@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/lint/post-synth/ext001.test.ts

@@ -1,68 +1,251 @@
 import { describe, test, expect } from "bun:test";
-import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
 import { createPostSynthContext } from "@intentius/chant-test-utils";
-import { ext001 } from "./ext001";
+import { ext001, checkExtensionConstraints, type ExtensionConstraint } from "./ext001";
 
 function makeCtx(template: object) {
   return createPostSynthContext({ aws: template });
 }
 
+/** Synthetic constraint map — no disk dependency. */
+function fakeConstraints(): Map<string, ExtensionConstraint[]> {
+  return new Map([
+    ["AWS::EC2::Instance", [
+      {
+        name: "SubnetRequired",
+        type: "if_then",
+        condition: { required: ["InstanceType"] },
+        requirement: { required: ["SubnetId"] },
+      },
+      {
+        name: "SpotExcludesPlacement",
+        type: "dependent_excluded",
+        requirement: { InstanceMarketOptions: ["PlacementGroup"] },
+      },
+    ]],
+    ["AWS::ECS::Service", [
+      {
+        name: "LaunchTypeOrCapacity",
+        type: "required_xor",
+        requirement: ["LaunchType", "CapacityProviderStrategy"],
+      },
+    ]],
+    ["AWS::S3::Bucket", [
+      {
+        name: "EncryptionOrNotification",
+        type: "required_or",
+        requirement: ["BucketEncryption", "NotificationConfiguration"],
+      },
+    ]],
+  ]);
+}
+
 describe("EXT001: Extension Constraint Violation", () => {
   test("check metadata", () => {
     expect(ext001.id).toBe("EXT001");
     expect(ext001.description).toContain("constraint");
   });
 
-  test("no diagnostics on empty template", () => {
-    const ctx = makeCtx({ Resources: {} });
-    const diags = ext001.check(ctx);
+  // --- if_then ---
+
+  test("if_then: flags when condition matches and requirement missing", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("EXT001");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("SubnetRequired");
+    expect(diags[0].message).toContain("SubnetId");
+    expect(diags[0].entity).toBe("MyInstance");
+  });
+
+  test("if_then: no diagnostic when requirement satisfied", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro", SubnetId: "subnet-123" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    // SubnetRequired satisfied; SpotExcludesPlacement not triggered (no InstanceMarketOptions)
+    expect(diags).toHaveLength(0);
+  });
+
+  test("if_then: no diagnostic when condition does not match", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { ImageId: "ami-123" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 
-  test("no diagnostics on unknown resource type", () => {
+  // --- dependent_excluded ---
+
+  test("dependent_excluded: flags when both present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: {
+            InstanceMarketOptions: { MarketType: "spot" },
+            PlacementGroup: "my-group",
+            SubnetId: "subnet-123",
+            InstanceType: "t3.micro",
+          },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    const excluded = diags.filter((d) => d.message.includes("excludes"));
+    expect(excluded).toHaveLength(1);
+    expect(excluded[0].message).toContain("InstanceMarketOptions");
+    expect(excluded[0].message).toContain("PlacementGroup");
+  });
+
+  test("dependent_excluded: no diagnostic when excluded prop absent", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: {
+            InstanceMarketOptions: { MarketType: "spot" },
+            SubnetId: "subnet-123",
+            InstanceType: "t3.micro",
+          },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    const excluded = diags.filter((d) => d.message.includes("excludes"));
+    expect(excluded).toHaveLength(0);
+  });
+
+  // --- required_xor ---
+
+  test("required_xor: flags when neither present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: { ServiceName: "my-svc" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("exactly one of");
+    expect(diags[0].message).toContain("found 0");
+  });
+
+  test("required_xor: flags when both present", () => {
     const ctx = makeCtx({
       Resources: {
-        MyCustom: {
-          Type: "Custom::MyResource",
-          Properties: { Foo: "bar" },
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: {
+            LaunchType: "FARGATE",
+            CapacityProviderStrategy: [{}],
+          },
         },
       },
     });
-    const diags = ext001.check(ctx);
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("found 2");
+  });
+
+  test("required_xor: no diagnostic when exactly one present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySvc: {
+          Type: "AWS::ECS::Service",
+          Properties: { LaunchType: "FARGATE" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 
-  // The following tests exercise the constraint validation logic directly
-  // by testing the check function. Whether diagnostics fire depends on
-  // the lexicon having constraints for the resource types used.
-  // Since we may not have the lexicon JSON in test environments,
-  // we verify the function at least runs without errors.
-  test("handles resource with no properties gracefully", () => {
+  // --- required_or ---
+
+  test("required_or: flags when none present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("at least one of");
+  });
+
+  test("required_or: no diagnostic when one present", () => {
     const ctx = makeCtx({
       Resources: {
         MyBucket: {
           Type: "AWS::S3::Bucket",
+          Properties: { BucketEncryption: {} },
         },
       },
     });
-    // Should not throw, diagnostics depend on lexicon data
-    const diags = ext001.check(ctx);
-    expect(Array.isArray(diags)).toBe(true);
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  // --- Edge cases ---
+
+  test("no diagnostics for resource type not in constraints", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: { RoleName: "test" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty template", () => {
+    const ctx = makeCtx({ Resources: {} });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
+    expect(diags).toHaveLength(0);
+  });
+
+  test("returns empty when constraint map is empty", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyInstance: {
+          Type: "AWS::EC2::Instance",
+          Properties: { InstanceType: "t3.micro" },
+        },
+      },
+    });
+    const diags = checkExtensionConstraints(ctx, new Map());
+    expect(diags).toHaveLength(0);
   });
 
