@intentius/chant-lexicon-gitlab 0.0.16 → 0.0.22

package/src/lint/post-synth/wgl028.test.ts

@@ -0,0 +1,95 @@
+import { describe, test, expect } from "bun:test";
+import { wgl028, checkRedundantNeeds } from "./wgl028";
+
+describe("WGL028: Redundant Needs", () => {
+  test("check metadata", () => {
+    expect(wgl028.id).toBe("WGL028");
+    expect(wgl028.description).toContain("Redundant");
+  });
+
+  test("flags needs pointing to earlier stage job", () => {
+    const yaml = `stages:
+  - build
+  - test
+  - deploy
+
+build-app:
+  stage: build
+  script:
+    - npm build
+
+deploy-app:
+  stage: deploy
+  needs:
+    - build-app
+  script:
+    - deploy.sh
+`;
+    const diags = checkRedundantNeeds(yaml);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].severity).toBe("info");
+    expect(diags[0].message).toContain("deploy-app");
+    expect(diags[0].message).toContain("build-app");
+    expect(diags[0].message).toContain("earlier stage");
+  });
+
+  test("does not flag needs within same stage", () => {
+    const yaml = `stages:
+  - build
+  - test
+
+test-a:
+  stage: test
+  script:
+    - test-a
+
+test-b:
+  stage: test
+  needs:
+    - test-a
+  script:
+    - test-b
+`;
+    const diags = checkRedundantNeeds(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag when no stages defined", () => {
+    const yaml = `build-app:
+  script:
+    - npm build
+
+deploy-app:
+  needs:
+    - build-app
+  script:
+    - deploy.sh
+`;
+    const diags = checkRedundantNeeds(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("does not flag when no needs defined", () => {
+    const yaml = `stages:
+  - build
+  - test
+
+build-app:
+  stage: build
+  script:
+    - npm build
+
+test-app:
+  stage: test
+  script:
+    - npm test
+`;
+    const diags = checkRedundantNeeds(yaml);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostics on empty yaml", () => {
+    const diags = checkRedundantNeeds("");
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/wgl028.ts

@@ -0,0 +1,67 @@
+/**
+ * WGL028: Redundant Needs
+ *
+ * Detects `needs:` entries that list jobs already implied by stage ordering.
+ * While not incorrect, redundant needs add noise and make the pipeline
+ * harder to maintain. This is informational only.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractStages, extractJobs } from "./yaml-helpers";
+
+export function checkRedundantNeeds(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  const stages = extractStages(yaml);
+  if (stages.length === 0) return diagnostics;
+
+  const stageIndex = new Map<string, number>();
+  for (let i = 0; i < stages.length; i++) {
+    stageIndex.set(stages[i], i);
+  }
+
+  const jobs = extractJobs(yaml);
+
+  for (const [jobName, job] of jobs) {
+    if (!job.needs || !job.stage) continue;
+
+    const jobStageIdx = stageIndex.get(job.stage);
+    if (jobStageIdx === undefined) continue;
+
+    for (const need of job.needs) {
+      const neededJob = jobs.get(need);
+      if (!neededJob?.stage) continue;
+
+      const needStageIdx = stageIndex.get(neededJob.stage);
+      if (needStageIdx === undefined) continue;
+
+      // If the needed job is in an earlier stage, it's already implied
+      // by GitLab's default stage-based ordering
+      if (needStageIdx < jobStageIdx) {
+        diagnostics.push({
+          checkId: "WGL028",
+          severity: "info",
+          message: `Job "${jobName}" lists "${need}" in needs: but it's already in an earlier stage (${neededJob.stage} → ${job.stage})`,
+          entity: jobName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl028: PostSynthCheck = {
+  id: "WGL028",
+  description: "Redundant needs — needs listing jobs already implied by stage ordering",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkRedundantNeeds(yaml));
+    }
+    return diagnostics;
+  },
+};

