@intentius/chant-lexicon-helm 0.0.24 → 0.1.0

package/dist/integrity.json

@@ -1,11 +1,12 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "2557e415419da552",
+    "manifest.json": "8230c04a29b03431",
     "meta.json": "b7aab243e162dfaf",
     "types/index.d.ts": "e8011da51963f058",
     "rules/no-hardcoded-image.ts": "c75aa9c33016c3b9",
     "rules/values-no-secrets.ts": "213276bfe1fb8ff7",
+    "rules/values-no-helm-tpl.ts": "ed23236546936fd0",
     "rules/chart-metadata.ts": "d0cff2b78fed78d3",
     "rules/whm103.ts": "a777a13f2eaf1831",
     "rules/whm104.ts": "e2d644da2a9dc605",
@@ -25,12 +26,13 @@
     "rules/whm401.ts": "fe72c3c450a12f93",
     "rules/whm105.ts": "8977ec834713b90c",
     "rules/whm403.ts": "729d10edb48b0d03",
+    "rules/whm005-no-empty-wrapper.ts": "1a1baea985f0bd86",
     "rules/whm405.ts": "ec82442f9120e5e0",
     "rules/whm202.ts": "dbe1cbb3237be84f",
     "rules/whm501.ts": "e9a9f2b4e034a51f",
-    "skills/chant-helm.md": "8ccf71feddc9536c",
-    "skills/chant-helm-patterns.md": "7a2163247f44bf6d",
+    "skills/chant-helm.md": "6476c552b9235085",
+    "skills/chant-helm-patterns.md": "cc9bfe5595f22710",
     "skills/chant-helm-security.md": "a7b950513dac7d37"
   },
-  "composite": "43682c36509928ac"
+  "composite": "8872cd0d6c961e4d"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "helm",
-  "version": "0.0.24",
+  "version": "0.1.0",
   "chantVersion": ">=0.1.0",
   "namespace": "Helm",
   "intrinsics": [

package/dist/rules/values-no-helm-tpl.ts

@@ -0,0 +1,92 @@
+/**
+ * WHM004: HelmTpl Expression Has No Effect in Values Constructor
+ *
+ * Detects Values constructor props that use `v.xxx` (the `values` proxy)
+ * or any HelmTpl-like expression. values.yaml is static YAML — it is NOT
+ * processed as a Go template by Helm. These expressions silently become ''.
+ *
+ * Bad:  new Values({ host: v.pgHost })
+ * Good: new Values({ host: runtimeSlot("Cloud SQL private IP") })
+ */
+
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import * as ts from "typescript";
+
+export const valuesNoHelmTplRule: LintRule = {
+  id: "WHM004",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "HelmTpl expression has no effect in values.yaml — use runtimeSlot() for deploy-time values",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    function visit(node: ts.Node): void {
+      if (
+        ts.isNewExpression(node) &&
+        ts.isIdentifier(node.expression) &&
+        node.expression.text === "Values" &&
+        node.arguments &&
+        node.arguments.length > 0
+      ) {
+        const arg = node.arguments[0];
+        if (ts.isObjectLiteralExpression(arg)) {
+          checkObjectLiteral(arg, [], sourceFile, diagnostics);
+        }
+      }
+      ts.forEachChild(node, visit);
+    }
+
+    visit(sourceFile);
+    return diagnostics;
+  },
+};
+
+/**
+ * Get the root identifier name of a property access / call chain.
+ * v.foo → "v"; values.x.pipe("fn") → "values"; runtimeSlot() → "runtimeSlot"
+ */
+function getRootIdentifier(node: ts.Node): string | null {
+  if (ts.isIdentifier(node)) return node.text;
+  if (ts.isPropertyAccessExpression(node)) return getRootIdentifier(node.expression);
+  if (ts.isCallExpression(node)) return getRootIdentifier(node.expression);
+  return null;
+}
+
+function isHelmTplExpr(node: ts.Node): boolean {
+  const root = getRootIdentifier(node);
+  return root === "v" || root === "values";
+}
+
+function checkObjectLiteral(
+  obj: ts.ObjectLiteralExpression,
+  path: string[],
+  sourceFile: ts.SourceFile,
+  diagnostics: LintDiagnostic[],
+): void {
+  for (const prop of obj.properties) {
+    if (!ts.isPropertyAssignment(prop)) continue;
+
+    const keyName = ts.isIdentifier(prop.name) || ts.isStringLiteral(prop.name)
+      ? prop.name.text
+      : undefined;
+    const propPath = keyName ? [...path, keyName] : path;
+
+    if (isHelmTplExpr(prop.initializer)) {
+      const { line, character } = sourceFile.getLineAndCharacterOfPosition(prop.getStart());
+      const pathStr = propPath.join(".");
+      diagnostics.push({
+        file: sourceFile.fileName,
+        line: line + 1,
+        column: character + 1,
+        ruleId: "WHM004",
+        severity: "warning",
+        message: `HelmTpl expression has no effect in values.yaml (values.yaml is not a Go template). Use runtimeSlot() for deploy-time values or a static default.${pathStr ? ` (path: ${pathStr})` : ""}`,
+      });
+    } else if (ts.isObjectLiteralExpression(prop.initializer)) {
+      checkObjectLiteral(prop.initializer, propPath, sourceFile, diagnostics);
+    }
+  }
+}

