@intentius/chant-lexicon-aws 0.1.13 → 0.1.15

package/src/import/live-export-io.test.ts

@@ -0,0 +1,61 @@
+import { describe, test, expect, vi, beforeEach } from "vitest";
+
+// AWS exportResources reaches the cloud through the runtime adapter's spawn
+// (not node:child_process), so the I/O seam is the runtime-adapter module.
+const spawnMock = vi.fn();
+vi.mock("@intentius/chant/runtime-adapter", () => ({
+  getRuntime: () => ({ spawn: spawnMock }),
+}));
+
+import { awsPlugin } from "../plugin";
+
+const liveTemplate = {
+  AWSTemplateFormatVersion: "2010-09-09",
+  Resources: {
+    MyBucket: {
+      Type: "AWS::S3::Bucket",
+      Properties: { BucketName: "my-bucket" },
+    },
+  },
+};
+
+describe("aws exportResources I/O glue (#160)", () => {
+  beforeEach(() => spawnMock.mockReset());
+
+  test("spawns `cloudformation get-template` for the env stack and maps the body", async () => {
+    spawnMock.mockResolvedValue({
+      stdout: JSON.stringify({ TemplateBody: liveTemplate }),
+      stderr: "",
+      exitCode: 0,
+    });
+    const ir = await awsPlugin.exportResources!({ environment: "prod" });
+    expect(spawnMock).toHaveBeenCalledTimes(1);
+    const argv = spawnMock.mock.calls[0][0] as string[];
+    expect(argv).toEqual(
+      expect.arrayContaining([
+        "aws", "cloudformation", "get-template",
+        "--stack-name", "prod",
+        "--output", "json",
+      ]),
+    );
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["MyBucket"]);
+  });
+
+  test("a non-zero exit throws with the stderr surfaced", async () => {
+    spawnMock.mockResolvedValue({
+      stdout: "",
+      stderr: "Stack with id ghost does not exist",
+      exitCode: 254,
+    });
+    await expect(awsPlugin.exportResources!({ environment: "ghost" })).rejects.toThrow(
+      /Failed to get template for stack "ghost".*does not exist/,
+    );
+  });
+
+  test("a stack with no TemplateBody throws", async () => {
+    spawnMock.mockResolvedValue({ stdout: JSON.stringify({}), stderr: "", exitCode: 0 });
+    await expect(awsPlugin.exportResources!({ environment: "prod" })).rejects.toThrow(
+      /no TemplateBody/,
+    );
+  });
+});

