@fjall/eslint-plugin 2.18.1

package/no-mask-identity-mock.js

@@ -0,0 +1,339 @@
+/**
+ * ESLint Rule: no-mask-identity-mock
+ *
+ * Flags vitest `vi.mock(...)` factories that replace a masking helper
+ * (`maskSensitiveOutput`, `maskSecrets`, `redact*`, `sanitis*`) with a
+ * shape that neuters the security boundary the test exists at. Two
+ * classes:
+ *
+ * 1. **Identity arrow** — `(s) => s` (or block-bodied equivalent). The
+ *    masker becomes a pass-through; tests asserting "raw error text reaches
+ *    the callback" pass whether or not the production code masked it.
+ *
+ * 2. **Partial-mask arrow** — the arrow's body produces a string that
+ *    contains the parameter's value unchanged: template-literal sentinel
+ *    wrappers (`(s) => \`«masked:${s}»\``), narrow `.replace()` chains
+ *    (`(s) => s.replace(/AKIA[A-Z0-9]{16}/g, "***")`), and `param + "suffix"`
+ *    concatenations. These shrink coverage to whatever the fixture happens
+ *    to anticipate — every shape the production masker handles but the
+ *    fixture omits ships unmasked. The 2026-05-24 pass found four sentinel
+ *    wrappers across cli tests; the canonical fix routes through
+ *    `vi.spyOn(util, "maskSensitiveOutput")` so the real masker runs AND
+ *    call args remain assertable.
+ *
+ * Per .claude/rules/cli-standards.md § "Masking-mock identity neutering is
+ * FORBIDDEN" and security-standards.md § "Credential masking — 4th boundary".
+ *
+ * Canonical bad shapes:
+ *   vi.mock("@fjall/util", async () => {
+ *     const actual = await vi.importActual("@fjall/util");
+ *     return { ...actual, maskSensitiveOutput: (s) => s };
+ *   });
+ *   vi.mock("@fjall/util", () => ({
+ *     maskSensitiveOutput: vi.fn((input) => `«masked:${input}»`)
+ *   }));
+ *   vi.mock("@fjall/util", () => ({
+ *     maskSensitiveOutput: (s) => s.replace(/AKIA[A-Z0-9]{16}/g, "***")
+ *   }));
+ *
+ * Canonical good shape: don't mock the masker at all; let the real
+ * implementation run. If a test needs to inspect the pre-mask string, use
+ * `vi.spyOn(util, "maskSensitiveOutput")` to assert call args while the
+ * real impl produces masked output for downstream assertions.
+ */
+
+const MASK_NAMES_RE = /^(mask|redact|saniti[sz]e)/i;
+
+/**
+ * Returns true iff `node` is `(<param>) => <param>` — an arrow function
+ * whose body is an Identifier referencing its sole parameter.
+ */
+function isIdentityArrow(node) {
+  if (!node) return false;
+  if (node.type !== "ArrowFunctionExpression") return false;
+  if (node.params.length !== 1) return false;
+
+  const param = node.params[0];
+  if (param.type !== "Identifier") return false;
+
+  const paramName = param.name;
+  const body = node.body;
+
+  if (body.type === "Identifier" && body.name === paramName) return true;
+
+  if (body.type === "BlockStatement") {
+    if (body.body.length !== 1) return false;
+    const stmt = body.body[0];
+    if (stmt.type !== "ReturnStatement") return false;
+    if (!stmt.argument) return false;
+    return (
+      stmt.argument.type === "Identifier" && stmt.argument.name === paramName
+    );
+  }
+
+  return false;
+}
+
+/**
+ * Returns true iff `node` is `vi.fn(<identityArrow>)` — wraps an identity
+ * arrow in a vitest spy. Common shape that escapes a bare `isIdentityArrow`
+ * check because the AST root is a CallExpression, not an ArrowFunctionExpression.
+ */
+function isViFnWrappingIdentityArrow(node) {
+  return isViFnWrapping(node, isIdentityArrow);
+}
+
+/**
+ * Returns true iff `node` is `vi.fn(<inner>)` for the supplied detector.
+ * Generalisation of the identity-wrapper check so the partial-mask
+ * detection can reuse the same vi.fn unwrapping logic.
