@intentius/chant-lexicon-helm 0.0.18 → 0.0.24

package/src/lint/post-synth/whm301.test.ts

@@ -0,0 +1,49 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm301 } from "./whm301";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM301: Helm tests", () => {
+  test("info when no tests defined for application chart", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\ntype: application\n",
+      "templates/deploy.yaml": "kind: Deployment\n",
+    });
+    const diags = whm301.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM301");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("passes when test exists", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\ntype: application\n",
+      "templates/tests/test-connection.yaml": "helm.sh/hook: test\n",
+    });
+    expect(whm301.check(ctx)).toHaveLength(0);
+  });
+
+  test("skips library charts", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\ntype: library\n",
+    });
+    expect(whm301.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm302.test.ts

@@ -0,0 +1,58 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm302 } from "./whm302";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM302: resource limits", () => {
+  test("info when containers lack resources", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n",
+    });
+    const diags = whm302.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM302");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("passes when resources are set", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources:\n        limits:\n          cpu: 100m\n",
+    });
+    expect(whm302.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when resources use values reference", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources: {{ toYaml .Values.resources }}\n",
+    });
+    expect(whm302.check(ctx)).toHaveLength(0);
+  });
+
+  test("skips test templates", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/tests/test.yaml": "containers:\n  - name: test\n",
+    });
+    expect(whm302.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm401.test.ts

@@ -0,0 +1,59 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm401 } from "./whm401";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM401: image tag", () => {
+  test("warns on :latest tag", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      image: nginx:latest\n",
+    });
+    const diags = whm401.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM401");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("warns on untagged image", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      image: nginx\n",
+    });
+    const diags = whm401.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("passes with pinned tag", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      image: nginx:1.25.0\n",
+    });
+    expect(whm401.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with .Values reference", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      image: {{ .Values.image.repository }}:{{ .Values.image.tag }}\n",
+    });
+    expect(whm401.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm402.test.ts

@@ -0,0 +1,58 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm402 } from "./whm402";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM402: runAsNonRoot", () => {
+  test("warns when containers lack runAsNonRoot", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n",
+    });
+    const diags = whm402.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM402");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("passes with runAsNonRoot: true", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n  securityContext:\n    runAsNonRoot: true\n",
+    });
+    expect(whm402.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with .Values.securityContext ref", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n  securityContext: {{ toYaml .Values.securityContext }}\n",
+    });
+    expect(whm402.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with .Values.podSecurityContext ref", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n  securityContext: {{ toYaml .Values.podSecurityContext }}\n",
+    });
+    expect(whm402.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm403.test.ts

@@ -0,0 +1,50 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm403 } from "./whm403";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM403: readOnlyRootFilesystem", () => {
+  test("info when containers lack readOnlyRootFilesystem", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n",
+    });
+    const diags = whm403.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM403");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("passes with readOnlyRootFilesystem: true", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n  securityContext:\n    readOnlyRootFilesystem: true\n",
+    });
+    expect(whm403.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with .Values.securityContext ref", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n  securityContext: {{ toYaml .Values.securityContext }}\n",
+    });
+    expect(whm403.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm404.test.ts

@@ -0,0 +1,50 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm404 } from "./whm404";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM404: privileged mode", () => {
+  test("error on privileged: true", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      securityContext:\n        privileged: true\n",
+    });
+    const diags = whm404.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM404");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("passes without privileged mode", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n",
+    });
+    expect(whm404.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with privileged: false", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      securityContext:\n        privileged: false\n",
+    });
+    expect(whm404.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm405.test.ts

