@intentius/chant-lexicon-gcp 0.1.14 → 0.1.16

package/dist/integrity.json

@@ -1,7 +1,7 @@
 {
   "algorithm": "sha256",
   "artifacts": {
-    "manifest.json": "7c2f49cff06e49b16310682353b1e912b0bab74df0a90c3431f610b77d482529",
+    "manifest.json": "c7239e90d2c98771e463e46fa1caf8e5cdf5ac1a5e177c169feb5dcae951ed50",
     "meta.json": "2bc3713e9e01e90832d18dedaf4bf544dd4d8fe32f1363f7e95dc711d3d76e9d",
     "types/index.d.ts": "0554f7e883c6216ba735cbe79a8534ccad762bea28cc4d4c4884f8760a2f1dd3",
     "rules/hardcoded-project.ts": "228631d3159e1ffcce2359c66073d4ae59bb0285f378e46e446f416aec50481c",
@@ -37,5 +37,5 @@
     "skills/chant-gcp-patterns.md": "a7ef31c1eb2f7244d3f73952c300472ef94c1eb09bd7a1003281b89299b6b704",
     "skills/chant-gcp-gke.md": "be277019da9a722c851e47cd2dfb9c9536668948c3535fb20db7697e934c4e2b"
   },
-  "composite": "f1fb5bb2d78ed635a1522a87ec8b8339dd75ad601f6cbee347711ec560e7ff33"
+  "composite": "91a1efdba5fac572f59c43ae7203dfe7e3d8697adc20b0957c4d3293c11e8690"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "gcp",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "chantVersion": ">=0.1.0",
   "namespace": "GCP",
   "intrinsics": [],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-gcp",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "description": "Google Cloud lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",

package/src/describe-resources.ts

@@ -15,6 +15,7 @@
 import { exec } from "node:child_process";
 import { promisify } from "node:util";
 import type { ResourceMetadata } from "@intentius/chant/lexicon";
+import { hasOwnershipMarker, classifyOwnership } from "@intentius/chant/ownership";
 
 const execAsync = promisify(exec);
 
@@ -38,7 +39,7 @@ interface KubectlResponse {
  * derivation logic local so describeResources can compute the kubectl resource
  * name without importing serializer internals.
  */
-function deriveGVK(entityType: string): { group: string; kind: string } | null {
+export function deriveGVK(entityType: string): { group: string; kind: string } | null {
   const parts = entityType.split("::");
   if (parts.length !== 3 || parts[0] !== "GCP") return null;
   const service = parts[1].toLowerCase();
@@ -80,6 +81,7 @@ export async function describeResources(options: {
   buildOutput: string;
   entityNames: string[];
   entities: Map<string, { entityType: string; props: Record<string, unknown> }>;
+  owned?: boolean;
 }): Promise<Record<string, ResourceMetadata>> {
   const result: Record<string, ResourceMetadata> = {};
 
@@ -98,11 +100,16 @@ export async function describeResources(options: {
     try {
       const { stdout } = await execAsync(cmd);
       const obj: KubectlResponse = JSON.parse(stdout);
+      // owned filter: skip resources not carrying chant's marker label.
+      if (options.owned && !hasOwnershipMarker(obj.metadata?.labels, "label")) {
+        continue;
+      }
       result[entityName] = {
         type: entityType,
         physicalId: obj.metadata?.uid,
         status: statusFromCC(obj),
         lastUpdated: obj.metadata?.creationTimestamp,
+        ownership: classifyOwnership(obj.metadata?.labels, "label"),
         attributes: pruneUndefined({
           namespace: obj.metadata?.namespace,
           labels: obj.metadata?.labels,