+ */
+function isViFnWrapping(node, detector) {
+  if (!node || node.type !== "CallExpression") return false;
+  if (node.arguments.length !== 1) return false;
+
+  const callee = node.callee;
+  if (callee.type !== "MemberExpression") return false;
+  if (callee.computed) return false;
+  if (callee.object.type !== "Identifier" || callee.object.name !== "vi") {
+    return false;
+  }
+  if (callee.property.type !== "Identifier" || callee.property.name !== "fn") {
+    return false;
+  }
+
+  return detector(node.arguments[0]);
+}
+
+/**
+ * Returns true iff `expr` references the named parameter directly (an
+ * Identifier with the same name). The partial-mask detection uses this
+ * as the leaf check inside template literals, binary expressions, and
+ * member-expression chains.
+ */
+function refsParam(expr, paramName) {
+  return expr != null && expr.type === "Identifier" && expr.name === paramName;
+}
+
+/**
+ * Walks a `+` BinaryExpression tree returning true iff any leaf is the
+ * named parameter. `(s) => "prefix" + s` and `(s) => s + ":" + extra`
+ * both match; `(s) => "prefix" + helper(s)` does not (the param flows
+ * through a function call that may transform it).
+ */
+function binaryExprRefsParam(expr, paramName) {
+  if (refsParam(expr, paramName)) return true;
+  if (expr.type !== "BinaryExpression") return false;
+  if (expr.operator !== "+") return false;
+  return (
+    binaryExprRefsParam(expr.left, paramName) ||
+    binaryExprRefsParam(expr.right, paramName)
+  );
+}
+
+/**
+ * Walks a CallExpression's MemberExpression chain looking for the
+ * named parameter as the root object. `s.replace(/x/g, "y")` matches;
+ * `s.replace(...).slice(0, 4)` matches (the chain still roots at `s`);
+ * `realMask(s).slice(...)` does NOT match (the root is a call, not the
+ * param) — that shape is treated as a delegate-then-truncate pattern.
+ */
+function callChainRootedAtParam(expr, paramName) {
+  let cur = expr;
+  while (
+    cur &&
+    cur.type === "CallExpression" &&
+    cur.callee &&
+    cur.callee.type === "MemberExpression"
+  ) {
+    cur = cur.callee.object;
+  }
+  return refsParam(cur, paramName);
+}
+
+/**
+ * Returns true iff `node` is a partial-mask arrow — a single-parameter
+ * arrow whose body produces a string containing the parameter's value
+ * unchanged. Three shapes covered:
+ *   1. Template literal with the param interpolated.
+ *   2. String-method chain rooted at the param.
+ *   3. `+` concatenation involving the param.
+ *
+ * Functions that delegate to a callee `(s) => fn(s)` or constant returns
+ * `(s) => "[REDACTED]"` remain valid — those are legitimate stubs.
+ */
+function isPartialMaskArrow(node) {
+  if (!node) return false;
+  if (node.type !== "ArrowFunctionExpression") return false;
+  if (node.params.length !== 1) return false;
+
+  const param = node.params[0];
+  if (param.type !== "Identifier") return false;
+  const paramName = param.name;
+
+  let body = node.body;
+  if (body.type === "BlockStatement") {
+    if (body.body.length !== 1) return false;
+    const stmt = body.body[0];
+    if (stmt.type !== "ReturnStatement" || !stmt.argument) return false;
+    body = stmt.argument;
+  }
+
+  if (body.type === "TemplateLiteral") {
+    return body.expressions.some((e) => refsParam(e, paramName));
+  }
+
+  if (body.type === "CallExpression") {
+    return callChainRootedAtParam(body, paramName);
+  }
+
+  if (body.type === "BinaryExpression" && body.operator === "+") {
+    return binaryExprRefsParam(body, paramName);
+  }
+
+  return false;
+}
+
+/**
+ * `vi.fn(<partialMaskArrow>)` wrapper detection — the same wrapper class
+ * the identity-arrow check has, applied to the partial-mask shapes.
+ */
+function isViFnWrappingPartialMaskArrow(node) {
+  return isViFnWrapping(node, isPartialMaskArrow);
+}
+
+/**
+ * Maps a mock-value node onto the messageId of the rule violation it
+ * exhibits. Returns null when the value is acceptable (real impl
+ * delegation, constant stub, non-arrow).