package/dist/rules/whm005-no-empty-wrapper.ts

@@ -0,0 +1,54 @@
+/**
+ * WHM005: Chart Has Sub-chart Dependencies But Generates No Templates
+ *
+ * A chart with HelmDependency entries but no templates/*.yaml files generates
+ * an empty templates/ directory. Deploying it requires `helm dependency build`
+ * as a non-obvious prerequisite.
+ *
+ * If you only need value overrides for an upstream chart, deploy it directly:
+ *   helm upgrade upstream-chart -f values-override.yaml
+ * and use ValuesOverride to generate the override file.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm005: PostSynthCheck = {
+  id: "WHM005",
+  description:
+    "Chart with sub-chart dependencies but no templates should deploy upstream chart directly",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+      const chartYaml = files["Chart.yaml"];
+      if (!chartYaml) continue;
+
+      // Check for non-empty dependencies block
+      const hasDependencies = /^dependencies:/m.test(chartYaml);
+      if (!hasDependencies) continue;
+
+      // Check for template files (excluding _helpers.tpl and NOTES.txt)
+      const hasTemplates = Object.keys(files).some((path) => {
+        if (!path.startsWith("templates/")) return false;
+        const filename = path.slice("templates/".length);
+        if (filename === "_helpers.tpl" || filename === "NOTES.txt") return false;
+        return filename.endsWith(".yaml") || filename.endsWith(".yml");
+      });
+
+      if (!hasTemplates) {
+        diagnostics.push({
+          checkId: "WHM005",
+          severity: "warning",
+          message:
+            "Chart has sub-chart dependencies but generates no templates. Deploying this chart requires 'helm dependency build' first. If you only need value overrides for an upstream chart, deploy it directly with 'helm upgrade upstream-chart -f values-override.yaml' and use ValuesOverride to generate the override file.",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/skills/chant-helm-patterns.md

@@ -215,6 +215,58 @@ ChartRef.Name         // {{ .Chart.Name }}
 ChartRef.Version      // {{ .Chart.Version }}
 ```
 
+## Deploying Upstream Charts with Value Overrides
+
+When you need to deploy an upstream chart (like `gitlab/gitlab`) with custom values, avoid wrapper charts with no templates. Instead:
+
+1. Use `runtimeSlot()` in `new Values({...})` for deploy-time values (DB IPs, bucket names, replicas)
+2. Use `ValuesOverride` for static values shared across all environments (disabled bundled services, shared secret refs)
+3. Deploy the upstream chart directly with `-f` flags
+
+```typescript
+import { Values, ValuesOverride, runtimeSlot } from "@intentius/chant-lexicon-helm";
+
+// Runtime slots → values-runtime-slots.yaml (deploy-time checklist)
+export const vals = new Values({
+  global: {
+    psql: { host: runtimeSlot("Cloud SQL private IP") },
+    redis: { host: runtimeSlot("Memorystore host") },
+  },
+});
+
+// Static overrides → values-base.yaml (shared across all deployments)
+export const baseOverride = new ValuesOverride({
+  filename: "values-base",
+  values: {
+    postgresql: { install: false },
+    redis: { install: false },
+    certmanager: { install: false },
+    "nginx-ingress": { enabled: false },
+  },
+});
+```
+
+Outputs:
+- `chart-dir/values.yaml` — defaults; runtime slots appear as `''`
+- `chart-dir/values-base.yaml` — generated static overrides
+- `chart-dir/values-runtime-slots.yaml` — deploy-time slots with descriptions as comments
+
+Deploy:
+```bash
+# chant build generates chart-dir/ including values-base.yaml
+chant build
+
+# Fill in runtime-slot values (one per environment)
+# values-prod.yaml contains: global.psql.host, global.redis.host, etc.
+
+helm upgrade --install my-release upstream/chart \
+  -f chart-dir/values-base.yaml \
+  -f values-prod.yaml \
+  --wait
+```
+
+**WHM005** warns when a chart has `HelmDependency` entries but generates no templates — this is the "empty wrapper" anti-pattern that requires `helm dependency build` as a non-obvious prerequisite.
+
 ## Template Functions
 
