@intentius/chant-lexicon-github 0.0.18

package/src/lint/post-synth/post-synth.test.ts

@@ -0,0 +1,318 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { gha006 } from "./gha006";
+import { gha009 } from "./gha009";
+import { gha011 } from "./gha011";
+import { gha017 } from "./gha017";
+import { gha018 } from "./gha018";
+import { gha019 } from "./gha019";
+
+// ── Helpers ─────────────────────────────────────────────────────────
+
+function makeCtx(yaml: string): PostSynthContext {
+  return {
+    outputs: new Map([["github", yaml]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", yaml]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+function makeMultiCtx(files: Record<string, string>): PostSynthContext {
+  const result = {
+    primary: Object.values(files)[0] ?? "",
+    files,
+  };
+  return {
+    outputs: new Map([["github", result as unknown as string]]),
+    entities: new Map(),
+    buildResult: {
+      outputs: new Map([["github", result as unknown as string]]),
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+// ── GHA006: Duplicate Workflow Name ─────────────────────────────────
+
+describe("GHA006: duplicate workflow name", () => {
+  test("flags duplicate workflow names across files", () => {
+    const ctx = makeMultiCtx({
+      "ci.yml": `name: CI\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n`,
+      "deploy.yml": `name: CI\non:\n  push:\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n`,
+    });
+    const diags = gha006.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA006");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("CI");
+  });
+
+  test("does not flag unique workflow names", () => {
+    const ctx = makeMultiCtx({
+      "ci.yml": `name: CI\non:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n`,
+      "deploy.yml": `name: Deploy\non:\n  push:\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n`,
+    });
+    const diags = gha006.check(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});
+
+// ── GHA009: Empty Matrix Dimension ──────────────────────────────────
+
+describe("GHA009: empty matrix dimension", () => {
+  test("flags empty matrix array", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: []
+    steps:
+      - run: echo test
+`;
+    const diags = gha009.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA009");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("node-version");
+  });
+
+  test("does not flag non-empty matrix", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20, 22]
+    steps:
+      - run: echo test
+`;
+    const diags = gha009.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});
+
+// ── GHA011: Invalid Needs Reference ─────────────────────────────────
+
+describe("GHA011: invalid needs reference", () => {
+  test("flags needs referencing non-existent job", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build, test]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha011.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA011");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("test");
+    expect(diags[0].message).toContain("deploy");
+  });
+
+  test("does not flag valid needs", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha011.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});
+
+// ── GHA017: Missing Permissions ─────────────────────────────────────
+
+describe("GHA017: missing permissions", () => {
+  test("flags workflow without permissions", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha017.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA017");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("does not flag workflow with permissions", () => {
+    const yaml = `name: CI
+on:
+  push:
+permissions:
+  contents: read
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo test
+`;
+    const diags = gha017.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});
+
+// ── GHA018: PR Target + Checkout ────────────────────────────────────
+
+describe("GHA018: pull_request_target + checkout", () => {
+  test("flags pull_request_target with checkout", () => {
+    const yaml = `name: CI
+on:
+  pull_request_target:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("GHA018");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("checkout");
+  });
+
+  test("does not flag pull_request_target without checkout", () => {
+    const yaml = `name: CI
+on:
+  pull_request_target:
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "label"
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag push trigger with checkout", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm test
+`;
+    const diags = gha018.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});
+
+// ── GHA019: Circular Needs ──────────────────────────────────────────
+
+describe("GHA019: circular needs chain", () => {
+  test("detects simple cycle", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    needs: [deploy]
+    steps:
+      - run: echo build
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha019.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("GHA019");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("→");
+  });
+
+  test("detects three-node cycle", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  a-job:
+    runs-on: ubuntu-latest
+    needs: [c-job]
+    steps:
+      - run: echo a
+  b-job:
+    runs-on: ubuntu-latest
+    needs: [a-job]
+    steps:
+      - run: echo b
+  c-job:
+    runs-on: ubuntu-latest
+    needs: [b-job]
+    steps:
+      - run: echo c
+`;
+    const diags = gha019.check(makeCtx(yaml));
+    expect(diags.length).toBeGreaterThanOrEqual(1);
+    expect(diags[0].checkId).toBe("GHA019");
+  });
+
+  test("does not flag acyclic graph", () => {
+    const yaml = `name: CI
+on:
+  push:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo build
+  test:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - run: echo test
+  deploy:
+    runs-on: ubuntu-latest
+    needs: [test]
+    steps:
+      - run: echo deploy
+`;
+    const diags = gha019.check(makeCtx(yaml));
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/yaml-helpers.ts