package/src/export-resources-io.test.ts

@@ -0,0 +1,81 @@
+import { describe, test, expect, vi, beforeEach } from "vitest";
+
+// Deliver exec results synchronously (value, or Error for the failure path) so
+// a skipped kind can't leave a dangling unhandled rejection.
+const execMock = vi.fn();
+vi.mock("node:child_process", async () => {
+  const actual = await vi.importActual<typeof import("node:child_process")>("node:child_process");
+  return {
+    ...actual,
+    exec: (
+      cmd: string,
+      cb: (err: Error | null, out: { stdout: string; stderr: string }) => void,
+    ) => {
+      const r = execMock(cmd);
+      queueMicrotask(() =>
+        r instanceof Error
+          ? cb(r, { stdout: "", stderr: "" })
+          : cb(null, r as { stdout: string; stderr: string }),
+      );
+    },
+  };
+});
+
+const { exportResources } = await import("./export-resources");
+
+const liveBucket = {
+  apiVersion: "storage.cnrm.cloud.google.com/v1beta1",
+  kind: "StorageBucket",
+  metadata: { name: "my-bucket", namespace: "default", uid: "u-1" },
+  spec: { location: "US", storageClass: "STANDARD" },
+};
+
+describe("gcp exportResources I/O glue (#160)", () => {
+  beforeEach(() => execMock.mockReset());
+
+  test("discovers cnrm kinds, sweeps each with `kubectl get`, maps to IR", async () => {
+    execMock.mockImplementation((cmd?: string) => {
+      if (cmd?.includes("api-resources")) {
+        return {
+          stdout:
+            "storagebuckets.storage.cnrm.cloud.google.com\n" +
+            "pubsubtopics.pubsub.cnrm.cloud.google.com\n" +
+            "pods\n",
+          stderr: "",
+        };
+      }
+      if (cmd?.includes("storagebuckets.storage.cnrm")) {
+        return { stdout: JSON.stringify({ items: [liveBucket] }), stderr: "" };
+      }
+      return { stdout: JSON.stringify({ items: [] }), stderr: "" };
+    });
+
+    const ir = await exportResources({ environment: "prod" });
+    const cmds = execMock.mock.calls.map((c) => c[0] as string);
+    expect(cmds.some((c) => c === "kubectl api-resources -o name")).toBe(true);
+    expect(
+      cmds.some((c) => c === "kubectl get storagebuckets.storage.cnrm.cloud.google.com -A -o json"),
+    ).toBe(true);
+    // The non-cnrm "pods" line must be filtered out of the sweep.
+    expect(cmds.some((c) => c.includes("kubectl get pods"))).toBe(false);
+    expect(ir.resources.map((r) => r.logicalId)).toContain("my-bucket");
+  });
+
+  test("a kind that errors (absent / RBAC) is skipped; export still succeeds", async () => {
+    execMock.mockImplementation((cmd?: string) => {
+      if (cmd?.includes("api-resources")) {
+        return { stdout: "computenetworks.compute.cnrm.cloud.google.com\n", stderr: "" };
+      }
+      return new Error("Error from server (Forbidden)");
+    });
+    const ir = await exportResources({ environment: "prod" });
+    expect(ir.resources).toEqual([]);
+  });
+
+  test("no cnrm kinds discovered → empty export, no get calls", async () => {
+    execMock.mockImplementation(() => ({ stdout: "pods\nservices\n", stderr: "" }));
+    const ir = await exportResources({ environment: "prod" });
+    expect(ir.resources).toEqual([]);
+    expect(execMock.mock.calls.filter((c) => (c[0] as string).includes("get")).length).toBe(0);
+  });
+});

package/src/export-resources.ts

@@ -0,0 +1,73 @@
+/**
+ * Live export for the GCP Config Connector lexicon — implements
+ * LexiconPlugin.exportResources() so `chant import --from <gcp-env>`
+ * regenerates GCP resources as chant TypeScript.
+ *
+ * Config Connector encodes each GCP resource as a Kubernetes CRD on a
+ * management cluster, so export reads live CC objects with kubectl and maps
+ * them to the import IR. A type selector targets one kind; otherwise every
+ * `*.cnrm.cloud.google.com` resource kind is discovered and swept. All I/O
+ * lives here; cleaning and IR-building is pure in `./import/live-export`.
+ */
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
+import type { ExportedTemplate, ResourceSelector } from "@intentius/chant/lexicon";
+import { deriveGVK } from "./describe-resources";
+import { buildExportFromObjects } from "./import/live-export";
+
+const execAsync = promisify(exec);
+
+interface KubectlList {
+  items?: unknown[];
+}
+
+/** Discover all Config Connector resource kinds present in the cluster. */
+async function discoverCnrmResources(): Promise<string[]> {
+  try {
+    const { stdout } = await execAsync("kubectl api-resources -o name");
+    return stdout
+      .split("\n")
+      .map((l) => l.trim())
+      .filter((l) => l.endsWith(".cnrm.cloud.google.com"));
+  } catch {
+    return [];
+  }
+}
+
+export async function exportResources(options: {
+  environment: string;
+  selector?: ResourceSelector;
+  owned?: boolean;
+  verbatim?: boolean;
+}): Promise<ExportedTemplate> {
+  let resources: string[];
+  if (options.selector?.type) {
+    const gvk = deriveGVK(options.selector.type);
+    resources = gvk ? [`${gvk.kind.toLowerCase()}.${gvk.group}`] : [];
+  } else {
+    resources = await discoverCnrmResources();
+  }
+
+  if (resources.length === 0) {
+    return { resources: [], parameters: [] };
+  }
+
+  const objects: unknown[] = [];
+  for (const resource of resources) {
+    try {
+      const { stdout } = await execAsync(
+        ["kubectl", "get", resource, "-A", "-o", "json"].join(" "),
+      );
+      const list = JSON.parse(stdout) as KubectlList;
+      if (Array.isArray(list.items)) objects.push(...list.items);
+    } catch {
+      // Kind absent / RBAC denied — skip, don't fail the whole export.
+    }
+  }
+
+  return buildExportFromObjects(objects, {
+    verbatim: options.verbatim,
+    selector: options.selector,
+    owned: options.owned,
+  });
+}

