@fjall/eslint-plugin 2.18.1

package/LICENSE

@@ -0,0 +1,50 @@
+Fjall Proprietary Software Licence
+
+Copyright (c) 2026 Fjall. All rights reserved.
+
+This software, including all source, object, bundled, and minified forms
+("the Software"), is the proprietary and confidential property of Fjall.
+
+1. Permitted Use. Subject to the terms of this Licence, Fjall grants you
+   a non-exclusive, non-transferable, revocable licence to install the
+   Software via the npm registry and to execute it solely for the purpose
+   of deploying, operating, and managing your own applications and
+   infrastructure on cloud providers.
+
+2. Restrictions. You may NOT, and may not permit any third party to:
+   (a) copy, redistribute, sublicense, sell, rent, lease, or otherwise
+       transfer the Software;
+   (b) modify, adapt, translate, or create derivative works of the Software;
+   (c) reverse engineer, decompile, disassemble, deminify, or otherwise
+       attempt to derive the source code, structure, or organisation of
+       the Software, except to the minimum extent expressly permitted by
+       applicable mandatory law;
+   (d) use the Software, or any portion of it, to develop, train, or
+       improve any product or service that competes with Fjall;
+   (e) remove, alter, or obscure any proprietary notices contained in
+       the Software;
+   (f) publish, share, or otherwise disclose the Software or its contents
+       to any third party.
+
+3. Ownership. All right, title, and interest in and to the Software,
+   including all intellectual property rights, remain with Fjall. No
+   rights are granted except as expressly set out in this Licence.
+
+4. Termination. This Licence terminates automatically if you breach any
+   of its terms. Upon termination you must cease all use of the Software
+   and destroy all copies in your possession.
+
+5. Disclaimer of Warranty. THE SOFTWARE IS PROVIDED "AS IS" WITHOUT
+   WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
+   THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+   AND NON-INFRINGEMENT.
+
+6. Limitation of Liability. IN NO EVENT SHALL FJALL BE LIABLE FOR ANY
+   INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES
+   ARISING OUT OF OR RELATED TO THE SOFTWARE, EVEN IF ADVISED OF THE
+   POSSIBILITY OF SUCH DAMAGES.
+
+7. Governing Law. This Licence is governed by the laws of England and
+   Wales, without regard to conflict of laws principles.
+
+For commercial licensing enquiries, contact: contact@fjall.io

package/README.md

@@ -0,0 +1,31 @@
+# @fjall/eslint-plugin
+
+Flat-config ESLint plugin holding Fjall's internal coding-standard rules
+(credential masking, Zod strictness, tenant-isolation, AWS-SDK abort hygiene,
+CDK construct invariants, and more).
+
+It is the single source of truth shared between the Fjall monorepo and the
+Fjall web app — the web app consumes it from npm because it builds without a
+monorepo checkout. The rules encode Fjall-specific conventions and are not
+intended for use outside Fjall projects.
+
+## Usage
+
+```js
+// eslint.config.mjs (flat config)
+import fjall from "@fjall/eslint-plugin";
+
+export default [
+  {
+    plugins: { fjall },
+    rules: {
+      "fjall/zod-strict-required": "error",
+      "fjall/mask-error-message-at-boundary": "error"
+      // … enable the rules you need
+    }
+  }
+];
+```
+
+Every rule lives in its own file (`<rule-name>.js`); `index.js` is the barrel
+exposing them all under the `rules` map.

package/constructor-validates-public-construct.js

@@ -0,0 +1,351 @@
+/**
+ * ESLint Rule: constructor-validates-public-construct
+ *
+ * Enforces `.claude/rules/generator-standards.md § "Public-Construct Validation
+ * Discipline"`: a public construct that is both direct-instantiable
+ * (`new EcsCompute(stack, id, props)`) AND reachable through a factory
+ * (`ComputeFactory.build(...)`) MUST self-validate inside its constructor.
