@intentius/chant-lexicon-gcp 0.0.22 → 0.0.24

package/src/composites/vpc-network.ts

@@ -2,6 +2,9 @@
  * VpcNetwork composite — ComputeNetwork + ComputeSubnetwork + ComputeFirewall + ComputeRouterNAT.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { VPCNetwork, Subnetwork, Firewall, Router, RouterNAT } from "../generated";
+
 export interface VpcSubnet {
   /** Subnet name suffix. */
   name: string;
@@ -32,14 +35,12 @@ export interface VpcNetworkProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface VpcNetworkResult {
-  network: Record<string, unknown>;
-  subnets: Record<string, unknown>[];
-  firewalls: Record<string, unknown>[];
-  router?: Record<string, unknown>;
-  routerNat?: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    network?: Partial<ConstructorParameters<typeof VPCNetwork>[0]>;
+    router?: Partial<ConstructorParameters<typeof Router>[0]>;
+    routerNat?: Partial<ConstructorParameters<typeof RouterNAT>[0]>;
+  };
 }
 
 /**
@@ -60,7 +61,7 @@ export interface VpcNetworkResult {
  * });
  * ```
  */
-export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
+export const VpcNetwork = Composite<VpcNetworkProps>((props) => {
   const {
     name,
     autoCreateSubnetworks = false,
@@ -71,6 +72,7 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     allowIapSsh = false,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -79,7 +81,7 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     ...extraLabels,
   };
 
-  const network: Record<string, unknown> = {
+  const network = new VPCNetwork(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -87,58 +89,63 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     },
     autoCreateSubnetworks,
     routingMode: "REGIONAL",
-  };
+  } as Record<string, unknown>, defs?.network));
 
-  const subnets: Record<string, unknown>[] = subnetDefs.map((sub) => ({
-    metadata: {
-      name: `${name}-${sub.name}`,
-      ...(namespace && { namespace }),
-      labels: { ...commonLabels, "app.kubernetes.io/component": "subnet" },
-    },
-    networkRef: { name },
-    ipCidrRange: sub.ipCidrRange,
-    region: sub.region,
-    privateIpGoogleAccess: sub.privateIpGoogleAccess ?? true,
-  }));
+  // Spread subnets into named members (subnet_<name>) for Composite validation.
+  const subnetEntries: Record<string, any> = {};
+  for (const sub of subnetDefs) {
+    subnetEntries[`subnet_${sub.name}`] = new Subnetwork({
+      metadata: {
+        name: `${name}-${sub.name}`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "subnet" },
+      },
+      networkRef: { name },
+      ipCidrRange: sub.ipCidrRange,
+      region: sub.region,
+      privateIpGoogleAccess: sub.privateIpGoogleAccess ?? true,
+    } as Record<string, unknown>);
+  }
 
-  const firewalls: Record<string, unknown>[] = [];
+  // Spread firewalls into named members for Composite validation.
+  const firewallEntries: Record<string, any> = {};
 
   if (allowInternalTraffic) {
-    firewalls.push({
+    firewallEntries.firewallAllowInternal = new Firewall({
       metadata: {
         name: `${name}-allow-internal`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "firewall" },
       },
       networkRef: { name },
-      allowed: [
+      allow: [
         { protocol: "tcp", ports: ["0-65535"] },
         { protocol: "udp", ports: ["0-65535"] },
         { protocol: "icmp" },
       ],
       sourceRanges: subnetDefs.map((s) => s.ipCidrRange),
-    });
+    } as Record<string, unknown>);
   }
 
   if (allowIapSsh) {
-    firewalls.push({
+    firewallEntries.firewallAllowIapSsh = new Firewall({
       metadata: {
         name: `${name}-allow-iap-ssh`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "firewall" },
       },
       networkRef: { name },
-      allowed: [{ protocol: "tcp", ports: ["22"] }],
+      allow: [{ protocol: "tcp", ports: ["22"] }],
       sourceRanges: ["35.235.240.0/20"], // IAP IP range
-    });
+    } as Record<string, unknown>);
   }
 
-  const result: VpcNetworkResult = { network, subnets, firewalls };
