@intentius/chant-lexicon-helm 0.0.18 → 0.0.24

package/src/lint/rules/chart-metadata.test.ts

@@ -0,0 +1,45 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { chartMetadataRule } from "./chart-metadata";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM001: chartMetadataRule", () => {
+  test("passes when all required fields present", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", name: "my-app", version: "0.1.0" });`);
+    expect(chartMetadataRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("fails when name is missing", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", version: "0.1.0" });`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM001");
+    expect(diags[0].message).toContain("name");
+  });
+
+  test("fails when all fields are missing", () => {
+    const ctx = makeContext(`new Chart({});`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("name");
+    expect(diags[0].message).toContain("version");
+    expect(diags[0].message).toContain("apiVersion");
+  });
+
+  test("ignores non-Chart constructors", () => {
+    const ctx = makeContext(`new Deployment({ name: "test" });`);
+    expect(chartMetadataRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("fails when version is missing", () => {
+    const ctx = makeContext(`new Chart({ apiVersion: "v2", name: "my-app" });`);
+    const diags = chartMetadataRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("version");
+  });
+});

package/src/lint/rules/no-hardcoded-image.test.ts

@@ -0,0 +1,41 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { noHardcodedImageRule } from "./no-hardcoded-image";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM003: noHardcodedImageRule", () => {
+  test("warns on hardcoded image with tag", () => {
+    const ctx = makeContext(`new Deployment({ spec: { containers: [{ image: "nginx:1.19" }] } });`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM003");
+    expect(diags[0].message).toContain("nginx:1.19");
+  });
+
+  test("warns on registry/image:tag format", () => {
+    const ctx = makeContext(`({ image: "registry.io/app:latest" })`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("passes when image is not a string literal (intrinsic)", () => {
+    const ctx = makeContext(`({ image: printf("%s:%s", values.image.repo, values.image.tag) })`);
+    expect(noHardcodedImageRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes for image key without colon-tag pattern", () => {
+    const ctx = makeContext(`({ image: "just-a-name" })`);
+    expect(noHardcodedImageRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on multi-segment registry path", () => {
+    const ctx = makeContext(`({ image: "gcr.io/my-project/my-app:v1.0" })`);
+    const diags = noHardcodedImageRule.check(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/rules/values-no-secrets.test.ts

@@ -0,0 +1,48 @@
+import { describe, test, expect } from "bun:test";
+import * as ts from "typescript";
+import type { LintContext } from "@intentius/chant/lint/rule";
+import { valuesNoSecretsRule } from "./values-no-secrets";
+
+function makeContext(code: string): LintContext {
+  const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
+  return { sourceFile, entities: [], filePath: "test.ts" };
+}
+
+describe("WHM002: valuesNoSecretsRule", () => {
+  test("passes with empty values", () => {
+    const ctx = makeContext(`new Values({});`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on hardcoded password", () => {
+    const ctx = makeContext(`new Values({ password: "hunter2" });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM002");
+    expect(diags[0].message).toContain("password");
+  });
+
+  test("warns on hardcoded secret in nested object", () => {
+    const ctx = makeContext(`new Values({ db: { secret: "s3cret" } });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("secret");
+  });
+
+  test("passes when secret value is empty", () => {
+    const ctx = makeContext(`new Values({ password: "" });`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes for non-sensitive keys", () => {
+    const ctx = makeContext(`new Values({ replicaCount: 3, name: "test" });`);
+    expect(valuesNoSecretsRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on hardcoded token", () => {
+    const ctx = makeContext(`new Values({ token: "abc123" });`);
+    const diags = valuesNoSecretsRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].message).toContain("token");
+  });
+});

package/src/plugin.test.ts

@@ -64,8 +64,8 @@ describe("helmPlugin", () => {
     expect(Array.isArray(skills)).toBe(true);
     expect(skills.length).toBeGreaterThanOrEqual(3);
     const names = skills.map((s) => s.name);
-    expect(names).toContain("chant-helm-create-chart");
-    expect(names).toContain("chant-helm-chart-patterns");
-    expect(names).toContain("chant-helm-chart-security-patterns");
+    expect(names).toContain("chant-helm");
+    expect(names).toContain("chant-helm-patterns");
+    expect(names).toContain("chant-helm-security");
   });
 });

package/src/plugin.ts

@@ -5,9 +5,9 @@
  * Helm-specific intrinsics, lint rules, and post-synth checks.
  */
 
-import type { LexiconPlugin, IntrinsicDef, InitTemplateSet, SkillDefinition } from "@intentius/chant/lexicon";
+import type { LexiconPlugin, IntrinsicDef, InitTemplateSet } from "@intentius/chant/lexicon";
 import { discoverLintRules, discoverPostSynthChecks } from "@intentius/chant/lint/discover";
-import { readFileSync, readdirSync } from "fs";
+import { createSkillsLoader, createDiffTool } from "@intentius/chant/lexicon-plugin-helpers";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 import { helmSerializer } from "./serializer";
@@ -64,7 +64,190 @@ export const helmPlugin: LexiconPlugin = {
     return false;
   },
 
+  mcpTools() {
+    return [createDiffTool(helmSerializer, "Compare current Helm chart build output against previous output")];
+  },
+
+  mcpResources() {
+    return [
+      {
+        uri: "resource-catalog",
+        name: "Helm Chart Resource Catalog",
+        description: "JSON list of all supported Helm chart resource types",
+        mimeType: "application/json",
+        async handler(): Promise<string> {
+          const { readFileSync } = await import("fs");
+          const { join, dirname } = await import("path");
+          const { fileURLToPath } = await import("url");
+          const pkgDir = dirname(dirname(fileURLToPath(import.meta.url)));
+          try {
+            const lexicon = JSON.parse(readFileSync(join(pkgDir, "dist", "meta.json"), "utf-8")) as Record<string, { resourceType: string; kind: string }>;
+            const entries = Object.entries(lexicon).map(([className, entry]) => ({
+              className,
+              resourceType: entry.resourceType,
+              kind: entry.kind,
+            }));
+            return JSON.stringify(entries);
+          } catch {
+            return JSON.stringify([{ className: "Chart", kind: "resource" }, { className: "Values", kind: "resource" }, { className: "HelmNotes", kind: "resource" }]);
+          }
+        },
+      },
+      {
+        uri: "examples/web-app",
+        name: "Web App Helm Chart Example",
+        description: "A basic web application Helm chart with Deployment, Service, and Ingress",
+        mimeType: "text/typescript",
+        async handler(): Promise<string> {
+          return `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";
+import { values, Release, include, toYaml, printf } from "@intentius/chant-lexicon-helm/intrinsics";
+import { Deployment, Service, Ingress } from "@intentius/chant-lexicon-k8s";
+
+export const chart = new Chart({
+  apiVersion: "v2",
+  name: "web-app",
+  version: "0.1.0",
+  appVersion: "1.0.0",
+  type: "application",
+  description: "A web application chart",
+});
+
+export const valuesSchema = new Values({
+  replicaCount: 2,
+  image: { repository: "nginx", tag: "latest", pullPolicy: "IfNotPresent" },
+  service: { type: "ClusterIP", port: 80 },
+  ingress: { enabled: false, host: "example.com" },
+});
+
+export const deployment = new Deployment({
+  metadata: { name: include("web-app.fullname"), labels: include("web-app.labels") },
+  spec: {
+    replicas: values.replicaCount,
+    selector: { matchLabels: include("web-app.selectorLabels") },
+    template: {
+      metadata: { labels: include("web-app.selectorLabels") },
+      spec: {
+        containers: [{
+          name: "web-app",
+          image: printf("%s:%s", values.image.repository, values.image.tag),
+          ports: [{ containerPort: values.service.port, name: "http" }],
+        }],
+      },
+    },
+  },
+});
+
+export const service = new Service({
+  metadata: { name: include("web-app.fullname"), labels: include("web-app.labels") },
+  spec: {
+    type: values.service.type,
+    ports: [{ port: values.service.port, targetPort: "http", protocol: "TCP", name: "http" }],
+    selector: include("web-app.selectorLabels"),
+  },
+});
+`;
+        },
+      },
+    ];
+  },
+
   initTemplates(_template?: string): InitTemplateSet {
+    if (_template === "stateful-service") {
+      return {
+        src: {
+          "chart.ts": `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";
+import { values, Release, include, toYaml, printf } from "@intentius/chant-lexicon-helm/intrinsics";
+import { StatefulSet, Service, PersistentVolumeClaim, ConfigMap } from "@intentius/chant-lexicon-k8s";
+
+export const chart = new Chart({
+  apiVersion: "v2",
+  name: "my-stateful-app",
+  version: "0.1.0",
+  appVersion: "1.0.0",
+  type: "application",
+  description: "A Helm chart for a stateful application",
+});
+
+export const valuesSchema = new Values({
+  replicaCount: 3,
+  image: {
+    repository: "postgres",
+    tag: "16",
+    pullPolicy: "IfNotPresent",
+  },
+  service: {
+    port: 5432,
+  },
+  storage: {
+    size: "10Gi",
+    storageClass: "",
+  },
+  config: {
+    maxConnections: "100",
+    sharedBuffers: "256MB",
+  },
+});
+
+export const configMap = new ConfigMap({
+  metadata: {
+    name: include("my-stateful-app.fullname"),
+    labels: include("my-stateful-app.labels"),
+  },
+  data: {
+    "max_connections": values.config.maxConnections,
+    "shared_buffers": values.config.sharedBuffers,
+  },
+});
+
+export const headlessService = new Service({
+  metadata: {
+    name: printf("%s-headless", include("my-stateful-app.fullname")),
+    labels: include("my-stateful-app.labels"),
+  },
+  spec: {
+    type: "ClusterIP",
+    clusterIP: "None",
+    ports: [{ port: values.service.port, targetPort: "db", protocol: "TCP", name: "db" }],
+    selector: include("my-stateful-app.selectorLabels"),
+  },
+});
+
+export const statefulSet = new StatefulSet({
+  metadata: {
+    name: include("my-stateful-app.fullname"),
+    labels: include("my-stateful-app.labels"),
+  },
+  spec: {
+    serviceName: printf("%s-headless", include("my-stateful-app.fullname")),
+    replicas: values.replicaCount,
+    selector: { matchLabels: include("my-stateful-app.selectorLabels") },
+    template: {
+      metadata: { labels: include("my-stateful-app.selectorLabels") },
+      spec: {
+        containers: [{
+          name: "db",
+          image: printf("%s:%s", values.image.repository, values.image.tag),
+          ports: [{ containerPort: values.service.port, name: "db" }],
+          volumeMounts: [{ name: "data", mountPath: "/var/lib/postgresql/data" }],
+        }],
+      },
+    },
+    volumeClaimTemplates: [
+      new PersistentVolumeClaim({
+        metadata: { name: "data" },
+        spec: {
+          accessModes: ["ReadWriteOnce"],
+          resources: { requests: { storage: values.storage.size } },
+        },
+      }),
+    ],
+  },
+});
+`,
+        },
+      };
+    }
+
     return {
       src: {
         "chart.ts": `import { Chart, Values, HelmNotes } from "@intentius/chant-lexicon-helm";
@@ -139,23 +322,11 @@ export const service = new Service({
     };
   },
 
-  skills(): SkillDefinition[] {
-    const skillsDir = join(dirname(fileURLToPath(import.meta.url)), "skills");
-    const skills: SkillDefinition[] = [];
-    try {
-      for (const file of readdirSync(skillsDir)) {
-        if (!file.endsWith(".md")) continue;
-        const content = readFileSync(join(skillsDir, file), "utf-8");
-        const name = file.replace(/\.md$/, "");
-        // Derive a readable description from the filename
-        const desc = name.replace(/-/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
-        skills.push({ name: `chant-helm-${name}`, description: desc, content });
-      }
-    } catch {
-      // No skills directory
-    }
-    return skills;
-  },
+  skills: createSkillsLoader(import.meta.url, [
+    { file: "chant-helm.md", name: "chant-helm", description: "Build, validate, and package Helm charts from a chant project" },
+    { file: "chant-helm-patterns.md", name: "chant-helm-patterns", description: "Common Helm chart patterns and best practices using chant" },
+    { file: "chant-helm-security.md", name: "chant-helm-security", description: "Security best practices for Helm charts built with chant" },
+  ]),
 
   async docs(options?: { verbose?: boolean }): Promise<void> {
     const { generateDocs } = await import("./codegen/docs");

package/src/resources.ts

@@ -75,3 +75,32 @@ export const HelmMaintainer = createProperty("Helm::Maintainer", LEXICON);
  * Props: { content: string, filename?: string }
  */
 export const HelmCRD = createResource("Helm::CRD", LEXICON, {});
+
+// ── K8s resource types used by composites ────────────────
+// These are thin wrappers so composite members are Declarable.
+
+const K8S = "k8s";
+
+export const Deployment = createResource("K8s::Apps::Deployment", K8S, {});
+export const StatefulSet = createResource("K8s::Apps::StatefulSet", K8S, {});
+export const DaemonSet = createResource("K8s::Apps::DaemonSet", K8S, {});
+export const Service = createResource("K8s::Core::Service", K8S, {});
+export const ServiceAccount = createResource("K8s::Core::ServiceAccount", K8S, {});
+export const ConfigMap = createResource("K8s::Core::ConfigMap", K8S, {});
+export const Namespace = createResource("K8s::Core::Namespace", K8S, {});
+export const Job = createResource("K8s::Batch::Job", K8S, {});
+export const CronJob = createResource("K8s::Batch::CronJob", K8S, {});
+export const Ingress = createResource("K8s::Networking::Ingress", K8S, {});
+export const NetworkPolicy = createResource("K8s::Networking::NetworkPolicy", K8S, {});
+export const HPA = createResource("K8s::Autoscaling::HorizontalPodAutoscaler", K8S, {});
+export const PDB = createResource("K8s::Policy::PodDisruptionBudget", K8S, {});
+export const ResourceQuota = createResource("K8s::Core::ResourceQuota", K8S, {});
+export const LimitRange = createResource("K8s::Core::LimitRange", K8S, {});
+export const ClusterRole = createResource("K8s::Rbac::ClusterRole", K8S, {});
+export const ClusterRoleBinding = createResource("K8s::Rbac::ClusterRoleBinding", K8S, {});
+export const Role = createResource("K8s::Rbac::Role", K8S, {});
+export const RoleBinding = createResource("K8s::Rbac::RoleBinding", K8S, {});
+export const ExternalSecret = createResource("K8s::ExternalSecrets::ExternalSecret", K8S, {});
+export const ServiceMonitor = createResource("K8s::Monitoring::ServiceMonitor", K8S, {});
+export const PrometheusRule = createResource("K8s::Monitoring::PrometheusRule", K8S, {});
+export const Certificate = createResource("K8s::CertManager::Certificate", K8S, {});