kamal-lint 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbb47a4aa7557a495d992e752262116d9b3617baa4918f8926be85fa3263f2c1
-  data.tar.gz: 5ae854761838ac0bb597aa7318126d94c6cbe40a3ae6ae7e1c28da47eedbe499
+  metadata.gz: 10d72a6911e515326e690ea6c0c65c74742378edf3f0c0229d725b9f623f75db
+  data.tar.gz: 63de632c1ff0ac7a21e180dd38e638464de147b81f69ea48654ddca5e07e7b28
 SHA512:
-  metadata.gz: f4651938af9157e4a519a4a76b03f57b126821b1d0849d7d240a2f018e446898570b50b85f208dc0238bbfede41340ba8000ba995dbfc51e3fddf5bb4273dcfe
-  data.tar.gz: 74dd99df9454c440074df74d3110c025eafc0b7f7b6e6917d8964b65363ab8ad69aff2c5fda62b4789c1cf9536e6ceca28bc04069a7d6c7532191ae6d08024f1
+  metadata.gz: ae304091aa74c7cbd9f3f85e455029cd85cb0bdfa0f3c26d49764e347733d7363c15fef2eb1a01c70df96521e7e8e868a0f17f92c9402e2996a37d9f0dc3cc5c
+  data.tar.gz: 66568b9b1bcfb8a0287a5e083e97a24520343366a9f6229f428df0715a341da15db5081efc4e8013444baa74cdc8e6f301e03a928ce39db6c994d6eb7e10fa69

data/CHANGELOG.md

@@ -1,52 +1,5 @@
 # Changelog
 
-All notable changes to this project will be documented in this file.
+Release notes are auto-generated from merged commits and pull requests, and live with each tagged release:
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [Unreleased]
-
-### Added
-- `--include-kamal-errors` flag to opt-in to surfacing errors from Kamal's own loader (off by default; use `kamal config` for parse-time checks).
-
-### Fixed
-- `image-registry-mismatch` no longer false-positives when `registry.server` is set to Docker Hub (`docker.io`, `index.docker.io`, `registry.hub.docker.com`) and the image lacks an explicit registry prefix — Docker Hub resolves unprefixed images automatically.
-
-### Internal
-- Renamed `LICENSE` → `MIT-LICENSE` to match Kamal's convention.
-- Added `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `.ruby-version`, `bin/release`.
-- Added `Release` GitHub Actions workflow for tag-triggered publishing via RubyGems trusted publishing (OIDC).
-- Added `actionlint` and `zizmor` workflow security audits in CI.
-- Added `dependabot.yml` for weekly bundler + GitHub Actions updates.
-- Added PR template and issue templates (bug report, new check proposal).
-
-## [0.1.0] - 2026-05-11
-
-### Added
-- Initial release.
-- 16 checks across reference integrity, coherence, and smells:
-  - `secret-not-declared`
-  - `accessory-role-undefined`
-  - `proxy-host-not-in-role`
-  - `image-registry-mismatch`
-  - `builder-registry-secret-undeclared`
-  - `ssl-without-host`
-  - `empty-web-role`
-  - `traefik-legacy-keys` (autofixable)
-  - `boot-limit-exceeds-hosts`
-  - `accessory-host-undefined`
-  - `missing-service-name` (autofixable)
-  - `kamal-secrets-not-gitignored` (autofixable)
-  - `secret-in-env-clear`
-  - `missing-proxy-healthcheck`
-  - `accessory-image-latest`
-  - `registry-without-explicit-server`
-- Three output formatters: `human`, `json`, `github` (GitHub Actions annotations).
-- `--fix` for the safe autofix subset.
-- `-d/--destination` for linting destination override files.
-- Auto-detection of installed Kamal version with version-gated checks.
-- `kamal-lint` GitHub Action (composite) for one-line CI integration.
-
-[Unreleased]: https://github.com/davafons/kamal-lint/compare/v0.1.0...HEAD
-[0.1.0]: https://github.com/davafons/kamal-lint/releases/tag/v0.1.0
+<https://github.com/davafons/kamal-lint/releases>

data/README.md

@@ -7,184 +7,129 @@
   <a href="https://rubygems.org/gems/kamal-lint"><img src="https://img.shields.io/gem/dt/kamal-lint" alt="Downloads"></a>
 </p>
 