package/src/import/live-export.test.ts

@@ -0,0 +1,78 @@
+import { describe, expect, test } from "vitest";
+import { parseStackTemplate } from "./live-export";
+import { CFGenerator } from "./generator";
+
+// Mimics what `aws cloudformation get-template --output json` returns:
+// a JSON object under TemplateBody.
+const liveTemplate = {
+  AWSTemplateFormatVersion: "2010-09-09",
+  Resources: {
+    MyBucket: {
+      Type: "AWS::S3::Bucket",
+      Properties: { BucketName: "my-bucket", VersioningConfiguration: { Status: "Enabled" } },
+    },
+    MyQueue: {
+      Type: "AWS::SQS::Queue",
+      Properties: { QueueName: "my-queue" },
+    },
+  },
+};
+
+describe("AWS exportResources mapping (#115)", () => {
+  test("maps a live CloudFormation template body to export IR", () => {
+    const ir = parseStackTemplate(liveTemplate);
+    expect(ir.resources.map((r) => r.logicalId).sort()).toEqual(["MyBucket", "MyQueue"]);
+    const bucket = ir.resources.find((r) => r.logicalId === "MyBucket")!;
+    expect(bucket.type).toBe("AWS::S3::Bucket");
+    expect(bucket.properties.BucketName).toBe("my-bucket");
+  });
+
+  test("accepts a stringified template body (YAML-origin stacks)", () => {
+    const ir = parseStackTemplate(JSON.stringify(liveTemplate));
+    expect(ir.resources).toHaveLength(2);
+  });
+
+  test("selector by name narrows the export", () => {
+    const ir = parseStackTemplate(liveTemplate, { name: "MyQueue" });
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["MyQueue"]);
+  });
+
+  test("selector by type narrows the export", () => {
+    const ir = parseStackTemplate(liveTemplate, { type: "AWS::S3::Bucket" });
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["MyBucket"]);
+  });
+
+  test("owned filter keeps only resources carrying the chant marker (#120)", () => {
+    const mixed = {
+      AWSTemplateFormatVersion: "2010-09-09",
+      Resources: {
+        Mine: {
+          Type: "AWS::S3::Bucket",
+          Properties: {
+            BucketName: "mine",
+            Tags: [
+              { Key: "chant:managed-by", Value: "chant" },
+              { Key: "chant:stack", Value: "billing" },
+            ],
+          },
+        },
+        Theirs: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "theirs", Tags: [{ Key: "team", Value: "other" }] },
+        },
+      },
+    };
+    const ir = parseStackTemplate(mixed, undefined, true);
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["Mine"]);
+  });
+
+  test("export IR feeds CFGenerator (templateGenerator) unchanged", () => {
+    const ir = parseStackTemplate(liveTemplate);
+    const files = new CFGenerator().generate(ir);
+    expect(files.length).toBeGreaterThan(0);
+    const all = files.map((f) => f.content).join("\n");
+    // CFGenerator emits chant TypeScript (constructors), not raw CFN type strings.
+    expect(all).toContain("new Bucket(");
+    expect(all).toContain("BucketName");
+  });
+});

package/src/import/live-export.ts

@@ -0,0 +1,38 @@
+import type { ExportedTemplate, ResourceSelector } from "@intentius/chant/lexicon";
+import { hasOwnershipMarker, tagArrayToMap } from "@intentius/chant/ownership";
+import { CFParser } from "./parser";
+
+/**
+ * Map a live CloudFormation template body to full-fidelity export IR.
+ *
+ * `aws cloudformation get-template` returns the template body as a JSON object
+ * (for JSON templates) or a string (for YAML). `CFParser` already turns either
+ * into `TemplateIR` — the same IR the import path uses — so the result feeds
+ * `templateGenerator()` (CFGenerator) unchanged. Pure: all I/O stays in the
+ * caller.
+ */
+export function parseStackTemplate(
+  templateBody: unknown,
+  selector?: ResourceSelector,
+  owned?: boolean,
+): ExportedTemplate {
+  const content =
+    typeof templateBody === "string" ? templateBody : JSON.stringify(templateBody);
+  const ir = new CFParser().parse(content);
+
+  const hasSelector = selector && (selector.type !== undefined || selector.name !== undefined);
+  if (!hasSelector && !owned) return ir;
+
+  return {
+    ...ir,
+    resources: ir.resources.filter((r) => {
+      if (selector?.type !== undefined && r.type !== selector.type) return false;
+      if (selector?.name !== undefined && r.logicalId !== selector.name) return false;
+      if (owned) {
+        const tags = (r.properties as { Tags?: Array<{ Key?: string; Value?: unknown }> }).Tags;
+        if (!hasOwnershipMarker(tagArrayToMap(tags), "aws-tag")) return false;
+      }
+      return true;
+    }),
+  };
+}

