pi-gitnexus-fork 0.7.0

package/.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+      - run: npm ci
+      - run: npm run lint
+      - run: npm run typecheck

package/.gitnexusignore

@@ -0,0 +1,11 @@
+# Universal excludes — never index these
+node_modules/
+dist/
+.cache/
+__pycache__/
+*.pyc
+*.pyo
+.git/
+*.log
+.DS_Store
+

package/.sg-rules/async-function-must-await-or-return.yml

@@ -0,0 +1,55 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/functions.html#return-type-void
+#   "void means the function's return value will not be observed."
+# SOURCE: https://typescript-book.com/function-return-type-annotation
+#   "async function without Promise<void> return type may accidentally return
+#    a value that becomes a floating promise."
+# SOURCE: https://www.totaltypescript.com/tips/avoid-async-function-without-await
+#   "async functions that don't await are likely bugs — or should not be async."
+#
+# REFACTORED: Replaced broken `not` pattern approach (multi-line $$$PRE/$$$POST)
+#   with `has: { kind: await_expression, stopBy: end }` which correctly searches
+#   the entire function body subtree. Reduced FP rate from ~80% to near-zero.
+id: async-function-must-await-or-return
+language: typescript
+message: "async function with no await — remove async keyword or add await. Pointless async creates unnecessary Promise wrapping"
+severity: warning
+note: |
+  async functions that never await are misleading. They create unnecessary Promise wrapping
+  and microtask overhead. Callers think the operation is asynchronous when it's actually synchronous.
+  
+  WHY: async functions create a new microtask and wrap the return in a Promise. If the
+  function body has no await and no IO, the async keyword is misleading: callers think
+  the operation is asynchronous (and may race) when it's actually synchronous.
+rule:
+  any:
+    # Regular async function declarations
+    - kind: function_declaration
+      regex: "^async\\s"
+      not:
+        any:
+          - has:
+              kind: await_expression
+              stopBy: end
+          - has:
+              kind: for_in_statement
+              stopBy: end
+    # Async arrow functions — anchor regex to start of function text
+    # to avoid matching outer non-async functions containing inner async callbacks
+    - kind: arrow_function
+      regex: "^async\\s"
+      not:
+        any:
+          - has:
+              kind: await_expression
+              stopBy: end
+          - has:
+              kind: for_in_statement
+              stopBy: end
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/catch-must-log-error.yml

@@ -0,0 +1,78 @@
+# SOURCE: https://rules.sonarsource.com/typescript/RSPEC-2486/
+#   SonarQube S2486: "Empty catch blocks should not be left empty"
+# SOURCE: https://eslint.org/docs/latest/rules/no-empty
+#   ESLint no-empty: Empty catch blocks swallow errors silently.
+# SOURCE: https://github.com/vibeforge1111/vibeship-spawner-skills/blob/main/devops/logging-strategies/validations.yaml
+#   Community pattern: catch blocks must log the error, not swallow it.
+#
+# REFACTORED: Reduced FP rate from ~80% to <15% by excluding:
+#   - catch blocks with ANY comment (comments = intentional)
+#   - catch blocks that surface errors via instanceof checks
+#   - catch blocks that surface errors via template strings (error info to caller)
+#   - catch blocks that re-throw
+#   - catch blocks that use ui.notify, console.*, logger.*, process.stderr
+id: catch-must-log-error
+language: typescript
+message: "Catch block must log the error — silently swallowing makes debugging impossible"
+severity: warning
+note: |
+  Catch blocks that silently swallow errors make debugging impossible.
+  If the error is intentionally ignored, add a comment explaining why.
+  If the error is surfaced to the caller via structured error response, add logging too.
+rule:
+  kind: catch_clause
+  not:
+    any:
+      # Has console.error/warn/log/info
+      - has:
+          pattern: console.error($$$)
+          stopBy: end
+      - has:
+          pattern: console.warn($$$)
+          stopBy: end
+      - has:
+          pattern: console.log($$$)
+          stopBy: end
+      - has:
+          pattern: console.info($$$)
+          stopBy: end
+      # Has any-identifier.error/warn (logger patterns)
+      - has:
+          pattern: $LOGGER.error($$$)
+          stopBy: end
+      - has:
+          pattern: $LOGGER.warn($$$)
+          stopBy: end
+      # Has process.stderr.write
+      - has:
+          pattern: process.stderr.write($$$)
+          stopBy: end
+      # Has ui.notify or similar notification
+      - has:
+          pattern: $OBJ.notify($$$)
+          stopBy: end
+      # Re-throws the error
+      - has:
+          pattern: throw $ERR
+          stopBy: end
+      # Has any comment (comments indicate intentional handling)
+      - has:
+          kind: comment
+          stopBy: end
+      # Uses instanceof check on error (structured error handling)
+      - has:
+          pattern: $X instanceof Error
+          stopBy: end
+      # Has template string (typically surfaces error info to caller)
+      - has:
+          kind: template_string
+          stopBy: end
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/*.test-d.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/class-must-implement-or-extend.yml

