npm - oxlint-plugin-react-doctor - Versions diffs - 0.5.5 → 0.5.6-dev.8908f98 - Mend

oxlint-plugin-react-doctor 0.5.5 → 0.5.6-dev.8908f98

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -323,9 +323,18 @@ const BROWSER_ARTIFACT_PATH_PATTERNS = [
 const AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN = /\b(?:exec|execSync|spawn|child_process|eval|new Function|vm\.run|readFile|writeFile|fs\.read|fs\.write|fetch|axios|http\.request|sandbox|runCode|executeCode)\b/;
 //#endregion
 //#region src/plugin/rules/security-scan/utils/is-browser-artifact-path.ts
-const isServerOnlyBuildArtifactPath = (relativePath) => /(?:^|\/)(?:\.next\/server|\.output\/server)\//.test(relativePath);
+const SERVER_BUILD_ROOT_SEGMENTS = new Set([".next", ".output"]);
+const isNonShippedBuildArtifactPath = (relativePath) => {
+	const segments = relativePath.split("/");
+	for (let index = 0; index < segments.length; index += 1) {
+		if (!SERVER_BUILD_ROOT_SEGMENTS.has(segments[index])) continue;
+		if (segments[index] === ".next" && segments[index + 1] === "dev") return true;
+		if (segments[index + 1] === "server" && index + 2 < segments.length) return true;
+	}
+	return false;
+};
 const isBrowserArtifactPath = (relativePath, isGeneratedBundle) => {
-	if (isServerOnlyBuildArtifactPath(relativePath)) return false;
+	if (isNonShippedBuildArtifactPath(relativePath)) return false;
 	if (isGeneratedBundle) return true;
 	if (relativePath.endsWith(".map")) return true;
 	return BROWSER_ARTIFACT_PATH_PATTERNS.some((pattern) => pattern.test(relativePath));
@@ -1108,6 +1117,11 @@ const getImportedNameFromModule = (contextNode, localIdentifierName, moduleSourc
 	if (info.source !== moduleSource) return null;
 	return info.imported;
 };
+const getImportSourceForName = (contextNode, localIdentifierName) => {
+	const lookup = getImportLookup(contextNode);
+	if (!lookup) return null;
+	return lookup.get(localIdentifierName)?.source ?? null;
+};
 //#endregion
 //#region src/plugin/utils/find-variable-initializer.ts
 const FUNCTION_LIKE_TYPES$1 = new Set([
@@ -1847,7 +1861,7 @@ const anchorAmbiguousText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/anchor-has-content.ts
-const MESSAGE$51 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$57 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
 const anchorHasContent = defineRule({
 	id: "anchor-has-content",
 	title: "Anchor has no content",
@@ -1863,7 +1877,7 @@ const anchorHasContent = defineRule({
 		for (const attribute of ["title", "aria-label"]) if (hasJsxPropIgnoreCase(opening.attributes, attribute)) return;
 		context.report({
 			node: opening.name,
-			message: MESSAGE$51
+			message: MESSAGE$57
 		});
 	} })
 });
@@ -2257,7 +2271,7 @@ const parseJsxValue = (value) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/aria-activedescendant-has-tabindex.ts
-const MESSAGE$50 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
+const MESSAGE$56 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
 const ariaActivedescendantHasTabindex = defineRule({
 	id: "aria-activedescendant-has-tabindex",
 	title: "aria-activedescendant missing tabindex",
@@ -2275,14 +2289,14 @@ const ariaActivedescendantHasTabindex = defineRule({
 			if (tabIndexValue === null || tabIndexValue >= -1) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$50
+				message: MESSAGE$56
 			});
 			return;
 		}
 		if (isInteractiveElement(tag, node)) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$50
+			message: MESSAGE$56
 		});
 	} })
 });
@@ -4187,6 +4201,58 @@ const asyncParallel = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security/auth-token-in-web-storage.ts
+const MESSAGE$55 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
+const STORAGE_NAMES = new Set(["localStorage", "sessionStorage"]);
+const STORAGE_GLOBALS = new Set([
+	"window",
+	"globalThis",
+	"self"
+]);
+const SENSITIVE_KEY_PATTERN = /token|jwt|secret|password|passwd|credential|api[-_]?key|bearer|private[-_]?key/i;
+const isWebStorageObject = (node) => {
+	if (isNodeOfType(node, "Identifier")) return STORAGE_NAMES.has(node.name);
+	if (isNodeOfType(node, "MemberExpression") && !node.computed && isNodeOfType(node.object, "Identifier") && STORAGE_GLOBALS.has(node.object.name) && isNodeOfType(node.property, "Identifier")) return STORAGE_NAMES.has(node.property.name);
+	return false;
+};
+const staticMemberName = (member) => {
+	if (!member.computed && isNodeOfType(member.property, "Identifier")) return member.property.name;
+	if (member.computed && isNodeOfType(member.property, "Literal") && typeof member.property.value === "string") return member.property.value;
+	return null;
+};
+const authTokenInWebStorage = defineRule({
+	id: "auth-token-in-web-storage",
+	title: "Auth token in web storage",
+	severity: "warn",
+	recommendation: "Don't persist auth tokens (JWTs, access/refresh tokens, secrets) in `localStorage`/`sessionStorage`; they're readable by any XSS. Use an `HttpOnly` cookie set by the server.",
+	create: (context) => ({
+		CallExpression(node) {
+			const callee = node.callee;
+			if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+			if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "setItem") return;
+			if (!isWebStorageObject(callee.object)) return;
+			const keyArgument = node.arguments?.[0];
+			if (!keyArgument || !isNodeOfType(keyArgument, "Literal") || typeof keyArgument.value !== "string") return;
+			if (!SENSITIVE_KEY_PATTERN.test(keyArgument.value)) return;
+			context.report({
+				node,
+				message: MESSAGE$55
+			});
+		},
+		AssignmentExpression(node) {
+			const target = node.left;
+			if (!isNodeOfType(target, "MemberExpression")) return;
+			if (!isWebStorageObject(target.object)) return;
+			const propertyName = staticMemberName(target);
+			if (!propertyName || !SENSITIVE_KEY_PATTERN.test(propertyName)) return;
+			context.report({
+				node: target,
+				message: MESSAGE$55
+			});
+		}
+	})
+});
+//#endregion
 //#region src/plugin/rules/a11y/autocomplete-valid.ts
 const buildMessage$25 = (value) => `Users who rely on autofill can't fill this field because \`${value}\` isn't a known token, so use a valid \`autoComplete\` token.`;
 const AUTOFILL_TOKENS = new Set([
@@ -4558,7 +4624,7 @@ const isPureEventBlockerHandler = (attribute) => {
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
 const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
-const MESSAGE$49 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
+const MESSAGE$54 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
 	"onKeyDown",
@@ -4590,7 +4656,7 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$49
+				message: MESSAGE$54
 			});
 		} };
 	}
@@ -4705,7 +4771,7 @@ const isReactComponentName = (name) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/control-has-associated-label.ts
-const MESSAGE$48 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$53 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_IGNORE_ELEMENTS = ["link", "canvas"];
 const DEFAULT_LABELLING_PROPS = [
 	"alt",
@@ -4866,7 +4932,7 @@ const controlHasAssociatedLabel = defineRule({
 			for (const child of node.children) if (checkChildForLabel(child, 1, checkContext)) return;
 			context.report({
 				node: opening,
-				message: MESSAGE$48
+				message: MESSAGE$53
 			});
 		} };
 	}
@@ -5292,6 +5358,38 @@ const noVagueButtonLabel = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/utils/has-jsx-spread-attribute.ts
+const hasJsxSpreadAttribute$1 = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
+//#endregion
+//#region src/plugin/rules/a11y/dialog-has-accessible-name.ts
+const MESSAGE$52 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
+const DIALOG_ROLES = new Set(["dialog", "alertdialog"]);
+const NAME_PROVIDING_ATTRIBUTES = [
+	"aria-label",
+	"aria-labelledby",
+	"title"
+];
+const dialogHasAccessibleName = defineRule({
+	id: "dialog-has-accessible-name",
+	title: "Dialog without accessible name",
+	severity: "warn",
+	recommendation: "Give every `<dialog>` / `role=\"dialog\"` an accessible name with `aria-label` or `aria-labelledby` (referencing the dialog's title element).",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const tagName = node.name.name;
+		if (tagName[0] !== tagName[0]?.toLowerCase()) return;
+		const roleAttribute = hasJsxPropIgnoreCase(node.attributes, "role");
+		const roleValue = roleAttribute ? getJsxPropStringValue(roleAttribute) : null;
+		if (!(tagName === "dialog" || roleValue !== null && DIALOG_ROLES.has(roleValue))) return;
+		if (hasJsxSpreadAttribute$1(node.attributes)) return;
+		if (NAME_PROVIDING_ATTRIBUTES.some((attribute) => hasJsxPropIgnoreCase(node.attributes, attribute))) return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$52
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/utils/is-es5-component.ts
 const PRAGMA$2 = "React";
 const CREATE_CLASS = "createReactClass";
@@ -5326,7 +5424,7 @@ const isEs6Component = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/display-name.ts
-const MESSAGE$47 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
