npm - @intentius/chant-lexicon-gcp - Versions diffs - 0.0.22 → 0.0.24 - Mend

@intentius/chant-lexicon-gcp 0.0.22 → 0.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/integrity.json +7 -7
package/dist/manifest.json +1 -1
package/dist/rules/wgc101.ts +1 -1
package/dist/skills/{chant-gke.md → chant-gcp-gke.md} +1 -1
package/dist/skills/chant-gcp-patterns.md +3 -2
package/dist/skills/chant-gcp-security.md +3 -2
package/dist/skills/chant-gcp.md +360 -28
package/package.json +1 -1
package/src/composites/cloud-function.ts +23 -15
package/src/composites/cloud-run-service.ts +20 -13
package/src/composites/cloud-sql-instance.ts +18 -14
package/src/composites/composites.test.ts +94 -62
package/src/composites/gcs-bucket.ts +13 -9
package/src/composites/gke-cluster.ts +91 -16
package/src/composites/index.ts +11 -11
package/src/composites/managed-certificate.ts +19 -15
package/src/composites/private-service.ts +23 -15
package/src/composites/pubsub-pipeline.ts +30 -18
package/src/composites/secure-project.ts +42 -27
package/src/composites/vpc-network.ts +42 -35
package/src/index.ts +11 -11
package/src/lint/post-synth/post-synth.test.ts +2 -1
package/src/lint/post-synth/wgc101.test.ts +2 -1
package/src/lint/post-synth/wgc101.ts +1 -1
package/src/plugin.ts +92 -180
package/src/skills/{chant-gke.md → chant-gcp-gke.md} +1 -1
package/src/skills/chant-gcp-patterns.md +3 -2
package/src/skills/chant-gcp-security.md +3 -2
package/src/skills/chant-gcp.md +360 -28

package/src/composites/cloud-run-service.ts CHANGED Viewed

@@ -1,7 +1,13 @@
 /**
- * CloudRunService composite — RunService + optional IAMPolicyMember for public access.
+ * CloudRunServiceComposite composite — RunService + optional IAMPolicyMember for public access.
  */
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  CloudRunService as CloudRunServiceResource,
+  IAMPolicyMember,
+} from "../generated";
 export interface CloudRunServiceProps {
   /** Service name. */
   name: string;
@@ -29,11 +35,11 @@ export interface CloudRunServiceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-export interface CloudRunServiceResult {
-  service: Record<string, unknown>;
-  publicIam?: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    service?: Partial<ConstructorParameters<typeof CloudRunServiceResource>[0]>;
+    publicIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+  };
 }
 /**
@@ -50,7 +56,7 @@ export interface CloudRunServiceResult {
  * });
  * ```
  */
-export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceResult {
+export const CloudRunServiceComposite = Composite<CloudRunServiceProps>((props) => {
   const {
     name,
     image,
@@ -65,6 +71,7 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
     env,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
   const commonLabels: Record<string, string> = {
@@ -84,7 +91,7 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
     },
   ];
-  const service: Record<string, unknown> = {
+  const service = new CloudRunServiceResource(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -99,12 +106,12 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
       },
       containers,
     },
-  };
+  } as Record<string, unknown>, defs?.service));
-  const result: CloudRunServiceResult = { service };
+  const result: Record<string, any> = { service };
   if (publicAccess) {
-    result.publicIam = {
+    result.publicIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-public`,
         ...(namespace && { namespace }),
@@ -117,8 +124,8 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
         kind: "RunService",
         name,
       },
-    };
+    } as Record<string, unknown>, defs?.publicIam));
   }
   return result;
-}
+}, "CloudRunServiceComposite");

package/src/composites/cloud-sql-instance.ts CHANGED Viewed

@@ -2,6 +2,9 @@
  * CloudSqlInstance composite — SQLInstance + SQLDatabase + SQLUser.