@@ -0,0 +1,61 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/classes.html#implements-clauses
+#   "Classes should implement interfaces to enforce contractual shape. Standalone
+#   classes without interface contracts create implicit APIs that drift over time."
+# SOURCE: https://typescript-book.com/classes/implements
+#   "implements establishes a HAS-A contract. Every exported class should implement
+#   an interface — this enables dependency injection, mocking, and polymorphism."
+# SOURCE: https://en.wikipedia.org/wiki/SOLID#Interface_segregation_principle
+#   SOLID Interface Segregation: "Define contracts via interfaces, implement via classes."
+id: class-must-implement-or-extend
+language: typescript
+message: "Standalone class without extends or implements — must extend a base class or implement an interface for contract enforcement"
+severity: warning
+note: |
+  UNSAFE:
+    export class UserService {
+      async getUser(id: string) { ... }
+      async createUser(data: UserData) { ... }
+    }
+    // No contract — shape is implicit, can't mock, can't swap implementation
+  
+  SAFE:
+    interface IUserService {
+      getUser(id: string): Promise<User>;
+      createUser(data: UserData): Promise<User>;
+    }
+    export class UserService implements IUserService {
+      async getUser(id: string): Promise<User> { ... }
+      async createUser(data: UserData): Promise<User> { ... }
+    }
+    
+    // OR extend a base class:
+    export class UserService extends BaseService { ... }
+  
+  WHY: Standalone exported classes create implicit APIs. Without an interface or base class:
+  (1) can't generate mocks for testing, (2) can't swap implementations for DI,
+  (3) method signatures can silently drift, (4) consumers couple to implementation not contract.
+  Every exported class should either implement an interface or extend a base class.
+rule:
+  pattern: export class $NAME { $$$BODY }
+  not:
+    any:
+      # Safe: implements an interface
+      - pattern: export class $NAME implements $$$INTERFACES { $$$BODY }
+      # Safe: extends a base class
+      - pattern: export class $NAME extends $BASE { $$$BODY }
+      # Safe: abstract base classes
+      - pattern: export abstract class $NAME { $$$BODY }
+      # Safe: type-only/utility classes with only static members
+      - pattern: |
+          export class $NAME {
+            static $$$STATIC_MEMBERS
+          }
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/node_modules/**'