+const MESSAGE$51 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
 const DEFAULT_ADDITIONAL_HOCS = [
 	"observer",
 	"lazy",
@@ -5529,7 +5627,7 @@ const displayName = defineRule({
 		const reportAt = (node) => {
 			context.report({
 				node,
-				message: MESSAGE$47
+				message: MESSAGE$51
 			});
 		};
 		return {
@@ -7677,7 +7775,7 @@ const forbidElements = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/forward-ref-uses-ref.ts
-const MESSAGE$46 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
+const MESSAGE$50 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
 const forwardRefUsesRef = defineRule({
 	id: "forward-ref-uses-ref",
 	title: "forwardRef without ref parameter",
@@ -7697,7 +7795,7 @@ const forwardRefUsesRef = defineRule({
 		if (isNodeOfType(onlyParam, "RestElement")) return;
 		context.report({
 			node: inner,
-			message: MESSAGE$46
+			message: MESSAGE$50
 		});
 	} })
 });
@@ -7734,7 +7832,7 @@ const gitProviderUrlInjectionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
-const MESSAGE$45 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$49 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
 	"h1",
 	"h2",
@@ -7767,7 +7865,7 @@ const headingHasContent = defineRule({
 			if (isHiddenFromScreenReader(node, context.settings)) return;
 			context.report({
 				node,
-				message: MESSAGE$45
+				message: MESSAGE$49
 			});
 		} };
 	}
@@ -7905,7 +8003,7 @@ const hooksNoNanInDeps = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/html-has-lang.ts
-const MESSAGE$44 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
+const MESSAGE$48 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
 const resolveSettings$38 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { htmlTags: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.htmlHasLang ?? {} : {}).htmlTags ?? ["html"] };
@@ -7953,7 +8051,7 @@ const htmlHasLang = defineRule({
 			if (!lang) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$44
+					message: MESSAGE$48
 				});
 				return;
 			}
@@ -7961,13 +8059,13 @@ const htmlHasLang = defineRule({
 			if (verdict === "missing" || verdict === "empty") {
 				context.report({
 					node: lang,
-					message: MESSAGE$44
+					message: MESSAGE$48
 				});
 				return;
 			}
 			if (hasSpread && !lang) context.report({
 				node: node.name,
-				message: MESSAGE$44
+				message: MESSAGE$48
 			});
 		} };
 	}
@@ -8181,7 +8279,7 @@ const htmlNoNestedInteractive = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/iframe-has-title.ts
-const MESSAGE$43 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
+const MESSAGE$47 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
 const evaluateTitleValue = (value) => {
 	if (!value) return "missing";
 	if (isNodeOfType(value, "Literal")) {
@@ -8221,14 +8319,14 @@ const iframeHasTitle = defineRule({
 		if (!titleAttr) {
 			if (hasSpread || tag === "iframe") context.report({
 				node: node.name,
-				message: MESSAGE$43
+				message: MESSAGE$47
 			});
 			return;
 		}
 		const verdict = evaluateTitleValue(titleAttr.value);
 		if (verdict === "missing" || verdict === "empty") context.report({
 			node: titleAttr,
-			message: MESSAGE$43
+			message: MESSAGE$47
 		});
 	} })
 });
@@ -8332,7 +8430,7 @@ const iframeMissingSandbox = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/img-redundant-alt.ts
-const MESSAGE$42 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
+const MESSAGE$46 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
 const DEFAULT_COMPONENTS = ["img"];
 const DEFAULT_REDUNDANT_WORDS = [
 	"image",
@@ -8397,7 +8495,7 @@ const imgRedundantAlt = defineRule({
 			if (!altAttribute) return;
 			if (altValueRedundant(altAttribute, settings.words)) context.report({
 				node: altAttribute,
-				message: MESSAGE$42
+				message: MESSAGE$46
 			});
 		} };
 	}
@@ -8495,6 +8593,136 @@ const insecureCryptoRisk = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/find-matching-bracket.ts
+const findMatchingBracket = (content, openIndex) => {
+	const open = content[openIndex];
+	const close = open === "(" ? ")" : open === "{" ? "}" : open === "[" ? "]" : "";
+	if (close === "") return -1;
+	let depth = 0;
+	let stringDelimiter = null;
+	for (let index = openIndex; index < content.length; index += 1) {
+		const character = content[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === open) depth += 1;
+		else if (character === close) {
+			depth -= 1;
+			if (depth === 0) return index;
+		}
+	}
+	return -1;
+};
+//#endregion
+//#region src/plugin/rules/security-scan/insecure-session-cookie.ts
+const AUTH_COOKIE_NAME_TOKEN = `(?<![A-Za-z0-9])(?:session|sess|sid|connect\\.sid|auth|jwt|access[_-]?token|refresh[_-]?token|id[_-]?token)(?![A-Za-z0-9])`;
+const AUTH_COOKIE_NAME_LITERAL = `[\`"'][^\`"']*?${AUTH_COOKIE_NAME_TOKEN}[^\`"']*[\`"']`;
+const AUTH_COOKIE_SET_CALL_PATTERN = new RegExp(`(?:\\.cookies\\.set|cookies\\(\\s*\\)\\.set|\\.cookie)\\s*\\(\\s*${AUTH_COOKIE_NAME_LITERAL}`, "gi");
+const HTTP_ONLY_DISABLED_PATTERN = /httpOnly\s*:\s*false\b/i;
+const STRING_LITERAL_PATTERN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g;
+const blankStringContents = (text) => {
+	const characters = text.split("");
+	let index = 0;
+	let stringDelimiter = null;
+	while (index < text.length) {
+		const character = text[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") {
+				index += 2;
+				continue;
+			}
+			if (character === stringDelimiter) stringDelimiter = null;
+			else if (character !== "\n") characters[index] = " ";
+			index += 1;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		index += 1;
+	}
+	return characters.join("");
+};
+const COOKIE_CONFIG_OPENER_PATTERN = /cookie\s*:\s*\{/gi;
+const CLIENT_AUTH_COOKIE_WRITE_PATTERN = new RegExp(`document\\.cookie\\s*=\\s*[\`"'][^\`"'=;]*?${AUTH_COOKIE_NAME_TOKEN}[^\`"'=;]*=`, "gi");
+const countTopLevelArguments = (argumentsSource) => {
+	if (argumentsSource.trim().length === 0) return 0;
+	let depth = 0;
+	let stringDelimiter = null;
+	let count = 1;
+	for (let index = 0; index < argumentsSource.length; index += 1) {
+		const character = argumentsSource[index];
+		if (stringDelimiter !== null) {
+			if (character === "\\") index += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (character === "(" || character === "[" || character === "{") depth += 1;
+		else if (character === ")" || character === "]" || character === "}") depth -= 1;
+		else if (character === "," && depth === 0) count += 1;
+	}
+	return count;
+};
+const addMatchFindings = (content, pattern, message, isInsecure, findings) => {
+	pattern.lastIndex = 0;
+	for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+		if (!isInsecure(match.index, match[0])) continue;
+		const location = getLocationAtIndex(content, match.index);
+		findings.push({
+			message,
+			line: location.line,
+			column: location.column
+		});
+	}
+};
+const insecureSessionCookie = defineRule({
+	id: "insecure-session-cookie",
+	title: "Auth cookie missing HttpOnly protection",
+	severity: "warn",
+	recommendation: "Set auth/session cookies server-side with `httpOnly: true`, `secure: true`, and `sameSite`. Cookies set via `document.cookie` or with `httpOnly: false` are readable by any XSS payload and can be stolen.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/cookie/i.test(content)) return [];
+		const findings = [];
+		const message = "An auth/session cookie is exposed to JavaScript (set via document.cookie, with httpOnly: false, or without cookie options), letting an XSS payload steal it.";
+		AUTH_COOKIE_SET_CALL_PATTERN.lastIndex = 0;
+		for (let match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content); match !== null; match = AUTH_COOKIE_SET_CALL_PATTERN.exec(content)) {
+			const openParenIndex = match.index + match[0].lastIndexOf("(");
+			const closeParenIndex = findMatchingBracket(content, openParenIndex);
+			if (closeParenIndex < 0) continue;
+			const argumentsSource = content.slice(openParenIndex + 1, closeParenIndex);
+			const hasNoOptions = countTopLevelArguments(argumentsSource) < 3;
+			const argumentsWithoutStrings = argumentsSource.replace(STRING_LITERAL_PATTERN, "");
+			if (!hasNoOptions && !HTTP_ONLY_DISABLED_PATTERN.test(argumentsWithoutStrings)) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		const blankedContent = blankStringContents(content);
+		COOKIE_CONFIG_OPENER_PATTERN.lastIndex = 0;
+		for (let match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent); match !== null; match = COOKIE_CONFIG_OPENER_PATTERN.exec(blankedContent)) {
+			const braceIndex = match.index + match[0].length - 1;
+			const closeBraceIndex = findMatchingBracket(blankedContent, braceIndex);
+			const block = closeBraceIndex >= 0 ? blankedContent.slice(braceIndex, closeBraceIndex) : blankedContent.slice(braceIndex, braceIndex + 400);
+			if (!HTTP_ONLY_DISABLED_PATTERN.test(block)) continue;
+			const location = getLocationAtIndex(blankedContent, match.index);
+			findings.push({
+				message,
+				line: location.line,
