@intentius/chant-lexicon-helm 0.0.18 → 0.0.22

package/src/lint/post-synth/whm407.test.ts

@@ -0,0 +1,60 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm407 } from "./whm407";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM407: inline secrets", () => {
+  test("warns on Secret with inline data", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+    });
+    const diags = whm407.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM407");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("passes when ExternalSecret is used in chart", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+      "templates/external-secret.yaml": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when data uses template values", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: {{ .Values.secret.password }}\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when SealedSecret is present", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+      "templates/sealed.yaml": "kind: SealedSecret\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm501.test.ts

@@ -0,0 +1,70 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm501 } from "./whm501";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM501: unused values", () => {
+  test("info on values key not referenced in templates", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "replicaCount: 1\nunusedKey: hello\n",
+      "templates/deploy.yaml": "replicas: {{ .Values.replicaCount }}\n",
+    });
+    const diags = whm501.check(ctx);
+    expect(diags.some((d) => d.message.includes("unusedKey"))).toBe(true);
+    expect(diags[0].checkId).toBe("WHM501");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("passes when all values are referenced", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "replicaCount: 1\n",
+      "templates/deploy.yaml": "replicas: {{ .Values.replicaCount }}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("excludes nameOverride and fullnameOverride", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": 'nameOverride: ""\nfullnameOverride: ""\n',
+      "templates/deploy.yaml": "kind: Deployment\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("parent key is not unused when child is referenced", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "image:\n  repository: nginx\n  tag: latest\n",
+      "templates/deploy.yaml": "image: {{ .Values.image.repository }}:{{ .Values.image.tag }}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with empty values", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "{}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm502.test.ts

@@ -0,0 +1,72 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm502 } from "./whm502";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM502: deprecated API versions", () => {
+  test("warns on extensions/v1beta1 Ingress", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/ingress.yaml": "apiVersion: extensions/v1beta1\nkind: Ingress\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM502");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("networking.k8s.io/v1");
+  });
+
+  test("warns on apps/v1beta2", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: apps/v1beta2\nkind: Deployment\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("apps/v1");
+  });
+
+  test("passes with current API versions", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
+      "templates/ingress.yaml": "apiVersion: networking.k8s.io/v1\nkind: Ingress\n",
+    });
+    expect(whm502.check(ctx)).toHaveLength(0);
+  });
+
+  test("skips template expression apiVersions", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: {{ .Capabilities.APIVersions }}\nkind: Deployment\n",
+    });
+    expect(whm502.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on batch/v1beta1 CronJob", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/cron.yaml": "apiVersion: batch/v1beta1\nkind: CronJob\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("batch/v1");
+  });
+});

package/src/lint/rules/chart-metadata.test.ts

@@ -0,0 +1,45 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { chartMetadataRule } from "./chart-metadata";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM001: chartMetadataRule", () => {
+  test("passes when all required fields present", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", name: "my-app", version: "0.1.0" });`);
+    expect(chartMetadataRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("fails when name is missing", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", version: "0.1.0" });`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM001");
+    expect(diags[0].message).toContain("name");
+  });
+
+  test("fails when all fields are missing", () => {
+    const ctx = makeContext(`new Chart({});`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("name");
+    expect(diags[0].message).toContain("version");
+    expect(diags[0].message).toContain("apiVersion");
+  });
+
+  test("ignores non-Chart constructors", () => {
+    const ctx = makeContext(`new Deployment({ name: "test" });`);
+    expect(chartMetadataRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("fails when version is missing", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", name: "my-app" });`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("version");
+  });
+});

package/src/lint/rules/no-hardcoded-image.test.ts

@@ -0,0 +1,41 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { noHardcodedImageRule } from "./no-hardcoded-image";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM003: noHardcodedImageRule", () => {
+  test("warns on hardcoded image with tag", () => {
+    const ctx = makeContext(`new Deployment({ spec: { containers: [{ image: "nginx:1.19" }] } });`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM003");
+    expect(diags[0].message).toContain("nginx:1.19");
+  });
+
+  test("warns on registry/image:tag format", () => {
+    const ctx = makeContext(`({ image: "registry.io/app:latest" })`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("passes when image is not a string literal (intrinsic)", () => {
+    const ctx = makeContext(`({ image: printf("%s:%s", values.image.repo, values.image.tag) })`);
+    expect(noHardcodedImageRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes for image key without colon-tag pattern", () => {
+    const ctx = makeContext(`({ image: "just-a-name" })`);
+    expect(noHardcodedImageRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on multi-segment registry path", () => {
+    const ctx = makeContext(`({ image: "gcr.io/my-project/my-app:v1.0" })`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/rules/values-no-secrets.test.ts

@@ -0,0 +1,48 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { valuesNoSecretsRule } from "./values-no-secrets";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM002: valuesNoSecretsRule", () => {
+  test("passes with empty values", () => {
+    const ctx = makeContext(`new Values({});`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on hardcoded password", () => {
+    const ctx = makeContext(`new Values({ password: "hunter2" });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM002");
+    expect(diags[0].message).toContain("password");
+  });
+
+  test("warns on hardcoded secret in nested object", () => {
+    const ctx = makeContext(`new Values({ db: { secret: "s3cret" } });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("secret");
+  });
+
+  test("passes when secret value is empty", () => {
+    const ctx = makeContext(`new Values({ password: "" });`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes for non-sensitive keys", () => {
+    const ctx = makeContext(`new Values({ replicaCount: 3, name: "test" });`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on hardcoded token", () => {
+    const ctx = makeContext(`new Values({ token: "abc123" });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("token");
+  });
+});

package/src/plugin.ts

@@ -64,7 +64,212 @@ export const helmPlugin: LexiconPlugin = {
     return false;
   },
 
+  mcpTools() {
+    return [
+      {
+        name: "diff",
+        description: "Compare current Helm chart build output against previous output",
+        inputSchema: {
+          type: "object" as const,
+          properties: {
+            path: {
+              type: "string",
+              description: "Path to the infrastructure project directory",
+            },
+          },
+        },
+        async handler(params: Record<string, unknown>): Promise<unknown> {
+          const { diffCommand } = await import("@intentius/chant/cli/commands/diff");
+          const result = await diffCommand({
+            path: (params.path as string) ?? ".",
+            serializers: [helmSerializer],
+          });
+          return result;
+        },
+      },
+    ];
+  },
+
+  mcpResources() {
+    return [
+      {
+        uri: "resource-catalog",
+        name: "Helm Chart Resource Catalog",
+        description: "JSON list of all supported Helm chart resource types",
+        mimeType: "application/json",
+        async handler(): Promise<string> {
+          const { readFileSync } = await import("fs");
+          const { join, dirname } = await import("path");
+          const { fileURLToPath } = await import("url");
+          const pkgDir = dirname(dirname(fileURLToPath(import.meta.url)));
+          try {
+            const lexicon = JSON.parse(readFileSync(join(pkgDir, "dist", "meta.json"), "utf-8")) as Record<string, { resourceType: string; kind: string }>;
+            const entries = Object.entries(lexicon).map(([className, entry]) => ({
+              className,
+              resourceType: entry.resourceType,
+              kind: entry.kind,
+            }));
+            return JSON.stringify(entries);
+          } catch {
+            return JSON.stringify([{ className: "Chart", kind: "resource" }, { className: "Values", kind: "resource" }, { className: "HelmNotes", kind: "resource" }]);
+          }
+        },
+      },
+      {
+        uri: "examples/web-app",
+        name: "Web App Helm Chart Example",
+        description: "A basic web application Helm chart with Deployment, Service, and Ingress",
+        mimeType: "text/typescript",
+        async handler(): Promise<string> {
+          return `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";
+import { values, Release, include, toYaml, printf } from "@intentius/chant-lexicon-helm/intrinsics";
+import { Deployment, Service, Ingress } from "@intentius/chant-lexicon-k8s";
+
+export const chart = new Chart({
+  apiVersion: "v2",
+  name: "web-app",
+  version: "0.1.0",
+  appVersion: "1.0.0",
+  type: "application",
+  description: "A web application chart",
+});
+
+export const valuesSchema = new Values({
+  replicaCount: 2,
+  image: { repository: "nginx", tag: "latest", pullPolicy: "IfNotPresent" },
+  service: { type: "ClusterIP", port: 80 },
+  ingress: { enabled: false, host: "example.com" },
+});
+
+export const deployment = new Deployment({
+  metadata: { name: include("web-app.fullname"), labels: include("web-app.labels") },
+  spec: {
+    replicas: values.replicaCount,
+    selector: { matchLabels: include("web-app.selectorLabels") },
+    template: {
+      metadata: { labels: include("web-app.selectorLabels") },
+      spec: {
+        containers: [{
+          name: "web-app",
+          image: printf("%s:%s", values.image.repository, values.image.tag),
+          ports: [{ containerPort: values.service.port, name: "http" }],
+        }],
+      },
+    },
+  },
+});
+
+export const service = new Service({
+  metadata: { name: include("web-app.fullname"), labels: include("web-app.labels") },
+  spec: {
+    type: values.service.type,
+    ports: [{ port: values.service.port, targetPort: "http", protocol: "TCP", name: "http" }],
+    selector: include("web-app.selectorLabels"),
+  },
+});
+`;
+        },
+      },
+    ];
+  },
+
   initTemplates(_template?: string): InitTemplateSet {
+    if (_template === "stateful-service") {
+      return {
+        src: {
+          "chart.ts": `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";
+import { values, Release, include, toYaml, printf } from "@intentius/chant-lexicon-helm/intrinsics";
+import { StatefulSet, Service, PersistentVolumeClaim, ConfigMap } from "@intentius/chant-lexicon-k8s";
+
+export const chart = new Chart({
+  apiVersion: "v2",
+  name: "my-stateful-app",
+  version: "0.1.0",
+  appVersion: "1.0.0",
+  type: "application",
+  description: "A Helm chart for a stateful application",
+});
+
+export const valuesSchema = new Values({
+  replicaCount: 3,
+  image: {
+    repository: "postgres",
+    tag: "16",
+    pullPolicy: "IfNotPresent",
+  },
+  service: {
+    port: 5432,
+  },
+  storage: {
+    size: "10Gi",
+    storageClass: "",
+  },
+  config: {
+    maxConnections: "100",
+    sharedBuffers: "256MB",
+  },
+});
+
+export const configMap = new ConfigMap({
+  metadata: {
+    name: include("my-stateful-app.fullname"),
+    labels: include("my-stateful-app.labels"),
+  },
+  data: {
+    "max_connections": values.config.maxConnections,
+    "shared_buffers": values.config.sharedBuffers,
+  },
+});
+
+export const headlessService = new Service({
+  metadata: {
+    name: printf("%s-headless", include("my-stateful-app.fullname")),
+    labels: include("my-stateful-app.labels"),
+  },
+  spec: {
+    type: "ClusterIP",
+    clusterIP: "None",
+    ports: [{ port: values.service.port, targetPort: "db", protocol: "TCP", name: "db" }],
+    selector: include("my-stateful-app.selectorLabels"),
+  },
+});
+
+export const statefulSet = new StatefulSet({
+  metadata: {
+    name: include("my-stateful-app.fullname"),
+    labels: include("my-stateful-app.labels"),
+  },
+  spec: {
+    serviceName: printf("%s-headless", include("my-stateful-app.fullname")),
+    replicas: values.replicaCount,
+    selector: { matchLabels: include("my-stateful-app.selectorLabels") },
+    template: {
+      metadata: { labels: include("my-stateful-app.selectorLabels") },
+      spec: {
+        containers: [{
+          name: "db",
+          image: printf("%s:%s", values.image.repository, values.image.tag),
+          ports: [{ containerPort: values.service.port, name: "db" }],
+          volumeMounts: [{ name: "data", mountPath: "/var/lib/postgresql/data" }],
+        }],
+      },
+    },
+    volumeClaimTemplates: [
+      new PersistentVolumeClaim({
+        metadata: { name: "data" },
+        spec: {
+          accessModes: ["ReadWriteOnce"],
+          resources: { requests: { storage: values.storage.size } },
+        },
+      }),
+    ],
+  },
+});
+`,
+        },
+      };
+    }
+
     return {
       src: {
         "chart.ts": `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";

package/src/skills/create-chart.md

@@ -8,7 +8,7 @@ user-invocable: true
 
 ## How chant and Helm relate
 
-chant is a **synthesis-only** tool — it compiles TypeScript source files into a complete Helm chart directory (Chart.yaml, values.yaml, templates/, etc.). chant does NOT call Helm CLI. Your job as an agent is to bridge the two:
+chant is a **synthesis compiler** — it compiles TypeScript source files into a complete Helm chart directory (Chart.yaml, values.yaml, templates/, etc.). `chant build` does not call the Helm CLI; synthesis is pure and deterministic. Your job as an agent is to bridge synthesis and deployment:
 
 - Use **chant** for: build, lint, diff (local chart comparison)
 - Use **helm** for: install, upgrade, rollback, test, dependency update