npm - oxlint-plugin-react-doctor - Versions diffs - 0.5.6-dev.f45cb29 → 0.5.7-dev.242bf69 - Mend

oxlint-plugin-react-doctor 0.5.6-dev.f45cb29 → 0.5.7-dev.242bf69

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -890,24 +890,64 @@ const advancedEventHandlerRefs = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/security-scan/utils/strip-comments-preserving-positions.ts
-const stripCommentsPreservingPositions = (content) => {
+const WHITESPACE_PATTERN = /\s/;
+const quotedLiteralHasWhitespace = (content, openQuoteIndex, delimiter) => {
+	for (let cursor = openQuoteIndex + 1; cursor < content.length; cursor += 1) {
+		const character = content[cursor];
+		if (character === "\\") {
+			cursor += 1;
+			continue;
+		}
+		if (character === delimiter) return false;
+		if (WHITESPACE_PATTERN.test(character)) return true;
+	}
+	return false;
+};
+const blankNonCodePreservingPositions = (content, blankStringContents) => {
 	const characters = content.split("");
 	let stringDelimiter = null;
+	let isBlankingString = false;
+	const templateExpressionDepths = [];
 	let index = 0;
+	const blankUnlessNewline = (offset) => {
+		if (offset < content.length && content[offset] !== "\n") characters[offset] = " ";
+	};
 	while (index < content.length) {
 		const character = content[index];
 		const nextCharacter = content[index + 1];
 		if (stringDelimiter !== null) {
 			if (character === "\\") {
+				if (isBlankingString) {
+					blankUnlessNewline(index);
+					blankUnlessNewline(index + 1);
+				}
 				index += 2;
 				continue;
 			}
-			if (character === stringDelimiter) stringDelimiter = null;
+			if (character === stringDelimiter) {
+				stringDelimiter = null;
+				index += 1;
+				continue;
+			}
+			if (blankStringContents && stringDelimiter === "`" && character === "$" && nextCharacter === "{") {
+				templateExpressionDepths.push(0);
+				stringDelimiter = null;
+				index += 2;
+				continue;
+			}
+			if (isBlankingString) blankUnlessNewline(index);
 			index += 1;
 			continue;
 		}
-		if (character === "\"" || character === "'" || character === "`") {
+		if (character === "\"" || character === "'") {
 			stringDelimiter = character;
+			isBlankingString = blankStringContents && quotedLiteralHasWhitespace(content, index, character);
+			index += 1;
+			continue;
+		}
+		if (character === "`") {
+			stringDelimiter = "`";
+			isBlankingString = blankStringContents;
 			index += 1;
 			continue;
 		}
@@ -926,29 +966,42 @@ const stripCommentsPreservingPositions = (content) => {
 					index += 2;
 					break;
 				}
-				if (content[index] !== "\n") characters[index] = " ";
+				blankUnlessNewline(index);
 				index += 1;
 			}
 			continue;
 		}
+		if (templateExpressionDepths.length > 0) {
+			const innermost = templateExpressionDepths.length - 1;
+			if (character === "{") templateExpressionDepths[innermost] += 1;
+			else if (character === "}") if (templateExpressionDepths[innermost] === 0) {
+				templateExpressionDepths.pop();
+				stringDelimiter = "`";
+				isBlankingString = blankStringContents;
+			} else templateExpressionDepths[innermost] -= 1;
+		}
 		index += 1;
 	}
 	return characters.join("");
 };
+const stripCommentsPreservingPositions = (content) => blankNonCodePreservingPositions(content, false);
+const stripCommentsAndStringLiteralsPreservingPositions = (content) => blankNonCodePreservingPositions(content, true);
 //#endregion
 //#region src/plugin/rules/security-scan/utils/scan-by-pattern.ts
 const strippedContentCache = /* @__PURE__ */ new WeakMap();
-const getScannableContent = (file) => {
+const stringStrippedContentCache = /* @__PURE__ */ new WeakMap();
+const getScannableContent = (file, ignoreStringLiterals = false) => {
 	if (!SOURCE_FILE_PATTERN.test(file.relativePath)) return file.content;
-	const cachedContent = strippedContentCache.get(file);
+	const cache = ignoreStringLiterals ? stringStrippedContentCache : strippedContentCache;
+	const cachedContent = cache.get(file);
 	if (cachedContent !== void 0) return cachedContent;
-	const strippedContent = stripCommentsPreservingPositions(file.content);
-	strippedContentCache.set(file, strippedContent);
+	const strippedContent = ignoreStringLiterals ? stripCommentsAndStringLiteralsPreservingPositions(file.content) : stripCommentsPreservingPositions(file.content);
+	cache.set(file, strippedContent);
 	return strippedContent;
 };
-const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, message }) => (file) => {
+const scanByPattern = ({ shouldScan, pattern, requireAll, suppressWhen, ignoreStringLiterals, message }) => (file) => {
 	if (!shouldScan(file)) return [];
-	const content = getScannableContent(file);
+	const content = getScannableContent(file, ignoreStringLiterals);
 	if (requireAll !== void 0 && !requireAll.every((gate) => gate.test(content))) return [];
 	const matchedPattern = (pattern instanceof RegExp ? [pattern] : pattern).find((candidate) => candidate.test(content));
 	if (matchedPattern === void 0) return [];
@@ -973,6 +1026,7 @@ const agentToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath) && AGENT_TOOL_CONTEXT_PATH_PATTERN.test(file.relativePath),
 		pattern: AGENT_TOOL_DEFINITION_PATTERN,
 		requireAll: [AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An agent-callable tool appears to expose network, filesystem, shell, or code-execution capability."
 	})
 });
@@ -1861,7 +1915,7 @@ const anchorAmbiguousText = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/anchor-has-content.ts
-const MESSAGE$57 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$59 = "Blind users can't follow this link because screen readers announce nothing, so add visible text, `aria-label`, or `aria-labelledby`.";
 const anchorHasContent = defineRule({
 	id: "anchor-has-content",
 	title: "Anchor has no content",
@@ -1877,7 +1931,7 @@ const anchorHasContent = defineRule({
 		for (const attribute of ["title", "aria-label"]) if (hasJsxPropIgnoreCase(opening.attributes, attribute)) return;
 		context.report({
 			node: opening.name,
-			message: MESSAGE$57
+			message: MESSAGE$59
 		});
 	} })
 });
@@ -2271,7 +2325,7 @@ const parseJsxValue = (value) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/aria-activedescendant-has-tabindex.ts
-const MESSAGE$56 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
+const MESSAGE$58 = "Keyboard users can't focus this element with `aria-activedescendant` because it isn't tabbable, so add `tabIndex={0}`.";
 const ariaActivedescendantHasTabindex = defineRule({
 	id: "aria-activedescendant-has-tabindex",
 	title: "aria-activedescendant missing tabindex",
@@ -2289,14 +2343,14 @@ const ariaActivedescendantHasTabindex = defineRule({
 			if (tabIndexValue === null || tabIndexValue >= -1) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$56
+				message: MESSAGE$58
 			});
 			return;
 		}
 		if (isInteractiveElement(tag, node)) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$56
+			message: MESSAGE$58
 		});
 	} })
 });
@@ -2965,7 +3019,7 @@ const ABSTRACT_ROLES = new Set([
 	"widget",
 	"window"
 ]);
-const PRESENTATION_ROLES$2 = new Set(["presentation", "none"]);
+const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
 //#endregion
 //#region src/plugin/rules/a11y/aria-role.ts
 const buildBaseMessage = (suffix) => `This \`role\` is not a valid ARIA role, so assistive tech cannot expose it correctly. Use a real, non-abstract role.${suffix}`;
@@ -3085,7 +3139,7 @@ const artifactBaasAuthoritySurface = defineRule({
 	scan: scanByPattern({
 		shouldScan: (file) => isBrowserArtifactPath(file.relativePath, file.isGeneratedBundle),
 		pattern: /\b(?:collection\s*\(\s*["'](?:boosts|sessions|sessions_admin|users|orgs|candidateJobs|conversations|documents|profiles)|from\s*\(\s*["'](?:users|profiles|documents|organizations|memberships)|creatorID|creatorId|providerId|ghostOrg|ownerId|orgId|tenantId|workspaceId|role|roles|isAdmin|SuperAdmin)\b/i,
-		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore|createClient)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket|supabase|SUPABASE_URL)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b/i],
+		requireAll: [/\b(?:initializeApp|firebase|firestore|getFirestore)\b[\s\S]{0,700}\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b|\b(?:apiKey|authDomain|projectId|databaseURL|storageBucket)\b[\s\S]{0,700}\b(?:firebase|firestore|getFirestore|initializeApp)\b|\bcreateClient\b[\s\S]{0,700}\b(?:supabase|SUPABASE_URL)\b|\b(?:supabase|SUPABASE_URL)\b[\s\S]{0,700}\bcreateClient\b/i],
 		message: "A browser artifact exposes Firebase/Supabase config together with sensitive collections or authorization fields."