package/src/lifecycle-integration.test.ts

@@ -0,0 +1,105 @@
+/**
+ * Cross-lexicon lifecycle integration (#163) — AWS row.
+ *
+ * Drives the REAL awsPlugin through core's live-import driver
+ * (`liveImportFromPlugins`) and the changeset path (`buildChangeSet`), with the
+ * cloud edge (the runtime adapter's spawn) mocked. Proves the seam between core
+ * and a real lexicon — not a `createMockPlugin` fixture.
+ */
+import { describe, test, expect, vi, beforeEach } from "vitest";
+import { mkdtempSync, rmSync, readdirSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+const spawnMock = vi.fn();
+vi.mock("@intentius/chant/runtime-adapter", () => ({
+  getRuntime: () => ({ spawn: spawnMock }),
+}));
+
+const { awsPlugin } = await import("./plugin");
+const { liveImportFromPlugins } = await import("@intentius/chant/cli/commands/import");
+const { buildChangeSet } = await import("@intentius/chant/lifecycle/change-set");
+
+const liveTemplate = {
+  AWSTemplateFormatVersion: "2010-09-09",
+  Resources: {
+    MyBucket: { Type: "AWS::S3::Bucket", Properties: { BucketName: "my-bucket" } },
+  },
+};
+
+const ok = (stdout: string) => ({ stdout, stderr: "", exitCode: 0 });
+
+describe("aws lifecycle integration (#163)", () => {
+  beforeEach(() => spawnMock.mockReset());
+
+  test("live-import driver: real exportResources → IR → generated source", async () => {
+    spawnMock.mockResolvedValue(ok(JSON.stringify({ TemplateBody: liveTemplate })));
+    const output = mkdtempSync(join(tmpdir(), "chant-aws-li-"));
+    try {
+      const result = await liveImportFromPlugins([awsPlugin], {
+        environment: "prod",
+        output,
+        force: true,
+      });
+      expect(result.success).toBe(true);
+      expect(result.generatedFiles.length).toBeGreaterThan(0);
+      const all = readdirSync(output)
+        .map((f) => readFileSync(join(output, f), "utf-8"))
+        .join("\n");
+      expect(all).toContain("new Bucket(");
+      expect(all).toContain("BucketName");
+    } finally {
+      rmSync(output, { recursive: true, force: true });
+    }
+  });
+
+  test("changeset path: real describeResources → buildChangeSet verdicts", async () => {
+    // describe-stack-resources then describe-stacks.
+    spawnMock.mockImplementation((argv?: string[]) => {
+      if (argv?.includes("describe-stack-resources")) {
+        return Promise.resolve(
+          ok(
+            JSON.stringify({
+              StackResources: [
+                {
+                  LogicalResourceId: "MyBucket",
+                  ResourceType: "AWS::S3::Bucket",
+                  PhysicalResourceId: "my-bucket",
+                  ResourceStatus: "CREATE_COMPLETE",
+                  Timestamp: "2026-01-01T00:00:00Z",
+                },
+              ],
+            }),
+          ),
+        );
+      }
+      return Promise.resolve(ok(JSON.stringify({ Stacks: [{ Outputs: [] }] })));
+    });
+
+    const observedNow = await awsPlugin.describeResources!({
+      environment: "prod",
+      buildOutput: "",
+      entityNames: ["MyBucket"],
+    });
+    expect(observedNow.MyBucket?.type).toBe("AWS::S3::Bucket");
+
+    // Declared "MyQueue" is absent from live → create; live "MyBucket" is
+    // undeclared and unmarked → adopt (never delete without ownership).
+    const cs = buildChangeSet("prod", {
+      declared: new Set(["MyQueue"]),
+      observedNow,
+      observedThen: undefined,
+    });
+    const byName = Object.fromEntries(cs.entries.map((e) => [e.name, e.action]));
+    expect(byName.MyQueue).toBe("create");
+    expect(byName.MyBucket).toBe("adopt");
+
+    // Declared + live with no drift → noop.
+    const cs2 = buildChangeSet("prod", {
+      declared: new Set(["MyBucket"]),
+      observedNow,
+      observedThen: undefined,
+    });
+    expect(cs2.entries.find((e) => e.name === "MyBucket")!.action).toBe("noop");
+  });
+});

package/src/plugin.ts

@@ -1,5 +1,5 @@
 import { createRequire } from "module";
-import type { LexiconPlugin, IntrinsicDef, ResourceMetadata } from "@intentius/chant/lexicon";
+import type { LexiconPlugin, IntrinsicDef, ResourceMetadata, ExportedTemplate, ResourceSelector } from "@intentius/chant/lexicon";
 const require = createRequire(import.meta.url);
 import type { LintRule } from "@intentius/chant/lint/rule";
 import type { TemplateParser } from "@intentius/chant/import/parser";
@@ -13,6 +13,7 @@ import { fileURLToPath } from "url";
 import { awsSerializer } from "./serializer";
 import { CFParser } from "./import/parser";
 import { CFGenerator } from "./import/generator";
+import { parseStackTemplate } from "./import/live-export";
 import { awsCompletions } from "./lsp/completions";
 import { awsHover } from "./lsp/hover";
 