+  const result: Record<string, any> = { network, ...subnetEntries, ...firewallEntries };
 
   if (enableNat && natRegion) {
     const routerName = `${name}-router`;
 
-    result.router = {
+    result.router = new Router(mergeDefaults({
       metadata: {
         name: routerName,
         ...(namespace && { namespace }),
@@ -146,9 +153,9 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
       },
       networkRef: { name },
       region: natRegion,
-    };
+    } as Record<string, unknown>, defs?.router));
 
-    result.routerNat = {
+    result.routerNat = new RouterNAT(mergeDefaults({
       metadata: {
         name: `${name}-nat`,
         ...(namespace && { namespace }),
@@ -158,8 +165,8 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
       region: natRegion,
       natIpAllocateOption: "AUTO_ONLY",
       sourceSubnetworkIpRangesToNat: "ALL_SUBNETWORKS_ALL_IP_RANGES",
-    };
+    } as Record<string, unknown>, defs?.routerNat));
   }
 
   return result;
-}
+}, "VpcNetwork");

package/src/index.ts

@@ -20,20 +20,20 @@ export * from "./generated/index";
 
 // Composites
 export {
-  GkeCluster, CloudRunService, CloudSqlInstance, GcsBucket, VpcNetwork,
+  GkeCluster, CloudRunServiceComposite, CloudSqlInstance, GcsBucket, VpcNetwork,
   PubSubPipeline, CloudFunctionWithTrigger, PrivateService, ManagedCertificate, SecureProject,
 } from "./composites/index";
 export type {
-  GkeClusterProps, GkeClusterResult,
-  CloudRunServiceProps, CloudRunServiceResult,
-  CloudSqlInstanceProps, CloudSqlInstanceResult,
-  GcsBucketProps, GcsBucketResult,
-  VpcNetworkProps, VpcNetworkResult, VpcSubnet,
-  PubSubPipelineProps, PubSubPipelineResult,
-  CloudFunctionWithTriggerProps, CloudFunctionWithTriggerResult,
-  PrivateServiceProps, PrivateServiceResult,
-  ManagedCertificateProps, ManagedCertificateResult,
-  SecureProjectProps, SecureProjectResult,
+  GkeClusterProps,
+  CloudRunServiceProps,
+  CloudSqlInstanceProps,
+  GcsBucketProps,
+  VpcNetworkProps, VpcSubnet,
+  PubSubPipelineProps,
+  CloudFunctionWithTriggerProps,
+  PrivateServiceProps,
+  ManagedCertificateProps,
+  SecureProjectProps,
 } from "./composites/index";
 
 // IAM role constants

package/src/lint/post-synth/post-synth.test.ts

@@ -54,7 +54,8 @@ metadata:
 spec:
   location: US
   encryption:
-    defaultKmsKeyName: projects/p/locations/l/keyRings/kr/cryptoKeys/k
+    kmsKeyRef:
+      external: projects/p/locations/l/keyRings/kr/cryptoKeys/k
 `;
     const diags = wgc101.check(makeCtx(yaml));
     const bucketDiags = diags.filter(d => d.entity === "my-bucket");

package/src/lint/post-synth/wgc101.test.ts

@@ -30,7 +30,8 @@ metadata:
 spec:
   location: US
   encryption:
-    defaultKmsKeyName: projects/p/locations/l/keyRings/kr/cryptoKeys/k
+    kmsKeyRef:
+      external: projects/p/locations/l/keyRings/kr/cryptoKeys/k
 `;
     const diags = wgc101.check(makeCtx(yaml));
     const bucketDiags = diags.filter(d => d.entity === "my-bucket");

package/src/lint/post-synth/wgc101.ts

@@ -30,7 +30,7 @@ export const wgc101: PostSynthCheck = {
           diagnostics.push({
             checkId: "WGC101",
             severity: "warning",
-            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.defaultKmsKeyName`,
+            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.kmsKeyRef`,
             entity: name,
             lexicon: "gcp",
           });

package/src/plugin.ts

@@ -6,14 +6,16 @@
  */
 
 import { createRequire } from "module";
-import type { LexiconPlugin, SkillDefinition, InitTemplateSet, ResourceMetadata } from "@intentius/chant/lexicon";
+import type { LexiconPlugin, InitTemplateSet, ResourceMetadata } from "@intentius/chant/lexicon";
 const require = createRequire(import.meta.url);
 import type { LintRule } from "@intentius/chant/lint/rule";
-import type { PostSynthCheck } from "@intentius/chant/lint/post-synth";
 import type { TemplateParser } from "@intentius/chant/import/parser";
 import type { TypeScriptGenerator } from "@intentius/chant/import/generator";
 import type { CompletionContext, CompletionItem, HoverContext, HoverInfo } from "@intentius/chant/lsp/types";
