oxlint-plugin-react-doctor 0.5.5 → 0.5.6-dev.0a7edbd

package/dist/index.js

@@ -323,9 +323,18 @@ const BROWSER_ARTIFACT_PATH_PATTERNS = [
 const AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN = /\b(?:exec|execSync|spawn|child_process|eval|new Function|vm\.run|readFile|writeFile|fs\.read|fs\.write|fetch|axios|http\.request|sandbox|runCode|executeCode)\b/;
 //#endregion
 //#region src/plugin/rules/security-scan/utils/is-browser-artifact-path.ts
-const isServerOnlyBuildArtifactPath = (relativePath) => /(?:^|\/)(?:\.next\/server|\.output\/server)\//.test(relativePath);
+const SERVER_BUILD_ROOT_SEGMENTS = new Set([".next", ".output"]);
+const isNonShippedBuildArtifactPath = (relativePath) => {
+	const segments = relativePath.split("/");
+	for (let index = 0; index < segments.length; index += 1) {
+		if (!SERVER_BUILD_ROOT_SEGMENTS.has(segments[index])) continue;
+		if (segments[index] === ".next" && segments[index + 1] === "dev") return true;
+		if (segments[index + 1] === "server" && index + 2 < segments.length) return true;
+	}
+	return false;
+};
 const isBrowserArtifactPath = (relativePath, isGeneratedBundle) => {
-	if (isServerOnlyBuildArtifactPath(relativePath)) return false;
+	if (isNonShippedBuildArtifactPath(relativePath)) return false;
 	if (isGeneratedBundle) return true;
 	if (relativePath.endsWith(".map")) return true;
 	return BROWSER_ARTIFACT_PATH_PATTERNS.some((pattern) => pattern.test(relativePath));
@@ -1108,6 +1117,11 @@ const getImportedNameFromModule = (contextNode, localIdentifierName, moduleSourc
 	if (info.source !== moduleSource) return null;
 	return info.imported;
 };
+const getImportSourceForName = (contextNode, localIdentifierName) => {
+	const lookup = getImportLookup(contextNode);
+	if (!lookup) return null;
+	return lookup.get(localIdentifierName)?.source ?? null;
+};
 //#endregion
 //#region src/plugin/utils/find-variable-initializer.ts
 const FUNCTION_LIKE_TYPES$1 = new Set([
@@ -1847,7 +1861,7 @@ const anchorAmbiguousText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/anchor-has-content.ts
-const MESSAGE$51 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$57 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
 const anchorHasContent = defineRule({
 	id: "anchor-has-content",
 	title: "Anchor has no content",
@@ -1863,7 +1877,7 @@ const anchorHasContent = defineRule({
 		for (const attribute of ["title", "aria-label"]) if (hasJsxPropIgnoreCase(opening.attributes, attribute)) return;
 		context.report({
 			node: opening.name,
-			message: MESSAGE$51
+			message: MESSAGE$57
 		});
 	} })
 });
@@ -2257,7 +2271,7 @@ const parseJsxValue = (value) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/aria-activedescendant-has-tabindex.ts
-const MESSAGE$50 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
+const MESSAGE$56 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
 const ariaActivedescendantHasTabindex = defineRule({
 	id: "aria-activedescendant-has-tabindex",
 	title: "aria-activedescendant missing tabindex",
@@ -2275,14 +2289,14 @@ const ariaActivedescendantHasTabindex = defineRule({
 			if (tabIndexValue === null || tabIndexValue >= -1) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$50
+				message: MESSAGE$56
 			});
 			return;
 		}
 		if (isInteractiveElement(tag, node)) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$50
+			message: MESSAGE$56
 		});
 	} })
 });
@@ -3090,6 +3104,76 @@ const AUTH_FUNCTION_NAMES = new Set([
 	"getAuth",
 	"validateSession"
 ]);
+const AUTH_STRONG_TOKEN_PATTERN = /^auth(?:n|z|ed|enticate[ds]?|enticating|entication|orize[ds]?|orizing|orization|orizer)?$/;
+const AUTH_STANDALONE_NOUN_TOKENS = new Set([
+	"signedin",
+	"loggedin",
+	"signin"
+]);
+const AUTH_ASSERTIVE_VERB_TOKENS = new Set([
+	"require",
+	"ensure",
+	"assert",
+	"verify",
+	"validate",
+	"check",
+	"protect",
+	"enforce",
+	"guard",
+	"gate",
+	"restrict",
+	"is",
+	"has",
+	"can",
+	"must"
+]);
+const AUTH_GETTER_VERB_TOKENS = new Set([
+	"get",
+	"fetch",
+	"load",
+	"read",
+	"resolve",
+	"retrieve",
+	"use"
+]);
+const AUTH_QUALIFIER_TOKENS = new Set([
+	"current",
+	"my",
+	"own"
+]);
+const AUTH_STRONG_NOUN_TOKENS = new Set([
+	"session",
+	"sessions",
+	"login",
+	"admin",
+	"admins",
+	"superadmin",
+	"superuser",
+	"role",
+	"roles",
+	"permission",
+	"permissions",
+	"jwt",
+	"identity",
+	"principal",
+	"credential",
+	"credentials"
+]);
+const AUTH_WEAK_NOUN_TOKENS = new Set([
+	"user",
+	"users",
+	"account",
+	"accounts",
+	"token",
+	"tokens",
+	"access",
+	"me",
+	"viewer",
+	"caller",
+	"subject",
+	"scope",
+	"scopes"
+]);
 const GENERIC_AUTH_METHOD_NAMES = new Set(["getUser"]);
 const AUTH_OBJECT_PATTERN = /(?:^|[._])(?:auth|authn|authz|clerk|session|jwt|firebase|supabase|nextauth|kinde|workos|stytch|descope|cognito|propelauth|lucia)/i;
 const SECRET_PATTERNS = [
@@ -4187,6 +4271,58 @@ const asyncParallel = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security/auth-token-in-web-storage.ts
+const MESSAGE$55 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
+const STORAGE_NAMES = new Set(["localStorage", "sessionStorage"]);
+const STORAGE_GLOBALS = new Set([
+	"window",
+	"globalThis",
+	"self"
+]);
+const SENSITIVE_KEY_PATTERN = /token|jwt|secret|password|passwd|credential|api[-_]?key|bearer|private[-_]?key/i;
+const isWebStorageObject = (node) => {
+	if (isNodeOfType(node, "Identifier")) return STORAGE_NAMES.has(node.name);
+	if (isNodeOfType(node, "MemberExpression") && !node.computed && isNodeOfType(node.object, "Identifier") && STORAGE_GLOBALS.has(node.object.name) && isNodeOfType(node.property, "Identifier")) return STORAGE_NAMES.has(node.property.name);
+	return false;
+};
+const staticMemberName = (member) => {
+	if (!member.computed && isNodeOfType(member.property, "Identifier")) return member.property.name;
+	if (member.computed && isNodeOfType(member.property, "Literal") && typeof member.property.value === "string") return member.property.value;
+	return null;
+};
+const authTokenInWebStorage = defineRule({
+	id: "auth-token-in-web-storage",
+	title: "Auth token in web storage",
+	severity: "warn",
+	recommendation: "Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in `localStorage`/`sessionStorage`; they're readable by any XSS. Use an `HttpOnly` cookie set by the server.",
+	create: (context) => ({
+		CallExpression(node) {
+			const callee = node.callee;
+			if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+			if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "setItem") return;
+			if (!isWebStorageObject(callee.object)) return;
+			const keyArgument = node.arguments?.[0];
+			if (!keyArgument || !isNodeOfType(keyArgument, "Literal") || typeof keyArgument.value !== "string") return;
+			if (!SENSITIVE_KEY_PATTERN.test(keyArgument.value)) return;
+			context.report({
+				node,
+				message: MESSAGE$55
+			});
+		},
+		AssignmentExpression(node) {
+			const target = node.left;
+			if (!isNodeOfType(target, "MemberExpression")) return;
+			if (!isWebStorageObject(target.object)) return;
+			const propertyName = staticMemberName(target);
+			if (!propertyName || !SENSITIVE_KEY_PATTERN.test(propertyName)) return;
+			context.report({
+				node: target,
+				message: MESSAGE$55
+			});
+		}
+	})
+});
+//#endregion
 //#region src/plugin/rules/a11y/autocomplete-valid.ts
 const buildMessage$25 = (value) => `Users who rely on autofill can't fill this field because \`${value}\` isn't a known token, so use a valid \`autoComplete\` token.`;
 const AUTOFILL_TOKENS = new Set([
@@ -4558,7 +4694,7 @@ const isPureEventBlockerHandler = (attribute) => {
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
 const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
-const MESSAGE$49 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
+const MESSAGE$54 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
 	"onKeyDown",
@@ -4590,7 +4726,7 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$49
+				message: MESSAGE$54
 			});
 		} };
 	}
@@ -4705,7 +4841,7 @@ const isReactComponentName = (name) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/control-has-associated-label.ts
-const MESSAGE$48 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$53 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_IGNORE_ELEMENTS = ["link", "canvas"];
 const DEFAULT_LABELLING_PROPS = [
 	"alt",
@@ -4866,7 +5002,7 @@ const controlHasAssociatedLabel = defineRule({
 			for (const child of node.children) if (checkChildForLabel(child, 1, checkContext)) return;
 			context.report({
 				node: opening,
-				message: MESSAGE$48
+				message: MESSAGE$53
 			});
 		} };
 	}
@@ -5292,6 +5428,38 @@ const noVagueButtonLabel = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/utils/has-jsx-spread-attribute.ts
+const hasJsxSpreadAttribute$1 = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
+//#endregion
+//#region src/plugin/rules/a11y/dialog-has-accessible-name.ts
+const MESSAGE$52 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
+const DIALOG_ROLES = new Set(["dialog", "alertdialog"]);
+const NAME_PROVIDING_ATTRIBUTES = [
+	"aria-label",
+	"aria-labelledby",
+	"title"
+];
+const dialogHasAccessibleName = defineRule({
+	id: "dialog-has-accessible-name",
+	title: "Dialog without accessible name",
+	severity: "warn",
+	recommendation: "Give every `<dialog>` / `role=\"dialog\"` an accessible name with `aria-label` or `aria-labelledby` (referencing the dialog's title element).",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		if (tagName[0] !== tagName[0]?.toLowerCase()) return;