 	})
 });
@@ -3104,6 +3158,76 @@ const AUTH_FUNCTION_NAMES = new Set([
 	"getAuth",
 	"validateSession"
 ]);
+const AUTH_STRONG_TOKEN_PATTERN = /^auth(?:n|z|ed|enticate[ds]?|enticating|entication|orize[ds]?|orizing|orization|orizer)?$/;
+const AUTH_STANDALONE_NOUN_TOKENS = new Set([
+	"signedin",
+	"loggedin",
+	"signin"
+]);
+const AUTH_ASSERTIVE_VERB_TOKENS = new Set([
+	"require",
+	"ensure",
+	"assert",
+	"verify",
+	"validate",
+	"check",
+	"protect",
+	"enforce",
+	"guard",
+	"gate",
+	"restrict",
+	"is",
+	"has",
+	"can",
+	"must"
+]);
+const AUTH_GETTER_VERB_TOKENS = new Set([
+	"get",
+	"fetch",
+	"load",
+	"read",
+	"resolve",
+	"retrieve",
+	"use"
+]);
+const AUTH_QUALIFIER_TOKENS = new Set([
+	"current",
+	"my",
+	"own"
+]);
+const AUTH_STRONG_NOUN_TOKENS = new Set([
+	"session",
+	"sessions",
+	"login",
+	"admin",
+	"admins",
+	"superadmin",
+	"superuser",
+	"role",
+	"roles",
+	"permission",
+	"permissions",
+	"jwt",
+	"identity",
+	"principal",
+	"credential",
+	"credentials"
+]);
+const AUTH_WEAK_NOUN_TOKENS = new Set([
+	"user",
+	"users",
+	"account",
+	"accounts",
+	"token",
+	"tokens",
+	"access",
+	"me",
+	"viewer",
+	"caller",
+	"subject",
+	"scope",
+	"scopes"
+]);
 const GENERIC_AUTH_METHOD_NAMES = new Set(["getUser"]);
 const AUTH_OBJECT_PATTERN = /(?:^|[._])(?:auth|authn|authz|clerk|session|jwt|firebase|supabase|nextauth|kinde|workos|stytch|descope|cognito|propelauth|lucia)/i;
 const SECRET_PATTERNS = [
@@ -4202,7 +4326,7 @@ const asyncParallel = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/security/auth-token-in-web-storage.ts
-const MESSAGE$55 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
+const MESSAGE$57 = "Storing an auth token in `localStorage`/`sessionStorage` exposes it to any XSS on the page: JavaScript can read web storage and exfiltrate the token. Keep tokens in an `HttpOnly`, `Secure`, `SameSite` cookie instead.";
 const STORAGE_NAMES = new Set(["localStorage", "sessionStorage"]);
 const STORAGE_GLOBALS = new Set([
 	"window",
@@ -4236,7 +4360,7 @@ const authTokenInWebStorage = defineRule({
 			if (!SENSITIVE_KEY_PATTERN.test(keyArgument.value)) return;
 			context.report({
 				node,
-				message: MESSAGE$55
+				message: MESSAGE$57
 			});
 		},
 		AssignmentExpression(node) {
@@ -4247,7 +4371,7 @@ const authTokenInWebStorage = defineRule({
 			if (!propertyName || !SENSITIVE_KEY_PATTERN.test(propertyName)) return;
 			context.report({
 				node: target,
-				message: MESSAGE$55
+				message: MESSAGE$57
 			});
 		}
 	})
@@ -4586,6 +4710,14 @@ const checkedRequiresOnchangeOrReadonly = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/is-presentation-role.ts
+const isPresentationRole = (openingElement) => {
+	const roleAttribute = hasJsxPropIgnoreCase(openingElement.attributes, "role");
+	if (!roleAttribute) return false;
+	const value = getJsxPropStringValue(roleAttribute);
+	return value !== null && PRESENTATION_ROLES$1.has(value);
+};
+//#endregion
 //#region src/plugin/utils/is-pure-event-blocker-handler.ts
 const BLOCKER_METHOD_NAMES = new Set([
 	"stopPropagation",
@@ -4623,8 +4755,7 @@ const isPureEventBlockerHandler = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/click-events-have-key-events.ts
-const PRESENTATION_ROLES$1 = new Set(["presentation", "none"]);
-const MESSAGE$54 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
+const MESSAGE$56 = "Keyboard users can't trigger this click handler because there's no keyboard one, so add `onKeyUp`, `onKeyDown`, or `onKeyPress`.";
 const KEY_HANDLERS = [
 	"onKeyUp",
 	"onKeyDown",
@@ -4648,15 +4779,11 @@ const clickEventsHaveKeyEvents = defineRule({
 			if (!onClick) return;
 			if (isPureEventBlockerHandler(onClick)) return;
 			if (isHiddenFromScreenReader(node, context.settings)) return;
-			const roleAttribute = hasJsxPropIgnoreCase(node.attributes, "role");
-			if (roleAttribute) {
-				const roleValue = getJsxPropStringValue(roleAttribute);
-				if (roleValue && PRESENTATION_ROLES$1.has(roleValue)) return;
-			}
+			if (isPresentationRole(node)) return;
 			if (KEY_HANDLERS.some((handler) => hasJsxPropIgnoreCase(node.attributes, handler))) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$54
+				message: MESSAGE$56
 			});
 		} };
 	}
@@ -4771,7 +4898,7 @@ const isReactComponentName = (name) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/control-has-associated-label.ts
-const MESSAGE$53 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$55 = "Blind users can't tell what this control does because screen readers find no label, so add visible text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_IGNORE_ELEMENTS = ["link", "canvas"];
 const DEFAULT_LABELLING_PROPS = [
 	"alt",
@@ -4932,7 +5059,7 @@ const controlHasAssociatedLabel = defineRule({
 			for (const child of node.children) if (checkChildForLabel(child, 1, checkContext)) return;
 			context.report({
 				node: opening,
-				message: MESSAGE$53
+				message: MESSAGE$55
 			});
 		} };
 	}
@@ -5362,7 +5489,7 @@ const noVagueButtonLabel = defineRule({
 const hasJsxSpreadAttribute$1 = (attributes) => attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
 //#endregion
 //#region src/plugin/rules/a11y/dialog-has-accessible-name.ts
-const MESSAGE$52 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
+const MESSAGE$54 = "This dialog has no accessible name, so screen readers announce it as just “dialog.” Add `aria-label` or point `aria-labelledby` at its heading.";
 const DIALOG_ROLES = new Set(["dialog", "alertdialog"]);
 const NAME_PROVIDING_ATTRIBUTES = [
 	"aria-label",
@@ -5385,7 +5512,7 @@ const dialogHasAccessibleName = defineRule({
 		if (NAME_PROVIDING_ATTRIBUTES.some((attribute) => hasJsxPropIgnoreCase(node.attributes, attribute))) return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$52
+			message: MESSAGE$54
 		});
 	} })
 });
@@ -5424,7 +5551,7 @@ const isEs6Component = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/display-name.ts
-const MESSAGE$51 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
+const MESSAGE$53 = "This component shows up as Anonymous in React DevTools because it has no `displayName`.";
 const DEFAULT_ADDITIONAL_HOCS = [
 	"observer",
 	"lazy",
@@ -5623,11 +5750,11 @@ const displayName = defineRule({
 	category: "Architecture",
 	create: (context) => {
 		const settings = resolveSettings$44(context.settings);
-		const ignoreNamed = settings.ignoreTranspilerName ? false : true;
+		const ignoreNamed = !settings.ignoreTranspilerName;
 		const reportAt = (node) => {
 			context.report({
 				node,
-				message: MESSAGE$51
+				message: MESSAGE$53
 			});
 		};
 		return {
@@ -7775,7 +7902,7 @@ const forbidElements = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/forward-ref-uses-ref.ts
-const MESSAGE$50 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
+const MESSAGE$52 = "The parent can't reach this component's node because the `forwardRef` wrapper ignores `ref`.";
 const forwardRefUsesRef = defineRule({
 	id: "forward-ref-uses-ref",
 	title: "forwardRef without ref parameter",
@@ -7795,7 +7922,7 @@ const forwardRefUsesRef = defineRule({
 		if (isNodeOfType(onlyParam, "RestElement")) return;
 		context.report({
 			node: inner,
-			message: MESSAGE$50
+			message: MESSAGE$52
 		});
 	} })
 });
@@ -7832,7 +7959,7 @@ const gitProviderUrlInjectionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/heading-has-content.ts
-const MESSAGE$49 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
+const MESSAGE$51 = "Blind users can't use this heading to navigate because screen readers skip it empty, so add text, `aria-label`, or `aria-labelledby`.";
 const DEFAULT_HEADING_TAGS = [
 	"h1",
 	"h2",
@@ -7865,7 +7992,7 @@ const headingHasContent = defineRule({
 			if (isHiddenFromScreenReader(node, context.settings)) return;
 			context.report({
 				node,
-				message: MESSAGE$49
+				message: MESSAGE$51
 			});
 		} };
 	}
@@ -8003,7 +8130,7 @@ const hooksNoNanInDeps = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/html-has-lang.ts
-const MESSAGE$48 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
+const MESSAGE$50 = "Screen readers may mispronounce this page because it doesn't declare a language, so add a `lang` attribute like `en`.";
 const resolveSettings$38 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { htmlTags: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.htmlHasLang ?? {} : {}).htmlTags ?? ["html"] };
@@ -8046,26 +8173,17 @@ const htmlHasLang = defineRule({
 		return { JSXOpeningElement(node) {
 			const tag = getElementType(node, context.settings);
 			if (!tagSet.has(tag)) return;
-			const hasSpread = node.attributes.some((attribute) => isNodeOfType(attribute, "JSXSpreadAttribute"));
 			const lang = hasJsxPropIgnoreCase(node.attributes, "lang");
 			if (!lang) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$48
+					message: MESSAGE$50
 				});
 				return;
 			}
-			const verdict = evaluateLang(lang.value);
-			if (verdict === "missing" || verdict === "empty") {
-				context.report({
-					node: lang,
-					message: MESSAGE$48
-				});
-				return;
-			}
-			if (hasSpread && !lang) context.report({
-				node: node.name,
-				message: MESSAGE$48
+			if (evaluateLang(lang.value) === "empty") context.report({
+				node: lang,
+				message: MESSAGE$50
 			});
 		} };
 	}
@@ -8279,7 +8397,7 @@ const htmlNoNestedInteractive = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/iframe-has-title.ts
-const MESSAGE$47 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
+const MESSAGE$49 = "Screen reader users cannot identify this `<iframe>` because it has no title. Add a `title` that describes its content.";
 const evaluateTitleValue = (value) => {
 	if (!value) return "missing";
 	if (isNodeOfType(value, "Literal")) {
@@ -8319,14 +8437,14 @@ const iframeHasTitle = defineRule({
 		if (!titleAttr) {
 			if (hasSpread || tag === "iframe") context.report({
 				node: node.name,
-				message: MESSAGE$47
+				message: MESSAGE$49
 			});
 			return;
 		}
 		const verdict = evaluateTitleValue(titleAttr.value);
 		if (verdict === "missing" || verdict === "empty") context.report({
 			node: titleAttr,
-			message: MESSAGE$47
+			message: MESSAGE$49
 		});
 	} })
 });
@@ -8430,7 +8548,7 @@ const iframeMissingSandbox = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/img-redundant-alt.ts
-const MESSAGE$46 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
+const MESSAGE$48 = "Screen reader users hear \"image\" or \"photo\" twice because they already announce it, so describe what the image shows instead.";
 const DEFAULT_COMPONENTS = ["img"];