-import type { McpToolContribution, McpResourceContribution } from "@intentius/chant/mcp/types";
+import { discoverPostSynthChecks } from "@intentius/chant/lint/discover";
+import { createSkillsLoader, createDiffTool, createCatalogResource } from "@intentius/chant/lexicon-plugin-helpers";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 import { gcpSerializer } from "./serializer";
 
 export const gcpPlugin: LexiconPlugin = {
@@ -27,37 +29,9 @@ export const gcpPlugin: LexiconPlugin = {
     return [hardcodedProjectRule, hardcodedRegionRule, publicIamRule];
   },
 
-  postSynthChecks(): PostSynthCheck[] {
-    const { wgc101 } = require("./lint/post-synth/wgc101");
-    const { wgc102 } = require("./lint/post-synth/wgc102");
-    const { wgc103 } = require("./lint/post-synth/wgc103");
-    const { wgc104 } = require("./lint/post-synth/wgc104");
-    const { wgc105 } = require("./lint/post-synth/wgc105");
-    const { wgc106 } = require("./lint/post-synth/wgc106");
-    const { wgc107 } = require("./lint/post-synth/wgc107");
-    const { wgc108 } = require("./lint/post-synth/wgc108");
-    const { wgc109 } = require("./lint/post-synth/wgc109");
-    const { wgc110 } = require("./lint/post-synth/wgc110");
-    const { wgc201 } = require("./lint/post-synth/wgc201");
-    const { wgc202 } = require("./lint/post-synth/wgc202");
-    const { wgc203 } = require("./lint/post-synth/wgc203");
-    const { wgc204 } = require("./lint/post-synth/wgc204");
-    const { wgc301 } = require("./lint/post-synth/wgc301");
-    const { wgc302 } = require("./lint/post-synth/wgc302");
-    const { wgc303 } = require("./lint/post-synth/wgc303");
-    const { wgc111 } = require("./lint/post-synth/wgc111");
-    const { wgc112 } = require("./lint/post-synth/wgc112");
-    const { wgc113 } = require("./lint/post-synth/wgc113");
-    const { wgc401 } = require("./lint/post-synth/wgc401");
-    const { wgc402 } = require("./lint/post-synth/wgc402");
-    const { wgc403 } = require("./lint/post-synth/wgc403");
-    return [
-      wgc101, wgc102, wgc103, wgc104, wgc105, wgc106, wgc107, wgc108, wgc109, wgc110,
-      wgc111, wgc112, wgc113,
-      wgc201, wgc202, wgc203, wgc204,
-      wgc301, wgc302, wgc303,
-      wgc401, wgc402, wgc403,
-    ];
+  postSynthChecks() {
+    const postSynthDir = join(dirname(fileURLToPath(import.meta.url)), "lint", "post-synth");
+    return discoverPostSynthChecks(postSynthDir, import.meta.url);
   },
 
   intrinsics() {
@@ -353,50 +327,13 @@ export const bucketReader = new IAMPolicyMember({
     return resources;
   },
 
-  mcpTools(): McpToolContribution[] {
-    return [
-      {
-        name: "diff",
-        description: "Compare current build output against previous output for GCP Config Connector manifests",
-        inputSchema: {
-          type: "object" as const,
-          properties: {
-            path: {
-              type: "string",
-              description: "Path to the infrastructure project directory",
-            },
-          },
-          required: ["path"],
-        },
-        async handler(params: Record<string, unknown>): Promise<unknown> {
-          const { diffCommand } = await import("@intentius/chant/cli/commands/diff");
-          const result = await diffCommand({
-            path: (params.path as string) ?? ".",
-            serializers: [gcpSerializer],
-          });
-          return result;
-        },
-      },
-    ];
+  mcpTools() {
+    return [createDiffTool(gcpSerializer, "Compare current build output against previous output for GCP Config Connector manifests")];
   },
 
-  mcpResources(): McpResourceContribution[] {
+  mcpResources() {
     return [
-      {
-        uri: "resource-catalog",
-        name: "GCP Config Connector Resource Catalog",
-        description: "JSON list of all supported GCP Config Connector resource types",
-        mimeType: "application/json",
-        async handler(): Promise<string> {
-          const lexicon = require("./generated/lexicon-gcp.json") as Record<string, { resourceType: string; kind: string }>;