+ * Placing the call only in the factory's pre-construction hook leaves every
+ * direct-instantiation consumer (other patterns, generator-emitted code,
+ * tests) bypassing the check.
+ *
+ * Detection shape (intra-file only):
+ *   1. Collect every top-level `function validate<Anything>(props: T)` or
+ *      `function validate<Anything>Props(props: T)` declaration. Map the
+ *      param type name `T` -> validator function name(s).
+ *   2. For each exported `class X extends Y { constructor(_, _, props: T) { ... } }`
+ *      whose third constructor parameter is typed `T` and where the file
+ *      defines a validator for `T`, the constructor body MUST contain a
+ *      `CallExpression` invoking one of the validators with `props`.
+ *   3. Report on the constructor when the call is missing (messageId:
+ *      `constructorMissingValidatorCall`).
+ *   4. When the call IS present but is NOT the first statement after
+ *      `super(scope, id)`, report (messageId:
+ *      `constructorValidatorNotFirstStatement`). A `this.* = …` assignment
+ *      or `const x = …` declaration before the validator means props were
+ *      partially trusted before being validated.
+ *
+ * Detection limitations (acknowledged ceiling):
+ *   - Intra-file only. The cross-file layered-validation case (resources-vs-
+ *     patterns mirroring) is covered by the sibling `paired-ecs-validation`
+ *     rule.
+ *   - Match-by-param-type-name. A validator with `props: IRelationalDatabaseProps`
+ *     pairs with a class whose constructor takes `props: IRelationalDatabaseProps`.
+ *     If the class's prop type is a union or intersection that resolves to
+ *     the same shape but uses a different alias, the rule will not pair them
+ *     and the runtime-test discipline in `code-quality.md § "ESLint-Mandated
+ *     Validations Need Direct Runtime Tests"` is the backstop.
+ *   - Only checks the constructor body. Calls inside private helper methods
+ *     invoked from the constructor (`this.validateProps(props)`) do not
+ *     count — the discipline says the call lives at the top of the
+ *     constructor, immediately after `super(scope, id)`, where it is
+ *     unambiguously reached for every code path.
+ *   - Argument identity check is by name only (`props`). A validator called
+ *     with a derived value (`validateProps({...props, vpc: injected})`)
+ *     still satisfies the rule textually; the constructor's typed parameter
+ *     remains the canonical input.
+ *   - Direct-export shape only: `export class X {}` / `export default class X`.
+ *     A class declared without inline export and re-exported via
+ *     `export { X }` is not currently detected — `isExported()` walks
+ *     `classNode.parent` only. Widen this if a real consumer ships the
+ *     sibling-re-export shape; current `lib/{patterns,resources}/` callers
+ *     all use the inline form.
+ *   - Position check tolerates exactly one leading `super(scope, id)` call.
+ *     TypeScript-only declarations (parameter-property decorators, type-only
+ *     declarations) are stripped by the TS parser before the visitor sees the
+ *     body, so they do not count toward statement ordering. The check does NOT
+ *     tolerate `this.* = …` assignments or `const x = …` declarations before
+ *     the validator call — those mean state was mutated on partially-trusted
+ *     props.
+ *
+ * Pair with runtime tests (MANDATORY per `code-quality.md § "ESLint-Mandated
+ * Validations Need Direct Runtime Tests"`): every public construct this rule
+ * covers needs a direct-instantiation test that asserts the throw fires on
+ * bad input. The rule covers existence; the runtime test covers behaviour.
