@intentius/chant-lexicon-gcp 0.0.15

package/src/lint/post-synth/wgc203.ts

@@ -0,0 +1,44 @@
+/**
+ * WGC203: GKE node pool with cloud-platform OAuth scope
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc203: PostSynthCheck = {
+  id: "WGC203",
+  description: "ContainerNodePool using overly broad cloud-platform OAuth scope",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ContainerNodePool") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const nodeConfig = spec.nodeConfig as Record<string, unknown> | undefined;
+        const oauthScopes = nodeConfig?.oauthScopes as string[] | undefined;
+
+        if (Array.isArray(oauthScopes) && oauthScopes.some(s =>
+          (typeof s === "string" && s.includes("cloud-platform")) ||
+          (typeof s === "object" && s !== null && JSON.stringify(s).includes("cloud-platform")),
+        )) {
+          diagnostics.push({
+            checkId: "WGC203",
+            severity: "warning",
+            message: `ContainerNodePool "${getResourceName(manifest)}" uses cloud-platform OAuth scope — this grants overly broad access; prefer workload identity with fine-grained IAM`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc204.ts

@@ -0,0 +1,39 @@
+/**
+ * WGC204: ComputeInstance without shielded VM config
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests, getSpec, getResourceName } from "./gcp-helpers";
+
+export const wgc204: PostSynthCheck = {
+  id: "WGC204",
+  description: "ComputeInstance without shielded VM configuration",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      for (const manifest of parseGcpManifests(output)) {
+        if (manifest.kind !== "ComputeInstance") continue;
+
+        const spec = getSpec(manifest);
+        if (!spec) continue;
+
+        const shieldedConfig = spec.shieldedInstanceConfig as Record<string, unknown> | undefined;
+        if (!shieldedConfig) {
+          diagnostics.push({
+            checkId: "WGC204",
+            severity: "info",
+            message: `ComputeInstance "${getResourceName(manifest)}" has no shielded VM configuration — consider enabling secureboot, vtpm, and integrity monitoring`,
+            entity: getResourceName(manifest),
+            lexicon: "gcp",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc301.ts

@@ -0,0 +1,34 @@
+/**
+ * WGC301: No audit logging config (IAMAuditConfig) in output
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc301: PostSynthCheck = {
+  id: "WGC301",
+  description: "No IAMAuditConfig resource found in output — audit logging may not be configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasAuditConfig = manifests.some(m => m.kind === "IAMAuditConfig");
+      if (!hasAuditConfig) {
+        diagnostics.push({
+          checkId: "WGC301",
+          severity: "info",
+          message: "No IAMAuditConfig resource found — consider adding audit logging for compliance",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc302.ts

@@ -0,0 +1,34 @@
+/**
+ * WGC302: Service API not explicitly enabled
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc302: PostSynthCheck = {
+  id: "WGC302",
+  description: "No Service resource found — GCP APIs may not be explicitly enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasService = manifests.some(m => m.kind === "Service" && m.apiVersion?.includes("serviceusage.cnrm"));
+      if (!hasService) {
+        diagnostics.push({
+          checkId: "WGC302",
+          severity: "info",
+          message: "No Service (serviceusage) resource found — consider explicitly enabling required GCP APIs",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgc303.ts

@@ -0,0 +1,37 @@
+/**
+ * WGC303: Missing VPC Service Controls perimeter
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseGcpManifests } from "./gcp-helpers";
+
+export const wgc303: PostSynthCheck = {
+  id: "WGC303",
+  description: "No AccessContextManager ServicePerimeter found — VPC Service Controls not configured",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      if (typeof output !== "string") continue;
+
+      const manifests = parseGcpManifests(output);
+      if (manifests.length === 0) continue;
+
+      const hasPerimeter = manifests.some(m =>
+        m.kind === "AccessContextManagerServicePerimeter" ||
+        (m.apiVersion?.includes("accesscontextmanager") && m.kind?.includes("ServicePerimeter")),
+      );
+      if (!hasPerimeter) {
+        diagnostics.push({
+          checkId: "WGC303",
+          severity: "info",
+          message: "No VPC Service Controls perimeter found — consider adding for data exfiltration protection",
+          lexicon: "gcp",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/rules/hardcoded-project.ts