+ */
+function detectBadMaskOverride(node) {
+  if (isIdentityArrow(node) || isViFnWrappingIdentityArrow(node)) {
+    return "identityMaskMock";
+  }
+  if (isPartialMaskArrow(node) || isViFnWrappingPartialMaskArrow(node)) {
+    return "partialMaskMock";
+  }
+  return null;
+}
+
+/**
+ * Walk an ObjectExpression's properties, reporting any property whose
+ * key matches the mask-name pattern AND whose value is an identity arrow
+ * (either bare `(s) => s` or wrapped in `vi.fn((s) => s)`).
+ */
+function checkObjectProperties(context, objectNode) {
+  if (!objectNode || objectNode.type !== "ObjectExpression") return;
+  for (const prop of objectNode.properties) {
+    if (prop.type !== "Property") continue;
+    if (prop.computed) continue;
+
+    let keyName;
+    if (prop.key.type === "Identifier") keyName = prop.key.name;
+    else if (prop.key.type === "Literal" && typeof prop.key.value === "string")
+      keyName = prop.key.value;
+    else continue;
+
+    if (!MASK_NAMES_RE.test(keyName)) continue;
+    const messageId = detectBadMaskOverride(prop.value);
+    if (!messageId) continue;
+
+    context.report({
+      node: prop,
+      messageId,
+      data: { name: keyName }
+    });
+  }
+}
+
+/**
+ * Find ObjectExpressions inside a function body's return statements,
+ * recursing into common nesting nodes (logical chains, ternaries,
+ * `await` of an `importActual` spread + override pattern).
+ */
+function findReturnedObjects(node, found = []) {
+  if (!node) return found;
+
+  if (node.type === "ObjectExpression") {
+    found.push(node);
+    return found;
+  }
+
+  if (
+    node.type === "ArrowFunctionExpression" ||
+    node.type === "FunctionExpression"
+  ) {
+    if (node.body.type === "BlockStatement") {
+      for (const stmt of node.body.body) {
+        if (stmt.type === "ReturnStatement" && stmt.argument) {
+          findReturnedObjects(stmt.argument, found);
+        }
+      }
+    } else {
+      findReturnedObjects(node.body, found);
+    }
+    return found;
+  }
+
+  if (node.type === "ConditionalExpression") {
+    findReturnedObjects(node.consequent, found);
+    findReturnedObjects(node.alternate, found);
+    return found;
+  }
+
+  if (node.type === "LogicalExpression") {
+    findReturnedObjects(node.left, found);
+    findReturnedObjects(node.right, found);
+    return found;
+  }
+
+  if (node.type === "AwaitExpression") {
+    findReturnedObjects(node.argument, found);
+    return found;
+  }
+
+  return found;
+}
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow vi.mock factories that replace masking helpers with identity functions — neuters the security boundary the test exists at.",
+      category: "Possible Errors",
+      recommended: true
+    },
+    messages: {
+      identityMaskMock:
+        "Identity mock for masking helper '{{name}}' neuters the credential-masking boundary. Remove the override and let the real implementation run (security-standards.md § 'Credential masking — 4th boundary'). If you genuinely need to inspect the pre-mask string, use vi.spyOn(...) and assert the call args, then let the real impl produce the masked output.",
+      partialMaskMock:
+        "Partial-mask override for '{{name}}' shrinks the masker's coverage to whatever the fixture anticipates — every credential shape the production masker handles but the fixture omits ships unmasked. Drop the override and let the real implementation run. If a test needs to inspect the pre-mask string, use vi.spyOn(util, '{{name}}') to assert call args while the real impl produces masked output (cli-standards.md § 'Masking-mock identity neutering is FORBIDDEN')."
+    },
+    schema: []
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        if (
+          node.callee.type !== "MemberExpression" ||
+          node.callee.object.type !== "Identifier" ||
+          node.callee.object.name !== "vi" ||
+          node.callee.property.type !== "Identifier" ||
+          node.callee.property.name !== "mock"
+        ) {
+          return;
+        }
+        if (node.arguments.length < 2) return;
+
+        const factory = node.arguments[1];
+        const returned = findReturnedObjects(factory);
+        for (const obj of returned) {
+          checkObjectProperties(context, obj);
+        }
+      }
+    };
+  }
+};

package/no-raw-block-device-volume.js

@@ -0,0 +1,75 @@
+/**
+ * ESLint Rule: no-raw-block-device-volume
+ *
+ * Forbids raw `BlockDeviceVolume` / `Volume` named imports from
+ * `aws-cdk-lib/aws-ec2` or `aws-cdk-lib/aws-autoscaling` outside the two
+ * compute-layer wrapper basenames. `BlockDeviceVolume` is re-exported by
+ * both modules — flagging only one leaves the other as a permanent
+ * backdoor (the very asymmetry the v2 review caught).