+ */
+
+const VALIDATOR_NAME_RE = /^validate[A-Z][A-Za-z0-9_]*$/;
+
+function extractTypeName(typeAnnotation) {
+  if (!typeAnnotation || typeAnnotation.type !== "TSTypeAnnotation")
+    return null;
+  const inner = typeAnnotation.typeAnnotation;
+  if (!inner) return null;
+  if (inner.type === "TSTypeReference") {
+    const tn = inner.typeName;
+    if (tn && tn.type === "Identifier") return tn.name;
+    if (
+      tn &&
+      tn.type === "TSQualifiedName" &&
+      tn.right &&
+      tn.right.type === "Identifier"
+    ) {
+      return tn.right.name;
+    }
+  }
+  return null;
+}
+
+function getParamTypeName(param) {
+  if (!param) return null;
+  if (param.type === "Identifier") return extractTypeName(param.typeAnnotation);
+  if (
+    param.type === "AssignmentPattern" &&
+    param.left &&
+    param.left.type === "Identifier"
+  ) {
+    return extractTypeName(param.left.typeAnnotation);
+  }
+  return null;
+}
+
+function getParamName(param) {
+  if (!param) return null;
+  if (param.type === "Identifier") return param.name;
+  if (
+    param.type === "AssignmentPattern" &&
+    param.left &&
+    param.left.type === "Identifier"
+  ) {
+    return param.left.name;
+  }
+  return null;
+}
+
+/** Walk the constructor body's statements and any nested BlockStatement to
+ *  find a CallExpression whose callee.name is one of `validatorNames` and
+ *  whose first argument is the identifier `propsName`. Searches the whole
+ *  body — the discipline prefers first-line-after-super, but call from any
+ *  branch satisfies the structural existence check. The runtime-test rule
+ *  backstops "called but on the wrong path". */
+function constructorCallsAnyValidator(
+  constructorBody,
+  validatorNames,
+  propsName
+) {
+  if (!constructorBody || constructorBody.type !== "BlockStatement")
+    return false;
+  const stack = [...constructorBody.body];
+  while (stack.length > 0) {
+    const node = stack.pop();
+    if (!node || typeof node !== "object") continue;
+    if (node.type === "ExpressionStatement" && node.expression) {
+      stack.push(node.expression);
+      continue;
+    }
+    if (node.type === "CallExpression") {
+      const callee = node.callee;
+      if (
+        callee &&
+        callee.type === "Identifier" &&
+        validatorNames.has(callee.name) &&
+        node.arguments.length >= 1 &&
+        node.arguments[0].type === "Identifier" &&
+        node.arguments[0].name === propsName
+      ) {
+        return true;
+      }
+      stack.push(callee);
+      for (const arg of node.arguments) stack.push(arg);
+      continue;
+    }
+    if (node.type === "BlockStatement") {
+      for (const stmt of node.body) stack.push(stmt);
+      continue;
+    }
+    if (node.type === "IfStatement") {
+      stack.push(node.consequent);
+      if (node.alternate) stack.push(node.alternate);
+      continue;
+    }
+    if (node.type === "SwitchStatement") {
+      for (const c of node.cases) for (const s of c.consequent) stack.push(s);
+      continue;
+    }
+    if (node.type === "TryStatement") {
+      stack.push(node.block);
+      if (node.handler && node.handler.body) stack.push(node.handler.body);
+      if (node.finalizer) stack.push(node.finalizer);
+      continue;
+    }
+    for (const key of Object.keys(node)) {
+      const child = node[key];
+      if (key === "parent" || child === null || typeof child !== "object")
+        continue;
+      if (Array.isArray(child)) {
+        for (const c of child) if (c && typeof c === "object") stack.push(c);
+      } else {
+        stack.push(child);
+      }
+    }
+  }
+  return false;
+}
+
+function isSuperCallStatement(stmt) {
+  return (
+    stmt &&
+    stmt.type === "ExpressionStatement" &&
+    stmt.expression &&
+    stmt.expression.type === "CallExpression" &&
+    stmt.expression.callee &&
+    stmt.expression.callee.type === "Super"
+  );
+}
+
+function isValidatorCallStatement(stmt, validatorNames, propsName) {
+  return (
+    stmt &&
