@intentius/chant-lexicon-gcp 0.0.16 → 0.0.22

package/src/import/import-fixtures.test.ts

@@ -0,0 +1,98 @@
+import { describe, test, expect } from "bun:test";
+import { GcpParser } from "./parser";
+import { GcpGenerator } from "./generator";
+
+const parser = new GcpParser();
+
+describe("GCP import with inline YAML fixtures", () => {
+  test("parses a single StorageBucket manifest", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+  uniformBucketLevelAccess: true
+`;
+    const ir = parser.parse(yaml);
+    expect(ir.resources).toHaveLength(1);
+    expect(ir.resources[0].logicalName).toBe("my-bucket");
+    expect(ir.resources[0].type).toContain("Bucket");
+  });
+
+  test("parses multi-document YAML into multiple resources", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeNetwork
+metadata:
+  name: my-network
+spec:
+  autoCreateSubnetworks: false
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeSubnetwork
+metadata:
+  name: my-subnet
+spec:
+  region: us-central1
+  ipCidrRange: "10.0.0.0/24"
+  networkRef:
+    name: my-network
+`;
+    const ir = parser.parse(yaml);
+    expect(ir.resources).toHaveLength(2);
+    expect(ir.resources[0].logicalName).toBe("my-network");
+    expect(ir.resources[1].logicalName).toBe("my-subnet");
+  });
+
+  test("skips non-Config-Connector resources", () => {
+    const yaml = `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deploy
+spec:
+  replicas: 3
+---
+apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const ir = parser.parse(yaml);
+    expect(ir.resources).toHaveLength(1);
+    expect(ir.resources[0].type).toContain("Bucket");
+  });
+
+  test("preserves spec properties in parsed IR", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    tier: db-f1-micro
+    backupConfiguration:
+      enabled: true
+`;
+    const ir = parser.parse(yaml);
+    expect(ir.resources).toHaveLength(1);
+    expect(ir.resources[0].properties.databaseVersion).toBe("POSTGRES_15");
+  });
+
+  test("round-trips through parser and generator", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const ir = parser.parse(yaml);
+    const generator = new GcpGenerator();
+    const ts = generator.generate(ir);
+    expect(ts).toContain("Bucket");
+    expect(ts).toContain("import");
+  });
+});