+		const roleAttribute = hasJsxPropIgnoreCase(node.attributes, "role");
+		const roleValue = roleAttribute ? getJsxPropStringValue(roleAttribute) : null;
+		if (!(tagName === "dialog" || roleValue !== null && DIALOG_ROLES.has(roleValue))) return;
+		if (hasJsxSpreadAttribute$1(node.attributes)) return;
+		if (NAME_PROVIDING_ATTRIBUTES.some((attribute) => hasJsxPropIgnoreCase(node.attributes, attribute))) return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$52
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/utils/is-es5-component.ts
 const PRAGMA$2 = "React";
 const CREATE_CLASS = "createReactClass";
@@ -5326,7 +5494,7 @@ const isEs6Component = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/display-name.ts
-const MESSAGE$47 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
+const MESSAGE$51 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
 const DEFAULT_ADDITIONAL_HOCS = [
 	"observer",
 	"lazy",
@@ -5529,7 +5697,7 @@ const displayName = defineRule({
 		const reportAt = (node) => {
 			context.report({
 				node,
-				message: MESSAGE$47
+				message: MESSAGE$51
 			});
 		};
 		return {
@@ -7677,7 +7845,7 @@ const forbidElements = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/forward-ref-uses-ref.ts
-const MESSAGE$46 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
+const MESSAGE$50 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
 const forwardRefUsesRef = defineRule({
 	id: "forward-ref-uses-ref",
 	title: "forwardRef without ref parameter",
@@ -7697,7 +7865,7 @@ const forwardRefUsesRef = defineRule({
 		if (isNodeOfType(onlyParam, "RestElement")) return;
 		context.report({
 			node: inner,
-			message: MESSAGE$46
+			message: MESSAGE$50
 		});
 	} })
 });
@@ -7734,7 +7902,7 @@ const gitProviderUrlInjectionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
-const MESSAGE$45 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$49 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
 	"h1",
 	"h2",
@@ -7767,7 +7935,7 @@ const headingHasContent = defineRule({
 			if (isHiddenFromScreenReader(node, context.settings)) return;
 			context.report({
 				node,
-				message: MESSAGE$45
+				message: MESSAGE$49
 			});
 		} };
 	}
@@ -7905,7 +8073,7 @@ const hooksNoNanInDeps = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/html-has-lang.ts
-const MESSAGE$44 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
+const MESSAGE$48 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
 const resolveSettings$38 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { htmlTags: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.htmlHasLang ?? {} : {}).htmlTags ?? ["html"] };
@@ -7953,7 +8121,7 @@ const htmlHasLang = defineRule({
 			if (!lang) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$44
+					message: MESSAGE$48
 				});
 				return;
 			}
@@ -7961,13 +8129,13 @@ const htmlHasLang = defineRule({
 			if (verdict === "missing" || verdict === "empty") {
 				context.report({
 					node: lang,
-					message: MESSAGE$44
+					message: MESSAGE$48
 				});
 				return;
 			}
 			if (hasSpread && !lang) context.report({
 				node: node.name,
-				message: MESSAGE$44
+				message: MESSAGE$48
 			});
 		} };
 	}
@@ -8181,7 +8349,7 @@ const htmlNoNestedInteractive = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/iframe-has-title.ts
-const MESSAGE$43 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
+const MESSAGE$47 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
 const evaluateTitleValue = (value) => {
 	if (!value) return "missing";
 	if (isNodeOfType(value, "Literal")) {
@@ -8221,14 +8389,14 @@ const iframeHasTitle = defineRule({
 		if (!titleAttr) {
 			if (hasSpread || tag === "iframe") context.report({
 				node: node.name,
-				message: MESSAGE$43
+				message: MESSAGE$47
 			});
 			return;
 		}
 		const verdict = evaluateTitleValue(titleAttr.value);
 		if (verdict === "missing" || verdict === "empty") context.report({
 			node: titleAttr,
-			message: MESSAGE$43
+			message: MESSAGE$47
 		});
 	} })
 });
@@ -8332,7 +8500,7 @@ const iframeMissingSandbox = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/img-redundant-alt.ts
-const MESSAGE$42 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
+const MESSAGE$46 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
 const DEFAULT_COMPONENTS = ["img"];
 const DEFAULT_REDUNDANT_WORDS = [
 	"image",
@@ -8397,7 +8565,7 @@ const imgRedundantAlt = defineRule({
 			if (!altAttribute) return;
 			if (altValueRedundant(altAttribute, settings.words)) context.report({
 				node: altAttribute,
-				message: MESSAGE$42
+				message: MESSAGE$46
 			});
 		} };
 	}
@@ -8495,6 +8663,136 @@ const insecureCryptoRisk = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/find-matching-bracket.ts
+const findMatchingBracket = (content, openIndex) => {
+	const open = content[openIndex];
+	const close = open === "(" ? ")" : open === "{" ? "}" : open === "[" ? "]" : "";
+	if (close === "") return -1;
+	let depth = 0;
+	let stringDelimiter = null;
+	for (let index = openIndex; index < content.length; index += 1) {
+		const character = content[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === open) depth += 1;
+		else if (character === close) {
+			depth -= 1;
+			if (depth === 0) return index;
+		}
+	}
+	return -1;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/insecure-session-cookie.ts
+const AUTH_COOKIE_NAME_TOKEN = `(?<![A-Za-z0-9])(?:session|sess|sid|connect\\.sid|auth|jwt|access[_-]?token|refresh[_-]?token|id[_-]?token)(?![A-Za-z0-9])`;
+const AUTH_COOKIE_NAME_LITERAL = `[\`"'][^\`"']*?${AUTH_COOKIE_NAME_TOKEN}[^\`"']*[\`"']`;
+const AUTH_COOKIE_SET_CALL_PATTERN = new RegExp(`(?:\\.cookies\\.set|cookies\\(\\s*\\)\\.set|\\.cookie)\\s*\\(\\s*${AUTH_COOKIE_NAME_LITERAL}`, "gi");
+const HTTP_ONLY_DISABLED_PATTERN = /httpOnly\s*:\s*false\b/i;
+const STRING_LITERAL_PATTERN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g;
+const blankStringContents = (text) => {
+	const characters = text.split("");
+	let index = 0;
+	let stringDelimiter = null;
+	while (index < text.length) {
+		const character = text[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") {
+				index += 2;
+				continue;
+			}
+			if (character === stringDelimiter) stringDelimiter = null;
+			else if (character !== "\n") characters[index] = " ";
+			index += 1;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		index += 1;
+	}
+	return characters.join("");
+};
+const COOKIE_CONFIG_OPENER_PATTERN = /cookie\s*:\s*\{/gi;
+const CLIENT_AUTH_COOKIE_WRITE_PATTERN = new RegExp(`document\\.cookie\\s*=\\s*[\`"'][^\`"'=;]*?${AUTH_COOKIE_NAME_TOKEN}[^\`"'=;]*=`, "gi");
+const countTopLevelArguments = (argumentsSource) => {
+	if (argumentsSource.trim().length === 0) return 0;
+	let depth = 0;
+	let stringDelimiter = null;
+	let count = 1;
+	for (let index = 0; index < argumentsSource.length; index += 1) {
+		const character = argumentsSource[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === "(" || character === "[" || character === "{") depth += 1;
+		else if (character === ")" || character === "]" || character === "}") depth -= 1;
+		else if (character === "," && depth === 0) count += 1;
+	}
+	return count;
+};
+const addMatchFindings = (content, pattern, message, isInsecure, findings) => {
+	pattern.lastIndex = 0;
+	for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+		if (!isInsecure(match.index, match[0])) continue;
+		const location = getLocationAtIndex(content, match.index);
+		findings.push({
+			message,
+			line: location.line,
+			column: location.column
+		});
+	}
+};
+const insecureSessionCookie = defineRule({
+	id: "insecure-session-cookie",
+	title: "Auth cookie missing HttpOnly protection",
+	severity: "warn",
+	recommendation: "Set auth/session cookies server-side with `httpOnly: true`, `secure: true`, and `sameSite`. Cookies set via `document.cookie` or with `httpOnly: false` are readable by any XSS payload and can be stolen.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/cookie/i.test(content)) return [];
+		const findings = [];
+		const message = "An auth/session cookie is exposed to JavaScript (set via document.cookie, with httpOnly: false, or without cookie options), letting an XSS payload steal it.";
+		AUTH_COOKIE_SET_CALL_PATTERN.lastIndex = 0;
+		for (let match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content); match !== null; match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content)) {
+			const openParenIndex = match.index + match[0].lastIndexOf("(");
+			const closeParenIndex = findMatchingBracket(content, openParenIndex);
+			if (closeParenIndex < 0) continue;
+			const argumentsSource = content.slice(openParenIndex + 1, closeParenIndex);
+			const hasNoOptions = countTopLevelArguments(argumentsSource) < 3;
+			const argumentsWithoutStrings = argumentsSource.replace(STRING_LITERAL_PATTERN, "");
+			if (!hasNoOptions && !HTTP_ONLY_DISABLED_PATTERN.test(argumentsWithoutStrings)) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		const blankedContent = blankStringContents(content);
+		COOKIE_CONFIG_OPENER_PATTERN.lastIndex = 0;
+		for (let match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent); match !== null; match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent)) {
+			const braceIndex = match.index + match[0].length - 1;
+			const closeBraceIndex = findMatchingBracket(blankedContent, braceIndex);