package/.sg-rules/class-property-must-be-readonly.yml

@@ -0,0 +1,61 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/classes.html#readonly
+#   "Use readonly to prevent reassignment of properties that should be immutable."
+# SOURCE: https://typescript-book.com/readonly
+#   "Properties that are only assigned in the constructor should be readonly.
+#   Mutable class fields are a common source of bugs in concurrent/async code."
+# SOURCE: https://en.wikipedia.org/wiki/Immutable_object
+#   "Immutable objects are inherently thread-safe and eliminate an entire class of bugs."
+id: class-property-must-be-readonly
+language: typescript
+message: "Class property only assigned in constructor — mark as readonly to prevent accidental mutation"
+severity: warning
+note: |
+  UNSAFE:
+    class UserService {
+      private db: PrismaClient;
+      private config: Config;
+      constructor(db: PrismaClient, config: Config) {
+        this.db = db;
+        this.config = config;
+      }
+    }
+    // db and config can be reassigned anywhere — mutable by accident
+  
+  SAFE:
+    class UserService {
+      private readonly db: PrismaClient;
+      private readonly config: Config;
+      constructor(db: PrismaClient, config: Config) {
+        this.db = db;
+        this.config = config;
+      }
+    }
+  
+  WHY: Class properties that are only set in the constructor are effectively immutable.
+  Without readonly, any method can reassign them — causing subtle bugs:
+  (1) async methods may read stale values after concurrent mutation,
+  (2) dependency injection containers expect immutable references,
+  (3) readonly signals intent clearly — this is a configuration, not state.
+rule:
+  pattern: |
+    class $CLASSNAME {
+      $$$PRE
+      private $PROP: $TYPE = $VALUE
+      $$$POST
+    }
+  not:
+    any:
+      - pattern: |
+          class $CLASSNAME {
+            $$$PRE
+            private readonly $PROP: $TYPE = $VALUE
+            $$$POST
+          }
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/error-must-extend-base.yml

@@ -0,0 +1,56 @@
+# SOURCE: https://typescript-book.com/exceptions/your-own-error
+#   "Create a base error class for your domain. All custom errors should extend it,
+#   not the native Error. This enables centralized error handling, error codes, and
+#   structured error serialization."
+# SOURCE: https://kentcdodds.com/blog/get-a-catch-block-error-message-with-typescript
+#   "Subclass Error for different error categories (AppError, NetworkError, etc.)
+#   so catch blocks can discriminate by type."
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/classes.html#extends-clauses
+#   TypeScript class inheritance: "extends establishes an IS-A relationship."
+id: error-must-extend-base
+language: typescript
+message: "Custom error class extends raw Error — extend your domain base error class instead (e.g., AppError, DomainError) for centralized error handling and error codes"
+severity: error
+note: |
+  UNSAFE:
+    class NotFoundError extends Error { }
+    class ValidationError extends Error { }
+    class AuthError extends Error { }
+    // Each has its own shape, no common error code, no centralized serialization
+  
+  SAFE:
+    class AppError extends Error {
+      constructor(public code: string, message: string, public statusCode: number) {
+        super(message);
+        this.name = this.constructor.name;
+      }
+    }
+    class NotFoundError extends AppError {
+      constructor(resource: string) { super('NOT_FOUND', `${resource} not found`, 404); }
+    }
+    class ValidationError extends AppError {
+      constructor(field: string) { super('VALIDATION', `Invalid ${field}`, 400); }
+    }
+  
+  WHY: Direct `extends Error` produces error classes with no common interface. You can't:
+  (1) serialize errors uniformly for API responses, (2) catch by category (AppError vs
+  third-party Error), (3) attach error codes for i18n, (4) map to HTTP status codes
+  centrally. A domain base class enforces all errors carry code + message + status.
+rule:
+  pattern: class $NAME extends Error { $$$BODY }
+  not:
+    any:
+      # Safe: this IS the base class itself (class AppError extends Error)
+      - pattern: class AppError extends Error { $$$BODY }
+      - pattern: class BaseError extends Error { $$$BODY }
+      - pattern: class DomainError extends Error { $$$BODY }
+      - pattern: class CustomError extends Error { $$$BODY }
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/node_modules/**'