  */
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { SQLInstance, SQLDatabase, SQLUser } from "../generated";
 export interface CloudSqlInstanceProps {
   /** Instance name. */
   name: string;
@@ -27,12 +30,12 @@ export interface CloudSqlInstanceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-export interface CloudSqlInstanceResult {
-  instance: Record<string, unknown>;
-  database: Record<string, unknown>;
-  user: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    instance?: Partial<ConstructorParameters<typeof SQLInstance>[0]>;
+    database?: Partial<ConstructorParameters<typeof SQLDatabase>[0]>;
+    user?: Partial<ConstructorParameters<typeof SQLUser>[0]>;
+  };
 }
 /**
@@ -49,7 +52,7 @@ export interface CloudSqlInstanceResult {
  * });
  * ```
  */
-export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstanceResult {
+export const CloudSqlInstance = Composite<CloudSqlInstanceProps>((props) => {
   const {
     name,
     databaseVersion = "POSTGRES_15",
@@ -63,6 +66,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     highAvailability = false,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
   const commonLabels: Record<string, string> = {
@@ -85,7 +89,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     };
   }
-  const instance: Record<string, unknown> = {
+  const instance = new SQLInstance(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -94,18 +98,18 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     databaseVersion,
     ...(region && { region }),
     settings,
-  };
+  } as Record<string, unknown>, defs?.instance));
-  const database: Record<string, unknown> = {
+  const database = new SQLDatabase(mergeDefaults({
     metadata: {
       name: databaseName,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "database" },
     },
     instanceRef: { name },
-  };
+  } as Record<string, unknown>, defs?.database));
-  const user: Record<string, unknown> = {
+  const user = new SQLUser(mergeDefaults({
     metadata: {
       name: `${name}-${userName}`,
       ...(namespace && { namespace }),
@@ -120,7 +124,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
         },
       },
     },
-  };
+  } as Record<string, unknown>, defs?.user));
   return { instance, database, user };
-}
+}, "CloudSqlInstance");

package/src/composites/composites.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { describe, test, expect } from "bun:test";
 import { GkeCluster } from "./gke-cluster";
-import { CloudRunService } from "./cloud-run-service";
+import { CloudRunServiceComposite } from "./cloud-run-service";
 import { CloudSqlInstance } from "./cloud-sql-instance";
 import { GcsBucket } from "./gcs-bucket";
 import { VpcNetwork } from "./vpc-network";
@@ -10,6 +10,11 @@ import { PrivateService } from "./private-service";
 import { ManagedCertificate } from "./managed-certificate";
 import { SecureProject } from "./secure-project";
+/** Helper to extract props from a Declarable member. */
+function p(member: unknown): Record<string, any> {
+  return (member as any).props;
+}
 // ── GkeCluster ──────────────────────────────────────────────────────
 describe("GkeCluster", () => {
@@ -21,60 +26,81 @@ describe("GkeCluster", () => {
   test("includes common labels", () => {
     const result = GkeCluster({ name: "my-cluster" });
-    const labels = result.cluster.metadata as any;
-    expect(labels.labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    const meta = p(result.cluster).metadata;
+    expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
   test("node pool references cluster", () => {
     const result = GkeCluster({ name: "my-cluster" });
-    expect((result.nodePool as any).clusterRef.name).toBe("my-cluster");
+    expect(p(result.nodePool).clusterRef.name).toBe("my-cluster");
   });
   test("respects maxNodeCount", () => {
     const result = GkeCluster({ name: "c", maxNodeCount: 20 });
-    expect((result.nodePool as any).autoscaling.maxNodeCount).toBe(20);
+    expect(p(result.nodePool).autoscaling.maxNodeCount).toBe(20);
   });
   test("sets namespace when provided", () => {
     const result = GkeCluster({ name: "c", namespace: "infra" });
-    expect((result.cluster.metadata as any).namespace).toBe("infra");
-    expect((result.nodePool.metadata as any).namespace).toBe("infra");
+    expect(p(result.cluster).metadata.namespace).toBe("infra");