+			const block = closeBraceIndex >= 0 ? blankedContent.slice(braceIndex, closeBraceIndex) : blankedContent.slice(braceIndex, braceIndex + 400);
+			if (!HTTP_ONLY_DISABLED_PATTERN.test(block)) continue;
+			const location = getLocationAtIndex(blankedContent, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		addMatchFindings(content, CLIENT_AUTH_COOKIE_WRITE_PATTERN, message, () => true, findings);
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/constants/event-handlers.ts
 const MOUSE_EVENT_HANDLERS = [
 	"onClick",
@@ -10624,7 +10922,7 @@ const jsxMaxDepth = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-comment-textnodes.ts
-const MESSAGE$41 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
+const MESSAGE$45 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
 const LITERAL_TEXT_TAGS = new Set([
 	"code",
 	"pre",
@@ -10660,7 +10958,7 @@ const jsxNoCommentTextnodes = defineRule({
 		if (isInsideLiteralTextTag(node)) return;
 		context.report({
 			node,
-			message: MESSAGE$41
+			message: MESSAGE$45
 		});
 	} })
 });
@@ -10691,7 +10989,7 @@ const isInsideFunctionScope = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-constructed-context-values.ts
-const MESSAGE$40 = "Every reader of this context redraws on each render because you build its `value` inline.";
+const MESSAGE$44 = "Every reader of this context redraws on each render because you build its `value` inline.";
 const CONTEXT_MODULES$1 = [
 	"react",
 	"use-context-selector",
@@ -10789,7 +11087,7 @@ const jsxNoConstructedContextValues = defineRule({
 					if (!isConstructedValue(innerExpression)) continue;
 					context.report({
 						node: attribute,
-						message: MESSAGE$40
+						message: MESSAGE$44
 					});
 				}
 			}
@@ -10875,7 +11173,7 @@ const isJsxAttributeOnIntrinsicHtmlElement = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts
-const MESSAGE$39 = "This child redraws every render because the prop gets brand new JSX each time.";
+const MESSAGE$43 = "This child redraws every render because the prop gets brand new JSX each time.";
 const KNOWN_SLOT_PROP_NAMES = new Set([
 	"icon",
 	"Icon",
@@ -11144,7 +11442,7 @@ const jsxNoJsxAsProp = defineRule({
 				if (!isJsxProducingExpression(expressionNode) && !followsRenderLocalJsxBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$39
+					message: MESSAGE$43
 				});
 			}
 		};
@@ -11432,7 +11730,7 @@ const DATA_ARRAY_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts
-const MESSAGE$38 = "This child redraws every render because the prop gets a brand new array each time.";
+const MESSAGE$42 = "This child redraws every render because the prop gets a brand new array each time.";
 const isDataArrayPropName = (propName) => {
 	if (DATA_ARRAY_PROP_NAMES.has(propName)) return true;
 	for (const suffix of DATA_ARRAY_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -11516,7 +11814,7 @@ const jsxNoNewArrayAsProp = defineRule({
 				if (!isArrayProducingExpression(expressionNode) && !followsRenderLocalArrayBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$38
+					message: MESSAGE$42
 				});
 			}
 		};
@@ -11774,7 +12072,7 @@ const SAFE_RECEIVER_NAMES = new Set([
 ]);
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts
-const MESSAGE$37 = "This child redraws every render because the prop gets a brand new function each time.";
+const MESSAGE$41 = "This child redraws every render because the prop gets a brand new function each time.";
 const isAccessorPredicateName = (propName) => {
 	for (const prefix of ACCESSOR_PREDICATE_PREFIXES) {
 		if (propName.length <= prefix.length) continue;
@@ -11980,7 +12278,7 @@ const jsxNoNewFunctionAsProp = defineRule({
 				if (!isFunctionProducingExpression(expressionNode) && !followsRenderLocalFunctionBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$37
+					message: MESSAGE$41
 				});
 			}
 		};
@@ -12200,7 +12498,7 @@ const CONFIG_OBJECT_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts
-const MESSAGE$36 = "This child redraws every render because the prop gets a brand new object each time.";
+const MESSAGE$40 = "This child redraws every render because the prop gets a brand new object each time.";
 const isConfigObjectPropName = (propName) => {
 	if (CONFIG_OBJECT_PROP_NAMES.has(propName)) return true;
 	for (const suffix of CONFIG_OBJECT_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -12288,7 +12586,7 @@ const jsxNoNewObjectAsProp = defineRule({
 				if (!isObjectProducingExpression(expressionNode) && !followsRenderLocalObjectBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$36
+					message: MESSAGE$40
 				});
 			}
 		};
@@ -12296,7 +12594,7 @@ const jsxNoNewObjectAsProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-script-url.ts
-const MESSAGE$35 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
+const MESSAGE$39 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
 const JAVASCRIPT_URL_PATTERN = /j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;
 const resolveSettings$28 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
@@ -12337,7 +12635,7 @@ const jsxNoScriptUrl = defineRule({
 				if (!value || !isNodeOfType(value, "Literal") || typeof value.value !== "string") continue;
 				if (JAVASCRIPT_URL_PATTERN.test(value.value)) context.report({
 					node: attribute,
-					message: MESSAGE$35
+					message: MESSAGE$39
 				});
 			}
 		} };
@@ -12652,7 +12950,7 @@ const jsxPropsNoSpreadMulti = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-props-no-spreading.ts
-const MESSAGE$34 = "You can't tell what props reach this element when you spread them.";
+const MESSAGE$38 = "You can't tell what props reach this element when you spread them.";
 const resolveSettings$25 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.jsxPropsNoSpreading ?? {} : {};
@@ -12693,18 +12991,77 @@ const jsxPropsNoSpreading = defineRule({
 				}
 				context.report({
 					node: attribute,
-					message: MESSAGE$34
+					message: MESSAGE$38
 				});
 			}
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/jwt-insecure-verification.ts
+const NONE_ALGORITHM_PATTERN = /\b(?:alg|algorithms?)\s*:\s*\[?\s*["'`]none["'`]/gi;
+const isIndexInsideStringLiteral = (content, index) => {
+	let stringDelimiter = null;
+	const templateExpressionDepths = [];
+	for (let cursor = 0; cursor < index; cursor += 1) {
+		const character = content[cursor];
+		if (stringDelimiter === "`") {
+			if (character === "\\") cursor += 1;
+			else if (character === "`") stringDelimiter = null;
+			else if (character === "$" && content[cursor + 1] === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				cursor += 1;
+			}
+			continue;
+		}
+		if (stringDelimiter !== null) {
+			if (character === "\\") cursor += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (templateExpressionDepths.length > 0) {
+			const top = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[top] += 1;
+			else if (character === "}") if (templateExpressionDepths[top] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+			} else templateExpressionDepths[top] -= 1;
+		}
+	}
+	return stringDelimiter !== null;
+};
+const jwtInsecureVerification = defineRule({
+	id: "jwt-insecure-verification",
+	title: "JWT verified with the 'none' algorithm",
+	severity: "error",
+	recommendation: "Never accept the `none` algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (`jwt.verify(token, key, { algorithms: ['RS256'] })`).",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/\bjwt\b|jsonwebtoken|\bjose\b/i.test(content)) return [];
+		const findings = [];
+		NONE_ALGORITHM_PATTERN.lastIndex = 0;
+		for (let noneMatch = NONE_ALGORITHM_PATTERN.exec(content); noneMatch !== null; noneMatch = NONE_ALGORITHM_PATTERN.exec(content)) {
+			if (isIndexInsideStringLiteral(content, noneMatch.index)) continue;
+			const location = getLocationAtIndex(content, noneMatch.index);
+			findings.push({
+				message: "JWT is configured with the 'none' algorithm, which disables signature verification, so any forged token is accepted.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/key-lifecycle-risk.ts
 const keyLifecycleRisk = defineRule({
 	id: "key-lifecycle-risk",
 	title: "Long-lived key material in repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove private keys from source, rotate exposed credentials, prefer short-lived deploy credentials, and document revocation/expiry for release keys.",
 	scan: scanByPattern({
 		shouldScan: (file) => !TEST_CONTEXT_PATTERN.test(file.relativePath) && !DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath),
@@ -12862,7 +13219,7 @@ const labelHasAssociatedControl = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/lang.ts
-const MESSAGE$33 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
+const MESSAGE$37 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
 const COMMON_LANGUAGE_PRIMARY_TAGS = new Set([
 	"aa",
 	"ab",
@@ -13074,7 +13431,7 @@ const lang = defineRule({
 			if (expression.type === "Identifier" && expression.name === "undefined" || expression.type === "Literal" && expression.value === null) {
 				context.report({
 					node: langAttr,
-					message: MESSAGE$33
+					message: MESSAGE$37
 				});
 				return;
 			}
@@ -13083,7 +13440,7 @@ const lang = defineRule({
 		if (value === null) return;
 		if (!isValidLangTag(value)) context.report({
 			node: langAttr,
-			message: MESSAGE$33
+			message: MESSAGE$37
 		});
 	} })
 });
@@ -13127,7 +13484,7 @@ const mdxSsrExecutionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
-const MESSAGE$32 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
