelimiter = null;
+	for (let index = openIndex; index < content.length; index += 1) {
+		const character = content[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === open) depth += 1;
+		else if (character === close) {
+			depth -= 1;
+			if (depth === 0) return index;
+		}
+	}
+	return -1;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/insecure-session-cookie.ts
+const AUTH_COOKIE_NAME_TOKEN = `(?<![A-Za-z0-9])(?:session|sess|sid|connect\\.sid|auth|jwt|access[_-]?token|refresh[_-]?token|id[_-]?token)(?![A-Za-z0-9])`;
+const AUTH_COOKIE_NAME_LITERAL = `[\`"'][^\`"']*?${AUTH_COOKIE_NAME_TOKEN}[^\`"']*[\`"']`;
+const AUTH_COOKIE_SET_CALL_PATTERN = new RegExp(`(?:\\.cookies\\.set|cookies\\(\\s*\\)\\.set|\\.cookie)\\s*\\(\\s*${AUTH_COOKIE_NAME_LITERAL}`, "gi");
+const HTTP_ONLY_DISABLED_PATTERN = /httpOnly\s*:\s*false\b/i;
+const STRING_LITERAL_PATTERN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g;
+const blankStringContents = (text) => {
+	const characters = text.split("");
+	let index = 0;
+	let stringDelimiter = null;
+	while (index < text.length) {
+		const character = text[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") {
+				index += 2;
+				continue;
+			}
+			if (character === stringDelimiter) stringDelimiter = null;
+			else if (character !== "\n") characters[index] = " ";
+			index += 1;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		index += 1;
+	}
+	return characters.join("");
+};
+const COOKIE_CONFIG_OPENER_PATTERN = /cookie\s*:\s*\{/gi;
+const CLIENT_AUTH_COOKIE_WRITE_PATTERN = new RegExp(`document\\.cookie\\s*=\\s*[\`"'][^\`"'=;]*?${AUTH_COOKIE_NAME_TOKEN}[^\`"'=;]*=`, "gi");
+const countTopLevelArguments = (argumentsSource) => {
+	if (argumentsSource.trim().length === 0) return 0;
+	let depth = 0;
+	let stringDelimiter = null;
+	let count = 1;
+	for (let index = 0; index < argumentsSource.length; index += 1) {
+		const character = argumentsSource[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === "(" || character === "[" || character === "{") depth += 1;
+		else if (character === ")" || character === "]" || character === "}") depth -= 1;
+		else if (character === "," && depth === 0) count += 1;
+	}
+	return count;
+};
+const addMatchFindings = (content, pattern, message, isInsecure, findings) => {
+	pattern.lastIndex = 0;
+	for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+		if (!isInsecure(match.index, match[0])) continue;
+		const location = getLocationAtIndex(content, match.index);
+		findings.push({
+			message,
+			line: location.line,
+			column: location.column
+		});
+	}
+};
+const insecureSessionCookie = defineRule({
+	id: "insecure-session-cookie",
+	title: "Auth cookie missing HttpOnly protection",
+	severity: "warn",
+	recommendation: "Set auth/session cookies server-side with `httpOnly: true`, `secure: true`, and `sameSite`. Cookies set via `document.cookie` or with `httpOnly: false` are readable by any XSS payload and can be stolen.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/cookie/i.test(content)) return [];
+		const findings = [];
+		const message = "An auth/session cookie is exposed to JavaScript (set via document.cookie, with httpOnly: false, or without cookie options), letting an XSS payload steal it.";
+		AUTH_COOKIE_SET_CALL_PATTERN.lastIndex = 0;
+		for (let match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content); match !== null; match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content)) {
+			const openParenIndex = match.index + match[0].lastIndexOf("(");
+			const closeParenIndex = findMatchingBracket(content, openParenIndex);
+			if (closeParenIndex < 0) continue;
+			const argumentsSource = content.slice(openParenIndex + 1, closeParenIndex);
+			const hasNoOptions = countTopLevelArguments(argumentsSource) < 3;
+			const argumentsWithoutStrings = argumentsSource.replace(STRING_LITERAL_PATTERN, "");
+			if (!hasNoOptions && !HTTP_ONLY_DISABLED_PATTERN.test(argumentsWithoutStrings)) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		const blankedContent = blankStringContents(content);
+		COOKIE_CONFIG_OPENER_PATTERN.lastIndex = 0;
+		for (let match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent); match !== null; match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent)) {
+			const braceIndex = match.index + match[0].length - 1;
+			const closeBraceIndex = findMatchingBracket(blankedContent, braceIndex);
+			const block = closeBraceIndex >= 0 ? blankedContent.slice(braceIndex, closeBraceIndex) : blankedContent.slice(braceIndex, braceIndex + 400);
+			if (!HTTP_ONLY_DISABLED_PATTERN.test(block)) continue;
+			const location = getLocationAtIndex(blankedContent, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		addMatchFindings(content, CLIENT_AUTH_COOKIE_WRITE_PATTERN, message, () => true, findings);
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/constants/event-handlers.ts
 const MOUSE_EVENT_HANDLERS = [
 	"onClick",
@@ -10624,7 +10923,7 @@ const jsxMaxDepth = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-comment-textnodes.ts
-const MESSAGE$41 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
+const MESSAGE$52 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
 const LITERAL_TEXT_TAGS = new Set([
 	"code",
 	"pre",
@@ -10660,7 +10959,7 @@ const jsxNoCommentTextnodes = defineRule({
 		if (isInsideLiteralTextTag(node)) return;
 		context.report({
 			node,
-			message: MESSAGE$41
+			message: MESSAGE$52
 		});
 	} })
 });
@@ -10691,7 +10990,7 @@ const isInsideFunctionScope = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-constructed-context-values.ts
-const MESSAGE$40 = "Every reader of this context redraws on each render because you build its `value` inline.";
+const MESSAGE$51 = "Every reader of this context redraws on each render because you build its `value` inline.";
 const CONTEXT_MODULES$1 = [
 	"react",
 	"use-context-selector",
@@ -10789,7 +11088,7 @@ const jsxNoConstructedContextValues = defineRule({
 					if (!isConstructedValue(innerExpression)) continue;
 					context.report({
 						node: attribute,
-						message: MESSAGE$40
+						message: MESSAGE$51
 					});
 				}
 			}
@@ -10875,7 +11174,7 @@ const isJsxAttributeOnIntrinsicHtmlElement = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts
-const MESSAGE$39 = "This child redraws every render because the prop gets brand new JSX each time.";
+const MESSAGE$50 = "This child redraws every render because the prop gets brand new JSX each time.";
 const KNOWN_SLOT_PROP_NAMES = new Set([
 	"icon",
 	"Icon",
@@ -11144,7 +11443,7 @@ const jsxNoJsxAsProp = defineRule({
 				if (!isJsxProducingExpression(expressionNode) && !followsRenderLocalJsxBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$39
+					message: MESSAGE$50
 				});
 			}
 		};
@@ -11432,7 +11731,7 @@ const DATA_ARRAY_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts
-const MESSAGE$38 = "This child redraws every render because the prop gets a brand new array each time.";
+const MESSAGE$49 = "This child redraws every render because the prop gets a brand new array each time.";
 const isDataArrayPropName = (propName) => {
 	if (DATA_ARRAY_PROP_NAMES.has(propName)) return true;
 	for (const suffix of DATA_ARRAY_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -11516,7 +11815,7 @@ const jsxNoNewArrayAsProp = defineRule({
 				if (!isArrayProducingExpression(expressionNode) && !followsRenderLocalArrayBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$38
+					message: MESSAGE$49
 				});
 			}
 		};
@@ -11774,7 +12073,7 @@ const SAFE_RECEIVER_NAMES = new Set([
 ]);
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts
-const MESSAGE$37 = "This child redraws every render because the prop gets a brand new function each time.";
+const MESSAGE$48 = "This child redraws every render because the prop gets a brand new function each time.";
 const isAccessorPredicateName = (propName) => {
 	for (const prefix of ACCESSOR_PREDICATE_PREFIXES) {
 		if (propName.length <= prefix.length) continue;
@@ -11980,7 +12279,7 @@ const jsxNoNewFunctionAsProp = defineRule({
 				if (!isFunctionProducingExpression(expressionNode) && !followsRenderLocalFunctionBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$37
+					message: MESSAGE$48
 				});
 			}
 		};
@@ -12200,7 +12499,7 @@ const CONFIG_OBJECT_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts
-const MESSAGE$36 = "This child redraws every render because the prop gets a brand new object each time.";
+const MESSAGE$47 = "This child redraws every render because the prop gets a brand new object each time.";
 const isConfigObjectPropName = (propName) => {
 	if (CONFIG_OBJECT_PROP_NAMES.has(propName)) return true;
 	for (const suffix of CONFIG_OBJECT_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -12288,7 +12587,7 @@ const jsxNoNewObjectAsProp = defineRule({
 				if (!isObjectProducingExpression(expressionNode) && !followsRenderLocalObjectBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$36
+					message: MESSAGE$47
 				});
 			}
 		};
@@ -12296,7 +12595,7 @@ const jsxNoNewObjectAsProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-script-url.ts
-const MESSAGE$35 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
+const MESSAGE$46 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
 const JAVASCRIPT_URL_PATTERN = /j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;
 const resolveSettings$28 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
@@ -12337,7 +12636,7 @@ const jsxNoScriptUrl = defineRule({
 				if (!value || !isNodeOfType(value, "Literal") || typeof value.value !== "string") continue;
 				if (JAVASCRIPT_URL_PATTERN.test(value.value)) context.report({
 					node: attribute,
-					message: MESSAGE$35
+					message: MESSAGE$46
 				});
 			}
 		} };
@@ -12652,7 +12951,7 @@ const jsxPropsNoSpreadMulti = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-props-no-spreading.ts
-const MESSAGE$34 = "You can't tell what props reach this element when you spread them.";
+const MESSAGE$45 = "You can't tell what props reach this element when you spread them.";
 const resolveSettings$25 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.jsxPropsNoSpreading ?? {} : {};
@@ -12693,18 +12992,77 @@ const jsxPropsNoSpreading = defineRule({
 				}
 				context.report({
 					node: attribute,
-					message: MESSAGE$34
+					message: MESSAGE$45
 				});
 			}
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/jwt-insecure-verification.ts
+const NONE_ALGORITHM_PATTERN = /\b(?:alg|algorithms?)\s*:\s*\[?\s*["'`]none["'`]/gi;
+const isIndexInsideStringLiteral = (content, index) => {
+	let stringDelimiter = null;
+	const templateExpressionDepths = [];
+	for (let cursor = 0; cursor < index; cursor += 1) {
+		const character = content[cursor];
+		if (stringDelimiter === "`") {
+			if (character === "\\") cursor += 1;
+			else if (character === "`") stringDelimiter = null;
+			else if (character === "$" && content[cursor + 1] === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				cursor += 1;
+			}
+			continue;
+		}
+		if (stringDelimiter !== null) {
+			if (character === "\\") cursor += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (templateExpressionDepths.length > 0) {
+			const top = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[top] += 1;
+			else if (character === "}") if (templateExpressionDepths[top] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+			} else templateExpressionDepths[top] -= 1;
+		}
+	}
+	return stringDelimiter !== null;
+};
+const jwtInsecureVerification = defineRule({
+	id: "jwt-insecure-verification",
+	title: "JWT verified with the 'none' algorithm",
+	severity: "error",
+	recommendation: "Never accept the `none` algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (`jwt.verify(token, key, { algorithms: ['RS256'] })`).",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/\bjwt\b|jsonwebtoken|\bjose\b/i.test(content)) return [];
+		const findings = [];
+		NONE_ALGORITHM_PATTERN.lastIndex = 0;
+		for (let noneMatch = NONE_ALGORITHM_PATTERN.exec(content); noneMatch !== null; noneMatch = NONE_ALGORITHM_PATTERN.exec(content)) {
+			if (isIndexInsideStringLiteral(content, noneMatch.index)) continue;
+			const location = getLocationAtIndex(content, noneMatch.index);
+			findings.push({
+				message: "JWT is configured with the 'none' algorithm, which disables signature verification, so any forged token is accepted.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/key-lifecycle-risk.ts
 const keyLifecycleRisk = defineRule({
 	id: "key-lifecycle-risk",
 	title: "Long-lived key material in repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove private keys from source, rotate exposed credentials, prefer short-lived deploy credentials, and document revocation/expiry for release keys.",
 	scan: scanByPattern({
 		shouldScan: (file) => !TEST_CONTEXT_PATTERN.test(file.relativePath) && !DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath),
@@ -12862,7 +13220,7 @@ const labelHasAssociatedControl = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/lang.ts
-const MESSAGE$33 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
+const MESSAGE$44 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
 const COMMON_LANGUAGE_PRIMARY_TAGS = new Set([
 	"aa",
 	"ab",
@@ -13074,7 +13432,7 @@ const lang = defineRule({
 			if (expression.type === "Identifier" && expression.name === "undefined" || expression.type === "Literal" && expression.value === null) {
 				context.report({