@@ -0,0 +1,129 @@
+/**
+ * Helpers for parsing serialized GitHub Actions YAML in post-synth checks.
+ */
+
+export { getPrimaryOutput } from "@intentius/chant/lint/post-synth";
+
+export interface ParsedJob {
+  name: string;
+  needs?: string[];
+  steps?: Array<{ uses?: string; run?: string; name?: string }>;
+  permissions?: Record<string, string>;
+}
+
+/**
+ * Extract jobs from a serialized GitHub Actions workflow YAML.
+ */
+export function extractJobs(yaml: string): Map<string, ParsedJob> {
+  const jobs = new Map<string, ParsedJob>();
+
+  // Find the jobs: section — take everything after `jobs:\n`
+  const jobsIdx = yaml.search(/^jobs:\s*$/m);
+  if (jobsIdx === -1) return jobs;
+
+  // Content after the `jobs:` line. Stop at the next top-level key (non-indented) or EOF.
+  const afterJobs = yaml.slice(jobsIdx + yaml.slice(jobsIdx).indexOf("\n") + 1);
+  const endMatch = afterJobs.search(/^[a-z]/m);
+  const jobsContent = endMatch === -1 ? afterJobs : afterJobs.slice(0, endMatch);
+
+  // Split into individual jobs by finding lines with exactly 2 spaces of indent followed by a key
+  const jobSections = jobsContent.split(/\n(?=  [a-z][a-z0-9-]*:)/);
+
+  for (const section of jobSections) {
+    const nameMatch = section.match(/^\s{2}([a-z][a-z0-9-]*):/);
+    if (!nameMatch) continue;
+
+    const name = nameMatch[1];
+    const job: ParsedJob = { name };
+
+    // Extract needs
+    const needsInline = section.match(/^\s{4}needs:\s+\[(.+)\]$/m);
+    if (needsInline) {
+      job.needs = needsInline[1].split(",").map((s) => s.trim().replace(/^'|'$/g, "").replace(/^"|"$/g, ""));
+    } else {
+      const needsList = section.match(/^\s{4}needs:\n((?:\s{6}- .+\n?)+)/m);
+      if (needsList) {
+        job.needs = [];
+        for (const line of needsList[1].split("\n")) {
+          const item = line.match(/^\s{6}- (.+)$/);
+          if (item) job.needs.push(item[1].trim().replace(/^'|'$/g, "").replace(/^"|"$/g, ""));
+        }
+      }
+    }
+
+    // Extract steps with uses:
+    const stepsMatch = section.match(/^\s{4}steps:\n([\s\S]*?)(?=\n\s{4}[a-z]|\n\s{2}[a-z]|$)/m);
+    if (stepsMatch) {
+      job.steps = [];
+      const stepEntries = stepsMatch[1].split(/\n(?=\s{6}- )/);
+      for (const stepEntry of stepEntries) {
+        const usesMatch = stepEntry.match(/uses:\s+(.+)$/m);
+        const runMatch = stepEntry.match(/run:\s+(.+)$/m);
+        const stepNameMatch = stepEntry.match(/name:\s+(.+)$/m);
+        if (usesMatch || runMatch) {
+          job.steps.push({
+            uses: usesMatch?.[1]?.trim().replace(/^'|'$/g, ""),
+            run: runMatch?.[1]?.trim(),
+            name: stepNameMatch?.[1]?.trim().replace(/^'|'$/g, ""),
+          });
+        }
+      }
+    }
+
+    jobs.set(name, job);
+  }
+
+  return jobs;
+}
+
+/**
+ * Extract trigger events from the YAML.
+ */
+export function extractTriggers(yaml: string): Record<string, unknown> {
+  const onMatch = yaml.match(/^on:\n([\s\S]*?)(?=\n[a-z]|$)/m);
+  if (!onMatch) return {};
+
+  const triggers: Record<string, unknown> = {};
+  const lines = onMatch[1].split("\n");
+  for (const line of lines) {
+    const triggerMatch = line.match(/^\s{2}([a-z_]+):/);
+    if (triggerMatch) {
+      triggers[triggerMatch[1]] = true;
+    }
+  }
+  return triggers;
+}
+
+/**
+ * Check if any step in the list uses a checkout action.
+ */
+export function hasCheckoutAction(steps: Array<{ uses?: string }>): boolean {
+  return steps.some((s) => s.uses?.startsWith("actions/checkout"));
+}
+
+/**
+ * Build a needs dependency graph from the YAML.
+ */
+export function buildNeedsGraph(yaml: string): Map<string, string[]> {
+  const jobs = extractJobs(yaml);
+  const graph = new Map<string, string[]>();
+  for (const [name, job] of jobs) {
+    graph.set(name, job.needs ?? []);
+  }
+  return graph;
+}
+
+/**
+ * Extract the workflow name from the YAML.
+ */
+export function extractWorkflowName(yaml: string): string | undefined {
+  const match = yaml.match(/^name:\s+(.+)$/m);
+  return match?.[1]?.trim().replace(/^'|'$/g, "");
+}
+
+/**
+ * Check if the YAML has an explicit permissions block.
+ */
+export function hasPermissions(yaml: string): boolean {
+  return /^permissions:/m.test(yaml);
+}

