oxlint-plugin-react-doctor 0.5.6-dev.b08ca1c → 0.5.6-dev.b317164

package/dist/index.js

@@ -890,24 +890,64 @@ const advancedEventHandlerRefs = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/security-scan/utils/strip-comments-preserving-positions.ts
-const stripCommentsPreservingPositions = (content) => {
+const WHITESPACE_PATTERN = /\s/;
+const quotedLiteralHasWhitespace = (content, openQuoteIndex, delimiter) => {
+	for (let cursor = openQuoteIndex + 1; cursor < content.length; cursor += 1) {
+		const character = content[cursor];
+		if (character === "\\") {
+			cursor += 1;
+			continue;
+		}
+		if (character === delimiter) return false;
+		if (WHITESPACE_PATTERN.test(character)) return true;
+	}
+	return false;
+};
+const blankNonCodePreservingPositions = (content, blankStringContents) => {
 	const characters = content.split("");
 	let stringDelimiter = null;
+	let isBlankingString = false;
+	const templateExpressionDepths = [];
 	let index = 0;
+	const blankUnlessNewline = (offset) => {
+		if (offset < content.length && content[offset] !== "\n") characters[offset] = " ";
+	};
 	while (index < content.length) {
 		const character = content[index];
 		const nextCharacter = content[index + 1];
 		if (stringDelimiter !== null) {
 			if (character === "\\") {
+				if (isBlankingString) {
+					blankUnlessNewline(index);
+					blankUnlessNewline(index + 1);
+				}
 				index += 2;
 				continue;
 			}
-			if (character === stringDelimiter) stringDelimiter = null;
+			if (character === stringDelimiter) {
+				stringDelimiter = null;
+				index += 1;
+				continue;
+			}
+			if (blankStringContents && stringDelimiter === "`" && character === "$" && nextCharacter === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				index += 2;
+				continue;
+			}
+			if (isBlankingString) blankUnlessNewline(index);
 			index += 1;
 			continue;
 		}
-		if (character === "\"" || character === "'" || character === "`") {
+		if (character === "\"" || character === "'") {
 			stringDelimiter = character;
+			isBlankingString = blankStringContents && quotedLiteralHasWhitespace(content, index, character);
+			index += 1;
+			continue;
+		}
+		if (character === "`") {
+			stringDelimiter = "`";
+			isBlankingString = blankStringContents;
 			index += 1;
 			continue;
 		}
@@ -926,29 +966,42 @@ const stripCommentsPreservingPositions = (content) => {
 					index += 2;
 					break;
 				}
-				if (content[index] !== "\n") characters[index] = " ";
+				blankUnlessNewline(index);
 				index += 1;
 			}
 			continue;
 		}
+		if (templateExpressionDepths.length > 0) {
+			const innermost = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[innermost] += 1;
+			else if (character === "}") if (templateExpressionDepths[innermost] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+				isBlankingString = blankStringContents;
+			} else templateExpressionDepths[innermost] -= 1;
+		}
 		index += 1;
 	}
 	return characters.join("");
 };
+const stripCommentsPreservingPositions = (content) => blankNonCodePreservingPositions(content, false);
+const stripCommentsAndStringLiteralsPreservingPositions = (content) => blankNonCodePreservingPositions(content, true);
 //#endregion
 //#region src/plugin/rules/security-scan/utils/scan-by-pattern.ts
 const strippedContentCache = /* @__PURE__ */ new WeakMap();
-const getScannableContent = (file) => {
+const stringStrippedContentCache = /* @__PURE__ */ new WeakMap();
+const getScannableContent = (file, ignoreStringLiterals = false) => {
 	if (!SOURCE_FILE_PATTERN.test(file.relativePath)) return file.content;
-	const cachedContent = strippedContentCache.get(file);
+	const cache = ignoreStringLiterals ? stringStrippedContentCache : strippedContentCache;
+	const cachedContent = cache.get(file);
 	if (cachedContent !== void 0) return cachedContent;
-	const strippedContent = stripCommentsPreservingPositions(file.content);
-	strippedContentCache.set(file, strippedContent);
+	const strippedContent = ignoreStringLiterals ? stripCommentsAndStringLiteralsPreservingPositions(file.content) : stripCommentsPreservingPositions(file.content);
+	cache.set(file, strippedContent);
 	return strippedContent;
 };
-const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, message }) => (file) => {
+const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, ignoreStringLiterals, message }) => (file) => {
 	if (!shouldScan(file)) return [];
-	const content = getScannableContent(file);
+	const content = getScannableContent(file, ignoreStringLiterals);
 	if (requireAll !== void 0 && !requireAll.every((gate) => gate.test(content))) return [];
 	const matchedPattern = (pattern instanceof RegExp ? [pattern] : pattern).find((candidate) => candidate.test(content));
 	if (matchedPattern === void 0) return [];
@@ -973,6 +1026,7 @@ const agentToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath) && AGENT_TOOL_CONTEXT_PATH_PATTERN.test(file.relativePath),
 		pattern: AGENT_TOOL_DEFINITION_PATTERN,
 		requireAll: [AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An agent-callable tool appears to expose network, filesystem, shell, or code-execution capability."