-Static linter for [Kamal](https://kamal-deploy.org) `config/deploy.yml`. Catches cross-section bugs and smells that Kamal itself silently allows — undeclared secrets, accessory/role mismatches, registry inconsistencies, and more — before a single SSH connection happens.
+Static linter for [Kamal](https://kamal-deploy.org) `config/deploy.yml`. Catches missing secrets, role/registry mismatches, and proxy footguns that Kamal silently allows.
 
-```
-$ bundle exec kamal-lint
-kamal-lint 0.1.0 · kamal 2.11.0 detected
-  config:      config/deploy.yml
-
-✖ error   config/deploy.yml:9
-    env.secret references `RAILS_MASTER_KEY` but it isn't declared in .kamal/secrets
-    [secret-not-declared]
-
-⚠ warning config/deploy.yml:18 (autofixable)
-    `traefik:` block is Kamal 1.x legacy and is ignored in Kamal 2+; use `proxy:` instead
-    [traefik-legacy-keys]
-
-Summary: 1 error, 1 warning, 1 autofixable
-```
-
-## Why
-
-Kamal's own loader only checks "does this YAML parse into my schema?" It happily accepts a config that references secrets you never declared, points at registries you don't use, names roles that don't exist, or still uses Kamal 1.x `traefik:` keys. By the time you find out, you've already shipped a broken deploy.
-
-`kamal-lint` runs in CI (or pre-commit) and catches these before they hit production.
+<p align="center">
+  <img src="docs/preview.svg" alt="kamal-lint output sample" width="760">
+</p>
 
 ## Install
 
-Add to your project's `Gemfile`:
-
 ```ruby
+# Gemfile
 group :development, :test do
   gem "kamal-lint", require: false
 end
 ```
 
-Then:
-
 ```bash
-bundle install
 bundle exec kamal-lint
 ```
 
-Or install globally:
+## Usage
+
+**Default: lint base + every destination override at once.**
 
 ```bash
-gem install kamal-lint
-kamal-lint
+bundle exec kamal-lint
 ```
 