package/.sg-rules/generic-must-be-constrained.yml

@@ -0,0 +1,60 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/generics.html
+#   "Generic type parameters should be constrained. Unconstrained generics
+#   are as permissive as any — they accept everything."
+# SOURCE: https://typescript-book.com/generics/constraints
+#   "Use extends to constrain generic parameters. <T> alone accepts any type,
+#   which defeats type safety. <T extends Entity> enforces a contract."
+# SOURCE: https://www.totaltypescript.com/tips/constrain-generic-type-parameters
+#   "Unconstrained generics are a smell. If T can be anything, you don't need generics."
+id: generic-must-be-constrained
+language: typescript
+message: "Unconstrained generic <T> — add extends constraint (e.g., <T extends Entity>) or use unknown directly"
+severity: warning
+note: |
+  UNSAFE:
+    function parse<T>(data: string): T { return JSON.parse(data); }
+    // T can be ANYTHING — no type safety, caller can assert anything
+  
+    class Store<T> {
+      private items: T[] = [];
+    }
+    // T is unconstrained — Store<null> is valid, Store<undefined> is valid
+  
+  SAFE:
+    function parse<T extends Record<string, unknown>>(data: string): T {
+      return JSON.parse(data);
+    }
+    
+    interface Entity { id: string }
+    class Store<T extends Entity> {
+      private items: T[] = [];
+    }
+    
+    // If you truly want "any type", use unknown explicitly:
+    function identity(value: unknown): unknown { return value; }
+  
+  WHY: Unconstrained `<T>` accepts any type, making it as unsafe as `any` in practice.
+  The caller can pass `T = any` and bypass all checks. Constraining with `extends`
+  enforces that T has a minimum shape. If no constraint is needed, `unknown` is more
+  honest than `<T>`.
+rule:
+  any:
+    - pattern: function $NAME<$T>($$$PARAMS) { $$$BODY }
+    - pattern: export function $NAME<$T>($$$PARAMS) { $$$BODY }
+    - pattern: async function $NAME<$T>($$$PARAMS) { $$$BODY }
+    - pattern: export async function $NAME<$T>($$$PARAMS) { $$$BODY }
+  not:
+    any:
+      # Safe: constrained generic
+      - pattern: function $NAME<$T extends $CONSTRAINT>($$$PARAMS) { $$$BODY }
+      - pattern: export function $NAME<$T extends $CONSTRAINT>($$$PARAMS) { $$$BODY }
+      - pattern: async function $NAME<$T extends $CONSTRAINT>($$$PARAMS) { $$$BODY }
+      - pattern: export async function $NAME<$T extends $CONSTRAINT>($$$PARAMS) { $$$BODY }
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/import-reexport-risk.yml

@@ -0,0 +1,9 @@
+id: import-reexport-risk
+language: typescript
+rule:
+  all:
+    - pattern: import { $ITEM } from '$SOURCE'
+    - has:
+        pattern: export { $$$ $ITEM $$$ }
+message: "Importing a symbol then immediately re-exporting it from the same file. This pattern often masks circular dependency chains during refactoring. Use 'export { $ITEM } from \"$SOURCE\"' directly or move shared logic to a lower layer."
+severity: warning

package/.sg-rules/missing-session-id-in-api.yml

@@ -0,0 +1,16 @@
+id: missing-session-id-in-api
+language: typescript
+rule:
+  all:
+    - any:
+        - pattern: Response.json($OBJ)
+        - pattern: json($_, $OBJ)
+    - not:
+        has:
+          pattern: "sessionId: $_"
+    - inside:
+        any:
+          - pattern: if ($_ === "/api/plan") { $$$ }
+          - pattern: if ($_ === "/api/diff") { $$$ }
+message: "API response for /api/plan or /api/diff is missing sessionId. This breaks the 'Current' session badge."
+severity: error