package/src/import/live-export.test.ts

@@ -0,0 +1,105 @@
+import { describe, expect, test } from "vitest";
+import { stripServerFields, buildExportFromObjects } from "./live-export";
+import { GcpGenerator } from "./generator";
+
+// A live Config Connector object as `kubectl get -o json` returns it.
+const liveBucket = () => ({
+  apiVersion: "storage.cnrm.cloud.google.com/v1beta1",
+  kind: "StorageBucket",
+  metadata: {
+    name: "my-bucket",
+    namespace: "default",
+    uid: "u-1",
+    resourceVersion: "55",
+    generation: 2,
+    creationTimestamp: "2026-01-01T00:00:00Z",
+    managedFields: [{ manager: "cnrm" }],
+    annotations: {
+      "cnrm.cloud.google.com/management-conflict-prevention-policy": "resource",
+      "cnrm.cloud.google.com/project-id": "my-project",
+      "team": "data",
+    },
+    labels: { env: "prod" },
+  },
+  spec: { location: "US", storageClass: "STANDARD" },
+  status: { conditions: [{ type: "Ready", status: "True" }] },
+});
+
+const livePubsub = () => ({
+  apiVersion: "pubsub.cnrm.cloud.google.com/v1beta1",
+  kind: "PubSubTopic",
+  metadata: { name: "events", namespace: "default", uid: "u-2" },
+  spec: { messageRetentionDuration: "86400s" },
+  status: { conditions: [] },
+});
+
+describe("GCP stripServerFields (#117)", () => {
+  test("removes status, managedFields, and server metadata", () => {
+    const cleaned = stripServerFields(liveBucket());
+    expect(cleaned.status).toBeUndefined();
+    const md = cleaned.metadata as Record<string, unknown>;
+    expect(md.managedFields).toBeUndefined();
+    expect(md.uid).toBeUndefined();
+    expect(md.generation).toBeUndefined();
+  });
+
+  test("drops cnrm bookkeeping annotations but keeps authored ones", () => {
+    const cleaned = stripServerFields(liveBucket());
+    const annotations = (cleaned.metadata as Record<string, unknown>).annotations as Record<string, string>;
+    expect(annotations["cnrm.cloud.google.com/management-conflict-prevention-policy"]).toBeUndefined();
+    expect(annotations["cnrm.cloud.google.com/project-id"]).toBeUndefined();
+    expect(annotations.team).toBe("data");
+  });
+
+  test("keeps authored spec and labels; does not mutate input", () => {
+    const input = liveBucket();
+    const cleaned = stripServerFields(input);
+    expect(cleaned.spec).toEqual({ location: "US", storageClass: "STANDARD" });
+    expect(input.status).toBeDefined();
+  });
+});
+
+describe("GCP buildExportFromObjects (#117)", () => {
+  test("maps live CC objects to export IR, stripped by default", () => {
+    const ir = buildExportFromObjects([liveBucket(), livePubsub()]);
+    expect(ir.resources).toHaveLength(2);
+    const bucket = ir.resources.find((r) => r.logicalId === "my-bucket")!;
+    expect(bucket.type).toBe("GCP::Storage::Bucket");
+    expect((bucket.properties.metadata as Record<string, unknown>).uid).toBeUndefined();
+    expect(bucket.properties.location).toBe("US");
+  });
+
+  test("verbatim keeps server fields", () => {
+    const ir = buildExportFromObjects([liveBucket()], { verbatim: true });
+    const bucket = ir.resources[0];
+    expect((bucket.properties.metadata as Record<string, unknown>).uid).toBe("u-1");
+  });
+
+  test("selector by type narrows the export", () => {
+    const ir = buildExportFromObjects([liveBucket(), livePubsub()], {
+      selector: { type: "GCP::Pubsub::Topic" },
+    });
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["events"]);
+  });
+
+  test("selector by name narrows the export", () => {
+    const ir = buildExportFromObjects([liveBucket(), livePubsub()], {
+      selector: { name: "my-bucket" },
+    });
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["my-bucket"]);
+  });
+
+  test("owned filter keeps only objects carrying the chant marker label (#120)", () => {
+    const mine = liveBucket();
+    (mine.metadata as any).labels = { "app.kubernetes.io/managed-by": "chant", "chant.intentius.io/stack": "billing" };
+    const theirs = livePubsub(); // no chant label
+    const ir = buildExportFromObjects([mine, theirs], { owned: true });
+    expect(ir.resources.map((r) => r.logicalId)).toEqual(["my-bucket"]);
+  });
+
+  test("export IR feeds GcpGenerator (templateGenerator) unchanged", () => {
+    const ir = buildExportFromObjects([liveBucket()]);
+    const files = new GcpGenerator().generate(ir);
+    expect(files.length).toBeGreaterThan(0);
+  });
+});