 	})
 });
@@ -1861,7 +1915,7 @@ const anchorAmbiguousText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/anchor-has-content.ts
-const MESSAGE$57 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$59 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
 const anchorHasContent = defineRule({
 	id: "anchor-has-content",
 	title: "Anchor has no content",
@@ -1877,7 +1931,7 @@ const anchorHasContent = defineRule({
 		for (const attribute of ["title", "aria-label"]) if (hasJsxPropIgnoreCase(opening.attributes, attribute)) return;
 		context.report({
 			node: opening.name,
-			message: MESSAGE$57
+			message: MESSAGE$59
 		});
 	} })
 });
@@ -2271,7 +2325,7 @@ const parseJsxValue = (value) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/aria-activedescendant-has-tabindex.ts
-const MESSAGE$56 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
+const MESSAGE$58 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
 const ariaActivedescendantHasTabindex = defineRule({
 	id: "aria-activedescendant-has-tabindex",
 	title: "aria-activedescendant missing tabindex",
@@ -2289,14 +2343,14 @@ const ariaActivedescendantHasTabindex = defineRule({
 			if (tabIndexValue === null || tabIndexValue >= -1) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$56
+				message: MESSAGE$58
 			});
 			return;
 		}
 		if (isInteractiveElement(tag, node)) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$56
+			message: MESSAGE$58
 		});
 	} })
 });
@@ -3085,7 +3139,7 @@ const artifactBaasAuthoritySurface = defineRule({
 	scan: scanByPattern({
 		shouldScan: (file) => isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle),
 		pattern: /\b(?:collection\s*\(\s*["'](?:boosts|sessions|sessions_admin|users|orgs|candidateJobs|conversations|documents|profiles)|from\s*\(\s*["'](?:users|profiles|documents|organizations|memberships)|creatorID|creatorId|providerId|ghostOrg|ownerId|orgId|tenantId|workspaceId|role|roles|isAdmin|SuperAdmin)\b/i,
-		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore|createClient)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket|supabase|SUPABASE_URL)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b/i],
+		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b|\bcreateClient\b[\s\S]{0,700}\b(?:supabase|SUPABASE_URL)\b|\b(?:supabase|SUPABASE_URL)\b[\s\S]{0,700}\bcreateClient\b/i],
 		message: "A browser artifact exposes Firebase/Supabase config together with sensitive collections or authorization fields."
 	})
 });
@@ -4272,7 +4326,7 @@ const asyncParallel = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/security/auth-token-in-web-storage.ts
-const MESSAGE$55 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
+const MESSAGE$57 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
 const STORAGE_NAMES = new Set(["localStorage", "sessionStorage"]);
 const STORAGE_GLOBALS = new Set([
 	"window",
@@ -4306,7 +4360,7 @@ const authTokenInWebStorage = defineRule({
 			if (!SENSITIVE_KEY_PATTERN.test(keyArgument.value)) return;
 			context.report({
 				node,
-				message: MESSAGE$55
+				message: MESSAGE$57
 			});
 		},
 		AssignmentExpression(node) {
@@ -4317,7 +4371,7 @@ const authTokenInWebStorage = defineRule({
 			if (!propertyName || !SENSITIVE_KEY_PATTERN.test(propertyName)) return;
 			context.report({
 				node: target,
-				message: MESSAGE$55
+				message: MESSAGE$57
 			});
 		}
 	})
@@ -4694,7 +4748,7 @@ const isPureEventBlockerHandler = (attribute) => {
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
 const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
-const MESSAGE$54 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
+const MESSAGE$56 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
 	"onKeyDown",
@@ -4726,7 +4780,7 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$54
+				message: MESSAGE$56
 			});
 		} };
 	}
@@ -4841,7 +4895,7 @@ const isReactComponentName = (name) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/control-has-associated-label.ts
-const MESSAGE$53 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$55 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_IGNORE_ELEMENTS = ["link", "canvas"];
 const DEFAULT_LABELLING_PROPS = [
 	"alt",
@@ -5002,7 +5056,7 @@ const controlHasAssociatedLabel = defineRule({
 			for (const child of node.children) if (checkChildForLabel(child, 1, checkContext)) return;
 			context.report({
 				node: opening,
-				message: MESSAGE$53
+				message: MESSAGE$55
 			});
 		} };
 	}
@@ -5432,7 +5486,7 @@ const noVagueButtonLabel = defineRule({
 const hasJsxSpreadAttribute$1 = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
 //#endregion
 //#region src/plugin/rules/a11y/dialog-has-accessible-name.ts
-const MESSAGE$52 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
+const MESSAGE$54 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
 const DIALOG_ROLES = new Set(["dialog", "alertdialog"]);
 const NAME_PROVIDING_ATTRIBUTES = [
 	"aria-label",
@@ -5455,7 +5509,7 @@ const dialogHasAccessibleName = defineRule({
 		if (NAME_PROVIDING_ATTRIBUTES.some((attribute) => hasJsxPropIgnoreCase(node.attributes, attribute))) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$52
+			message: MESSAGE$54
 		});
 	} })
 });
@@ -5494,7 +5548,7 @@ const isEs6Component = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/display-name.ts
-const MESSAGE$51 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
+const MESSAGE$53 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
 const DEFAULT_ADDITIONAL_HOCS = [
 	"observer",
 	"lazy",
@@ -5697,7 +5751,7 @@ const displayName = defineRule({
 		const reportAt = (node) => {
 			context.report({
 				node,
-				message: MESSAGE$51
+				message: MESSAGE$53
 			});
 		};
 		return {
@@ -7845,7 +7899,7 @@ const forbidElements = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/forward-ref-uses-ref.ts
-const MESSAGE$50 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
+const MESSAGE$52 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
 const forwardRefUsesRef = defineRule({
 	id: "forward-ref-uses-ref",
 	title: "forwardRef without ref parameter",
@@ -7865,7 +7919,7 @@ const forwardRefUsesRef = defineRule({
 		if (isNodeOfType(onlyParam, "RestElement")) return;
 		context.report({
 			node: inner,
-			message: MESSAGE$50
+			message: MESSAGE$52
 		});
 	} })
 });