+    stmt.type === "ExpressionStatement" &&
+    stmt.expression &&
+    stmt.expression.type === "CallExpression" &&
+    stmt.expression.callee &&
+    stmt.expression.callee.type === "Identifier" &&
+    validatorNames.has(stmt.expression.callee.name) &&
+    stmt.expression.arguments.length >= 1 &&
+    stmt.expression.arguments[0].type === "Identifier" &&
+    stmt.expression.arguments[0].name === propsName
+  );
+}
+
+/** Anything between super() and the validator (this.* assignment, const
+ *  decl, if statement, helper call) reads or mutates partially-trusted
+ *  props — rejected. When there is no super() call, the validator MUST be
+ *  the first statement in the constructor body. */
+function constructorValidatorIsFirstAfterSuper(
+  constructorBody,
+  validatorNames,
+  propsName
+) {
+  if (!constructorBody || constructorBody.type !== "BlockStatement")
+    return false;
+  const body = constructorBody.body;
+  if (body.length === 0) return false;
+  const firstAfterSuperIdx = isSuperCallStatement(body[0]) ? 1 : 0;
+  return isValidatorCallStatement(
+    body[firstAfterSuperIdx],
+    validatorNames,
+    propsName
+  );
+}
+
+function isExported(classNode) {
+  const parent = classNode.parent;
+  if (!parent) return false;
+  return (
+    parent.type === "ExportNamedDeclaration" ||
+    parent.type === "ExportDefaultDeclaration"
+  );
+}
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Public CDK constructs in lib/{patterns,resources} that have a sibling `validate*Props` function in the same file MUST call that validator inside their constructor body. Otherwise direct `new X(...)` consumers bypass validation that the factory hook performs.",
+      category: "Best Practices",
+      recommended: true
+    },
+    messages: {
+      constructorMissingValidatorCall:
+        'Public construct `{{className}}` takes `props: {{propType}}` but its constructor does not call `{{validators}}` — the validator(s) defined in this file for `{{propType}}`. Add the call as the first statement after `super(scope, id)` so direct `new {{className}}(...)` consumers do not bypass validation. See .claude/rules/generator-standards.md § "Public-Construct Validation Discipline".',
+      constructorValidatorNotFirstStatement:
+        'Public construct `{{className}}` calls `{{validators}}` but not as the first statement after `super(scope, id)`. A `this.* = …` assignment or `const x = …` declaration before the validator means partially-trusted props were already read or stored. Move the validator call to immediately after `super(scope, id)`. See .claude/rules/generator-standards.md § "Public-Construct Validation Discipline".'
+    },
+    schema: []
+  },
+
+  create(context) {
+    /** Map<paramTypeName, Set<validatorFunctionName>> */
+    const validatorsByPropType = new Map();
+    /** Array of {classNode, className, propType, propsName, constructorNode} */
+    const candidateClasses = [];
+
+    function recordValidator(node) {
+      if (!node.id || !VALIDATOR_NAME_RE.test(node.id.name)) return;
+      if (!node.params || node.params.length === 0) return;
+      const typeName = getParamTypeName(node.params[0]);
+      if (!typeName) return;
+      const set = validatorsByPropType.get(typeName) ?? new Set();
+      set.add(node.id.name);
+      validatorsByPropType.set(typeName, set);
+    }
+
+    return {
+      "Program > FunctionDeclaration"(node) {
+        recordValidator(node);
+      },
+      "Program > ExportNamedDeclaration > FunctionDeclaration"(node) {
+        recordValidator(node);
+      },
+
+      ClassDeclaration(node) {
+        if (!node.id) return;
+        if (!isExported(node)) return;
+        const ctor = node.body.body.find(
+          (m) =>
+            m.type === "MethodDefinition" &&
+            m.kind === "constructor" &&
+            m.value &&
+            m.value.params
+        );
+        if (!ctor) return;
+        // CDK construct signature is `(scope, id, props)` — validators target props at index 2.