package/src/lint/post-synth/gcp-helpers.test.ts

@@ -0,0 +1,166 @@
+import { describe, test, expect } from "bun:test";
+import {
+  parseGcpManifests,
+  isConfigConnectorResource,
+  getSpec,
+  getAnnotations,
+  getResourceName,
+  findResourceRefs,
+} from "./gcp-helpers";
+
+describe("parseGcpManifests", () => {
+  test("parses single document", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const manifests = parseGcpManifests(yaml);
+    expect(manifests).toHaveLength(1);
+    expect(manifests[0].kind).toBe("StorageBucket");
+    expect(manifests[0].metadata?.name).toBe("my-bucket");
+  });
+
+  test("parses multi-document YAML", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: bucket-a
+spec:
+  location: US
+---
+apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: bucket-b
+spec:
+  location: EU
+`;
+    const manifests = parseGcpManifests(yaml);
+    expect(manifests).toHaveLength(2);
+    expect(manifests[0].metadata?.name).toBe("bucket-a");
+    expect(manifests[1].metadata?.name).toBe("bucket-b");
+  });
+
+  test("skips empty documents", () => {
+    const yaml = `---
+---
+apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+---
+`;
+    const manifests = parseGcpManifests(yaml);
+    expect(manifests).toHaveLength(1);
+  });
+
+  test("returns empty array for empty input", () => {
+    const manifests = parseGcpManifests("");
+    expect(manifests).toHaveLength(0);
+  });
+});
+
+describe("isConfigConnectorResource", () => {
+  test("returns true for cnrm resource", () => {
+    expect(
+      isConfigConnectorResource({
+        apiVersion: "storage.cnrm.cloud.google.com/v1beta1",
+        kind: "StorageBucket",
+      }),
+    ).toBe(true);
+  });
+
+  test("returns false for non-cnrm resource", () => {
+    expect(
+      isConfigConnectorResource({
+        apiVersion: "apps/v1",
+        kind: "Deployment",
+      }),
+    ).toBe(false);
+  });
+
+  test("returns false when apiVersion is missing", () => {
+    expect(isConfigConnectorResource({ kind: "StorageBucket" })).toBe(false);
+  });
+});
+
+describe("getSpec", () => {
+  test("returns spec when present", () => {
+    const spec = getSpec({ spec: { location: "US" } });
+    expect(spec).toEqual({ location: "US" });
+  });
+
+  test("returns undefined when spec is missing", () => {
+    expect(getSpec({})).toBeUndefined();
+  });
+});
+
+describe("getAnnotations", () => {
+  test("returns annotations when present", () => {
+    const annotations = getAnnotations({
+      metadata: {
+        name: "x",
+        annotations: { "cnrm.cloud.google.com/project-id": "my-project" },
+      },
+    });
+    expect(annotations).toEqual({
+      "cnrm.cloud.google.com/project-id": "my-project",
+    });
+  });
+
+  test("returns undefined when annotations missing", () => {
+    expect(getAnnotations({ metadata: { name: "x" } })).toBeUndefined();
+  });
+
+  test("returns undefined when metadata missing", () => {
+    expect(getAnnotations({})).toBeUndefined();
+  });
+});
+
+describe("getResourceName", () => {
+  test("returns name from metadata", () => {
+    expect(getResourceName({ metadata: { name: "my-bucket" } })).toBe(
+      "my-bucket",
+    );
+  });
+
+  test("returns 'unknown' when name missing", () => {
+    expect(getResourceName({})).toBe("unknown");
+  });
+});
+
+describe("findResourceRefs", () => {
+  test("finds refs in spec", () => {
+    const refs = findResourceRefs({
+      clusterRef: { name: "my-cluster" },
+      networkRef: { name: "my-network" },
+    });
+    expect(refs.has("my-cluster")).toBe(true);
+    expect(refs.has("my-network")).toBe(true);
+    expect(refs.size).toBe(2);
+  });
+
+  test("skips external refs", () => {
+    const refs = findResourceRefs({
+      projectRef: { name: "my-project", external: true },
+    });
+    expect(refs.size).toBe(0);
+  });
+
+  test("finds refs nested in arrays", () => {
+    const refs = findResourceRefs({
+      items: [{ subnetRef: { name: "subnet-1" } }],
+    });
+    expect(refs.has("subnet-1")).toBe(true);
+  });
+
+  test("returns empty set for null/undefined", () => {
+    expect(findResourceRefs(null).size).toBe(0);
+    expect(findResourceRefs(undefined).size).toBe(0);
+  });
+});

package/src/lint/post-synth/post-synth.test.ts

@@ -19,6 +19,9 @@ import { wgc303 } from "./wgc303";
 import { wgc111 } from "./wgc111";
 import { wgc112 } from "./wgc112";
 import { wgc113 } from "./wgc113";
+import { wgc401 } from "./wgc401";
+import { wgc402 } from "./wgc402";
+import { wgc403 } from "./wgc403";
 