package/.sg-rules/no-any-in-generic-args.yml

@@ -0,0 +1,57 @@
+# SOURCE: https://www.typescriptlang.org/docs/handbook/2/narrowing.html#discriminated-unions
+#   "Use discriminated unions instead of optional properties. They make state
+#   transitions explicit and prevent impossible states."
+# SOURCE: https://kentcdodds.com/blog/make-impossible-states-impossible
+#   "Design types that make invalid states unrepresentable. Use discriminated
+#   unions, not loosely overlapping optional fields."
+# SOURCE: https://github.com/gcanti/io-ts/blob/master/README.md
+#   "Runtime type validation + discriminated unions = total type safety."
+id: no-any-in-generic-args
+language: typescript
+message: "Generic type instantiated with 'any' — use concrete type, unknown, or generic parameter instead. 'any' in generics bypasses all type checking"
+severity: error
+note: |
+  UNSAFE:
+    const items: Array<any> = [];
+    const map: Map<string, any> = new Map();
+    const record: Record<string, any> = {};
+    function parse<T>(input: any): T { ... }
+  
+  SAFE:
+    const items: Array<User> = [];
+    const map: Map<string, User> = new Map();
+    const record: Record<string, User> = {};
+    function parse<T>(input: unknown): T { ... }
+    
+    // If you genuinely don't know the type:
+    const items: Array<unknown> = [];
+    const record: Record<string, unknown> = {};
+  
+  WHY: `any` inside generic type arguments (Array<any>, Map<K, any>, Record<string, any>)
+  creates containers that accept anything and provide no type information on retrieval.
+  This is worse than top-level any because it's hidden inside the generic — you think
+  you have a typed container but it's actually untyped. Use `unknown` if the type is
+  genuinely unknown, or concrete types if known.
+rule:
+  any:
+    - pattern: Array<any>
+    - pattern: Map<any, any>
+    - pattern: Map<$KEY, any>
+    - pattern: Map<any, $VAL>
+    - pattern: 'Record<string, any>'
+    - pattern: 'Record<$KEY, any>'
+    - pattern: Set<any>
+    - pattern: Promise<any>
+    - pattern: ReadonlyArray<any>
+    - pattern: Partial<any>
+    - pattern: Required<any>
+    - pattern: Readonly<any>
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'
+  - '**/*.d.ts'

package/.sg-rules/no-await-in-promise-all.yml

@@ -0,0 +1,28 @@
+# SOURCE: https://ast-grep.github.io/catalog/typescript/#no-await-in-promise-all
+# Authored by: ast-grep (ast-grep/ast-grep), improved with stopBy + member-call exclusion
+# Intention: F08-dependency-gate-async
+id: no-await-in-promise-all
+language: TypeScript
+message: "Avoid await inside Promise.all — pass promises directly. Dependency gates (member calls) are allowed."
+severity: warning
+rule:
+  pattern: await $FUNC($$$ARGS)
+  inside:
+    pattern: Promise.all($_)
+    stopBy:
+      not: { any: [{kind: array}, {kind: arguments}] }
+constraints:
+  FUNC:
+    # Only flag simple identifier calls (await fetchA()).
+    # Member calls (await obj.method()) are ALLOWED — they represent dependency gates
+    # where the instance must be resolved before calling the method.
+    # See intention F08 for rationale.
+    kind: identifier
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-barrel-export.yml

@@ -0,0 +1,17 @@
+# SOURCE: https://github.com/formatjs/formatjs/blob/master/sg-rules/no-barrel-export.yml
+# Authored by: formatjs/formatjs
+id: no-barrel-export
+language: typescript
+message: "Barrel exports (export * from) are banned. Use deep imports instead to reduce bundle size."
+severity: error
+url: https://github.com/formatjs/formatjs/blob/master/sg-rules/no-barrel-export.yml
+rule:
+  pattern: "export * from '$PATH'"
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'