+        if (ctor.value.params.length < 3) return;
+        const propsParam = ctor.value.params[2];
+        const propType = getParamTypeName(propsParam);
+        const propsName = getParamName(propsParam);
+        if (!propType || !propsName) return;
+        candidateClasses.push({
+          classNode: node,
+          className: node.id.name,
+          propType,
+          propsName,
+          constructorNode: ctor
+        });
+      },
+
+      // Run at Program:exit so validator declarations below the class are still in scope.
+      "Program:exit"() {
+        for (const c of candidateClasses) {
+          const validators = validatorsByPropType.get(c.propType);
+          if (!validators || validators.size === 0) continue;
+          const found = constructorCallsAnyValidator(
+            c.constructorNode.value.body,
+            validators,
+            c.propsName
+          );
+          if (!found) {
+            context.report({
+              node: c.constructorNode,
+              messageId: "constructorMissingValidatorCall",
+              data: {
+                className: c.className,
+                propType: c.propType,
+                validators: [...validators].sort().join(", ")
+              }
+            });
+            continue;
+          }
+          const isFirst = constructorValidatorIsFirstAfterSuper(
+            c.constructorNode.value.body,
+            validators,
+            c.propsName
+          );
+          if (!isFirst) {
+            context.report({
+              node: c.constructorNode,
+              messageId: "constructorValidatorNotFirstStatement",
+              data: {
+                className: c.className,
+                validators: [...validators].sort().join(", ")
+              }
+            });
+          }
+        }
+      }
+    };
+  }
+};

package/human-readable-durations.js

@@ -0,0 +1,103 @@
+/**
+ * ESLint Rule: human-readable-durations
+ *
+ * User-facing messages should format durations in human-readable form.
+ * Users shouldn't see raw milliseconds like "1800000ms" - show "30 minutes" instead.
+ *
+ * Detects patterns like:
+ * - `${timeout}ms`
+ * - `${duration}ms`
+ * - `after ${timeoutMs}ms`
+ */
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "suggestion",
+    docs: {
+      description:
+        "Require human-readable duration formatting in user messages",
+      category: "User Experience",
+      recommended: false
+    },
+    messages: {
+      rawMs:
+        "Format durations for humans. Instead of '${...}ms', use: const minutes = Math.floor({{variable}} / MS_PER_MINUTE); `${minutes} minutes`",
+      rawSeconds:
+        "Consider formatting seconds for humans when > 60. Use minutes for longer durations."
+    },
+    schema: []
+  },
+
+  create(context) {
+    return {
+      TemplateLiteral(node) {
+        const reported = new Set(); // Track reported expressions to avoid duplicates
+
+        // Check each quasi (string part) and expression pair
+        // Pattern: `... ${someVar}ms ...` where the next quasi starts with "ms"
+        for (let i = 0; i < node.expressions.length; i++) {
+          const nextQuasi = node.quasis[i + 1];
+          if (!nextQuasi) continue;
+
+          const nextQuasiValue =
+            nextQuasi.value.raw || nextQuasi.value.cooked || "";
+
+          // Check if the quasi immediately after this expression starts with "ms"
+          if (/^ms\b/.test(nextQuasiValue)) {
+            const expr = node.expressions[i];
+            const exprKey = `${expr.range[0]}-${expr.range[1]}`;
+
+            // Skip if already reported or if it's a formatted duration
+            if (reported.has(exprKey) || isFormattedDuration(expr, context)) {