@@ -0,0 +1,58 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC001: Hardcoded GCP Project ID
+ *
+ * Detects hardcoded GCP project IDs in code.
+ * Project IDs should use GCP.ProjectId pseudo-parameter instead.
+ */
+export const hardcodedProjectRule: LintRule = {
+  id: "WGC001",
+  severity: "warning",
+  category: "security",
+  description: "Detects hardcoded GCP project IDs — use GCP.ProjectId pseudo-parameter instead",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    // GCP project ID pattern: lowercase letters, digits, hyphens, 6-30 chars
+    // We look for strings in annotation contexts like "cnrm.cloud.google.com/project-id"
+    const projectIdPattern = /^[a-z][a-z0-9-]{4,28}[a-z0-9]$/;
+
+    // Common false positives
+    const falsePositives = new Set([
+      "chant", "default", "kube-system", "kube-public", "kube-node-lease",
+      "config-connector", "cnrm-system", "my-project",
+    ]);
+
+    function visit(node: ts.Node): void {
+      if (ts.isPropertyAssignment(node) || ts.isPropertyDeclaration(node)) {
+        const propName = node.name?.getText(sourceFile) ?? "";
+        // Only flag project-id annotation values
+        if (propName.includes("project-id") || propName.includes("projectId") || propName === '"cnrm.cloud.google.com/project-id"') {
+          const initializer = ts.isPropertyAssignment(node) ? node.initializer : undefined;
+          if (initializer && ts.isStringLiteral(initializer)) {
+            const value = initializer.text;
+            if (projectIdPattern.test(value) && !falsePositives.has(value)) {
+              const { line, character } = sourceFile.getLineAndCharacterOfPosition(initializer.getStart());
+              diagnostics.push({
+                file: sourceFile.fileName,
+                line: line + 1,
+                column: character + 1,
+                ruleId: "WGC001",
+                severity: "warning",
+                message: `Hardcoded project ID "${value}" detected. Use GCP.ProjectId pseudo-parameter instead.`,
+              });
+            }
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/hardcoded-region.ts

@@ -0,0 +1,56 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC002: Hardcoded GCP Region/Zone
+ *
+ * Detects hardcoded GCP region and zone strings in code.
+ * Regions/zones should use GCP.Region or GCP.Zone pseudo-parameters instead.
+ */
+export const hardcodedRegionRule: LintRule = {
+  id: "WGC002",
+  severity: "warning",
+  category: "security",
+  description: "Detects hardcoded GCP region/zone strings — use GCP.Region/GCP.Zone pseudo-parameters instead",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    // GCP region pattern: continent-direction[N] (e.g., us-central1, europe-west4)
+    const regionPattern = /^(us|europe|asia|australia|southamerica|northamerica|me|africa)-(central|east|west|south|north|northeast|southeast|southwest|northwest)\d+$/;
+    // GCP zone pattern: region-[a-f] (e.g., us-central1-a)
+    const zonePattern = /^(us|europe|asia|australia|southamerica|northamerica|me|africa)-(central|east|west|south|north|northeast|southeast|southwest|northwest)\d+-[a-f]$/;
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const value = node.text;
+        if (zonePattern.test(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC002",
+            severity: "warning",
+            message: `Hardcoded zone "${value}" detected. Use GCP.Zone pseudo-parameter instead.`,
+          });
+        } else if (regionPattern.test(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC002",
+            severity: "warning",
+            message: `Hardcoded region "${value}" detected. Use GCP.Region pseudo-parameter instead.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/index.ts

