Playground
Pick a flagship rule, edit the code, toggle the plugins, copy a real eslint.config.js. Phase 1c — Monaco editor + plugin toggle strip + verified static findings; live in-browser linting (oxlint WASM) arrives in Phase 2.
Pick an example
CWE-327 · Algorithm confusion
Phase 1c · live linting in Phase 2
jwt/no-algorithm-none
JWT algorithm confusion — accepting tokens with `alg: "none"` lets attackers forge any payload.
Findings · 1
Algorithm 'none' allows unsigned JWTs to pass verification (CWE-327). Drop 'none' from the algorithms allow-list.
Read the rule
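The finding above, as an added example (not the playground's own snippet and not taken from the rule's test corpus): a minimal verifier run once with the flagged allow-list and once with the corrected one. `makeToken`, `verifyJwt`, `tryVerify`, the secret and both tokens are constructed for illustration.

```javascript
// Added example: minimal JWT verifier with an `algorithms` allow-list (names are hypothetical).
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const SECRET = "constructed-demo-secret"; // constructed value

// Build a compact JWT. With alg "none" the signature segment is empty.
function makeToken(header, payload, secret) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = header.alg === "HS256"
    ? crypto.createHmac("sha256", secret).update(signingInput).digest("base64url")
    : "";
  return `${signingInput}.${sig}`;
}

// Verify against a caller-supplied allow-list of algorithms.
function verifyJwt(token, secret, { algorithms }) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, sig] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (!algorithms.includes(header.alg)) throw new Error(`algorithm not allowed: ${header.alg}`);
  if (header.alg === "none") {
    // Unsigned token: nothing binds the payload to the secret.
    if (sig !== "") throw new Error("unexpected signature");
  } else if (header.alg === "HS256") {
    const expected = crypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      throw new Error("invalid signature");
    }
  } else {
    throw new Error(`unsupported algorithm: ${header.alg}`);
  }
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
}

// Returns the payload on success, or the rejection message.
function tryVerify(token, options) {
  try { return verifyJwt(token, SECRET, options); } catch (e) { return e.message; }
}

const signed = makeToken({ alg: "HS256", typ: "JWT" }, { sub: "alice", admin: false }, SECRET);
const unsigned = makeToken({ alg: "none", typ: "JWT" }, { sub: "alice", admin: true });

console.log(tryVerify(unsigned, { algorithms: ["HS256", "none"] })); // flagged allow-list
console.log(tryVerify(unsigned, { algorithms: ["HS256"] }));         // corrected allow-list
console.log(tryVerify(signed, { algorithms: ["HS256"] }));           // signed token still verifies
```

With `'none'` in the allow-list the unsigned token's claims are returned as if verified; with it dropped, the same token is rejected before any payload is trusted.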
Built for the PLAYGROUND_SPEC.md roadmap · inspired by OXC Playground.
About the examples
Each of the 6 examples corresponds to one of our flagship rules. The findings list shows what our rule emits when run against the snippet on the left — captured directly from the rule's test corpus, not invented for marketing. The "Read the rule" link takes you to the canonical docs page where you can read the detection logic, CWE / OWASP mapping, and configuration options.