+              continue;
+            }
+
+            reported.add(exprKey);
+            const variableName = getVariableName(expr);
+
+            context.report({
+              node: expr,
+              messageId: "rawMs",
+              data: { variable: variableName }
+            });
+          }
+        }
+      }
+    };
+  }
+};
+
+/**
+ * Get a variable name from an expression for error messages
+ */
+function getVariableName(expr) {
+  if (expr.type === "Identifier") {
+    return expr.name;
+  }
+  if (expr.type === "MemberExpression" && expr.property.type === "Identifier") {
+    return expr.property.name;
+  }
+  return "duration";
+}
+
+/**
+ * Check if expression is already a formatted duration (e.g., minutes calculation)
+ */
+function isFormattedDuration(expr, context) {
+  const sourceCode = context.sourceCode;
+  const exprText = sourceCode.getText(expr);
+
+  // Already formatted patterns
+  const formattedPatterns = [
+    /minute/i,
+    /second/i,
+    /hour/i,
+    /MS_PER_/,
+    /\.toFixed\(/,
+    /Math\.floor\(/,
+    /Math\.round\(/
+  ];
+
+  return formattedPatterns.some((pattern) => pattern.test(exprText));
+}

package/iam-secrets-arn-suffix.js

@@ -0,0 +1,79 @@
+/**
+ * ESLint Rule: iam-secrets-arn-suffix
+ *
+ * Flags IAM resource ARN strings scoping a Secrets Manager secret with a bare
+ * `*` suffix instead of `-*`. AWS Secrets Manager appends a 6-character random
+ * ID after a `-` separator (e.g. `my-secret-AbCdEf`), so a bare `*` widens to
+ * sibling secrets:
+ *
+ *   `:secret:my-secret*`   matches `my-secret-AbCdEf` AND `my-secret2-XyZw1A`
+ *   `:secret:my-secret-*`  matches only `my-secret-<6char>` siblings
+ *
+ * No autofix — the right repair depends on whether the upstream is a name
+ * (append `-`) or a pre-formed ARN (re-architect).
+ *
+ * Per `.claude/rules/security-standards.md`.
+ */
+
+const SECRET_SEGMENT = /:secret:([^"`\s]+?)\*(?!\*)/g;
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow Secrets Manager ARN scoping with a bare `*` suffix; require `-*` to delimit the AWS-generated 6-char suffix and avoid sibling-secret access.",
+      category: "Possible Errors",
+      recommended: true
+    },
+    messages: {
+      bareWildcard:
+        "IAM resource `:secret:{{name}}*` matches sibling secrets (e.g. `{{name}}2-AbCdEf`). Use `:secret:{{name}}-*` to scope to the AWS-generated 6-char suffix only. See .claude/rules/security-standards.md."
+    },
+    schema: []
+  },
+
+  create(context) {
+    function reconstructTemplate(node) {
+      let out = "";
+      const quasis = node.quasis;
+      const expressions = node.expressions;
+      for (let i = 0; i < quasis.length; i++) {
+        out += quasis[i].value.cooked ?? quasis[i].value.raw;
+        if (i < expressions.length) {
+          out += "${_}";
+        }
+      }
+      return out;
+    }
+
+    function checkString(node, value) {
+      if (!value.includes(":secret:")) return;
+      SECRET_SEGMENT.lastIndex = 0;
+      let match;
+      while ((match = SECRET_SEGMENT.exec(value)) !== null) {
+        const name = match[1];
+        if (name === "") continue;
+        const lastChar = name[name.length - 1];
+        if (lastChar === "-") continue;
+        if (lastChar === "}" && name.endsWith("-}")) continue;
+        context.report({
+          node,
+          messageId: "bareWildcard",
+          data: { name }
+        });
+      }
+    }
+
+    return {
+      TemplateLiteral(node) {
+        checkString(node, reconstructTemplate(node));
+      },
+      Literal(node) {
+        if (typeof node.value !== "string") return;
+        checkString(node, node.value);
+      }
+    };
+  }