 ```typescript

package/dist/skills/chant-helm.md

@@ -65,6 +65,53 @@ import { If, values } from "@intentius/chant-lexicon-helm";
 export const ingress = If(values.ingress.enabled, new Ingress({ ... }));
 ```
 
+### Runtime values and value overrides
+
+Use `runtimeSlot()` for deploy-time values that cannot be known at build time (database IPs, bucket names, etc.):
+
+```typescript
+import { Values, runtimeSlot } from "@intentius/chant-lexicon-helm";
+
+export const vals = new Values({
+  global: {
+    psql: {
+      host: runtimeSlot("Cloud SQL private IP"),  // → '' in values.yaml
+    },
+    redis: {
+      host: runtimeSlot("Memorystore persistent host"),
+    },
+  },
+});
+```
+
+`runtimeSlot()` generates two outputs:
+- `values.yaml` — the field emits `''` (empty placeholder, safe for `helm template`)
+- `values-runtime-slots.yaml` — lists only the slots with descriptions as YAML comments, for use as a deploy-time checklist
+
+**WHM004** fires when `v.xxx` (the values proxy) is used inside `new Values({...})` — values.yaml is not a Go template, so `{{ .Values.x }}` would silently become `''`. Use `runtimeSlot()` instead.
+
+Use `ValuesOverride` for static configuration shared across all deployments, like disabling bundled services:
+
+```typescript
+import { ValuesOverride } from "@intentius/chant-lexicon-helm";
+
+export const baseOverride = new ValuesOverride({
+  filename: "values-base",           // → generates chart-dir/values-base.yaml
+  values: {
+    postgresql: { install: false },
+    redis: { install: false },
+    certmanager: { install: false },
+  },
+});
+```
+
+Pass the generated file at deploy time:
+```bash
+helm upgrade --install my-release chart/
+  -f chart/values-base.yaml          # generated by ValuesOverride
+  -f values-prod.yaml                # runtime overrides (from values-runtime-slots.yaml)
+```
+
 ### Built-in objects
 