@@ -0,0 +1,3 @@
+export { hardcodedProjectRule } from "./hardcoded-project";
+export { hardcodedRegionRule } from "./hardcoded-region";
+export { publicIamRule } from "./public-iam";

package/src/lint/rules/public-iam.ts

@@ -0,0 +1,43 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+/**
+ * WGC003: Public IAM Binding
+ *
+ * Warns on allUsers or allAuthenticatedUsers IAM bindings,
+ * which grant public access to GCP resources.
+ */
+export const publicIamRule: LintRule = {
+  id: "WGC003",
+  severity: "warning",
+  category: "security",
+  description: "Warns on allUsers/allAuthenticatedUsers IAM members — grants public access",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    const publicMembers = new Set(["allUsers", "allAuthenticatedUsers"]);
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const value = node.text;
+        if (publicMembers.has(value)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "WGC003",
+            severity: "warning",
+            message: `Public IAM member "${value}" detected. This grants access to everyone${value === "allAuthenticatedUsers" ? " with a Google account" : " on the internet"}.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/rules.test.ts

@@ -0,0 +1,63 @@
+import { describe, test, expect } from "bun:test";
+import { hardcodedProjectRule } from "./hardcoded-project";
+import { hardcodedRegionRule } from "./hardcoded-region";
+import { publicIamRule } from "./public-iam";
+import * as ts from "typescript";
+
+function makeContext(code: string) {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile };
+}
+
+describe("WGC001: hardcoded project", () => {
+  test("has correct id and severity", () => {
+    expect(hardcodedProjectRule.id).toBe("WGC001");
+    expect(hardcodedProjectRule.severity).toBe("warning");
+  });
+});
+
+describe("WGC002: hardcoded region", () => {
+  test("detects hardcoded region", () => {
+    const ctx = makeContext('const region = "us-central1";');
+    const diags = hardcodedRegionRule.check(ctx);
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].ruleId).toBe("WGC002");
+    expect(diags[0].message).toContain("us-central1");
+  });
+
+  test("detects hardcoded zone", () => {
+    const ctx = makeContext('const zone = "us-central1-a";');
+    const diags = hardcodedRegionRule.check(ctx);
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].message).toContain("us-central1-a");
+  });
+
+  test("no diagnostics for non-region strings", () => {
+    const ctx = makeContext('const name = "my-app";');
+    const diags = hardcodedRegionRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});
+
+describe("WGC003: public IAM", () => {
+  test("detects allUsers", () => {
+    const ctx = makeContext('const member = "allUsers";');
+    const diags = publicIamRule.check(ctx);
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].ruleId).toBe("WGC003");
+    expect(diags[0].message).toContain("allUsers");
+  });
+
+  test("detects allAuthenticatedUsers", () => {
+    const ctx = makeContext('const member = "allAuthenticatedUsers";');
+    const diags = publicIamRule.check(ctx);
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].message).toContain("allAuthenticatedUsers");
+  });
+
+  test("no diagnostics for normal member", () => {
+    const ctx = makeContext('const member = "user:admin@example.com";');
+    const diags = publicIamRule.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lsp/completions.test.ts