 function makeCtx(yaml: string) {
   return {
@@ -709,3 +712,130 @@ spec:
     expect(diags).toHaveLength(0);
   });
 });
+
+// ── WGC401: Unknown spec field ─────────────────────────────────────
+
+describe("WGC401: unknown spec field", () => {
+  test("flags unknown field with did-you-mean suggestion", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: my-fw
+spec:
+  allowed:
+    - protocol: tcp
+  networkRef:
+    name: my-network
+`;
+    const diags = wgc401.check(makeCtx(yaml));
+    // "allowed" is not a valid field — "allow" is. Should flag it.
+    const unknownDiags = diags.filter(d => d.checkId === "WGC401");
+    // If schema is loaded, this will flag "allowed"
+    // If schema is not loaded (pre-generate), skip gracefully
+    if (unknownDiags.length > 0) {
+      expect(unknownDiags[0].severity).toBe("error");
+      expect(unknownDiags[0].message).toContain("allowed");
+    }
+  });
+
+  test("no diagnostic for valid fields", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc401.check(makeCtx(yaml));
+    // "location" is a valid StorageBucket field
+    const unknownDiags = diags.filter(d => d.checkId === "WGC401");
+    expect(unknownDiags).toHaveLength(0);
+  });
+});
+
+// ── WGC402: Missing required field ─────────────────────────────────
+
+describe("WGC402: missing required field", () => {
+  test("flags missing required field", () => {
+    const yaml = `apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeAddress
+metadata:
+  name: my-addr
+spec:
+  description: test
+`;
+    const diags = wgc402.check(makeCtx(yaml));
+    const requiredDiags = diags.filter(d => d.checkId === "WGC402");
+    // ComputeAddress requires "location" — if schema is loaded, this flags it
+    if (requiredDiags.length > 0) {
+      expect(requiredDiags[0].severity).toBe("error");
+      expect(requiredDiags[0].message).toContain("required");
+    }
+  });
+
+  test("no diagnostic when all required fields present", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc402.check(makeCtx(yaml));
+    const requiredDiags = diags.filter(d => d.checkId === "WGC402");
+    expect(requiredDiags).toHaveLength(0);
+  });
+});
+
+// ── WGC403: Type/structure mismatch ────────────────────────────────
+
+describe("WGC403: type/structure mismatch", () => {
+  test("flags string where number expected", () => {
+    const yaml = `apiVersion: cloudfunctions.cnrm.cloud.google.com/v1beta1
+kind: CloudFunctionsFunction
+metadata:
+  name: my-fn
+spec:
+  runtime: nodejs18
+  availableMemoryMb: "512"
+  region: us-central1
+`;
+    const diags = wgc403.check(makeCtx(yaml));
+    const typeDiags = diags.filter(d => d.checkId === "WGC403");
+    if (typeDiags.length > 0) {
+      expect(typeDiags[0].severity).toBe("error");
+      expect(typeDiags[0].message).toContain("number");
+      expect(typeDiags[0].message).toContain("string");
+    }
+  });
+
+  test("flags bare string instead of resourceRef object", () => {
+    const yaml = `apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
+kind: PubSubSubscription
+metadata:
+  name: my-sub
+spec:
+  topicRef: my-topic
+`;
+    const diags = wgc403.check(makeCtx(yaml));
+    const typeDiags = diags.filter(d => d.checkId === "WGC403");
+    if (typeDiags.length > 0) {
+      expect(typeDiags[0].severity).toBe("error");
+      expect(typeDiags[0].message).toContain("resourceRef");
+    }
+  });
+
+  test("no diagnostic with correct types", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+  uniformBucketLevelAccess: true
+`;
+    const diags = wgc403.check(makeCtx(yaml));
+    const typeDiags = diags.filter(d => d.checkId === "WGC403");
+    expect(typeDiags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/schema-registry.ts

@@ -0,0 +1,91 @@
+/**
+ * Schema registry for GCP Config Connector resources.
+ *
+ * Loads lexicon-gcp.json and builds a lookup from CRD kind to field schema,
+ * used by post-synth rules to validate YAML against known CRD schemas.
+ */
+
+import { createRequire } from "module";
+const require = createRequire(import.meta.url);
+
+export interface FieldSchema {
+  type: string;
+  required: boolean;
+  enum?: string[];
+  ref?: boolean;
+}
+
+export interface ResourceSchema {
+  fields: Record<string, FieldSchema>;
+  required: string[];
+}
+
+interface LexiconEntry {
+  kind: "resource" | "property";
+  gvkKind?: string;
+  schema?: ResourceSchema;
+}
+
+let cachedRegistry: Map<string, ResourceSchema> | null = null;
+
+/**
+ * Get the schema registry: Map<gvkKind, ResourceSchema>.
+ */
+export function getSchemaRegistry(): Map<string, ResourceSchema> {
+  if (cachedRegistry) return cachedRegistry;
+
+  cachedRegistry = new Map();
+  try {
+    const lexicon = require("../../generated/lexicon-gcp.json") as Record<string, LexiconEntry>;
+    for (const entry of Object.values(lexicon)) {
+      if (entry.kind === "resource" && entry.gvkKind && entry.schema) {
+        cachedRegistry.set(entry.gvkKind, entry.schema);
+      }
+    }
+  } catch {
+    // Lexicon JSON not yet generated — return empty registry
+  }
+
+  return cachedRegistry;
+}
+
+/**
+ * Levenshtein distance between two strings.
+ */
+export function levenshtein(a: string, b: string): number {
+  const m = a.length;
+  const n = b.length;
+  const dp: number[][] = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+
+  return dp[m][n];
+}
+
+/**
+ * Find the closest field name by Levenshtein distance.
+ * Returns the suggestion if distance ≤ 3, otherwise undefined.
+ */
+export function suggestField(unknown: string, knownFields: string[]): string | undefined {
+  let best: string | undefined;
+  let bestDist = 4; // threshold
+
+  for (const field of knownFields) {
+    const dist = levenshtein(unknown.toLowerCase(), field.toLowerCase());
+    if (dist < bestDist) {
+      bestDist = dist;
+      best = field;
+    }
+  }
+
+  return best;
+}