+				column: location.column
+			});
+		}
+		addMatchFindings(content, CLIENT_AUTH_COOKIE_WRITE_PATTERN, message, () => true, findings);
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/constants/event-handlers.ts
 const MOUSE_EVENT_HANDLERS = [
 	"onClick",
@@ -10624,7 +10852,7 @@ const jsxMaxDepth = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-comment-textnodes.ts
-const MESSAGE$41 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
+const MESSAGE$45 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
 const LITERAL_TEXT_TAGS = new Set([
 	"code",
 	"pre",
@@ -10660,7 +10888,7 @@ const jsxNoCommentTextnodes = defineRule({
 		if (isInsideLiteralTextTag(node)) return;
 		context.report({
 			node,
-			message: MESSAGE$41
+			message: MESSAGE$45
 		});
 	} })
 });
@@ -10691,7 +10919,7 @@ const isInsideFunctionScope = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-constructed-context-values.ts
-const MESSAGE$40 = "Every reader of this context redraws on each render because you build its `value` inline.";
+const MESSAGE$44 = "Every reader of this context redraws on each render because you build its `value` inline.";
 const CONTEXT_MODULES$1 = [
 	"react",
 	"use-context-selector",
@@ -10789,7 +11017,7 @@ const jsxNoConstructedContextValues = defineRule({
 					if (!isConstructedValue(innerExpression)) continue;
 					context.report({
 						node: attribute,
-						message: MESSAGE$40
+						message: MESSAGE$44
 					});
 				}
 			}
@@ -10875,7 +11103,7 @@ const isJsxAttributeOnIntrinsicHtmlElement = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts
-const MESSAGE$39 = "This child redraws every render because the prop gets brand new JSX each time.";
+const MESSAGE$43 = "This child redraws every render because the prop gets brand new JSX each time.";
 const KNOWN_SLOT_PROP_NAMES = new Set([
 	"icon",
 	"Icon",
@@ -11144,7 +11372,7 @@ const jsxNoJsxAsProp = defineRule({
 				if (!isJsxProducingExpression(expressionNode) && !followsRenderLocalJsxBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$39
+					message: MESSAGE$43
 				});
 			}
 		};
@@ -11432,7 +11660,7 @@ const DATA_ARRAY_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts
-const MESSAGE$38 = "This child redraws every render because the prop gets a brand new array each time.";
+const MESSAGE$42 = "This child redraws every render because the prop gets a brand new array each time.";
 const isDataArrayPropName = (propName) => {
 	if (DATA_ARRAY_PROP_NAMES.has(propName)) return true;
 	for (const suffix of DATA_ARRAY_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -11516,7 +11744,7 @@ const jsxNoNewArrayAsProp = defineRule({
 				if (!isArrayProducingExpression(expressionNode) && !followsRenderLocalArrayBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$38
+					message: MESSAGE$42
 				});
 			}
 		};
@@ -11774,7 +12002,7 @@ const SAFE_RECEIVER_NAMES = new Set([
 ]);
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts
-const MESSAGE$37 = "This child redraws every render because the prop gets a brand new function each time.";
+const MESSAGE$41 = "This child redraws every render because the prop gets a brand new function each time.";
 const isAccessorPredicateName = (propName) => {
 	for (const prefix of ACCESSOR_PREDICATE_PREFIXES) {
 		if (propName.length <= prefix.length) continue;
@@ -11980,7 +12208,7 @@ const jsxNoNewFunctionAsProp = defineRule({
 				if (!isFunctionProducingExpression(expressionNode) && !followsRenderLocalFunctionBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$37
+					message: MESSAGE$41
 				});
 			}
 		};
@@ -12200,7 +12428,7 @@ const CONFIG_OBJECT_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts
-const MESSAGE$36 = "This child redraws every render because the prop gets a brand new object each time.";
+const MESSAGE$40 = "This child redraws every render because the prop gets a brand new object each time.";
 const isConfigObjectPropName = (propName) => {
 	if (CONFIG_OBJECT_PROP_NAMES.has(propName)) return true;
 	for (const suffix of CONFIG_OBJECT_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -12288,7 +12516,7 @@ const jsxNoNewObjectAsProp = defineRule({
 				if (!isObjectProducingExpression(expressionNode) && !followsRenderLocalObjectBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$36
+					message: MESSAGE$40
 				});
 			}
 		};
@@ -12296,7 +12524,7 @@ const jsxNoNewObjectAsProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-script-url.ts
-const MESSAGE$35 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
+const MESSAGE$39 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
 const JAVASCRIPT_URL_PATTERN = /j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;
 const resolveSettings$28 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
@@ -12337,7 +12565,7 @@ const jsxNoScriptUrl = defineRule({
 				if (!value || !isNodeOfType(value, "Literal") || typeof value.value !== "string") continue;
 				if (JAVASCRIPT_URL_PATTERN.test(value.value)) context.report({
 					node: attribute,
-					message: MESSAGE$35
+					message: MESSAGE$39
 				});
 			}
 		} };
@@ -12652,7 +12880,7 @@ const jsxPropsNoSpreadMulti = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-props-no-spreading.ts
-const MESSAGE$34 = "You can't tell what props reach this element when you spread them.";
+const MESSAGE$38 = "You can't tell what props reach this element when you spread them.";
 const resolveSettings$25 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.jsxPropsNoSpreading ?? {} : {};
@@ -12693,18 +12921,77 @@ const jsxPropsNoSpreading = defineRule({
 				}
 				context.report({
 					node: attribute,
-					message: MESSAGE$34
+					message: MESSAGE$38
 				});
 			}
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/jwt-insecure-verification.ts
+const NONE_ALGORITHM_PATTERN = /\b(?:alg|algorithms?)\s*:\s*\[?\s*["'`]none["'`]/gi;
+const isIndexInsideStringLiteral = (content, index) => {
+	let stringDelimiter = null;
+	const templateExpressionDepths = [];
+	for (let cursor = 0; cursor < index; cursor += 1) {
+		const character = content[cursor];
+		if (stringDelimiter === "`") {
+			if (character === "\\") cursor += 1;
+			else if (character === "`") stringDelimiter = null;
+			else if (character === "$" && content[cursor + 1] === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				cursor += 1;
+			}
+			continue;
+		}
+		if (stringDelimiter !== null) {
+			if (character === "\\") cursor += 1;
+			else if (character === stringDelimiter) stringDelimiter = null;
+			continue;
+		}
+		if (character === "\"" || character === "'" || character === "`") stringDelimiter = character;
+		else if (templateExpressionDepths.length > 0) {
+			const top = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[top] += 1;
+			else if (character === "}") if (templateExpressionDepths[top] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+			} else templateExpressionDepths[top] -= 1;
+		}
+	}
+	return stringDelimiter !== null;
+};
+const jwtInsecureVerification = defineRule({
+	id: "jwt-insecure-verification",
+	title: "JWT verified with the 'none' algorithm",
+	severity: "error",
+	recommendation: "Never accept the `none` algorithm; it disables signature verification and lets any forged token through. Pin the real algorithm(s) explicitly (`jwt.verify(token, key, { algorithms: ['RS256'] })`).",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!/\bjwt\b|jsonwebtoken|\bjose\b/i.test(content)) return [];
+		const findings = [];
+		NONE_ALGORITHM_PATTERN.lastIndex = 0;
+		for (let noneMatch = NONE_ALGORITHM_PATTERN.exec(content); noneMatch !== null; noneMatch = NONE_ALGORITHM_PATTERN.exec(content)) {
+			if (isIndexInsideStringLiteral(content, noneMatch.index)) continue;
+			const location = getLocationAtIndex(content, noneMatch.index);
+			findings.push({
+				message: "JWT is configured with the 'none' algorithm, which disables signature verification, so any forged token is accepted.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/key-lifecycle-risk.ts
 const keyLifecycleRisk = defineRule({
 	id: "key-lifecycle-risk",
 	title: "Long-lived key material in repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove private keys from source, rotate exposed credentials, prefer short-lived deploy credentials, and document revocation/expiry for release keys.",
 	scan: scanByPattern({
 		shouldScan: (file) => !TEST_CONTEXT_PATTERN.test(file.relativePath) && !DOCUMENTATION_CONTEXT_PATTERN.test(file.relativePath),
@@ -12862,7 +13149,7 @@ const labelHasAssociatedControl = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/lang.ts
-const MESSAGE$33 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
+const MESSAGE$37 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
 const COMMON_LANGUAGE_PRIMARY_TAGS = new Set([
 	"aa",
 	"ab",
@@ -13074,7 +13361,7 @@ const lang = defineRule({
 			if (expression.type === "Identifier" && expression.name === "undefined" || expression.type === "Literal" && expression.value === null) {
 				context.report({
 					node: langAttr,
