@intentius/chant-lexicon-gitlab 0.0.16 → 0.0.22

package/src/composites/composites.test.ts

@@ -98,6 +98,46 @@ describe("DockerBuild", () => {
     expect(expanded.has("dockerBuild")).toBe(true);
     expect(expanded.size).toBe(1);
   });
+
+  test("default dockerfile and context", () => {
+    const instance = DockerBuild({});
+    const props = (instance.build as any).props;
+    expect(props.script[0]).toContain("-f Dockerfile");
+    expect(props.script[0]).toMatch(/\.\s*$/);
+  });
+
+  test("custom dockerfile path", () => {
+    const instance = DockerBuild({ dockerfile: "docker/app.Dockerfile" });
+    const props = (instance.build as any).props;
+    expect(props.script[0]).toContain("-f docker/app.Dockerfile");
+  });
+
+  test("custom context directory", () => {
+    const instance = DockerBuild({ context: "./app" });
+    const props = (instance.build as any).props;
+    expect(props.script[0]).toContain("./app");
+  });
+
+  test("empty buildArgs produces no --build-arg flags", () => {
+    const instance = DockerBuild({ buildArgs: {} });
+    const props = (instance.build as any).props;
+    expect(props.script[0]).not.toContain("--build-arg");
+  });
+
+  test("multiple buildArgs are all present", () => {
+    const instance = DockerBuild({
+      buildArgs: { NODE_ENV: "production", VERSION: "1.0" },
+    });
+    const props = (instance.build as any).props;
+    expect(props.script[0]).toContain("--build-arg NODE_ENV=production");
+    expect(props.script[0]).toContain("--build-arg VERSION=1.0");
+  });
+
+  test("no rules by default", () => {
+    const instance = DockerBuild({});
+    const props = (instance.build as any).props;
+    expect(props.rules).toBeUndefined();
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -201,6 +241,52 @@ describe("NodePipeline", () => {
     expect(expanded.has("appBuild")).toBe(true);
     expect(expanded.has("appTest")).toBe(true);
   });
+
+  test("custom artifact paths", () => {
+    const instance = NodePipeline({ buildArtifactPaths: ["build/", "out/"] });
+    const props = (instance.build as any).props;
+    const artProps = (props.artifacts as any).props;
+    expect(artProps.paths).toEqual(["build/", "out/"]);
+  });
+
+  test("custom artifact expiry", () => {
+    const instance = NodePipeline({ artifactExpiry: "30 minutes" });
+    const props = (instance.build as any).props;
+    const artProps = (props.artifacts as any).props;
+    expect(artProps.expire_in).toBe("30 minutes");
+  });
+
+  test("cache has pull-push policy", () => {
+    const instance = NodePipeline({});
+    const defaultProps = (instance.defaults as any).props;
+    const cacheProps = (defaultProps.cache[0] as any).props;
+    expect(cacheProps.policy).toBe("pull-push");
+  });
+
+  test("pnpm install command", () => {
+    const instance = NodePipeline({ packageManager: "pnpm" });
+    const buildProps = (instance.build as any).props;
+    expect(buildProps.script[0]).toBe("pnpm install --frozen-lockfile");
+  });
+
+  test("bun install command", () => {
+    const instance = NodePipeline({ packageManager: "bun" });
+    const buildProps = (instance.build as any).props;
+    expect(buildProps.script[0]).toBe("bun install --frozen-lockfile");
+  });
+
+  test("test job stage is test", () => {
+    const instance = NodePipeline({});
+    const props = (instance.test as any).props;
+    expect(props.stage).toBe("test");
+  });
+
+  test("test artifacts always reported", () => {
+    const instance = NodePipeline({});
+    const props = (instance.test as any).props;
+    const artProps = (props.artifacts as any).props;
+    expect(artProps.when).toBe("always");
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -329,6 +415,42 @@ describe("PythonPipeline", () => {
     expect(expanded.has("pyTest")).toBe(true);
     expect(expanded.has("pyLint")).toBe(false);
   });
+
+  test("custom requirements file", () => {
+    const instance = PythonPipeline({ requirementsFile: "requirements-dev.txt" });
+    const defaultProps = (instance.defaults as any).props;
+    const cacheProps = (defaultProps.cache[0] as any).props;
+    expect(cacheProps.key).toEqual({ files: ["requirements-dev.txt"] });
+    expect(defaultProps.before_script).toContain("pip install -r requirements-dev.txt");
+  });
+
+  test("poetry mode sets virtualenvs.in-project config", () => {
+    const instance = PythonPipeline({ usePoetry: true });
+    const defaultProps = (instance.defaults as any).props;
+    expect(defaultProps.before_script).toContain("poetry config virtualenvs.in-project true");
+  });
+
+  test("custom lint command", () => {
+    const instance = PythonPipeline({ lintCommand: "flake8 src/" });
+    const members = instance.members as any;
+    const props = (members.lint as any).props;
+    expect(props.script).toContain("flake8 src/");
+  });
+
+  test("test and lint jobs share the test stage", () => {
+    const instance = PythonPipeline({});
+    const testProps = (instance.test as any).props;
+    const lintProps = ((instance.members as any).lint as any).props;
+    expect(testProps.stage).toBe("test");
+    expect(lintProps.stage).toBe("test");
+  });
+
+  test("cache has pull-push policy", () => {
+    const instance = PythonPipeline({});
+    const defaultProps = (instance.defaults as any).props;
+    const cacheProps = (defaultProps.cache[0] as any).props;
+    expect(cacheProps.policy).toBe("pull-push");
+  });
 });
 