-## Usage
+Auto-discovers `config/deploy.*.yml` files next to your base `config/deploy.yml` and lints each (base alone, then each destination merged onto base). Output groups findings by destination — bugs that live in a `deploy.production.yml` override show up *only* under `[production]`:
 
 ```
-bundle exec kamal-lint [OPTIONS]
-
-  -c, --config-file PATH    Path to deploy.yml (default: config/deploy.yml)
-  -d, --destination NAME    Lint with destination override applied
-                              (e.g. -d production → config/deploy.production.yml)
-  -f, --format FORMAT       human (default) | json | github
-      --fail-on LEVEL       error | warning (default) | info
-      --fix                 Apply safe autofixes in-place
-      --kamal-version VER   Override detected Kamal version
-      --include-kamal-errors  Also surface errors from Kamal's own loader
-                                (off by default; use `kamal config` for that)
-      --no-color            Disable colored output
-      --list-checks         Print all registered checks
-      --version             Print kamal-lint version
-```
-
-### Exit codes
+[base]       config/deploy.yml
+  ✓ No issues found.
 
-| Code | Meaning |
-|------|---------|
-| `0`  | No findings at or above `--fail-on` severity |
-| `1`  | Findings present at or above `--fail-on` severity |
-| `2`  | Config file not found / unreadable |
-
-## Checks
+[production] config/deploy.production.yml
+  ⚠ warning  ...
+      `traefik:` block is Kamal 1.x legacy ...
 
-| ID | Severity | Autofixable | What it catches |
-|---|---|---|---|
-| `secret-not-declared` | error | | `env.secret` references a key absent from `.kamal/secrets` |
-| `accessory-role-undefined` | error | | accessory `roles:` lists a role not in `servers` |
-| `role-hosts-empty` | error | | a role under `servers:` has no hosts (silent no-op deploy) |
-| `image-registry-mismatch` | error | | `image:` registry prefix ≠ `builder.registry.server` |
-| `builder-registry-secret-undeclared` | error | | registry username/password references undeclared secret |
-| `ssl-without-host` | error | | `proxy.ssl: true` without `host:` (Let's Encrypt won't work) |
-| `empty-web-role` | error | | `servers:` empty or has no hosts in any role |
-| `accessory-placement-missing` | error | | accessory has no `host`/`hosts`/`roles` declared |
-| `missing-service-name` | error | ✓ | `service:` not set |
-| `traefik-legacy-keys` | warning | ✓ | Kamal 1.x `traefik:` block (silently ignored by Kamal 2+) |
-| `boot-limit-exceeds-hosts` | warning | | `boot.limit` greater than the number of hosts |
-| `kamal-secrets-not-gitignored` | warning | ✓ | `.kamal/secrets` exists but isn't gitignored |
-| `secret-in-env-clear` | warning | | `env.clear` value looks like a secret (`*_KEY`/`*_TOKEN`/`*_SECRET`/etc.) |
-| `missing-proxy-healthcheck` | warning | | `proxy:` block with no `healthcheck:` (no zero-downtime guarantee) |
-| `accessory-image-latest` | warning | | accessory pinned to `:latest` or unpinned |
-| `registry-without-explicit-server` | warning | | `registry.server` missing; image silently defaults to Docker Hub |
-
-Run `kamal-lint list-checks` for the same table in your terminal, including the Kamal version range each check applies to.
-
-## Autofix
-
-`--fix` rewrites your config in-place for the safe subset:
-
-- `traefik-legacy-keys` → translates `traefik:` to a `proxy:` block (host, ssl, app_port)
-- `missing-service-name` → infers `service:` from the project directory name
-- `kamal-secrets-not-gitignored` → appends `.kamal/secrets` to `.gitignore`
+[staging]    config/deploy.staging.yml
+  ✓ No issues found.
 
-```bash
-bundle exec kamal-lint --fix
+Summary: 1 warning across 3 configs
 ```
 
-> **Heads-up:** autofixes re-serialize your YAML, which means comments and exact formatting are not preserved. Run on a clean working tree so you can review the diff. Anything riskier (e.g. moving env.clear values to env.secret) stays manual on purpose.
+Exits `1` if any findings are at or above `--fail-on` (default: `warning`), `0` otherwise.
 
-## Destination overrides
+**Narrow to a single destination:**
 
 ```bash
 bundle exec kamal-lint -d production
 ```
 
-Loads `config/deploy.yml`, deep-merges `config/deploy.production.yml` on top, then runs the full check suite against the merged config. Lets you catch staging/production-only issues without running `kamal deploy`.
-
-## CI / GitHub Actions
+Useful in CI matrix jobs or when debugging one destination. Skips auto-discovery; only lints `deploy.yml + deploy.production.yml`.
 
-Drop this into `.github/workflows/lint.yml`:
+**Other knobs:**
 
-```yaml
-name: kamal-lint
-on: [push, pull_request]
-jobs:
-  kamal-lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
-      - run: bundle exec kamal-lint --format=github
+```bash
+bundle exec kamal-lint -c infra/deploy.yml      # non-default config path
+bundle exec kamal-lint list-checks              # show every registered check
+bundle exec kamal-lint --format=json            # machine-readable output
+bundle exec kamal-lint --include-kamal-errors   # also surface Kamal's loader errors
 ```
 
-The `--format=github` emits GitHub Actions workflow commands so findings show up as inline annotations on the changed file.
-
-A composite Action wrapper is also published in this repo at `action.yml`:
+**In CI:**
 