-					message: MESSAGE$33
+					message: MESSAGE$37
 				});
 				return;
 			}
@@ -13083,7 +13370,7 @@ const lang = defineRule({
 		if (value === null) return;
 		if (!isValidLangTag(value)) context.report({
 			node: langAttr,
-			message: MESSAGE$33
+			message: MESSAGE$37
 		});
 	} })
 });
@@ -13127,7 +13414,7 @@ const mdxSsrExecutionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
-const MESSAGE$32 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
+const MESSAGE$36 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
 const DEFAULT_VIDEO = ["video"];
 const DEFAULT_TRACK = ["track"];
@@ -13168,7 +13455,7 @@ const mediaHasCaption = defineRule({
 			if (!parent || !isNodeOfType(parent, "JSXElement")) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$32
+					message: MESSAGE$36
 				});
 				return;
 			}
@@ -13185,7 +13472,7 @@ const mediaHasCaption = defineRule({
 				return kindValue.value.toLowerCase() === "captions";
 			})) context.report({
 				node: node.name,
-				message: MESSAGE$32
+				message: MESSAGE$36
 			});
 		} };
 	}
@@ -14986,7 +15273,7 @@ const nextjsNoVercelOgImport = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-access-key.ts
-const MESSAGE$31 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
+const MESSAGE$35 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
 const isUndefinedIdentifier = (expression) => isNodeOfType(expression, "Identifier") && expression.name === "undefined";
 const noAccessKey = defineRule({
 	id: "no-access-key",
@@ -15003,7 +15290,7 @@ const noAccessKey = defineRule({
 		if (isNodeOfType(attributeValue, "Literal") && typeof attributeValue.value === "string") {
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$35
 			});
 			return;
 		}
@@ -15013,7 +15300,7 @@ const noAccessKey = defineRule({
 			if (isUndefinedIdentifier(expression)) return;
 			context.report({
 				node: accessKey,
-				message: MESSAGE$31
+				message: MESSAGE$35
 			});
 		}
 	} })
@@ -15496,7 +15783,7 @@ const noAdjustStateOnPropChange = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-aria-hidden-on-focusable.ts
-const MESSAGE$30 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
+const MESSAGE$34 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
 const noAriaHiddenOnFocusable = defineRule({
 	id: "no-aria-hidden-on-focusable",
 	title: "aria-hidden on focusable element",
@@ -15523,7 +15810,7 @@ const noAriaHiddenOnFocusable = defineRule({
 		const isImplicitlyFocusable = isInteractiveElement(tag, node);
 		if (isExplicitlyFocusable || isImplicitlyFocusable) context.report({
 			node: ariaHidden,
-			message: MESSAGE$30
+			message: MESSAGE$34
 		});
 	} })
 });
@@ -15891,7 +16178,7 @@ const noArrayIndexAsKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-array-index-key.ts
-const MESSAGE$29 = "Your users can see & submit the wrong data when this list reorders.";
+const MESSAGE$33 = "Your users can see & submit the wrong data when this list reorders.";
 const SECOND_INDEX_METHODS = new Set([
 	"every",
 	"filter",
@@ -16095,7 +16382,7 @@ const noArrayIndexKey = defineRule({
 			}
 			context.report({
 				node: keyAttribute,
-				message: MESSAGE$29
+				message: MESSAGE$33
 			});
 		},
 		CallExpression(node) {
@@ -16115,15 +16402,35 @@ const noArrayIndexKey = defineRule({
 				if (propName !== "key") continue;
 				if (expressionUsesIndex(property.value, indexBinding.name)) context.report({
 					node: property,
-					message: MESSAGE$29
+					message: MESSAGE$33
 				});
 			}
 		}
 	})
 });
 //#endregion
+//#region src/plugin/rules/state-and-effects/no-async-effect-callback.ts
+const MESSAGE$32 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
+const noAsyncEffectCallback = defineRule({
+	id: "no-async-effect-callback",
+	title: "Async effect callback",
+	severity: "warn",
+	recommendation: "Don't make the effect callback `async`. Define an async function inside the effect and call it, then return a real cleanup function if you need one.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isHookCall$1(node, EFFECT_HOOK_NAMES$1)) return;
+		const callback = getEffectCallback(node);
+		if (!callback) return;
+		if (!isNodeOfType(callback, "ArrowFunctionExpression") && !isNodeOfType(callback, "FunctionExpression")) return;
+		if (!callback.async) return;
+		context.report({
+			node: callback,
+			message: MESSAGE$32
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/a11y/no-autofocus.ts
-const MESSAGE$28 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
+const MESSAGE$31 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
 const resolveSettings$21 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreNonDOM: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noAutofocus ?? {} : {}).ignoreNonDOM ?? true };
@@ -16179,7 +16486,7 @@ const noAutofocus = defineRule({
 			}
 			context.report({
 				node: autoFocusAttribute,
-				message: MESSAGE$28
+				message: MESSAGE$31
 			});
 		} };
 	}
@@ -16429,6 +16736,109 @@ const noBarrelImport = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/function-contains-react-render-output.ts
+const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
+	"FunctionDeclaration",
+	"FunctionExpression",
+	"ArrowFunctionExpression",
+	"ClassDeclaration",
+	"ClassExpression"
+]);
+const isReactImport$1 = (symbol) => {
+	let importDeclaration = symbol.declarationNode?.parent;
+	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
+	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
+	return importDeclaration.source.value === "react";
+};
+const getImportedName = (symbol) => {
+	if (symbol.kind !== "import") return null;
+	if (!isReactImport$1(symbol)) return null;
+	return getImportedName$1(symbol.declarationNode) ?? null;
+};
+const isReactNamespaceImport = (symbol) => {
+	if (symbol.kind !== "import") return false;
+	if (!isReactImport$1(symbol)) return false;
+	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
+};
+const isReactCreateElementIdentifierCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "Identifier")) return false;
+	const symbol = scopes.symbolFor(callee);
+	return Boolean(symbol && getImportedName(symbol) === "createElement");
+};
+const isReactCreateElementMemberCall = (callee, scopes) => {
+	if (!isNodeOfType(callee, "MemberExpression")) return false;
+	if (callee.computed) return false;
+	if (!isNodeOfType(callee.object, "Identifier")) return false;
+	if (!isNodeOfType(callee.property, "Identifier")) return false;
+	if (callee.property.name !== "createElement") return false;
+	const symbol = scopes.symbolFor(callee.object);
+	return Boolean(symbol && isReactNamespaceImport(symbol));
+};
+const isReactCreateElementCall = (node, scopes) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
+};
+const containsRenderOutput = (node, rootNode, scopes) => {
+	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
+	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
+	if (isReactCreateElementCall(node, scopes)) return true;
+	const nodeRecord = node;
+	for (const key of Object.keys(nodeRecord)) {
+		if (key === "parent") continue;
+		const child = nodeRecord[key];
+		if (Array.isArray(child)) {
+			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
+		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
+	}
+	return false;
+};
+const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
+//#endregion
+//#region src/plugin/utils/is-component-declaration.ts
+const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
+//#endregion
+//#region src/plugin/rules/react-builtins/no-call-component-as-function.ts
+const message = (name) => `\`${name}\` is a component, so calling it as a plain function (\`${name}(...)\`) runs it outside React: its hooks break, it gets no fiber/state, and memoization is lost. Render it as \`<${name} />\` instead.`;
+const symbolIsLocalComponent = (symbol, context) => {
+	const declaration = symbol.declarationNode;
+	if (isComponentDeclaration(declaration)) return functionContainsReactRenderOutput(declaration, context.scopes);
+	if (isComponentAssignment(declaration) && symbol.initializer) return functionContainsReactRenderOutput(symbol.initializer, context.scopes);
+	return false;
+};
+const noCallComponentAsFunction = defineRule({
+	id: "no-call-component-as-function",
+	title: "Component called as a function",
+	severity: "warn",
+	tags: ["test-noise"],
+	recommendation: "Render components as JSX (`<Component />`), never call them like functions (`Component(props)`). A direct call runs the component outside React and breaks hooks, state, and memoization.",
+	create: (context) => {
+		const renderedJsxNames = /* @__PURE__ */ new Set();
+		const candidateCalls = [];
+		return {
+			JSXOpeningElement(node) {
+				if (isNodeOfType(node.name, "JSXIdentifier") && isUppercaseName(node.name.name)) renderedJsxNames.add(node.name.name);
+			},
+			CallExpression(node) {
+				if (isNodeOfType(node.callee, "Identifier") && isUppercaseName(node.callee.name)) candidateCalls.push({
+					node,
+					callee: node.callee,
+					name: node.callee.name