-          const entries = Object.entries(lexicon).map(([className, entry]) => ({
-            className,
-            resourceType: entry.resourceType,
-            kind: entry.kind,
-          }));
-          return JSON.stringify(entries);
-        },
-      },
+      createCatalogResource(import.meta.url, "GCP Config Connector Resource Catalog", "JSON list of all supported GCP Config Connector resource types", "lexicon-gcp.json"),
       {
         uri: "examples/basic-bucket",
         name: "Basic GCS Bucket Example",
@@ -422,111 +359,86 @@ export const bucket = new StorageBucket({
     ];
   },
 
-  skills(): SkillDefinition[] {
-    const { readFileSync } = require("fs");
-    const { join, dirname } = require("path");
-    const { fileURLToPath } = require("url");
-    const dir = dirname(fileURLToPath(import.meta.url));
-
-    const skills: SkillDefinition[] = [];
-
-    const skillFiles = [
-      {
-        file: "chant-gcp.md",
-        name: "chant-gcp",
-        description: "GCP Config Connector lifecycle — build, lint, apply, and troubleshoot from a chant project",
-        triggers: [
-          { type: "file-pattern" as const, value: "*.gcp.ts" },
-          { type: "context" as const, value: "gcp" },
-        ],
-        parameters: [
-          {
-            name: "resourceType",
-            type: "string",
-            description: "GCP Config Connector resource type to work with",
-          },
-        ],
-        examples: [
-          {
-            title: "Create a Storage Bucket",
-            output: "new StorageBucket({ location: \"US\", storageClass: \"STANDARD\" })",
-          },
-          {
-            title: "Create a GKE Cluster",
-            output: "new GKECluster({ location: GCP.Region, releaseChannel: { channel: \"REGULAR\" } })",
-          },
-        ],
-      },
-      {
-        file: "chant-gcp-security.md",
-        name: "chant-gcp-security",
-        description: "GCP security best practices for infrastructure",
-        triggers: [
-          { type: "context" as const, value: "gcp security" },
-          { type: "context" as const, value: "gcp iam" },
-        ],
-        parameters: [],
-        examples: [
-          {
-            title: "Secure Storage Bucket",
-            input: "Create a storage bucket with encryption and uniform access",
-            output: "import { GcsBucket } from \"@intentius/chant-lexicon-gcp\";\n\nconst { bucket } = GcsBucket({ name: \"my-bucket\", kmsKeyName: \"...\" });",
-          },
-        ],
-      },
-      {
-        file: "chant-gcp-patterns.md",
-        name: "chant-gcp-patterns",
-        description: "Advanced GCP Config Connector patterns",
-        triggers: [
-          { type: "context" as const, value: "gcp patterns" },
-          { type: "context" as const, value: "gcp composites" },
-        ],
-        parameters: [],
-        examples: [
-          {
-            title: "VPC with Subnets",
-            input: "Create a VPC network with private subnets",
-            output: "import { VpcNetwork } from \"@intentius/chant-lexicon-gcp\";\n\nconst { network, subnets } = VpcNetwork({ name: \"my-vpc\", subnets: [...] });",
-          },
-        ],
-      },
-      {
-        file: "chant-gke.md",
-        name: "chant-gke",
-        description: "GKE end-to-end workflow — bootstrap cluster, deploy Config Connector resources, deploy K8s workloads",
-        triggers: [
-          { type: "context" as const, value: "gke" },
-          { type: "context" as const, value: "gcp kubernetes" },
-          { type: "context" as const, value: "config connector" },
-        ],
-        parameters: [],
-        examples: [
-          {
-            title: "Deploy GKE microservice",
-            input: "Deploy a GKE project end-to-end",
-            output: "npm run bootstrap && npm run deploy",
-          },
-        ],
-      },
-    ];
-
-    for (const skill of skillFiles) {
-      try {
-        const content = readFileSync(join(dir, "skills", skill.file), "utf-8");