 ```yaml
-- uses: davafons/kamal-lint@v0
+- uses: davafons/kamal-lint@v0.1.0
   with:
-    config-file: config/deploy.yml
-    destination: production
     fail-on: warning
 ```
 
-## Kamal version support
+`--format=github` is set automatically so findings show as inline annotations in the PR view. By default the action lints all destinations; set `destination: production` to narrow.
 
-`kamal-lint` reuses your installed Kamal's loader for the parse layer — it auto-tracks whatever Kamal version is in your `Gemfile.lock`. Each check declares a `since:` / `until_version:` range so the registry filters checks to those applicable to your version.
-
-| kamal-lint | supported kamal |
-|---|---|
-| `0.1.x` | `>= 2.0`, `< 3.0` |
+## Checks
 
-Override detection with `--kamal-version 2.5.0` when needed (e.g. for CI matrix runs).
+| ID | Severity | What it catches |
+|---|---|---|
+| `secret-not-declared` | error | `env.secret` (top-level or per-accessory) references a key that isn't declared in `.kamal/secrets`. Kamal would fail at deploy time. |
+| `accessory-role-undefined` | error | An accessory's `roles:` lists a role name that isn't defined under `servers:`. The accessory won't deploy to anything. |
+| `role-hosts-empty` | error | A role under `servers:` has no hosts. Deploys to that role silently no-op. |
+| `image-registry-mismatch` | error | `image:` doesn't include the prefix of `registry.server`. Kamal would push/pull from the wrong registry. (Docker Hub is exempt — unprefixed images resolve there automatically.) |
+| `builder-registry-secret-undeclared` | error | `registry.username` or `registry.password` references a secret name that isn't in `.kamal/secrets`. |
+| `ssl-without-host` | error | `proxy.ssl: true` without a `host:` (or `hosts:`). Let's Encrypt provisioning has nothing to issue against. |
+| `empty-web-role` | error | `servers:` is empty or every role has no hosts. Nothing would be deployed. |
+| `accessory-placement-missing` | error | An accessory has none of `host`, `hosts`, or `roles` declared, so Kamal has no idea where to put it. |
+| `missing-service-name` | error | `service:` is not set. Kamal can't name the container. |
+| `traefik-legacy-keys` | warning | A `traefik:` block is still present. Kamal 2+ uses `proxy:` and silently ignores the old block. |
+| `boot-limit-exceeds-hosts` | warning | `boot.limit` is greater than the total number of hosts, so the rolling-deploy limit has no effect. |
+| `kamal-secrets-not-gitignored` | warning | `.kamal/secrets` exists in the repo but isn't matched by `.gitignore`. Real credentials are one `git add .` away from a commit. |
+| `secret-in-env-clear` | warning | A key in `env.clear` looks like a secret (`*_KEY`, `*_TOKEN`, `*_SECRET`, `*PASSWORD*`). Move it to `env.secret` + `.kamal/secrets`. |
+| `missing-proxy-healthcheck` | warning | The `proxy:` block has no `healthcheck:`. Kamal-proxy can't verify a new release before cutting traffic — zero-downtime deploys may fail. |
+| `accessory-image-latest` | warning | An accessory's `image:` is pinned to `:latest` (or has no tag). Updates can change unexpectedly between deploys. |
+| `registry-without-explicit-server` | warning | `registry` is set but `registry.server` isn't. Kamal silently defaults to Docker Hub. |
+| `kamal-parse-error` | error | *Opt-in.* Surfaces errors from Kamal's own loader. Enable with `--include-kamal-errors`. Useful in CI as a complement to `kamal config`. |
+
+Reasoning behind each finding is also in the message text — paste a finding into search and you'll usually land on the relevant Kamal doc.
+
+## Flags
 
-## Development
-
-```bash
-bin/setup     # bundle install
-bin/test      # run the test suite
-bin/console   # IRB with kamal-lint loaded
+```
+-c, --config-file PATH      config/deploy.yml
+-d, --destination NAME      lint deploy.<name>.yml merged onto base
+-f, --format FORMAT         human | json | github
+    --fail-on LEVEL         error | warning | info
+    --kamal-version VER     override detected Kamal version
+    --include-kamal-errors  also surface Kamal's loader errors
 ```
 
-To lint the gem's own source:
+Exit codes: `0` clean · `1` findings at/above `--fail-on` · `2` config missing.
 