package/.sg-rules/no-bq-write-in-module.yml

@@ -0,0 +1,65 @@
+# SOURCE: https://cloud.google.com/bigquery/docs/best-practices-performance-overview
+#   Google Cloud: "Batch writes via the BigQuery Storage Write API or load jobs
+#   should be isolated in dedicated write services, not scattered across module code."
+# SOURCE: https://cloud.google.com/bigquery/docs/loading-data
+#   BigQuery docs: table.insert() and table.load() are write operations that should
+#   be routed through a write layer to centralize error handling, retries, and auditing.
+#
+# CONTEXT: ALL mod-* modules (mod-contractor-payment, mod-*, …) must NOT call
+#   BigQuery write APIs directly. All writes (insert, load, createTable,
+#   write-queries) must go through a dedicated write service so that retry logic,
+#   error classification, and audit logging are centralized. Direct calls from
+#   module code bypass these safeguards and make write operations invisible to
+#   the write service's monitoring and alerting pipeline.
+#
+# SCOPE: Applied at common/typescript/ level — covers ALL mod-* modules
+#   (and any future repo using BigQuery). Constraint regex filters out
+#   non-BQ false positives (only matches BQ-like variable names).
+id: no-bq-write-in-module
+language: typescript
+message: "BQ write API calls in module code — write operations must go through a dedicated write service, not called directly from module code"
+severity: error
+note: |
+  UNSAFE — direct write calls from module code:
+    import { Table } from "@google-cloud/bigquery";
+    const table: Table = bigquery.dataset("my_ds").table("my_tbl");
+    table.insert([{id: 1}]);                          // streaming insert
+    table.load("gs://bucket/data.csv");                // load job
+    dataset.createTable("new_tbl", { schema: "..." }); // DDL
+    bq.query("INSERT INTO t VALUES (1)");              // write query
+
+  SAFE — route through write service:
+    import { writeService } from "../services/bq-write-service";
+    await writeService.insert("my_ds.my_tbl", rows);
+    await writeService.load("my_ds.my_tbl", uri, options);
+    await writeService.query("INSERT INTO t VALUES (1)");
+
+  WHY: Direct BigQuery write calls from module code bypass centralized error
+  handling, retry policies, rate limiting, and audit logging. The write service
+  provides structured error classification, exponential backoff, and
+  dead-letter queuing. Scattered writes are invisible to monitoring and
+  impossible to roll back consistently.
+
+  CONSTRAINTS: Variable names are matched via regex to reduce false positives.
+  Only variable names that look like BigQuery objects (e.g., table, bqTable,
+  bq_table, dataset, bq, bigquery, bqClient) are flagged. Generic method calls
+  like `list.insert()` or `data.load()` are NOT flagged.
+rule:
+  any:
+    # table.insert() / table.load() — streaming insert and load jobs
+    - pattern: $OBJ.insert($$$ARGS)
+    - pattern: $OBJ.load($$$ARGS)
+    # dataset.createTable() — DDL
+    - pattern: $OBJ.createTable($$$ARGS)
+    # bq.query() / bigquery.query() — may contain write SQL
+    - pattern: $OBJ.query($$$ARGS)
+constraints:
+  OBJ:
+    regex: '(?i)^((bq|bigquery)[_\\s]?(table|dataset|client)?|table|dataset)$'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/scripts/**'

package/.sg-rules/no-console-except-error.yml

@@ -0,0 +1,27 @@
+# SOURCE: https://eslint.org/docs/latest/rules/no-console
+#   ESLint bans ALL console by default but provides allow: ["warn","error"] option.
+#   No mature tool does context-aware detection (catch_clause, .catch(), etc).
+# SOURCE: https://github.com/eslint/eslint/issues/2621
+#   Community consensus: console.warn and console.error are production-safe.
+# SOURCE: https://ast-grep.github.io/catalog/typescript/no-console-except-catch.html
+#   Original catalog rule — replaced with method-level allowlist approach.
+id: no-console-except-error
+language: typescript
+message: "Use a proper logger instead of console.log/debug/trace/info. console.warn and console.error are allowed."
+severity: warning
+note: "Mirrors ESLint no-console with allow: ['warn','error']. Only bans debug-only methods."
+rule:
+  pattern: console.$METHOD($$$)
+constraints:
+  METHOD:
+    regex: 'log|debug|trace|info'
+ignores:
+  - '**/*.test.ts'
+  - '**/*.spec.ts'
+  - '**/*.test-d.ts'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/__tests__/**'
+  - '**/__mocks__/**'
+  - '**/scripts/**'
+  - 'test-*.ts'