+ *
+ * Use `safeEbs` from `lib/resources/aws/compute/blockDeviceVolume` for
+ * ephemeral / root volumes. `PersistentDataVolume` (Phase 1.75) covers
+ * data that must survive instance refresh.
+ */
+
+import path from "node:path";
+
+const ALLOWED_BASENAMES = new Set([
+  "blockDeviceVolume.ts",
+  "persistentDataVolume.ts"
+]);
+
+const FORBIDDEN_SOURCES = new Set([
+  "aws-cdk-lib/aws-ec2",
+  "aws-cdk-lib/aws-autoscaling"
+]);
+
+const FORBIDDEN_NAMED_IMPORTS = new Set(["BlockDeviceVolume", "Volume"]);
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow raw BlockDeviceVolume / Volume imports outside the compute-layer wrappers.",
+      category: "Best Practices",
+      recommended: true
+    },
+    messages: {
+      rawBlockDeviceVolume:
+        "Raw `{{name}}` import from `{{source}}` is forbidden. Use `safeEbs` from `lib/resources/aws/compute/blockDeviceVolume` for ephemeral / root volumes, or `PersistentDataVolume` (Phase 1.75) for data that must survive instance refresh. See aiDocs/patterns/infrastructure-wrapper-routing-pattern.md."
+    },
+    schema: []
+  },
+
+  create(context) {
+    const filename = context.filename ?? context.getFilename();
+    const basename = path.basename(filename);
+    if (ALLOWED_BASENAMES.has(basename)) {
+      return {};
+    }
+
+    return {
+      ImportDeclaration(node) {
+        if (!FORBIDDEN_SOURCES.has(node.source.value)) {
+          return;
+        }
+        for (const specifier of node.specifiers) {
+          if (specifier.type !== "ImportSpecifier") continue;
+          const importedName =
+            specifier.imported.type === "Identifier"
+              ? specifier.imported.name
+              : specifier.imported.value;
+          if (FORBIDDEN_NAMED_IMPORTS.has(importedName)) {
+            context.report({
+              node: specifier,
+              messageId: "rawBlockDeviceVolume",
+              data: { name: importedName, source: node.source.value }
+            });
+          }
+        }
+      }
+    };
+  }
+};

package/no-raw-cdk-properties-on-public-constructs.js

@@ -0,0 +1,80 @@
+/**
+ * ESLint Rule: no-raw-cdk-properties-on-public-constructs
+ *
+ * Forbids public class properties whose names match raw CDK plumbing
+ * identifiers (`namespace`, `instance`, `cluster`, `application`) on
+ * infrastructure constructs in `lib/{resources,patterns}/`. Internal CDK
+ * handles must remain `private readonly` so the public surface only exposes
+ * Fjall's connector / interface contract.
+ *
+ * Per .claude/rules/generator-standards.md § "Wrapper Routing Discipline"
+ * and the ClickHouse promotion hygiene rules. The textual hygiene test in
+ * `clickhouseHygiene.test.ts` enforces the same shape at runtime; this rule
+ * shifts the failure left to author-time.
+ *
+ * Suffixed names (e.g. `namespaceArn`, `instanceEndpoint`, `clusterId`) are
+ * allowed — they are output strings, not CDK handles.
+ *
+ * Accessibility handling: TypeScript treats class fields with NO access
+ * modifier as implicitly public, so `class Foo { namespace: X }` and
+ * `class Foo { public namespace: X }` are equivalent at runtime. The rule
+ * therefore flags both — only `private` / `protected` are exempt.
+ *
+ * Out of scope (acknowledged ceiling, not oversight): constructor parameter
+ * properties (`constructor(public namespace: X)` → TSParameterProperty),
+ * accessor methods (`get namespace()` → MethodDefinition), and `accessor`
+ * fields (AccessorProperty). The runtime hygiene test at
+ * lib/__tests__/clickhouseHygiene.test.ts uses a textual regex
+ * (/public\s+readonly\s+(namespace|instance|cluster)\b\s*:/g) and therefore
+ * partially catches the TSParameterProperty case for the `public readonly`
+ * form — the regex matches the source text regardless of whether the field
+ * is a class member or a constructor parameter property. The remaining
+ * blind spots common to both checks are accessor methods and `accessor`
+ * fields; if a future construct uses one, extend both visitors at the same
+ * time.