-```bash
-BUNDLE_ONLY=rubocop bundle exec rubocop
-```
+## Kamal versions
 
-## Contributing
+| kamal-lint | kamal | tested against |
+|---|---|---|
+| `0.1.x` | `>= 2.0`, `< 3.0` | latest 2.x |
 
-Bug reports and pull requests welcome at [github.com/davafons/kamal-lint](https://github.com/davafons/kamal-lint).
+`kamal-lint` reuses your installed Kamal's loader, so it auto-tracks whatever's in your `Gemfile.lock`. Older 2.x versions likely work but aren't covered by CI — if you hit a bug on an older Kamal, please [open an issue](https://github.com/davafons/kamal-lint/issues). Override the detected version with `--kamal-version 2.5.0` for matrix runs.
 
-## License
+## Development
+
+```bash
+bin/setup     # install
+bin/test      # run tests
+bin/console   # IRB with kamal-lint loaded
+```
 
-MIT. See [MIT-LICENSE](./MIT-LICENSE).
+Contributions: [CONTRIBUTING.md](./CONTRIBUTING.md) · Security: [SECURITY.md](./SECURITY.md) · License: [MIT](./MIT-LICENSE).

data/action.yml

@@ -58,4 +58,11 @@ runs:
         if [ "$KL_FIX" = "true" ]; then
           ARGS+=(--fix)
         fi
-        bundle exec kamal-lint "${ARGS[@]}"
+
+        # Prefer bundler if there's a Gemfile referencing kamal-lint;
+        # fall back to a globally-installed gem otherwise.
+        if [ -f Gemfile ] && bundle list 2>/dev/null | grep -q '^  \* kamal-lint '; then
+          bundle exec kamal-lint "${ARGS[@]}"
+        else
+          kamal-lint "${ARGS[@]}"
+        fi

data/lib/kamal/lint/check.rb

@@ -34,12 +34,6 @@ module Kamal
           @until_version
         end
 
-        # Mark this check as autofix-capable in the registry listing.
-        def autofixable(value = nil)
-          @autofixable = value unless value.nil?
-          @autofixable || false
-        end
-
         def applies_to?(kamal_version)
           return true if kamal_version.nil?
 
@@ -66,25 +60,20 @@ module Kamal
 
       private
 
-      def finding(message:, line: nil, column: nil, autofix: nil)
+      def finding(message:, line: nil, column: nil)
         Finding.new(
           check_id: self.class.id,
           severity: self.class.severity,
           message: message,
           file: context.file_for_finding,
           line: line,
-          column: column,
-          autofix: autofix
+          column: column
         )
       end
 
       def parsed
         context.parsed
       end
-
-      def secrets
-        context.secrets
-      end
     end
   end
 end

data/lib/kamal/lint/checks/image_registry_mismatch.rb

@@ -14,6 +14,9 @@ module Kamal
         # configured registry is Docker Hub under any of its canonical names.
         DOCKER_HUB_HOSTS = %w[docker.io index.docker.io registry.hub.docker.com].freeze
 
+        # A leading path segment is treated as a registry host when it contains
+        # a `.` or `:` (e.g. `ghcr.io`, `localhost:5000`) — Kamal sees that as
+        # a host and won't add the configured server in front of it.
         def call
           image = parsed["image"]
           registry = parsed["registry"] || parsed.dig("builder", "registry") || {}
@@ -23,11 +26,17 @@ module Kamal
           normalized_server = server.sub(%r{/+\z}, "")
           return [] if DOCKER_HUB_HOSTS.include?(normalized_server)
 