+    expect(p(result.nodePool).metadata.namespace).toBe("infra");
   });
   test("enables workload identity by default", () => {
     const result = GkeCluster({ name: "c" });
-    expect((result.cluster as any).workloadIdentityConfig).toBeDefined();
-    expect((result.nodePool as any).nodeConfig.workloadMetadataConfig).toBeDefined();
+    expect(p(result.cluster).workloadIdentityConfig).toBeDefined();
+    expect(p(result.nodePool).nodeConfig.workloadMetadataConfig).toBeDefined();
+  });
+  test("workloadPool uses explicit projectId", () => {
+    const result = GkeCluster({ name: "c", projectId: "my-project-123" });
+    expect(p(result.cluster).workloadIdentityConfig.workloadPool).toBe(
+      "my-project-123.svc.id.goog",
+    );
+  });
+  test("workloadPool falls back to GCP_PROJECT_ID env var", () => {
+    const prev = process.env.GCP_PROJECT_ID;
+    process.env.GCP_PROJECT_ID = "env-project-456";
+    try {
+      const result = GkeCluster({ name: "c" });
+      expect(p(result.cluster).workloadIdentityConfig.workloadPool).toBe(
+        "env-project-456.svc.id.goog",
+      );
+    } finally {
+      if (prev === undefined) delete process.env.GCP_PROJECT_ID;
+      else process.env.GCP_PROJECT_ID = prev;
+    }
   });
 });
 // ── CloudRunService ─────────────────────────────────────────────────
-describe("CloudRunService", () => {
+describe("CloudRunServiceComposite", () => {
   test("returns service", () => {
-    const result = CloudRunService({ name: "api", image: "gcr.io/p/api:1" });
+    const result = CloudRunServiceComposite({ name: "api", image: "gcr.io/p/api:1" });
     expect(result.service).toBeDefined();
   });
   test("no public IAM by default", () => {
-    const result = CloudRunService({ name: "api", image: "gcr.io/p/api:1" });
+    const result = CloudRunServiceComposite({ name: "api", image: "gcr.io/p/api:1" });
     expect(result.publicIam).toBeUndefined();
   });
   test("creates public IAM when requested", () => {
-    const result = CloudRunService({
+    const result = CloudRunServiceComposite({
       name: "api",
       image: "gcr.io/p/api:1",
       publicAccess: true,
     });
     expect(result.publicIam).toBeDefined();
-    expect((result.publicIam as any).member).toBe("allUsers");
-    expect((result.publicIam as any).role).toBe("roles/run.invoker");
+    expect(p(result.publicIam).member).toBe("allUsers");
+    expect(p(result.publicIam).role).toBe("roles/run.invoker");
   });
   test("sets custom port", () => {
-    const result = CloudRunService({ name: "api", image: "img", port: 3000 });
-    const containers = (result.service as any).template.containers;
+    const result = CloudRunServiceComposite({ name: "api", image: "img", port: 3000 });
+    const containers = p(result.service).template.containers;
     expect(containers[0].ports[0].containerPort).toBe(3000);
   });
 });
@@ -91,22 +117,22 @@ describe("CloudSqlInstance", () => {
   test("database references instance", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.database as any).instanceRef.name).toBe("db");
+    expect(p(result.database).instanceRef.name).toBe("db");
   });
   test("default database version is POSTGRES_15", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.instance as any).databaseVersion).toBe("POSTGRES_15");
+    expect(p(result.instance).databaseVersion).toBe("POSTGRES_15");
   });
   test("enables backups by default", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.instance as any).settings.backupConfiguration.enabled).toBe(true);
+    expect(p(result.instance).settings.backupConfiguration.enabled).toBe(true);
   });
   test("high availability when requested", () => {
     const result = CloudSqlInstance({ name: "db", highAvailability: true });
-    expect((result.instance as any).settings.availabilityType).toBe("REGIONAL");
+    expect(p(result.instance).settings.availabilityType).toBe("REGIONAL");
   });
 });
@@ -120,7 +146,7 @@ describe("GcsBucket", () => {
   test("uniform access enabled by default", () => {
     const result = GcsBucket({ name: "my-bucket" });
-    expect((result.bucket as any).uniformBucketLevelAccess).toBe(true);
+    expect(p(result.bucket).uniformBucketLevelAccess).toBe(true);
   });
   test("adds lifecycle rules", () => {
@@ -128,8 +154,8 @@ describe("GcsBucket", () => {
       name: "my-bucket",
       lifecycleDeleteAfterDays: 30,
     });
