counterfact · pmcelhaney · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/.github/issue-proposals/audit-security-detect-unsafe-regex-warnings.md b/.github/issue-proposals/audit-security-detect-unsafe-regex-warnings.md
@@ -0,0 +1,17 @@
+---
+title: Audit and resolve security/detect-unsafe-regex warnings
+parentIssue: 1901
+---
+
+Review each `security/detect-unsafe-regex` warning for potential ReDoS risk and either replace with safer regex patterns or annotate proven-safe usage.
+
+## Context and motivation
+
+Even with a small count, unsafe-regex findings can have high impact. Each pattern should be intentionally reviewed with input size and runtime behavior in mind.
+
+## Acceptance criteria
+
+- [ ] Every current `security/detect-unsafe-regex` warning has a documented disposition
+- [ ] Any vulnerable or questionable regex is rewritten to avoid catastrophic backtracking
+- [ ] Any suppression includes a proof-oriented safety note
+- [ ] Rule warnings are reduced or eliminated without changing intended behavior
diff --git a/...ssue-proposals/disable-import-no-named-as-default-member-for-js-yaml-interop.md b/...ssue-proposals/disable-import-no-named-as-default-member-for-js-yaml-interop.md
@@ -0,0 +1,17 @@
+---
+title: Disable import/no-named-as-default-member for js-yaml interop noise
+parentIssue: 1901
+---
+
+Disable `import/no-named-as-default-member` (or scope-disable it in affected test files) to remove false-positive warnings around `js-yaml` usage.
+
+## Context and motivation
+
+Current warnings are concentrated in test code and are not indicating real defects. Reducing this noise improves lint signal for higher-value findings.
+
+## Acceptance criteria
+
+- [ ] Existing warning sites are reviewed to confirm false-positive behavior
+- [ ] Lint configuration is updated with the narrowest practical disable strategy
+- [ ] No functional behavior changes are introduced in tests
+- [ ] `import/no-named-as-default-member` warnings are eliminated
diff --git a/...ssue-proposals/re-enable-or-remove-disabled-tests-for-jest-no-disabled-tests.md b/...ssue-proposals/re-enable-or-remove-disabled-tests-for-jest-no-disabled-tests.md
@@ -0,0 +1,17 @@
+---
+title: Re-enable or remove disabled tests for jest/no-disabled-tests
+parentIssue: 1901
+---
+
+Resolve `jest/no-disabled-tests` findings by re-enabling skipped tests or removing obsolete ones.
+
+## Context and motivation
+
+Disabled tests reduce confidence and can mask regressions over time. The remaining skipped tests should be intentional and temporary, or removed.
+
+## Acceptance criteria
+
+- [ ] Every currently skipped test is evaluated
+- [ ] Tests that should remain are re-enabled with passing behavior
+- [ ] Obsolete or no-longer-actionable skipped tests are removed
+- [ ] `jest/no-disabled-tests` warnings are eliminated
diff --git a/.github/issue-proposals/reduce-security-detect-non-literal-fs-filename-warnings.md b/.github/issue-proposals/reduce-security-detect-non-literal-fs-filename-warnings.md
@@ -0,0 +1,17 @@
+---
+title: Reduce security/detect-non-literal-fs-filename warnings
+parentIssue: 1901
+---
+
+Address `security/detect-non-literal-fs-filename` warnings by introducing consistent path validation and narrowly scoped suppressions for trusted internal paths.
+
+## Context and motivation
+
+This rule currently generates the largest warning volume. Most hits are in internal file generation and migration flows where dynamic paths are expected. We should reduce noise without weakening protection for untrusted inputs.
+
+## Acceptance criteria
+
+- [ ] All current `security/detect-non-literal-fs-filename` warning sites are triaged as either fixable or intentionally ignored
+- [ ] High-risk call sites that touch user-provided paths use explicit validation/normalization before file-system access
+- [ ] Any lint suppressions include an inline safety rationale
+- [ ] Net warning count for this rule is reduced
diff --git a/.github/issue-proposals/reduce-security-detect-object-injection-warnings.md b/.github/issue-proposals/reduce-security-detect-object-injection-warnings.md
@@ -0,0 +1,17 @@
+---
+title: Reduce security/detect-object-injection warnings
+parentIssue: 1901
+---
+
+Reduce `security/detect-object-injection` warnings by replacing ambiguous dynamic object indexing with safer access patterns or documenting trusted usage.
+
+## Context and motivation
+
+Many warnings come from map-like structures and route/context registries where dynamic keys are expected. We need a consistent pattern for safe keyed access so this rule remains useful.