@@ -475,11 +476,21 @@ aws cloudformation wait stack-update-complete --stack-name my-app-prod`,
     environment: string;
     buildOutput: string;
     entityNames: string[];
+    owned?: boolean;
   }): Promise<Record<string, ResourceMetadata>> {
     const { getRuntime } = await import("@intentius/chant/runtime-adapter");
     const rt = getRuntime();
     const resources: Record<string, ResourceMetadata> = {};
 
+    if (options.owned) {
+      // describe-stack-resources does not return tags, so ownership cannot be
+      // determined here. Degrade to detect-only rather than silently filtering.
+      // eslint-disable-next-line no-console
+      console.warn(
+        "[aws] ownership filter unavailable on describeResources (no tags from describe-stack-resources) — returning all; use `chant import --from <env> --owned` for ownership-filtered export",
+      );
+    }
+
     // Derive stack name: environment-based convention
     // Try to parse the build output to detect stack name from Metadata or use convention
     const stackName = `${options.environment}`;
@@ -556,6 +567,35 @@ aws cloudformation wait stack-update-complete --stack-name my-app-prod`,
     return resources;
   },
 
+  async exportResources(options: {
+    environment: string;
+    selector?: ResourceSelector;
+    owned?: boolean;
+  }): Promise<ExportedTemplate> {
+    const { getRuntime } = await import("@intentius/chant/runtime-adapter");
+    const rt = getRuntime();
+
+    // Same stack-name convention as describeResources.
+    const stackName = `${options.environment}`;
+
+    const result = await rt.spawn([
+      "aws", "cloudformation", "get-template",
+      "--stack-name", stackName,
+      "--template-stage", "Original",
+      "--output", "json",
+    ]);
+    if (result.exitCode !== 0) {
+      throw new Error(`Failed to get template for stack "${stackName}": ${result.stderr}`);
+    }
+
+    const parsed = JSON.parse(result.stdout) as { TemplateBody?: unknown };
+    if (parsed.TemplateBody === undefined) {
+      throw new Error(`Stack "${stackName}" returned no TemplateBody`);
+    }
+
+    return parseStackTemplate(parsed.TemplateBody, options.selector, options.owned);
+  },
+
   mcpTools() {
     return [
       {

package/src/serializer-ownership.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect } from "vitest";
+import { awsSerializer } from "./serializer";
+import { DECLARABLE_MARKER, type Declarable } from "@intentius/chant/declarable";
+import { AttrRef } from "@intentius/chant/attrref";
+
+class MockBucket implements Declarable {
+  readonly [DECLARABLE_MARKER] = true as const;
+  readonly lexicon = "aws";
+  readonly entityType = "AWS::S3::Bucket";
+  readonly arn: AttrRef;
+  readonly props: Record<string, unknown>;
+  constructor(props: Record<string, unknown> = {}) {
+    this.props = props;
+    this.arn = new AttrRef(this, "Arn");
+  }
+}
+
+describe("awsSerializer ownership stamping (#119)", () => {
+  test("stamps the ownership marker as tags when context.ownership is set", () => {
+    const entities = new Map<string, Declarable>([["MyBucket", new MockBucket({ BucketName: "b" })]]);
+    const out = awsSerializer.serialize(entities, [], { ownership: { stack: "billing", env: "prod" } });
+    const template = JSON.parse(out as string);
+    const tags = template.Resources.MyBucket.Properties.Tags as Array<{ Key: string; Value: string }>;
+    const byKey = Object.fromEntries(tags.map((t) => [t.Key, t.Value]));
+    expect(byKey["chant:managed-by"]).toBe("chant");
+    expect(byKey["chant:stack"]).toBe("billing");
+    expect(byKey["chant:env"]).toBe("prod");
+  });
+
+  test("no ownership context → no chant tags injected", () => {
+    const entities = new Map<string, Declarable>([["MyBucket", new MockBucket({ BucketName: "b" })]]);
+    const out = awsSerializer.serialize(entities, []);
+    const template = JSON.parse(out as string);
+    const tags = (template.Resources.MyBucket.Properties?.Tags ?? []) as Array<{ Key: string }>;
+    expect(tags.some((t) => t.Key.startsWith("chant:"))).toBe(false);
+  });
+});