-          prefix = "#{normalized_server}/"
-          return [] if image.start_with?(prefix)
+          first_segment = image.split("/", 2).first.to_s
+          looks_like_host = first_segment.include?(".") || first_segment.include?(":")
+
+          # Unprefixed `org/repo` is the canonical Kamal style — the registry
+          # server is prepended automatically. Only flag when the image already
+          # carries a registry host that disagrees with `registry.server`.
+          return [] unless looks_like_host
+          return [] if image.start_with?("#{normalized_server}/")
 
           [ finding(
-            message: "image `#{image}` does not include the configured registry `#{server}`; Kamal will push to the wrong registry",
+            message: "image `#{image}` is prefixed with a registry host that disagrees with `registry.server: #{server}`; Kamal will push to the wrong registry",
             line: context.line_for([ "image" ])
           ) ]
         end

data/lib/kamal/lint/checks/kamal_parse_error.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Kamal
+  module Lint
+    module Checks
+      # Opt-in: surfaces errors from Kamal's own loader as findings.
+      # Off by default because Kamal's parse-level validation is what
+      # `kamal config` is for — the linter's value-add is the cross-section
+      # checks. Enabled with `--include-kamal-errors`.
+      class KamalParseError < Check
+        id "kamal-parse-error"
+        severity :error
+        since "2.0.0"
+        title "Kamal's own loader rejected this config"
+
+        def call
+          return [] unless context.include_kamal_errors
+          return [] unless context.kamal_load_error
+
+          [ finding(
+            message: "kamal could not load this config: #{context.kamal_load_error.message}",
+            line: 1
+          ) ]
+        end
+      end
+
+      Lint.registry.register(KamalParseError)
+    end
+  end
+end

data/lib/kamal/lint/checks/kamal_secrets_not_gitignored.rb

@@ -7,23 +7,27 @@ module Kamal
         id "kamal-secrets-not-gitignored"
         severity :warning
         since "2.0.0"
-        autofixable true
         title ".kamal/secrets is not in .gitignore"
 
         # We only flag when:
         #   - a .kamal/secrets file exists (so there's something to leak), AND
-        #   - it is NOT covered by .gitignore (or .gitignore is missing).
+        #   - it is NOT covered by .gitignore (or .gitignore is missing), AND
+        #   - it contains at least one raw literal value (not just shell
+        #     substitutions like `$(cmd)`, `${VAR}`, or `$VAR`). Files that
+        #     only reference secrets via substitution are safe to commit.
         def call
           return [] unless File.exist?(context.secrets_path)
           return [] if gitignored?
+          return [] unless contains_literal_secret?
 
           [ finding(
-            message: ".kamal/secrets exists but isn't ignored by .gitignore; you risk committing real secrets",
-            line: 1,
-            autofix: method(:apply_fix)
+            message: ".kamal/secrets exists but isn't ignored by .gitignore; add `.kamal/secrets` to .gitignore",
+            line: 1
           ) ]
         end
 
+        private
+
         def gitignored?
           return false unless File.exist?(context.gitignore_path)
 
@@ -39,14 +43,40 @@ module Kamal
           end
         end
 
-        def apply_fix(ctx)
-          path = ctx.gitignore_path
-          existing = File.exist?(path) ? File.read(path) : ""
-          existing = existing + "\n" unless existing.empty? || existing.end_with?("\n")
-          File.write(path, "#{existing}.kamal/secrets\n")
-          true
-        rescue => _e
-          false
+        # A value is "safe" when it sources its content from outside the file:
+        #   FOO=$(cmd ...)            # command substitution
+        #   FOO=${VAR:-fallback}      # parameter expansion
+        #   FOO=$VAR                  # plain variable
+        #   FOO=                      # empty
+        # Anything else (literal token, quoted string, fragment) is treated as
+        # a raw secret and triggers the finding.
+        SAFE_VALUE = /\A
+          \s*                         # leading whitespace
+          (?:
+            \z                          # empty
+            |
+            \$\(.*\)                    # $( ... )
+            |
+            \$\{.*\}                    # ${ ... }
+            |
+            \$[A-Za-z_][A-Za-z0-9_]*    # $VAR
+          )
+          \s*\z
+        /x
+
+        def contains_literal_secret?
+          return false unless File.exist?(context.secrets_path)
+
+          File.foreach(context.secrets_path).any? do |raw|
+            line = raw.strip
+            next false if line.empty? || line.start_with?("#")
+
+            line = line.sub(/\Aexport\s+/, "")
+            _name, eq, value = line.partition("=")
+            next false if eq.empty?
+
+            !SAFE_VALUE.match?(value)
+          end
         end
       end
 