+
+## Acceptance criteria
+
+- [ ] All current `security/detect-object-injection` warning sites are triaged
+- [ ] Risky dynamic lookups are refactored (for example, validated key guards or `Map` usage)
+- [ ] Remaining suppressions include clear justification for why access is safe
+- [ ] Net warning count for this rule is reduced
diff --git a/...b/issue-proposals/refactor-conditional-tests-for-jest-no-conditional-in-test.md b/...b/issue-proposals/refactor-conditional-tests-for-jest-no-conditional-in-test.md
@@ -0,0 +1,17 @@
+---
+title: Refactor conditional tests for jest/no-conditional-in-test
+parentIssue: 1901
+---
+
+Refactor test cases that trigger `jest/no-conditional-in-test` so assertions are deterministic and intent remains clear.
+
+## Context and motivation
+
+The rule catches conditional logic that can hide assertion paths. Some current uses are intentional helper patterns, while others can be simplified.
+
+## Acceptance criteria
+
+- [ ] Current warning sites are reviewed and categorized as refactor or keep-with-justification
+- [ ] Refactorable tests are rewritten to avoid in-test branching
+- [ ] Any remaining exceptions are narrowly suppressed with rationale
+- [ ] Net warning count for this rule is reduced
diff --git a/.github/issue-proposals/resolve-jest-expect-expect-warnings.md b/.github/issue-proposals/resolve-jest-expect-expect-warnings.md
@@ -0,0 +1,17 @@
+---
+title: Resolve jest/expect-expect warnings
+parentIssue: 1901
+---
+
+Address `jest/expect-expect` warnings by adding explicit assertions or using approved assertion patterns for helper-driven tests.
+
+## Context and motivation
+
+Some tests rely on side-effect or thrown-error pathways that are not always detected by the rule. We should make assertions explicit where practical.
+
+## Acceptance criteria
+
+- [ ] Current warning sites are triaged
+- [ ] Tests that can include direct assertions are updated
+- [ ] Legitimate helper patterns are configured or suppressed in a narrow, documented way
+- [ ] Net warning count for this rule is reduced
diff --git a/.../issue-proposals/update-capture-groups-for-regexp-prefer-named-capture-group.md b/.../issue-proposals/update-capture-groups-for-regexp-prefer-named-capture-group.md
@@ -0,0 +1,16 @@
+---
+title: Update regex capture groups for regexp/prefer-named-capture-group
+parentIssue: 1901
+---
+
+Apply mechanical regex updates for `regexp/prefer-named-capture-group` warnings using named or non-capturing groups as appropriate.
+
+## Context and motivation
+
+This is low-risk cleanup with small warning count. The update should improve readability while preserving behavior.
+
+## Acceptance criteria
+
+- [ ] All current warning sites are updated to named or non-capturing capture groups
+- [ ] Existing behavior is preserved by tests
+- [ ] `regexp/prefer-named-capture-group` warnings are eliminated
diff --git a/docs/development/lint-warning-recommendations.md b/docs/development/lint-warning-recommendations.md
@@ -0,0 +1,20 @@
+# Lint warning recommendations
+
+Baseline (2026-04-16): `yarn lint` reports 123 warnings across 8 rules.
+
+| Rule | Warnings | Recommendation | Why |
+| --- | ---: | --- | --- |
+| `security/detect-non-literal-fs-filename` | 50 | Selectively fix or ignore violations | Most hits are expected dynamic paths in file-system tooling; keep the rule for signal, but use validation wrappers and targeted ignores where inputs are trusted. |
+| `security/detect-object-injection` | 42 | Selectively fix or ignore violations | Many hits are dynamic key lookups on known maps. Keep the rule, but prefer `Map`/guarded access in risky paths and suppress known-safe cases. |
+| `jest/no-conditional-in-test` | 17 | Selectively fix or ignore violations | Some conditionals are legitimate for shared test helpers/table-driven cases; rewrite simple cases, keep explicit ignores for intentional patterns. |
+| `import/no-named-as-default-member` | 4 | Disable it | Current warnings are false-positive noise from `js-yaml` interop in tests; disabling improves signal-to-noise. |
+| `regexp/prefer-named-capture-group` | 3 | Fix violations | Small, mechanical updates (`(?:...)` or named groups) improve readability and can be fixed quickly. |
+| `jest/expect-expect` | 3 | Selectively fix or ignore violations | Some tests assert by expecting thrown errors/side effects through helpers; add explicit assertions where possible and ignore intentional patterns. |
+| `security/detect-unsafe-regex` | 2 | Selectively fix or ignore violations | One warning is from tooling config; review each regex for ReDoS risk and suppress only proven-safe patterns. |
+| `jest/no-disabled-tests` | 2 | Fix violations | Skipped tests should be either re-enabled or removed to avoid long-term blind spots. |
+
+## Suggested priority
+
+1. Fix now: `regexp/prefer-named-capture-group`, `jest/no-disabled-tests`
+2. Selective cleanup: `security/*`, `jest/no-conditional-in-test`, `jest/expect-expect`
+3. Disable: `import/no-named-as-default-member`