+const MESSAGE$36 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
 const DEFAULT_VIDEO = ["video"];
 const DEFAULT_TRACK = ["track"];
@@ -13168,7 +13525,7 @@ const mediaHasCaption = defineRule({
 			if (!parent || !isNodeOfType(parent, "JSXElement")) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$32
+					message: MESSAGE$36
 				});
 				return;
 			}
@@ -13185,7 +13542,7 @@ const mediaHasCaption = defineRule({
 				return kindValue.value.toLowerCase() === "captions";
 			})) context.report({
 				node: node.name,
-				message: MESSAGE$32
+				message: MESSAGE$36
 			});
 		} };
 	}
@@ -14986,7 +15343,7 @@ const nextjsNoVercelOgImport = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-access-key.ts
-const MESSAGE$31 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
+const MESSAGE$35 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
 const isUndefinedIdentifier = (expression) => isNodeOfType(expression, "Identifier") && expression.name === "undefined";
 const noAccessKey = defineRule({
 	id: "no-access-key",
@@ -15003,7 +15360,7 @@ const noAccessKey = defineRule({
 		if (isNodeOfType(attributeValue, "Literal") && typeof attributeValue.value === "string") {
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$35
 			});
 			return;
 		}
@@ -15013,7 +15370,7 @@ const noAccessKey = defineRule({
 			if (isUndefinedIdentifier(expression)) return;
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$35
 			});
 		}
 	} })
@@ -15496,7 +15853,7 @@ const noAdjustStateOnPropChange = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-aria-hidden-on-focusable.ts
-const MESSAGE$30 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
+const MESSAGE$34 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
 const noAriaHiddenOnFocusable = defineRule({
 	id: "no-aria-hidden-on-focusable",
 	title: "aria-hidden on focusable element",
@@ -15523,7 +15880,7 @@ const noAriaHiddenOnFocusable = defineRule({
 		const isImplicitlyFocusable = isInteractiveElement(tag, node);
 		if (isExplicitlyFocusable || isImplicitlyFocusable) context.report({
 			node: ariaHidden,
-			message: MESSAGE$30
+			message: MESSAGE$34
 		});
 	} })
 });
@@ -15891,7 +16248,7 @@ const noArrayIndexAsKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-array-index-key.ts
-const MESSAGE$29 = "Your users can see & submit the wrong data when this list reorders.";
+const MESSAGE$33 = "Your users can see & submit the wrong data when this list reorders.";
 const SECOND_INDEX_METHODS = new Set([
 	"every",
 	"filter",
@@ -16095,7 +16452,7 @@ const noArrayIndexKey = defineRule({
 			}
 			context.report({
 				node: keyAttribute,
-				message: MESSAGE$29
+				message: MESSAGE$33
 			});
 		},
 		CallExpression(node) {
@@ -16115,15 +16472,35 @@ const noArrayIndexKey = defineRule({
 				if (propName !== "key") continue;
 				if (expressionUsesIndex(property.value, indexBinding.name)) context.report({
 					node: property,
-					message: MESSAGE$29
+					message: MESSAGE$33
 				});
 			}
 		}
 	})
 });
 //#endregion
+//#region src/plugin/rules/state-and-effects/no-async-effect-callback.ts
+const MESSAGE$32 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
+const noAsyncEffectCallback = defineRule({
+	id: "no-async-effect-callback",
+	title: "Async effect callback",
+	severity: "warn",
+	recommendation: "Don't make the effect callback `async`. Define an async function inside the effect and call it, then return a real cleanup function if you need one.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isHookCall$1(node, EFFECT_HOOK_NAMES$1)) return;
+		const callback = getEffectCallback(node);
+		if (!callback) return;
+		if (!isNodeOfType(callback, "ArrowFunctionExpression") && !isNodeOfType(callback, "FunctionExpression")) return;
+		if (!callback.async) return;
+		context.report({
+			node: callback,
+			message: MESSAGE$32
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/a11y/no-autofocus.ts
-const MESSAGE$28 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
+const MESSAGE$31 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
 const resolveSettings$21 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreNonDOM: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noAutofocus ?? {} : {}).ignoreNonDOM ?? true };
@@ -16179,7 +16556,7 @@ const noAutofocus = defineRule({
 			}
 			context.report({
 				node: autoFocusAttribute,
-				message: MESSAGE$28
+				message: MESSAGE$31
 			});
 		} };
 	}
@@ -16429,6 +16806,109 @@ const noBarrelImport = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/function-contains-react-render-output.ts
+const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
+	"FunctionDeclaration",
+	"FunctionExpression",
+	"ArrowFunctionExpression",
+	"ClassDeclaration",
+	"ClassExpression"
+]);
+const isReactImport$1 = (symbol) => {
+	let importDeclaration = symbol.declarationNode?.parent;
+	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
+	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
+	return importDeclaration.source.value === "react";
+};
+const getImportedName = (symbol) => {
+	if (symbol.kind !== "import") return null;
+	if (!isReactImport$1(symbol)) return null;
+	return getImportedName$1(symbol.declarationNode) ?? null;
+};
+const isReactNamespaceImport = (symbol) => {
+	if (symbol.kind !== "import") return false;
+	if (!isReactImport$1(symbol)) return false;
+	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
+};
+const isReactCreateElementIdentifierCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "Identifier")) return false;
+	const symbol = scopes.symbolFor(callee);
+	return Boolean(symbol && getImportedName(symbol) === "createElement");
+};
+const isReactCreateElementMemberCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "MemberExpression")) return false;
+	if (callee.computed) return false;
+	if (!isNodeOfType(callee.object, "Identifier")) return false;
+	if (!isNodeOfType(callee.property, "Identifier")) return false;
+	if (callee.property.name !== "createElement") return false;
+	const symbol = scopes.symbolFor(callee.object);
+	return Boolean(symbol && isReactNamespaceImport(symbol));
+};
+const isReactCreateElementCall = (node, scopes) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
+};
+const containsRenderOutput = (node, rootNode, scopes) => {
+	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
+	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
+	if (isReactCreateElementCall(node, scopes)) return true;
+	const nodeRecord = node;
+	for (const key of Object.keys(nodeRecord)) {
+		if (key === "parent") continue;
+		const child = nodeRecord[key];
+		if (Array.isArray(child)) {
+			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
+		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
+	}
+	return false;
+};
+const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
+//#endregion
+//#region src/plugin/utils/is-component-declaration.ts
+const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
+//#endregion
+//#region src/plugin/rules/react-builtins/no-call-component-as-function.ts
+const message = (name) => `\`${name}\` is a component, so calling it as a plain function (\`${name}(...)\`) runs it outside React: its hooks break, it gets no fiber/state, and memoization is lost. Render it as \`<${name} />\` instead.`;
+const symbolIsLocalComponent = (symbol, context) => {
+	const declaration = symbol.declarationNode;
+	if (isComponentDeclaration(declaration)) return functionContainsReactRenderOutput(declaration, context.scopes);
+	if (isComponentAssignment(declaration) && symbol.initializer) return functionContainsReactRenderOutput(symbol.initializer, context.scopes);
+	return false;
+};
+const noCallComponentAsFunction = defineRule({
+	id: "no-call-component-as-function",
+	title: "Component called as a function",
+	severity: "warn",
+	tags: ["test-noise"],
+	recommendation: "Render components as JSX (`<Component />`), never call them like functions (`Component(props)`). A direct call runs the component outside React and breaks hooks, state, and memoization.",
+	create: (context) => {
+		const renderedJsxNames = /* @__PURE__ */ new Set();
+		const candidateCalls = [];
+		return {
+			JSXOpeningElement(node) {
+				if (isNodeOfType(node.name, "JSXIdentifier") && isUppercaseName(node.name.name)) renderedJsxNames.add(node.name.name);
+			},
+			CallExpression(node) {
+				if (isNodeOfType(node.callee, "Identifier") && isUppercaseName(node.callee.name)) candidateCalls.push({
+					node,
+					callee: node.callee,
+					name: node.callee.name
+				});
+			},
+			"Program:exit"() {
+				for (const candidate of candidateCalls) {
+					const symbol = context.scopes.symbolFor(candidate.callee);
+					if (!symbol) continue;
+					if (symbolIsLocalComponent(symbol, context) || symbol.kind === "import" && renderedJsxNames.has(candidate.name)) context.report({
+						node: candidate.node,
+						message: message(candidate.name)
+					});
+				}
+			}
+		};
+	}
+});
+//#endregion
 //#region src/plugin/utils/is-setter-identifier.ts
 const isSetterIdentifier = (name) => SETTER_PATTERN.test(name);
 //#endregion
@@ -16580,7 +17060,7 @@ const noChainStateUpdates = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-children-prop.ts
-const MESSAGE$27 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
+const MESSAGE$30 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
 const noChildrenProp = defineRule({
 	id: "no-children-prop",
 	title: "Children passed as a prop",