@@ -7902,7 +7956,7 @@ const gitProviderUrlInjectionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
-const MESSAGE$49 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$51 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
 	"h1",
 	"h2",
@@ -7935,7 +7989,7 @@ const headingHasContent = defineRule({
 			if (isHiddenFromScreenReader(node, context.settings)) return;
 			context.report({
 				node,
-				message: MESSAGE$49
+				message: MESSAGE$51
 			});
 		} };
 	}
@@ -8073,7 +8127,7 @@ const hooksNoNanInDeps = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/html-has-lang.ts
-const MESSAGE$48 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
+const MESSAGE$50 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
 const resolveSettings$38 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { htmlTags: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.htmlHasLang ?? {} : {}).htmlTags ?? ["html"] };
@@ -8121,7 +8175,7 @@ const htmlHasLang = defineRule({
 			if (!lang) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$48
+					message: MESSAGE$50
 				});
 				return;
 			}
@@ -8129,13 +8183,13 @@ const htmlHasLang = defineRule({
 			if (verdict === "missing" || verdict === "empty") {
 				context.report({
 					node: lang,
-					message: MESSAGE$48
+					message: MESSAGE$50
 				});
 				return;
 			}
 			if (hasSpread && !lang) context.report({
 				node: node.name,
-				message: MESSAGE$48
+				message: MESSAGE$50
 			});
 		} };
 	}
@@ -8349,7 +8403,7 @@ const htmlNoNestedInteractive = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/iframe-has-title.ts
-const MESSAGE$47 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
+const MESSAGE$49 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
 const evaluateTitleValue = (value) => {
 	if (!value) return "missing";
 	if (isNodeOfType(value, "Literal")) {
@@ -8389,14 +8443,14 @@ const iframeHasTitle = defineRule({
 		if (!titleAttr) {
 			if (hasSpread || tag === "iframe") context.report({
 				node: node.name,
-				message: MESSAGE$47
+				message: MESSAGE$49
 			});
 			return;
 		}
 		const verdict = evaluateTitleValue(titleAttr.value);
 		if (verdict === "missing" || verdict === "empty") context.report({
 			node: titleAttr,
-			message: MESSAGE$47
+			message: MESSAGE$49
 		});
 	} })
 });
@@ -8500,7 +8554,7 @@ const iframeMissingSandbox = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/img-redundant-alt.ts
-const MESSAGE$46 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
+const MESSAGE$48 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
 const DEFAULT_COMPONENTS = ["img"];
 const DEFAULT_REDUNDANT_WORDS = [
 	"image",
@@ -8565,7 +8619,7 @@ const imgRedundantAlt = defineRule({
 			if (!altAttribute) return;
 			if (altValueRedundant(altAttribute, settings.words)) context.report({
 				node: altAttribute,
-				message: MESSAGE$46
+				message: MESSAGE$48
 			});
 		} };
 	}
@@ -10922,7 +10976,7 @@ const jsxMaxDepth = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-comment-textnodes.ts
-const MESSAGE$45 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
+const MESSAGE$47 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
 const LITERAL_TEXT_TAGS = new Set([
 	"code",
 	"pre",
@@ -10958,7 +11012,7 @@ const jsxNoCommentTextnodes = defineRule({
 		if (isInsideLiteralTextTag(node)) return;
 		context.report({
 			node,
-			message: MESSAGE$45
+			message: MESSAGE$47
 		});
 	} })
 });
@@ -10989,7 +11043,7 @@ const isInsideFunctionScope = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-constructed-context-values.ts
-const MESSAGE$44 = "Every reader of this context redraws on each render because you build its `value` inline.";
+const MESSAGE$46 = "Every reader of this context redraws on each render because you build its `value` inline.";
 const CONTEXT_MODULES$1 = [
 	"react",
 	"use-context-selector",
@@ -11087,7 +11141,7 @@ const jsxNoConstructedContextValues = defineRule({
 					if (!isConstructedValue(innerExpression)) continue;
 					context.report({
 						node: attribute,
-						message: MESSAGE$44
+						message: MESSAGE$46
 					});
 				}
 			}
@@ -11173,7 +11227,7 @@ const isJsxAttributeOnIntrinsicHtmlElement = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts
-const MESSAGE$43 = "This child redraws every render because the prop gets brand new JSX each time.";
+const MESSAGE$45 = "This child redraws every render because the prop gets brand new JSX each time.";
 const KNOWN_SLOT_PROP_NAMES = new Set([
 	"icon",
 	"Icon",
@@ -11442,7 +11496,7 @@ const jsxNoJsxAsProp = defineRule({
 				if (!isJsxProducingExpression(expressionNode) && !followsRenderLocalJsxBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$43
+					message: MESSAGE$45
 				});
 			}
 		};
@@ -11730,7 +11784,7 @@ const DATA_ARRAY_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts
-const MESSAGE$42 = "This child redraws every render because the prop gets a brand new array each time.";
+const MESSAGE$44 = "This child redraws every render because the prop gets a brand new array each time.";
 const isDataArrayPropName = (propName) => {
 	if (DATA_ARRAY_PROP_NAMES.has(propName)) return true;
 	for (const suffix of DATA_ARRAY_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -11814,7 +11868,7 @@ const jsxNoNewArrayAsProp = defineRule({
 				if (!isArrayProducingExpression(expressionNode) && !followsRenderLocalArrayBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$42
+					message: MESSAGE$44
 				});
 			}
 		};
@@ -12072,7 +12126,7 @@ const SAFE_RECEIVER_NAMES = new Set([
 ]);
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts
-const MESSAGE$41 = "This child redraws every render because the prop gets a brand new function each time.";
+const MESSAGE$43 = "This child redraws every render because the prop gets a brand new function each time.";
 const isAccessorPredicateName = (propName) => {
 	for (const prefix of ACCESSOR_PREDICATE_PREFIXES) {
 		if (propName.length <= prefix.length) continue;
@@ -12278,7 +12332,7 @@ const jsxNoNewFunctionAsProp = defineRule({
 				if (!isFunctionProducingExpression(expressionNode) && !followsRenderLocalFunctionBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$41
+					message: MESSAGE$43
 				});
 			}
 		};
@@ -12498,7 +12552,7 @@ const CONFIG_OBJECT_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts
-const MESSAGE$40 = "This child redraws every render because the prop gets a brand new object each time.";
+const MESSAGE$42 = "This child redraws every render because the prop gets a brand new object each time.";
 const isConfigObjectPropName = (propName) => {
 	if (CONFIG_OBJECT_PROP_NAMES.has(propName)) return true;
 	for (const suffix of CONFIG_OBJECT_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -12586,7 +12640,7 @@ const jsxNoNewObjectAsProp = defineRule({
 				if (!isObjectProducingExpression(expressionNode) && !followsRenderLocalObjectBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$40
+					message: MESSAGE$42
 				});
 			}
 		};
@@ -12594,7 +12648,7 @@ const jsxNoNewObjectAsProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-script-url.ts
-const MESSAGE$39 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
+const MESSAGE$41 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
 const JAVASCRIPT_URL_PATTERN = /j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;
 const resolveSettings$28 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
@@ -12635,7 +12689,7 @@ const jsxNoScriptUrl = defineRule({
 				if (!value || !isNodeOfType(value, "Literal") || typeof value.value !== "string") continue;
 				if (JAVASCRIPT_URL_PATTERN.test(value.value)) context.report({
 					node: attribute,
-					message: MESSAGE$39
+					message: MESSAGE$41
 				});
 			}
 		} };
@@ -12950,7 +13004,7 @@ const jsxPropsNoSpreadMulti = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-props-no-spreading.ts
-const MESSAGE$38 = "You can't tell what props reach this element when you spread them.";
+const MESSAGE$40 = "You can't tell what props reach this element when you spread them.";
 const resolveSettings$25 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.jsxPropsNoSpreading ?? {} : {};
@@ -12991,7 +13045,7 @@ const jsxPropsNoSpreading = defineRule({
 				}
 				context.report({
 					node: attribute,
-					message: MESSAGE$38
+					message: MESSAGE$40
 				});
 			}
 		} };
@@ -13219,7 +13273,7 @@ const labelHasAssociatedControl = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/lang.ts
-const MESSAGE$37 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
+const MESSAGE$39 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
 const COMMON_LANGUAGE_PRIMARY_TAGS = new Set([
 	"aa",
 	"ab",
@@ -13431,7 +13485,7 @@ const lang = defineRule({
 			if (expression.type === "Identifier" && expression.name === "undefined" || expression.type === "Literal" && expression.value === null) {
 				context.report({
 					node: langAttr,
-					message: MESSAGE$37
+					message: MESSAGE$39
 				});
 				return;
 			}
@@ -13440,7 +13494,7 @@ const lang = defineRule({
 		if (value === null) return;
 		if (!isValidLangTag(value)) context.report({
 			node: langAttr,
-			message: MESSAGE$37
+			message: MESSAGE$39
 		});
 	} })
 });
@@ -13466,6 +13520,7 @@ const mcpToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath),
 		pattern: /\bserver\.\s*tool\s*\(|\bregisterTool\s*\(|\bsetRequestHandler\s*\(\s*CallToolRequestSchema/,
 		requireAll: [/\bfrom\s+["']@modelcontextprotocol\/sdk[^"']*["']|\bMcpServer\b|\bMcpAgent\b/, AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An MCP tool/resource/prompt handler appears to expose file, shell, network, or code-execution capability."
 	})
 });
@@ -13484,7 +13539,7 @@ const mdxSsrExecutionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
-const MESSAGE$36 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
+const MESSAGE$38 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
 const DEFAULT_VIDEO = ["video"];
 const DEFAULT_TRACK = ["track"];
@@ -13525,7 +13580,7 @@ const mediaHasCaption = defineRule({
 			if (!parent || !isNodeOfType(parent, "JSXElement")) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$36
+					message: MESSAGE$38
 				});
 				return;
 			}
@@ -13542,7 +13597,7 @@ const mediaHasCaption = defineRule({
 				return kindValue.value.toLowerCase() === "captions";
 			})) context.report({
 				node: node.name,
-				message: MESSAGE$36
+				message: MESSAGE$38
 			});
 		} };
 	}
@@ -15343,7 +15398,7 @@ const nextjsNoVercelOgImport = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-access-key.ts
-const MESSAGE$35 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
+const MESSAGE$37 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
 const isUndefinedIdentifier = (expression) => isNodeOfType(expression, "Identifier") && expression.name === "undefined";
 const noAccessKey = defineRule({
 	id: "no-access-key",
@@ -15360,7 +15415,7 @@ const noAccessKey = defineRule({
 		if (isNodeOfType(attributeValue, "Literal") && typeof attributeValue.value === "string") {
 			context.report({
 				node: accessKey,
-				message: MESSAGE$35
+				message: MESSAGE$37
 			});
 			return;
 		}
@@ -15370,7 +15425,7 @@ const noAccessKey = defineRule({
 			if (isUndefinedIdentifier(expression)) return;
 			context.report({
 				node: accessKey,
-				message: MESSAGE$35
+				message: MESSAGE$37
 			});
 		}
 	} })
@@ -15853,7 +15908,7 @@ const noAdjustStateOnPropChange = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-aria-hidden-on-focusable.ts
-const MESSAGE$34 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
+const MESSAGE$36 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
 const noAriaHiddenOnFocusable = defineRule({
 	id: "no-aria-hidden-on-focusable",
 	title: "aria-hidden on focusable element",
@@ -15880,7 +15935,7 @@ const noAriaHiddenOnFocusable = defineRule({
 		const isImplicitlyFocusable = isInteractiveElement(tag, node);
 		if (isExplicitlyFocusable || isImplicitlyFocusable) context.report({
 			node: ariaHidden,
-			message: MESSAGE$34
+			message: MESSAGE$36
 		});
 	} })
 });
@@ -16248,7 +16303,7 @@ const noArrayIndexAsKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-array-index-key.ts
-const MESSAGE$33 = "Your users can see & submit the wrong data when this list reorders.";
+const MESSAGE$35 = "Your users can see & submit the wrong data when this list reorders.";
 const SECOND_INDEX_METHODS = new Set([
 	"every",
 	"filter",
@@ -16452,7 +16507,7 @@ const noArrayIndexKey = defineRule({
 			}
 			context.report({
 				node: keyAttribute,
-				message: MESSAGE$33
+				message: MESSAGE$35
 			});
 		},
 		CallExpression(node) {
@@ -16472,7 +16527,7 @@ const noArrayIndexKey = defineRule({