+				});
+			},
+			"Program:exit"() {
+				for (const candidate of candidateCalls) {
+					const symbol = context.scopes.symbolFor(candidate.callee);
+					if (!symbol) continue;
+					if (symbolIsLocalComponent(symbol, context) || symbol.kind === "import" && renderedJsxNames.has(candidate.name)) context.report({
+						node: candidate.node,
+						message: message(candidate.name)
+					});
+				}
+			}
+		};
+	}
+});
+//#endregion
 //#region src/plugin/utils/is-setter-identifier.ts
 const isSetterIdentifier = (name) => SETTER_PATTERN.test(name);
 //#endregion
@@ -16580,7 +16990,7 @@ const noChainStateUpdates = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-children-prop.ts
-const MESSAGE$27 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
+const MESSAGE$30 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
 const noChildrenProp = defineRule({
 	id: "no-children-prop",
 	title: "Children passed as a prop",
@@ -16592,7 +17002,7 @@ const noChildrenProp = defineRule({
 			if (node.name.name !== "children") return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$27
+				message: MESSAGE$30
 			});
 		},
 		CallExpression(node) {
@@ -16605,7 +17015,7 @@ const noChildrenProp = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "children" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "children") context.report({
 					node: propertyKey,
-					message: MESSAGE$27
+					message: MESSAGE$30
 				});
 			}
 		}
@@ -16613,7 +17023,7 @@ const noChildrenProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-clone-element.ts
-const MESSAGE$26 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
+const MESSAGE$29 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
 const noCloneElement = defineRule({
 	id: "no-clone-element",
 	title: "cloneElement makes child props fragile",
@@ -16626,7 +17036,7 @@ const noCloneElement = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "cloneElement") {
 			if (isImportedFromModule(node, "cloneElement", "react")) context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$29
 			});
 			return;
 		}
@@ -16639,7 +17049,7 @@ const noCloneElement = defineRule({
 			if (!isImportedFromModule(node, callee.object.name, "react")) return;
 			context.report({
 				node: callee,
-				message: MESSAGE$26
+				message: MESSAGE$29
 			});
 		}
 	} })
@@ -16688,7 +17098,7 @@ const enclosingComponentOrHookName = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-create-context-in-render.ts
-const MESSAGE$25 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
+const MESSAGE$28 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
 const CONTEXT_MODULES = [
 	"react",
 	"use-context-selector",
@@ -16724,7 +17134,32 @@ const noCreateContextInRender = defineRule({
 		if (!componentOrHookName) return;
 		context.report({
 			node,
-			message: `${MESSAGE$25} (called inside "${componentOrHookName}")`
+			message: `${MESSAGE$28} (called inside "${componentOrHookName}")`
+		});
+	} })
+});
+//#endregion
+//#region src/plugin/rules/react-builtins/no-create-ref-in-function-component.ts
+const MESSAGE$27 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
+const noCreateRefInFunctionComponent = defineRule({
+	id: "no-create-ref-in-function-component",
+	title: "createRef in function component",
+	severity: "warn",
+	recommendation: "Replace `createRef()` with the `useRef()` hook inside function components and hooks. `createRef` is only for class components.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isReactFunctionCall(node, "createRef")) return;
+		if (isNodeOfType(node.callee, "Identifier")) {
+			const symbol = context.scopes.symbolFor(node.callee);
+			if (symbol && symbol.kind !== "import") return;
+		}
+		const enclosingFunction = nearestEnclosingFunction(node);
+		if (!enclosingFunction) return;
+		const displayName = componentOrHookDisplayNameForFunction(enclosingFunction);
+		if (!displayName) return;
+		if (!(isReactHookName(displayName) || functionContainsReactRenderOutput(enclosingFunction, context.scopes))) return;
+		context.report({
+			node,
+			message: MESSAGE$27
 		});
 	} })
 });
@@ -16864,7 +17299,7 @@ const noCreateStoreInRender = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger.ts
-const MESSAGE$24 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
+const MESSAGE$26 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
 const noDanger = defineRule({
 	id: "no-danger",
 	title: "Raw HTML injection can run unsafe markup",
@@ -16877,7 +17312,7 @@ const noDanger = defineRule({
 			if (!propAttribute) return;
 			context.report({
 				node: propAttribute.name,
-				message: MESSAGE$24
+				message: MESSAGE$26
 			});
 		},
 		CallExpression(node) {
@@ -16889,7 +17324,7 @@ const noDanger = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "dangerouslySetInnerHTML" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "dangerouslySetInnerHTML") context.report({
 					node: propertyKey,
-					message: MESSAGE$24
+					message: MESSAGE$26
 				});
 			}
 		}
@@ -16897,7 +17332,7 @@ const noDanger = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger-with-children.ts
-const MESSAGE$23 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
+const MESSAGE$25 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
 const isLineBreak = (child) => {
 	if (!isNodeOfType(child, "JSXText")) return false;
 	return child.value.trim().length === 0 && child.value.includes("\n");
@@ -16967,7 +17402,7 @@ const noDangerWithChildren = defineRule({
 			if (!hasChildrenProp && !hasNestedChildren) return;
 			if (hasJsxPropIgnoreCase(opening.attributes, "dangerouslySetInnerHTML") || spreadPropsShape.hasDangerously) context.report({
 				node: opening,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		},
 		CallExpression(node) {
@@ -16979,7 +17414,7 @@ const noDangerWithChildren = defineRule({
 			if (!propsShape.hasDangerously) return;
 			if (node.arguments.length >= 3 || propsShape.hasChildren) context.report({
 				node,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		}
 	})
@@ -17556,7 +17991,7 @@ const isSetStateCallInLifecycle = (setStateCall, lifecycleNames, options = {}) =
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-mount-set-state.ts
 const LIFECYCLE_NAMES$2 = new Set(["componentDidMount"]);
-const MESSAGE$22 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
+const MESSAGE$24 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
 const resolveSettings$20 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidMountSetState ?? {} : {}).mode ?? "allowed" };
@@ -17575,7 +18010,7 @@ const noDidMountSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$2, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$22
+				message: MESSAGE$24
 			});
 		} };
 	}
@@ -17583,7 +18018,7 @@ const noDidMountSetState = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-update-set-state.ts
 const LIFECYCLE_NAMES$1 = new Set(["componentDidUpdate"]);
-const MESSAGE$21 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$23 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$19 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -17602,7 +18037,7 @@ const noDidUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$1, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$21
+				message: MESSAGE$23
 			});
 		} };
 	}
@@ -17625,7 +18060,7 @@ const isStateMemberExpression = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-direct-mutation-state.ts
-const MESSAGE$20 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
+const MESSAGE$22 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
 const shouldIgnoreMutation = (node) => {
 	let isConstructor = false;
 	let isInsideCallExpression = false;
@@ -17647,7 +18082,7 @@ const reportIfStateMutation = (context, reportNode, target) => {
 	if (shouldIgnoreMutation(reportNode)) return;
 	context.report({
 		node: reportNode,
-		message: MESSAGE$20
+		message: MESSAGE$22
 	});
 };
 const noDirectMutationState = defineRule({
@@ -19235,7 +19670,7 @@ const ALLOWED_NAMESPACES = new Set([
 	"ReactDOM",
 	"ReactDom"
 ]);
-const MESSAGE$19 = "`findDOMNode` crashes your app in React 19 because it was removed.";
+const MESSAGE$21 = "`findDOMNode` crashes your app in React 19 because it was removed.";
 const noFindDomNode = defineRule({
 	id: "no-find-dom-node",
 	title: "findDOMNode breaks component encapsulation",
@@ -19246,7 +19681,7 @@ const noFindDomNode = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "findDOMNode") {
 			context.report({
 				node: callee,
-				message: MESSAGE$19
+				message: MESSAGE$21
 			});
 			return;
 		}
@@ -19257,7 +19692,7 @@ const noFindDomNode = defineRule({
 			if (callee.property.name !== "findDOMNode") return;
 			context.report({
 				node: callee.property,
-				message: MESSAGE$19
+				message: MESSAGE$21
 			});
 		}
 	} })
@@ -19320,64 +19755,6 @@ const noGenericHandlerNames = defineRule({
 	} })
 });
 //#endregion
-//#region src/plugin/utils/function-contains-react-render-output.ts
-const NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES = new Set([