 ```typescript
@@ -218,28 +265,30 @@ const lifecycle = HelmCRDLifecycle({
 
 ## Lint rules
 
-| Rule | Description |
-|------|-------------|
-| WHM001 | Chart must have name, version, apiVersion |
-| WHM002 | Values should not contain bare secrets |
-| WHM003 | Container images should use values references |
-| WHM101 | Chart.yaml has valid apiVersion (v2) |
-| WHM102 | values.schema.json present when Values used |
-| WHM103 | Go template syntax valid (balanced braces) |
-| WHM104 | NOTES.txt exists for application charts |
-| WHM105 | _helpers.tpl exists |
-| WHM201 | Resources have standard Helm labels |
-| WHM301 | At least one test for application charts |
-| WHM302 | Resource limits set |
-| WHM401 | Image uses :latest tag or no tag |
-| WHM402 | runAsNonRoot not set |
-| WHM403 | readOnlyRootFilesystem not set |
-| WHM404 | privileged: true detected |
-| WHM405 | Resource spec missing cpu/memory |
-| WHM406 | CRD lifecycle limitation |
-| WHM407 | Secret with inline data |
-| WHM501 | Unused values keys |
-| WHM502 | Deprecated K8s API versions |
+| Rule | Phase | Description |
+|------|-------|-------------|
+| WHM001 | pre-synth | Chart must have name, version, apiVersion |
+| WHM002 | pre-synth | Values should not contain bare secrets |
+| WHM003 | pre-synth | Container images should use values references |
+| WHM004 | pre-synth | HelmTpl (`v.xxx`) has no effect in Values — use `runtimeSlot()` |
+| WHM005 | post-synth | Chart with dependencies but no templates — deploy upstream chart directly |
+| WHM101 | post-synth | Chart.yaml has valid apiVersion (v2) |
+| WHM102 | post-synth | values.schema.json present when Values used |
+| WHM103 | post-synth | Go template syntax valid (balanced braces) |
+| WHM104 | post-synth | NOTES.txt exists for application charts |
+| WHM105 | post-synth | _helpers.tpl exists |
+| WHM201 | post-synth | Resources have standard Helm labels |
+| WHM301 | post-synth | At least one test for application charts |
+| WHM302 | post-synth | Resource limits set |
+| WHM401 | post-synth | Image uses :latest tag or no tag |
+| WHM402 | post-synth | runAsNonRoot not set |
+| WHM403 | post-synth | readOnlyRootFilesystem not set |
+| WHM404 | post-synth | privileged: true detected |
+| WHM405 | post-synth | Resource spec missing cpu/memory |
+| WHM406 | post-synth | CRD lifecycle limitation |
+| WHM407 | post-synth | Secret with inline data |
+| WHM501 | post-synth | Unused values keys |
+| WHM502 | post-synth | Deprecated K8s API versions |
 
 ## OCI registry workflow
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-helm",
-  "version": "0.0.24",
+  "version": "0.1.0",
   "description": "Helm chart lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",
@@ -43,10 +43,13 @@
     "prepack": "bun run generate && bun run bundle && bun run validate"
   },
   "dependencies": {
-    "@intentius/chant": "0.0.22",
-    "@intentius/chant-lexicon-k8s": "0.0.22"
+    "@intentius/chant-lexicon-k8s": "0.1.0"
   },
   "devDependencies": {
+    "@intentius/chant": "0.1.0",
     "typescript": "^5.9.3"
+  },
+  "peerDependencies": {
+    "@intentius/chant": "^0.1.0"
   }
 }

package/src/codegen/docs.ts

@@ -102,6 +102,7 @@ export async function generateDocs(opts?: { verbose?: boolean }): Promise<void>
     description: "Typed constructors for parameterized Helm charts",
     distDir: join(pkgDir, "dist"),
     outDir: join(pkgDir, "docs"),
+    basePath: process.env.DOCS_BASE_PATH ?? "/chant/lexicons/helm/",
     overview,
     outputFormat,
     serviceFromType,
@@ -474,8 +475,8 @@ When you scaffold a new project with \`chant init --lexicon helm\`, the skill is
     ],
   };
 
-  const result = await docsPipeline(config);
-  writeDocsSite(result, config.outDir);
+  const result = docsPipeline(config);
+  writeDocsSite(config, result);
 
   if (opts?.verbose) {
     console.error(`Generated ${result.pages.length} documentation pages`);

package/src/index.ts

@@ -5,7 +5,7 @@ export { helmSerializer } from "./serializer";
 export { helmPlugin } from "./plugin";
 
 // Resources
-export { Chart, Values, HelmTest, HelmNotes, HelmHook, HelmDependency, HelmMaintainer, HelmCRD } from "./resources";
+export { Chart, Values, ValuesOverride, HelmTest, HelmNotes, HelmHook, HelmDependency, HelmMaintainer, HelmCRD } from "./resources";
 
 // Intrinsics
 export {
@@ -14,6 +14,9 @@ export {
   HELM_IF_KEY,
   HELM_RANGE_KEY,
   HELM_WITH_KEY,
+  RuntimeSlot,
+  RUNTIME_SLOT_KEY,
+  runtimeSlot,
   values,
   Release,
   ChartRef,

package/src/intrinsics.ts

@@ -473,6 +473,59 @@ export function argoWave(wave: number): Record<string, string> {
   return { "argocd.argoproj.io/sync-wave": String(wave) };
 }
 
+// ── RuntimeSlot ───────────────────────────────────────────
+
+/**
+ * JSON marker key used by the serializer to detect runtime slot placeholders.
+ * Distinguished from HelmTpl: RuntimeSlot appears in values.yaml as '' AND
+ * is collected into values-runtime-slots.yaml with its description as a comment.
+ */
+export const RUNTIME_SLOT_KEY = "__runtime_slot" as const;
+
+/**
+ * A deploy-time value placeholder in a Values object.
+ *
+ * Marks fields that cannot be known at build time (DB IP, bucket name, etc.)
+ * and must be supplied via a `-f` override file when running `helm upgrade`.
+ *
+ * Two outputs are generated:
+ * - `values.yaml` — the field emits `''` (empty placeholder)
+ * - `values-runtime-slots.yaml` — lists only the RuntimeSlot fields with
+ *   their descriptions as YAML comments, for use as a deploy-time checklist
+ *
+ * ```ts
+ * new Values({
+ *   global: {
+ *     psql: { host: runtimeSlot("Cloud SQL private IP") },
+ *   }
+ * })
+ * ```
+ */
+export class RuntimeSlot implements Intrinsic {
+  readonly [INTRINSIC_MARKER] = true as const;
+  readonly description: string;
+
+  constructor(description = "") {
+    this.description = description;
+  }
+
+  toJSON(): { [RUNTIME_SLOT_KEY]: string } {
+    return { [RUNTIME_SLOT_KEY]: this.description };
+  }
+}
+
+/**
+ * Mark a Values field as a deploy-time runtime slot.
+ *
+ * Emits `''` in values.yaml and generates an entry in values-runtime-slots.yaml.
+ *
+ * @param description Human-readable description of what to provide.
+ *   Emitted as a YAML comment in values-runtime-slots.yaml.
+ */
+export function runtimeSlot(description = ""): RuntimeSlot {
+  return new RuntimeSlot(description);
+}
+
 // ── Helpers ───────────────────────────────────────────────
 
 /**

package/src/lint/post-synth/post-synth.test.ts

@@ -18,6 +18,7 @@ import { whm406 } from "./whm406";
 import { whm407 } from "./whm407";
 import { whm501 } from "./whm501";
 import { whm502 } from "./whm502";
+import { whm005 } from "./whm005-no-empty-wrapper";
 
 function makeCtx(files: Record<string, string>): PostSynthContext {
   const result: SerializerResult = { primary: files["Chart.yaml"] ?? "", files };
@@ -36,6 +37,48 @@ function makeCtx(files: Record<string, string>): PostSynthContext {
   };
 }
 
+describe("WHM005: noEmptyWrapperChart", () => {
+  test("warns when chart has HelmDependency but no templates", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "Chart.yaml.deps": "",
+      "templates/_helpers.tpl": "{{/* helpers */}}",
+    });
+    // Inject dependencies block
+    const files = {
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\ndependencies:\n  - name: gitlab\n    version: 8.7.2\n    repository: https://charts.gitlab.io\n",
+      "templates/_helpers.tpl": "{{/* helpers */}}",
+    };
+    const ctx2 = makeCtx(files);
+    const diags = whm005.check(ctx2);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WHM005");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("passes when chart has dependencies and templates", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\ndependencies:\n  - name: gitlab\n    version: 8.7.2\n    repository: https://charts.gitlab.io\n",
+      "templates/_helpers.tpl": "{{/* helpers */}}",
+      "templates/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
+    });
+    expect(whm005.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when chart has no dependencies", () => {
+    const ctx = makeCtx({
+      "Chart.yaml": "apiVersion: v2\nname: test\nversion: 0.1.0\n",
+      "templates/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
+    });
+    expect(whm005.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes when no Chart.yaml present", () => {
+    const ctx = makeCtx({});
+    expect(whm005.check(ctx)).toHaveLength(0);
+  });
+});
+
 describe("WHM101: Chart.yaml validation", () => {
   test("passes with valid Chart.yaml", () => {
     const ctx = makeCtx({

package/src/lint/post-synth/whm005-no-empty-wrapper.ts

@@ -0,0 +1,54 @@
+/**
+ * WHM005: Chart Has Sub-chart Dependencies But Generates No Templates
+ *
+ * A chart with HelmDependency entries but no templates/*.yaml files generates
+ * an empty templates/ directory. Deploying it requires `helm dependency build`
+ * as a non-obvious prerequisite.
+ *
+ * If you only need value overrides for an upstream chart, deploy it directly:
+ *   helm upgrade upstream-chart -f values-override.yaml
+ * and use ValuesOverride to generate the override file.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getChartFiles } from "./helm-helpers";
+
+export const whm005: PostSynthCheck = {
+  id: "WHM005",
+  description:
+    "Chart with sub-chart dependencies but no templates should deploy upstream chart directly",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const files = getChartFiles(output);
+      const chartYaml = files["Chart.yaml"];
+      if (!chartYaml) continue;
+
+      // Check for non-empty dependencies block
+      const hasDependencies = /^dependencies:/m.test(chartYaml);
+      if (!hasDependencies) continue;
+
+      // Check for template files (excluding _helpers.tpl and NOTES.txt)
+      const hasTemplates = Object.keys(files).some((path) => {
+        if (!path.startsWith("templates/")) return false;
+        const filename = path.slice("templates/".length);
+        if (filename === "_helpers.tpl" || filename === "NOTES.txt") return false;
+        return filename.endsWith(".yaml") || filename.endsWith(".yml");
+      });
+
+      if (!hasTemplates) {
+        diagnostics.push({
+          checkId: "WHM005",
+          severity: "warning",
+          message:
+            "Chart has sub-chart dependencies but generates no templates. Deploying this chart requires 'helm dependency build' first. If you only need value overrides for an upstream chart, deploy it directly with 'helm upgrade upstream-chart -f values-override.yaml' and use ValuesOverride to generate the override file.",
+          lexicon: "helm",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/src/lint/rules/lint-rules.test.ts

@@ -4,6 +4,7 @@ import type { LintContext } from "@intentius/chant/lint/rule";
 import { chartMetadataRule } from "./chart-metadata";
 import { valuesNoSecretsRule } from "./values-no-secrets";
 import { noHardcodedImageRule } from "./no-hardcoded-image";
+import { valuesNoHelmTplRule } from "./values-no-helm-tpl";
 
 function makeContext(code: string): LintContext {
   const sourceFile = ts.createSourceFile("test.ts", code, ts.ScriptTarget.Latest, true);
@@ -70,6 +71,40 @@ describe("WHM002: valuesNoSecretsRule", () => {
   });
 });
 
+describe("WHM004: valuesNoHelmTplRule", () => {
+  test("warns when Values prop uses v.xxx", () => {
+    const ctx = makeContext(`new Values({ host: v.myHost });`);
+    const diags = valuesNoHelmTplRule.check(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].ruleId).toBe("WHM004");
+  });
+
+  test("warns on nested v.xxx", () => {
+    const ctx = makeContext(`new Values({ global: { hosts: { domain: v.cellDomain } } });`);
+    expect(valuesNoHelmTplRule.check(ctx).length).toBeGreaterThan(0);
+  });
+
+  test("passes when Values props are static", () => {
+    const ctx = makeContext(`new Values({ host: "localhost" });`);
+    expect(valuesNoHelmTplRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("passes for runtimeSlot() calls", () => {
+    const ctx = makeContext(`new Values({ host: runtimeSlot("Cloud SQL IP") });`);
+    expect(valuesNoHelmTplRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("does not fire on non-Values constructors", () => {
+    const ctx = makeContext(`new Deployment({ image: v.image });`);
+    expect(valuesNoHelmTplRule.check(ctx)).toHaveLength(0);
+  });
+
+  test("warns on v.xxx pipe chain", () => {
+    const ctx = makeContext(`new Values({ host: v.myHost.pipe("quote") });`);
+    expect(valuesNoHelmTplRule.check(ctx)).toHaveLength(1);
+  });
+});
+
 describe("WHM003: noHardcodedImageRule", () => {
   test("warns on hardcoded image with tag", () => {
     const ctx = makeContext(`new Deployment({ spec: { containers: [{ image: "nginx:1.19" }] } });`);