   test("handles invalid JSON output gracefully", () => {
-    const ctx: PostSynthContext = {
-      outputs: new Map([["aws", "not json"]]),
-      entities: new Map(),
-      buildResult: {
-        outputs: new Map([["aws", "not json"]]),
-        entities: new Map(),
-        warnings: [],
-        errors: [],
-        sourceFileCount: 0,
-      },
-    };
-    const diags = ext001.check(ctx);
+    const ctx = createPostSynthContext({ aws: "not json" as unknown as object });
+    const diags = checkExtensionConstraints(ctx, fakeConstraints());
     expect(diags).toHaveLength(0);
   });
 });

package/src/lint/post-synth/ext001.ts

@@ -11,10 +11,12 @@
  * - required_xor: exactly one of the listed properties must exist
  */
 
+import { readFileSync } from "fs";
+import { join } from "path";
 import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
 import { parseCFTemplate, type CFResource } from "./cf-refs";
 
-interface ExtensionConstraint {
+export interface ExtensionConstraint {
   name: string;
   type: "if_then" | "dependent_excluded" | "required_or" | "required_xor";
   condition?: unknown;
@@ -23,7 +25,7 @@ interface ExtensionConstraint {
 
 interface LexiconEntry {
   kind: string;
-  cfn?: string;
+  resourceType: string;
   constraints?: ExtensionConstraint[];
   [key: string]: unknown;
 }
@@ -34,10 +36,6 @@ interface LexiconEntry {
 function loadLexiconConstraints(): Map<string, ExtensionConstraint[]> {
   const map = new Map<string, ExtensionConstraint[]>();
   try {
-    const { readFileSync } = require("fs");
-    const { join, dirname } = require("path");
-    const { fileURLToPath } = require("url");
-
     // Navigate from src/lint/post-synth/ up to the package root
     const pkgDir = join(__dirname, "..", "..", "..");
     const lexiconPath = join(pkgDir, "src", "generated", "lexicon-aws.json");
@@ -45,8 +43,8 @@ function loadLexiconConstraints(): Map<string, ExtensionConstraint[]> {
     const data = JSON.parse(content) as Record<string, LexiconEntry>;
 
     for (const [_name, entry] of Object.entries(data)) {
-      if (entry.kind === "resource" && entry.cfn && entry.constraints && entry.constraints.length > 0) {
-        map.set(entry.cfn, entry.constraints);
+      if (entry.kind === "resource" && entry.resourceType && entry.constraints && entry.constraints.length > 0) {
+        map.set(entry.resourceType, entry.constraints);
       }
     }
   } catch {
@@ -195,28 +193,37 @@ function validateResource(
   return diagnostics;
 }
 
-export const ext001: PostSynthCheck = {
-  id: "EXT001",
-  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
-
-  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
-    const lexiconConstraints = loadLexiconConstraints();
-    if (lexiconConstraints.size === 0) return [];
+/**
+ * Core detection logic — exported for direct testing with synthetic data.
+ */
+export function checkExtensionConstraints(
+  ctx: PostSynthContext,
+  constraintMap: Map<string, ExtensionConstraint[]>,
+): PostSynthDiagnostic[] {
+  if (constraintMap.size === 0) return [];
 
-    const diagnostics: PostSynthDiagnostic[] = [];
+  const diagnostics: PostSynthDiagnostic[] = [];
 
-    for (const [_lexicon, output] of ctx.outputs) {
-      const template = parseCFTemplate(output);
-      if (!template?.Resources) continue;
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
 
-      for (const [logicalId, resource] of Object.entries(template.Resources)) {
-        const constraints = lexiconConstraints.get(resource.Type);
-        if (!constraints) continue;
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      const constraints = constraintMap.get(resource.Type);
+      if (!constraints) continue;
 
-        diagnostics.push(...validateResource(logicalId, resource, constraints));
-      }
+      diagnostics.push(...validateResource(logicalId, resource, constraints));
     }
+  }
+
+  return diagnostics;
+}
 