-	"FunctionDeclaration",
-	"FunctionExpression",
-	"ArrowFunctionExpression",
-	"ClassDeclaration",
-	"ClassExpression"
-]);
-const isReactImport$1 = (symbol) => {
-	let importDeclaration = symbol.declarationNode?.parent;
-	while (importDeclaration && !isNodeOfType(importDeclaration, "ImportDeclaration")) importDeclaration = importDeclaration.parent ?? null;
-	if (!importDeclaration || !isNodeOfType(importDeclaration, "ImportDeclaration")) return false;
-	return importDeclaration.source.value === "react";
-};
-const getImportedName = (symbol) => {
-	if (symbol.kind !== "import") return null;
-	if (!isReactImport$1(symbol)) return null;
-	return getImportedName$1(symbol.declarationNode) ?? null;
-};
-const isReactNamespaceImport = (symbol) => {
-	if (symbol.kind !== "import") return false;
-	if (!isReactImport$1(symbol)) return false;
-	return isNodeOfType(symbol.declarationNode, "ImportDefaultSpecifier") || isNodeOfType(symbol.declarationNode, "ImportNamespaceSpecifier");
-};
-const isReactCreateElementIdentifierCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "Identifier")) return false;
-	const symbol = scopes.symbolFor(callee);
-	return Boolean(symbol && getImportedName(symbol) === "createElement");
-};
-const isReactCreateElementMemberCall = (callee, scopes) => {
-	if (!isNodeOfType(callee, "MemberExpression")) return false;
-	if (callee.computed) return false;
-	if (!isNodeOfType(callee.object, "Identifier")) return false;
-	if (!isNodeOfType(callee.property, "Identifier")) return false;
-	if (callee.property.name !== "createElement") return false;
-	const symbol = scopes.symbolFor(callee.object);
-	return Boolean(symbol && isReactNamespaceImport(symbol));
-};
-const isReactCreateElementCall = (node, scopes) => {
-	if (!isNodeOfType(node, "CallExpression")) return false;
-	return isReactCreateElementIdentifierCall(node.callee, scopes) || isReactCreateElementMemberCall(node.callee, scopes);
-};
-const containsRenderOutput = (node, rootNode, scopes) => {
-	if (node !== rootNode && NESTED_RENDER_EVIDENCE_BOUNDARY_TYPES.has(node.type)) return false;
-	if (node.type === "JSXElement" || node.type === "JSXFragment") return true;
-	if (isReactCreateElementCall(node, scopes)) return true;
-	const nodeRecord = node;
-	for (const key of Object.keys(nodeRecord)) {
-		if (key === "parent") continue;
-		const child = nodeRecord[key];
-		if (Array.isArray(child)) {
-			for (const innerChild of child) if (isAstNode(innerChild) && containsRenderOutput(innerChild, rootNode, scopes)) return true;
-		} else if (isAstNode(child) && containsRenderOutput(child, rootNode, scopes)) return true;
-	}
-	return false;
-};
-const functionContainsReactRenderOutput = (functionNode, scopes) => containsRenderOutput(functionNode, functionNode, scopes);
-//#endregion
 //#region src/plugin/rules/architecture/no-giant-component.ts
 const noGiantComponent = defineRule({
 	id: "no-giant-component",
@@ -19556,6 +19933,26 @@ const noGrayOnColoredBackground = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/performance/no-img-lazy-with-high-fetchpriority.ts
+const MESSAGE$20 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
+const noImgLazyWithHighFetchpriority = defineRule({
+	id: "no-img-lazy-with-high-fetchpriority",
+	title: "Lazy image with high fetchPriority",
+	severity: "warn",
+	recommendation: "Don't combine `loading=\"lazy\"` with `fetchPriority=\"high\"`. A high-priority image (usually the LCP) should load eagerly; a lazy image is by definition not high priority.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier") || node.name.name !== "img") return;
+		const loadingAttribute = hasJsxPropIgnoreCase(node.attributes, "loading");
+		if (!loadingAttribute || getJsxPropStringValue(loadingAttribute)?.toLowerCase() !== "lazy") return;
+		const fetchPriorityAttribute = hasJsxPropIgnoreCase(node.attributes, "fetchPriority");
+		if (!fetchPriorityAttribute || getJsxPropStringValue(fetchPriorityAttribute)?.toLowerCase() !== "high") return;
+		context.report({
+			node: node.name,
+			message: MESSAGE$20
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/state-and-effects/no-initialize-state.ts
 const noInitializeState = defineRule({
 	id: "no-initialize-state",
@@ -19785,6 +20182,29 @@ const noIsMounted = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-json-parse-stringify-clone.ts
+const MESSAGE$19 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
+const isJsonMethodCall = (node, method) => {
+	if (!isNodeOfType(node, "CallExpression")) return false;
+	const callee = node.callee;
+	return isNodeOfType(callee, "MemberExpression") && !callee.computed && isNodeOfType(callee.object, "Identifier") && callee.object.name === "JSON" && isNodeOfType(callee.property, "Identifier") && callee.property.name === method;
+};
+const noJsonParseStringifyClone = defineRule({
+	id: "no-json-parse-stringify-clone",
+	title: "JSON parse/stringify deep clone",
+	severity: "warn",
+	recommendation: "Replace `JSON.parse(JSON.stringify(value))` with `structuredClone(value)`. It is faster and preserves Dates, Maps, Sets, and cyclic references.",
+	create: (context) => ({ CallExpression(node) {
+		if (!isJsonMethodCall(node, "parse")) return;
+		const firstArgument = node.arguments?.[0];
+		if (!firstArgument || !isJsonMethodCall(firstArgument, "stringify")) return;
+		context.report({
+			node,
+			message: MESSAGE$19
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/correctness/no-jsx-element-type.ts
 const MESSAGE$18 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
 const isJsxElementTypeReference = (node) => {
@@ -20107,9 +20527,6 @@ const noLongTransitionDuration = defineRule({
 const BOOLEAN_PROP_PREFIX_PATTERN = /^(?:is|has|should|can|show|hide|enable|disable|with)[A-Z]/;
 const isBooleanPrefixedPropName = (propName) => BOOLEAN_PROP_PREFIX_PATTERN.test(propName);
 //#endregion
-//#region src/plugin/utils/is-component-declaration.ts
-const isComponentDeclaration = (node) => isNodeOfType(node, "FunctionDeclaration") && node.id !== null && Boolean(node.id?.name) && isUppercaseName(node.id.name);
-//#endregion
 //#region src/plugin/rules/architecture/no-many-boolean-props.ts
 const collectBooleanLikePropsFromBody = (componentBody, propsParamName) => {
 	const found = /* @__PURE__ */ new Set();
@@ -27035,6 +27452,8 @@ const publicEnvSecretName = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/tanstack-query/query-destructure-result.ts
+const TANSTACK_QUERY_PACKAGE_PATTERN = /^@tanstack\/[\w-]*query[\w-]*$/;
+const isTanstackQuerySource = (source) => TANSTACK_QUERY_PACKAGE_PATTERN.test(source) || source === "react-query";
 const queryDestructureResult = defineRule({
 	id: "query-destructure-result",
 	title: "Whole query result subscribes to every field",
@@ -27047,6 +27466,8 @@ const queryDestructureResult = defineRule({
 		if (!node.init || !isNodeOfType(node.init, "CallExpression")) return;
 		const calleeName = isNodeOfType(node.init.callee, "Identifier") ? node.init.callee.name : null;
 		if (!calleeName || !TANSTACK_QUERY_HOOKS.has(calleeName)) return;
+		const importSource = getImportSourceForName(node, calleeName);
+		if (importSource !== null && !isTanstackQuerySource(importSource)) return;
 		context.report({
 			node: node.id,
 			message: `Destructure ${calleeName}() results instead of assigning the whole query object, so TanStack Query only subscribes to the fields you use.`
@@ -27889,6 +28310,7 @@ const repositorySecretFile = defineRule({
 	id: "repository-secret-file",
 	title: "Secret file checked into repository",
 	severity: "error",
+	committedFilesOnly: true,
 	recommendation: "Remove committed env files, service-account credentials, npm auth tokens, and webhook URLs; rotate exposed values and keep only redacted examples in source.",
 	scan: (file) => {
 		if (!isRepositorySecretFilePath(file.relativePath)) return [];
@@ -27905,6 +28327,20 @@ const repositorySecretFile = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/security-scan/request-body-mass-assignment.ts
+const REQUEST_INPUT_SOURCE = "(?:req|request|ctx\\.req|ctx\\.request)\\.(?:body|query|params)|await\\s+(?:req|request)\\.json\\(\\s*\\)";
+const requestBodyMassAssignment = defineRule({
+	id: "request-body-mass-assignment",
+	title: "Request input spread without field allowlist",
+	severity: "warn",
+	recommendation: "Assign explicit, allowlisted fields (or validate with a strict schema and no `.passthrough()`) instead of spreading/merging request input. Otherwise the client can set ownership, role, or price columns (mass assignment) or pollute the prototype.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: [new RegExp(`\\.\\.\\.\\s*(?:${REQUEST_INPUT_SOURCE})`, "i"), new RegExp(`(?:Object\\.assign\\s*\\(|_\\.(?:merge|mergeWith|defaultsDeep)\\s*\\(|(?:^|[^.\\w])(?:merge|defaultsDeep)\\s*\\()[\\s\\S]{0,80}?(?:${REQUEST_INPUT_SOURCE})`, "i")],
+		message: "Request input is spread or merged into an object without a field allowlist, enabling mass assignment (client-set owner/role/price fields) or prototype pollution."