-    expect((result.bucket as any).lifecycleRule).toHaveLength(1);
-    expect((result.bucket as any).lifecycleRule[0].condition.age).toBe(30);
+    expect(p(result.bucket).lifecycleRule).toHaveLength(1);
+    expect(p(result.bucket).lifecycleRule[0].condition.age).toBe(30);
   });
   test("adds encryption when kmsKeyName provided", () => {
@@ -137,17 +163,17 @@ describe("GcsBucket", () => {
       name: "my-bucket",
       kmsKeyName: "projects/p/locations/l/keyRings/kr/cryptoKeys/k",
     });
-    expect((result.bucket as any).encryption).toBeDefined();
+    expect(p(result.bucket).encryption).toBeDefined();
   });
   test("versioning disabled by default", () => {
     const result = GcsBucket({ name: "my-bucket" });
-    expect((result.bucket as any).versioning).toBeUndefined();
+    expect(p(result.bucket).versioning).toBeUndefined();
   });
   test("versioning enabled when requested", () => {
     const result = GcsBucket({ name: "my-bucket", versioning: true });
-    expect((result.bucket as any).versioning.enabled).toBe(true);
+    expect(p(result.bucket).versioning.enabled).toBe(true);
   });
 });
@@ -166,8 +192,8 @@ describe("VpcNetwork", () => {
         { name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" },
       ],
     });
-    expect(result.subnets).toHaveLength(1);
-    expect((result.subnets[0] as any).ipCidrRange).toBe("10.0.0.0/24");
+    expect(result.subnet_app).toBeDefined();
+    expect(p(result.subnet_app).ipCidrRange).toBe("10.0.0.0/24");
   });
   test("subnet references network", () => {
@@ -175,7 +201,7 @@ describe("VpcNetwork", () => {
       name: "my-vpc",
       subnets: [{ name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" }],
     });
-    expect((result.subnets[0] as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.subnet_app).networkRef.name).toBe("my-vpc");
   });
   test("creates internal firewall by default", () => {
@@ -183,8 +209,8 @@ describe("VpcNetwork", () => {
       name: "my-vpc",
       subnets: [{ name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" }],
     });
-    expect(result.firewalls.length).toBeGreaterThanOrEqual(1);
-    expect((result.firewalls[0] as any).metadata.name).toBe("my-vpc-allow-internal");
+    expect(result.firewallAllowInternal).toBeDefined();
+    expect(p(result.firewallAllowInternal).metadata.name).toBe("my-vpc-allow-internal");
   });
   test("creates NAT when enabled", () => {
@@ -195,7 +221,7 @@ describe("VpcNetwork", () => {
     });
     expect(result.router).toBeDefined();
     expect(result.routerNat).toBeDefined();
-    expect((result.routerNat as any).routerRef.name).toBe("my-vpc-router");
+    expect(p(result.routerNat).routerRef.name).toBe("my-vpc-router");
   });
   test("no NAT by default", () => {
@@ -206,9 +232,8 @@ describe("VpcNetwork", () => {
   test("IAP SSH firewall when requested", () => {
     const result = VpcNetwork({ name: "my-vpc", allowIapSsh: true });
-    const iapFw = result.firewalls.find((f: any) => (f.metadata as any).name.includes("iap-ssh"));
-    expect(iapFw).toBeDefined();
-    expect((iapFw as any).sourceRanges).toContain("35.235.240.0/20");
+    expect(result.firewallAllowIapSsh).toBeDefined();
+    expect(p(result.firewallAllowIapSsh).sourceRanges).toContain("35.235.240.0/20");
   });
 });
@@ -223,7 +248,7 @@ describe("PubSubPipeline", () => {
   test("subscription references topic", () => {
     const result = PubSubPipeline({ name: "events" });
-    expect((result.subscription as any).topicRef.name).toBe("events-topic");
+    expect(p(result.subscription).topicRef.name).toBe("events-topic");
   });
   test("no DLQ by default", () => {
@@ -234,8 +259,8 @@ describe("PubSubPipeline", () => {
   test("creates DLQ when enabled", () => {
     const result = PubSubPipeline({ name: "events", enableDeadLetterQueue: true });
     expect(result.deadLetterTopic).toBeDefined();
-    expect((result.deadLetterTopic as any).metadata.name).toBe("events-dlq");
-    expect((result.subscription as any).deadLetterPolicy.deadLetterTopicRef.name).toBe("events-dlq");
+    expect(p(result.deadLetterTopic).metadata.name).toBe("events-dlq");
+    expect(p(result.subscription).deadLetterPolicy.deadLetterTopicRef.name).toBe("events-dlq");
   });
   test("creates subscriber IAM when service account provided", () => {
@@ -244,18 +269,18 @@ describe("PubSubPipeline", () => {
       subscriberServiceAccount: "worker@project.iam.gserviceaccount.com",
     });
     expect(result.subscriberIam).toBeDefined();
-    expect((result.subscriberIam as any).role).toBe("roles/pubsub.subscriber");
+    expect(p(result.subscriberIam).role).toBe("roles/pubsub.subscriber");
   });
   test("sets namespace when provided", () => {
     const result = PubSubPipeline({ name: "events", namespace: "infra" });
-    expect((result.topic as any).metadata.namespace).toBe("infra");
-    expect((result.subscription as any).metadata.namespace).toBe("infra");
+    expect(p(result.topic).metadata.namespace).toBe("infra");
+    expect(p(result.subscription).metadata.namespace).toBe("infra");
   });
   test("includes managed-by label", () => {
     const result = PubSubPipeline({ name: "events" });
-    expect((result.topic as any).metadata.labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    expect(p(result.topic).metadata.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 });
@@ -289,8 +314,8 @@ describe("CloudFunctionWithTrigger", () => {
       publicAccess: true,
     });
     expect(result.invokerIam).toBeDefined();
-    expect((result.invokerIam as any).member).toBe("allUsers");
-    expect((result.invokerIam as any).role).toBe("roles/cloudfunctions.invoker");
+    expect(p(result.invokerIam).member).toBe("allUsers");
+    expect(p(result.invokerIam).role).toBe("roles/cloudfunctions.invoker");
   });
   test("sets runtime and entry point", () => {
@@ -299,8 +324,8 @@ describe("CloudFunctionWithTrigger", () => {
       runtime: "python312",
       entryPoint: "main",
     });
-    expect((result.function as any).runtime).toBe("python312");
-    expect((result.function as any).entryPoint).toBe("main");
+    expect(p(result.function).runtime).toBe("python312");
+    expect(p(result.function).entryPoint).toBe("main");
   });
   test("configures pubsub trigger", () => {
@@ -311,8 +336,8 @@ describe("CloudFunctionWithTrigger", () => {
       triggerType: "pubsub",
       triggerTopic: "my-topic",
     });
-    expect((result.function as any).eventTrigger).toBeDefined();
-    expect((result.function as any).eventTrigger.pubsubTopic).toBe("my-topic");
+    expect(p(result.function).eventTrigger).toBeDefined();
+    expect(p(result.function).eventTrigger.pubsubTopic).toBe("my-topic");
   });
 });
@@ -327,12 +352,12 @@ describe("PrivateService", () => {
   test("address references network", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc" });
-    expect((result.globalAddress as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.globalAddress).networkRef.name).toBe("my-vpc");
   });
   test("connection references network", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc" });
-    expect((result.serviceConnection as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.serviceConnection).networkRef.name).toBe("my-vpc");
   });
   test("no DNS by default", () => {
@@ -343,7 +368,7 @@ describe("PrivateService", () => {
   test("creates DNS zone when enabled", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc", enableDns: true });
     expect(result.dnsZone).toBeDefined();
-    expect((result.dnsZone as any).visibility).toBe("private");
+    expect(p(result.dnsZone).visibility).toBe("private");
   });
 });
@@ -357,7 +382,7 @@ describe("ManagedCertificate", () => {
   test("certificate includes domains", () => {
     const result = ManagedCertificate({ name: "my-cert", domains: ["example.com", "www.example.com"] });
-    expect((result.certificate as any).managed.domains).toEqual(["example.com", "www.example.com"]);
+    expect(p(result.certificate).managed.domains).toEqual(["example.com", "www.example.com"]);
   });
   test("no proxy by default", () => {
@@ -375,7 +400,7 @@ describe("ManagedCertificate", () => {
     });
     expect(result.targetHttpsProxy).toBeDefined();
     expect(result.urlMap).toBeDefined();
-    expect((result.urlMap as any).defaultService.backendServiceRef.name).toBe("my-backend");
+    expect(p(result.urlMap).defaultService.backendServiceRef.name).toBe("my-backend");
   });
 });
@@ -386,19 +411,26 @@ describe("SecureProject", () => {
     const result = SecureProject({ name: "my-project" });
     expect(result.project).toBeDefined();
     expect(result.auditConfig).toBeDefined();
-    expect(result.services.length).toBeGreaterThan(0);
+    // Default 5 APIs become service_compute, service_container, etc.