 // ---------------------------------------------------------------------------
@@ -449,4 +571,42 @@ describe("ReviewApp", () => {
     // which the serializer converts to "staging-stop" in YAML
     expect(envProps.on_stop).toBe("staging-stop");
   });
+
+  test("default auto_stop_in is 1 week", () => {
+    const instance = ReviewApp(baseProps);
+    const props = (instance.deploy as any).props;
+    const envProps = (props.environment as any).props;
+    expect(envProps.auto_stop_in).toBe("1 week");
+  });
+
+  test("custom auto_stop_in", () => {
+    const instance = ReviewApp({ ...baseProps, autoStopIn: "2 days" });
+    const props = (instance.deploy as any).props;
+    const envProps = (props.environment as any).props;
+    expect(envProps.auto_stop_in).toBe("2 days");
+  });
+
+  test("default stage is deploy for both jobs", () => {
+    const instance = ReviewApp(baseProps);
+    const deployProps = (instance.deploy as any).props;
+    const stopProps = (instance.stop as any).props;
+    expect(deployProps.stage).toBe("deploy");
+    expect(stopProps.stage).toBe("deploy");
+  });
+
+  test("stop script as array", () => {
+    const instance = ReviewApp({
+      ...baseProps,
+      stopScript: ["helm uninstall app", "kubectl delete ns review"],
+    });
+    const props = (instance.stop as any).props;
+    expect(props.script).toEqual(["helm uninstall app", "kubectl delete ns review"]);
+  });
+
+  test("deploy environment url defaults to CI_ENVIRONMENT_SLUG pattern", () => {
+    const instance = ReviewApp(baseProps);
+    const props = (instance.deploy as any).props;
+    const envProps = (props.environment as any).props;
+    expect(envProps.url).toContain("$CI_ENVIRONMENT_SLUG");
+  });
 });

package/src/coverage.test.ts

@@ -1,20 +1,24 @@
 import { describe, test, expect } from "bun:test";
-import { computeCoverage, overallPct, formatSummary } from "./coverage";
-import { readFileSync } from "fs";
+import { existsSync, readFileSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 
 const basePath = dirname(dirname(fileURLToPath(import.meta.url)));
-const lexiconJSON = readFileSync(join(basePath, "src", "generated", "lexicon-gitlab.json"), "utf-8");
+const lexiconPath = join(basePath, "src", "generated", "lexicon-gitlab.json");
+const hasGenerated = existsSync(lexiconPath);
 
 describe("coverage analysis", () => {
-  test("computes coverage for GitLab lexicon", () => {
+  test.skipIf(!hasGenerated)("computes coverage for GitLab lexicon", async () => {
+    const { computeCoverage } = await import("./coverage");
+    const lexiconJSON = readFileSync(lexiconPath, "utf-8");
     const report = computeCoverage(lexiconJSON);
     expect(report.resourceCount).toBe(3); // Job, Default, Workflow
     expect(report.resources).toHaveLength(3);
   });
 