package/src/serializer.ts

@@ -1,6 +1,7 @@
 import type { Declarable, CoreParameter } from "@intentius/chant/declarable";
 import { isPropertyDeclarable } from "@intentius/chant/declarable";
-import type { Serializer, SerializerResult } from "@intentius/chant/serializer";
+import type { Serializer, SerializerResult, SerializeContext } from "@intentius/chant/serializer";
+import { ownershipEntries, type OwnershipMarker } from "@intentius/chant/ownership";
 import type { LexiconOutput } from "@intentius/chant/lexicon-output";
 import { walkValue, type SerializerVisitor } from "@intentius/chant/serializer-walker";
 import { isChildProject, type ChildProjectInstance } from "@intentius/chant/child-project";
@@ -131,6 +132,7 @@ function serializeToTemplate(
   outputs?: LexiconOutput[],
   extraParameters?: Record<string, CFParameter>,
   extraOutputs?: Record<string, CFOutput>,
+  ownership?: OwnershipMarker,
 ): CFTemplate {
   const template: CFTemplate = {
     AWSTemplateFormatVersion: "2010-09-09",
@@ -148,8 +150,15 @@ function serializeToTemplate(
     entityNames.set(entity, name);
   }
 
-  // Collect default tags
+  // Collect default tags. The ownership marker is stamped as tags, seeded
+  // first so user default tags (and explicit per-resource tags) take precedence
+  // on key collisions.
   const defaultTagEntries: TagEntry[] = [];
+  if (ownership) {
+    for (const [Key, Value] of Object.entries(ownershipEntries("aws-tag", ownership))) {
+      defaultTagEntries.push({ Key, Value });
+    }
+  }
   for (const [, entity] of entities) {
     if (isDefaultTags(entity)) {
       defaultTagEntries.push(...entity.tags);
@@ -323,7 +332,9 @@ export const awsSerializer: Serializer = {
   name: "aws",
   rulePrefix: "WAW",
 
-  serialize(entities: Map<string, Declarable>, outputs?: LexiconOutput[]): string | SerializerResult {
+  serialize(entities: Map<string, Declarable>, outputs?: LexiconOutput[], context?: SerializeContext): string | SerializerResult {
+    const ownership = context?.ownership;
+
     // Check if any entities are child projects (nested stacks)
     const childProjects = new Map<string, ChildProjectInstance>();
     let hasChildProjects = false;
@@ -337,7 +348,7 @@ export const awsSerializer: Serializer = {
 
     // No nested stacks — use the simple path
     if (!hasChildProjects) {
-      const template = serializeToTemplate(entities, outputs);
+      const template = serializeToTemplate(entities, outputs, undefined, undefined, ownership);
       return JSON.stringify(template, null, 2);
     }
 
@@ -377,7 +388,7 @@ export const awsSerializer: Serializer = {
     }
 
     // Serialize the parent template (ChildProjectInstance entities become CF::Stack resources)
-    const parentTemplate = serializeToTemplate(entities, outputs, parentParams);
+    const parentTemplate = serializeToTemplate(entities, outputs, parentParams, undefined, ownership);
     const primary = JSON.stringify(parentTemplate, null, 2);
 
     return {