+    expect(result.service_compute).toBeDefined();
+    expect(result.service_container).toBeDefined();
+    expect(result.service_iam).toBeDefined();
+    expect(result.service_logging).toBeDefined();
+    expect(result.service_monitoring).toBeDefined();
   });
   test("audit config covers all services", () => {
     const result = SecureProject({ name: "my-project" });
-    expect((result.auditConfig as any).service).toBe("allServices");
-    expect((result.auditConfig as any).auditLogConfigs.length).toBe(3);
+    expect(p(result.auditConfig).service).toBe("allServices");
+    expect(p(result.auditConfig).auditLogConfigs.length).toBe(3);
   });
   test("enables default APIs", () => {
     const result = SecureProject({ name: "my-project" });
-    expect(result.services.length).toBe(5);
-    expect(result.services.some((s: any) => s.resourceID === "compute.googleapis.com")).toBe(true);
+    // 5 services as individual members
+    const serviceKeys = Object.keys(result.members).filter((k) => k.startsWith("service_"));
+    expect(serviceKeys.length).toBe(5);
+    expect(p(result.service_compute).resourceID).toBe("compute.googleapis.com");
   });
   test("no owner IAM by default", () => {
@@ -412,8 +444,8 @@ describe("SecureProject", () => {
       owner: "user:admin@example.com",
     });
     expect(result.ownerIam).toBeDefined();
-    expect((result.ownerIam as any).member).toBe("user:admin@example.com");
-    expect((result.ownerIam as any).role).toBe("roles/owner");
+    expect(p(result.ownerIam).member).toBe("user:admin@example.com");
+    expect(p(result.ownerIam).role).toBe("roles/owner");
   });
   test("creates logging sink when destination provided", () => {
@@ -422,7 +454,7 @@ describe("SecureProject", () => {
       loggingSinkDestination: "bigquery.googleapis.com/projects/my-project/datasets/audit_logs",
     });
     expect(result.loggingSink).toBeDefined();
-    expect((result.loggingSink as any).destination).toContain("bigquery");
+    expect(p(result.loggingSink).destination).toContain("bigquery");
   });
   test("no logging sink by default", () => {

package/src/composites/gcs-bucket.ts CHANGED Viewed

@@ -2,6 +2,9 @@
  * GcsBucket composite — StorageBucket with encryption, uniform access, and lifecycle.
  */
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { StorageBucket } from "../generated";
 export interface GcsBucketProps {
   /** Bucket name. */
   name: string;
@@ -23,10 +26,10 @@ export interface GcsBucketProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-export interface GcsBucketResult {
-  bucket: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    bucket?: Partial<ConstructorParameters<typeof StorageBucket>[0]>;
+  };
 }
 /**
@@ -44,7 +47,7 @@ export interface GcsBucketResult {
  * });
  * ```
  */
-export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
+export const GcsBucket = Composite<GcsBucketProps>((props) => {
   const {
     name,
     location = "US",
@@ -56,6 +59,7 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
     lifecycleNearlineAfterDays,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
   const commonLabels: Record<string, string> = {
@@ -75,7 +79,7 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
   }
   if (kmsKeyName) {
-    spec.encryption = { defaultKmsKeyName: kmsKeyName };
+    spec.encryption = { kmsKeyRef: { external: kmsKeyName } };
   }
   const lifecycleRules: Array<Record<string, unknown>> = [];
@@ -98,14 +102,14 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
     spec.lifecycleRule = lifecycleRules;
   }
-  const bucket: Record<string, unknown> = {
+  const bucket = new StorageBucket(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
     },
     ...spec,
-  };
+  } as Record<string, unknown>, defs?.bucket));
   return { bucket };
-}
+}, "GcsBucket");