@@ -0,0 +1,60 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm405 } from "./whm405";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM405: resource spec detail", () => {
+  test("warns when resources lack cpu", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources:\n        limits:\n          memory: 256Mi\n",
+    });
+    const diags = whm405.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM405");
+    expect(diags[0].message).toContain("cpu");
+  });
+
+  test("passes with both cpu and memory", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources:\n        limits:\n          cpu: 100m\n          memory: 256Mi\n",
+    });
+    expect(whm405.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when resources use .Values", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources: {{ toYaml .Values.resources }}\n",
+    });
+    expect(whm405.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns when resources lack memory", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\nspec:\n  containers:\n    - name: app\n      resources:\n        limits:\n          cpu: 100m\n",
+    });
+    const diags = whm405.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("memory");
+  });
+});

package/src/lint/post-synth/whm406.test.ts

@@ -0,0 +1,43 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm406 } from "./whm406";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM406: CRD lifecycle", () => {
+  test("info when crds/ directory exists", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "crds/my-crd.yaml": "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\n",
+    });
+    const diags = whm406.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM406");
+    expect(diags[0].severity).toBe("info");
+    expect(diags[0].message).toContain("CRD");
+  });
+
+  test("passes without crds/ directory", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "kind: Deployment\n",
+    });
+    expect(whm406.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm407.test.ts

@@ -0,0 +1,60 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm407 } from "./whm407";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM407: inline secrets", () => {
+  test("warns on Secret with inline data", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+    });
+    const diags = whm407.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM407");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("passes when ExternalSecret is used in chart", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+      "templates/external-secret.yaml": "apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when data uses template values", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: {{ .Values.secret.password }}\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when SealedSecret is present", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/secret.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: my-secret\ndata:\n  password: c2VjcmV0\n",
+      "templates/sealed.yaml": "kind: SealedSecret\n",
+    });
+    expect(whm407.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm501.test.ts

@@ -0,0 +1,70 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm501 } from "./whm501";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM501: unused values", () => {
+  test("info on values key not referenced in templates", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "replicaCount: 1\nunusedKey: hello\n",
+      "templates/deploy.yaml": "replicas: {{ .Values.replicaCount }}\n",
+    });
+    const diags = whm501.check(ctx);
+    expect(diags.some((d) => d.message.includes("unusedKey"))).toBe(true);
+    expect(diags[0].checkId).toBe("WHM501");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("passes when all values are referenced", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "replicaCount: 1\n",
+      "templates/deploy.yaml": "replicas: {{ .Values.replicaCount }}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("excludes nameOverride and fullnameOverride", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": 'nameOverride: ""\nfullnameOverride: ""\n',
+      "templates/deploy.yaml": "kind: Deployment\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("parent key is not unused when child is referenced", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "image:\n  repository: nginx\n  tag: latest\n",
+      "templates/deploy.yaml": "image: {{ .Values.image.repository }}:{{ .Values.image.tag }}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes with empty values", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "values.yaml": "{}\n",
+    });
+    expect(whm501.check(ctx)).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/whm502.test.ts

@@ -0,0 +1,72 @@
+import { describe, test, expect } from "bun:test";
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import type { SerializerResult } from "@intentius/chant/serializer";
+import { whm502 } from "./whm502";
+
+function makeCtx(files: Record<string, string>): PostSynthContext {
+  const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
+  const outputs = new Map<string, string | SerializerResult>();
+  outputs.set("helm", result);
+  return {
+    outputs,
+    entities: new Map(),
+    buildResult: {
+      outputs,
+      entities: new Map(),
+      warnings: [],
+      errors: [],
+      sourceFileCount: 1,
+    },
+  };
+}
+
+describe("WHM502: deprecated API versions", () => {
+  test("warns on extensions/v1beta1 Ingress", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/ingress.yaml": "apiVersion: extensions/v1beta1\nkind: Ingress\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM502");
+    expect(diags[0].severity).toBe("warning");
+    expect(diags[0].message).toContain("networking.k8s.io/v1");
+  });
+
+  test("warns on apps/v1beta2", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: apps/v1beta2\nkind: Deployment\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("apps/v1");
+  });
+
+  test("passes with current API versions", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
+      "templates/ingress.yaml": "apiVersion: networking.k8s.io/v1\nkind: Ingress\n",
+    });
+    expect(whm502.check(ctx)).toHaveLength(0);
+  });
+
+  test("skips template expression apiVersions", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deploy.yaml": "apiVersion: {{ .Capabilities.APIVersions }}\nkind: Deployment\n",
+    });
+    expect(whm502.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on batch/v1beta1 CronJob", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/cron.yaml": "apiVersion: batch/v1beta1\nkind: CronJob\n",
+    });
+    const diags = whm502.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("batch/v1");
+  });
+});