@@ -16592,7 +17072,7 @@ const noChildrenProp = defineRule({
 			if (node.name.name !== "children") return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$27
+				message: MESSAGE$30
 			});
 		},
 		CallExpression(node) {
@@ -16605,7 +17085,7 @@ const noChildrenProp = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "children" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "children") context.report({
 					node: propertyKey,
-					message: MESSAGE$27
+					message: MESSAGE$30
 				});
 			}
 		}
@@ -16613,7 +17093,7 @@ const noChildrenProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-clone-element.ts
-const MESSAGE$26 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
+const MESSAGE$29 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
 const noCloneElement = defineRule({
 	id: "no-clone-element",
 	title: "cloneElement makes child props fragile",
@@ -16626,7 +17106,7 @@ const noCloneElement = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "cloneElement") {
 			if (isImportedFromModule(node, "cloneElement", "react")) context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$29
 			});
 			return;
 		}
@@ -16639,7 +17119,7 @@ const noCloneElement = defineRule({
 			if (!isImportedFromModule(node, callee.object.name, "react")) return;
 			context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$29
 			});
 		}
 	} })
@@ -16688,7 +17168,7 @@ const enclosingComponentOrHookName = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-create-context-in-render.ts
-const MESSAGE$25 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
+const MESSAGE$28 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
 const CONTEXT_MODULES = [
 	"react",
 	"use-context-selector",
@@ -16724,7 +17204,32 @@ const noCreateContextInRender = defineRule({
 		if (!componentOrHookName) return;
 		context.report({
 			node,
-			message: `${MESSAGE$25} (called inside "${componentOrHookName}")`
+			message: `${MESSAGE$28} (called inside "${componentOrHookName}")`
+		});
+	} })
+});
+//#endregion
+//#region src/plugin/rules/react-builtins/no-create-ref-in-function-component.ts
+const MESSAGE$27 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
+const noCreateRefInFunctionComponent = defineRule({
+	id: "no-create-ref-in-function-component",
+	title: "createRef in function component",
+	severity: "warn",
+	recommendation: "Replace `createRef()` with the `useRef()` hook inside function components and hooks. `createRef` is only for class components.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isReactFunctionCall(node, "createRef")) return;
+		if (isNodeOfType(node.callee, "Identifier")) {
+			const symbol = context.scopes.symbolFor(node.callee);
+			if (symbol && symbol.kind !== "import") return;
+		}
+		const enclosingFunction = nearestEnclosingFunction(node);
+		if (!enclosingFunction) return;
+		const displayName = componentOrHookDisplayNameForFunction(enclosingFunction);
+		if (!displayName) return;
+		if (!(isReactHookName(displayName) || functionContainsReactRenderOutput(enclosingFunction, context.scopes))) return;
+		context.report({
+			node,
+			message: MESSAGE$27
 		});
 	} })
 });
@@ -16864,7 +17369,7 @@ const noCreateStoreInRender = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger.ts
-const MESSAGE$24 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
+const MESSAGE$26 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
 const noDanger = defineRule({
 	id: "no-danger",
 	title: "Raw HTML injection can run unsafe markup",
@@ -16877,7 +17382,7 @@ const noDanger = defineRule({
 			if (!propAttribute) return;
 			context.report({
 				node: propAttribute.name,
-				message: MESSAGE$24
+				message: MESSAGE$26
 			});
 		},
 		CallExpression(node) {
@@ -16889,7 +17394,7 @@ const noDanger = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "dangerouslySetInnerHTML" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "dangerouslySetInnerHTML") context.report({
 					node: propertyKey,
-					message: MESSAGE$24
+					message: MESSAGE$26
 				});
 			}
 		}
@@ -16897,7 +17402,7 @@ const noDanger = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger-with-children.ts
-const MESSAGE$23 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
+const MESSAGE$25 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
 const isLineBreak = (child) => {
 	if (!isNodeOfType(child, "JSXText")) return false;
 	return child.value.trim().length === 0 && child.value.includes("\n");
@@ -16967,7 +17472,7 @@ const noDangerWithChildren = defineRule({
 			if (!hasChildrenProp && !hasNestedChildren) return;
 			if (hasJsxPropIgnoreCase(opening.attributes, "dangerouslySetInnerHTML") || spreadPropsShape.hasDangerously) context.report({
 				node: opening,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		},
 		CallExpression(node) {
@@ -16979,7 +17484,7 @@ const noDangerWithChildren = defineRule({
 			if (!propsShape.hasDangerously) return;
 			if (node.arguments.length >= 3 || propsShape.hasChildren) context.report({
 				node,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		}
 	})
@@ -17556,7 +18061,7 @@ const isSetStateCallInLifecycle = (setStateCall, lifecycleNames, options = {}) =
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-mount-set-state.ts
 const LIFECYCLE_NAMES$2 = new Set(["componentDidMount"]);
-const MESSAGE$22 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
+const MESSAGE$24 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
 const resolveSettings$20 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidMountSetState ?? {} : {}).mode ?? "allowed" };
@@ -17575,7 +18080,7 @@ const noDidMountSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$2, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$22
+				message: MESSAGE$24
 			});
 		} };
 	}
@@ -17583,7 +18088,7 @@ const noDidMountSetState = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-update-set-state.ts
 const LIFECYCLE_NAMES$1 = new Set(["componentDidUpdate"]);
-const MESSAGE$21 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$23 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$19 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -17602,7 +18107,7 @@ const noDidUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$1, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$21
+				message: MESSAGE$23
 			});
 		} };
 	}
@@ -17625,7 +18130,7 @@ const isStateMemberExpression = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-direct-mutation-state.ts
-const MESSAGE$20 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
+const MESSAGE$22 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
 const shouldIgnoreMutation = (node) => {
 	let isConstructor = false;
 	let isInsideCallExpression = false;
@@ -17647,7 +18152,7 @@ const reportIfStateMutation = (context, reportNode, target) => {
 	if (shouldIgnoreMutation(reportNode)) return;
 	context.report({
 		node: reportNode,
-		message: MESSAGE$20
+		message: MESSAGE$22
 	});
 };
 const noDirectMutationState = defineRule({
@@ -19235,7 +19740,7 @@ const ALLOWED_NAMESPACES = new Set([
 	"ReactDOM",
 	"ReactDom"
 ]);
-const MESSAGE$19 = "`findDOMNode` crashes your app in React 19 because it was removed.";
+const MESSAGE$21 = "`findDOMNode` crashes your app in React 19 because it was removed.";
 const noFindDomNode = defineRule({
 	id: "no-find-dom-node",
 	title: "findDOMNode breaks component encapsulation",
@@ -19246,7 +19751,7 @@ const noFindDomNode = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "findDOMNode") {
 			context.report({
 				node: callee,
-				message: MESSAGE$19
+				message: MESSAGE$21
 			});
 			return;
 		}
@@ -19257,7 +19762,7 @@ const noFindDomNode = defineRule({
 			if (callee.property.name !== "findDOMNode") return;
 			context.report({
 				node: callee.property,
-				message: MESSAGE$19
+				message: MESSAGE$21
 			});
 		}
 	} })
@@ -19320,64 +19825,6 @@ const noGenericHandlerNames = defineRule({
 	} })
 });
 //#endregion
-//#region src/plugin/utils/function-contains-react-render-output.ts
-const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
-	"FunctionDeclaration",
-	"FunctionExpression",
-	"ArrowFunctionExpression",
-	"ClassDeclaration",
-	"ClassExpression"
-]);
-const isReactImport$1 = (symbol) => {
-	let importDeclaration = symbol.declarationNode?.parent;
-	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
-	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
-	return importDeclaration.source.value === "react";
-};
-const getImportedName = (symbol) => {
-	if (symbol.kind !== "import") return null;
-	if (!isReactImport$1(symbol)) return null;
-	return getImportedName$1(symbol.declarationNode) ?? null;
-};
-const isReactNamespaceImport = (symbol) => {
-	if (symbol.kind !== "import") return false;
-	if (!isReactImport$1(symbol)) return false;
-	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
-};
-const isReactCreateElementIdentifierCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "Identifier")) return false;
-	const symbol = scopes.symbolFor(callee);
-	return Boolean(symbol && getImportedName(symbol) === "createElement");
-};
-const isReactCreateElementMemberCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "MemberExpression")) return false;
-	if (callee.computed) return false;
-	if (!isNodeOfType(callee.object, "Identifier")) return false;
-	if (!isNodeOfType(callee.property, "Identifier")) return false;
-	if (callee.property.name !== "createElement") return false;
-	const symbol = scopes.symbolFor(callee.object);