-  test("reports resource names correctly", () => {
+  test.skipIf(!hasGenerated)("reports resource names correctly", async () => {
+    const { computeCoverage } = await import("./coverage");
+    const lexiconJSON = readFileSync(lexiconPath, "utf-8");
     const report = computeCoverage(lexiconJSON);
     const names = report.resources.map((r) => r.name);
     expect(names).toContain("Job");
@@ -22,7 +26,9 @@ describe("coverage analysis", () => {
     expect(names).toContain("Workflow");
   });
 
-  test("overallPct returns a number", () => {
+  test.skipIf(!hasGenerated)("overallPct returns a number", async () => {
+    const { computeCoverage, overallPct } = await import("./coverage");
+    const lexiconJSON = readFileSync(lexiconPath, "utf-8");
     const report = computeCoverage(lexiconJSON);
     const pct = overallPct(report);
     expect(typeof pct).toBe("number");
@@ -30,7 +36,9 @@ describe("coverage analysis", () => {
     expect(pct).toBeLessThanOrEqual(100);
   });
 
-  test("formatSummary returns readable string", () => {
+  test.skipIf(!hasGenerated)("formatSummary returns readable string", async () => {
+    const { computeCoverage, formatSummary } = await import("./coverage");
+    const lexiconJSON = readFileSync(lexiconPath, "utf-8");
     const report = computeCoverage(lexiconJSON);
     const summary = formatSummary(report);
     expect(summary).toContain("Coverage Report");

package/src/import/roundtrip.test.ts

@@ -1,11 +1,22 @@
 import { describe, test, expect } from "bun:test";
+import { readFileSync, readdirSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 import { GitLabParser } from "./parser";
 import { GitLabGenerator } from "./generator";
 
 const parser = new GitLabParser();
 const generator = new GitLabGenerator();
 
+const pipelinesDir = join(
+  dirname(dirname(fileURLToPath(import.meta.url))),
+  "testdata",
+  "pipelines",
+);
+
 describe("roundtrip: parse → generate", () => {
+  // ---- inline tests (existing smoke tests) ----
+
   test("simple pipeline roundtrip", () => {
     const yaml = `
 stages:
@@ -86,4 +97,125 @@ test-job:
     expect(content).toContain("new Workflow(");
     expect(content).toContain("new Job(");
   });
+
+  // ---- fixture-based tests ----
+
+  test("simple.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "simple.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    expect(files).toHaveLength(1);
+    const content = files[0].content;
+
+    expect(ir.resources).toHaveLength(1);
+    expect(content).toContain("new Job(");
+    expect(content).toContain("npm ci");
+    expect(content).toContain("npm test");
+    expect(content).toContain("node:22-alpine");
+  });
+
+  test("multi-stage.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "multi-stage.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    const content = files[0].content;
+
+    // 4 jobs: build-app, lint, unit-tests, deploy-staging
+    expect(ir.resources).toHaveLength(4);
+    expect(content).toContain("buildApp");
+    expect(content).toContain("lint");
+    expect(content).toContain("unitTests");
+    expect(content).toContain("deployStaging");
+    expect(content).toContain("Pipeline stages: build, test, deploy");
+    // Artifacts and cache references
+    expect(content).toContain("dist/");
+    expect(content).toContain("package-lock.json");
+  });
+
+  test("docker-build.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "docker-build.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    const content = files[0].content;
+
+    expect(ir.resources).toHaveLength(2);
+    expect(content).toContain("buildImage");
+    expect(content).toContain("pushLatest");
+    expect(content).toContain("docker:27-cli");
+    expect(content).toContain("docker:27-dind");
+    expect(content).toContain("docker build");
+    expect(content).toContain("docker push");
+  });
+
+  test("deploy-envs.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "deploy-envs.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    const content = files[0].content;
+
+    // 5 jobs: build, deploy-review, stop-review, deploy-staging, deploy-production
+    expect(ir.resources).toHaveLength(5);
+    expect(content).toContain("deployReview");
+    expect(content).toContain("stopReview");
+    expect(content).toContain("deployStaging");
+    expect(content).toContain("deployProduction");
+    // Environment constructs
+    expect(content).toContain("review/$CI_COMMIT_REF_SLUG");
+    expect(content).toContain("staging");
+    expect(content).toContain("production");
+  });
+
+  test("includes-templates.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "includes-templates.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    const content = files[0].content;
+
+    // default + build + unit-test + integration-test + deploy
+    expect(ir.resources.length).toBeGreaterThanOrEqual(3);
+    expect(content).toContain("new Default(");
+    // Include references should be captured as comments
+    expect(content).toContain("Auto-DevOps.gitlab-ci.yml");
+    expect(content).toContain("interruptible");
+  });
+
+  test("monorepo.gitlab-ci.yml fixture roundtrip", () => {
+    const yaml = readFileSync(join(pipelinesDir, "monorepo.gitlab-ci.yml"), "utf-8");
+    const ir = parser.parse(yaml);
+    const files = generator.generate(ir);
+
+    const content = files[0].content;
+
+    // frontend, backend, e2e-matrix, deploy-all
+    expect(ir.resources).toHaveLength(4);
+    expect(content).toContain("frontend");
+    expect(content).toContain("backend");
+    expect(content).toContain("e2eMatrix");
+    expect(content).toContain("deployAll");
+    // Monorepo-specific constructs
+    expect(content).toContain("cypress");
+  });
+
+  // ---- fixture directory sweep ----
+
+  test("all pipeline fixtures parse and generate without error", () => {
+    const fixtures = readdirSync(pipelinesDir).filter((f) => f.endsWith(".yml"));
+    expect(fixtures.length).toBeGreaterThanOrEqual(6);
+
+    for (const fixture of fixtures) {
+      const yaml = readFileSync(join(pipelinesDir, fixture), "utf-8");
+      const ir = parser.parse(yaml);
+      expect(ir.resources.length).toBeGreaterThan(0);
+
+      const files = generator.generate(ir);
+      expect(files.length).toBeGreaterThan(0);
+      expect(files[0].content).toContain("import");
+      expect(files[0].content).toContain("export const");
+    }
+  });
 });