 				if (propName !== "key") continue;
 				if (expressionUsesIndex(property.value, indexBinding.name)) context.report({
 					node: property,
-					message: MESSAGE$33
+					message: MESSAGE$35
 				});
 			}
 		}
@@ -16480,7 +16535,7 @@ const noArrayIndexKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-async-effect-callback.ts
-const MESSAGE$32 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
+const MESSAGE$34 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
 const noAsyncEffectCallback = defineRule({
 	id: "no-async-effect-callback",
 	title: "Async effect callback",
@@ -16494,13 +16549,13 @@ const noAsyncEffectCallback = defineRule({
 		if (!callback.async) return;
 		context.report({
 			node: callback,
-			message: MESSAGE$32
+			message: MESSAGE$34
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-autofocus.ts
-const MESSAGE$31 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
+const MESSAGE$33 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
 const resolveSettings$21 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreNonDOM: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noAutofocus ?? {} : {}).ignoreNonDOM ?? true };
@@ -16556,7 +16611,7 @@ const noAutofocus = defineRule({
 			}
 			context.report({
 				node: autoFocusAttribute,
-				message: MESSAGE$31
+				message: MESSAGE$33
 			});
 		} };
 	}
@@ -17060,7 +17115,7 @@ const noChainStateUpdates = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-children-prop.ts
-const MESSAGE$30 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
+const MESSAGE$32 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
 const noChildrenProp = defineRule({
 	id: "no-children-prop",
 	title: "Children passed as a prop",
@@ -17072,7 +17127,7 @@ const noChildrenProp = defineRule({
 			if (node.name.name !== "children") return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$30
+				message: MESSAGE$32
 			});
 		},
 		CallExpression(node) {
@@ -17085,7 +17140,7 @@ const noChildrenProp = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "children" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "children") context.report({
 					node: propertyKey,
-					message: MESSAGE$30
+					message: MESSAGE$32
 				});
 			}
 		}
@@ -17093,7 +17148,7 @@ const noChildrenProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-clone-element.ts
-const MESSAGE$29 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
+const MESSAGE$31 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
 const noCloneElement = defineRule({
 	id: "no-clone-element",
 	title: "cloneElement makes child props fragile",
@@ -17106,7 +17161,7 @@ const noCloneElement = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "cloneElement") {
 			if (isImportedFromModule(node, "cloneElement", "react")) context.report({
 				node: callee,
-				message: MESSAGE$29
+				message: MESSAGE$31
 			});
 			return;
 		}
@@ -17119,7 +17174,7 @@ const noCloneElement = defineRule({
 			if (!isImportedFromModule(node, callee.object.name, "react")) return;
 			context.report({
 				node: callee,
-				message: MESSAGE$29
+				message: MESSAGE$31
 			});
 		}
 	} })
@@ -17168,7 +17223,7 @@ const enclosingComponentOrHookName = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-create-context-in-render.ts
-const MESSAGE$28 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
+const MESSAGE$30 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
 const CONTEXT_MODULES = [
 	"react",
 	"use-context-selector",
@@ -17204,13 +17259,13 @@ const noCreateContextInRender = defineRule({
 		if (!componentOrHookName) return;
 		context.report({
 			node,
-			message: `${MESSAGE$28} (called inside "${componentOrHookName}")`
+			message: `${MESSAGE$30} (called inside "${componentOrHookName}")`
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-create-ref-in-function-component.ts
-const MESSAGE$27 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
+const MESSAGE$29 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
 const noCreateRefInFunctionComponent = defineRule({
 	id: "no-create-ref-in-function-component",
 	title: "createRef in function component",
@@ -17229,7 +17284,7 @@ const noCreateRefInFunctionComponent = defineRule({
 		if (!(isReactHookName(displayName) || functionContainsReactRenderOutput(enclosingFunction, context.scopes))) return;
 		context.report({
 			node,
-			message: MESSAGE$27
+			message: MESSAGE$29
 		});
 	} })
 });
@@ -17369,7 +17424,7 @@ const noCreateStoreInRender = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger.ts
-const MESSAGE$26 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
+const MESSAGE$28 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
 const noDanger = defineRule({
 	id: "no-danger",
 	title: "Raw HTML injection can run unsafe markup",
@@ -17382,7 +17437,7 @@ const noDanger = defineRule({
 			if (!propAttribute) return;
 			context.report({
 				node: propAttribute.name,
-				message: MESSAGE$26
+				message: MESSAGE$28
 			});
 		},
 		CallExpression(node) {
@@ -17394,7 +17449,7 @@ const noDanger = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "dangerouslySetInnerHTML" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "dangerouslySetInnerHTML") context.report({
 					node: propertyKey,
-					message: MESSAGE$26
+					message: MESSAGE$28
 				});
 			}
 		}
@@ -17402,7 +17457,7 @@ const noDanger = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger-with-children.ts
-const MESSAGE$25 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
+const MESSAGE$27 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
 const isLineBreak = (child) => {
 	if (!isNodeOfType(child, "JSXText")) return false;
 	return child.value.trim().length === 0 && child.value.includes("\n");
@@ -17472,7 +17527,7 @@ const noDangerWithChildren = defineRule({
 			if (!hasChildrenProp && !hasNestedChildren) return;
 			if (hasJsxPropIgnoreCase(opening.attributes, "dangerouslySetInnerHTML") || spreadPropsShape.hasDangerously) context.report({
 				node: opening,
-				message: MESSAGE$25
+				message: MESSAGE$27
 			});
 		},
 		CallExpression(node) {
@@ -17484,7 +17539,7 @@ const noDangerWithChildren = defineRule({
 			if (!propsShape.hasDangerously) return;
 			if (node.arguments.length >= 3 || propsShape.hasChildren) context.report({
 				node,
-				message: MESSAGE$25