+};

package/index.js

@@ -0,0 +1,61 @@
+import noThrowInServices from "./no-throw-in-services.js";
+import zodStrictRequired from "./zod-strict-required.js";
+import zodCompanionType from "./zod-companion-type.js";
+import preferSetHas from "./prefer-set-has.js";
+import humanReadableDurations from "./human-readable-durations.js";
+import preferWithAgentFlags from "./prefer-with-agent-flags.js";
+import noEmptyStringEnvFallthrough from "./no-empty-string-env-fallthrough.js";
+import maskErrorMessageAtBoundary from "./mask-error-message-at-boundary.js";
+import maskBeforeTruncate from "./mask-before-truncate.js";
+import noZodOptionalStringEmptyTrap from "./no-zod-optional-string-empty-trap.js";
+import noZodEnumRedeclaringNamedConstant from "./no-zod-enum-redeclaring-named-constant.js";
+import noRawCdkPropertiesOnPublicConstructs from "./no-raw-cdk-properties-on-public-constructs.js";
+import noClickhouseInternalReexport from "./no-clickhouse-internal-reexport.js";
+import noVacuousCdkSynthRegex from "./no-vacuous-cdk-synth-regex.js";
+import pairedEcsValidation from "./paired-ecs-validation.js";
+import iamSecretsArnSuffix from "./iam-secrets-arn-suffix.js";
+import noRawBlockDeviceVolume from "./no-raw-block-device-volume.js";
+import constructorValidatesPublicConstruct from "./constructor-validates-public-construct.js";
+import noUndefinedPropInConstructId from "./no-undefined-prop-in-construct-id.js";
+import noMaskIdentityMock from "./no-mask-identity-mock.js";
+import noDuplicateFjallUtilHelper from "./no-duplicate-fjall-util-helper.js";
+import noL2AsgLifecycleHook from "./no-l2-asg-lifecycle-hook.js";
+import noTierStageConflation from "./no-tier-stage-conflation.js";
+import noBareSdkAbortTimeout from "./no-bare-sdk-abort-timeout.js";
+import requireAbortPrecheckInSdkLoop from "./require-abort-precheck-in-sdk-loop.js";
+import noClassicConnectedAccountAssume from "./no-classic-connected-account-assume.js";
+import noRawDbTransaction from "./no-raw-db-transaction.js";
+
+export default {
+  rules: {
+    "no-throw-in-services": noThrowInServices,
+    "zod-strict-required": zodStrictRequired,
+    "zod-companion-type": zodCompanionType,
+    "prefer-set-has": preferSetHas,
+    "human-readable-durations": humanReadableDurations,
+    "prefer-with-agent-flags": preferWithAgentFlags,
+    "no-empty-string-env-fallthrough": noEmptyStringEnvFallthrough,
+    "mask-error-message-at-boundary": maskErrorMessageAtBoundary,
+    "mask-before-truncate": maskBeforeTruncate,
+    "no-zod-optional-string-empty-trap": noZodOptionalStringEmptyTrap,
+    "no-zod-enum-redeclaring-named-constant": noZodEnumRedeclaringNamedConstant,
+    "no-raw-cdk-properties-on-public-constructs":
+      noRawCdkPropertiesOnPublicConstructs,
+    "no-clickhouse-internal-reexport": noClickhouseInternalReexport,
+    "no-vacuous-cdk-synth-regex": noVacuousCdkSynthRegex,
+    "paired-ecs-validation": pairedEcsValidation,
+    "iam-secrets-arn-suffix": iamSecretsArnSuffix,
+    "no-raw-block-device-volume": noRawBlockDeviceVolume,
+    "constructor-validates-public-construct":
+      constructorValidatesPublicConstruct,
+    "no-undefined-prop-in-construct-id": noUndefinedPropInConstructId,
+    "no-mask-identity-mock": noMaskIdentityMock,
+    "no-duplicate-fjall-util-helper": noDuplicateFjallUtilHelper,
+    "no-l2-asg-lifecycle-hook": noL2AsgLifecycleHook,
+    "no-tier-stage-conflation": noTierStageConflation,
+    "no-bare-sdk-abort-timeout": noBareSdkAbortTimeout,
+    "require-abort-precheck-in-sdk-loop": requireAbortPrecheckInSdkLoop,
+    "no-classic-connected-account-assume": noClassicConnectedAccountAssume,
+    "no-raw-db-transaction": noRawDbTransaction
+  }
+};