package/src/lint/rules/data/deprecated-versions.ts

@@ -0,0 +1,13 @@
+/**
+ * Deprecated action versions and recommended replacements.
+ */
+
+export const deprecatedVersions: Record<string, { deprecated: string[]; recommended: string }> = {
+  "actions/checkout": { deprecated: ["v1", "v2", "v3"], recommended: "v4" },
+  "actions/setup-node": { deprecated: ["v1", "v2", "v3"], recommended: "v4" },
+  "actions/setup-go": { deprecated: ["v1", "v2", "v3", "v4"], recommended: "v5" },
+  "actions/setup-python": { deprecated: ["v1", "v2", "v3", "v4"], recommended: "v5" },
+  "actions/cache": { deprecated: ["v1", "v2", "v3"], recommended: "v4" },
+  "actions/upload-artifact": { deprecated: ["v1", "v2", "v3"], recommended: "v4" },
+  "actions/download-artifact": { deprecated: ["v1", "v2", "v3"], recommended: "v4" },
+};

package/src/lint/rules/data/known-actions.ts

@@ -0,0 +1,13 @@
+/**
+ * Registry of well-known GitHub Actions and their typed composite wrappers.
+ */
+
+export const knownActions: Record<string, { composite: string; importPath: string }> = {
+  "actions/checkout": { composite: "Checkout", importPath: "@intentius/chant-lexicon-github" },
+  "actions/setup-node": { composite: "SetupNode", importPath: "@intentius/chant-lexicon-github" },
+  "actions/setup-go": { composite: "SetupGo", importPath: "@intentius/chant-lexicon-github" },
+  "actions/setup-python": { composite: "SetupPython", importPath: "@intentius/chant-lexicon-github" },
+  "actions/cache": { composite: "Cache", importPath: "@intentius/chant-lexicon-github" },
+  "actions/upload-artifact": { composite: "UploadArtifact", importPath: "@intentius/chant-lexicon-github" },
+  "actions/download-artifact": { composite: "DownloadArtifact", importPath: "@intentius/chant-lexicon-github" },
+};