+				message: MESSAGE$27
 			});
 		}
 	})
@@ -18061,7 +18116,7 @@ const isSetStateCallInLifecycle = (setStateCall, lifecycleNames, options = {}) =
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-mount-set-state.ts
 const LIFECYCLE_NAMES$2 = new Set(["componentDidMount"]);
-const MESSAGE$24 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
+const MESSAGE$26 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
 const resolveSettings$20 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidMountSetState ?? {} : {}).mode ?? "allowed" };
@@ -18080,7 +18135,7 @@ const noDidMountSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$2, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$24
+				message: MESSAGE$26
 			});
 		} };
 	}
@@ -18088,7 +18143,7 @@ const noDidMountSetState = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-update-set-state.ts
 const LIFECYCLE_NAMES$1 = new Set(["componentDidUpdate"]);
-const MESSAGE$23 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$25 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$19 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -18107,7 +18162,7 @@ const noDidUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$1, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		} };
 	}
@@ -18130,7 +18185,7 @@ const isStateMemberExpression = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-direct-mutation-state.ts
-const MESSAGE$22 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
+const MESSAGE$24 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
 const shouldIgnoreMutation = (node) => {
 	let isConstructor = false;
 	let isInsideCallExpression = false;
@@ -18152,7 +18207,7 @@ const reportIfStateMutation = (context, reportNode, target) => {
 	if (shouldIgnoreMutation(reportNode)) return;
 	context.report({
 		node: reportNode,
-		message: MESSAGE$22
+		message: MESSAGE$24
 	});
 };
 const noDirectMutationState = defineRule({
@@ -18362,6 +18417,26 @@ const noDocumentStartViewTransition = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-document-write.ts
+const MESSAGE$23 = "`document.write()` blocks parsing, is ignored (or wipes the page) after load, and is flagged by browsers as a performance anti-pattern. Build DOM nodes or set `innerHTML`/`textContent` on a target element instead.";
+const WRITE_METHODS = new Set(["write", "writeln"]);
+const noDocumentWrite = defineRule({
+	id: "no-document-write",
+	title: "document.write/writeln",
+	severity: "warn",
+	recommendation: "Don't use `document.write()`/`document.writeln()`. Append DOM nodes or set `innerHTML`/`textContent` on a specific element instead.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.object, "Identifier") || callee.object.name !== "document") return;
+		if (!isNodeOfType(callee.property, "Identifier") || !WRITE_METHODS.has(callee.property.name)) return;
+		context.report({
+			node,
+			message: MESSAGE$23
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/bundle-size/no-dynamic-import-path.ts
 const noDynamicImportPath = defineRule({
 	id: "no-dynamic-import-path",
@@ -19740,7 +19815,7 @@ const ALLOWED_NAMESPACES = new Set([
 	"ReactDOM",
 	"ReactDom"
 ]);
-const MESSAGE$21 = "`findDOMNode` crashes your app in React 19 because it was removed.";
+const MESSAGE$22 = "`findDOMNode` crashes your app in React 19 because it was removed.";
 const noFindDomNode = defineRule({
 	id: "no-find-dom-node",
 	title: "findDOMNode breaks component encapsulation",
@@ -19751,7 +19826,7 @@ const noFindDomNode = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "findDOMNode") {
 			context.report({
 				node: callee,
-				message: MESSAGE$21
+				message: MESSAGE$22
 			});
 			return;
 		}
@@ -19762,7 +19837,7 @@ const noFindDomNode = defineRule({
 			if (callee.property.name !== "findDOMNode") return;
 			context.report({
 				node: callee.property,
-				message: MESSAGE$21
+				message: MESSAGE$22
 			});
 		}
 	} })
@@ -20004,7 +20079,7 @@ const noGrayOnColoredBackground = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/performance/no-img-lazy-with-high-fetchpriority.ts
-const MESSAGE$20 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
+const MESSAGE$21 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
 const noImgLazyWithHighFetchpriority = defineRule({
 	id: "no-img-lazy-with-high-fetchpriority",
 	title: "Lazy image with high fetchPriority",
@@ -20018,7 +20093,7 @@ const noImgLazyWithHighFetchpriority = defineRule({
 		if (!fetchPriorityAttribute || getJsxPropStringValue(fetchPriorityAttribute)?.toLowerCase() !== "high") return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$20
+			message: MESSAGE$21
 		});
 	} })
 });
@@ -20253,7 +20328,7 @@ const noIsMounted = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/js-performance/no-json-parse-stringify-clone.ts
-const MESSAGE$19 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
+const MESSAGE$20 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
 const isJsonMethodCall = (node, method) => {
 	if (!isNodeOfType(node, "CallExpression")) return false;
 	const callee = node.callee;
@@ -20270,13 +20345,13 @@ const noJsonParseStringifyClone = defineRule({
 		if (!firstArgument || !isJsonMethodCall(firstArgument, "stringify")) return;
 		context.report({
 			node,
-			message: MESSAGE$19
+			message: MESSAGE$20
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/correctness/no-jsx-element-type.ts
-const MESSAGE$18 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
+const MESSAGE$19 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
 const isJsxElementTypeReference = (node) => {
 	if (!isNodeOfType(node, "TSTypeReference")) return false;
 	const typeName = node.typeName;
@@ -20293,7 +20368,7 @@ const checkReturnType = (context, returnType) => {
 	if (!typeAnnotation) return;
 	if (isJsxElementTypeReference(typeAnnotation)) context.report({
 		node: typeAnnotation,
-		message: MESSAGE$18
+		message: MESSAGE$19
 	});
 };
 const noJsxElementType = defineRule({
@@ -20748,7 +20823,7 @@ const noMoment = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-multi-comp.ts
-const MESSAGE$17 = "This file declares several components, so each component is harder to find, test, and change.";
+const MESSAGE$18 = "This file declares several components, so each component is harder to find, test, and change.";
 const resolveSettings$16 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreStateless: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noMultiComp ?? {} : {}).ignoreStateless ?? false };
@@ -21070,7 +21145,7 @@ const noMultiComp = defineRule({
 			if (isSmallFeatureModule || isLargeFeatureModule || isVeryLargeFeatureModule) return;
 			for (const component of flagged.slice(1)) context.report({
 				node: component.reportNode,
-				message: MESSAGE$17
+				message: MESSAGE$18
 			});
 		} };
 	}
@@ -21238,7 +21313,7 @@ const resolveReducerFunction = (node, currentFilename) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-mutating-reducer-state.ts
-const MESSAGE$16 = "This reducer changes state in place, so your update is silently skipped.";
+const MESSAGE$17 = "This reducer changes state in place, so your update is silently skipped.";
 const SAME_REFERENCE_ARRAY_RETURN_METHODS = new Set([
 	"copyWithin",
 	"fill",
@@ -21448,7 +21523,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(options.crossFileConsumerCallSite);
 			context.report({
 				node: options.crossFileConsumerCallSite,
-				message: `${MESSAGE$16} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
+				message: `${MESSAGE$17} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
 			});
 			return;
 		}
@@ -21457,7 +21532,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(mutation.node);
 			context.report({
 				node: mutation.node,
-				message: MESSAGE$16
+				message: MESSAGE$17
 			});
 		}
 	};
@@ -21729,7 +21804,7 @@ const noNoninteractiveElementToInteractiveRole = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-noninteractive-tabindex.ts
-const MESSAGE$15 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
+const MESSAGE$16 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
 const resolveSettings$14 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noNoninteractiveTabindex ?? {} : {};
@@ -21757,7 +21832,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (numeric === null) {
 				if (isNodeOfType(tabIndexValue, "JSXExpressionContainer") && !settings.allowExpressionValues) context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$16
 				});
 				return;
 			}
@@ -21770,7 +21845,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (!roleAttribute) {
 				context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$16
 				});
 				return;
 			}
@@ -21784,7 +21859,7 @@ const noNoninteractiveTabindex = defineRule({
 			}
 			context.report({
 				node: tabIndex,
-				message: MESSAGE$15
+				message: MESSAGE$16
 			});
 		} };
 	}
@@ -22475,7 +22550,7 @@ const noRandomKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-react-children.ts
-const MESSAGE$14 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
+const MESSAGE$15 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
 const isChildrenIdentifier = (node, contextNode) => {
 	if (!isNodeOfType(node, "Identifier") || node.name !== "Children") return false;
 	return isImportedFromModule(contextNode, "Children", "react");
@@ -22501,13 +22576,13 @@ const noReactChildren = defineRule({
 		if (isChildrenIdentifier(memberObject, node)) {
 			context.report({
 				node: calleeOuter,
-				message: MESSAGE$14
+				message: MESSAGE$15
 			});
 			return;
 		}
 		if (isReactNamespaceMember(memberObject, node)) context.report({
 			node: calleeOuter,
-			message: MESSAGE$14
+			message: MESSAGE$15
 		});
 	} })
 });
@@ -22830,7 +22905,7 @@ const noRenderPropChildren = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-render-return-value.ts
-const MESSAGE$13 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
+const MESSAGE$14 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
 const isReactDomRenderCall = (node) => {
 	if (!isNodeOfType(node.callee, "MemberExpression")) return false;
 	if (!isNodeOfType(node.callee.object, "Identifier")) return false;
@@ -22854,7 +22929,7 @@ const noRenderReturnValue = defineRule({
 		if (!isUsedAsReturnValue(node.parent)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$13
+			message: MESSAGE$14
 		});
 	} })
 });
@@ -23552,7 +23627,7 @@ const getParentComponent = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-set-state.ts
-const MESSAGE$12 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
+const MESSAGE$13 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
 const noSetState = defineRule({
 	id: "no-set-state",
 	title: "Local class state forbidden",
@@ -23567,7 +23642,7 @@ const noSetState = defineRule({
 		if (!getParentComponent(node)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$12
+			message: MESSAGE$13
 		});
 	} })
 });
@@ -23729,7 +23804,7 @@ const isAbstractRole = (openingElement, settings) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/no-static-element-interactions.ts
-const MESSAGE$11 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
+const MESSAGE$12 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
 const DEFAULT_HANDLERS = [
 	"onClick",
 	"onMouseDown",
@@ -23789,7 +23864,7 @@ const noStaticElementInteractions = defineRule({
 			if (!roleAttribute || !roleAttribute.value) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$12
 				});
 				return;
 			}
@@ -23799,19 +23874,66 @@ const noStaticElementInteractions = defineRule({
 				if (firstRole && (isInteractiveRole(firstRole) || isNonInteractiveRole(firstRole))) return;
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$12
 				});
 				return;
 			}
 			if (isNodeOfType(attributeValue, "JSXExpressionContainer") && settings.allowExpressionValues) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$11
+				message: MESSAGE$12
 			});
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/react-builtins/no-string-false-on-boolean-attribute.ts
+const BOOLEAN_ATTRIBUTES = new Set([
+	"disabled",
+	"checked",
+	"readonly",
+	"required",
+	"selected",
+	"multiple",
+	"autofocus",
+	"autoplay",
+	"controls",
+	"loop",
+	"muted",
+	"open",
+	"reversed",
+	"default",
+	"novalidate",
+	"formnovalidate",
+	"playsinline",
+	"itemscope",
+	"allowfullscreen"
+]);
+const noStringFalseOnBooleanAttribute = defineRule({
+	id: "no-string-false-on-boolean-attribute",
+	title: "String true/false on a boolean attribute",
+	severity: "warn",