package/src/lint/post-synth/wgl016.test.ts

@@ -0,0 +1,72 @@
+import { describe, test, expect } from "bun:test";
+import { wgl016, checkSecretsInVariables } from "./wgl016";
+
+describe("WGL016: Secrets in Variables", () => {
+  test("check metadata", () => {
+    expect(wgl016.id).toBe("WGL016");
+    expect(wgl016.description).toContain("Secrets");
+  });
+
+  test("flags hardcoded password variable", () => {
+    const yaml = `variables:
+  DB_PASSWORD: my-secret-pass123
+  DB_HOST: postgres
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WGL016");
+    expect(diags[0].severity).toBe("error");
+    expect(diags[0].message).toContain("DB_PASSWORD");
+  });
+
+  test("flags hardcoded token variable", () => {
+    const yaml = `variables:
+  API_TOKEN: abc123xyz
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("API_TOKEN");
+  });
+
+  test("flags hardcoded secret variable", () => {
+    const yaml = `variables:
+  APP_SECRET: supersecretvalue
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("APP_SECRET");
+  });
+
+  test("does not flag variable references", () => {
+    const yaml = `variables:
+  DB_PASSWORD: $CI_DB_PASSWORD
+  API_TOKEN: \${SECRET_TOKEN}
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag non-secret variables", () => {
+    const yaml = `variables:
+  NODE_ENV: production
+  DB_HOST: postgres
+  STAGE: deploy
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags multiple secret variables", () => {
+    const yaml = `variables:
+  DB_PASSWORD: pass123
+  API_SECRET: secret456
+`;
+    const diags = checkSecretsInVariables(yaml);
+    expect(diags).toHaveLength(2);
+  });
+
+  test("no diagnostics on empty yaml", () => {
+    const diags = checkSecretsInVariables("");
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl016.ts

@@ -0,0 +1,82 @@
+/**
+ * WGL016: Secrets in Variables
+ *
+ * Detects hardcoded passwords, tokens, or secrets in `variables:` blocks.
+ * These should use CI/CD masked variables instead.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput } from "./yaml-helpers";
+
+const SECRET_PATTERNS = [
+  /password\s*[:=]\s*['"]?[^\s'"]+/i,
+  /secret\s*[:=]\s*['"]?[^\s'"]+/i,
+  /token\s*[:=]\s*['"]?[^\s'"]+/i,
+  /api[_-]?key\s*[:=]\s*['"]?[^\s'"]+/i,
+  /private[_-]?key\s*[:=]\s*['"]?[^\s'"]+/i,
+];
+
+/** Variable name patterns that indicate credentials. */
+const SECRET_VAR_NAMES = [
+  /password/i,
+  /secret/i,
+  /token/i,
+  /api[_-]?key/i,
+  /private[_-]?key/i,
+  /credentials?/i,
+];
+
+/** Values that are clearly references (not hardcoded secrets). */
+function isReference(value: string): boolean {
+  return value.startsWith("$") || value.startsWith("${");
+}
+
+export function checkSecretsInVariables(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  // Extract variables blocks (global and per-job)
+  const varBlocks = yaml.matchAll(/^(\s*)variables:\n((?:\1\s+.+\n?)+)/gm);
+
+  for (const block of varBlocks) {
+    const lines = block[2].split("\n");
+    for (const line of lines) {
+      const kv = line.match(/^\s+(\w+):\s+(.+)$/);
+      if (!kv) continue;
+
+      const [, varName, rawValue] = kv;
+      const value = rawValue.trim().replace(/^['"]|['"]$/g, "");
+
+      if (isReference(value)) continue;
+
+      // Check if variable name suggests a secret
+      for (const pattern of SECRET_VAR_NAMES) {
+        if (pattern.test(varName)) {
+          diagnostics.push({
+            checkId: "WGL016",
+            severity: "error",
+            message: `Variable "${varName}" appears to contain a hardcoded secret — use a CI/CD masked variable instead`,
+            entity: varName,
+            lexicon: "gitlab",
+          });
+          break;
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl016: PostSynthCheck = {
+  id: "WGL016",
+  description: "Secrets in variables — hardcoded passwords or tokens in variables blocks",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkSecretsInVariables(yaml));
+    }
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/wgl017.test.ts

@@ -0,0 +1,53 @@
+import { describe, test, expect } from "bun:test";
+import { wgl017, checkInsecureRegistry } from "./wgl017";
+
+describe("WGL017: Insecure Registry", () => {
+  test("check metadata", () => {
+    expect(wgl017.id).toBe("WGL017");
+    expect(wgl017.description).toContain("Insecure");
+  });
+
+  test("flags docker push to HTTP registry", () => {
+    const yaml = `build-image:
+  script:
+    - docker push http://registry.local/myimage:latest
+`;
+    const diags = checkInsecureRegistry(yaml);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("build-image");
+    expect(diags[0].message).toContain("insecure");
+  });
+
+  test("flags docker pull from HTTP registry", () => {
+    const yaml = `test-job:
+  script:
+    - docker pull http://insecure-registry.com/myimage
+`;
+    const diags = checkInsecureRegistry(yaml);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("does not flag HTTPS registry", () => {
+    const yaml = `build-image:
+  script:
+    - docker push https://registry.gitlab.com/myimage:latest
+`;
+    const diags = checkInsecureRegistry(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag registry without protocol", () => {
+    const yaml = `build-image:
+  script:
+    - docker push $CI_REGISTRY_IMAGE:latest
+`;
+    const diags = checkInsecureRegistry(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty yaml", () => {
+    const diags = checkInsecureRegistry("");
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl017.ts

@@ -0,0 +1,54 @@
+/**
+ * WGL017: Insecure Registry
+ *
+ * Detects Docker push/pull to non-HTTPS registries in job scripts.
+ * Using HTTP for container registries is a security risk.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs } from "./yaml-helpers";
+
+const INSECURE_REGISTRY_PATTERN = /docker\s+(push|pull|tag|login)\s+.*http:\/\/[^\s]+/;
+
+export function checkInsecureRegistry(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  const sections = yaml.split("\n\n");
+  for (const section of sections) {
+    const lines = section.split("\n");
+    if (lines.length === 0) continue;
+
+    const topMatch = lines[0].match(/^(\.?[a-z][a-z0-9_.-]*):/);
+    if (!topMatch) continue;
+    const jobName = topMatch[1];
+
+    for (const line of lines) {
+      if (INSECURE_REGISTRY_PATTERN.test(line)) {
+        diagnostics.push({
+          checkId: "WGL017",
+          severity: "warning",
+          message: `Job "${jobName}" uses an insecure (HTTP) container registry — use HTTPS instead`,
+          entity: jobName,
+          lexicon: "gitlab",
+        });
+        break;
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl017: PostSynthCheck = {
+  id: "WGL017",
+  description: "Insecure registry — Docker push/pull to non-HTTPS registry",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkInsecureRegistry(yaml));
+    }
+    return diagnostics;
+  },
+};