-	return Boolean(symbol && isReactNamespaceImport(symbol));
-};
-const isReactCreateElementCall = (node, scopes) => {
-	if (!isNodeOfType(node, "CallExpression")) return false;
-	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
-};
-const containsRenderOutput = (node, rootNode, scopes) => {
-	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
-	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
-	if (isReactCreateElementCall(node, scopes)) return true;
-	const nodeRecord = node;
-	for (const key of Object.keys(nodeRecord)) {
-		if (key === "parent") continue;
-		const child = nodeRecord[key];
-		if (Array.isArray(child)) {
-			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
-		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
-	}
-	return false;
-};
-const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
-//#endregion
 //#region src/plugin/rules/architecture/no-giant-component.ts
 const noGiantComponent = defineRule({
 	id: "no-giant-component",
@@ -19556,6 +20003,26 @@ const noGrayOnColoredBackground = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/performance/no-img-lazy-with-high-fetchpriority.ts
+const MESSAGE$20 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
+const noImgLazyWithHighFetchpriority = defineRule({
+	id: "no-img-lazy-with-high-fetchpriority",
+	title: "Lazy image with high fetchPriority",
+	severity: "warn",
+	recommendation: "Don't combine `loading=\"lazy\"` with `fetchPriority=\"high\"`. A high-priority image (usually the LCP) should load eagerly; a lazy image is by definition not high priority.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier") || node.name.name !== "img") return;
+		const loadingAttribute = hasJsxPropIgnoreCase(node.attributes, "loading");
+		if (!loadingAttribute || getJsxPropStringValue(loadingAttribute)?.toLowerCase() !== "lazy") return;
+		const fetchPriorityAttribute = hasJsxPropIgnoreCase(node.attributes, "fetchPriority");
+		if (!fetchPriorityAttribute || getJsxPropStringValue(fetchPriorityAttribute)?.toLowerCase() !== "high") return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$20
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/state-and-effects/no-initialize-state.ts
 const noInitializeState = defineRule({
 	id: "no-initialize-state",
@@ -19785,6 +20252,29 @@ const noIsMounted = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-json-parse-stringify-clone.ts
+const MESSAGE$19 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
+const isJsonMethodCall = (node, method) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	const callee = node.callee;
+	return isNodeOfType(callee, "MemberExpression") && !callee.computed && isNodeOfType(callee.object, "Identifier") && callee.object.name === "JSON" && isNodeOfType(callee.property, "Identifier") && callee.property.name === method;
+};
+const noJsonParseStringifyClone = defineRule({
+	id: "no-json-parse-stringify-clone",
+	title: "JSON parse/stringify deep clone",
+	severity: "warn",
+	recommendation: "Replace `JSON.parse(JSON.stringify(value))` with `structuredClone(value)`. It is faster and preserves Dates, Maps, Sets, and cyclic references.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isJsonMethodCall(node, "parse")) return;
+		const firstArgument = node.arguments?.[0];
+		if (!firstArgument || !isJsonMethodCall(firstArgument, "stringify")) return;
+		context.report({
+			node,
+			message: MESSAGE$19
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/correctness/no-jsx-element-type.ts
 const MESSAGE$18 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
 const isJsxElementTypeReference = (node) => {
@@ -20107,9 +20597,6 @@ const noLongTransitionDuration = defineRule({
 const BOOLEAN_PROP_PREFIX_PATTERN = /^(?:is|has|should|can|show|hide|enable|disable|with)[A-Z]/;
 const isBooleanPrefixedPropName = (propName) => BOOLEAN_PROP_PREFIX_PATTERN.test(propName);
 //#endregion
-//#region src/plugin/utils/is-component-declaration.ts
-const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
-//#endregion
 //#region src/plugin/rules/architecture/no-many-boolean-props.ts
 const collectBooleanLikePropsFromBody = (componentBody, propsParamName) => {
 	const found = /* @__PURE__ */ new Set();
@@ -22527,11 +23014,17 @@ const classifySecretFileExposure = (filename, options = {}) => {
 	return "unknown";
 };
 //#endregion
-//#region src/plugin/utils/get-identifier-trailing-word.ts
-const getIdentifierTrailingWord = (identifierName) => {
-	return identifierName.match(/[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g)?.at(-1)?.toLowerCase() ?? identifierName.toLowerCase();
+//#region src/plugin/utils/tokenize-identifier-words.ts
+const IDENTIFIER_WORD_PATTERN = /[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g;
+const tokenizeIdentifierWords = (identifierName) => {
+	const words = identifierName.match(IDENTIFIER_WORD_PATTERN);
+	if (!words) return [];
+	return words.map((word) => word.toLowerCase());
 };
 //#endregion
+//#region src/plugin/utils/get-identifier-trailing-word.ts
+const getIdentifierTrailingWord = (identifierName) => tokenizeIdentifierWords(identifierName).at(-1) ?? identifierName.toLowerCase();
+//#endregion
 //#region src/plugin/constants/tanstack.ts
 const TANSTACK_ROUTE_FILE_PATTERN = /\/routes\//;
 const TANSTACK_ROOT_ROUTE_FILE_PATTERN = /__root\.(tsx?|jsx?)$/;
@@ -27035,6 +27528,8 @@ const publicEnvSecretName = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/tanstack-query/query-destructure-result.ts
+const TANSTACK_QUERY_PACKAGE_PATTERN = /^@tanstack\/[\w-]*query[\w-]*$/;
+const isTanstackQuerySource = (source) => TANSTACK_QUERY_PACKAGE_PATTERN.test(source) || source === "react-query";
 const queryDestructureResult = defineRule({
 	id: "query-destructure-result",
 	title: "Whole query result subscribes to every field",
@@ -27047,6 +27542,8 @@ const queryDestructureResult = defineRule({
 		if (!node.init || !isNodeOfType(node.init, "CallExpression")) return;
 		const calleeName = isNodeOfType(node.init.callee, "Identifier") ? node.init.callee.name : null;
 		if (!calleeName || !TANSTACK_QUERY_HOOKS.has(calleeName)) return;
+		const importSource = getImportSourceForName(node, calleeName);
+		if (importSource !== null && !isTanstackQuerySource(importSource)) return;
 		context.report({
 			node: node.id,
 			message: `Destructure ${calleeName}() results instead of assigning the whole query object, so TanStack Query only subscribes to the fields you use.`
@@ -27889,6 +28386,7 @@ const repositorySecretFile = defineRule({
 	id: "repository-secret-file",
 	title: "Secret file checked into repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove committed env files, service-account credentials, npm auth tokens, and webhook URLs; rotate exposed values and keep only redacted examples in source.",
 	scan: (file) => {
 		if (!isRepositorySecretFilePath(file.relativePath)) return [];
@@ -27905,6 +28403,20 @@ const repositorySecretFile = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/request-body-mass-assignment.ts
+const REQUEST_INPUT_SOURCE = "(?:req|request|ctx\\.req|ctx\\.request)\\.(?:body|query|params)|await\\s+(?:req|request)\\.json\\(\\s*\\)";
+const requestBodyMassAssignment = defineRule({
+	id: "request-body-mass-assignment",
+	title: "Request input spread without field allowlist",
+	severity: "warn",
+	recommendation: "Assign explicit, allowlisted fields (or validate with a strict schema and no `.passthrough()`) instead of spreading/merging request input. Otherwise the client can set ownership, role, or price columns (mass assignment) or pollute the prototype.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: [new RegExp(`\\.\\.\\.\\s*(?:${REQUEST_INPUT_SOURCE})`, "i"), new RegExp(`(?:Object\\.assign\\s*\\(|_\\.(?:merge|mergeWith|defaultsDeep)\\s*\\(|(?:^|[^.\\w])(?:merge|defaultsDeep)\\s*\\()[\\s\\S]{0,80}?(?:${REQUEST_INPUT_SOURCE})`, "i")],
+		message: "Request input is spread or merged into an object without a field allowlist, enabling mass assignment (client-set owner/role/price fields) or prototype pollution."
+	})
+});
+//#endregion
 //#region src/plugin/utils/function-body-has-return-with-value.ts
 const functionBodyHasReturnWithValue = (functionNode) => {
 	if (functionNode.type === "ArrowFunctionExpression" && "body" in functionNode) {
@@ -34330,6 +34842,17 @@ const scope = defineRule({
 		});
 	} })
 });
+const secretInFallback = defineRule({
+	id: "secret-in-fallback",
+	title: "Hardcoded secret fallback for env var",
+	severity: "error",
+	recommendation: "Remove the literal fallback and fail closed (throw when the variable is unset). The hardcoded value is a committed secret, and the `??`/`||` default makes the app run with it in any environment that forgot to set the var.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\bprocess\.env\.(?![A-Z0-9_]*(?:PUBLIC|PUBLISHABLE|ANON)\b)[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_?KEY|APIKEY|ACCESS_KEY|CLIENT_SECRET|CREDENTIAL|SIGNING_KEY|ENCRYPTION_KEY|WEBHOOK_SECRET|SERVICE_ROLE)[A-Z0-9_]*(?<!_(?:NAME|HEADER|ENDPOINT|URL|URI|ID|PREFIX|SUFFIX|PARAM|PARAMS|FIELD|ISSUER|AUDIENCE|ALGORITHM|ALG|REGION|BUCKET|HOST|HOSTNAME|PORT|PATH|VERSION|SCOPE|TYPE|FORMAT|EXPIRY|TTL))\s*(?:\?\?|\|\|)\s*(["'`])(?!(?:changeme|change[_-]?me|placeholder|your[_-]|example|sample|dummy|development|local|todo|replace[_-]?me|https?:\/\/|x{3,}|\*{3,}))[^"'`\n]{8,}\1/i,
+		message: "A secret env var has a hardcoded string fallback: the literal is a committed secret and the app fails open (uses it) when the variable is unset."
+	})
+});
 //#endregion
 //#region src/plugin/rules/react-builtins/self-closing-comp.ts
 const MESSAGE$2 = "This tag has no children, so the closing tag adds noise without changing output.";
@@ -34448,6 +34971,47 @@ const serverAfterNonblocking = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/is-auth-guard-name.ts
+const SIGNED_IN_HEAD_TOKENS = new Set([
+	"signed",
+	"logged",
+	"sign"
+]);
+const mergeSignedInTokens = (tokens) => {
+	const mergedTokens = [];
+	for (let tokenIndex = 0; tokenIndex < tokens.length; tokenIndex += 1) {
+		const currentToken = tokens[tokenIndex];
+		if (SIGNED_IN_HEAD_TOKENS.has(currentToken) && tokens[tokenIndex + 1] === "in") {
+			mergedTokens.push(`${currentToken}in`);
+			tokenIndex += 1;
+			continue;
+		}
+		mergedTokens.push(currentToken);
+	}
+	return mergedTokens;
+};
+const isAuthGuardName = (calleeName) => {
+	const tokens = mergeSignedInTokens(tokenizeIdentifierWords(calleeName));
+	if (tokens.length === 0) return false;
+	let hasAssertiveVerb = false;
+	let hasGetterVerb = false;
+	let hasQualifier = false;
+	let hasStrongNoun = false;
+	let hasWeakNoun = false;
+	for (const token of tokens) {
+		if (AUTH_STRONG_TOKEN_PATTERN.test(token) || AUTH_STANDALONE_NOUN_TOKENS.has(token)) return true;
+		if (AUTH_ASSERTIVE_VERB_TOKENS.has(token)) hasAssertiveVerb = true;
+		if (AUTH_GETTER_VERB_TOKENS.has(token)) hasGetterVerb = true;
+		if (AUTH_QUALIFIER_TOKENS.has(token)) hasQualifier = true;
+		if (AUTH_STRONG_NOUN_TOKENS.has(token)) hasStrongNoun = true;
+		if (AUTH_WEAK_NOUN_TOKENS.has(token)) hasWeakNoun = true;
+	}
+	if (hasAssertiveVerb && (hasStrongNoun || hasWeakNoun)) return true;
+	if (hasGetterVerb && hasStrongNoun) return true;
+	if (hasQualifier && hasWeakNoun) return true;
+	return false;
+};
+//#endregion
 //#region src/plugin/rules/server/server-auth-actions.ts
 const isAsyncFunctionLikeNode = (node) => {
 	if (!node) return false;
@@ -34490,9 +35054,13 @@ const isMemberCallAuthRelated = (receiverNode, methodName, genericMethodNames) =
 const getAuthCallName = (callExpression, allowedFunctionNames, genericMethodNames) => {
 	const calleeNode = unwrapTypeWrappedCallee(callExpression.callee);
 	if (!calleeNode) return null;
-	if (isNodeOfType(calleeNode, "Identifier")) return allowedFunctionNames.has(calleeNode.name) ? calleeNode.name : null;
+	if (isNodeOfType(calleeNode, "Identifier")) {
+		const calleeName = calleeNode.name;
+		return allowedFunctionNames.has(calleeName) || isAuthGuardName(calleeName) ? calleeName : null;
+	}
 	if (isNodeOfType(calleeNode, "MemberExpression") && isNodeOfType(calleeNode.property, "Identifier")) {
 		const methodName = calleeNode.property.name;
+		if (isAuthGuardName(methodName)) return methodName;
 		if (!allowedFunctionNames.has(methodName)) return null;
 		if (!isMemberCallAuthRelated(calleeNode.object, methodName, genericMethodNames)) return null;
 		return methodName;
@@ -35139,8 +35707,11 @@ const supabaseClientOwnedAuthzField = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-supabase-migration-path.ts
+const isSupabaseMigrationPath = (relativePath) => /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+//#endregion
 //#region src/plugin/rules/security-scan/utils/is-sql-path.ts
-const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || isSupabaseMigrationPath(relativePath);
 const supabaseRlsPolicyRisk = defineRule({
 	id: "supabase-rls-policy-risk",
 	title: "Permissive Supabase RLS policy",
@@ -35158,6 +35729,210 @@ const supabaseRlsPolicyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/sanitize-sql-for-scan.ts
+const DOLLAR_QUOTE_TAG_PATTERN = /^\$[A-Za-z_]?\w*\$/;
+const CODE_BODY_KEYWORDS = new Set([
+	"do",
+	"plpgsql",
+	"sql",
+	"plpython3u",
+	"plpythonu",
+	"plperl",
+	"plperlu",
+	"plv8"
+]);
+const precedingKeyword = (content, beforeIndex) => {
+	let lookBack = beforeIndex - 1;
+	while (lookBack >= 0 && /\s/.test(content[lookBack] ?? "")) lookBack -= 1;
+	let wordStart = lookBack;
+	while (wordStart >= 0 && /[A-Za-z0-9_]/.test(content[wordStart] ?? "")) wordStart -= 1;
+	return content.slice(wordStart + 1, lookBack + 1).toLowerCase();
+};
+const blankCodeBodyInterior = (content, characters, start, end) => {
+	let index = start;
+	let inExecuteStatement = false;
+	while (index < end) {
+		const character = content[index];
+		if (character === ";") {
+			inExecuteStatement = false;
+			index += 1;
+			continue;
+		}
+		if (/[A-Za-z_]/.test(character)) {
+			let wordEnd = index;
+			while (wordEnd < end && /[A-Za-z0-9_]/.test(content[wordEnd] ?? "")) wordEnd += 1;
+			if (content.slice(index, wordEnd).toLowerCase() === "execute") inExecuteStatement = true;
+			index = wordEnd;
+			continue;
+		}
+		if (character === "'") {
+			const keepVisible = inExecuteStatement;
+			if (!keepVisible) characters[index] = " ";
+			index += 1;
+			while (index < end) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						if (!keepVisible) {
+							characters[index] = " ";
+							characters[index + 1] = " ";
+						}
+						index += 2;
+						continue;
+					}
+					if (!keepVisible) characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (!keepVisible && content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < end) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < end && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < end) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+};
+const sanitizeSqlForScan = (content) => {
+	const characters = content.split("");
+	let index = 0;
+	while (index < content.length) {
+		const character = content[index];
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < content.length && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < content.length) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "'") {
+			characters[index] = " ";
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						characters[index] = " ";
+						characters[index + 1] = " ";
+						index += 2;
+						continue;
+					}
+					characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "$") {
+			const tagMatch = DOLLAR_QUOTE_TAG_PATTERN.exec(content.slice(index));
+			if (tagMatch !== null) {
+				const tag = tagMatch[0];
+				const closeIndex = content.indexOf(tag, index + tag.length);
+				const endIndex = closeIndex < 0 ? content.length : closeIndex + tag.length;
+				const keyword = precedingKeyword(content, index);
+				if (CODE_BODY_KEYWORDS.has(keyword)) blankCodeBodyInterior(content, characters, index + tag.length, endIndex);
+				else for (let blankIndex = index; blankIndex < endIndex; blankIndex += 1) if (content[blankIndex] !== "\n") characters[blankIndex] = " ";
+				index = endIndex;
+				continue;
+			}
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+	return characters.join("");
+};
+//#endregion
+//#region src/plugin/rules/security-scan/supabase-table-missing-rls.ts
+const CREATE_PUBLIC_TABLE_PATTERN = /create\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?(?!(?:auth|storage|realtime|vault|extensions|graphql|graphql_public|pgbouncer|net|supabase_functions|supabase_migrations|cron|pgsodium|pgmq|information_schema|pg_catalog|pg_temp|private|internal)\s*\.)(?:public\s*\.\s*)?["`]?([A-Za-z_][\w$]*)["`]?(?:\s*\(|\s+as\b)/gi;
+const enableRlsForTablePattern = (tableName) => new RegExp(`alter\\s+table\\s+(?:if\\s+exists\\s+)?(?:only\\s+)?(?:public\\s*\\.\\s*)?["\`]?${escapeRegExp(tableName)}["\`]?\\s+(?:force\\s+)?enable\\s+row\\s+level\\s+security`, "i");
+const supabaseTableMissingRls = defineRule({
+	id: "supabase-table-missing-rls",
+	title: "Supabase table created without Row Level Security",
+	severity: "error",
+	recommendation: "Enable RLS in the same migration (`alter table <name> enable row level security;`) and add `auth.uid()`-scoped policies for select/insert/update/delete. A public table without RLS is fully readable and writable with the public anon key.",
+	scan: (file) => {
+		if (!isSupabaseMigrationPath(file.relativePath)) return [];
+		const content = sanitizeSqlForScan(file.content);
+		if (!/create\s+(?:unlogged\s+)?table/i.test(content)) return [];
+		const findings = [];
+		CREATE_PUBLIC_TABLE_PATTERN.lastIndex = 0;
+		for (let match = CREATE_PUBLIC_TABLE_PATTERN.exec(content); match !== null; match = CREATE_PUBLIC_TABLE_PATTERN.exec(content)) {
+			const tableName = match[1];
+			if (tableName === void 0) continue;
+			if (enableRlsForTablePattern(tableName).test(content.slice(match.index))) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message: "Supabase migration creates a public table but never enables Row Level Security, leaving every row exposed to the anon key.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/svg-filter-clickjacking-risk.ts
 const svgFilterClickjackingRisk = defineRule({
 	id: "svg-filter-clickjacking-risk",
@@ -35856,6 +36631,47 @@ const tenantStaticProxyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/unsafe-json-in-html.ts
+const SINK_JSON_STRINGIFY_PATTERNS = [/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:[\s\S]{0,300}?\bJSON\.stringify\s*\(/gi, /<script\b[^>]*>(?:(?!<\/script>)[\s\S]){0,300}?\bJSON\.stringify\s*\(/gi];
+const RETURN_ESCAPE_PATTERN = /^[\s)]*\.replace\s*\([^)]*(?:\\u003[cC]|&lt;|<)/;