package/src/lint/post-synth/yaml-helpers.ts

@@ -141,3 +141,85 @@ export function extractJobs(yaml: string): Map<string, ParsedJob> {
 export function hasInclude(yaml: string): boolean {
   return /^include:/m.test(yaml);
 }
+
+/**
+ * Extract global variables from serialized YAML.
+ */
+export function extractGlobalVariables(yaml: string): Map<string, string> {
+  const vars = new Map<string, string>();
+  const match = yaml.match(/^variables:\n((?:\s+.+\n?)+)/m);
+  if (!match) return vars;
+
+  for (const line of match[1].split("\n")) {
+    const kv = line.match(/^\s+(\w+):\s+(.+)$/);
+    if (kv) {
+      vars.set(kv[1], kv[2].trim().replace(/^['"]|['"]$/g, ""));
+    }
+  }
+  return vars;
+}
+
+/**
+ * Extract the full section text for a given job name.
+ */
+export function extractJobSection(yaml: string, jobName: string): string | null {
+  const sections = yaml.split("\n\n");
+  for (const section of sections) {
+    const lines = section.split("\n");
+    if (lines.length > 0 && lines[0].startsWith(`${jobName}:`)) {
+      return section;
+    }
+  }
+  return null;
+}
+
+/**
+ * Extract rules from a job section.
+ */
+export function extractJobRules(section: string): ParsedRule[] {
+  const rules: ParsedRule[] = [];
+  const lines = section.split("\n");
+
+  let inRules = false;
+  let currentRule: ParsedRule = {};
+
+  for (const line of lines) {
+    if (line.match(/^\s+rules:$/)) {
+      inRules = true;
+      continue;
+    }
+
+    if (inRules) {
+      const ruleStart = line.match(/^\s+- (if|when|changes):\s*(.*)$/);
+      if (ruleStart) {
+        if (Object.keys(currentRule).length > 0) {
+          rules.push(currentRule);
+        }
+        currentRule = {};
+        if (ruleStart[1] === "if") currentRule.if = ruleStart[2].trim();
+        if (ruleStart[1] === "when") currentRule.when = ruleStart[2].trim();
+        continue;
+      }
+
+      const whenMatch = line.match(/^\s+when:\s+(.+)$/);
+      if (whenMatch) {
+        currentRule.when = whenMatch[1].trim();
+        continue;
+      }
+
+      // End of rules block
+      if (!line.match(/^\s+\s/) || line.match(/^\s+[a-z_]+:/) && !line.match(/^\s+when:/)) {
+        if (Object.keys(currentRule).length > 0) {
+          rules.push(currentRule);
+        }
+        inRules = false;
+      }
+    }
+  }
+
+  if (inRules && Object.keys(currentRule).length > 0) {
+    rules.push(currentRule);
+  }
+
+  return rules;
+}

package/src/lsp/completions.test.ts

@@ -1,7 +1,12 @@
 import { describe, test, expect } from "bun:test";
-import { gitlabCompletions } from "./completions";
+import { existsSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 import type { CompletionContext } from "@intentius/chant/lsp/types";
 
+const generatedDir = join(dirname(dirname(fileURLToPath(import.meta.url))), "generated");
+const hasGenerated = existsSync(join(generatedDir, "lexicon-gitlab.json"));
+
 function makeCtx(overrides: Partial<CompletionContext>): CompletionContext {
   return {
     uri: "file:///test.ts",
@@ -14,7 +19,8 @@ function makeCtx(overrides: Partial<CompletionContext>): CompletionContext {
 }
 
 describe("gitlabCompletions", () => {
-  test("returns resource completions for 'new ' prefix", () => {
+  test.skipIf(!hasGenerated)("returns resource completions for 'new ' prefix", async () => {
+    const { gitlabCompletions } = await import("./completions");
     const ctx = makeCtx({
       linePrefix: "const j = new Job",
       wordAtCursor: "Job",
@@ -29,7 +35,8 @@ describe("gitlabCompletions", () => {
     expect(job!.kind).toBe("resource");
   });
 
-  test("returns all resource completions when no filter", () => {
+  test.skipIf(!hasGenerated)("returns all resource completions when no filter", async () => {
+    const { gitlabCompletions } = await import("./completions");
     const ctx = makeCtx({
       linePrefix: "const x = new ",
       wordAtCursor: "",
@@ -44,7 +51,8 @@ describe("gitlabCompletions", () => {
     expect(labels).toContain("Workflow");
   });
 
-  test("filters completions by prefix", () => {
+  test.skipIf(!hasGenerated)("filters completions by prefix", async () => {
+    const { gitlabCompletions } = await import("./completions");
     const ctx = makeCtx({
       linePrefix: "const x = new D",
       wordAtCursor: "D",
@@ -58,7 +66,8 @@ describe("gitlabCompletions", () => {
     expect(labels).not.toContain("Job");
   });
 