-    return diagnostics;
+export const ext001: PostSynthCheck = {
+  id: "EXT001",
+  description: "Extension constraint violation — cross-property validation from cfn-lint extension schemas",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkExtensionConstraints(ctx, loadLexiconConstraints());
   },
 };

package/src/lint/post-synth/waw013.test.ts

@@ -0,0 +1,120 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { STACK_OUTPUT_MARKER, type StackOutput } from "@intentius/chant/stack-output";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw013 } from "./waw013";
+
+function makeStackOutput(): StackOutput {
+  return {
+    [STACK_OUTPUT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "chant:output",
+    kind: "output",
+    sourceRef: {} as any,
+  };
+}
+
+function makeChildProject(opts: {
+  projectPath?: string;
+  childEntities?: Map<string, Declarable>;
+}): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath: opts.projectPath ?? "/tmp/child",
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+    buildResult: {
+      outputs: new Map(),
+      entities: opts.childEntities ?? new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+function makeCtx(entities: Map<string, Declarable>): PostSynthContext {
+  return {
+    outputs: new Map(),
+    entities,
+    buildResult: {
+      outputs: new Map(),
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW013: Child project has no stackOutput() exports", () => {
+  test("check metadata", () => {
+    expect(waw013.id).toBe("WAW013");
+    expect(waw013.description).toContain("stackOutput");
+  });
+
+  test("flags child project with no outputs", () => {
+    const child = makeChildProject({ childEntities: new Map() });
+    const ctx = makeCtx(new Map([["Network", child]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW013");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("Network");
+    expect(diags[0].message).toContain("no stackOutput()");
+    expect(diags[0].entity).toBe("Network");
+  });
+
+  test("no diagnostic when child has stackOutput", () => {
+    const childEntities = new Map<string, Declarable>([
+      ["subnetId", makeStackOutput()],
+    ]);
+    const child = makeChildProject({ childEntities });
+    const ctx = makeCtx(new Map([["Network", child]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic when no child projects", () => {
+    const ctx = makeCtx(new Map());
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("only flags children without outputs, not those with", () => {
+    const goodChild = makeChildProject({
+      projectPath: "/tmp/good",
+      childEntities: new Map([["out", makeStackOutput()]]),
+    });
+    const badChild = makeChildProject({
+      projectPath: "/tmp/bad",
+      childEntities: new Map(),
+    });
+    const ctx = makeCtx(new Map<string, Declarable>([
+      ["Good", goodChild],
+      ["Bad", badChild],
+    ]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Bad");
+  });
+
+  test("skips non-child-project entities", () => {
+    const plainEntity: Declarable = {
+      [DECLARABLE_MARKER]: true,
+      lexicon: "aws",
+      entityType: "AWS::S3::Bucket",
+    };
+    const ctx = makeCtx(new Map([["MyBucket", plainEntity]]));
+    const diags = waw013.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw014.test.ts

@@ -0,0 +1,121 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { Declarable } from "@intentius/chant/declarable";
+import { CHILD_PROJECT_MARKER, type ChildProjectInstance } from "@intentius/chant/child-project";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+import { waw014 } from "./waw014";
+
+function makeChildProject(projectPath = "/tmp/child"): ChildProjectInstance {
+  return {
+    [CHILD_PROJECT_MARKER]: true,
+    [DECLARABLE_MARKER]: true,
+    lexicon: "aws",
+    entityType: "AWS::CloudFormation::Stack",
+    kind: "resource",
+    projectPath,
+    logicalName: "Child",
+    outputs: {},
+    options: {},
+  };
+}
+
+function makeCtx(
+  entities: Map<string, Declarable>,
+  templateJson: string,
+): PostSynthContext {
+  const outputs = new Map<string, string>([["aws", templateJson]]);
+  return {
+    outputs,
+    entities,
+    buildResult: {
+      outputs,
+      entities,
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WAW014: Unreferenced Nested Stack Outputs", () => {
+  test("check metadata", () => {
+    expect(waw014.id).toBe("WAW014");
+    expect(waw014.description).toContain("outputs");
+  });
+
+  test("flags child whose outputs are never referenced in parent template", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject()],
+    ]);
+    // Parent template doesn't reference Network via Fn::GetAtt
+    const template = JSON.stringify({
+      Resources: {
+        Network: {
+          Type: "AWS::CloudFormation::Stack",
+          Properties: { TemplateURL: "network.json" },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW014");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("Network");
+    expect(diags[0].message).toContain("never referenced");
+    expect(diags[0].entity).toBe("Network");
+  });
+
+  test("no diagnostic when child outputs are referenced via Fn::GetAtt", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject()],
+    ]);
+    const template = JSON.stringify({
+      Resources: {
+        Network: {
+          Type: "AWS::CloudFormation::Stack",
+          Properties: { TemplateURL: "network.json" },
+        },
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            VpcConfig: {
+              SubnetIds: [{ "Fn::GetAtt": ["Network", "Outputs.SubnetId"] }],
+            },
+          },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic when no child projects", () => {
+    const ctx = makeCtx(new Map(), JSON.stringify({ Resources: {} }));
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags only unreferenced children, not referenced ones", () => {
+    const entities = new Map<string, Declarable>([
+      ["Network", makeChildProject("/tmp/net")],
+      ["Database", makeChildProject("/tmp/db")],
+    ]);
+    // Only Network is referenced
+    const template = JSON.stringify({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            SubnetId: { "Fn::GetAtt": ["Network", "Outputs.SubnetId"] },
+          },
+        },
+      },
+    });
+    const ctx = makeCtx(entities, template);
+    const diags = waw014.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("Database");
+  });
+});