package/src/import/live-export.ts

@@ -0,0 +1,87 @@
+import type { ExportedTemplate, ResourceSelector } from "@intentius/chant/lexicon";
+import { hasOwnershipMarker } from "@intentius/chant/ownership";
+import { GcpParser } from "./parser";
+
+/** Server-written metadata fields, stripped unless `verbatim`. */
+const SERVER_METADATA_FIELDS = [
+  "managedFields",
+  "uid",
+  "resourceVersion",
+  "generation",
+  "creationTimestamp",
+  "selfLink",
+  "ownerReferences",
+  "finalizers",
+];
+
+function isRecord(v: unknown): v is Record<string, unknown> {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+
+/**
+ * Strip `status` and server-written metadata to reach the declared shape of a
+ * Config Connector object. Config Connector writes back several
+ * `cnrm.cloud.google.com/*` annotations that are not authored config; those are
+ * dropped too. Returns a new object; the input is not mutated.
+ */
+export function stripServerFields(obj: Record<string, unknown>): Record<string, unknown> {
+  const clone = JSON.parse(JSON.stringify(obj)) as Record<string, unknown>;
+  delete clone.status;
+
+  if (isRecord(clone.metadata)) {
+    const md = clone.metadata;
+    for (const f of SERVER_METADATA_FIELDS) delete md[f];
+    if (isRecord(md.annotations)) {
+      for (const key of Object.keys(md.annotations)) {
+        // Config Connector's own bookkeeping annotations, plus the apply
+        // round-trip annotation — none are authored config.
+        if (
+          key.startsWith("cnrm.cloud.google.com/") ||
+          key === "kubectl.kubernetes.io/last-applied-configuration"
+        ) {
+          delete md.annotations[key];
+        }
+      }
+      if (Object.keys(md.annotations).length === 0) delete md.annotations;
+    }
+  }
+  return clone;
+}
+
+/**
+ * Build full-fidelity export IR from a list of live Config Connector objects
+ * (each live object is already its manifest). Reuses the import GcpParser by
+ * feeding cleaned objects as JSON documents. Pure: all I/O stays in the caller.
+ */
+export function buildExportFromObjects(
+  objects: unknown[],
+  opts: { verbatim?: boolean; selector?: ResourceSelector; owned?: boolean } = {},
+): ExportedTemplate {
+  const owning = opts.owned
+    ? objects.filter((o) => {
+        if (!isRecord(o)) return false;
+        const labels = isRecord(o.metadata) ? (o.metadata.labels as Record<string, unknown>) : undefined;
+        return hasOwnershipMarker(labels, "label");
+      })
+    : objects;
+
+  const cleaned = owning
+    .filter(isRecord)
+    .map((o) => (opts.verbatim ? o : stripServerFields(o)));
+
+  const content = cleaned.map((o) => JSON.stringify(o, null, 2)).join("\n---\n");
+  const ir = new GcpParser().parse(content);
+
+  const selector = opts.selector;
+  if (!selector || (selector.type === undefined && selector.name === undefined)) {
+    return ir;
+  }
+  return {
+    ...ir,
+    resources: ir.resources.filter(
+      (r) =>
+        (selector.type === undefined || r.type === selector.type) &&
+        (selector.name === undefined || r.logicalId === selector.name),
+    ),
+  };
+}