-  test("returns empty for non-constructor context", () => {
+  test.skipIf(!hasGenerated)("returns empty for non-constructor context", async () => {
+    const { gitlabCompletions } = await import("./completions");
     const ctx = makeCtx({
       linePrefix: "const x = foo(",
       wordAtCursor: "",
@@ -70,7 +79,8 @@ describe("gitlabCompletions", () => {
     expect(items).toHaveLength(0);
   });
 
-  test("completion items have detail with resource type", () => {
+  test.skipIf(!hasGenerated)("completion items have detail with resource type", async () => {
+    const { gitlabCompletions } = await import("./completions");
     const ctx = makeCtx({
       linePrefix: "const j = new Job",
       wordAtCursor: "Job",

package/src/lsp/hover.test.ts

@@ -1,7 +1,12 @@
 import { describe, test, expect } from "bun:test";
-import { gitlabHover } from "./hover";
+import { existsSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 import type { HoverContext } from "@intentius/chant/lsp/types";
 
+const generatedDir = join(dirname(dirname(fileURLToPath(import.meta.url))), "generated");
+const hasGenerated = existsSync(join(generatedDir, "lexicon-gitlab.json"));
+
 function makeCtx(overrides: Partial<HoverContext>): HoverContext {
   return {
     uri: "file:///test.ts",
@@ -14,7 +19,8 @@ function makeCtx(overrides: Partial<HoverContext>): HoverContext {
 }
 
 describe("gitlabHover", () => {
-  test("returns hover for Job class", () => {
+  test.skipIf(!hasGenerated)("returns hover for Job class", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "Job" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeDefined();
@@ -23,7 +29,8 @@ describe("gitlabHover", () => {
     expect(hover!.contents).toContain("Resource entity");
   });
 
-  test("returns hover for property entity", () => {
+  test.skipIf(!hasGenerated)("returns hover for property entity", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "Cache" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeDefined();
@@ -32,27 +39,31 @@ describe("gitlabHover", () => {
     expect(hover!.contents).toContain("Property entity");
   });
 
-  test("returns hover for Default", () => {
+  test.skipIf(!hasGenerated)("returns hover for Default", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "Default" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeDefined();
     expect(hover!.contents).toContain("GitLab::CI::Default");
   });
 
-  test("returns hover for Artifacts", () => {
+  test.skipIf(!hasGenerated)("returns hover for Artifacts", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "Artifacts" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeDefined();
     expect(hover!.contents).toContain("GitLab::CI::Artifacts");
   });
 
-  test("returns undefined for unknown word", () => {
+  test.skipIf(!hasGenerated)("returns undefined for unknown word", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "UnknownEntity" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeUndefined();
   });
 
-  test("returns undefined for empty word", () => {
+  test.skipIf(!hasGenerated)("returns undefined for empty word", async () => {
+    const { gitlabHover } = await import("./hover");
     const ctx = makeCtx({ word: "" });
     const hover = gitlabHover(ctx);
     expect(hover).toBeUndefined();

package/src/plugin.test.ts

@@ -83,7 +83,7 @@ describe("gitlabPlugin", () => {
 
   test("returns post-synth checks", () => {
     const checks = gitlabPlugin.postSynthChecks!();
-    expect(checks).toHaveLength(6);
+    expect(checks).toHaveLength(19);
     const ids = checks.map((c) => c.id);
     expect(ids).toContain("WGL010");
     expect(ids).toContain("WGL011");
@@ -91,6 +91,19 @@ describe("gitlabPlugin", () => {
     expect(ids).toContain("WGL013");
     expect(ids).toContain("WGL014");
     expect(ids).toContain("WGL015");
+    expect(ids).toContain("WGL016");
+    expect(ids).toContain("WGL017");
+    expect(ids).toContain("WGL018");
+    expect(ids).toContain("WGL019");
+    expect(ids).toContain("WGL020");
+    expect(ids).toContain("WGL021");
+    expect(ids).toContain("WGL022");
+    expect(ids).toContain("WGL023");
+    expect(ids).toContain("WGL024");
+    expect(ids).toContain("WGL025");
+    expect(ids).toContain("WGL026");
+    expect(ids).toContain("WGL027");
+    expect(ids).toContain("WGL028");
   });
 