 const DEFAULT_REDUNDANT_WORDS = [
 	"image",
@@ -8495,7 +8613,7 @@ const imgRedundantAlt = defineRule({
 			if (!altAttribute) return;
 			if (altValueRedundant(altAttribute, settings.words)) context.report({
 				node: altAttribute,
-				message: MESSAGE$46
+				message: MESSAGE$48
 			});
 		} };
 	}
@@ -8778,14 +8896,6 @@ const isNonInteractiveElement = (elementType, openingElement) => {
 //#region src/plugin/utils/is-non-interactive-role.ts
 const isNonInteractiveRole = (role) => NON_INTERACTIVE_ROLES.has(role);
 //#endregion
-//#region src/plugin/utils/is-presentation-role.ts
-const isPresentationRole = (openingElement) => {
-	const roleAttribute = hasJsxPropIgnoreCase(openingElement.attributes, "role");
-	if (!roleAttribute) return false;
-	const value = getJsxPropStringValue(roleAttribute);
-	return value !== null && PRESENTATION_ROLES$2.has(value);
-};
-//#endregion
 //#region src/plugin/rules/a11y/interactive-supports-focus.ts
 const buildTabbableMessage = (role) => `Keyboard users can't tab to this '${role}' because it isn't focusable, so add \`tabIndex={0}\`.`;
 const buildFocusableMessage = (role) => `Keyboard users can't focus this '${role}' because it can't receive focus, so add \`tabIndex={0}\` or \`tabIndex={-1}\`.`;
@@ -10560,6 +10670,24 @@ const hasJsxKeyAttribute = (openingElement) => {
 	return false;
 };
 //#endregion
+//#region src/plugin/utils/is-non-children-jsx-attribute-value.ts
+const ascendThroughJsxValueWrappers = (node) => {
+	let current = node;
+	while (current.parent) {
+		const parent = current.parent;
+		if (!(isNodeOfType(parent, "ChainExpression") || isNodeOfType(parent, "TSAsExpression") || isNodeOfType(parent, "TSSatisfiesExpression") || isNodeOfType(parent, "TSNonNullExpression") || isNodeOfType(parent, "LogicalExpression") || isNodeOfType(parent, "ConditionalExpression") && parent.test !== current)) break;
+		current = parent;
+	}
+	return current;
+};
+const isNonChildrenJsxAttributeValue = (node) => {
+	const container = ascendThroughJsxValueWrappers(node).parent;
+	if (!container || !isNodeOfType(container, "JSXExpressionContainer")) return false;
+	const attribute = container.parent;
+	if (!attribute || !isNodeOfType(attribute, "JSXAttribute")) return false;
+	return getJsxAttributeName(attribute.name) !== "children";
+};
+//#endregion
 //#region src/plugin/rules/react-builtins/jsx-key.ts
 const ITERATOR_METHOD_NAMES = new Set([
 	"map",
@@ -10598,6 +10726,7 @@ const findEnclosingIteratorContext = (jsxNode) => {
 			const arrayParent = parent.parent;
 			if (arrayParent && isNodeOfType(arrayParent, "Property")) return null;
 			if (arrayParent && isNodeOfType(arrayParent, "ArrayExpression")) return null;
+			if (isNonChildrenJsxAttributeValue(parent)) return null;
 			return { kind: "array" };
 		} else if (isNodeOfType(parent, "CallExpression")) {
 			const callee = parent.callee;
@@ -10610,10 +10739,13 @@ const findEnclosingIteratorContext = (jsxNode) => {
 			if (!targetArg) return null;
 			let walker = current;
 			while (walker && walker !== parent) {
-				if (walker === targetArg) return {
-					kind: "iterator",
-					callExpression: parent
-				};
+				if (walker === targetArg) {
+					if (isNonChildrenJsxAttributeValue(parent)) return null;
+					return {
+						kind: "iterator",
+						callExpression: parent
+					};
+				}
 				walker = walker.parent ?? null;
 			}
 			return null;
@@ -10852,7 +10984,7 @@ const jsxMaxDepth = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-comment-textnodes.ts
-const MESSAGE$45 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
+const MESSAGE$47 = "Your users see this comment as text on the page because `//` & `/*` aren't hidden in JSX.";
 const LITERAL_TEXT_TAGS = new Set([
 	"code",
 	"pre",
@@ -10888,7 +11020,7 @@ const jsxNoCommentTextnodes = defineRule({
 		if (isInsideLiteralTextTag(node)) return;
 		context.report({
 			node,
-			message: MESSAGE$45
+			message: MESSAGE$47
 		});
 	} })
 });
@@ -10919,7 +11051,7 @@ const isInsideFunctionScope = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-constructed-context-values.ts
-const MESSAGE$44 = "Every reader of this context redraws on each render because you build its `value` inline.";
+const MESSAGE$46 = "Every reader of this context redraws on each render because you build its `value` inline.";
 const CONTEXT_MODULES$1 = [
 	"react",
 	"use-context-selector",
@@ -11017,7 +11149,7 @@ const jsxNoConstructedContextValues = defineRule({
 					if (!isConstructedValue(innerExpression)) continue;
 					context.report({
 						node: attribute,
-						message: MESSAGE$44
+						message: MESSAGE$46
 					});
 				}
 			}
@@ -11103,7 +11235,7 @@ const isJsxAttributeOnIntrinsicHtmlElement = (attribute) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-jsx-as-prop.ts
-const MESSAGE$43 = "This child redraws every render because the prop gets brand new JSX each time.";
+const MESSAGE$45 = "This child redraws every render because the prop gets brand new JSX each time.";
 const KNOWN_SLOT_PROP_NAMES = new Set([
 	"icon",
 	"Icon",
@@ -11372,7 +11504,7 @@ const jsxNoJsxAsProp = defineRule({
 				if (!isJsxProducingExpression(expressionNode) && !followsRenderLocalJsxBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$43
+					message: MESSAGE$45
 				});
 			}
 		};
@@ -11660,7 +11792,7 @@ const DATA_ARRAY_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-array-as-prop.ts
-const MESSAGE$42 = "This child redraws every render because the prop gets a brand new array each time.";
+const MESSAGE$44 = "This child redraws every render because the prop gets a brand new array each time.";
 const isDataArrayPropName = (propName) => {
 	if (DATA_ARRAY_PROP_NAMES.has(propName)) return true;
 	for (const suffix of DATA_ARRAY_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -11744,7 +11876,7 @@ const jsxNoNewArrayAsProp = defineRule({
 				if (!isArrayProducingExpression(expressionNode) && !followsRenderLocalArrayBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$42
+					message: MESSAGE$44
 				});
 			}
 		};
@@ -12002,7 +12134,7 @@ const SAFE_RECEIVER_NAMES = new Set([
 ]);
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-function-as-prop.ts
-const MESSAGE$41 = "This child redraws every render because the prop gets a brand new function each time.";
+const MESSAGE$43 = "This child redraws every render because the prop gets a brand new function each time.";
 const isAccessorPredicateName = (propName) => {
 	for (const prefix of ACCESSOR_PREDICATE_PREFIXES) {
 		if (propName.length <= prefix.length) continue;
@@ -12208,7 +12340,7 @@ const jsxNoNewFunctionAsProp = defineRule({
 				if (!isFunctionProducingExpression(expressionNode) && !followsRenderLocalFunctionBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$41
+					message: MESSAGE$43
 				});
 			}
 		};
@@ -12428,7 +12560,7 @@ const CONFIG_OBJECT_PROP_SUFFIXES = [
 ];
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-new-object-as-prop.ts
-const MESSAGE$40 = "This child redraws every render because the prop gets a brand new object each time.";
+const MESSAGE$42 = "This child redraws every render because the prop gets a brand new object each time.";
 const isConfigObjectPropName = (propName) => {
 	if (CONFIG_OBJECT_PROP_NAMES.has(propName)) return true;
 	for (const suffix of CONFIG_OBJECT_PROP_SUFFIXES) if (propName.length > suffix.length && propName.endsWith(suffix)) return true;
@@ -12516,7 +12648,7 @@ const jsxNoNewObjectAsProp = defineRule({
 				if (!isObjectProducingExpression(expressionNode) && !followsRenderLocalObjectBinding(expressionNode, node)) return;
 				context.report({
 					node,
-					message: MESSAGE$40
+					message: MESSAGE$42
 				});
 			}
 		};
@@ -12524,7 +12656,7 @@ const jsxNoNewObjectAsProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-no-script-url.ts
-const MESSAGE$39 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
+const MESSAGE$41 = "A `javascript:` URL is an XSS hole that runs injected input as code.";
 const JAVASCRIPT_URL_PATTERN = /j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;
 const resolveSettings$28 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
@@ -12565,7 +12697,7 @@ const jsxNoScriptUrl = defineRule({
 				if (!value || !isNodeOfType(value, "Literal") || typeof value.value !== "string") continue;
 				if (JAVASCRIPT_URL_PATTERN.test(value.value)) context.report({
 					node: attribute,
-					message: MESSAGE$39
+					message: MESSAGE$41
 				});
 			}
 		} };
@@ -12880,7 +13012,7 @@ const jsxPropsNoSpreadMulti = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/jsx-props-no-spreading.ts
-const MESSAGE$38 = "You can't tell what props reach this element when you spread them.";
+const MESSAGE$40 = "You can't tell what props reach this element when you spread them.";
 const resolveSettings$25 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.jsxPropsNoSpreading ?? {} : {};
@@ -12921,7 +13053,7 @@ const jsxPropsNoSpreading = defineRule({
 				}
 				context.report({
 					node: attribute,
-					message: MESSAGE$38
+					message: MESSAGE$40
 				});
 			}
 		} };
@@ -13149,7 +13281,7 @@ const labelHasAssociatedControl = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/lang.ts
-const MESSAGE$37 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
+const MESSAGE$39 = "Screen readers can't pick the right voice because this `lang` isn't a real language code, so use a valid one like `en` or `en-US`.";
 const COMMON_LANGUAGE_PRIMARY_TAGS = new Set([
 	"aa",
 	"ab",
@@ -13361,7 +13493,7 @@ const lang = defineRule({
 			if (expression.type === "Identifier" && expression.name === "undefined" || expression.type === "Literal" && expression.value === null) {
 				context.report({
 					node: langAttr,
-					message: MESSAGE$37
+					message: MESSAGE$39
 				});
 				return;
 			}
@@ -13370,7 +13502,7 @@ const lang = defineRule({
 		if (value === null) return;
 		if (!isValidLangTag(value)) context.report({
 			node: langAttr,
-			message: MESSAGE$37
+			message: MESSAGE$39
 		});
 	} })
 });
@@ -13396,6 +13528,7 @@ const mcpToolCapabilityRisk = defineRule({
 		shouldScan: (file) => isProductionSourcePath(file.relativePath),
 		pattern: /\bserver\.\s*tool\s*\(|\bregisterTool\s*\(|\bsetRequestHandler\s*\(\s*CallToolRequestSchema/,
 		requireAll: [/\bfrom\s+["']@modelcontextprotocol\/sdk[^"']*["']|\bMcpServer\b|\bMcpAgent\b/, AGENT_TOOL_DANGEROUS_CAPABILITY_PATTERN],
+		ignoreStringLiterals: true,
 		message: "An MCP tool/resource/prompt handler appears to expose file, shell, network, or code-execution capability."
 	})
 });
@@ -13414,7 +13547,7 @@ const mdxSsrExecutionRisk = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/media-has-caption.ts
-const MESSAGE$36 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
+const MESSAGE$38 = "Deaf and hard-of-hearing users need captions for this media. Add a `<track kind=\"captions\">` inside the `<audio>` or `<video>`.";
 const DEFAULT_AUDIO = ["audio"];
 const DEFAULT_VIDEO = ["video"];
 const DEFAULT_TRACK = ["track"];
@@ -13455,7 +13588,7 @@ const mediaHasCaption = defineRule({
 			if (!parent || !isNodeOfType(parent, "JSXElement")) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$36
+					message: MESSAGE$38
 				});
 				return;
 			}
@@ -13472,7 +13605,7 @@ const mediaHasCaption = defineRule({
 				return kindValue.value.toLowerCase() === "captions";
 			})) context.report({
 				node: node.name,
-				message: MESSAGE$36
+				message: MESSAGE$38
 			});
 		} };
 	}
@@ -15273,7 +15406,7 @@ const nextjsNoVercelOgImport = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-access-key.ts
-const MESSAGE$35 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
+const MESSAGE$37 = "Screen reader users can lose their shortcuts because `accessKey` clashes with them, so remove it.";
 const isUndefinedIdentifier = (expression) => isNodeOfType(expression, "Identifier") && expression.name === "undefined";
 const noAccessKey = defineRule({
 	id: "no-access-key",
@@ -15290,7 +15423,7 @@ const noAccessKey = defineRule({
 		if (isNodeOfType(attributeValue, "Literal") && typeof attributeValue.value === "string") {
 			context.report({
 				node: accessKey,
-				message: MESSAGE$35
+				message: MESSAGE$37
 			});
 			return;
 		}
@@ -15300,7 +15433,7 @@ const noAccessKey = defineRule({
 			if (isUndefinedIdentifier(expression)) return;
 			context.report({
 				node: accessKey,
-				message: MESSAGE$35
+				message: MESSAGE$37
 			});
 		}
 	} })
@@ -15783,7 +15916,7 @@ const noAdjustStateOnPropChange = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-aria-hidden-on-focusable.ts
-const MESSAGE$34 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
+const MESSAGE$36 = "Screen reader users tab to this focusable element but hear nothing because `aria-hidden` skips it, so remove `aria-hidden` or stop it being focusable.";
 const noAriaHiddenOnFocusable = defineRule({
 	id: "no-aria-hidden-on-focusable",
 	title: "aria-hidden on focusable element",
@@ -15810,7 +15943,7 @@ const noAriaHiddenOnFocusable = defineRule({
 		const isImplicitlyFocusable = isInteractiveElement(tag, node);
 		if (isExplicitlyFocusable || isImplicitlyFocusable) context.report({
 			node: ariaHidden,
-			message: MESSAGE$34
+			message: MESSAGE$36
 		});
 	} })
 });
@@ -16178,7 +16311,7 @@ const noArrayIndexAsKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-array-index-key.ts
-const MESSAGE$33 = "Your users can see & submit the wrong data when this list reorders.";
+const MESSAGE$35 = "Your users can see & submit the wrong data when this list reorders.";
 const SECOND_INDEX_METHODS = new Set([
 	"every",
 	"filter",
@@ -16382,7 +16515,7 @@ const noArrayIndexKey = defineRule({
 			}
 			context.report({
 				node: keyAttribute,
-				message: MESSAGE$33
+				message: MESSAGE$35
 			});
 		},
 		CallExpression(node) {
@@ -16402,7 +16535,7 @@ const noArrayIndexKey = defineRule({
 				if (propName !== "key") continue;
 				if (expressionUsesIndex(property.value, indexBinding.name)) context.report({
 					node: property,
-					message: MESSAGE$33
+					message: MESSAGE$35
 				});
 			}
 		}
@@ -16410,7 +16543,7 @@ const noArrayIndexKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-async-effect-callback.ts
-const MESSAGE$32 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
+const MESSAGE$34 = "The `useEffect` callback is `async`, so it returns a Promise instead of a cleanup function. React calls that Promise as cleanup (a no-op) and the effect can race on unmount. Put the async work in an inner function and call it.";
 const noAsyncEffectCallback = defineRule({
 	id: "no-async-effect-callback",
 	title: "Async effect callback",
@@ -16424,13 +16557,13 @@ const noAsyncEffectCallback = defineRule({
 		if (!callback.async) return;
 		context.report({
 			node: callback,
-			message: MESSAGE$32
+			message: MESSAGE$34
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-autofocus.ts
-const MESSAGE$31 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
+const MESSAGE$33 = "`autoFocus` moves focus on load, which can disrupt screen reader and keyboard users. Remove it and let users choose where to focus.";
 const resolveSettings$21 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreNonDOM: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noAutofocus ?? {} : {}).ignoreNonDOM ?? true };
@@ -16486,7 +16619,7 @@ const noAutofocus = defineRule({
 			}
 			context.report({
 				node: autoFocusAttribute,
-				message: MESSAGE$31
+				message: MESSAGE$33
 			});
 		} };
 	}
@@ -16990,7 +17123,7 @@ const noChainStateUpdates = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-children-prop.ts
-const MESSAGE$30 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
+const MESSAGE$32 = "A `children` prop can override or hide nested children, so the component may render different content than the JSX shows.";
 const noChildrenProp = defineRule({
 	id: "no-children-prop",
 	title: "Children passed as a prop",
@@ -17002,7 +17135,7 @@ const noChildrenProp = defineRule({
 			if (node.name.name !== "children") return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$30
+				message: MESSAGE$32
 			});
 		},
 		CallExpression(node) {
@@ -17015,7 +17148,7 @@ const noChildrenProp = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "children" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "children") context.report({
 					node: propertyKey,
-					message: MESSAGE$30
+					message: MESSAGE$32
 				});
 			}
 		}
@@ -17023,7 +17156,7 @@ const noChildrenProp = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-clone-element.ts
-const MESSAGE$29 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
+const MESSAGE$31 = "`React.cloneElement` couples the parent to the child's prop shape, so child prop changes can silently break injected behavior.";
 const noCloneElement = defineRule({
 	id: "no-clone-element",
 	title: "cloneElement makes child props fragile",
@@ -17036,7 +17169,7 @@ const noCloneElement = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "cloneElement") {
 			if (isImportedFromModule(node, "cloneElement", "react")) context.report({
 				node: callee,
-				message: MESSAGE$29
+				message: MESSAGE$31
 			});
 			return;
 		}
@@ -17049,7 +17182,7 @@ const noCloneElement = defineRule({
 			if (!isImportedFromModule(node, callee.object.name, "react")) return;
 			context.report({
 				node: callee,
-				message: MESSAGE$29
+				message: MESSAGE$31
 			});
 		}
 	} })
@@ -17098,7 +17231,7 @@ const enclosingComponentOrHookName = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-create-context-in-render.ts
-const MESSAGE$28 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
+const MESSAGE$30 = "createContext() builds a new context every render, so every consumer gets cut off & resets.";
 const CONTEXT_MODULES = [
 	"react",
 	"use-context-selector",
@@ -17134,13 +17267,13 @@ const noCreateContextInRender = defineRule({
 		if (!componentOrHookName) return;
 		context.report({
 			node,
-			message: `${MESSAGE$28} (called inside "${componentOrHookName}")`
+			message: `${MESSAGE$30} (called inside "${componentOrHookName}")`
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-create-ref-in-function-component.ts
-const MESSAGE$27 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
+const MESSAGE$29 = "`createRef()` in a function component allocates a brand-new ref on every render, so it never holds a value between renders. Use the `useRef()` hook instead.";
 const noCreateRefInFunctionComponent = defineRule({
 	id: "no-create-ref-in-function-component",
 	title: "createRef in function component",
@@ -17159,7 +17292,7 @@ const noCreateRefInFunctionComponent = defineRule({
 		if (!(isReactHookName(displayName) || functionContainsReactRenderOutput(enclosingFunction, context.scopes))) return;
 		context.report({
 			node,
-			message: MESSAGE$27
+			message: MESSAGE$29
 		});
 	} })
 });
@@ -17299,12 +17432,13 @@ const noCreateStoreInRender = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger.ts
-const MESSAGE$26 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
+const MESSAGE$28 = "`dangerouslySetInnerHTML` is an XSS hole that runs attacker-controlled HTML in your users' browsers.";
 const noDanger = defineRule({
 	id: "no-danger",
 	title: "Raw HTML injection can run unsafe markup",
 	severity: "warn",
 	category: "Security",
+	defaultEnabled: false,
 	recommendation: "Render trusted content as React children so attacker-controlled HTML cannot run in users' browsers.",
 	create: (context) => ({
 		JSXOpeningElement(node) {
@@ -17312,7 +17446,7 @@ const noDanger = defineRule({
 			if (!propAttribute) return;
 			context.report({
 				node: propAttribute.name,
-				message: MESSAGE$26
+				message: MESSAGE$28
 			});
 		},
 		CallExpression(node) {
@@ -17324,7 +17458,7 @@ const noDanger = defineRule({
 				const propertyKey = property.key;
 				if (isNodeOfType(propertyKey, "Identifier") && propertyKey.name === "dangerouslySetInnerHTML" || isNodeOfType(propertyKey, "Literal") && propertyKey.value === "dangerouslySetInnerHTML") context.report({
 					node: propertyKey,
-					message: MESSAGE$26
+					message: MESSAGE$28
 				});
 			}
 		}
@@ -17332,7 +17466,7 @@ const noDanger = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-danger-with-children.ts
-const MESSAGE$25 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
+const MESSAGE$27 = "React throws an error when you set both children & `dangerouslySetInnerHTML`.";
 const isLineBreak = (child) => {
 	if (!isNodeOfType(child, "JSXText")) return false;
 	return child.value.trim().length === 0 && child.value.includes("\n");
@@ -17402,7 +17536,7 @@ const noDangerWithChildren = defineRule({
 			if (!hasChildrenProp && !hasNestedChildren) return;
 			if (hasJsxPropIgnoreCase(opening.attributes, "dangerouslySetInnerHTML") || spreadPropsShape.hasDangerously) context.report({
 				node: opening,
-				message: MESSAGE$25
+				message: MESSAGE$27
 			});
 		},
 		CallExpression(node) {
@@ -17414,7 +17548,7 @@ const noDangerWithChildren = defineRule({
 			if (!propsShape.hasDangerously) return;
 			if (node.arguments.length >= 3 || propsShape.hasChildren) context.report({
 				node,
-				message: MESSAGE$25
+				message: MESSAGE$27
 			});
 		}
 	})
@@ -17991,7 +18125,7 @@ const isSetStateCallInLifecycle = (setStateCall, lifecycleNames, options = {}) =
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-mount-set-state.ts
 const LIFECYCLE_NAMES$2 = new Set(["componentDidMount"]);
-const MESSAGE$24 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
+const MESSAGE$26 = "Your users see an extra render right after mount when you call `setState` in `componentDidMount`.";
 const resolveSettings$20 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidMountSetState ?? {} : {}).mode ?? "allowed" };
@@ -18010,7 +18144,7 @@ const noDidMountSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$2, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$24
+				message: MESSAGE$26
 			});
 		} };
 	}
@@ -18018,7 +18152,7 @@ const noDidMountSetState = defineRule({
 //#endregion
 //#region src/plugin/rules/react-builtins/no-did-update-set-state.ts
 const LIFECYCLE_NAMES$1 = new Set(["componentDidUpdate"]);
-const MESSAGE$23 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
+const MESSAGE$25 = "Calling setState in componentDidUpdate can trigger another update immediately, loop forever, and freeze the component.";
 const resolveSettings$19 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { mode: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noDidUpdateSetState ?? {} : {}).mode ?? "allowed" };
@@ -18037,7 +18171,7 @@ const noDidUpdateSetState = defineRule({
 			if (!isSetStateCallInLifecycle(node, LIFECYCLE_NAMES$1, { disallowInNestedFunctions: mode === "disallow-in-func" })) return;
 			context.report({
 				node: node.callee,
-				message: MESSAGE$23
+				message: MESSAGE$25
 			});
 		} };
 	}
@@ -18060,7 +18194,7 @@ const isStateMemberExpression = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-direct-mutation-state.ts
-const MESSAGE$22 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
+const MESSAGE$24 = "Your users see stale data because mutating `this.state` by hand never redraws & gets overwritten.";
 const shouldIgnoreMutation = (node) => {
 	let isConstructor = false;
 	let isInsideCallExpression = false;
@@ -18082,7 +18216,7 @@ const reportIfStateMutation = (context, reportNode, target) => {
 	if (shouldIgnoreMutation(reportNode)) return;
 	context.report({
 		node: reportNode,
-		message: MESSAGE$22
+		message: MESSAGE$24
 	});
 };
 const noDirectMutationState = defineRule({
@@ -18292,6 +18426,26 @@ const noDocumentStartViewTransition = defineRule({
 	} })
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-document-write.ts
+const MESSAGE$23 = "`document.write()` blocks parsing, is ignored (or wipes the page) after load, and is flagged by browsers as a performance anti-pattern. Build DOM nodes or set `innerHTML`/`textContent` on a target element instead.";
+const WRITE_METHODS = new Set(["write", "writeln"]);
+const noDocumentWrite = defineRule({
+	id: "no-document-write",
+	title: "document.write/writeln",
+	severity: "warn",
+	recommendation: "Don't use `document.write()`/`document.writeln()`. Append DOM nodes or set `innerHTML`/`textContent` on a specific element instead.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.object, "Identifier") || callee.object.name !== "document") return;
+		if (!isNodeOfType(callee.property, "Identifier") || !WRITE_METHODS.has(callee.property.name)) return;
+		context.report({
+			node,
+			message: MESSAGE$23
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/bundle-size/no-dynamic-import-path.ts
 const noDynamicImportPath = defineRule({
 	id: "no-dynamic-import-path",
@@ -19670,7 +19824,7 @@ const ALLOWED_NAMESPACES = new Set([
 	"ReactDOM",
 	"ReactDom"
 ]);
-const MESSAGE$21 = "`findDOMNode` crashes your app in React 19 because it was removed.";
+const MESSAGE$22 = "`findDOMNode` crashes your app in React 19 because it was removed.";
 const noFindDomNode = defineRule({
 	id: "no-find-dom-node",
 	title: "findDOMNode breaks component encapsulation",
@@ -19681,7 +19835,7 @@ const noFindDomNode = defineRule({
 		if (isNodeOfType(callee, "Identifier") && callee.name === "findDOMNode") {
 			context.report({
 				node: callee,
-				message: MESSAGE$21
+				message: MESSAGE$22
 			});
 			return;
 		}
@@ -19692,7 +19846,7 @@ const noFindDomNode = defineRule({
 			if (callee.property.name !== "findDOMNode") return;
 			context.report({
 				node: callee.property,
-				message: MESSAGE$21
+				message: MESSAGE$22
 			});
 		}
 	} })
@@ -19934,7 +20088,7 @@ const noGrayOnColoredBackground = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/performance/no-img-lazy-with-high-fetchpriority.ts
-const MESSAGE$20 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
+const MESSAGE$21 = "`<img loading=\"lazy\">` defers the request while `fetchPriority=\"high\"` asks the browser to rush it, so the two directives contradict each other. Drop one: keep `fetchPriority=\"high\"` (and eager loading) for an LCP image, or `loading=\"lazy\"` for a below-the-fold one.";
 const noImgLazyWithHighFetchpriority = defineRule({
 	id: "no-img-lazy-with-high-fetchpriority",
 	title: "Lazy image with high fetchPriority",
@@ -19948,7 +20102,7 @@ const noImgLazyWithHighFetchpriority = defineRule({
 		if (!fetchPriorityAttribute || getJsxPropStringValue(fetchPriorityAttribute)?.toLowerCase() !== "high") return;
 		context.report({
 			node: node.name,
-			message: MESSAGE$20
+			message: MESSAGE$21
 		});
 	} })
 });
@@ -20045,15 +20199,20 @@ const noInlineExhaustiveStyle = defineRule({
 	severity: "warn",
 	tags: ["test-noise", "react-jsx-only"],
 	recommendation: "Move the styles to a CSS class, CSS module, Tailwind utilities, or a styled component. Big inline objects are hard to read and rebuild on every update.",
-	create: (context) => ({ JSXAttribute(node) {
-		const expression = getInlineStyleExpression(node);
-		if (!expression) return;
-		const propertyCount = expression.properties?.filter((property) => isNodeOfType(property, "Property")).length ?? 0;
-		if (propertyCount >= 8) context.report({
-			node: expression,
-			message: `This inline style has ${propertyCount} properties, which is hard to read & rebuilds every render. Move it to a CSS class, CSS module, or styled component.`
-		});
-	} })
+	create: (context) => {
+		if (isGeneratedImageRenderContext(context)) return {};
+		return { JSXAttribute(node) {
+			const expression = getInlineStyleExpression(node);
+			if (!expression) return;
+			const propertyCount = expression.properties?.filter((property) => isNodeOfType(property, "Property")).length ?? 0;
+			if (propertyCount < 8) return;
+			if (isGeneratedImageRenderContext(context, node.parent ?? void 0)) return;
+			context.report({
+				node: expression,
+				message: `This inline style has ${propertyCount} properties, which is hard to read & rebuilds every render. Move it to a CSS class, CSS module, or styled component.`
+			});
+		} };
+	}
 });
 //#endregion
 //#region src/plugin/rules/performance/no-inline-prop-on-memo-component.ts
@@ -20183,7 +20342,7 @@ const noIsMounted = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/js-performance/no-json-parse-stringify-clone.ts
-const MESSAGE$19 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
+const MESSAGE$20 = "`JSON.parse(JSON.stringify(x))` deep-clones by re-serializing: it is slow on large objects and silently drops `undefined`, functions, `Date`/`Map`/`Set`, and cyclic references. Use `structuredClone(x)`.";
 const isJsonMethodCall = (node, method) => {
 	if (!isNodeOfType(node, "CallExpression")) return false;
 	const callee = node.callee;
@@ -20200,13 +20359,13 @@ const noJsonParseStringifyClone = defineRule({
 		if (!firstArgument || !isJsonMethodCall(firstArgument, "stringify")) return;
 		context.report({
 			node,
-			message: MESSAGE$19
+			message: MESSAGE$20
 		});
 	} })
 });
 //#endregion
 //#region src/plugin/rules/correctness/no-jsx-element-type.ts
-const MESSAGE$18 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
+const MESSAGE$19 = "`JSX.Element` is too narrow: it excludes `null`, strings, numbers, and fragments that components commonly return. Use `React.ReactNode` instead.";
 const isJsxElementTypeReference = (node) => {
 	if (!isNodeOfType(node, "TSTypeReference")) return false;
 	const typeName = node.typeName;
@@ -20223,7 +20382,7 @@ const checkReturnType = (context, returnType) => {
 	if (!typeAnnotation) return;
 	if (isJsxElementTypeReference(typeAnnotation)) context.report({
 		node: typeAnnotation,
-		message: MESSAGE$18
+		message: MESSAGE$19
 	});
 };
 const noJsxElementType = defineRule({
@@ -20678,7 +20837,7 @@ const noMoment = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-multi-comp.ts
-const MESSAGE$17 = "This file declares several components, so each component is harder to find, test, and change.";
+const MESSAGE$18 = "This file declares several components, so each component is harder to find, test, and change.";
 const resolveSettings$16 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	return { ignoreStateless: (typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noMultiComp ?? {} : {}).ignoreStateless ?? false };
@@ -21000,7 +21159,7 @@ const noMultiComp = defineRule({
 			if (isSmallFeatureModule || isLargeFeatureModule || isVeryLargeFeatureModule) return;
 			for (const component of flagged.slice(1)) context.report({
 				node: component.reportNode,
-				message: MESSAGE$17
+				message: MESSAGE$18
 			});
 		} };
 	}
@@ -21168,7 +21327,7 @@ const resolveReducerFunction = (node, currentFilename) => {
 };
 //#endregion
 //#region src/plugin/rules/state-and-effects/no-mutating-reducer-state.ts
-const MESSAGE$16 = "This reducer changes state in place, so your update is silently skipped.";
+const MESSAGE$17 = "This reducer changes state in place, so your update is silently skipped.";
 const SAME_REFERENCE_ARRAY_RETURN_METHODS = new Set([
 	"copyWithin",
 	"fill",
@@ -21378,7 +21537,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(options.crossFileConsumerCallSite);
 			context.report({
 				node: options.crossFileConsumerCallSite,
-				message: `${MESSAGE$16} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
+				message: `${MESSAGE$17} (mutation in imported reducer at \`${options.crossFileSourceDisplay}\`)`
 			});
 			return;
 		}
@@ -21387,7 +21546,7 @@ const analyzeReactUseReducerFunctionForStateMutation = (context, functionNode, r
 			reportedNodes.add(mutation.node);
 			context.report({
 				node: mutation.node,
-				message: MESSAGE$16
+				message: MESSAGE$17
 			});
 		}
 	};
@@ -21659,7 +21818,7 @@ const noNoninteractiveElementToInteractiveRole = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/a11y/no-noninteractive-tabindex.ts
-const MESSAGE$15 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
+const MESSAGE$16 = "Keyboard users get stuck focusing this element they can't act on because `tabIndex` makes it tabbable, so remove it.";
 const resolveSettings$14 = (settings) => {
 	const reactDoctor = settings?.["react-doctor"];
 	const ruleSettings = typeof reactDoctor === "object" && reactDoctor !== null ? reactDoctor.noNoninteractiveTabindex ?? {} : {};
@@ -21687,7 +21846,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (numeric === null) {
 				if (isNodeOfType(tabIndexValue, "JSXExpressionContainer") && !settings.allowExpressionValues) context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$16
 				});
 				return;
 			}
@@ -21700,7 +21859,7 @@ const noNoninteractiveTabindex = defineRule({
 			if (!roleAttribute) {
 				context.report({
 					node: tabIndex,
-					message: MESSAGE$15
+					message: MESSAGE$16
 				});
 				return;
 			}
@@ -21714,7 +21873,7 @@ const noNoninteractiveTabindex = defineRule({
 			}
 			context.report({
 				node: tabIndex,
-				message: MESSAGE$15
+				message: MESSAGE$16
 			});
 		} };
 	}
@@ -22405,7 +22564,7 @@ const noRandomKey = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-react-children.ts
-const MESSAGE$14 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
+const MESSAGE$15 = "`React.Children` traversal depends on the runtime child shape, so wrapping or unwrapping a child can silently change what gets visited.";
 const isChildrenIdentifier = (node, contextNode) => {
 	if (!isNodeOfType(node, "Identifier") || node.name !== "Children") return false;
 	return isImportedFromModule(contextNode, "Children", "react");
@@ -22431,13 +22590,13 @@ const noReactChildren = defineRule({
 		if (isChildrenIdentifier(memberObject, node)) {
 			context.report({
 				node: calleeOuter,
-				message: MESSAGE$14
+				message: MESSAGE$15
 			});
 			return;
 		}
 		if (isReactNamespaceMember(memberObject, node)) context.report({
 			node: calleeOuter,
-			message: MESSAGE$14
+			message: MESSAGE$15
 		});
 	} })
 });
@@ -22760,7 +22919,7 @@ const noRenderPropChildren = defineRule({
 });
 //#endregion
 //#region src/plugin/rules/react-builtins/no-render-return-value.ts
-const MESSAGE$13 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
+const MESSAGE$14 = "Your app breaks in React 19 because `ReactDOM.render` returns nothing there.";
 const isReactDomRenderCall = (node) => {
 	if (!isNodeOfType(node.callee, "MemberExpression")) return false;
 	if (!isNodeOfType(node.callee.object, "Identifier")) return false;
@@ -22784,7 +22943,7 @@ const noRenderReturnValue = defineRule({
 		if (!isUsedAsReturnValue(node.parent)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$13
+			message: MESSAGE$14
 		});
 	} })
 });
@@ -22944,11 +23103,17 @@ const classifySecretFileExposure = (filename, options = {}) => {
 	return "unknown";
 };
 //#endregion
-//#region src/plugin/utils/get-identifier-trailing-word.ts
-const getIdentifierTrailingWord = (identifierName) => {
-	return identifierName.match(/[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g)?.at(-1)?.toLowerCase() ?? identifierName.toLowerCase();
+//#region src/plugin/utils/tokenize-identifier-words.ts
+const IDENTIFIER_WORD_PATTERN = /[A-Z]+(?=[A-Z][a-z]|\b)|[A-Z]?[a-z]+|\d+/g;
+const tokenizeIdentifierWords = (identifierName) => {
+	const words = identifierName.match(IDENTIFIER_WORD_PATTERN);
+	if (!words) return [];
+	return words.map((word) => word.toLowerCase());
 };
 //#endregion
+//#region src/plugin/utils/get-identifier-trailing-word.ts
+const getIdentifierTrailingWord = (identifierName) => tokenizeIdentifierWords(identifierName).at(-1) ?? identifierName.toLowerCase();
+//#endregion
 //#region src/plugin/constants/tanstack.ts
 const TANSTACK_ROUTE_FILE_PATTERN = /\/routes\//;
 const TANSTACK_ROOT_ROUTE_FILE_PATTERN = /__root\.(tsx?|jsx?)$/;
@@ -23476,7 +23641,7 @@ const getParentComponent = (node) => {
 };
 //#endregion
 //#region src/plugin/rules/react-builtins/no-set-state.ts
-const MESSAGE$12 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
+const MESSAGE$13 = "`this.setState` keeps local class state in a project that forbids it, so state ownership becomes harder to reason about.";
 const noSetState = defineRule({
 	id: "no-set-state",
 	title: "Local class state forbidden",
@@ -23491,7 +23656,7 @@ const noSetState = defineRule({
 		if (!getParentComponent(node)) return;
 		context.report({
 			node: node.callee,
-			message: MESSAGE$12
+			message: MESSAGE$13
 		});
 	} })
 });
@@ -23653,7 +23818,7 @@ const isAbstractRole = (openingElement, settings) => {
 };
 //#endregion
 //#region src/plugin/rules/a11y/no-static-element-interactions.ts
-const MESSAGE$11 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
+const MESSAGE$12 = "Screen reader users can't tell this click handler is interactive because it has no `role`, so add a `role` or use a button or link.";
 const DEFAULT_HANDLERS = [
 	"onClick",
 	"onMouseDown",
@@ -23713,7 +23878,7 @@ const noStaticElementInteractions = defineRule({
 			if (!roleAttribute || !roleAttribute.value) {
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$12
 				});
 				return;
 			}
@@ -23723,19 +23888,66 @@ const noStaticElementInteractions = defineRule({
 				if (firstRole && (isInteractiveRole(firstRole) || isNonInteractiveRole(firstRole))) return;
 				context.report({
 					node: node.name,
-					message: MESSAGE$11
+					message: MESSAGE$12
 				});
 				return;
 			}
 			if (isNodeOfType(attributeValue, "JSXExpressionContainer") && settings.allowExpressionValues) return;
 			context.report({
 				node: node.name,
-				message: MESSAGE$11
+				message: MESSAGE$12
 			});
 		} };
 	}
 });
 //#endregion
+//#region src/plugin/rules/react-builtins/no-string-false-on-boolean-attribute.ts
+const BOOLEAN_ATTRIBUTES = new Set([
+	"disabled",
+	"checked",
+	"readonly",
+	"required",
+	"selected",
+	"multiple",
+	"autofocus",
+	"autoplay",
+	"controls",
+	"loop",
+	"muted",
+	"open",
+	"reversed",
+	"default",
+	"novalidate",
+	"formnovalidate",
+	"playsinline",
+	"itemscope",
+	"allowfullscreen"
+]);
+const noStringFalseOnBooleanAttribute = defineRule({
+	id: "no-string-false-on-boolean-attribute",
+	title: "String true/false on a boolean attribute",
+	severity: "warn",
+	recommendation: "Use the boolean form on boolean attributes: `disabled` / `disabled={true}` / `disabled={false}`, not `disabled=\"false\"`. A non-empty string is truthy, so `=\"false\"` actually turns the attribute ON.",
+	create: (context) => ({ JSXOpeningElement(node) {
+		if (!isNodeOfType(node.name, "JSXIdentifier")) return;
+		const firstCharacter = node.name.name.charCodeAt(0);
+		if (firstCharacter < 97 || firstCharacter > 122) return;
+		for (const attribute of node.attributes) {
+			if (!isNodeOfType(attribute, "JSXAttribute")) continue;
+			if (!isNodeOfType(attribute.name, "JSXIdentifier")) continue;
+			if (!BOOLEAN_ATTRIBUTES.has(attribute.name.name.toLowerCase())) continue;
+			const value = getJsxPropStringValue(attribute);
+			if (value !== "false" && value !== "true") continue;
+			const attributeName = attribute.name.name;
+			const guidance = value === "false" ? `which React treats as truthy, so the attribute is applied even though you wrote "false". Use \`${attributeName}={false}\` (or omit the attribute) to keep it off` : `but a boolean attribute takes a boolean, not the string "true". Use \`${attributeName}\` or \`${attributeName}={true}\``;
+			context.report({
+				node: attribute,
+				message: `\`${attributeName}="${value}"\` passes the string "${value}", ${guidance}.`
+			});
+		}
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-string-refs.ts
 const STRING_IN_REF_MESSAGE = "Your component can't reach this node because string refs don't work in modern React.";
 const THIS_REFS_MESSAGE = "Your component can't reach its nodes because `this.refs` is empty in modern React.";
@@ -23786,6 +23998,27 @@ const noStringRefs = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/rules/js-performance/no-sync-xhr.ts
+const MESSAGE$11 = "A synchronous `XMLHttpRequest` (`.open(method, url, false)`) freezes the main thread until the request finishes, blocking all rendering and input. Use `fetch()` or an async XHR (`open(method, url, true)`).";
+const isFalseLiteral = (node) => isNodeOfType(node, "Literal") && node.value === false;
+const noSyncXhr = defineRule({
+	id: "no-sync-xhr",
+	title: "Synchronous XMLHttpRequest",
+	severity: "warn",
+	recommendation: "Never open an XMLHttpRequest synchronously (`async` = `false`). It blocks the main thread. Use `fetch()` or pass `true` and handle the response asynchronously.",
+	create: (context) => ({ CallExpression(node) {
+		const callee = node.callee;
+		if (!isNodeOfType(callee, "MemberExpression") || callee.computed) return;
+		if (!isNodeOfType(callee.property, "Identifier") || callee.property.name !== "open") return;
+		const asyncArgument = node.arguments?.[2];
+		if (!asyncArgument || !isFalseLiteral(stripParenExpression(asyncArgument))) return;
+		context.report({
+			node,
+			message: MESSAGE$11
+		});
+	} })
+});
+//#endregion
 //#region src/plugin/rules/react-builtins/no-this-in-sfc.ts
 const MESSAGE$10 = "This value is `undefined` because function components have no `this`.";
 const isInsideClassMethod = (node, customClassFactoryNames) => {
@@ -25195,15 +25428,8 @@ const expressionContainsJsxOrCreateElement = (root) => {
 	visit(root);
 	return found;
 };
-const classExtendsReactComponent$1 = (classNode) => {
-	const superClass = classNode.superClass;
-	if (!superClass) return false;
-	if (isNodeOfType(superClass, "Identifier") && (superClass.name === "Component" || superClass.name === "PureComponent")) return true;
-	if (isNodeOfType(superClass, "MemberExpression") && isNodeOfType(superClass.object, "Identifier") && superClass.object.name === "React" && isNodeOfType(superClass.property, "Identifier") && (superClass.property.name === "Component" || superClass.property.name === "PureComponent")) return true;
-	return false;
-};
 const isReactClassComponent = (classNode) => {
-	if (classExtendsReactComponent$1(classNode)) return true;
+	if (isEs6Component(classNode)) return true;
 	return expressionContainsJsxOrCreateElement(classNode);
 };
 const findEnclosingComponent = (node) => {
@@ -25363,7 +25589,7 @@ const noUnstableNestedComponents = defineRule({
 	create: (context) => {
 		const settings = resolveSettings$8(context.settings);
 		const renderPropRegex = compileGlob(settings.propNamePattern);
-		const reportCandidate = (candidateNode, reportNode, candidateName) => {
+		const reportCandidate = (candidateNode, reportNode) => {
 			if (isFirstArgumentOfHocCall(candidateNode)) return;
 			if (isReturnOfMapCallback(candidateNode)) return;
 			const propInfo = isComponentDeclaredInProp(candidateNode);
@@ -25384,7 +25610,7 @@ const noUnstableNestedComponents = defineRule({
 			const inferredName = inferFunctionLikeName(node);
 			const propInfo = isComponentDeclaredInProp(node);
 			if (!(inferredName !== null && isReactComponentName(inferredName) || propInfo !== null || isObjectCallbackCandidate(node))) return;
-			reportCandidate(node, node, inferredName);
+			reportCandidate(node, node);
 		};
 		return {
 			FunctionDeclaration: checkFunctionLike,
@@ -25394,18 +25620,18 @@ const noUnstableNestedComponents = defineRule({
 				if (!node.id) return;
 				if (!isReactComponentName(node.id.name)) return;
 				if (!isReactClassComponent(node)) return;
-				reportCandidate(node, node, node.id.name);
+				reportCandidate(node, node);
 			},
 			ClassExpression(node) {
 				const inferredName = node.id?.name ?? inferFunctionLikeName(node);
 				if (!inferredName || !isReactComponentName(inferredName)) return;
 				if (!isReactClassComponent(node)) return;
-				reportCandidate(node, node, inferredName);
+				reportCandidate(node, node);
 			},
 			CallExpression(node) {
 				if (!isHocCallee$1(node)) return;
 				if (!hocCallContainsComponent(node)) return;
-				reportCandidate(node, node, null);
+				reportCandidate(node, node);
 			}
 		};
 	}
@@ -25845,13 +26071,6 @@ const skipTsExpression = (expression) => {
 	if (expression.type === "TSAsExpression" || expression.type === "TSSatisfiesExpression" || expression.type === "TSNonNullExpression") return skipTsExpression(expression.expression);
 	return expression;
 };
-const classExtendsReactComponent = (classNode) => {
-	const superClass = classNode.superClass;
-	if (!superClass) return false;
-	if (isNodeOfType(superClass, "Identifier") && (superClass.name === "Component" || superClass.name === "PureComponent")) return true;
-	if (isNodeOfType(superClass, "MemberExpression") && isNodeOfType(superClass.object, "Identifier") && superClass.object.name === "React" && isNodeOfType(superClass.property, "Identifier") && (superClass.property.name === "Component" || superClass.property.name === "PureComponent")) return true;
-	return false;
-};
 const isReactCreateContext = (initializer) => {
 	if (!initializer) return false;
 	const expression = skipTsExpression(initializer);
@@ -26042,7 +26261,7 @@ const onlyExportComponents = defineRule({
 						if (stripped.id) {
 							const idNode = stripped.id;
 							isExportedNodeIds.add(stripped);
-							if (isReactComponentName(idNode.name) && classExtendsReactComponent(stripped)) hasReactExport = true;
+							if (isReactComponentName(idNode.name) && isEs6Component(stripped)) hasReactExport = true;
 							else exports.push({
 								kind: "non-component",
 								reportNode: idNode
@@ -26102,7 +26321,7 @@ const onlyExportComponents = defineRule({
 							exports.push(classifyExport(declaration.id.name, declaration.id, true, null, state));
 						} else if (isNodeOfType(declaration, "ClassDeclaration") && declaration.id) {
 							isExportedNodeIds.add(declaration);
-							if (isReactComponentName(declaration.id.name) && classExtendsReactComponent(declaration)) exports.push({ kind: "react-component" });
+							if (isReactComponentName(declaration.id.name) && isEs6Component(declaration)) exports.push({ kind: "react-component" });
 							else exports.push({
 								kind: "non-component",
 								reportNode: declaration.id
@@ -34895,6 +35114,47 @@ const serverAfterNonblocking = defineRule({
 	}
 });
 //#endregion
+//#region src/plugin/utils/is-auth-guard-name.ts
+const SIGNED_IN_HEAD_TOKENS = new Set([
+	"signed",
+	"logged",
+	"sign"
+]);
+const mergeSignedInTokens = (tokens) => {
+	const mergedTokens = [];
+	for (let tokenIndex = 0; tokenIndex < tokens.length; tokenIndex += 1) {
+		const currentToken = tokens[tokenIndex];
+		if (SIGNED_IN_HEAD_TOKENS.has(currentToken) && tokens[tokenIndex + 1] === "in") {
+			mergedTokens.push(`${currentToken}in`);
+			tokenIndex += 1;
+			continue;
+		}
+		mergedTokens.push(currentToken);
+	}
+	return mergedTokens;
+};
+const isAuthGuardName = (calleeName) => {
+	const tokens = mergeSignedInTokens(tokenizeIdentifierWords(calleeName));
+	if (tokens.length === 0) return false;
+	let hasAssertiveVerb = false;
+	let hasGetterVerb = false;
+	let hasQualifier = false;
+	let hasStrongNoun = false;
+	let hasWeakNoun = false;
+	for (const token of tokens) {
+		if (AUTH_STRONG_TOKEN_PATTERN.test(token) || AUTH_STANDALONE_NOUN_TOKENS.has(token)) return true;
+		if (AUTH_ASSERTIVE_VERB_TOKENS.has(token)) hasAssertiveVerb = true;
+		if (AUTH_GETTER_VERB_TOKENS.has(token)) hasGetterVerb = true;
+		if (AUTH_QUALIFIER_TOKENS.has(token)) hasQualifier = true;
+		if (AUTH_STRONG_NOUN_TOKENS.has(token)) hasStrongNoun = true;
+		if (AUTH_WEAK_NOUN_TOKENS.has(token)) hasWeakNoun = true;
+	}
+	if (hasAssertiveVerb && (hasStrongNoun || hasWeakNoun)) return true;
+	if (hasGetterVerb && hasStrongNoun) return true;
+	if (hasQualifier && hasWeakNoun) return true;
+	return false;
+};
+//#endregion
 //#region src/plugin/rules/server/server-auth-actions.ts
 const isAsyncFunctionLikeNode = (node) => {
 	if (!node) return false;
@@ -34937,9 +35197,13 @@ const isMemberCallAuthRelated = (receiverNode, methodName, genericMethodNames) =
 const getAuthCallName = (callExpression, allowedFunctionNames, genericMethodNames) => {
 	const calleeNode = unwrapTypeWrappedCallee(callExpression.callee);
 	if (!calleeNode) return null;
-	if (isNodeOfType(calleeNode, "Identifier")) return allowedFunctionNames.has(calleeNode.name) ? calleeNode.name : null;
+	if (isNodeOfType(calleeNode, "Identifier")) {
+		const calleeName = calleeNode.name;
+		return allowedFunctionNames.has(calleeName) || isAuthGuardName(calleeName) ? calleeName : null;
+	}
 	if (isNodeOfType(calleeNode, "MemberExpression") && isNodeOfType(calleeNode.property, "Identifier")) {
 		const methodName = calleeNode.property.name;
+		if (isAuthGuardName(methodName)) return methodName;
 		if (!allowedFunctionNames.has(methodName)) return null;
 		if (!isMemberCallAuthRelated(calleeNode.object, methodName, genericMethodNames)) return null;
 		return methodName;
@@ -35161,6 +35425,7 @@ const serverFetchWithoutRevalidate = defineRule({
 			CallExpression(node) {
 				if (!isServerSideFile) return;
 				if (!isFetchCall(node)) return;
+				if (isMutatingFetchCall(node)) return;
 				const optionsArg = node.arguments?.[1];
 				if (optionsArg && objectExpressionHasNextRevalidate(optionsArg)) return;
 				const urlArg = node.arguments?.[0];
@@ -35316,13 +35581,7 @@ const serverNoMutableModuleState = defineRule({
 const collectDeclaredNames = (declaration) => {
 	const names = /* @__PURE__ */ new Set();
 	if (!isNodeOfType(declaration, "VariableDeclaration")) return names;
-	for (const declarator of declaration.declarations ?? []) if (isNodeOfType(declarator.id, "Identifier")) names.add(declarator.id.name);
-	else if (isNodeOfType(declarator.id, "ObjectPattern")) {
-		for (const property of declarator.id.properties ?? []) if (isNodeOfType(property, "Property") && isNodeOfType(property.value, "Identifier")) names.add(property.value.name);
-		else if (isNodeOfType(property, "RestElement") && isNodeOfType(property.argument, "Identifier")) names.add(property.argument.name);
-	} else if (isNodeOfType(declarator.id, "ArrayPattern")) {
-		for (const element of declarator.id.elements ?? []) if (isNodeOfType(element, "Identifier")) names.add(element.name);
-	}
+	for (const declarator of declaration.declarations ?? []) collectPatternNames(declarator.id, names);
 	return names;
 };
 const declarationStartsWithAwait = (declaration) => {
@@ -35332,11 +35591,15 @@ const declarationStartsWithAwait = (declaration) => {
 };
 const declarationReadsAnyName = (declaration, names) => {
 	if (names.size === 0) return false;
+	if (!isNodeOfType(declaration, "VariableDeclaration")) return false;
 	let didRead = false;
-	walkAst(declaration, (child) => {
-		if (didRead) return;
-		if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
-	});
+	for (const declarator of declaration.declarations ?? []) {
+		if (!declarator.init) continue;
+		walkAst(declarator.init, (child) => {
+			if (didRead) return;
+			if (isNodeOfType(child, "Identifier") && names.has(child.name)) didRead = true;
+		});
+	}
 	return didRead;
 };
 const serverSequentialIndependentAwait = defineRule({
@@ -36596,7 +36859,7 @@ const urlPrefilledPrivilegedAction = defineRule({
 	recommendation: "Require server-side validation and explicit confirmation for URL-sourced invite, role, permission, redirect, or sharing parameters.",
 	scan: scanByPattern({
 		shouldScan: (file) => isClientSourcePath(file.relativePath),
-		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?)\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
+		pattern: /(?<!(?:safe|valid|sanitiz|relativ|allowlist|whitelist)[\w$]*\(\s*(?:new\s+)?(?:[\w$]+\s*\.\s*){0,4})\b(?:searchParams|useSearchParams\s*\(\s*\)|URLSearchParams\s*\([^)]{0,120}\))(?:[?!])?\.get(?:All)?\s*\(\s*["'](?:userstoinvite|role|permission|sharingaction|invite|admin|next|continue|returnTo|redirect_uri|callbackUrl)["']|\bsearchParams\.(?:userstoinvite|role|permission|sharingaction|invite|admin|returnTo|redirect_uri|callbackUrl)\b/i,
 		message: "Client code reads sensitive action state from the URL, which can pre-fill invites, roles, redirects, or sharing flows with attacker values."
 	})
 });
@@ -39052,6 +39315,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noDocumentStartViewTransition.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-document-write",
+		id: "no-document-write",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noDocumentWrite,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-dynamic-import-path",
 		id: "no-dynamic-import-path",
@@ -39861,6 +40135,18 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStaticElementInteractions.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-string-false-on-boolean-attribute",
+		id: "no-string-false-on-boolean-attribute",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noStringFalseOnBooleanAttribute,
+			framework: "global",
+			category: "Bugs",
+			requires: [...new Set(["react", ...noStringFalseOnBooleanAttribute.requires ?? []])]
+		}
+	},
 	{
 		key: "react-doctor/no-string-refs",
 		id: "no-string-refs",
@@ -39873,6 +40159,17 @@ const reactDoctorRules = [
 			requires: [...new Set(["react", ...noStringRefs.requires ?? []])]
 		}
 	},
+	{
+		key: "react-doctor/no-sync-xhr",
+		id: "no-sync-xhr",
+		source: "react-doctor",
+		originallyExternal: false,
+		rule: {
+			...noSyncXhr,
+			framework: "global",
+			category: "Performance"
+		}
+	},
 	{
 		key: "react-doctor/no-this-in-sfc",
 		id: "no-this-in-sfc",
@@ -41981,32 +42278,6 @@ const computeUnconditionalSet = (cfg) => {
 	}
 	return unconditional;
 };
-const computeDominatesExit = (cfg) => {
-	const reachableToExit = /* @__PURE__ */ new Set();
-	const queue = [cfg.exit];
-	while (queue.length > 0) {
-		const block = queue.shift();
-		if (reachableToExit.has(block)) continue;
-		reachableToExit.add(block);
-		for (const edge of block.predecessors) queue.push(edge.from);
-	}
-	const dominatesExit = /* @__PURE__ */ new Set();
-	const visit = (block) => {
-		if (block === cfg.exit) return true;
-		if (dominatesExit.has(block)) return true;
-		if (block.successors.length === 0) return false;
-		dominatesExit.add(block);
-		let allReach = true;
-		for (const edge of block.successors) if (!visit(edge.to)) {
-			allReach = false;
-			break;
-		}
-		if (!allReach) dominatesExit.delete(block);
-		return allReach;
-	};
-	for (const block of cfg.blocks) visit(block);
-	return dominatesExit;
-};
 const analyzeControlFlow = (program) => {
 	nextBlockId = 0;
 	const functionCfgs = /* @__PURE__ */ new Map();
@@ -42014,8 +42285,7 @@ const analyzeControlFlow = (program) => {
 		const cfg = buildFunctionCfg(functionNode, body);
 		functionCfgs.set(functionNode, {
 			cfg,
-			unconditionalSet: computeUnconditionalSet(cfg),
-			dominatesExitSet: computeDominatesExit(cfg)
+			unconditionalSet: computeUnconditionalSet(cfg)
 		});
 	};
 	if (isNodeOfType(program, "Program")) buildFor(program, {
@@ -42058,20 +42328,10 @@ const analyzeControlFlow = (program) => {
 		if (!block) return true;
 		return entry.unconditionalSet.has(block);
 	};
-	const dominatesExit = (node) => {
-		const owner = enclosingFunction(node);
-		if (!owner) return true;
-		const entry = functionCfgs.get(owner);
-		if (!entry) return true;
-		const block = entry.cfg.blockOf(node);
-		if (!block) return true;
-		return entry.dominatesExitSet.has(block);
-	};
 	return {
 		cfgFor,
 		enclosingFunction,
-		isUnconditionalFromEntry,
-		dominatesExit
+		isUnconditionalFromEntry
 	};
 };
 //#endregion
@@ -42096,8 +42356,7 @@ const buildFallbackScopes = () => ({
 const FALLBACK_CFG = {
 	cfgFor: () => null,
 	enclosingFunction: () => null,
-	isUnconditionalFromEntry: () => false,
-	dominatesExit: () => false
+	isUnconditionalFromEntry: () => false
 };
 const wrapWithSemanticContext = (rule) => ({
 	...rule,