@@ -0,0 +1,67 @@
+import { describe, test, expect } from "bun:test";
+import { existsSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const pkgDir = dirname(dirname(dirname(fileURLToPath(import.meta.url))));
+const lexiconPath = join(pkgDir, "src", "generated", "lexicon-gcp.json");
+const hasGenerated = existsSync(lexiconPath) && (() => {
+  try {
+    const content = JSON.parse(readFileSync(lexiconPath, "utf-8"));
+    return Object.keys(content).length > 0;
+  } catch { return false; }
+})();
+
+describe("gcpCompletions", () => {
+  test("returns empty for non-constructor context", async () => {
+    const { gcpCompletions } = await import("./completions");
+    const items = gcpCompletions({
+      uri: "file:///a.ts",
+      content: "const x = 42",
+      position: { line: 0, character: 13 },
+      wordAtCursor: "42",
+      linePrefix: "const x = 42",
+    } as any);
+    expect(items).toHaveLength(0);
+  });
+
+  test.skipIf(!hasGenerated)(
+    "returns completions for 'new S' prefix including Storage*",
+    async () => {
+      const { gcpCompletions } = await import("./completions");
+      const result = gcpCompletions({
+        uri: "file:///test.ts",
+        content: "const x = new S",
+        linePrefix: "const x = new S",
+        wordAtCursor: "S",
+        position: { line: 0, character: 15 },
+      } as any);
+
+      expect(result).toBeDefined();
+      expect(Array.isArray(result)).toBe(true);
+      const labels = result.map((c: any) => c.label ?? c);
+      expect(labels.some((l: string) => l.startsWith("Storage"))).toBe(true);
+    },
+  );
+
+  test.skipIf(!hasGenerated)(
+    "returns completions for 'new Compute' including ComputeInstance",
+    async () => {
+      const { gcpCompletions } = await import("./completions");
+      const result = gcpCompletions({
+        uri: "file:///test.ts",
+        content: "const x = new Compute",
+        linePrefix: "const x = new Compute",
+        wordAtCursor: "Compute",
+        position: { line: 0, character: 21 },
+      } as any);
+
+      expect(result).toBeDefined();
+      expect(Array.isArray(result)).toBe(true);
+      if (result.length > 0) {
+        const labels = result.map((c: any) => c.label ?? c);
+        expect(labels.some((l: string) => l.includes("Compute"))).toBe(true);
+      }
+    },
+  );
+});

package/src/lsp/completions.ts

@@ -0,0 +1,17 @@
+import { createRequire } from "module";
+import type { CompletionContext, CompletionItem } from "@intentius/chant/lsp/types";
+import { LexiconIndex, lexiconCompletions, type LexiconEntry } from "@intentius/chant/lsp/lexicon-providers";
+const require = createRequire(import.meta.url);
+
+let cachedIndex: LexiconIndex | null = null;
+
+function getIndex(): LexiconIndex {
+  if (cachedIndex) return cachedIndex;
+  const data = require("../generated/lexicon-gcp.json") as Record<string, LexiconEntry>;
+  cachedIndex = new LexiconIndex(data);
+  return cachedIndex;
+}
+
+export function gcpCompletions(ctx: CompletionContext): CompletionItem[] {
+  return lexiconCompletions(ctx, getIndex(), "GCP Config Connector resource");
+}

package/src/lsp/hover.test.ts

@@ -0,0 +1,66 @@
+import { describe, test, expect } from "bun:test";
+import { existsSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const pkgDir = dirname(dirname(dirname(fileURLToPath(import.meta.url))));
+const lexiconPath = join(pkgDir, "src", "generated", "lexicon-gcp.json");
+const hasGenerated = existsSync(lexiconPath) && (() => {
+  try {
+    const content = JSON.parse(readFileSync(lexiconPath, "utf-8"));
+    return Object.keys(content).length > 0;
+  } catch { return false; }
+})();
+
+describe("gcpHover", () => {
+  test("returns undefined for unknown word", async () => {
+    const { gcpHover } = await import("./hover");
+    const info = gcpHover({
+      uri: "file:///a.ts",
+      content: "xyz",
+      position: { line: 0, character: 1 },
+      word: "NotAResource12345",
+      lineText: "xyz",
+    } as any);
+    expect(info).toBeUndefined();
+  });
+
+  test.skipIf(!hasGenerated)(
+    "returns hover info for StorageBucket",
+    async () => {
+      const { gcpHover } = await import("./hover");
+      const result = gcpHover({
+        word: "StorageBucket",
+        position: { line: 0, character: 0 },
+      } as any);
+
+      expect(result).toBeDefined();
+      if (result) {
+        expect(typeof result).toBe("object");
+      }
+    },
+  );
+
+  test.skipIf(!hasGenerated)(
+    "returns hover info for ComputeInstance",
+    async () => {
+      const { gcpHover } = await import("./hover");
+      const result = gcpHover({
+        word: "ComputeInstance",
+        position: { line: 0, character: 0 },
+      } as any);
+
+      expect(result).toBeDefined();
+    },
+  );
+
+  test.skipIf(!hasGenerated)("returns undefined for empty string", async () => {
+    const { gcpHover } = await import("./hover");
+    const result = gcpHover({
+      word: "",
+      position: { line: 0, character: 0 },
+    } as any);
+
+    expect(result).toBeUndefined();
+  });
+});