   // -----------------------------------------------------------------------

package/src/plugin.ts

@@ -31,7 +31,24 @@ export const gitlabPlugin: LexiconPlugin = {
     const { wgl013 } = require("./lint/post-synth/wgl013");
     const { wgl014 } = require("./lint/post-synth/wgl014");
     const { wgl015 } = require("./lint/post-synth/wgl015");
-    return [wgl010, wgl011, wgl012, wgl013, wgl014, wgl015];
+    const { wgl016 } = require("./lint/post-synth/wgl016");
+    const { wgl017 } = require("./lint/post-synth/wgl017");
+    const { wgl018 } = require("./lint/post-synth/wgl018");
+    const { wgl019 } = require("./lint/post-synth/wgl019");
+    const { wgl020 } = require("./lint/post-synth/wgl020");
+    const { wgl021 } = require("./lint/post-synth/wgl021");
+    const { wgl022 } = require("./lint/post-synth/wgl022");
+    const { wgl023 } = require("./lint/post-synth/wgl023");
+    const { wgl024 } = require("./lint/post-synth/wgl024");
+    const { wgl025 } = require("./lint/post-synth/wgl025");
+    const { wgl026 } = require("./lint/post-synth/wgl026");
+    const { wgl027 } = require("./lint/post-synth/wgl027");
+    const { wgl028 } = require("./lint/post-synth/wgl028");
+    return [
+      wgl010, wgl011, wgl012, wgl013, wgl014, wgl015,
+      wgl016, wgl017, wgl018, wgl019, wgl020, wgl021,
+      wgl022, wgl023, wgl024, wgl025, wgl026, wgl027, wgl028,
+    ];
   },
 
   intrinsics(): IntrinsicDef[] {
@@ -356,7 +373,7 @@ user-invocable: true
 
 ## How chant and GitLab CI relate
 
-chant is a **synthesis-only** tool — it compiles TypeScript source files into \`.gitlab-ci.yml\` (YAML). chant does NOT call GitLab APIs. Your job as an agent is to bridge the two:
+chant is a **synthesis compiler** — it compiles TypeScript source files into \`.gitlab-ci.yml\` (YAML). \`chant build\` does not call GitLab APIs; synthesis is pure and deterministic. Your job as an agent is to bridge synthesis and deployment:
 
 - Use **chant** for: build, lint, diff (local YAML comparison)
 - Use **git + GitLab API** for: push, merge requests, pipeline monitoring, job logs, rollback, and all deployment operations
@@ -495,7 +512,7 @@ Add \`"dry_run": true, "include_merged_yaml": true\` for full expansion with inc
 | Step | Catches | When to run |
 |------|---------|-------------|
 | \`chant lint\` | Deprecated only/except (WGL001), missing script (WGL002), missing stage (WGL003), artifacts without expiry (WGL004) | Every edit |
-| \`chant build\` | Post-synth checks: undefined stages (WGL010), unreachable jobs (WGL011), deprecated properties (WGL012), invalid needs targets (WGL013), invalid extends targets (WGL014), circular needs chains (WGL015) | Before push |
+| \`chant build\` | Post-synth checks: undefined stages (WGL010), unreachable jobs (WGL011), deprecated properties (WGL012), invalid needs/extends targets (WGL013-014), circular needs (WGL015), secrets in variables (WGL016), insecure registry (WGL017), missing timeout/retry (WGL018-019), duplicate jobs (WGL020), unused variables (WGL021), missing artifacts expiry (WGL022), overly broad rules (WGL023), manual without allow_failure (WGL024), missing cache key (WGL025), DinD without TLS (WGL026), empty script (WGL027), redundant needs (WGL028) | Before push |
 | CI Lint API | GitLab-specific validation: include resolution, variable expansion, YAML schema errors | Before merge to default branch |
 
 Always run all three before deploying. Lint catches things the API cannot (and vice versa).