 					node: langAttr,
-					message: MESSAGE$33
+					message: MESSAGE$44
 				});
 				return;
 			}
@@ -13083,7 +13441,7 @@ const lang = defineRule({
 		if (value === null) return;
 		if (!isValidLangTag(value)) context.report({
 			node: langAttr,
-			message: MESSAGE$33
+			message: MESSAGE$44
 		});
 	} })
 });
@@ -13127,7 +13485,7 @@ const mdxSsrExecutionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
-const MESSAGE$32 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
+const MESSAGE$43 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
 const DEFAULT_VIDEO = ["video"];
 const DEFAULT_TRACK = ["track"];
@@ -13168,7 +13526,7 @@ const mediaHasCaption = defineRule({
 			if (!parent || !isNodeOfType(parent, "JSXElement")) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$32
+					message: MESSAGE$43
 				});
 				return;
 			}
@@ -13185,7 +13543,7 @@ const mediaHasCaption = defineRule({
 				return kindValue.value.toLowerCase() === "captions";
 			})) context.report({
 				node: node.name,
-				message: MESSAGE$32
+				message: MESSAGE$43
 			});
 		} };
 	}
@@ -14986,7 +15344,7 @@ const nextjsNoVercelOgImport = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-access-key.ts
-const MESSAGE$31 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
+const MESSAGE$42 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
 const isUndefinedIdentifier = (expression) => isNodeOfType(expression, "Identifier") && expression.name === "undefined";
 const noAccessKey = defineRule({
 	id: "no-access-key",
@@ -15003,7 +15361,7 @@ const noAccessKey = defineRule({
 		if (isNodeOfType(attributeValue, "Literal") && typeof attributeValue.value === "string") {
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$42
 			});
 			return;
 		}
@@ -15013,7 +15371,7 @@ const noAccessKey = defineRule({
 			if (isUndefinedIdentifier(expression)) return;
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$42
 			});
 		}
 	} })
@@ -15495,8 +15853,41 @@ const noAdjustStateOnPropChange = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/design/utils/get-string-from-class-name-attr.ts
+const getStringFromClassNameAttr = (node) => {
+	if (!isNodeOfType(node, "JSXOpeningElement")) return null;
+	const classAttr = findJsxAttribute(node.attributes ?? [], "className");
+	if (!classAttr?.value) return null;
+	if (isNodeOfType(classAttr.value, "Literal") && typeof classAttr.value.value === "string") return classAttr.value.value;
+	if (isNodeOfType(classAttr.value, "JSXExpressionContainer") && isNodeOfType(classAttr.value.expression, "Literal") && typeof classAttr.value.expression.value === "string") return classAttr.value.expression.value;
+	if (isNodeOfType(classAttr.value, "JSXExpressionContainer") && isNodeOfType(classAttr.value.expression, "TemplateLiteral") && classAttr.value.expression.quasis?.length === 1) return classAttr.value.expression.quasis[0].value?.raw ?? null;
+	return null;
+};
+//#endregion
+//#region src/plugin/rules/design/no-arbitrary-px-font-size.ts
+const ARBITRARY_PX_FONT_SIZE = /(?:^|\s)(?:\w+:)*text-\[(\d+(?:\.\d+)?)px\]/g;
+const noArbitraryPxFontSize = defineRule({
+	id: "no-arbitrary-px-font-size",
+	title: "Pixel arbitrary font size",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	category: "Accessibility",
+	recommendation: "Use `rem` for arbitrary font sizes (`text-[0.8125rem]`, not `text-[13px]`) so text scales with the user's root font-size preference. Pixels stay fine for `border-*` / `outline-*`.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		for (const match of classNameValue.matchAll(ARBITRARY_PX_FONT_SIZE)) {
+			const rem = parseFloat(match[1]) / 16;
+			context.report({
+				node,
+				message: `\`text-[${match[1]}px]\` doesn't scale with the user's font-size preference — use rem, e.g. \`text-[${rem}rem]\`.`
+			});
+		}
+	} })
+});
+//#endregion
 //#region src/plugin/rules/a11y/no-aria-hidden-on-focusable.ts
-const MESSAGE$30 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
+const MESSAGE$41 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
 const noAriaHiddenOnFocusable = defineRule({
 	id: "no-aria-hidden-on-focusable",
 	title: "aria-hidden on focusable element",
@@ -15523,7 +15914,7 @@ const noAriaHiddenOnFocusable = defineRule({
 		const isImplicitlyFocusable = isInteractiveElement(tag, node);
 		if (isExplicitlyFocusable || isImplicitlyFocusable) context.report({
 			node: ariaHidden,
-			message: MESSAGE$30
+			message: MESSAGE$41
 		});
 	} })
 });
@@ -15891,7 +16282,7 @@ const noArrayIndexAsKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-array-index-key.ts
-const MESSAGE$29 = "Your users can see & submit the wrong data when this list reorders.";
+const MESSAGE$40 = "Your users can see & submit the wrong data when this list reorders.";
 const SECOND_INDEX_METHODS = new Set([
 	"every",
 	"filter",
@@ -16095,7 +16486,7 @@ const noArrayIndexKey = defineRule({
 			}
 			context.report({
 				node: keyAttribute,
-				message: MESSAGE$29
+				message: MESSAGE$40
 			});
 		},
 		CallExpression(node) {
@@ -16115,15 +16506,35 @@ const noArrayIndexKey = defineRule({
 				if (propName !== "key") continue;
 				if (expressionUsesIndex(property.value, indexBinding.name)) context.report({
 					node: property,
-					message: MESSAGE$29
+					message: MESSAGE$40
 				});
 			}
 		}
 	})
 });
 //#endregion
+//#region src/plugin/rules/state-and-effects/no-async-effect-callback.ts
+const MESSAGE$39 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
+const noAsyncEffectCallback = defineRule({
+	id: "no-async-effect-callback",
+	title: "Async effect callback",
+	severity: "warn",
+	recommendation: "Don't make the effect callback `async`. Define an async function inside the effect and call it, then return a real cleanup function if you need one.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isHookCall$1(node, EFFECT_HOOK_NAMES$1)) return;
+		const callback = getEffectCallback(node);
+		if (!callback) return;
+		if (!isNodeOfType(callback, "ArrowFunctionExpression") && !isNodeOfType(callback, "FunctionExpression")) return;
+		if (!callback.async) return;
+		context.report({
+			node: callback,
+			message: MESSAGE$39
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/a11y/no-autofocus.ts
-const MESSAGE$28 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
+const MESSAGE$38 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
 const resolveSettings$21 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreNonDOM: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noAutofocus ?? {} : {}).ignoreNonDOM ?? true };
@@ -16179,12 +16590,45 @@ const noAutofocus = defineRule({
 			}
 			context.report({
 				node: autoFocusAttribute,
-				message: MESSAGE$28
+				message: MESSAGE$38
 			});
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/a11y/no-autoplay-without-muted.ts
+const MESSAGE$37 = "Autoplaying media with sound is hostile to your users (and browsers block it). Add `muted` (with `playsInline`) to the autoplaying `<video>` / `<audio>`, or drop `autoPlay`.";
+const resolveStaticBoolean = (attribute) => {
+	const value = attribute.value;
+	if (!value) return true;
+	const literal = isNodeOfType(value, "JSXExpressionContainer") ? value.expression : value;
+	if (isNodeOfType(literal, "Literal")) {
+		if (literal.value === true || literal.value === "true") return true;
+		if (literal.value === false || literal.value === "false") return false;
+	}
+	return null;
+};
+const noAutoplayWithoutMuted = defineRule({
+	id: "no-autoplay-without-muted",
+	title: "Autoplaying media without muted",
+	severity: "warn",
+	recommendation: "Always pair `autoPlay` with `muted` (and `playsInline`): `<video autoPlay muted loop playsInline />`. If the sound matters, drop `autoPlay` and let users start it.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		if (tagName !== "video" && tagName !== "audio") return;
+		if (hasJsxSpreadAttribute(node.attributes)) return;
+		const autoPlay = hasJsxPropIgnoreCase(node.attributes, "autoplay");
+		if (!autoPlay || resolveStaticBoolean(autoPlay) !== true) return;
+		const muted = hasJsxPropIgnoreCase(node.attributes, "muted");
+		if (muted && resolveStaticBoolean(muted) !== false) return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$37
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/utils/create-relative-import-source.ts
 const createRelativeImportSource = (filename, targetFilePath) => {
 	const targetPathWithoutExtension = targetFilePath.slice(0, targetFilePath.length - path.extname(targetFilePath).length);
@@ -16429,6 +16873,109 @@ const noBarrelImport = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/function-contains-react-render-output.ts
+const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
+	"FunctionDeclaration",
+	"FunctionExpression",
+	"ArrowFunctionExpression",
+	"ClassDeclaration",
+	"ClassExpression"
+]);
+const isReactImport$1 = (symbol) => {
+	let importDeclaration = symbol.declarationNode?.parent;
+	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
+	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
+	return importDeclaration.source.value === "react";
+};
+const getImportedName = (symbol) => {
+	if (symbol.kind !== "import") return null;
+	if (!isReactImport$1(symbol)) return null;
+	return getImportedName$1(symbol.declarationNode) ?? null;
+};
+const isReactNamespaceImport = (symbol) => {
+	if (symbol.kind !== "import") return false;
+	if (!isReactImport$1(symbol)) return false;
+	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
+};
+const isReactCreateElementIdentifierCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "Identifier")) return false;
+	const symbol = scopes.symbolFor(callee);
+	return Boolean(symbol && getImportedName(symbol) === "createElement");
+};
+const isReactCreateElementMemberCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "MemberExpression")) return false;
+	if (callee.computed) return false;
+	if (!isNodeOfType(callee.object, "Identifier")) return false;
+	if (!isNodeOfType(callee.property, "Identifier")) return false;
+	if (callee.property.name !== "createElement") return false;
+	const symbol = scopes.symbolFor(callee.object);
+	return Boolean(symbol && isReactNamespaceImport(symbol));
+};
+const isReactCreateElementCall = (node, scopes) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
+};
+const containsRenderOutput = (node, rootNode, scopes) => {
+	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
+	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
+	if (isReactCreateElementCall(node, scopes)) return true;
+	const nodeRecord = node;
+	for (const key of Object.keys(nodeRecord)) {
+		if (key === "parent") continue;
+		const child = nodeRecord[key];
+		if (Array.isArray(child)) {
+			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
+		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
+	}
+	return false;
+};
+const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
+//#endregion
+//#region src/plugin/utils/is-component-declaration.ts
+const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
+//#endregion
+//#region src/plugin/rules/react-builtins/no-call-component-as-function.ts
+const message = (name) => `\`${name}\` is a component, so calling it as a plain function (\`${name}(...)\`) runs it outside React: its hooks break, it gets no fiber/state, and memoization is lost. Render it as \`<${name} />\` instead.`;
+const symbolIsLocalComponent = (symbol, context) => {
+	const declaration = symbol.declarationNode;
+	if (isComponentDeclaration(declaration)) return functionContainsReactRenderOutput(declaration, context.scopes);
+	if (isComponentAssignment(declaration) && symbol.initializer) return functionContainsReactRenderOutput(symbol.initializer, context.scopes);
+	return false;
+};
+const noCallComponentAsFunction = defineRule({
+	id: "no-call-component-as-function",
+	title: "Component called as a function",
+	severity: "warn",
+	tags: ["test-noise"],
+	recommendation: "Render components as JSX (`<Component />`), never call them like functions (`Component(props)`). A direct call runs the component outside React and breaks hooks, state, and memoization.",
+	create: (context) => {
+		const renderedJsxNames = /* @__PURE__ */ new Set();
+		const candidateCalls = [];
+		return {
+			JSXOpeningElement(node) {
+				if (isNodeOfType(node.name, "JSXIdentifier") && isUppercaseName(node.name.name)) renderedJsxNames.add(node.name.name);
+			},
+			CallExpression(node) {
+				if (isNodeOfType(node.callee, "Identifier") && isUppercaseName(node.callee.name)) candidateCalls.push({
+					node,
+					callee: node.callee,
+					name: node.callee.name
+				});
+			},
+			"Program:exit"() {
+				for (const candidate of candidateCalls) {
+					const symbol = context.scopes.symbolFor(candidate.callee);
+					if (!symbol) continue;
+					if (symbolIsLocalComponent(symbol, context) || symbol.kind === "import" && renderedJsxNames.has(candidate.name)) context.report({
+						node: candidate.node,
+						message: message(candidate.name)
+					});
+				}
+			}
+		};
+	}
+});
+//#endregion
 //#region src/plugin/utils/is-setter-identifier.ts
 const isSetterIdentifier = (name) => SETTER_PATTERN.test(name);
 //#endregion
@@ -16580,7 +17127,7 @@ const noChainStateUpdates = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-children-prop.ts
-const MESSAGE$27 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
+const MESSAGE$36 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
 const noChildrenProp = defineRule({
 	id: "no-children-prop",
 	title: "Children passed as a prop",
@@ -16592,7 +17139,7 @@ const noChildrenProp = defineRule({
 			if (node.name.name !== "children") return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$27
+				message: MESSAGE$36
 			});
 		},
 		CallExpression(node) {
@@ -16605,7 +17152,7 @@ const noChildrenProp = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "children" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "children") context.report({
 					node: propertyKey,
-					message: MESSAGE$27
+					message: MESSAGE$36
 				});
 			}
 		}
@@ -16613,7 +17160,7 @@ const noChildrenProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-clone-element.ts
-const MESSAGE$26 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
+const MESSAGE$35 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
 const noCloneElement = defineRule({
 	id: "no-clone-element",
 	title: "cloneElement makes child props fragile",
@@ -16626,7 +17173,7 @@ const noCloneElement = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "cloneElement") {
 			if (isImportedFromModule(node, "cloneElement", "react")) context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$35
 			});
 			return;
 		}
@@ -16639,7 +17186,7 @@ const noCloneElement = defineRule({
 			if (!isImportedFromModule(node, callee.object.name, "react")) return;
 			context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$35
 			});
 		}
 	} })
@@ -16688,7 +17235,7 @@ const enclosingComponentOrHookName = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-create-context-in-render.ts
-const MESSAGE$25 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
+const MESSAGE$34 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
 const CONTEXT_MODULES = [
 	"react",
 	"use-context-selector",
@@ -16724,7 +17271,32 @@ const noCreateContextInRender = defineRule({
 		if (!componentOrHookName) return;
 		context.report({
 			node,
-			message: `${MESSAGE$25} (called inside "${componentOrHookName}")`
+			message: `${MESSAGE$34} (called inside "${componentOrHookName}")`
+		});
+	} })
+});
+//#endregion
+//#region src/plugin/rules/react-builtins/no-create-ref-in-function-component.ts
+const MESSAGE$33 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
+const noCreateRefInFunctionComponent = defineRule({
+	id: "no-create-ref-in-function-component",
+	title: "createRef in function component",
+	severity: "warn",
+	recommendation: "Replace `createRef()` with the `useRef()` hook inside function components and hooks. `createRef` is only for class components.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isReactFunctionCall(node, "createRef")) return;
+		if (isNodeOfType(node.callee, "Identifier")) {
+			const symbol = context.scopes.symbolFor(node.callee);
+			if (symbol && symbol.kind !== "import") return;
+		}
+		const enclosingFunction = nearestEnclosingFunction(node);
+		if (!enclosingFunction) return;
+		const displayName = componentOrHookDisplayNameForFunction(enclosingFunction);
+		if (!displayName) return;
+		if (!(isReactHookName(displayName) || functionContainsReactRenderOutput(enclosingFunction, context.scopes))) return;
+		context.report({
+			node,
+			message: MESSAGE$33
 		});
 	} })
 });
@@ -16864,7 +17436,7 @@ const noCreateStoreInRender = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger.ts
-const MESSAGE$24 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
+const MESSAGE$32 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
 const noDanger = defineRule({
 	id: "no-danger",
 	title: "Raw HTML injection can run unsafe markup",
@@ -16877,7 +17449,7 @@ const noDanger = defineRule({
 			if (!propAttribute) return;
 			context.report({
 				node: propAttribute.name,
-				message: MESSAGE$24
+				message: MESSAGE$32
 			});
 		},
 		CallExpression(node) {
@@ -16889,7 +17461,7 @@ const noDanger = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "dangerouslySetInnerHTML" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "dangerouslySetInnerHTML") context.report({
 					node: propertyKey,
-					message: MESSAGE$24
+					message: MESSAGE$32
 				});
 			}
 		}
@@ -16897,7 +17469,7 @@ const noDanger = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger-with-children.ts
-const MESSAGE$23 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
+const MESSAGE$31 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
 const isLineBreak = (child) => {
 	if (!isNodeOfType(child, "JSXText")) return false;
 	return child.value.trim().length === 0 && child.value.includes("\n");
@@ -16967,7 +17539,7 @@ const noDangerWithChildren = defineRule({
 			if (!hasChildrenProp && !hasNestedChildren) return;
 			if (hasJsxPropIgnoreCase(opening.attributes, "dangerouslySetInnerHTML") || spreadPropsShape.hasDangerously) context.report({
 				node: opening,
-				message: MESSAGE$23
+				message: MESSAGE$31
 			});
 		},
 		CallExpression(node) {
@@ -16979,7 +17551,7 @@ const noDangerWithChildren = defineRule({
 			if (!propsShape.hasDangerously) return;
 			if (node.arguments.length >= 3 || propsShape.hasChildren) context.report({
 				node,
-				message: MESSAGE$23
+				message: MESSAGE$31
 			});
 		}
 	})
@@ -17144,6 +17716,37 @@ const noDefaultProps = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/utils/get-class-name-tokens.ts
+const getClassNameTokens = (classNameValue) => classNameValue.split(/\s+/).filter((token) => token.length > 0).map((token) => token.split(":").pop() ?? token);
+//#endregion
+//#region src/plugin/rules/design/no-deprecated-tailwind-class.ts
+const renameDeprecatedToken = (token) => {
+	if (token === "overflow-ellipsis") return "text-ellipsis";
+	if (token.startsWith("flex-shrink")) return token.replace("flex-shrink", "shrink");
+	if (token.startsWith("flex-grow")) return token.replace("flex-grow", "grow");
+	if (token.startsWith("bg-gradient-to-")) return token.replace("bg-gradient-to-", "bg-linear-to-");
+	return null;
+};
+const noDeprecatedTailwindClass = defineRule({
+	id: "no-deprecated-tailwind-class",
+	title: "Deprecated Tailwind v4 utility",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	requires: ["tailwind:4"],
+	recommendation: "Tailwind v4 renamed these utilities: `bg-gradient-*` → `bg-linear-*`, `flex-shrink-*` → `shrink-*`, `flex-grow-*` → `grow-*`, `overflow-ellipsis` → `text-ellipsis`. Use the new names.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		for (const token of getClassNameTokens(classNameValue)) {
+			const replacement = renameDeprecatedToken(token);
+			if (replacement) context.report({
+				node,
+				message: `\`${token}\` was renamed in Tailwind v4 and no longer applies — use \`${replacement}\`.`
+			});
+		}
+	} })
+});
+//#endregion
 //#region src/plugin/utils/is-initial-only-prop-name.ts
 const isInitialOnlyPropName = (propName) => {
 	if (propName === "initialValue" || propName === "defaultValue" || propName === "seedValue") return true;
@@ -17556,7 +18159,7 @@ const isSetStateCallInLifecycle = (setStateCall, lifecycleNames, options = {}) =
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-mount-set-state.ts
 const LIFECYCLE_NAMES$2 = new Set(["componentDidMount"]);
-const MESSAGE$22 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
+const MESSAGE$30 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
 const resolveSettings$20 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidMountSetState ?? {} : {}).mode ?? "allowed" };
@@ -17575,7 +18178,7 @@ const noDidMountSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$2, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$22
+				message: MESSAGE$30
 			});
 		} };
 	}
@@ -17583,7 +18186,7 @@ const noDidMountSetState = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-update-set-state.ts
 const LIFECYCLE_NAMES$1 = new Set(["componentDidUpdate"]);
-const MESSAGE$21 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$29 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$19 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -17602,7 +18205,7 @@ const noDidUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$1, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$21
+				message: MESSAGE$29
 			});
 		} };
 	}
@@ -17625,7 +18228,7 @@ const isStateMemberExpression = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-direct-mutation-state.ts
-const MESSAGE$20 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
+const MESSAGE$28 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
 const shouldIgnoreMutation = (node) => {
 	let isConstructor = false;
 	let isInsideCallExpression = false;
@@ -17647,7 +18250,7 @@ const reportIfStateMutation = (context, reportNode, target) => {
 	if (shouldIgnoreMutation(reportNode)) return;
 	context.report({
 		node: reportNode,
-		message: MESSAGE$20
+		message: MESSAGE$28
 	});
 };
 const noDirectMutationState = defineRule({
@@ -17857,6 +18460,26 @@ const noDocumentStartViewTransition = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-document-write.ts
+const MESSAGE$27 = "`document.write()` blocks parsing, is ignored (or wipes the page) after load, and is flagged by browsers as a performance anti-pattern. Build DOM nodes or set `innerHTML`/`textContent` on a target element instead.";
+const WRITE_METHODS = new Set(["write", "writeln"]);
+const noDocumentWrite = defineRule({
+	id: "no-document-write",
+	title: "document.write/writeln",
+	severity: "warn",
+	recommendation: "Don't use `document.write()`/`document.writeln()`. Append DOM nodes or set `innerHTML`/`textContent` on a specific element instead.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.object, "Identifier") || callee.object.name !== "document") return;
+		if (!isNodeOfType(callee.property, "Identifier") || !WRITE_METHODS.has(callee.property.name)) return;
+		context.report({
+			node,
+			message: MESSAGE$27
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/bundle-size/no-dynamic-import-path.ts
 const noDynamicImportPath = defineRule({
 	id: "no-dynamic-import-path",
@@ -19235,7 +19858,7 @@ const ALLOWED_NAMESPACES = new Set([
 	"ReactDOM",
 	"ReactDom"
 ]);
-const MESSAGE$19 = "`findDOMNode` crashes your app in React 19 because it was removed.";
+const MESSAGE$26 = "`findDOMNode` crashes your app in React 19 because it was removed.";
 const noFindDomNode = defineRule({
 	id: "no-find-dom-node",
 	title: "findDOMNode breaks component encapsulation",
@@ -19246,7 +19869,7 @@ const noFindDomNode = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "findDOMNode") {
 			context.report({
 				node: callee,
-				message: MESSAGE$19
+				message: MESSAGE$26
 			});
 			return;
 		}
@@ -19257,7 +19880,7 @@ const noFindDomNode = defineRule({
 			if (callee.property.name !== "findDOMNode") return;
 			context.report({
 				node: callee.property,
-				message: MESSAGE$19
+				message: MESSAGE$26
 			});
 		}
 	} })
@@ -19298,6 +19921,41 @@ const noFullLodashImport = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/design/no-full-viewport-width.ts
+const FULL_VIEWPORT_WIDTH_CLASS = /(?:^|\s)(?:min-)?w-(?:screen|\[100vw\])(?:$|\s)/;
+const WIDTH_KEYS = new Set(["width", "minWidth"]);
+const MESSAGE$25 = "`100vw` is wider than the viewport whenever a scrollbar is visible, so it triggers horizontal scroll on most desktops. Use `w-full` / `width: 100%` (with the parent's padding) for a full-bleed element.";
+const noFullViewportWidth = defineRule({
+	id: "no-full-viewport-width",
+	title: "Full viewport width causes overflow",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	recommendation: "Prefer `w-full` (`width: 100%`) over `w-screen` / `100vw`. `100vw` ignores the scrollbar gutter and overflows horizontally.",
+	create: (context) => ({
+		JSXAttribute(node) {
+			const expression = getInlineStyleExpression(node);
+			if (!expression) return;
+			for (const property of expression.properties ?? []) {
+				const key = getStylePropertyKey(property);
+				if (!key || !WIDTH_KEYS.has(key)) continue;
+				const value = getStylePropertyStringValue(property);
+				if (value && value.trim().toLowerCase() === "100vw") context.report({
+					node: property,
+					message: MESSAGE$25
+				});
+			}
+		},
+		JSXOpeningElement(node) {
+			const classNameValue = getStringFromClassNameAttr(node);
+			if (!classNameValue) return;
+			if (FULL_VIEWPORT_WIDTH_CLASS.test(classNameValue)) context.report({
+				node,
+				message: MESSAGE$25
+			});
+		}
+	})
+});
+//#endregion
 //#region src/plugin/rules/architecture/no-generic-handler-names.ts
 const noGenericHandlerNames = defineRule({
 	id: "no-generic-handler-names",
@@ -19320,64 +19978,6 @@ const noGenericHandlerNames = defineRule({
 	} })
 });
 //#endregion
-//#region src/plugin/utils/function-contains-react-render-output.ts
-const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
-	"FunctionDeclaration",
-	"FunctionExpression",
-	"ArrowFunctionExpression",
-	"ClassDeclaration",
-	"ClassExpression"
-]);
-const isReactImport$1 = (symbol) => {
-	let importDeclaration = symbol.declarationNode?.parent;
-	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
-	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
-	return importDeclaration.source.value === "react";
-};
-const getImportedName = (symbol) => {
-	if (symbol.kind !== "import") return null;
-	if (!isReactImport$1(symbol)) return null;
-	return getImportedName$1(symbol.declarationNode) ?? null;
-};
-const isReactNamespaceImport = (symbol) => {
-	if (symbol.kind !== "import") return false;
-	if (!isReactImport$1(symbol)) return false;
-	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
-};
-const isReactCreateElementIdentifierCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "Identifier")) return false;
-	const symbol = scopes.symbolFor(callee);
-	return Boolean(symbol && getImportedName(symbol) === "createElement");
-};
-const isReactCreateElementMemberCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "MemberExpression")) return false;
-	if (callee.computed) return false;
-	if (!isNodeOfType(callee.object, "Identifier")) return false;
-	if (!isNodeOfType(callee.property, "Identifier")) return false;
-	if (callee.property.name !== "createElement") return false;
-	const symbol = scopes.symbolFor(callee.object);
-	return Boolean(symbol && isReactNamespaceImport(symbol));
-};
-const isReactCreateElementCall = (node, scopes) => {
-	if (!isNodeOfType(node, "CallExpression")) return false;
-	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
-};
-const containsRenderOutput = (node, rootNode, scopes) => {
-	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
-	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
-	if (isReactCreateElementCall(node, scopes)) return true;
-	const nodeRecord = node;
-	for (const key of Object.keys(nodeRecord)) {
-		if (key === "parent") continue;
-		const child = nodeRecord[key];
-		if (Array.isArray(child)) {
-			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
-		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
-	}
-	return false;
-};
-const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
-//#endregion
 //#region src/plugin/rules/architecture/no-giant-component.ts
 const noGiantComponent = defineRule({
 	id: "no-giant-component",
@@ -19418,7 +20018,7 @@ const noGiantComponent = defineRule({
 });
 //#endregion
 //#region src/plugin/constants/style.ts
-const LAYOUT_PROPERTIES = new Set([
+const LAYOUT_PROPERTIES$1 = new Set([
 	"width",
 	"height",
 	"top",
@@ -19488,17 +20088,6 @@ const noGlobalCssVariableAnimation = defineRule({
 	} })
 });
 //#endregion
-//#region src/plugin/rules/design/utils/get-string-from-class-name-attr.ts
-const getStringFromClassNameAttr = (node) => {
-	if (!isNodeOfType(node, "JSXOpeningElement")) return null;
-	const classAttr = findJsxAttribute(node.attributes ?? [], "className");
-	if (!classAttr?.value) return null;
-	if (isNodeOfType(classAttr.value, "Literal") && typeof classAttr.value.value === "string") return classAttr.value.value;
-	if (isNodeOfType(classAttr.value, "JSXExpressionContainer") && isNodeOfType(classAttr.value.expression, "Literal") && typeof classAttr.value.expression.value === "string") return classAttr.value.expression.value;
-	if (isNodeOfType(classAttr.value, "JSXExpressionContainer") && isNodeOfType(classAttr.value.expression, "TemplateLiteral") && classAttr.value.expression.quasis?.length === 1) return classAttr.value.expression.quasis[0].value?.raw ?? null;
-	return null;
-};
-//#endregion
 //#region src/plugin/rules/design/no-gradient-text.ts
 const noGradientText = defineRule({
 	id: "no-gradient-text",
@@ -19556,6 +20145,26 @@ const noGrayOnColoredBackground = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/performance/no-img-lazy-with-high-fetchpriority.ts
+const MESSAGE$24 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
+const noImgLazyWithHighFetchpriority = defineRule({
+	id: "no-img-lazy-with-high-fetchpriority",
+	title: "Lazy image with high fetchPriority",
+	severity: "warn",
+	recommendation: "Don't combine `loading=\"lazy\"` with `fetchPriority=\"high\"`. A high-priority image (usually the LCP) should load eagerly; a lazy image is by definition not high priority.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier") || node.name.name !== "img") return;
+		const loadingAttribute = hasJsxPropIgnoreCase(node.attributes, "loading");
+		if (!loadingAttribute || getJsxPropStringValue(loadingAttribute)?.toLowerCase() !== "lazy") return;
+		const fetchPriorityAttribute = hasJsxPropIgnoreCase(node.attributes, "fetchPriority");
+		if (!fetchPriorityAttribute || getJsxPropStringValue(fetchPriorityAttribute)?.toLowerCase() !== "high") return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$24
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/state-and-effects/no-initialize-state.ts
 const noInitializeState = defineRule({
 	id: "no-initialize-state",
@@ -19785,8 +20394,31 @@ const noIsMounted = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-json-parse-stringify-clone.ts
+const MESSAGE$23 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
+const isJsonMethodCall = (node, method) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	const callee = node.callee;
+	return isNodeOfType(callee, "MemberExpression") && !callee.computed && isNodeOfType(callee.object, "Identifier") && callee.object.name === "JSON" && isNodeOfType(callee.property, "Identifier") && callee.property.name === method;
+};
+const noJsonParseStringifyClone = defineRule({
+	id: "no-json-parse-stringify-clone",
+	title: "JSON parse/stringify deep clone",
+	severity: "warn",
+	recommendation: "Replace `JSON.parse(JSON.stringify(value))` with `structuredClone(value)`. It is faster and preserves Dates, Maps, Sets, and cyclic references.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isJsonMethodCall(node, "parse")) return;
+		const firstArgument = node.arguments?.[0];
+		if (!firstArgument || !isJsonMethodCall(firstArgument, "stringify")) return;
+		context.report({
+			node,
+			message: MESSAGE$23
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/correctness/no-jsx-element-type.ts
-const MESSAGE$18 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
+const MESSAGE$22 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
 const isJsxElementTypeReference = (node) => {
 	if (!isNodeOfType(node, "TSTypeReference")) return false;
 	const typeName = node.typeName;
@@ -19803,7 +20435,7 @@ const checkReturnType = (context, returnType) => {
 	if (!typeAnnotation) return;
 	if (isJsxElementTypeReference(typeAnnotation)) context.report({
 		node: typeAnnotation,
-		message: MESSAGE$18
+		message: MESSAGE$22
 	});
 };
 const noJsxElementType = defineRule({
@@ -19913,7 +20545,7 @@ const noLayoutPropertyAnimation = defineRule({
 			let propertyName = null;
 			if (isNodeOfType(property.key, "Identifier")) propertyName = property.key.name;
 			else if (isNodeOfType(property.key, "Literal") && typeof property.key.value === "string") propertyName = property.key.value;
-			if (propertyName && LAYOUT_PROPERTIES.has(propertyName)) context.report({
+			if (propertyName && LAYOUT_PROPERTIES$1.has(propertyName)) context.report({
 				node: property,
 				message: `This stutters because animating "${propertyName}" makes the browser redo page layout every frame, so animate transform or scale instead, or use the layout prop`
 			});
@@ -20103,13 +20735,138 @@ const noLongTransitionDuration = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/design/utils/get-style-property-number-value.ts
+const getStylePropertyNumberValue = (property) => {
+	if (!isNodeOfType(property, "Property")) return null;
+	if (isNodeOfType(property.value, "Literal") && typeof property.value.value === "number") return property.value.value;
+	if (isNodeOfType(property.value, "UnaryExpression") && property.value.operator === "-" && isNodeOfType(property.value.argument, "Literal") && typeof property.value.argument.value === "number") return -property.value.argument.value;
+	return null;
+};
+//#endregion
+//#region src/plugin/rules/design/utils/get-wcag-contrast-ratio.ts
+const linearizeChannel = (channel) => {
+	const normalized = channel / 255;
+	return normalized <= .03928 ? normalized / 12.92 : Math.pow((normalized + .055) / 1.055, 2.4);
+};
+const relativeLuminance = (color) => .2126 * linearizeChannel(color.red) + .7152 * linearizeChannel(color.green) + .0722 * linearizeChannel(color.blue);
+const getWcagContrastRatio = (foreground, background) => {
+	const foregroundLuminance = relativeLuminance(foreground);
+	const backgroundLuminance = relativeLuminance(background);
+	const lighter = Math.max(foregroundLuminance, backgroundLuminance);
+	const darker = Math.min(foregroundLuminance, backgroundLuminance);
+	return (lighter + .05) / (darker + .05);
+};
+//#endregion
+//#region src/plugin/rules/design/no-low-contrast-inline-style.ts
+const UNRESOLVABLE = new Set([
+	"transparent",
+	"currentcolor",
+	"inherit",
+	"initial",
+	"unset",
+	"revert",
+	"none"
+]);
+const resolveOpaqueColor = (raw) => {
+	const value = raw.trim().toLowerCase();
+	if (UNRESOLVABLE.has(value)) return null;
+	if (value === "white") return {
+		red: 255,
+		green: 255,
+		blue: 255
+	};
+	if (value === "black") return {
+		red: 0,
+		green: 0,
+		blue: 0
+	};
+	if (value.startsWith("var(")) return null;
+	if (/^#(?:[0-9a-f]{4}|[0-9a-f]{8})$/.test(value)) return null;
+	if (value.startsWith("hsl") || value.startsWith("oklch")) return null;
+	if (value.startsWith("rgb")) {
+		const inner = value.slice(value.indexOf("(") + 1, value.lastIndexOf(")"));
+		if (inner.includes("/") || inner.split(",").length >= 4) return null;
+	}
+	return parseColorToRgb(value);
+};
+const toPx = (property) => {
+	const numberValue = getStylePropertyNumberValue(property);
+	if (numberValue !== null) return numberValue;
+	const stringValue = getStylePropertyStringValue(property);
+	if (stringValue === null) return null;
+	const pxMatch = stringValue.match(/^([\d.]+)px$/);
+	if (pxMatch) return parseFloat(pxMatch[1]);
+	const remMatch = stringValue.match(/^([\d.]+)rem$/);
+	if (remMatch) return parseFloat(remMatch[1]) * 16;
+	return null;
+};
+const isBoldWeight = (property) => {
+	const numberValue = getStylePropertyNumberValue(property);
+	if (numberValue !== null) return numberValue >= 700;
+	const stringValue = getStylePropertyStringValue(property);
+	if (stringValue === null) return false;
+	if (stringValue === "bold" || stringValue === "bolder") return true;
+	const numericWeight = Number(stringValue);
+	return Number.isFinite(numericWeight) && numericWeight >= 700;
+};
+const noLowContrastInlineStyle = defineRule({
+	id: "no-low-contrast-inline-style",
+	title: "Low-contrast text in inline style",
+	tags: ["test-noise"],
+	severity: "warn",
+	category: "Accessibility",
+	recommendation: "Text needs a WCAG contrast ratio of at least 4.5:1 (3:1 for large/bold text) against its background. Darken or lighten one of the colors until it passes.",
+	create: (context) => ({ JSXAttribute(node) {
+		const expression = getInlineStyleExpression(node);
+		if (!expression) return;
+		const properties = expression.properties ?? [];
+		if (properties.some((property) => property.type === "SpreadElement")) return;
+		let foreground = null;
+		let backgroundColorRaw = null;
+		let backgroundShorthandRaw = null;
+		let backgroundIsUnknown = false;
+		let fontSizePx = null;
+		let isBold = false;
+		for (const property of properties) {
+			const key = getStylePropertyKey(property);
+			if (!key) continue;
+			if (key === "backgroundImage") {
+				backgroundIsUnknown = true;
+				continue;
+			}
+			if (key === "fontSize" && property.type === "Property") {
+				fontSizePx = toPx(property);
+				continue;
+			}
+			if (key === "fontWeight" && property.type === "Property") {
+				isBold = isBoldWeight(property);
+				continue;
+			}
+			const stringValue = getStylePropertyStringValue(property);
+			if (key === "color") {
+				if (stringValue !== null) foreground = resolveOpaqueColor(stringValue);
+			} else if (key === "backgroundColor") backgroundColorRaw = stringValue;
+			else if (key === "background") if (stringValue === null) backgroundIsUnknown = true;
+			else backgroundShorthandRaw = stringValue;
+		}
+		if (backgroundIsUnknown) return;
+		if (backgroundColorRaw !== null && backgroundShorthandRaw !== null) return;
+		const backgroundRaw = backgroundColorRaw ?? backgroundShorthandRaw;
+		const background = backgroundRaw === null ? null : resolveOpaqueColor(backgroundRaw);
+		if (!foreground || !background) return;
+		const threshold = fontSizePx === null || fontSizePx >= 24 || isBold && fontSizePx >= 18.66 ? 3 : WCAG_CONTRAST_NORMAL_MIN;
+		const ratio = getWcagContrastRatio(foreground, background);
+		if (ratio < threshold) context.report({
+			node,
+			message: `Your users struggle to read this text: its contrast against the background is ${ratio.toFixed(2)}:1, below the ${threshold}:1 WCAG minimum, so darken or lighten one of the colors.`
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/utils/is-boolean-prefixed-prop-name.ts
 const BOOLEAN_PROP_PREFIX_PATTERN = /^(?:is|has|should|can|show|hide|enable|disable|with)[A-Z]/;
 const isBooleanPrefixedPropName = (propName) => BOOLEAN_PROP_PREFIX_PATTERN.test(propName);
 //#endregion
-//#region src/plugin/utils/is-component-declaration.ts
-const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
-//#endregion
 //#region src/plugin/rules/architecture/no-many-boolean-props.ts
 const collectBooleanLikePropsFromBody = (componentBody, propsParamName) => {
 	const found = /* @__PURE__ */ new Set();
@@ -20261,7 +21018,7 @@ const noMoment = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-multi-comp.ts
-const MESSAGE$17 = "This file declares several components, so each component is harder to find, test, and change.";
+const MESSAGE$21 = "This file declares several components, so each component is harder to find, test, and change.";
 const resolveSettings$16 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreStateless: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noMultiComp ?? {} : {}).ignoreStateless ?? false };
@@ -20583,7 +21340,7 @@ const noMultiComp = defineRule({
 			if (isSmallFeatureModule || isLargeFeatureModule || isVeryLargeFeatureModule) return;
 			for (const component of flagged.slice(1)) context.report({
 				node: component.reportNode,
-				message: MESSAGE$17
+				message: MESSAGE$21
 			});
 		} };
 	}
@@ -20751,7 +21508,7 @@ const resolveReducerFunction = (node, currentFilename) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-mutating-reducer-state.ts
-const MESSAGE$16 = "This reducer changes state in place, so your update is silently skipped.";
+const MESSAGE$20 = "This reducer changes state in place, so your update is silently skipped.";
 const SAME_REFERENCE_ARRAY_RETURN_METHODS = new Set([
 	"copyWithin",
 	"fill",
@@ -20961,7 +21718,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(options.crossFileConsumerCallSite);
 			context.report({
 				node: options.crossFileConsumerCallSite,
-				message: `${MESSAGE$16} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
+				message: `${MESSAGE$20} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
 			});
 			return;
 		}
@@ -20970,7 +21727,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(mutation.node);
 			context.report({
 				node: mutation.node,
-				message: MESSAGE$16
+				message: MESSAGE$20
 			});
 		}
 	};
@@ -21242,7 +21999,7 @@ const noNoninteractiveElementToInteractiveRole = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-noninteractive-tabindex.ts
-const MESSAGE$15 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
+const MESSAGE$19 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
 const resolveSettings$14 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noNoninteractiveTabindex ?? {} : {};
@@ -21270,7 +22027,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (numeric === null) {
 				if (isNodeOfType(tabIndexValue, "JSXExpressionContainer") && !settings.allowExpressionValues) context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$19
 				});
 				return;
 			}
@@ -21283,7 +22040,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (!roleAttribute) {
 				context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$19
 				});
 				return;
 			}
@@ -21297,20 +22054,12 @@ const noNoninteractiveTabindex = defineRule({
 			}
 			context.report({
 				node: tabIndex,
-				message: MESSAGE$15
+				message: MESSAGE$19
 			});
 		} };
 	}
 });
 //#endregion
-//#region src/plugin/rules/design/utils/get-style-property-number-value.ts
-const getStylePropertyNumberValue = (property) => {
-	if (!isNodeOfType(property, "Property")) return null;
-	if (isNodeOfType(property.value, "Literal") && typeof property.value.value === "number") return property.value.value;
-	if (isNodeOfType(property.value, "UnaryExpression") && property.value.operator === "-" && isNodeOfType(property.value.argument, "Literal") && typeof property.value.argument.value === "number") return -property.value.argument.value;
-	return null;
-};
-//#endregion
 //#region src/plugin/rules/design/no-outline-none.ts
 const noOutlineNone = defineRule({
 	id: "no-outline-none",
@@ -21988,7 +22737,7 @@ const noRandomKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-react-children.ts
-const MESSAGE$14 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
+const MESSAGE$18 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
 const isChildrenIdentifier = (node, contextNode) => {
 	if (!isNodeOfType(node, "Identifier") || node.name !== "Children") return false;
 	return isImportedFromModule(contextNode, "Children", "react");
@@ -22014,13 +22763,13 @@ const noReactChildren = defineRule({
 		if (isChildrenIdentifier(memberObject, node)) {
 			context.report({
 				node: calleeOuter,
-				message: MESSAGE$14
+				message: MESSAGE$18
 			});
 			return;
 		}
 		if (isReactNamespaceMember(memberObject, node)) context.report({
 			node: calleeOuter,
-			message: MESSAGE$14
+			message: MESSAGE$18
 		});
 	} })
 });
@@ -22131,6 +22880,86 @@ const noReact19DeprecatedApis = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/design/no-redundant-display-class.ts
+const BLOCK_DEFAULT_TAGS = new Set([
+	"div",
+	"p",
+	"section",
+	"article",
+	"main",
+	"header",
+	"footer",
+	"nav",
+	"aside",
+	"figure",
+	"figcaption",
+	"blockquote",
+	"form",
+	"fieldset",
+	"address",
+	"pre",
+	"ul",
+	"ol",
+	"dl",
+	"dt",
+	"dd",
+	"h1",
+	"h2",
+	"h3",
+	"h4",
+	"h5",
+	"h6"
+]);
+const INLINE_DEFAULT_TAGS = new Set([
+	"span",
+	"a",
+	"b",
+	"i",
+	"em",
+	"strong",
+	"small",
+	"code",
+	"abbr",
+	"cite",
+	"label",
+	"mark",
+	"q",
+	"s",
+	"u",
+	"sub",
+	"sup",
+	"kbd",
+	"samp",
+	"var",
+	"time"
+]);
+const STANDALONE_BLOCK = /(?:^|\s)block(?:$|\s)/;
+const STANDALONE_INLINE = /(?:^|\s)inline(?:$|\s)/;
+const noRedundantDisplayClass = defineRule({
+	id: "no-redundant-display-class",
+	title: "Redundant display utility",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	recommendation: "Drop the display class that matches the element's default (`block` on a `<div>`, `inline` on a `<span>`). It is pure noise; keep only display changes like `flex`, `grid`, or `hidden`.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		if (BLOCK_DEFAULT_TAGS.has(tagName) && STANDALONE_BLOCK.test(classNameValue)) {
+			context.report({
+				node,
+				message: `\`block\` is the default display of \`<${tagName}>\`, so the class does nothing — remove it.`
+			});
+			return;
+		}
+		if (INLINE_DEFAULT_TAGS.has(tagName) && STANDALONE_INLINE.test(classNameValue)) context.report({
+			node,
+			message: `\`inline\` is the default display of \`<${tagName}>\`, so the class does nothing — remove it.`
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/constants/aria-element-roles.ts
 const ELEMENT_ROLE_PAIRS = [
 	["a", "link"],
@@ -22343,7 +23172,7 @@ const noRenderPropChildren = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-render-return-value.ts
-const MESSAGE$13 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
+const MESSAGE$17 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
 const isReactDomRenderCall = (node) => {
 	if (!isNodeOfType(node.callee, "MemberExpression")) return false;
 	if (!isNodeOfType(node.callee.object, "Identifier")) return false;
@@ -22367,7 +23196,7 @@ const noRenderReturnValue = defineRule({
 		if (!isUsedAsReturnValue(node.parent)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$13
+			message: MESSAGE$17
 		});
 	} })
 });
@@ -22527,11 +23356,17 @@ const classifySecretFileExposure = (filename, options = {}) => {
 	return "unknown";
 };
 //#endregion
-//#region src/plugin/utils/get-identifier-trailing-word.ts
-const getIdentifierTrailingWord = (identifierName) => {
-	return identifierName.match(/[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g)?.at(-1)?.toLowerCase() ?? identifierName.toLowerCase();
+//#region src/plugin/utils/tokenize-identifier-words.ts
+const IDENTIFIER_WORD_PATTERN = /[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g;
+const tokenizeIdentifierWords = (identifierName) => {
+	const words = identifierName.match(IDENTIFIER_WORD_PATTERN);
+	if (!words) return [];
+	return words.map((word) => word.toLowerCase());
 };
 //#endregion
+//#region src/plugin/utils/get-identifier-trailing-word.ts
+const getIdentifierTrailingWord = (identifierName) => tokenizeIdentifierWords(identifierName).at(-1) ?? identifierName.toLowerCase();
+//#endregion
 //#region src/plugin/constants/tanstack.ts
 const TANSTACK_ROUTE_FILE_PATTERN = /\/routes\//;
 const TANSTACK_ROOT_ROUTE_FILE_PATTERN = /__root\.(tsx?|jsx?)$/;
@@ -23059,7 +23894,7 @@ const getParentComponent = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-set-state.ts
-const MESSAGE$12 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
+const MESSAGE$16 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
 const noSetState = defineRule({
 	id: "no-set-state",
 	title: "Local class state forbidden",
@@ -23074,7 +23909,7 @@ const noSetState = defineRule({
 		if (!getParentComponent(node)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$12
+			message: MESSAGE$16
 		});
 	} })
 });
@@ -23236,7 +24071,7 @@ const isAbstractRole = (openingElement, settings) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/no-static-element-interactions.ts
-const MESSAGE$11 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
+const MESSAGE$15 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
 const DEFAULT_HANDLERS = [
 	"onClick",
 	"onMouseDown",
@@ -23296,7 +24131,7 @@ const noStaticElementInteractions = defineRule({
 			if (!roleAttribute || !roleAttribute.value) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$15
 				});
 				return;
 			}
@@ -23306,19 +24141,66 @@ const noStaticElementInteractions = defineRule({
 				if (firstRole && (isInteractiveRole(firstRole) || isNonInteractiveRole(firstRole))) return;
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$15
 				});
 				return;
 			}
 			if (isNodeOfType(attributeValue, "JSXExpressionContainer") && settings.allowExpressionValues) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$11
+				message: MESSAGE$15
 			});
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/react-builtins/no-string-false-on-boolean-attribute.ts
+const BOOLEAN_ATTRIBUTES = new Set([
+	"disabled",
+	"checked",
+	"readonly",
+	"required",
+	"selected",
+	"multiple",
+	"autofocus",
+	"autoplay",
+	"controls",
+	"loop",
+	"muted",
+	"open",
+	"reversed",
+	"default",
+	"novalidate",
+	"formnovalidate",
+	"playsinline",
+	"itemscope",
+	"allowfullscreen"
+]);
+const noStringFalseOnBooleanAttribute = defineRule({
+	id: "no-string-false-on-boolean-attribute",
+	title: "String true/false on a boolean attribute",
+	severity: "warn",
+	recommendation: "Use the boolean form on boolean attributes: `disabled` / `disabled={true}` / `disabled={false}`, not `disabled=\"false\"`. A non-empty string is truthy, so `=\"false\"` actually turns the attribute ON.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const firstCharacter = node.name.name.charCodeAt(0);
+		if (firstCharacter < 97 || firstCharacter > 122) return;
+		for (const attribute of node.attributes) {
+			if (!isNodeOfType(attribute, "JSXAttribute")) continue;
+			if (!isNodeOfType(attribute.name, "JSXIdentifier")) continue;
+			if (!BOOLEAN_ATTRIBUTES.has(attribute.name.name.toLowerCase())) continue;
+			const value = getJsxPropStringValue(attribute);
+			if (value !== "false" && value !== "true") continue;
+			const attributeName = attribute.name.name;
+			const guidance = value === "false" ? `which React treats as truthy, so the attribute is applied even though you wrote "false". Use \`${attributeName}={false}\` (or omit the attribute) to keep it off` : `but a boolean attribute takes a boolean, not the string "true". Use \`${attributeName}\` or \`${attributeName}={true}\``;
+			context.report({
+				node: attribute,
+				message: `\`${attributeName}="${value}"\` passes the string "${value}", ${guidance}.`
+			});
+		}
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-string-refs.ts
 const STRING_IN_REF_MESSAGE = "Your component can't reach this node because string refs don't work in modern React.";
 const THIS_REFS_MESSAGE = "Your component can't reach its nodes because `this.refs` is empty in modern React.";
@@ -23369,8 +24251,154 @@ const noStringRefs = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/design/no-svg-currentcolor-with-fill-class.ts
+const hasColorUtility = (classNameValue, prefix) => classNameValue.split(/\s+/).some((token) => {
+	if (token.includes(":")) return false;
+	if (!token.startsWith(prefix)) return false;
+	const value = token.slice(prefix.length);
+	if (value === "" || value === "current") return false;
+	if (/^\d/.test(value) || /^\[\d/.test(value)) return false;
+	return true;
+});
+const isCurrentColor = (attribute) => {
+	const value = getJsxPropStringValue(attribute);
+	return value !== null && value.trim().toLowerCase() === "currentcolor";
+};
+const noSvgCurrentcolorWithFillClass = defineRule({
+	id: "no-svg-currentcolor-with-fill-class",
+	title: "currentColor fights a fill/stroke class",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	recommendation: "Pick one source of truth: drop the `fill=\"currentColor\"` attribute and keep the `fill-*` class, or use `fill-current` to inherit the text color. Having both means the class silently wins.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		for (const paint of ["fill", "stroke"]) {
+			const attribute = findJsxAttribute(node.attributes, paint);
+			if (attribute && isCurrentColor(attribute) && hasColorUtility(classNameValue, `${paint}-`)) {
+				context.report({
+					node: attribute,
+					message: `\`${paint}="currentColor"\` and a \`${paint}-*\` color class on the same element conflict — the class wins. Remove one, or use \`${paint}-current\` to inherit the text color.`
+				});
+				return;
+			}
+		}
+	} })
+});
+//#endregion
+//#region src/plugin/rules/js-performance/no-sync-xhr.ts
+const MESSAGE$14 = "A synchronous `XMLHttpRequest` (`.open(method, url, false)`) freezes the main thread until the request finishes, blocking all rendering and input. Use `fetch()` or an async XHR (`open(method, url, true)`).";
+const isFalseLiteral = (node) => isNodeOfType(node, "Literal") && node.value === false;
+const noSyncXhr = defineRule({
+	id: "no-sync-xhr",
+	title: "Synchronous XMLHttpRequest",
+	severity: "warn",
+	recommendation: "Never open an XMLHttpRequest synchronously (`async` = `false`). It blocks the main thread. Use `fetch()` or pass `true` and handle the response asynchronously.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "open") return;
+		const asyncArgument = node.arguments?.[2];
+		if (!asyncArgument || !isFalseLiteral(stripParenExpression(asyncArgument))) return;
+		context.report({
+			node,
+			message: MESSAGE$14
+		});
+	} })
+});
+//#endregion
+//#region src/plugin/rules/design/no-tailwind-layout-transition.ts
+const ARBITRARY_TRANSITION_PROPERTY = /transition-\[([^\]]+)\]/g;
+const LAYOUT_PROPERTIES = new Set([
+	"width",
+	"height",
+	"min-width",
+	"max-width",
+	"min-height",
+	"max-height",
+	"top",
+	"left",
+	"right",
+	"bottom",
+	"inset",
+	"inset-block",
+	"inset-inline",
+	"margin",
+	"margin-top",
+	"margin-right",
+	"margin-bottom",
+	"margin-left",
+	"margin-block",
+	"margin-inline",
+	"padding",
+	"padding-top",
+	"padding-right",
+	"padding-bottom",
+	"padding-left",
+	"padding-block",
+	"padding-inline"
+]);
+const noTailwindLayoutTransition = defineRule({
+	id: "no-tailwind-layout-transition",
+	title: "Animating a layout property",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	category: "Performance",
+	recommendation: "Animate `transform` and `opacity` instead, since they skip layout and run on the compositor. For height, animate `grid-template-rows` from `0fr` to `1fr`.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		for (const transitionMatch of classNameValue.matchAll(ARBITRARY_TRANSITION_PROPERTY)) {
+			const animatedProperties = transitionMatch[1];
+			const layoutProperty = animatedProperties.split(",").map((property) => property.trim()).find((property) => LAYOUT_PROPERTIES.has(property));
+			if (layoutProperty) context.report({
+				node,
+				message: `Your users see janky animation because \`transition-[${animatedProperties}]\` animates "${layoutProperty}", a layout property the browser recomputes every frame, so animate transform & opacity instead.`
+			});
+		}
+	} })
+});
+//#endregion
+//#region src/plugin/rules/a11y/no-target-blank-without-rel.ts
+const MESSAGE$13 = "`<a target=\"_blank\">` without `rel=\"noopener\"` lets the opened page script your tab via `window.opener` (reverse tabnabbing). Add `rel=\"noopener noreferrer\"`.";
+const targetIsBlank = (attribute) => {
+	const stringValue = getJsxPropStringValue(attribute);
+	if (stringValue !== null) return stringValue === "_blank";
+	const value = attribute.value;
+	if (value && isNodeOfType(value, "JSXExpressionContainer")) {
+		const expression = value.expression;
+		if (isNodeOfType(expression, "Literal") && expression.value === "_blank") return true;
+	}
+	return false;
+};
+const noTargetBlankWithoutRel = defineRule({
+	id: "no-target-blank-without-rel",
+	title: "target=_blank without rel=noopener",
+	severity: "warn",
+	recommendation: "Add `rel=\"noopener noreferrer\"` to every `target=\"_blank\"` link. `noopener` blocks reverse tabnabbing; `noreferrer` also strips the `Referer` header.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		if (tagName !== "a" && tagName !== "area") return;
+		if (hasJsxSpreadAttribute(node.attributes)) return;
+		const targetAttribute = findJsxAttribute(node.attributes, "target");
+		if (!targetAttribute || !targetIsBlank(targetAttribute)) return;
+		const relAttribute = findJsxAttribute(node.attributes, "rel");
+		if (relAttribute) {
+			const relValue = getJsxPropStringValue(relAttribute);
+			if (relValue === null) return;
+			const tokens = relValue.toLowerCase().split(/\s+/);
+			if (tokens.includes("noopener") || tokens.includes("noreferrer")) return;
+		}
+		context.report({
+			node: node.name,
+			message: MESSAGE$13
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-this-in-sfc.ts
-const MESSAGE$10 = "This value is `undefined` because function components have no `this`.";
+const MESSAGE$12 = "This value is `undefined` because function components have no `this`.";
 const isInsideClassMethod = (node, customClassFactoryNames) => {
 	let ancestor = node.parent;
 	while (ancestor) {
@@ -23439,7 +24467,7 @@ const noThisInSfc = defineRule({
 			if (!looksLikeFunctionComponent(enclosingFunction)) return;
 			context.report({
 				node,
-				message: MESSAGE$10
+				message: MESSAGE$12
 			});
 		} };
 	}
@@ -23477,26 +24505,39 @@ const noTinyText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/performance/no-transition-all.ts
+const hasTransitionAllClass = (classNameValue) => getClassNameTokens(classNameValue).some((token) => token === "transition-all");
+const TAILWIND_MESSAGE = "Your users see janky animation because `transition-all` animates every property that changes, including expensive layout ones and instant ones like focus rings. Name the properties: `transition-colors`, `transition-opacity`, or `transition-transform`.";
 const noTransitionAll = defineRule({
 	id: "no-transition-all",
 	title: "transition: all animates everything",
 	tags: ["test-noise"],
 	severity: "warn",
 	recommendation: "List the specific properties: `transition: \"opacity 200ms, transform 200ms\"`. In Tailwind, use `transition-colors`, `transition-opacity`, or `transition-transform`",
-	create: (context) => ({ JSXAttribute(node) {
-		if (!isNodeOfType(node.name, "JSXIdentifier") || node.name.name !== "style") return;
-		if (!isNodeOfType(node.value, "JSXExpressionContainer")) return;
-		const expression = node.value.expression;
-		if (!isNodeOfType(expression, "ObjectExpression")) return;
-		for (const property of expression.properties ?? []) {
-			if (!isNodeOfType(property, "Property")) continue;
-			if ((isNodeOfType(property.key, "Identifier") ? property.key.name : null) !== "transition") continue;
-			if (isNodeOfType(property.value, "Literal") && typeof property.value.value === "string" && property.value.value.startsWith("all")) context.report({
-				node: property,
-				message: "This can stutter because transition: \"all\" animates every property, even slow layout ones, so list only the properties you actually change"
+	create: (context) => ({
+		JSXAttribute(node) {
+			if (!isNodeOfType(node.name, "JSXIdentifier") || node.name.name !== "style") return;
+			if (!isNodeOfType(node.value, "JSXExpressionContainer")) return;
+			const expression = node.value.expression;
+			if (!isNodeOfType(expression, "ObjectExpression")) return;
+			for (const property of expression.properties ?? []) {
+				if (!isNodeOfType(property, "Property")) continue;
+				const key = isNodeOfType(property.key, "Identifier") ? property.key.name : null;
+				if (key !== "transition" && key !== "transitionProperty") continue;
+				if (isNodeOfType(property.value, "Literal") && typeof property.value.value === "string" && property.value.value.trim().startsWith("all")) context.report({
+					node: property,
+					message: "This can stutter because transition: \"all\" animates every property, even slow layout ones, so list only the properties you actually change"
+				});
+			}
+		},
+		JSXOpeningElement(node) {
+			const classNameValue = getStringFromClassNameAttr(node);
+			if (!classNameValue) return;
+			if (hasTransitionAllClass(classNameValue)) context.report({
+				node,
+				message: TAILWIND_MESSAGE
 			});
 		}
-	} })
+	})
 });
 //#endregion
 //#region src/plugin/rules/correctness/no-uncontrolled-input.ts
@@ -23540,7 +24581,6 @@ const collectUndefinedInitialStateNames = (componentBody) => {
 	}
 	return stateNames;
 };
-const hasJsxSpreadAttribute = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
 const noUncontrolledInput = defineRule({
 	id: "no-uncontrolled-input",
 	title: "Uncontrolled input value",
@@ -23644,6 +24684,38 @@ const noUnescapedEntities = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/a11y/no-uninformative-aria-label.ts
+const UNINFORMATIVE_LABELS = new Set([
+	"icon",
+	"button",
+	"image",
+	"img",
+	"link",
+	"graphic",
+	"svg",
+	"picture",
+	"element",
+	"field",
+	"input"
+]);
+const MESSAGE$11 = "An `aria-label` should name the action or destination, not the element type — this value tells screen-reader users nothing. Use something like `aria-label=\"Search\"` or `aria-label=\"Close dialog\"`.";
+const noUninformativeAriaLabel = defineRule({
+	id: "no-uninformative-aria-label",
+	title: "Uninformative aria-label",
+	severity: "warn",
+	recommendation: "Name the action, not the element type: `aria-label=\"Search\"`, not `aria-label=\"icon\"` or `aria-label=\"button\"`.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const ariaLabel = findJsxAttribute(node.attributes, "aria-label");
+		if (!ariaLabel) return;
+		const labelValue = getJsxPropStringValue(ariaLabel);
+		if (labelValue === null) return;
+		if (UNINFORMATIVE_LABELS.has(labelValue.trim().toLowerCase())) context.report({
+			node: ariaLabel,
+			message: MESSAGE$11
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/constants/dom-aria-properties.ts
 const ARIA_PROPERTY_NAMES = new Set([
 	"activedescendant",
@@ -25115,7 +26187,7 @@ const noWideLetterSpacing = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-will-update-set-state.ts
 const LIFECYCLE_NAMES = new Set(["componentWillUpdate", "UNSAFE_componentWillUpdate"]);
-const MESSAGE$9 = "Calling setState in componentWillUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$10 = "Calling setState in componentWillUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$7 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noWillUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -25149,7 +26221,7 @@ const noWillUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, activeLifecycleNames, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$9
+				message: MESSAGE$10
 			});
 		} };
 	}
@@ -26027,7 +27099,7 @@ const preactNoRenderArguments = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/preact/preact-prefer-ondblclick.ts
-const MESSAGE$8 = "Your users get no response from `onDoubleClick` in Preact core, where it never fires, so use `onDblClick` instead, which matches the DOM event name.";
+const MESSAGE$9 = "Your users get no response from `onDoubleClick` in Preact core, where it never fires, so use `onDblClick` instead, which matches the DOM event name.";
 const preactPreferOndblclick = defineRule({
 	id: "preact-prefer-ondblclick",
 	title: "onDoubleClick instead of onDblClick",
@@ -26042,7 +27114,7 @@ const preactPreferOndblclick = defineRule({
 		if (!onDoubleClickAttribute) return;
 		context.report({
 			node: onDoubleClickAttribute,
-			message: MESSAGE$8
+			message: MESSAGE$9
 		});
 	} })
 });
@@ -26082,6 +27154,42 @@ const preactPreferOninput = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/design/prefer-dvh-over-vh.ts
+const FULL_VIEWPORT_HEIGHT_CLASS = /(?:^|\s)(?:\w+:)*(?:min-)?h-(?:screen|\[100vh\])(?=$|[\s])/;
+const HEIGHT_KEYS = new Set(["height", "minHeight"]);
+const MESSAGE$8 = "`100vh` is taller than the visible viewport on mobile (it ignores the browser's dynamic toolbars), so full-height layouts get clipped. Use the dynamic-viewport unit: `h-dvh` / `min-h-dvh` (or `100dvh`).";
+const preferDvhOverVh = defineRule({
+	id: "prefer-dvh-over-vh",
+	title: "Use dvh instead of vh for full height",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	requires: ["tailwind:3.4"],
+	recommendation: "Prefer `dvh` over `vh` for full-height elements. `100vh` overflows under mobile browser chrome; `100dvh` tracks the visible viewport. (`h-dvh`/`min-h-dvh` need Tailwind 3.4+.)",
+	create: (context) => ({
+		JSXAttribute(node) {
+			const expression = getInlineStyleExpression(node);
+			if (!expression) return;
+			for (const property of expression.properties ?? []) {
+				const key = getStylePropertyKey(property);
+				if (!key || !HEIGHT_KEYS.has(key)) continue;
+				const value = getStylePropertyStringValue(property);
+				if (value && value.trim().toLowerCase() === "100vh") context.report({
+					node: property,
+					message: MESSAGE$8
+				});
+			}
+		},
+		JSXOpeningElement(node) {
+			const classNameValue = getStringFromClassNameAttr(node);
+			if (!classNameValue) return;
+			if (FULL_VIEWPORT_HEIGHT_CLASS.test(classNameValue)) context.report({
+				node,
+				message: MESSAGE$8
+			});
+		}
+	})
+});
+//#endregion
 //#region src/plugin/rules/bundle-size/prefer-dynamic-import.ts
 const preferDynamicImport = defineRule({
 	id: "prefer-dynamic-import",
@@ -26673,6 +27781,26 @@ const preferTagOverRole = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/design/prefer-truncate-shorthand.ts
+const HAS_OVERFLOW_HIDDEN = /(?:^|\s)overflow-hidden(?:$|\s)/;
+const HAS_TEXT_ELLIPSIS = /(?:^|\s)text-ellipsis(?:$|\s)/;
+const HAS_WHITESPACE_NOWRAP = /(?:^|\s)whitespace-nowrap(?:$|\s)/;
+const preferTruncateShorthand = defineRule({
+	id: "prefer-truncate-shorthand",
+	title: "Use truncate shorthand",
+	tags: ["design", "test-noise"],
+	severity: "warn",
+	recommendation: "Replace `overflow-hidden text-ellipsis whitespace-nowrap` with the single Tailwind `truncate` utility, which sets all three.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		const classNameValue = getStringFromClassNameAttr(node);
+		if (!classNameValue) return;
+		if (HAS_OVERFLOW_HIDDEN.test(classNameValue) && HAS_TEXT_ELLIPSIS.test(classNameValue) && HAS_WHITESPACE_NOWRAP.test(classNameValue)) context.report({
+			node,
+			message: "`overflow-hidden text-ellipsis whitespace-nowrap` is exactly what the `truncate` utility does — collapse the three classes into `truncate`."