+ */
+
+export const FORBIDDEN_NAMES = new Set([
+  "namespace",
+  "instance",
+  "cluster",
+  "application"
+]);
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Disallow public CDK plumbing properties (`namespace`, `instance`, `cluster`, `application`) on infrastructure constructs.",
+      category: "Best Practices",
+      recommended: true
+    },
+    messages: {
+      rawCdkProperty:
+        "Public property `{{name}}` exposes raw CDK plumbing. Mark it `private readonly` and surface a typed accessor (ARN, endpoint, connector) instead. See aiDocs/patterns/clickhouse-database-factory-pattern.md § Hygiene rules."
+    },
+    schema: []
+  },
+
+  create(context) {
+    return {
+      PropertyDefinition(node) {
+        if (
+          node.accessibility === "private" ||
+          node.accessibility === "protected"
+        ) {
+          return;
+        }
+        if (!node.key || node.key.type !== "Identifier") return;
+        if (!FORBIDDEN_NAMES.has(node.key.name)) return;
+        context.report({
+          node: node.key,
+          messageId: "rawCdkProperty",
+          data: { name: node.key.name }
+        });
+      }
+    };
+  }
+};

package/no-raw-db-transaction.js

@@ -0,0 +1,112 @@
+/**
+ * @fileoverview Tenant transactions must go through the `scopedTransaction` /
+ * `runScopedWithRls` primitives, never a raw `db.$transaction(...)`.
+ *
+ * The webapp's scoped Prisma client (`~/.server/utils/tenantScopedDb` `db`)
+ * carries a per-operation `$allOperations` hook that, under `RLS_GUC_ENABLED`,
+ * wraps each bare operation in its own two-statement transaction
+ * `[set_config('app.current_org_id', $1, true), <query>]` so the Postgres RLS
+ * policies read a fail-closed tenant filter (the GATE-0 / Option C mechanism —
+ * decisions/2026-06-17-rls-role-auth-and-launch-gating.md D6).
+ *
+ * A caller that opens its OWN `db.$transaction(...)` without setting the GUC as
+ * the transaction's first statement breaks that contract the moment the flag
+ * flips: the interactive form nests an incoherent second transaction, and the
+ * array form returns a Promise (not a PrismaPromise) so a leading
+ * `set_config` cannot be batched into it. The two primitives in
+ * `rlsOrgContext.ts` (`scopedTransaction` for atomicity-dependent callers,
+ * `runScopedWithRls` for read bursts) are the ONLY legitimate `db.$transaction`
+ * call sites — they set the GUC first and enter the RLS scope so `tx.*` ops skip
+ * the per-op wrap.
+ *
+ * Carve-outs this rule already encodes:
+ *   - `rlsOrgContext.ts` (the primitives' home) is exempt wholesale by filename.
+ *   - `dbBypass.$transaction(...)` is NOT flagged — `dbBypass` connects as the
+ *     BYPASSRLS role and is exempt from tenant isolation by design.
+ *   - An aliased scoped-client import (`import { db as scoped } from
+ *     "~/.server/utils/tenantScopedDb"`) is resolved to its local binding, so
+ *     `scoped.$transaction(...)` is flagged too — the literal name `db` is not
+ *     the only trigger.
+ *   - `Parameters<typeof db.$transaction>` TYPE queries are naturally excluded
+ *     (this rule visits `CallExpression`, not type nodes).
+ *   - A genuine future primitive belongs in `rlsOrgContext.ts`; an unavoidable
+ *     one-off can use `// eslint-disable-next-line fjall/no-raw-db-transaction -- <reason>`.
+ *
+ * Why this rule exists: GATE-0 (webapp `91f872c3`) migrated the 15 then-existing
+ * `db.$transaction` callers to `scopedTransaction`. Without a guard, the next
+ * raw `db.$transaction` caller would silently reintroduce the hazard the moment
+ * `RLS_GUC_ENABLED` is enabled — invisible to typecheck. See webapp-standards.md
+ * § "Tenant transactions go through scopedTransaction".