package/src/lifecycle-integration.test.ts

@@ -0,0 +1,119 @@
+/**
+ * Cross-lexicon lifecycle integration (#163) — GCP row.
+ *
+ * Drives the REAL gcpPlugin through core's live-import driver and the changeset
+ * path, with the `kubectl` (Config Connector) edge mocked.
+ */
+import { describe, test, expect, vi, beforeEach } from "vitest";
+import { mkdtempSync, rmSync, readdirSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+const execMock = vi.fn();
+vi.mock("node:child_process", async () => {
+  const actual = await vi.importActual<typeof import("node:child_process")>("node:child_process");
+  return {
+    ...actual,
+    exec: (
+      cmd: string,
+      cb: (err: Error | null, out: { stdout: string; stderr: string }) => void,
+    ) => {
+      const r = execMock(cmd);
+      queueMicrotask(() =>
+        r instanceof Error
+          ? cb(r, { stdout: "", stderr: "" })
+          : cb(null, r as { stdout: string; stderr: string }),
+      );
+    },
+  };
+});
+
+const { gcpPlugin } = await import("./plugin");
+const { liveImportFromPlugins } = await import("@intentius/chant/cli/commands/import");
+const { buildChangeSet } = await import("@intentius/chant/lifecycle/change-set");
+
+const liveBucket = {
+  apiVersion: "storage.cnrm.cloud.google.com/v1beta1",
+  kind: "StorageBucket",
+  metadata: { name: "my-bucket", namespace: "default", uid: "u-1" },
+  spec: { location: "US", storageClass: "STANDARD" },
+};
+
+describe("gcp lifecycle integration (#163)", () => {
+  beforeEach(() => execMock.mockReset());
+
+  test("live-import driver: real exportResources → IR → generated source", async () => {
+    execMock.mockImplementation((cmd?: string) => {
+      if (cmd?.includes("api-resources")) {
+        return { stdout: "storagebuckets.storage.cnrm.cloud.google.com\n", stderr: "" };
+      }
+      if (cmd?.includes("storagebuckets.storage.cnrm")) {
+        return { stdout: JSON.stringify({ items: [liveBucket] }), stderr: "" };
+      }
+      return { stdout: JSON.stringify({ items: [] }), stderr: "" };
+    });
+    const output = mkdtempSync(join(tmpdir(), "chant-gcp-li-"));
+    try {
+      const result = await liveImportFromPlugins([gcpPlugin], {
+        environment: "prod",
+        output,
+        force: true,
+      });
+      expect(result.success).toBe(true);
+      expect(result.generatedFiles.length).toBeGreaterThan(0);
+      const all = readdirSync(output)
+        .map((f) => readFileSync(join(output, f), "utf-8"))
+        .join("\n")
+        .toLowerCase();
+      expect(all).toContain("bucket");
+    } finally {
+      rmSync(output, { recursive: true, force: true });
+    }
+  });
+
+  test("changeset path: real describeResources → buildChangeSet verdicts", async () => {
+    execMock.mockImplementation((cmd?: string) =>
+      cmd?.includes("data-bucket")
+        ? {
+            stdout: JSON.stringify({
+              metadata: { name: "data-bucket", namespace: "config-control", uid: "uid-1" },
+              status: { conditions: [{ type: "Ready", status: "True" }] },
+            }),
+            stderr: "",
+          }
+        : new Error("not found"),
+    );
+
+    const observedNow = await gcpPlugin.describeResources!({
+      environment: "prod",
+      buildOutput: "",
+      entityNames: ["dataBucket"],
+      entities: new Map([
+        [
+          "dataBucket",
+          {
+            entityType: "GCP::Storage::Bucket",
+            props: { metadata: { name: "data-bucket", namespace: "config-control" } },
+          },
+        ],
+      ]),
+    });
+    expect(observedNow.dataBucket?.type).toBe("GCP::Storage::Bucket");
+
+    const cs = buildChangeSet("prod", {
+      declared: new Set(["pubsubTopic"]),
+      observedNow,
+      observedThen: undefined,
+    });
+    const byName = Object.fromEntries(cs.entries.map((e) => [e.name, e.action]));
+    expect(byName.pubsubTopic).toBe("create");
+    expect(byName.dataBucket).toBe("adopt");
+
+    const cs2 = buildChangeSet("prod", {
+      declared: new Set(["dataBucket"]),
+      observedNow,
+      observedThen: undefined,
+    });
+    expect(cs2.entries.find((e) => e.name === "dataBucket")!.action).toBe("noop");
+  });
+});