package/src/lint/post-synth/wgc101.test.ts

@@ -0,0 +1,39 @@
+import { describe, test, expect } from "bun:test";
+import { wgc101 } from "./wgc101";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC101: missing encryption", () => {
+  test("flags StorageBucket without encryption", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc101.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC101");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when encryption present", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+  encryption:
+    defaultKmsKeyName: projects/p/locations/l/keyRings/kr/cryptoKeys/k
+`;
+    const diags = wgc101.check(makeCtx(yaml));
+    const bucketDiags = diags.filter(d => d.entity === "my-bucket");
+    expect(bucketDiags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc102.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc102 } from "./wgc102";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC102: public IAM in output", () => {
+  test("flags allUsers in output", () => {
+    const yaml = `apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: public-access
+spec:
+  member: allUsers
+  role: roles/run.invoker
+`;
+    const diags = wgc102.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC102");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when no public members", () => {
+    const yaml = `apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: private-access
+spec:
+  member: serviceAccount:sa@project.iam.gserviceaccount.com
+  role: roles/viewer
+`;
+    const diags = wgc102.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc103.test.ts

@@ -0,0 +1,38 @@
+import { describe, test, expect } from "bun:test";
+import { wgc103 } from "./wgc103";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC103: missing project annotation", () => {
+  test("flags resource without project annotation", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc103.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC103");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when project annotation present", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+  annotations:
+    cnrm.cloud.google.com/project-id: my-project
+spec:
+  location: US
+`;
+    const diags = wgc103.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc104.test.ts

@@ -0,0 +1,37 @@
+import { describe, test, expect } from "bun:test";
+import { wgc104 } from "./wgc104";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC104: missing uniform bucket access", () => {
+  test("flags StorageBucket without uniformBucketLevelAccess", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+`;
+    const diags = wgc104.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC104");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when uniformBucketLevelAccess is true", () => {
+    const yaml = `apiVersion: storage.cnrm.cloud.google.com/v1beta1
+kind: StorageBucket
+metadata:
+  name: my-bucket
+spec:
+  location: US
+  uniformBucketLevelAccess: true
+`;
+    const diags = wgc104.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgc105.test.ts

@@ -0,0 +1,46 @@
+import { describe, test, expect } from "bun:test";
+import { wgc105 } from "./wgc105";
+
+function makeCtx(yaml: string) {
+  return {
+    outputs: new Map([["gcp", yaml]]),
+  };
+}
+
+describe("WGC105: public Cloud SQL", () => {
+  test("flags SQLInstance with 0.0.0.0/0 in authorizedNetworks", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    ipConfiguration:
+      authorizedNetworks:
+        - value: "0.0.0.0/0"
+          name: public
+`;
+    const diags = wgc105.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("WGC105");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic with private networks only", () => {
+    const yaml = `apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+  name: my-db
+spec:
+  databaseVersion: POSTGRES_15
+  settings:
+    ipConfiguration:
+      authorizedNetworks:
+        - value: "10.0.0.0/8"
+          name: internal
+`;
+    const diags = wgc105.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});