package/src/lsp/hover.ts

@@ -0,0 +1,54 @@
+import { createRequire } from "module";
+import type { HoverContext, HoverInfo } from "@intentius/chant/lsp/types";
+import { LexiconIndex, lexiconHover, type LexiconEntry } from "@intentius/chant/lsp/lexicon-providers";
+const require = createRequire(import.meta.url);
+
+let cachedIndex: LexiconIndex | null = null;
+
+function getIndex(): LexiconIndex {
+  if (cachedIndex) return cachedIndex;
+  const data = require("../generated/lexicon-gcp.json") as Record<string, LexiconEntry>;
+  cachedIndex = new LexiconIndex(data);
+  return cachedIndex;
+}
+
+export function gcpHover(ctx: HoverContext): HoverInfo | undefined {
+  return lexiconHover(ctx, getIndex(), resourceHover);
+}
+
+function resourceHover(className: string, entry: LexiconEntry): HoverInfo | undefined {
+  const lines: string[] = [];
+
+  lines.push(`**${className}**`);
+  lines.push("");
+  lines.push(`GCP Config Connector resource: \`${entry.resourceType}\``);
+
+  if (entry.apiVersion) {
+    lines.push(`API Version: \`${entry.apiVersion}\``);
+  }
+
+  if (entry.gvkKind) {
+    lines.push(`Kind: \`${entry.gvkKind}\``);
+  }
+
+  const customAttrs = Object.entries(entry.attrs ?? {})
+    .filter(([k]) => k !== "apiVersion" && k !== "kind" && k !== "name" && k !== "namespace" && k !== "uid");
+  if (customAttrs.length > 0) {
+    lines.push("");
+    lines.push("**Attributes:**");
+    for (const [key, value] of customAttrs) {
+      lines.push(`- \`${key}\` → \`${value}\``);
+    }
+  }
+
+  // Link to Config Connector docs
+  const parts = entry.resourceType.split("::");
+  if (parts.length >= 3) {
+    const service = parts[1].toLowerCase();
+    const kind = parts[2].toLowerCase();
+    lines.push("");
+    lines.push(`[Config Connector docs](https://cloud.google.com/config-connector/docs/reference/resource-docs/${service}/${service}${kind})`);
+  }
+
+  return { contents: lines.join("\n") };
+}

package/src/package-cli.ts

@@ -0,0 +1,24 @@
+#!/usr/bin/env bun
+/**
+ * Thin entry point for `bun run bundle` in lexicon-gcp.
+ * Generates src/generated/ files and writes dist/ bundle.
+ *
+ * NOTE: Uses top-level await (matching AWS/Azure pattern) to avoid
+ * event loop references from async wrappers keeping the process alive.
+ */
+import { packageLexicon } from "./codegen/package";
+import { writeBundleSpec } from "@intentius/chant/codegen/package";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+
+const pkgDir = dirname(fileURLToPath(import.meta.url));
+const distDir = join(pkgDir, "..", "dist");
+
+const verbose = process.argv.includes("--verbose") || !process.argv.includes("--quiet");
+const force = process.argv.includes("--force");
+
+const { spec, stats } = await packageLexicon({ verbose, force });
+writeBundleSpec(spec, distDir);
+
+console.error(`Packaged ${stats.resources} resources, ${stats.ruleCount} rules, ${stats.skillCount} skills`);
+console.error(`dist/ written to ${distDir}`);