+	})
+});
+//#endregion
 //#region src/plugin/utils/function-body-has-return-with-value.ts
 const functionBodyHasReturnWithValue = (functionNode) => {
 	if (functionNode.type === "ArrowFunctionExpression" && "body" in functionNode) {
@@ -34330,6 +34766,17 @@ const scope = defineRule({
 		});
 	} })
 });
+const secretInFallback = defineRule({
+	id: "secret-in-fallback",
+	title: "Hardcoded secret fallback for env var",
+	severity: "error",
+	recommendation: "Remove the literal fallback and fail closed (throw when the variable is unset). The hardcoded value is a committed secret, and the `??`/`||` default makes the app run with it in any environment that forgot to set the var.",
+	scan: scanByPattern({
+		shouldScan: (file) => isProductionSourcePath(file.relativePath),
+		pattern: /\bprocess\.env\.(?![A-Z0-9_]*(?:PUBLIC|PUBLISHABLE|ANON)\b)[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_?KEY|APIKEY|ACCESS_KEY|CLIENT_SECRET|CREDENTIAL|SIGNING_KEY|ENCRYPTION_KEY|WEBHOOK_SECRET|SERVICE_ROLE)[A-Z0-9_]*(?<!_(?:NAME|HEADER|ENDPOINT|URL|URI|ID|PREFIX|SUFFIX|PARAM|PARAMS|FIELD|ISSUER|AUDIENCE|ALGORITHM|ALG|REGION|BUCKET|HOST|HOSTNAME|PORT|PATH|VERSION|SCOPE|TYPE|FORMAT|EXPIRY|TTL))\s*(?:\?\?|\|\|)\s*(["'`])(?!(?:changeme|change[_-]?me|placeholder|your[_-]|example|sample|dummy|development|local|todo|replace[_-]?me|https?:\/\/|x{3,}|\*{3,}))[^"'`\n]{8,}\1/i,
+		message: "A secret env var has a hardcoded string fallback: the literal is a committed secret and the app fails open (uses it) when the variable is unset."
+	})
+});
 //#endregion
 //#region src/plugin/rules/react-builtins/self-closing-comp.ts
 const MESSAGE$2 = "This tag has no children, so the closing tag adds noise without changing output.";
@@ -35139,8 +35586,11 @@ const supabaseClientOwnedAuthzField = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/is-supabase-migration-path.ts
+const isSupabaseMigrationPath = (relativePath) => /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+//#endregion
 //#region src/plugin/rules/security-scan/utils/is-sql-path.ts
-const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || /(?:^|\/)supabase\/(?:migrations|schemas)\//.test(relativePath);
+const isSqlPath = (relativePath) => relativePath.endsWith(".sql") || isSupabaseMigrationPath(relativePath);
 const supabaseRlsPolicyRisk = defineRule({
 	id: "supabase-rls-policy-risk",
 	title: "Permissive Supabase RLS policy",
@@ -35158,6 +35608,210 @@ const supabaseRlsPolicyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/utils/sanitize-sql-for-scan.ts
+const DOLLAR_QUOTE_TAG_PATTERN = /^\$[A-Za-z_]?\w*\$/;
+const CODE_BODY_KEYWORDS = new Set([
+	"do",
+	"plpgsql",
+	"sql",
+	"plpython3u",
+	"plpythonu",
+	"plperl",
+	"plperlu",
+	"plv8"
+]);
+const precedingKeyword = (content, beforeIndex) => {
+	let lookBack = beforeIndex - 1;
+	while (lookBack >= 0 && /\s/.test(content[lookBack] ?? "")) lookBack -= 1;
+	let wordStart = lookBack;
+	while (wordStart >= 0 && /[A-Za-z0-9_]/.test(content[wordStart] ?? "")) wordStart -= 1;
+	return content.slice(wordStart + 1, lookBack + 1).toLowerCase();
+};
+const blankCodeBodyInterior = (content, characters, start, end) => {
+	let index = start;
+	let inExecuteStatement = false;
+	while (index < end) {
+		const character = content[index];
+		if (character === ";") {
+			inExecuteStatement = false;
+			index += 1;
+			continue;
+		}
+		if (/[A-Za-z_]/.test(character)) {
+			let wordEnd = index;
+			while (wordEnd < end && /[A-Za-z0-9_]/.test(content[wordEnd] ?? "")) wordEnd += 1;
+			if (content.slice(index, wordEnd).toLowerCase() === "execute") inExecuteStatement = true;
+			index = wordEnd;
+			continue;
+		}
+		if (character === "'") {
+			const keepVisible = inExecuteStatement;
+			if (!keepVisible) characters[index] = " ";
+			index += 1;
+			while (index < end) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						if (!keepVisible) {
+							characters[index] = " ";
+							characters[index + 1] = " ";
+						}
+						index += 2;
+						continue;
+					}
+					if (!keepVisible) characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (!keepVisible && content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < end) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < end && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < end) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+};
+const sanitizeSqlForScan = (content) => {
+	const characters = content.split("");
+	let index = 0;
+	while (index < content.length) {
+		const character = content[index];
+		if (character === "-" && content[index + 1] === "-") {
+			while (index < content.length && content[index] !== "\n") {
+				characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "/" && content[index + 1] === "*") {
+			while (index < content.length) {
+				if (content[index] === "*" && content[index + 1] === "/") {
+					characters[index] = " ";
+					characters[index + 1] = " ";
+					index += 2;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "'") {
+			characters[index] = " ";
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "'") {
+					if (content[index + 1] === "'") {
+						characters[index] = " ";
+						characters[index + 1] = " ";
+						index += 2;
+						continue;
+					}
+					characters[index] = " ";
+					index += 1;
+					break;
+				}
+				if (content[index] !== "\n") characters[index] = " ";
+				index += 1;
+			}
+			continue;
+		}
+		if (character === "$") {
+			const tagMatch = DOLLAR_QUOTE_TAG_PATTERN.exec(content.slice(index));
+			if (tagMatch !== null) {
+				const tag = tagMatch[0];
+				const closeIndex = content.indexOf(tag, index + tag.length);
+				const endIndex = closeIndex < 0 ? content.length : closeIndex + tag.length;
+				const keyword = precedingKeyword(content, index);
+				if (CODE_BODY_KEYWORDS.has(keyword)) blankCodeBodyInterior(content, characters, index + tag.length, endIndex);
+				else for (let blankIndex = index; blankIndex < endIndex; blankIndex += 1) if (content[blankIndex] !== "\n") characters[blankIndex] = " ";
+				index = endIndex;
+				continue;
+			}
+		}
+		if (character === "\"") {
+			index += 1;
+			while (index < content.length) {
+				if (content[index] === "\"") {
+					if (content[index + 1] === "\"") {
+						index += 2;
+						continue;
+					}
+					index += 1;
+					break;
+				}
+				index += 1;
+			}
+			continue;
+		}
+		index += 1;
+	}
+	return characters.join("");
+};
+//#endregion
+//#region src/plugin/rules/security-scan/supabase-table-missing-rls.ts
+const CREATE_PUBLIC_TABLE_PATTERN = /create\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?(?!(?:auth|storage|realtime|vault|extensions|graphql|graphql_public|pgbouncer|net|supabase_functions|supabase_migrations|cron|pgsodium|pgmq|information_schema|pg_catalog|pg_temp|private|internal)\s*\.)(?:public\s*\.\s*)?["`]?([A-Za-z_][\w$]*)["`]?(?:\s*\(|\s+as\b)/gi;
+const enableRlsForTablePattern = (tableName) => new RegExp(`alter\\s+table\\s+(?:if\\s+exists\\s+)?(?:only\\s+)?(?:public\\s*\\.\\s*)?["\`]?${escapeRegExp(tableName)}["\`]?\\s+(?:force\\s+)?enable\\s+row\\s+level\\s+security`, "i");
+const supabaseTableMissingRls = defineRule({
+	id: "supabase-table-missing-rls",
+	title: "Supabase table created without Row Level Security",
+	severity: "error",
+	recommendation: "Enable RLS in the same migration (`alter table <name> enable row level security;`) and add `auth.uid()`-scoped policies for select/insert/update/delete. A public table without RLS is fully readable and writable with the public anon key.",
+	scan: (file) => {
+		if (!isSupabaseMigrationPath(file.relativePath)) return [];
+		const content = sanitizeSqlForScan(file.content);
+		if (!/create\s+(?:unlogged\s+)?table/i.test(content)) return [];
+		const findings = [];
+		CREATE_PUBLIC_TABLE_PATTERN.lastIndex = 0;
+		for (let match = CREATE_PUBLIC_TABLE_PATTERN.exec(content); match !== null; match = CREATE_PUBLIC_TABLE_PATTERN.exec(content)) {
+			const tableName = match[1];
+			if (tableName === void 0) continue;
+			if (enableRlsForTablePattern(tableName).test(content.slice(match.index))) continue;
+			const location = getLocationAtIndex(content, match.index);
+			findings.push({
+				message: "Supabase migration creates a public table but never enables Row Level Security, leaving every row exposed to the anon key.",
+				line: location.line,
+				column: location.column
+			});
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/svg-filter-clickjacking-risk.ts
 const svgFilterClickjackingRisk = defineRule({
 	id: "svg-filter-clickjacking-risk",
@@ -35856,6 +36510,47 @@ const tenantStaticProxyRisk = defineRule({
 	})
 });
 //#endregion
+//#region src/plugin/rules/security-scan/unsafe-json-in-html.ts
+const SINK_JSON_STRINGIFY_PATTERNS = [/dangerouslySetInnerHTML\s*=\s*\{\{\s*__html\s*:[\s\S]{0,300}?\bJSON\.stringify\s*\(/gi, /<script\b[^>]*>(?:(?!<\/script>)[\s\S]){0,300}?\bJSON\.stringify\s*\(/gi];
+const RETURN_ESCAPE_PATTERN = /^[\s)]*\.replace\s*\([^)]*(?:\\u003[cC]|&lt;|<)/;
+const ESCAPE_WRAPPER_PATTERN = /(?:\b(?:escapeHtml|escapeJSON|escapeJson|htmlEscape|jsesc)|(?<![.\w])(?:serialize|serializeJavascript|devalue|uneval|superjson))\s*\(\s*$/i;
+const JSON_STRINGIFY_TOKEN_PATTERN = /\bJSON\.stringify\s*\($/i;
+const RETURN_LOOKAHEAD_CHARS = 160;
+const unsafeJsonInHtml = defineRule({
+	id: "unsafe-json-in-html",
+	title: "Unescaped JSON in HTML or script sink",
+	severity: "warn",
+	recommendation: "JSON.stringify does not HTML-escape, so a `<\/script>` (or `<`) in the data breaks out and becomes XSS. Use an HTML-safe serializer (serialize-javascript, devalue) or escape `<`, `>`, and `&`, or pass data via a JSON `<script type=\"application/json\">` read with JSON.parse.",
+	scan: (file) => {
+		if (!isProductionSourcePath(file.relativePath)) return [];
+		const content = getScannableContent(file);
+		if (!content.includes("JSON.stringify")) return [];
+		const findings = [];
+		const seenIndices = /* @__PURE__ */ new Set();
+		for (const pattern of SINK_JSON_STRINGIFY_PATTERNS) {
+			pattern.lastIndex = 0;
+			for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+				const beforeStringify = match[0].replace(JSON_STRINGIFY_TOKEN_PATTERN, "");
+				if (ESCAPE_WRAPPER_PATTERN.test(beforeStringify)) continue;
+				const closeParenIndex = findMatchingBracket(content, match.index + match[0].length - 1);
+				if (closeParenIndex >= 0) {
+					const afterReturn = content.slice(closeParenIndex + 1, closeParenIndex + 1 + RETURN_LOOKAHEAD_CHARS);
+					if (RETURN_ESCAPE_PATTERN.test(afterReturn)) continue;
+				}
+				if (seenIndices.has(match.index)) continue;
+				seenIndices.add(match.index);
+				const location = getLocationAtIndex(content, match.index);
+				findings.push({
+					message: "JSON.stringify is embedded in HTML/script markup without HTML-escaping; data containing `<\/script>` or `<` breaks out and becomes XSS.",
+					line: location.line,
+					column: location.column
+				});
+			}
+		}
+		return findings;
+	}
+});
+//#endregion
 //#region src/plugin/rules/security-scan/untrusted-redirect-following.ts
 const OUTBOUND_FETCH_CALL_PATTERN = /(?:(?<![.\w$])fetch|\baxios\.\s*(?:get|post|put|delete|head)|\bgot|\bgot\.\s*(?:get|post))\s*\(\s*([^,)]+)/;
 const CALLER_STYLE_URL_NAME_PATTERN = /\b(?:url|targetUrl|callbackUrl|redirectUrl|webhookUrl|companyUrl|websiteUrl|domainUrl|imageUrl|fetchUrl|next|return_to|returnTo|destination|location)\b/i;
@@ -36003,7 +36698,7 @@ const voidDomElementsNoChildren = defineRule({
 //#region src/plugin/rules/security-scan/webhook-signature-risk.ts
 const WEBHOOK_HANDLER_PATTERN = /(?:^|\/)[^/]*webhook[^/]*\/|(?:^|\/)[^/]*webhook[^/]*\.[cm]?[jt]s$|\bwebhook\b/i;
 const WEBHOOK_ENTRYPOINT_PATTERN = /\b(?:export\s+(?:async\s+)?function\s+POST|export\s+const\s+(?:POST|handler|webhook)|webhookHandler|webhookRoute)\b/i;
-const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = /verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/i;
+const WEBHOOK_SIGNATURE_VERIFICATION_PATTERN = new RegExp(`${/verifySignature|verify.*signature|verify\w*(?:Webhook|Auth)|constructEvent|createHmac|timingSafeEqual|svix|webhookSecret|stripe\.webhooks|["'][\w-]*signature["']/.source}|${/\b[A-Za-z]{0,40}(?:verif|valid|check|assert|authenticat|compare|guard)[A-Za-z]{0,40}(?:secret|signature|hmac|webhook|digest)[A-Za-z]{0,40}\s*\(/.source}`, "i");
 const OUTBOUND_WEBHOOK_URL_MENTION_PATTERN = /webhook[\s_-]?ur[il]\w*/gi;
 const OUTBOUND_WEBHOOK_CONFIG_PATTERN = /process\.env\.\w*WEBHOOK_URL|\b(?:send|post|dispatch|publish|notify)\w*Webhook/;
 const REQUEST_READ_PATTERN = /\b(?:req|request)\b/;
@@ -36663,6 +37358,17 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/auth-token-in-web-storage",
+		id: "auth-token-in-web-storage",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...authTokenInWebStorage,
+			framework: "global",
+			category: "Security"
+		}
+	},
 	{
 		key: "react-doctor/autocomplete-valid",
 		id: "autocomplete-valid",
@@ -36879,6 +37585,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noVagueButtonLabel.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/dialog-has-accessible-name",
+		id: "dialog-has-accessible-name",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...dialogHasAccessibleName,
+			framework: "global",
+			category: "Accessibility",
+			requires: [...new Set(["react", ...dialogHasAccessibleName.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/display-name",
 		id: "display-name",
@@ -37164,6 +37882,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...insecureCryptoRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/insecure-session-cookie",
+		id: "insecure-session-cookie",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...insecureSessionCookie,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...insecureSessionCookie.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/interactive-supports-focus",
 		id: "interactive-supports-focus",
@@ -37606,6 +38336,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...jsxPropsNoSpreading.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/jwt-insecure-verification",
+		id: "jwt-insecure-verification",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...jwtInsecureVerification,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...jwtInsecureVerification.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/key-lifecycle-risk",
 		id: "key-lifecycle-risk",
@@ -38014,6 +38756,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noArrayIndexKey.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-async-effect-callback",
+		id: "no-async-effect-callback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noAsyncEffectCallback,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noAsyncEffectCallback.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-autofocus",
 		id: "no-autofocus",
@@ -38037,6 +38791,18 @@ const reactDoctorRules = [
 			category: "Performance"
 		}
 	},
+	{
+		key: "react-doctor/no-call-component-as-function",
+		id: "no-call-component-as-function",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCallComponentAsFunction,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCallComponentAsFunction.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-cascading-set-state",
 		id: "no-cascading-set-state",
@@ -38097,6 +38863,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noCreateContextInRender.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-create-ref-in-function-component",
+		id: "no-create-ref-in-function-component",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noCreateRefInFunctionComponent,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noCreateRefInFunctionComponent.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-create-store-in-render",
 		id: "no-create-store-in-render",
@@ -38471,6 +39249,18 @@ const reactDoctorRules = [
 			category: "Accessibility"
 		}
 	},
+	{
+		key: "react-doctor/no-img-lazy-with-high-fetchpriority",
+		id: "no-img-lazy-with-high-fetchpriority",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noImgLazyWithHighFetchpriority,
+			framework: "global",
+			category: "Performance",
+			requires: [...new Set(["react", ...noImgLazyWithHighFetchpriority.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-initialize-state",
 		id: "no-initialize-state",
@@ -38541,6 +39331,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noIsMounted.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-json-parse-stringify-clone",
+		id: "no-json-parse-stringify-clone",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noJsonParseStringifyClone,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-jsx-element-type",
 		id: "no-jsx-element-type",
@@ -39756,6 +40557,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...repositorySecretFile.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/request-body-mass-assignment",
+		id: "request-body-mass-assignment",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...requestBodyMassAssignment,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...requestBodyMassAssignment.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/require-render-return",
 		id: "require-render-return",
@@ -40344,6 +41157,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...scope.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/secret-in-fallback",
+		id: "secret-in-fallback",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...secretInFallback,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...secretInFallback.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/self-closing-comp",
 		id: "self-closing-comp",
@@ -40500,6 +41325,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...supabaseRlsPolicyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/supabase-table-missing-rls",
+		id: "supabase-table-missing-rls",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...supabaseTableMissingRls,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...supabaseTableMissingRls.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/svg-filter-clickjacking-risk",
 		id: "svg-filter-clickjacking-risk",
@@ -40690,6 +41527,18 @@ const reactDoctorRules = [
 			tags: [...new Set(["security-scan", ...tenantStaticProxyRisk.tags ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/unsafe-json-in-html",
+		id: "unsafe-json-in-html",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...unsafeJsonInHtml,
+			framework: "global",
+			category: "Security",
+			tags: [...new Set(["security-scan", ...unsafeJsonInHtml.tags ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/untrusted-redirect-following",
 		id: "untrusted-redirect-following",