-        skills.push({
-          name: skill.name,
-          description: skill.description,
-          content,
-          triggers: skill.triggers,
-          parameters: skill.parameters,
-          examples: skill.examples,
-        });
-      } catch { /* skip missing skills */ }
-    }
-
-    return skills;
-  },
+  skills: createSkillsLoader(import.meta.url, [
+    {
+      file: "chant-gcp.md",
+      name: "chant-gcp",
+      description: "Build, validate, and deploy GCP Config Connector manifests from a chant project",
+      triggers: [
+        { type: "file-pattern" as const, value: "*.gcp.ts" },
+        { type: "context" as const, value: "gcp" },
+      ],
+      parameters: [
+        {
+          name: "resourceType",
+          type: "string",
+          description: "GCP Config Connector resource type to work with",
+        },
+      ],
+      examples: [
+        {
+          title: "Create a Storage Bucket",
+          output: "new StorageBucket({ location: \"US\", storageClass: \"STANDARD\" })",
+        },
+        {
+          title: "Create a GKE Cluster",
+          output: "new GKECluster({ location: GCP.Region, releaseChannel: { channel: \"REGULAR\" } })",
+        },
+      ],
+    },
+    {
+      file: "chant-gcp-security.md",
+      name: "chant-gcp-security",
+      description: "GCP security best practices for infrastructure",
+      triggers: [
+        { type: "context" as const, value: "gcp security" },
+        { type: "context" as const, value: "gcp iam" },
+      ],
+      parameters: [],
+      examples: [
+        {
+          title: "Secure Storage Bucket",
+          input: "Create a storage bucket with encryption and uniform access",
+          output: "import { GcsBucket } from \"@intentius/chant-lexicon-gcp\";\n\nconst { bucket } = GcsBucket({ name: \"my-bucket\", kmsKeyName: \"...\" });",
+        },
+      ],
+    },
+    {
+      file: "chant-gcp-patterns.md",
+      name: "chant-gcp-patterns",
+      description: "Advanced GCP Config Connector patterns",
+      triggers: [
+        { type: "context" as const, value: "gcp patterns" },
+        { type: "context" as const, value: "gcp composites" },
+      ],
+      parameters: [],
+      examples: [
+        {
+          title: "VPC with Subnets",
+          input: "Create a VPC network with private subnets",
+          output: "import { VpcNetwork } from \"@intentius/chant-lexicon-gcp\";\n\nconst { network, subnets } = VpcNetwork({ name: \"my-vpc\", subnets: [...] });",
+        },
+      ],
+    },
+    {
+      file: "chant-gcp-gke.md",
+      name: "chant-gcp-gke",
+      description: "End-to-end GKE workflow bridging GCP infrastructure and Kubernetes workloads",
+      triggers: [
+        { type: "context" as const, value: "gke" },
+        { type: "context" as const, value: "gcp kubernetes" },
+        { type: "context" as const, value: "config connector" },
+      ],
+      parameters: [],
+      examples: [
+        {
+          title: "Deploy GKE microservice",
+          input: "Deploy a GKE project end-to-end",
+          output: "npm run bootstrap && npm run deploy",
+        },
+      ],
+    },
+  ]),
 
   async generate(options?: { verbose?: boolean }): Promise<void> {
     const { generate, writeGeneratedFiles } = await import("./codegen/generate");

package/src/skills/{chant-gke.md → chant-gcp-gke.md}

@@ -1,5 +1,5 @@
 ---
-skill: chant-gke
+skill: chant-gcp-gke
 description: End-to-end GKE workflow bridging GCP infrastructure and Kubernetes workloads
 user-invocable: true
 ---

package/src/skills/chant-gcp-patterns.md

@@ -1,6 +1,7 @@
 ---
-source: chant-lexicon
-lexicon: gcp
+skill: chant-gcp-patterns
+description: Advanced GCP Config Connector patterns
+user-invocable: true
 ---
 
 # Advanced GCP Config Connector Patterns with Chant

package/src/skills/chant-gcp-security.md

@@ -1,6 +1,7 @@
 ---
-source: chant-lexicon
-lexicon: gcp
+skill: chant-gcp-security
+description: GCP security best practices for infrastructure
+user-invocable: true
 ---
 
 # GCP Security Best Practices for Chant