data/lib/kamal/lint/checks/missing_service_name.rb

@@ -7,7 +7,6 @@ module Kamal
         id "missing-service-name"
         severity :error
         since "2.0.0"
-        autofixable true
         title "`service:` is required and missing"
 
         def call
@@ -16,28 +15,9 @@ module Kamal
 
           [ finding(
             message: "`service:` is required; without it Kamal can't name the deployed container",
-            line: 1,
-            autofix: method(:apply_fix)
+            line: 1
           ) ]
         end
-
-        def apply_fix(ctx)
-          file = ctx.file_for_finding
-          text = File.read(file)
-          parsed = YAML.safe_load(text, aliases: true) || {}
-          return false if parsed["service"].is_a?(String) && !parsed["service"].empty?
-
-          name = File.basename(ctx.working_dir).gsub(/[^A-Za-z0-9_-]/, "-")
-          return false if name.empty?
-
-          # Parse-and-dump so the fix composes safely with other autofixes
-          # that may also rewrite the file. The trade-off is that comments
-          # in the original YAML are lost — documented in the README.
-          File.write(file, YAML.dump({ "service" => name }.merge(parsed)))
-          true
-        rescue
-          false
-        end
       end
 
       Lint.registry.register(MissingServiceName)

data/lib/kamal/lint/checks/traefik_legacy_keys.rb

@@ -7,49 +7,16 @@ module Kamal
         id "traefik-legacy-keys"
         severity :warning
         since "2.0.0"
-        autofixable true
         title "Kamal 1.x `traefik:` keys present (use `proxy:` in Kamal 2+)"
 
         def call
           return [] unless parsed.key?("traefik")
 
           [ finding(
-            message: "`traefik:` block is Kamal 1.x legacy and is ignored in Kamal 2+; use `proxy:` instead",
-            line: context.line_for([ "traefik" ]),
-            autofix: method(:apply_fix)
+            message: "`traefik:` block is Kamal 1.x legacy and is ignored in Kamal 2+; replace it with a `proxy:` block",
+            line: context.line_for([ "traefik" ])
           ) ]
         end
-
-        def apply_fix(ctx)
-          file = ctx.file_for_finding
-          text = File.read(file)
-          parsed = YAML.safe_load(text, aliases: true) || {}
-          return false unless parsed.is_a?(Hash) && parsed.key?("traefik")
-
-          traefik = parsed.delete("traefik") || {}
-          proxy = parsed["proxy"] || {}
-
-          # Conservative translation:
-          # - traefik.host           → proxy.host
-          # - traefik.ssl_redirect   → proxy.ssl: true (Kamal 2 handles SSL via proxy.ssl)
-          # - traefik.args.entryPoints.address: ":<port>" → proxy.app_port: <port>
-          if (host = traefik["host"]) && !proxy["host"]
-            proxy["host"] = host
-          end
-          if traefik["ssl_redirect"] == true || traefik.dig("args", "entrypoints.websecure.address")
-            proxy["ssl"] = true unless proxy.key?("ssl")
-          end
-          if (addr = traefik.dig("args", "entrypoints.web.address")) && addr.is_a?(String)
-            port = addr.scan(/\d+/).first
-            proxy["app_port"] = port.to_i if port && !proxy.key?("app_port")
-          end
-
-          parsed["proxy"] = proxy unless proxy.empty?
-          File.write(file, YAML.dump(parsed))
-          true
-        rescue => _e
-          false
-        end
       end
 
       Lint.registry.register(TraefikLegacyKeys)