require-human-approval-for-critical-actions

Require human confirmation before destructive or financial LLM actions.

OWASP LLM Top 10 2025: LLM06 - Excessive Agency
CWE: CWE-284
Severity: 🔴 Critical

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

🔒 CWE-284 OWASP:A01 CVSS:7.5 | Improper Access Control detected | HIGH
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A01_2021/

Message Components

Component             | Purpose                | Example
Risk Standards        | Security benchmarks    | CWE-284 OWASP:A01 CVSS:7.5
Issue Description     | Specific vulnerability | Improper Access Control detected
Severity & Compliance | Impact assessment      | HIGH
Fix Instruction       | Actionable remediation | Follow the remediation steps below
Technical Truth       | Official reference     | OWASP Top 10

Rule Details

Requires explicit human approval for critical actions (delete, transfer, payment, destroy).

❌ Incorrect

await deleteUser(userId);
await transferMoney(amount);
await processPayment(card);

✅ Correct

if (await confirmed(user, 'delete')) {
  await deleteResource(id);
}

const approved = await requireApproval(user, action);
if (approved) {
  await transferFunds(amount);
}

Options

{
  "secure-coding/require-human-approval-for-critical-actions": [
    "error",
    {
      "criticalActions": ["delete", "transfer", "payment", "destroy"]
    }
  ]
}

Best Practices

Implement 2FA for critical actions. Log all approval requests and decisions.
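As an added example (not the plugin's own code), here is one way to implement the approval gate sketched in the Correct examples above, together with the logging of every request and decision that the best practices call for; `runWithApproval`, `approver`, the audit array and the sample actions are assumed names, and the critical-action list mirrors the rule's default option.

```javascript
// Default critical actions from the rule's options (constructed copy).
const CRITICAL_ACTIONS = ['delete', 'transfer', 'payment', 'destroy'];

// Constructed in-memory audit log; production code would append to a
// tamper-evident store instead.
const approvalLog = [];

// An action is critical when its name contains one of the configured
// keywords (e.g. "deleteUser", "transferFunds", "processPayment").
function isCriticalAction(actionName) {
  const name = String(actionName).toLowerCase();
  return CRITICAL_ACTIONS.some((critical) => name.includes(critical));
}

// Gate: `approver` is a hypothetical human-confirmation callback that
// resolves to true/false. Critical actions run only after approval and
// every request and decision is logged; non-critical actions run directly.
async function runWithApproval({ user, actionName, params, approver, execute }) {
  if (!isCriticalAction(actionName)) {
    return execute(params);
  }
  approvalLog.push({ user, actionName, params, event: 'requested' });
  const approved = await approver({ user, actionName, params });
  approvalLog.push({ user, actionName, params, event: approved ? 'approved' : 'denied' });
  if (!approved) {
    throw new Error(`Action "${actionName}" denied for ${user}`);
  }
  return execute(params);
}

// Demo with a fake tool executor and approvers that always answer yes/no.
async function demo() {
  const executed = [];
  const execute = (params) => { executed.push(params); return 'done'; };
  const alwaysYes = async () => true;
  const alwaysNo = async () => false;

  // Non-critical: runs without asking anyone.
  await runWithApproval({ user: 'alice', actionName: 'listFiles', params: {}, approver: alwaysNo, execute });
  // Critical and approved: runs after confirmation.
  await runWithApproval({ user: 'alice', actionName: 'transferFunds', params: { amount: 100 }, approver: alwaysYes, execute });
  // Critical and denied: never reaches the executor.
  let denied = false;
  try {
    await runWithApproval({ user: 'alice', actionName: 'deleteUser', params: { id: 7 }, approver: alwaysNo, execute });
  } catch (err) {
    denied = true;
  }
  return { executedCount: executed.length, denied, logCount: approvalLog.length };
}
```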

Version

Introduced in v2.3.0

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate all user inputs.

Wrapper Functions

Why: Custom wrapper functions are not recognized.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply the rule to the wrapper implementations themselves.

Dynamic Invocation

Why: Dynamic method calls are not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.