+const ESCAPE_WRAPPER_PATTERN = /(?:\b(?:escapeHtml|escapeJSON|escapeJson|htmlEscape|jsesc)|(?<![.\w])(?:serialize|serializeJavascript|devalue|uneval|superjson))\s*\(\s*$/i;
+const JSON_STRINGIFY_TOKEN_PATTERN = /\bJSON\.stringify\s*\($/i;
+const RETURN_LOOKAHEAD_CHARS = 160;
+const unsafeJsonInHtml = defineRule({
+	id: "unsafe-json-in-html",
+	title: "Unescaped JSON in HTML or script sink",
+	severity: "warn",
+	recommendation: "JSON.stringify does not HTML-escape, so a `<\/script>` (or `<`) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape `<`, `>`, and `&`, or pass data via a JSON `<script type=\"application/json\">` read with JSON.parse.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!content.includes("JSON.stringify")) return [];
+		const findings = [];
+		const seenIndices = /* @__PURE__ */ new Set();
+		for (const pattern of SINK_JSON_STRINGIFY_PATTERNS) {
+			pattern.lastIndex = 0;
+			for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+				const beforeStringify = match[0].replace(JSON_STRINGIFY_TOKEN_PATTERN, "");
+				if (ESCAPE_WRAPPER_PATTERN.test(beforeStringify)) continue;
+				const closeParenIndex = findMatchingBracket(content, match.index + match[0].length - 1);
+				if (closeParenIndex >= 0) {
+					const afterReturn = content.slice(closeParenIndex + 1, closeParenIndex + 1 + RETURN_LOOKAHEAD_CHARS);
+					if (RETURN_ESCAPE_PATTERN.test(afterReturn)) continue;
+				}
+				if (seenIndices.has(match.index)) continue;
+				seenIndices.add(match.index);
+				const location = getLocationAtIndex(content, match.index);
+				findings.push({
+					message: "JSON.stringify is embedded in HTML/script markup without HTML-escaping; data containing `<\/script>` or `<` breaks out and becomes XSS.",
+					line: location.line,
+					column: location.column
+				});
+			}
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/untrusted-redirect-following.ts
 const OUTBOUND_FETCH_CALL_PATTERN = /(?:(?<![.\w$])fetch|\baxios\.\s*(?:get|post|put|delete|head)|\bgot|\bgot\.\s*(?:get|post))\s*\(\s*([^,)]+)/;
 const CALLER_STYLE_URL_NAME_PATTERN = /\b(?:url|targetUrl|callbackUrl|redirectUrl|webhookUrl|companyUrl|websiteUrl|domainUrl|imageUrl|fetchUrl|next|return_to|returnTo|destination|location)\b/i;
@@ -36003,7 +36819,7 @@ const voidDomElementsNoChildren = defineRule({
 //#region src/plugin/rules/security-scan/webhook-signature-risk.ts
 const WEBHOOK_HANDLER_PATTERN = /(?:^|\/)[^/]*webhook[^/]*\/|(?:^|\/)[^/]*webhook[^/]*\.[cm]?[jt]s$|\bwebhook\b/i;
 const WEBHOOK_ENTRYPOINT_PATTERN = /\b(?:export\s+(?:async\s+)?function\s+POST|export\s+const\s+(?:POST|handler|webhook)|webhookHandler|webhookRoute)\b/i;
-const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = /verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/i;
+const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = new RegExp(`${/verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/.source}|${/\b[A-Za-z]{0,40}(?:verif|valid|check|assert|authenticat|compare|guard)[A-Za-z]{0,40}(?:secret|signature|hmac|webhook|digest)[A-Za-z]{0,40}\s*\(/.source}`, "i");
 const OUTBOUND_WEBHOOK_URL_MENTION_PATTERN = /webhook[\s_-]?ur[il]\w*/gi;
 const OUTBOUND_WEBHOOK_CONFIG_PATTERN = /process\.env\.\w*WEBHOOK_URL|\b(?:send|post|dispatch|publish|notify)\w*Webhook/;
 const REQUEST_READ_PATTERN = /\b(?:req|request)\b/;
@@ -36663,6 +37479,17 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/auth-token-in-web-storage",
+		id: "auth-token-in-web-storage",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...authTokenInWebStorage,
+			framework: "global",
+			category: "Security"
+		}
+	},
 	{
 		key: "react-doctor/autocomplete-valid",
 		id: "autocomplete-valid",
@@ -36879,6 +37706,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noVagueButtonLabel.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/dialog-has-accessible-name",
+		id: "dialog-has-accessible-name",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...dialogHasAccessibleName,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...dialogHasAccessibleName.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/display-name",
 		id: "display-name",
@@ -37164,6 +38003,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...insecureCryptoRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/insecure-session-cookie",
+		id: "insecure-session-cookie",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...insecureSessionCookie,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...insecureSessionCookie.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/interactive-supports-focus",
 		id: "interactive-supports-focus",
@@ -37606,6 +38457,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...jsxPropsNoSpreading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/jwt-insecure-verification",
+		id: "jwt-insecure-verification",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...jwtInsecureVerification,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...jwtInsecureVerification.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/key-lifecycle-risk",
 		id: "key-lifecycle-risk",
@@ -38014,6 +38877,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noArrayIndexKey.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-async-effect-callback",
+		id: "no-async-effect-callback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noAsyncEffectCallback,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noAsyncEffectCallback.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-autofocus",
 		id: "no-autofocus",
@@ -38037,6 +38912,18 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/no-call-component-as-function",
+		id: "no-call-component-as-function",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCallComponentAsFunction,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCallComponentAsFunction.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-cascading-set-state",
 		id: "no-cascading-set-state",
@@ -38097,6 +38984,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noCreateContextInRender.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-create-ref-in-function-component",
+		id: "no-create-ref-in-function-component",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCreateRefInFunctionComponent,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCreateRefInFunctionComponent.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-create-store-in-render",
 		id: "no-create-store-in-render",
@@ -38471,6 +39370,18 @@ const reactDoctorRules = [
 			category: "Accessibility"
 		}
 	},
+	{
+		key: "react-doctor/no-img-lazy-with-high-fetchpriority",
+		id: "no-img-lazy-with-high-fetchpriority",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noImgLazyWithHighFetchpriority,
+			framework: "global",
+			category: "Performance",
+			requires: [...new Set(["react", ...noImgLazyWithHighFetchpriority.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-initialize-state",
 		id: "no-initialize-state",
@@ -38541,6 +39452,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noIsMounted.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-json-parse-stringify-clone",
+		id: "no-json-parse-stringify-clone",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noJsonParseStringifyClone,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-jsx-element-type",
 		id: "no-jsx-element-type",
@@ -39756,6 +40678,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...repositorySecretFile.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/request-body-mass-assignment",
+		id: "request-body-mass-assignment",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...requestBodyMassAssignment,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...requestBodyMassAssignment.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/require-render-return",
 		id: "require-render-return",
@@ -40344,6 +41278,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...scope.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/secret-in-fallback",
+		id: "secret-in-fallback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...secretInFallback,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...secretInFallback.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/self-closing-comp",
 		id: "self-closing-comp",
@@ -40500,6 +41446,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...supabaseRlsPolicyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/supabase-table-missing-rls",
+		id: "supabase-table-missing-rls",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseTableMissingRls,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseTableMissingRls.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/svg-filter-clickjacking-risk",
 		id: "svg-filter-clickjacking-risk",
@@ -40690,6 +41648,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...tenantStaticProxyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/unsafe-json-in-html",
+		id: "unsafe-json-in-html",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...unsafeJsonInHtml,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...unsafeJsonInHtml.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/untrusted-redirect-following",
 		id: "untrusted-redirect-following",