package/src/plugin.ts

@@ -385,4 +385,9 @@ export const bucket = new StorageBucket({
     const { describeResources } = await import("./describe-resources");
     return describeResources(options);
   },
+
+  async exportResources(options) {
+    const { exportResources } = await import("./export-resources");
+    return exportResources(options);
+  },
 };

package/src/serializer-ownership.test.ts

@@ -0,0 +1,28 @@
+import { describe, test, expect } from "vitest";
+import { gcpSerializer } from "./serializer";
+import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
+
+function mockResource(entityType: string, props: Record<string, unknown>): any {
+  return { [DECLARABLE_MARKER]: true, lexicon: "gcp", entityType, kind: "resource", props };
+}
+
+describe("gcpSerializer ownership stamping (#119)", () => {
+  test("stamps the ownership marker as labels when context.ownership is set", () => {
+    const entities = new Map<string, any>([
+      ["myBucket", mockResource("GCP::Storage::Bucket", { metadata: { name: "my-bucket" }, location: "US" })],
+    ]);
+    const yaml = gcpSerializer.serialize(entities, [], { ownership: { stack: "billing", env: "prod" } });
+    expect(yaml).toContain("app.kubernetes.io/managed-by: chant");
+    expect(yaml).toContain("chant.intentius.io/stack: billing");
+    expect(yaml).toContain("chant.intentius.io/env: prod");
+  });
+
+  test("no ownership context → no chant labels", () => {
+    const entities = new Map<string, any>([
+      ["myBucket", mockResource("GCP::Storage::Bucket", { metadata: { name: "my-bucket" }, location: "US" })],
+    ]);
+    const yaml = gcpSerializer.serialize(entities, []);
+    expect(yaml).not.toContain("managed-by: chant");
+    expect(yaml).not.toContain("chant.intentius.io/stack");
+  });
+});

package/src/serializer.ts

@@ -8,7 +8,8 @@
 import { createRequire } from "module";
 import type { Declarable } from "@intentius/chant/declarable";
 import { isPropertyDeclarable } from "@intentius/chant/declarable";
-import type { Serializer, SerializerResult } from "@intentius/chant/serializer";
+import type { Serializer, SerializerResult, SerializeContext } from "@intentius/chant/serializer";
+import { ownershipEntries } from "@intentius/chant/ownership";
 import type { LexiconOutput } from "@intentius/chant/lexicon-output";
 import { walkValue, type SerializerVisitor } from "@intentius/chant/serializer-walker";
 import { emitYAML } from "@intentius/chant/yaml";
@@ -116,15 +117,18 @@ export const gcpSerializer: Serializer = {
   name: "gcp",
   rulePrefix: "WGC",
 
-  serialize(entities: Map<string, Declarable>, _outputs?: LexiconOutput[]): string {
+  serialize(entities: Map<string, Declarable>, _outputs?: LexiconOutput[], context?: SerializeContext): string {
     // Build reverse map: entity → name
     const entityNames = new Map<Declarable, string>();
     for (const [name, entity] of entities) {
       entityNames.set(entity, name);
     }
 
-    // Collect default labels and annotations
-    let defaultLabelEntries: Record<string, unknown> = {};
+    // Collect default labels and annotations. Ownership markers are stamped as
+    // labels (Config Connector resources carry them in metadata.labels).
+    let defaultLabelEntries: Record<string, unknown> = context?.ownership
+      ? { ...ownershipEntries("label", context.ownership) }
+      : {};
     let defaultAnnotationEntries: Record<string, unknown> = {};
 
     for (const [, entity] of entities) {