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/state-and-effects/prefer-use-effect-event.ts
 const collectFunctionTypedLocalBindings = (componentBody) => {
 	const functionTypedLocals = /* @__PURE__ */ new Set();
@@ -27035,6 +28163,8 @@ const publicEnvSecretName = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/tanstack-query/query-destructure-result.ts
+const TANSTACK_QUERY_PACKAGE_PATTERN = /^@tanstack\/[\w-]*query[\w-]*$/;
+const isTanstackQuerySource = (source) => TANSTACK_QUERY_PACKAGE_PATTERN.test(source) || source === "react-query";
 const queryDestructureResult = defineRule({
 	id: "query-destructure-result",
 	title: "Whole query result subscribes to every field",
@@ -27047,6 +28177,8 @@ const queryDestructureResult = defineRule({
 		if (!node.init || !isNodeOfType(node.init, "CallExpression")) return;
 		const calleeName = isNodeOfType(node.init.callee, "Identifier") ? node.init.callee.name : null;
 		if (!calleeName || !TANSTACK_QUERY_HOOKS.has(calleeName)) return;
+		const importSource = getImportSourceForName(node, calleeName);
+		if (importSource !== null && !isTanstackQuerySource(importSource)) return;
 		context.report({
 			node: node.id,
 			message: `Destructure ${calleeName}() results instead of assigning the whole query object, so TanStack Query only subscribes to the fields you use.`
@@ -27889,6 +29021,7 @@ const repositorySecretFile = defineRule({
 	id: "repository-secret-file",
 	title: "Secret file checked into repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove committed env files, service-account credentials, npm auth tokens, and webhook URLs; rotate exposed values and keep only redacted examples in source.",
 	scan: (file) => {
 		if (!isRepositorySecretFilePath(file.relativePath)) return [];
@@ -27905,6 +29038,20 @@ const repositorySecretFile = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/request-body-mass-assignment.ts
+const REQUEST_INPUT_SOURCE = "(?:req|request|ctx\\.req|ctx\\.request)\\.(?:body|query|params)|await\\s+(?:req|request)\\.json\\(\\s*\\)";
+const requestBodyMassAssignment = defineRule({
+	id: "request-body-mass-assignment",
+	title: "Request input spread without field allowlist",
+	severity: "warn",
+	recommendation: "Assign explicit, allowlisted fields (or validate with a strict schema and no `.passthrough()`) instead of spreading/merging request input. Otherwise the client can set ownership, role, or price columns (mass assignment) or pollute the prototype.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: [new RegExp(`\\.\\.\\.\\s*(?:${REQUEST_INPUT_SOURCE})`, "i"), new RegExp(`(?:Object\\.assign\\s*\\(|_\\.(?:merge|mergeWith|defaultsDeep)\\s*\\(|(?:^|[^.\\w])(?:merge|defaultsDeep)\\s*\\()[\\s\\S]{0,80}?(?:${REQUEST_INPUT_SOURCE})`, "i")],
+		message: "Request input is spread or merged into an object without a field allowlist, enabling mass assignment (client-set owner/role/price fields) or prototype pollution."
+	})
+});
+//#endregion
 //#region src/plugin/utils/function-body-has-return-with-value.ts
 const functionBodyHasReturnWithValue = (functionNode) => {
 	if (functionNode.type === "ArrowFunctionExpression" && "body" in functionNode) {
@@ -34330,6 +35477,17 @@ const scope = defineRule({
 		});
 	} })
 });
+const secretInFallback = defineRule({
+	id: "secret-in-fallback",
+	title: "Hardcoded secret fallback for env var",
+	severity: "error",
+	recommendation: "Remove the literal fallback and fail closed (throw when the variable is unset). The hardcoded value is a committed secret, and the `??`/`||` default makes the app run with it in any environment that forgot to set the var.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\bprocess\.env\.(?![A-Z0-9_]*(?:PUBLIC|PUBLISHABLE|ANON)\b)[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_?KEY|APIKEY|ACCESS_KEY|CLIENT_SECRET|CREDENTIAL|SIGNING_KEY|ENCRYPTION_KEY|WEBHOOK_SECRET|SERVICE_ROLE)[A-Z0-9_]*(?<!_(?:NAME|HEADER|ENDPOINT|URL|URI|ID|PREFIX|SUFFIX|PARAM|PARAMS|FIELD|ISSUER|AUDIENCE|ALGORITHM|ALG|REGION|BUCKET|HOST|HOSTNAME|PORT|PATH|VERSION|SCOPE|TYPE|FORMAT|EXPIRY|TTL))\s*(?:\?\?|\|\|)\s*(["'`])(?!(?:changeme|change[_-]?me|placeholder|your[_-]|example|sample|dummy|development|local|todo|replace[_-]?me|https?:\/\/|x{3,}|\*{3,}))[^"'`\n]{8,}\1/i,
+		message: "A secret env var has a hardcoded string fallback: the literal is a committed secret and the app fails open (uses it) when the variable is unset."
+	})
+});
 //#endregion
 //#region src/plugin/rules/react-builtins/self-closing-comp.ts
 const MESSAGE$2 = "This tag has no children, so the closing tag adds noise without changing output.";
@@ -34448,6 +35606,47 @@ const serverAfterNonblocking = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/is-auth-guard-name.ts
+const SIGNED_IN_HEAD_TOKENS = new Set([
+	"signed",
+	"logged",
+	"sign"
+]);
+const mergeSignedInTokens = (tokens) => {
+	const mergedTokens = [];
+	for (let tokenIndex = 0; tokenIndex < tokens.length; tokenIndex += 1) {
+		const currentToken = tokens[tokenIndex];
+		if (SIGNED_IN_HEAD_TOKENS.has(currentToken) && tokens[tokenIndex + 1] === "in") {
+			mergedTokens.push(`${currentToken}in`);
+			tokenIndex += 1;
+			continue;
+		}
+		mergedTokens.push(currentToken);
+	}
+	return mergedTokens;
+};
+const isAuthGuardName = (calleeName) => {
+	const tokens = mergeSignedInTokens(tokenizeIdentifierWords(calleeName));
+	if (tokens.length === 0) return false;
+	let hasAssertiveVerb = false;
+	let hasGetterVerb = false;
+	let hasQualifier = false;
+	let hasStrongNoun = false;
+	let hasWeakNoun = false;
+	for (const token of tokens) {
+		if (AUTH_STRONG_TOKEN_PATTERN.test(token) || AUTH_STANDALONE_NOUN_TOKENS.has(token)) return true;
+		if (AUTH_ASSERTIVE_VERB_TOKENS.has(token)) hasAssertiveVerb = true;
+		if (AUTH_GETTER_VERB_TOKENS.has(token)) hasGetterVerb = true;
+		if (AUTH_QUALIFIER_TOKENS.has(token)) hasQualifier = true;
+		if (AUTH_STRONG_NOUN_TOKENS.has(token)) hasStrongNoun = true;
+		if (AUTH_WEAK_NOUN_TOKENS.has(token)) hasWeakNoun = true;
+	}
+	if (hasAssertiveVerb && (hasStrongNoun || hasWeakNoun)) return true;
+	if (hasGetterVerb && hasStrongNoun) return true;
+	if (hasQualifier && hasWeakNoun) return true;
+	return false;
+};
+//#endregion
 //#region src/plugin/rules/server/server-auth-actions.ts
 const isAsyncFunctionLikeNode = (node) => {
 	if (!node) return false;
@@ -34490,9 +35689,13 @@ const isMemberCallAuthRelated = (receiverNode, methodName, genericMethodNames) =
 const getAuthCallName = (callExpression, allowedFunctionNames, genericMethodNames) => {
 	const calleeNode = unwrapTypeWrappedCallee(callExpression.callee);
 	if (!calleeNode) return null;
-	if (isNodeOfType(calleeNode, "Identifier")) return allowedFunctionNames.has(calleeNode.name) ? calleeNode.name : null;
+	if (isNodeOfType(calleeNode, "Identifier")) {
+		const calleeName = calleeNode.name;
+		return allowedFunctionNames.has(calleeName) || isAuthGuardName(calleeName) ? calleeName : null;
+	}
 	if (isNodeOfType(calleeNode, "MemberExpression") && isNodeOfType(calleeNode.property, "Identifier")) {
 		const methodName = calleeNode.property.name;
+		if (isAuthGuardName(methodName)) return methodName;
 		if (!allowedFunctionNames.has(methodName)) return null;
 		if (!isMemberCallAuthRelated(calleeNode.object, methodName, genericMethodNames)) return null;
 		return methodName;
@@ -35139,8 +36342,11 @@ const supabaseClientOwnedAuthzField = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-supabase-migration-path.ts
+const isSupabaseMigrationPath = (relativePath) => /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+//#endregion
 //#region src/plugin/rules/security-scan/utils/is-sql-path.ts
-const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || isSupabaseMigrationPath(relativePath);
 const supabaseRlsPolicyRisk = defineRule({
 	id: "supabase-rls-policy-risk",
 	title: "Permissive Supabase RLS policy",
@@ -35158,6 +36364,210 @@ const supabaseRlsPolicyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/sanitize-sql-for-scan.ts
+const DOLLAR_QUOTE_TAG_PATTERN = /^\$[A-Za-z_]?\w*\$/;
+const CODE_BODY_KEYWORDS = new Set([
+	"do",
+	"plpgsql",
+	"sql",
+	"plpython3u",
+	"plpythonu",
+	"plperl",
+	"plperlu",
+	"plv8"
+]);
+const precedingKeyword = (content, beforeIndex) => {
+	let lookBack = beforeIndex - 1;
+	while (lookBack >= 0 && /\s/.test(content[lookBack] ?? "")) lookBack -= 1;
+	let wordStart = lookBack;
+	while (wordStart >= 0 && /[A-Za-z0-9_]/.test(content[wordStart] ?? "")) wordStart -= 1;
+	return content.slice(wordStart + 1, lookBack + 1).toLowerCase();
+};
+const blankCodeBodyInterior = (content, characters, start, end) => {
+	let index = start;
+	let inExecuteStatement = false;
+	while (index < end) {
+		const character = content[index];
+		if (character === ";") {
+			inExecuteStatement = false;
+			index += 1;
+			continue;
+		}
+		if (/[A-Za-z_]/.test(character)) {
+			let wordEnd = index;
+			while (wordEnd < end && /[A-Za-z0-9_]/.test(content[wordEnd] ?? "")) wordEnd += 1;
+			if (content.slice(index, wordEnd).toLowerCase() === "execute") inExecuteStatement = true;
+			index = wordEnd;
+			continue;
+		}
+		if (character === "'") {
+			const keepVisible = inExecuteStatement;
+			if (!keepVisible) characters[index] = " ";
+			index += 1;
+			while (index < end) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						if (!keepVisible) {
+							characters[index] = " ";
+							characters[index + 1] = " ";
+						}
+						index += 2;
+						continue;
+					}
+					if (!keepVisible) characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (!keepVisible && content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < end) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < end && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < end) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+};
+const sanitizeSqlForScan = (content) => {
+	const characters = content.split("");
+	let index = 0;
+	while (index < content.length) {
+		const character = content[index];
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < content.length && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < content.length) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "'") {
+			characters[index] = " ";
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						characters[index] = " ";
+						characters[index + 1] = " ";
+						index += 2;
+						continue;
+					}
+					characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "$") {
+			const tagMatch = DOLLAR_QUOTE_TAG_PATTERN.exec(content.slice(index));
+			if (tagMatch !== null) {
+				const tag = tagMatch[0];
+				const closeIndex = content.indexOf(tag, index + tag.length);
+				const endIndex = closeIndex < 0 ? content.length : closeIndex + tag.length;
+				const keyword = precedingKeyword(content, index);
+				if (CODE_BODY_KEYWORDS.has(keyword)) blankCodeBodyInterior(content, characters, index + tag.length, endIndex);
+				else for (let blankIndex = index; blankIndex < endIndex; blankIndex += 1) if (content[blankIndex] !== "\n") characters[blankIndex] = " ";
+				index = endIndex;
+				continue;
+			}
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+	return characters.join("");
+};
+//#endregion
+//#region src/plugin/rules/security-scan/supabase-table-missing-rls.ts
+const CREATE_PUBLIC_TABLE_PATTERN = /create\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?(?!(?:auth|storage|realtime|vault|extensions|graphql|graphql_public|pgbouncer|net|supabase_functions|supabase_migrations|cron|pgsodium|pgmq|information_schema|pg_catalog|pg_temp|private|internal)\s*\.)(?:public\s*\.\s*)?["`]?([A-Za-z_][\w$]*)["`]?(?:\s*\(|\s+as\b)/gi;
+const enableRlsForTablePattern = (tableName) => new RegExp(`alter\\s+table\\s+(?:if\\s+exists\\s+)?(?:only\\s+)?(?:public\\s*\\.\\s*)?["\`]?${escapeRegExp(tableName)}["\`]?\\s+(?:force\\s+)?enable\\s+row\\s+level\\s+security`, "i");
+const supabaseTableMissingRls = defineRule({
+	id: "supabase-table-missing-rls",
+	title: "Supabase table created without Row Level Security",
+	severity: "error",
+	recommendation: "Enable RLS in the same migration (`alter table <name> enable row level security;`) and add `auth.uid()`-scoped policies for select/insert/update/delete. A public table without RLS is fully readable and writable with the public anon key.",
+	scan: (file) => {
+		if (!isSupabaseMigrationPath(file.relativePath)) return [];
+		const content = sanitizeSqlForScan(file.content);
+		if (!/create\s+(?:unlogged\s+)?table/i.test(content)) return [];
+		const findings = [];
+		CREATE_PUBLIC_TABLE_PATTERN.lastIndex = 0;
+		for (let match = CREATE_PUBLIC_TABLE_PATTERN.exec(content); match !== null; match = CREATE_PUBLIC_TABLE_PATTERN.exec(content)) {
+			const tableName = match[1];
+			if (tableName === void 0) continue;
+			if (enableRlsForTablePattern(tableName).test(content.slice(match.index))) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message: "Supabase migration creates a public table but never enables Row Level Security, leaving every row exposed to the anon key.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/svg-filter-clickjacking-risk.ts
 const svgFilterClickjackingRisk = defineRule({
 	id: "svg-filter-clickjacking-risk",
@@ -35856,6 +37266,47 @@ const tenantStaticProxyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/unsafe-json-in-html.ts
+const SINK_JSON_STRINGIFY_PATTERNS = [/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:[\s\S]{0,300}?\bJSON\.stringify\s*\(/gi, /<script\b[^>]*>(?:(?!<\/script>)[\s\S]){0,300}?\bJSON\.stringify\s*\(/gi];
+const RETURN_ESCAPE_PATTERN = /^[\s)]*\.replace\s*\([^)]*(?:\\u003[cC]|&lt;|<)/;
+const ESCAPE_WRAPPER_PATTERN = /(?:\b(?:escapeHtml|escapeJSON|escapeJson|htmlEscape|jsesc)|(?<![.\w])(?:serialize|serializeJavascript|devalue|uneval|superjson))\s*\(\s*$/i;
+const JSON_STRINGIFY_TOKEN_PATTERN = /\bJSON\.stringify\s*\($/i;
+const RETURN_LOOKAHEAD_CHARS = 160;
+const unsafeJsonInHtml = defineRule({
+	id: "unsafe-json-in-html",
+	title: "Unescaped JSON in HTML or script sink",
+	severity: "warn",
+	recommendation: "JSON.stringify does not HTML-escape, so a `<\/script>` (or `<`) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape `<`, `>`, and `&`, or pass data via a JSON `<script type=\"application/json\">` read with JSON.parse.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!content.includes("JSON.stringify")) return [];