package/src/testdata/pipelines/deploy-envs.gitlab-ci.yml

@@ -0,0 +1,60 @@
+stages:
+  - build
+  - deploy
+  - cleanup
+
+build:
+  stage: build
+  script:
+    - npm ci
+    - npm run build
+  artifacts:
+    paths:
+      - dist/
+
+deploy-review:
+  stage: deploy
+  script:
+    - deploy-review.sh
+  environment:
+    name: review/$CI_COMMIT_REF_SLUG
+    url: https://$CI_ENVIRONMENT_SLUG.review.example.com
+    on_stop: stop-review
+    auto_stop_in: 1 week
+  resource_group: review/$CI_COMMIT_REF_SLUG
+  rules:
+    - if: $CI_MERGE_REQUEST_IID
+
+stop-review:
+  stage: cleanup
+  script:
+    - teardown-review.sh
+  environment:
+    name: review/$CI_COMMIT_REF_SLUG
+    action: stop
+  rules:
+    - if: $CI_MERGE_REQUEST_IID
+      when: manual
+  needs:
+    - deploy-review
+
+deploy-staging:
+  stage: deploy
+  script:
+    - deploy.sh staging
+  environment:
+    name: staging
+    url: https://staging.example.com
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+deploy-production:
+  stage: deploy
+  script:
+    - deploy.sh production
+  environment:
+    name: production
+    url: https://example.com
+  rules:
+    - if: $CI_COMMIT_TAG
+      when: manual

package/src/testdata/pipelines/docker-build.gitlab-ci.yml

@@ -0,0 +1,41 @@
+stages:
+  - build
+  - push
+
+variables:
+  DOCKER_TLS_CERTDIR: "/certs"
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+
+build-image:
+  stage: build
+  image: docker:27-cli
+  services:
+    - name: docker:27-dind
+      alias: docker
+  variables:
+    DOCKER_HOST: tcp://docker:2376
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - docker build -t $IMAGE_TAG .
+    - docker push $IMAGE_TAG
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_IID
+
+push-latest:
+  stage: push
+  image: docker:27-cli
+  services:
+    - name: docker:27-dind
+      alias: docker
+  needs:
+    - build-image
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - docker pull $IMAGE_TAG
+    - docker tag $IMAGE_TAG $CI_REGISTRY_IMAGE:latest
+    - docker push $CI_REGISTRY_IMAGE:latest
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

package/src/testdata/pipelines/includes-templates.gitlab-ci.yml

@@ -0,0 +1,52 @@
+include:
+  - template: Auto-DevOps.gitlab-ci.yml
+  - project: my-group/ci-templates
+    ref: main
+    file: /templates/build.yml
+
+stages:
+  - build
+  - test
+  - deploy
+
+default:
+  image: node:22-alpine
+  interruptible: true
+  retry:
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+
+.test-template: &test-defaults
+  stage: test
+  before_script:
+    - npm ci
+
+build:
+  stage: build
+  extends: .build-template
+  script:
+    - npm ci
+    - npm run build
+
+unit-test:
+  <<: *test-defaults
+  script:
+    - npm test
+
+integration-test:
+  <<: *test-defaults
+  script:
+    - npm run test:integration
+  rules:
+    - if: $CI_MERGE_REQUEST_IID
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+deploy:
+  stage: deploy
+  extends: .deploy-template
+  script:
+    - deploy.sh
+  rules:
+    - if: $CI_COMMIT_TAG

package/src/testdata/pipelines/monorepo.gitlab-ci.yml

@@ -0,0 +1,51 @@
+stages:
+  - build
+  - test
+  - deploy
+
+variables:
+  GIT_DEPTH: 20
+
+frontend:
+  stage: build
+  trigger:
+    include: frontend/.gitlab-ci.yml
+    strategy: depend
+  rules:
+    - changes:
+        - frontend/**/*
+
+backend:
+  stage: build
+  trigger:
+    include: backend/.gitlab-ci.yml
+    strategy: depend
+  rules:
+    - changes:
+        - backend/**/*
+
+e2e-matrix:
+  stage: test
+  image: cypress/included:13
+  needs:
+    - frontend
+    - backend
+  parallel:
+    matrix:
+      - BROWSER: [chrome, firefox]
+        VIEWPORT: [desktop, mobile]
+  script:
+    - cypress run --browser $BROWSER --config viewportPreset=$VIEWPORT
+  artifacts:
+    when: always
+    paths:
+      - cypress/screenshots/
+      - cypress/videos/
+    expire_in: 3 days
+
+deploy-all:
+  stage: deploy
+  script:
+    - deploy.sh
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH