millionco · aidenybai · Jun 8, 2026 · Jun 8, 2026 · Jun 9, 2026 · Jun 9, 2026
diff --git a/.changeset/cool-fans-fly.md b/.changeset/cool-fans-fly.md
@@ -0,0 +1,6 @@
+---
+"react-doctor": patch
+"oxlint-plugin-react-doctor": patch
+---
+
+Refine security posture scanner false positives while preserving coverage for Firebase compat writes, public scripts, private key material, and unsafe signature comparisons. Share oxlint AST parsing utilities through an explicit plugin subpath.
diff --git a/packages/core/src/run-inspect.ts b/packages/core/src/run-inspect.ts
@@ -324,7 +324,6 @@ export const runInspect = <HooksR = never>(
         Stream.tap((diagnostic) => reporterService.emit(diagnostic)),
       );
 
-    // ── Phase: environment checks ──────────────────────────────────
     const environmentDiagnostics: ReadonlyArray<Diagnostic> = isDiffMode
       ? []
       : [

diff --git a/packages/core/src/services/linter.ts b/packages/core/src/services/linter.ts
@@ -3,6 +3,7 @@ import * as Effect from "effect/Effect";
 import * as Layer from "effect/Layer";
 import * as Ref from "effect/Ref";
 import * as Stream from "effect/Stream";
+import reactDoctorPlugin, { checkSecurityPosture } from "oxlint-plugin-react-doctor";
 import type { Diagnostic, ProjectInfo, ReactDoctorConfig } from "../types/index.js";
 import { OxlintSpawnFailed, ReactDoctorError } from "../errors.js";
 import { OxlintConcurrency, OxlintOutputMaxBytes, OxlintSpawnTimeoutMs } from "../refs.js";
@@ -53,6 +54,19 @@ const ensureReactDoctorError = (cause: unknown): ReactDoctorError =>
     ? cause
     : new ReactDoctorError({ reason: new OxlintSpawnFailed({ cause }) });
 
+const isSecurityPostureDiagnosticEnabled = (
+  diagnostic: Diagnostic,
+  ignoredTags: ReadonlySet<string> | undefined,
+): boolean => {
+  const rule = reactDoctorPlugin.rules[diagnostic.rule];
+  if (!rule) return true;
+  if (!rule.tags) return true;
+  for (const tag of rule.tags) {
+    if (ignoredTags?.has(tag)) return false;
+  }
+  return true;
+};
+
 /**
  * `Linter` is the cross-backend service for "produce diagnostics for
  * an input." Today the only live layer is `layerOxlint` — wrapping
@@ -107,7 +121,7 @@ export class Linter extends Context.Service<
             const outputMaxBytes = yield* OxlintOutputMaxBytes;
             const concurrency = yield* OxlintConcurrency;
             const collectedFailures: string[] = [];
-            const diagnostics = yield* Effect.tryPromise({
+            const oxlintDiagnostics = yield* Effect.tryPromise({
               try: () =>
                 runOxlint({
                   rootDirectory: input.rootDirectory,
@@ -130,6 +144,15 @@ export class Linter extends Context.Service<
                 }),
               catch: ensureReactDoctorError,
             });
+            const diagnostics =
+              input.includePaths === undefined
+                ? [
+                    ...oxlintDiagnostics,
+                    ...checkSecurityPosture(input.rootDirectory).filter((diagnostic) =>
+                      isSecurityPostureDiagnosticEnabled(diagnostic, input.ignoredTags),
+                    ),
+                  ]
+                : oxlintDiagnostics;
             if (collectedFailures.length > 0) {
               yield* Ref.update(partialFailures, (existing) => [...existing, ...collectedFailures]);
             }
-Original file line number
+Diff line change
@@ Expand Up / @@ -324,7 +324,6 @@ export const runInspect = <HooksR = never>( @@
             Stream.tap((diagnostic) => reporterService.emit(diagnostic)),
           );
-        // ── Phase: environment checks ──────────────────────────────────
         const environmentDiagnostics: ReadonlyArray<Diagnostic> = isDiffMode
           ? []
           : [
@@ Expand Down @@