package/src/lint/rules/data/recommended-inputs.ts

@@ -0,0 +1,10 @@
+/**
+ * Recommended inputs for setup action composites.
+ * If a setup action is used without any of the listed inputs, a warning is raised.
+ */
+
+export const recommendedInputs: Record<string, string[]> = {
+  SetupNode: ["nodeVersion", "node-version"],
+  SetupGo: ["goVersion", "go-version"],
+  SetupPython: ["pythonVersion", "python-version"],
+};

package/src/lint/rules/data/secret-patterns.ts

@@ -0,0 +1,31 @@
+/**
+ * Regex patterns for detecting hardcoded secrets in source code.
+ */
+
+export const secretPatterns: Array<{ pattern: RegExp; description: string }> = [
+  { pattern: /AKIA[0-9A-Z]{16}/, description: "AWS Access Key ID" },
+  { pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/, description: "Private Key" },
+  { pattern: /sk_live_[a-zA-Z0-9]{20,}/, description: "Stripe Live Secret Key" },
+  { pattern: /xox[bpors]-[a-zA-Z0-9-]{10,}/, description: "Slack Token" },
+  { pattern: /AIza[0-9A-Za-z_-]{35}/, description: "Google API Key" },
+  { pattern: /AC[a-z0-9]{32}/, description: "Twilio Account SID" },
+  { pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, description: "SendGrid API Key" },
+  { pattern: /key-[a-zA-Z0-9]{32}/, description: "Mailgun API Key" },
+  { pattern: /npm_[a-zA-Z0-9]{36}/, description: "NPM Token" },
+  { pattern: /pypi-[a-zA-Z0-9_-]{50,}/, description: "PyPI Token" },
+  { pattern: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, description: "JWT Token" },
+  { pattern: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, description: "Heroku API Key (UUID)" },
+  { pattern: /dop_v1_[a-f0-9]{64}/, description: "DigitalOcean Personal Access Token" },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, description: "GitHub Personal Access Token" },
+  { pattern: /ghs_[a-zA-Z0-9]{36}/, description: "GitHub Server-to-Server Token" },
+  { pattern: /ghu_[a-zA-Z0-9]{36}/, description: "GitHub User-to-Server Token" },
+  { pattern: /ghr_[a-zA-Z0-9]{36}/, description: "GitHub Refresh Token" },
+  { pattern: /gho_[a-zA-Z0-9]{36}/, description: "GitHub OAuth Token" },
+  { pattern: /github_pat_[a-zA-Z0-9_]{22,}/, description: "GitHub Fine-grained PAT" },
+  { pattern: /glpat-[a-zA-Z0-9_-]{20,}/, description: "GitLab Personal Access Token" },
+  { pattern: /sk-[a-zA-Z0-9]{48}/, description: "OpenAI API Key" },
+  { pattern: /r8_[a-zA-Z0-9]{37}/, description: "Replicate API Token" },
+  { pattern: /sq0atp-[a-zA-Z0-9_-]{22}/, description: "Square Access Token" },
+  { pattern: /shpat_[a-fA-F0-9]{32}/, description: "Shopify Admin API Token" },
+  { pattern: /shr[a-z]{2}_[a-f0-9]{32}/, description: "Shopify Shared Secret" },
+];