+		const findings = [];
+		const seenIndices = /* @__PURE__ */ new Set();
+		for (const pattern of SINK_JSON_STRINGIFY_PATTERNS) {
+			pattern.lastIndex = 0;
+			for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+				const beforeStringify = match[0].replace(JSON_STRINGIFY_TOKEN_PATTERN, "");
+				if (ESCAPE_WRAPPER_PATTERN.test(beforeStringify)) continue;
+				const closeParenIndex = findMatchingBracket(content, match.index + match[0].length - 1);
+				if (closeParenIndex >= 0) {
+					const afterReturn = content.slice(closeParenIndex + 1, closeParenIndex + 1 + RETURN_LOOKAHEAD_CHARS);
+					if (RETURN_ESCAPE_PATTERN.test(afterReturn)) continue;
+				}
+				if (seenIndices.has(match.index)) continue;
+				seenIndices.add(match.index);
+				const location = getLocationAtIndex(content, match.index);
+				findings.push({
+					message: "JSON.stringify is embedded in HTML/script markup without HTML-escaping; data containing `<\/script>` or `<` breaks out and becomes XSS.",
+					line: location.line,
+					column: location.column
+				});
+			}
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/untrusted-redirect-following.ts
 const OUTBOUND_FETCH_CALL_PATTERN = /(?:(?<![.\w$])fetch|\baxios\.\s*(?:get|post|put|delete|head)|\bgot|\bgot\.\s*(?:get|post))\s*\(\s*([^,)]+)/;
 const CALLER_STYLE_URL_NAME_PATTERN = /\b(?:url|targetUrl|callbackUrl|redirectUrl|webhookUrl|companyUrl|websiteUrl|domainUrl|imageUrl|fetchUrl|next|return_to|returnTo|destination|location)\b/i;
@@ -36003,7 +37454,7 @@ const voidDomElementsNoChildren = defineRule({
 //#region src/plugin/rules/security-scan/webhook-signature-risk.ts
 const WEBHOOK_HANDLER_PATTERN = /(?:^|\/)[^/]*webhook[^/]*\/|(?:^|\/)[^/]*webhook[^/]*\.[cm]?[jt]s$|\bwebhook\b/i;
 const WEBHOOK_ENTRYPOINT_PATTERN = /\b(?:export\s+(?:async\s+)?function\s+POST|export\s+const\s+(?:POST|handler|webhook)|webhookHandler|webhookRoute)\b/i;
-const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = /verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/i;
+const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = new RegExp(`${/verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/.source}|${/\b[A-Za-z]{0,40}(?:verif|valid|check|assert|authenticat|compare|guard)[A-Za-z]{0,40}(?:secret|signature|hmac|webhook|digest)[A-Za-z]{0,40}\s*\(/.source}`, "i");
 const OUTBOUND_WEBHOOK_URL_MENTION_PATTERN = /webhook[\s_-]?ur[il]\w*/gi;
 const OUTBOUND_WEBHOOK_CONFIG_PATTERN = /process\.env\.\w*WEBHOOK_URL|\b(?:send|post|dispatch|publish|notify)\w*Webhook/;
 const REQUEST_READ_PATTERN = /\b(?:req|request)\b/;
@@ -36663,6 +38114,17 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/auth-token-in-web-storage",
+		id: "auth-token-in-web-storage",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...authTokenInWebStorage,
+			framework: "global",
+			category: "Security"
+		}
+	},
 	{
 		key: "react-doctor/autocomplete-valid",
 		id: "autocomplete-valid",
@@ -36879,6 +38341,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noVagueButtonLabel.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/dialog-has-accessible-name",
+		id: "dialog-has-accessible-name",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...dialogHasAccessibleName,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...dialogHasAccessibleName.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/display-name",
 		id: "display-name",
@@ -37164,6 +38638,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...insecureCryptoRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/insecure-session-cookie",
+		id: "insecure-session-cookie",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...insecureSessionCookie,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...insecureSessionCookie.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/interactive-supports-focus",
 		id: "interactive-supports-focus",
@@ -37606,6 +39092,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...jsxPropsNoSpreading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/jwt-insecure-verification",
+		id: "jwt-insecure-verification",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...jwtInsecureVerification,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...jwtInsecureVerification.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/key-lifecycle-risk",
 		id: "key-lifecycle-risk",
@@ -37979,6 +39477,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noAdjustStateOnPropChange.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-arbitrary-px-font-size",
+		id: "no-arbitrary-px-font-size",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noArbitraryPxFontSize,
+			framework: "global",
+			category: "Accessibility"
+		}
+	},
 	{
 		key: "react-doctor/no-aria-hidden-on-focusable",
 		id: "no-aria-hidden-on-focusable",
@@ -38014,6 +39523,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noArrayIndexKey.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-async-effect-callback",
+		id: "no-async-effect-callback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noAsyncEffectCallback,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noAsyncEffectCallback.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-autofocus",
 		id: "no-autofocus",
@@ -38026,6 +39547,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noAutofocus.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-autoplay-without-muted",
+		id: "no-autoplay-without-muted",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noAutoplayWithoutMuted,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...noAutoplayWithoutMuted.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-barrel-import",
 		id: "no-barrel-import",
@@ -38037,6 +39570,18 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/no-call-component-as-function",
+		id: "no-call-component-as-function",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCallComponentAsFunction,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCallComponentAsFunction.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-cascading-set-state",
 		id: "no-cascading-set-state",
@@ -38097,6 +39642,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noCreateContextInRender.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-create-ref-in-function-component",
+		id: "no-create-ref-in-function-component",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCreateRefInFunctionComponent,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCreateRefInFunctionComponent.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-create-store-in-render",
 		id: "no-create-store-in-render",
@@ -38155,6 +39712,17 @@ const reactDoctorRules = [
 			category: "Maintainability"
 		}
 	},
+	{
+		key: "react-doctor/no-deprecated-tailwind-class",
+		id: "no-deprecated-tailwind-class",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noDeprecatedTailwindClass,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
 	{
 		key: "react-doctor/no-derived-state",
 		id: "no-derived-state",
@@ -38274,6 +39842,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noDocumentStartViewTransition.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-document-write",
+		id: "no-document-write",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noDocumentWrite,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-dynamic-import-path",
 		id: "no-dynamic-import-path",
@@ -38415,6 +39994,17 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/no-full-viewport-width",
+		id: "no-full-viewport-width",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noFullViewportWidth,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
 	{
 		key: "react-doctor/no-generic-handler-names",
 		id: "no-generic-handler-names",
@@ -38471,6 +40061,18 @@ const reactDoctorRules = [
 			category: "Accessibility"
 		}
 	},
+	{
+		key: "react-doctor/no-img-lazy-with-high-fetchpriority",
+		id: "no-img-lazy-with-high-fetchpriority",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noImgLazyWithHighFetchpriority,
+			framework: "global",
+			category: "Performance",
+			requires: [...new Set(["react", ...noImgLazyWithHighFetchpriority.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-initialize-state",
 		id: "no-initialize-state",
@@ -38541,6 +40143,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noIsMounted.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-json-parse-stringify-clone",
+		id: "no-json-parse-stringify-clone",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noJsonParseStringifyClone,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-jsx-element-type",
 		id: "no-jsx-element-type",
@@ -38631,6 +40244,17 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/no-low-contrast-inline-style",
+		id: "no-low-contrast-inline-style",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noLowContrastInlineStyle,
+			framework: "global",
+			category: "Accessibility"
+		}
+	},
 	{
 		key: "react-doctor/no-many-boolean-props",
 		id: "no-many-boolean-props",
@@ -38908,6 +40532,17 @@ const reactDoctorRules = [
 			category: "Maintainability"
 		}
 	},
+	{
+		key: "react-doctor/no-redundant-display-class",
+		id: "no-redundant-display-class",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noRedundantDisplayClass,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
 	{
 		key: "react-doctor/no-redundant-roles",
 		id: "no-redundant-roles",
@@ -39060,6 +40695,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStaticElementInteractions.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-string-false-on-boolean-attribute",
+		id: "no-string-false-on-boolean-attribute",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noStringFalseOnBooleanAttribute,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noStringFalseOnBooleanAttribute.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-string-refs",
 		id: "no-string-refs",
@@ -39072,6 +40719,51 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStringRefs.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-svg-currentcolor-with-fill-class",
+		id: "no-svg-currentcolor-with-fill-class",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noSvgCurrentcolorWithFillClass,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
+	{
+		key: "react-doctor/no-sync-xhr",
+		id: "no-sync-xhr",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noSyncXhr,
+			framework: "global",
+			category: "Performance"
+		}
+	},
+	{
+		key: "react-doctor/no-tailwind-layout-transition",
+		id: "no-tailwind-layout-transition",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noTailwindLayoutTransition,
+			framework: "global",
+			category: "Performance"
+		}
+	},
+	{
+		key: "react-doctor/no-target-blank-without-rel",
+		id: "no-target-blank-without-rel",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noTargetBlankWithoutRel,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...noTargetBlankWithoutRel.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-this-in-sfc",
 		id: "no-this-in-sfc",
@@ -39141,6 +40833,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noUnescapedEntities.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-uninformative-aria-label",
+		id: "no-uninformative-aria-label",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noUninformativeAriaLabel,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...noUninformativeAriaLabel.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-unknown-property",
 		id: "no-unknown-property",
@@ -39350,6 +41054,17 @@ const reactDoctorRules = [
 			category: "Bugs"
 		}
 	},
+	{
+		key: "react-doctor/prefer-dvh-over-vh",
+		id: "prefer-dvh-over-vh",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...preferDvhOverVh,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
 	{
 		key: "react-doctor/prefer-dynamic-import",
 		id: "prefer-dynamic-import",
@@ -39454,6 +41169,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...preferTagOverRole.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/prefer-truncate-shorthand",
+		id: "prefer-truncate-shorthand",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...preferTruncateShorthand,
+			framework: "global",
+			category: "Maintainability"
+		}
+	},
 	{
 		key: "react-doctor/prefer-use-effect-event",
 		id: "prefer-use-effect-event",
@@ -39756,6 +41482,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...repositorySecretFile.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/request-body-mass-assignment",
+		id: "request-body-mass-assignment",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...requestBodyMassAssignment,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...requestBodyMassAssignment.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/require-render-return",
 		id: "require-render-return",
@@ -40344,6 +42082,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...scope.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/secret-in-fallback",
+		id: "secret-in-fallback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...secretInFallback,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...secretInFallback.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/self-closing-comp",
 		id: "self-closing-comp",
@@ -40500,6 +42250,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...supabaseRlsPolicyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/supabase-table-missing-rls",
+		id: "supabase-table-missing-rls",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseTableMissingRls,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseTableMissingRls.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/svg-filter-clickjacking-risk",
 		id: "svg-filter-clickjacking-risk",
@@ -40690,6 +42452,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...tenantStaticProxyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/unsafe-json-in-html",
+		id: "unsafe-json-in-html",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...unsafeJsonInHtml,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...unsafeJsonInHtml.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/untrusted-redirect-following",
 		id: "untrusted-redirect-following",