+ */
+
+/** @type {import('eslint').Rule.RuleModule} */
+const noRawDbTransaction = {
+  meta: {
+    type: "problem",
+    docs: {
+      description:
+        "Tenant transactions must use scopedTransaction / runScopedWithRls from ~/.server/utils/rlsOrgContext, not a raw db.$transaction(...) that would bypass the RLS GUC contract."
+    },
+    messages: {
+      rawDbTransaction:
+        'Use `scopedTransaction(fn, options)` (or `runScopedWithRls` for a read burst) from `~/.server/utils/rlsOrgContext` instead of calling `db.$transaction(...)` directly. Under `RLS_GUC_ENABLED` the scoped client wraps each bare op in its own transaction; a raw `db.$transaction` that does not set `app.current_org_id` as its first statement nests an incoherent transaction (interactive form) or breaks the batch (array form). The two primitives in `rlsOrgContext.ts` are the only legitimate `db.$transaction` call sites; `dbBypass.$transaction` (BYPASSRLS) is exempt. A genuine new primitive belongs in `rlsOrgContext.ts`. See webapp-standards.md § "Tenant transactions go through scopedTransaction".'
+    },
+    schema: []
+  },
+  create(context) {
+    const filename =
+      typeof context.filename === "string"
+        ? context.filename
+        : typeof context.getFilename === "function"
+          ? context.getFilename()
+          : "";
+    if (filename.endsWith("rlsOrgContext.ts")) {
+      return {};
+    }
+    // Flag `db.$transaction` plus any alias of the `db` import from tenantScopedDb
+    // (`import { db as scoped }`). Reports defer to `Program:exit` so an alias is
+    // resolved regardless of whether its import precedes the call in source order.
+    const scopedClientNames = new Set(["db"]);
+    const candidates = [];
+    return {
+      ImportDeclaration(node) {
+        if (
+          typeof node.source.value !== "string" ||
+          !node.source.value.endsWith("tenantScopedDb")
+        ) {
+          return;
+        }
+        for (const spec of node.specifiers) {
+          if (
+            spec.type === "ImportSpecifier" &&
+            spec.imported.type === "Identifier" &&
+            spec.imported.name === "db"
+          ) {
+            scopedClientNames.add(spec.local.name);
+          }
+        }
+      },
+      CallExpression(node) {
+        const callee = node.callee;
+        if (
+          callee.type === "MemberExpression" &&
+          !callee.computed &&
+          callee.object.type === "Identifier" &&
+          callee.property.type === "Identifier" &&
+          callee.property.name === "$transaction"
+        ) {
+          candidates.push({ node, name: callee.object.name });
+        }
+      },
+      "Program:exit"() {
+        for (const { node, name } of candidates) {
+          if (scopedClientNames.has(name)) {
+            context.report({ node, messageId: "rawDbTransaction" });
+          }
+        }
+      }
+    };
+  }
+};
+
+export default noRawDbTransaction;

package/no-throw-in-services.js

@@ -0,0 +1,63 @@
+/**
+ * ESLint Rule: no-throw-in-services
+ *
+ * Services must use Result<T, E> pattern instead of throwing errors.
+ * Throwing breaks the explicit error handling contract and makes
+ * error paths implicit and harder to trace.
+ *
+ */
+
+/** @type {import('eslint').Rule.RuleModule} */
+export default {
+  meta: {
+    type: "problem",
+    docs: {
+      description: "Disallow throw statements in service files",
+      category: "Best Practices",
+      recommended: true
+    },
+    messages: {
+      noThrow:
+        "Services must use Result<T, E> pattern instead of throw. Use failure() to return errors.",
+      noThrowInConstructor:
+        "Consider using a factory function that returns Result instead of throwing in constructor."
+    },
+    schema: []
+  },
+
+  create(context) {
+    const filename = context.filename;
+
+    // Only apply to service files
+    const isServiceFile =
+      filename.includes("/services/") || filename.includes("Service.ts");
+
+    if (!isServiceFile) {
+      return {};
+    }
+
+    return {
+      ThrowStatement(node) {
+        // Check if we're inside a constructor
+        let parent = node.parent;
+        let inConstructor = false;
+
+        while (parent) {
+          if (
+            parent.type === "MethodDefinition" &&
+            parent.kind === "constructor"
+          ) {
+            inConstructor = true;
+            break;
+          }
+          parent = parent.parent;
+        }
+
+        context.report({
+          node,
+          messageId: inConstructor ? "noThrowInConstructor" : "noThrow"
+        });
+      }
+    };
+  }
+};