package/src/lint/rules/deprecated-action-version.ts

@@ -0,0 +1,49 @@
+/**
+ * GHA012: Deprecated Action Version
+ *
+ * Flags `uses:` strings referencing deprecated action versions.
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+import { deprecatedVersions } from "./data/deprecated-versions";
+
+export const deprecatedActionVersionRule: LintRule = {
+  id: "GHA012",
+  severity: "warning",
+  category: "correctness",
+  description: "Action version is deprecated — upgrade to the recommended version",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node)) {
+        const text = node.text;
+        const atIndex = text.indexOf("@");
+        if (atIndex === -1) { ts.forEachChild(node, visit); return; }
+
+        const actionName = text.slice(0, atIndex);
+        const version = text.slice(atIndex + 1);
+        const info = deprecatedVersions[actionName];
+
+        if (info && info.deprecated.includes(version)) {
+          const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+          diagnostics.push({
+            file: sourceFile.fileName,
+            line: line + 1,
+            column: character + 1,
+            ruleId: "GHA012",
+            severity: "warning",
+            message: `"${text}" uses deprecated version ${version}. Upgrade to ${actionName}@${info.recommended}.`,
+          });
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/detect-secrets.ts

@@ -0,0 +1,53 @@
+/**
+ * GHA020: Detect Secrets
+ *
+ * Scans string literals for patterns matching known secret formats.
+ * Skips strings containing "secrets." (proper usage).
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+import { secretPatterns } from "./data/secret-patterns";
+
+export const detectSecretsRule: LintRule = {
+  id: "GHA020",
+  severity: "error",
+  category: "security",
+  description: "Potential secret detected in source code",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function visit(node: ts.Node): void {
+      if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
+        const text = node.text;
+
+        // Skip strings that reference secrets properly
+        if (text.includes("secrets.")) {
+          ts.forEachChild(node, visit);
+          return;
+        }
+
+        for (const { pattern, description } of secretPatterns) {
+          if (pattern.test(text)) {
+            const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+            diagnostics.push({
+              file: sourceFile.fileName,
+              line: line + 1,
+              column: character + 1,
+              ruleId: "GHA020",
+              severity: "error",
+              message: `Potential ${description} detected. Use secrets() to reference secrets securely.`,
+            });
+            break; // One diagnostic per string
+          }
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};

package/src/lint/rules/extract-inline-structs.ts

@@ -0,0 +1,62 @@
+/**
+ * GHA005: Extract Inline Structs
+ *
+ * Flags object literal nesting depth > 2 inside resource constructors.
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+const RESOURCE_NAMES = new Set(["Job", "Workflow", "ReusableWorkflowCallJob"]);
+const MAX_DEPTH = 2;
+
+export const extractInlineStructsRule: LintRule = {
+  id: "GHA005",
+  severity: "info",
+  category: "style",
+  description: "Extract deeply nested inline objects to named constants",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function isResourceConstructor(node: ts.NewExpression): boolean {
+      if (ts.isIdentifier(node.expression)) return RESOURCE_NAMES.has(node.expression.text);
+      if (ts.isPropertyAccessExpression(node.expression)) return RESOURCE_NAMES.has(node.expression.name.text);
+      return false;
+    }
+
+    function checkDepth(node: ts.ObjectLiteralExpression, depth: number): void {
+      if (depth > MAX_DEPTH) {
+        const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+        diagnostics.push({
+          file: sourceFile.fileName,
+          line: line + 1,
+          column: character + 1,
+          ruleId: "GHA005",
+          severity: "info",
+          message: `Object nesting depth ${depth} exceeds ${MAX_DEPTH}. Consider extracting to a named constant.`,
+        });
+        return;
+      }
+      for (const prop of node.properties) {
+        if (ts.isPropertyAssignment(prop) && ts.isObjectLiteralExpression(prop.initializer)) {
+          checkDepth(prop.initializer, depth + 1);
+        }
+      }
+    }
+
+    function visit(node: ts.Node): void {
+      if (ts.isNewExpression(node) && isResourceConstructor(node) && node.arguments?.[0]) {
+        const arg = node.arguments[0];
+        if (ts.isObjectLiteralExpression(arg)) {
+          checkDepth(arg, 1);
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};