+	recommendation: "Use the boolean form on boolean attributes: `disabled` / `disabled={true}` / `disabled={false}`, not `disabled=\"false\"`. A non-empty string is truthy, so `=\"false\"` actually turns the attribute ON.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const firstCharacter = node.name.name.charCodeAt(0);
+		if (firstCharacter < 97 || firstCharacter > 122) return;
+		for (const attribute of node.attributes) {
+			if (!isNodeOfType(attribute, "JSXAttribute")) continue;
+			if (!isNodeOfType(attribute.name, "JSXIdentifier")) continue;
+			if (!BOOLEAN_ATTRIBUTES.has(attribute.name.name.toLowerCase())) continue;
+			const value = getJsxPropStringValue(attribute);
+			if (value !== "false" && value !== "true") continue;
+			const attributeName = attribute.name.name;
+			const guidance = value === "false" ? `which React treats as truthy, so the attribute is applied even though you wrote "false". Use \`${attributeName}={false}\` (or omit the attribute) to keep it off` : `but a boolean attribute takes a boolean, not the string "true". Use \`${attributeName}\` or \`${attributeName}={true}\``;
+			context.report({
+				node: attribute,
+				message: `\`${attributeName}="${value}"\` passes the string "${value}", ${guidance}.`
+			});
+		}
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-string-refs.ts
 const STRING_IN_REF_MESSAGE = "Your component can't reach this node because string refs don't work in modern React.";
 const THIS_REFS_MESSAGE = "Your component can't reach its nodes because `this.refs` is empty in modern React.";
@@ -23862,6 +23984,27 @@ const noStringRefs = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-sync-xhr.ts
+const MESSAGE$11 = "A synchronous `XMLHttpRequest` (`.open(method, url, false)`) freezes the main thread until the request finishes, blocking all rendering and input. Use `fetch()` or an async XHR (`open(method, url, true)`).";
+const isFalseLiteral = (node) => isNodeOfType(node, "Literal") && node.value === false;
+const noSyncXhr = defineRule({
+	id: "no-sync-xhr",
+	title: "Synchronous XMLHttpRequest",
+	severity: "warn",
+	recommendation: "Never open an XMLHttpRequest synchronously (`async` = `false`). It blocks the main thread. Use `fetch()` or pass `true` and handle the response asynchronously.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "open") return;
+		const asyncArgument = node.arguments?.[2];
+		if (!asyncArgument || !isFalseLiteral(stripParenExpression(asyncArgument))) return;
+		context.report({
+			node,
+			message: MESSAGE$11
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-this-in-sfc.ts
 const MESSAGE$10 = "This value is `undefined` because function components have no `this`.";
 const isInsideClassMethod = (node, customClassFactoryNames) => {
@@ -35437,13 +35580,7 @@ const serverNoMutableModuleState = defineRule({
 const collectDeclaredNames = (declaration) => {
 	const names = /* @__PURE__ */ new Set();
 	if (!isNodeOfType(declaration, "VariableDeclaration")) return names;
-	for (const declarator of declaration.declarations ?? []) if (isNodeOfType(declarator.id, "Identifier")) names.add(declarator.id.name);
-	else if (isNodeOfType(declarator.id, "ObjectPattern")) {
-		for (const property of declarator.id.properties ?? []) if (isNodeOfType(property, "Property") && isNodeOfType(property.value, "Identifier")) names.add(property.value.name);
-		else if (isNodeOfType(property, "RestElement") && isNodeOfType(property.argument, "Identifier")) names.add(property.argument.name);
-	} else if (isNodeOfType(declarator.id, "ArrayPattern")) {
-		for (const element of declarator.id.elements ?? []) if (isNodeOfType(element, "Identifier")) names.add(element.name);
-	}
+	for (const declarator of declaration.declarations ?? []) collectPatternNames(declarator.id, names);
 	return names;
 };
 const declarationStartsWithAwait = (declaration) => {
@@ -35453,11 +35590,15 @@ const declarationStartsWithAwait = (declaration) => {
 };
 const declarationReadsAnyName = (declaration, names) => {
 	if (names.size === 0) return false;
+	if (!isNodeOfType(declaration, "VariableDeclaration")) return false;
 	let didRead = false;
-	walkAst(declaration, (child) => {
-		if (didRead) return;
-		if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
-	});
+	for (const declarator of declaration.declarations ?? []) {
+		if (!declarator.init) continue;
+		walkAst(declarator.init, (child) => {
+			if (didRead) return;
+			if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
+		});
+	}
 	return didRead;
 };
 const serverSequentialIndependentAwait = defineRule({
@@ -36717,7 +36858,7 @@ const urlPrefilledPrivilegedAction = defineRule({
 	recommendation: "Require server-side validation and explicit confirmation for URL-sourced invite, role, permission, redirect, or sharing parameters.",
 	scan: scanByPattern({
 		shouldScan: (file) => isClientSourcePath(file.relativePath),
-		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?)\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
+		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?(?:[\w$]+\s*\.\s*){0,4})\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
 		message: "Client code reads sensitive action state from the URL, which can pre-fill invites, roles, redirects, or sharing flows with attacker values."
 	})
 });
@@ -39173,6 +39314,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noDocumentStartViewTransition.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-document-write",
+		id: "no-document-write",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noDocumentWrite,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-dynamic-import-path",
 		id: "no-dynamic-import-path",
@@ -39982,6 +40134,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStaticElementInteractions.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-string-false-on-boolean-attribute",
+		id: "no-string-false-on-boolean-attribute",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noStringFalseOnBooleanAttribute,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noStringFalseOnBooleanAttribute.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-string-refs",
 		id: "no-string-refs",
@@ -39994,6 +40158,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStringRefs.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-sync-xhr",
+		id: "no-sync-xhr",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noSyncXhr,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-this-in-sfc",
 		id: "no-this-in-sfc",