@intentius/chant-lexicon-k8s 0.0.14 → 0.0.15

package/dist/integrity.json

@@ -1,14 +1,16 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "59b066d7c2f8d709",
+    "manifest.json": "490e9ca9417db298",
     "meta.json": "1ce194f36f9b5f90",
     "types/index.d.ts": "beec4cc869064186",
     "rules/hardcoded-namespace.ts": "54b216c71018e101",
     "rules/wk8201.ts": "4dbbd20e21b5fa04",
-    "rules/wk8204.ts": "31c3f8eac8455795",
+    "rules/wk8204.ts": "9244d6fdd6d2f7d",
     "rules/wk8301.ts": "283265ab0c5b8511",
+    "rules/wk8306.ts": "5338575bfb0f9251",
     "rules/wk8102.ts": "78d4aac387107b56",
+    "rules/wk8305.ts": "5c4b9482a0f3b91d",
     "rules/wk8101.ts": "f8ffcf6e5c89076b",
     "rules/wk8302.ts": "a80d1eab37c0dbe4",
     "rules/wk8005.ts": "a9a1b93b80f3aa51",
@@ -21,6 +23,7 @@
     "rules/wk8042.ts": "6064c84481ae8551",
     "rules/wk8006.ts": "6e04f754f79f076e",
     "rules/wk8041.ts": "4df512c93caaef50",
+    "rules/wk8304.ts": "f51bf894c5a08dbe",
     "rules/wk8202.ts": "6bd950ae2128256c",
     "rules/wk8208.ts": "1133f9e53c174ae9",
     "rules/wk8105.ts": "8dbcfe399f23656a",
@@ -30,5 +33,5 @@
     "skills/chant-k8s-eks.md": "f79f31f058c7f2ed",
     "skills/chant-k8s-patterns.md": "c5151ed799145c4b"
   },
-  "composite": "586aea18d5400dd8"
+  "composite": "2a6c7f09f87d9a38"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.0.14",
+  "version": "0.0.15",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/dist/rules/wk8204.ts

@@ -4,6 +4,10 @@
  * Containers should set securityContext.runAsNonRoot to true at either
  * the container level or pod level. Running as root inside a container
  * increases the blast radius of a container breakout.
+ *
+ * Additionally warns when runAsNonRoot: true is set but no explicit
+ * runAsUser is provided — without a numeric UID, K8s relies on the
+ * image's USER directive, which may be root (UID 0).
  */
 
 import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
@@ -30,13 +34,17 @@ export const wk8204: PostSynthCheck = {
         // Check pod-level securityContext
         const podSecCtx = podSpec.securityContext as Record<string, unknown> | undefined;
         const podRunAsNonRoot = podSecCtx?.runAsNonRoot === true;
+        const podRunAsUser = podSecCtx?.runAsUser;
 
         const containers = extractContainers(manifest);
         for (const container of containers) {
           const secCtx = container.securityContext;
           const containerRunAsNonRoot = secCtx?.runAsNonRoot === true;
+          const containerRunAsUser = secCtx?.runAsUser;
+
+          const hasRunAsNonRoot = podRunAsNonRoot || containerRunAsNonRoot;
 
-          if (!podRunAsNonRoot && !containerRunAsNonRoot) {
+          if (!hasRunAsNonRoot) {
             diagnostics.push({
               checkId: "WK8204",
               severity: "warning",
@@ -44,6 +52,30 @@ export const wk8204: PostSynthCheck = {
               entity: resourceName,
               lexicon: "k8s",
             });
+            continue;
+          }
+
+          // runAsNonRoot is true — check for explicit runAsUser
+          const effectiveRunAsUser = containerRunAsUser ?? podRunAsUser;
+
+          if (effectiveRunAsUser === 0) {
+            // Contradictory: runAsNonRoot: true + runAsUser: 0
+            diagnostics.push({
+              checkId: "WK8204",
+              severity: "warning",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has runAsNonRoot: true but runAsUser: 0 — these settings are contradictory and the container will fail to start`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
+          } else if (effectiveRunAsUser === undefined || effectiveRunAsUser === null) {
+            // runAsNonRoot: true but no explicit UID
+            diagnostics.push({
+              checkId: "WK8204",
+              severity: "warning",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has runAsNonRoot: true but no explicit runAsUser — set a numeric UID to ensure the container doesn't run as root`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
           }
         }
       }

package/dist/rules/wk8304.ts

@@ -0,0 +1,70 @@
+/**
+ * WK8304: SSL Redirect Without Certificate
+ *
+ * Flags Ingress resources that have `alb.ingress.kubernetes.io/ssl-redirect`
+ * annotation set but are missing `alb.ingress.kubernetes.io/certificate-arn`
+ * or don't have HTTPS in their listen-ports.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests } from "./k8s-helpers";
+
+export const wk8304: PostSynthCheck = {
+  id: "WK8304",
+  description: "SSL redirect without certificate — ssl-redirect annotation requires a valid certificate-arn and HTTPS listen-ports",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "Ingress") continue;
+
+        const annotations = manifest.metadata?.annotations as Record<string, string> | undefined;
+        if (!annotations) continue;
+
+        const sslRedirect = annotations["alb.ingress.kubernetes.io/ssl-redirect"];
+        if (!sslRedirect) continue;
+
+        const resourceName = manifest.metadata?.name ?? "Ingress";
+        const certArn = annotations["alb.ingress.kubernetes.io/certificate-arn"];
+
+        if (!certArn) {
+          diagnostics.push({
+            checkId: "WK8304",
+            severity: "warning",
+            message: `Ingress "${resourceName}" has ssl-redirect annotation but no certificate-arn — HTTPS redirect will fail without a TLS certificate`,
+            entity: resourceName,
+            lexicon: "k8s",
+          });
+          continue;
+        }
+
+        // Check listen-ports includes HTTPS
+        const listenPorts = annotations["alb.ingress.kubernetes.io/listen-ports"];
+        if (listenPorts) {
+          try {
+            const ports = JSON.parse(listenPorts) as Array<Record<string, number>>;
+            const hasHttps = ports.some((p) => "HTTPS" in p);
+            if (!hasHttps) {
+              diagnostics.push({
+                checkId: "WK8304",
+                severity: "warning",
+                message: `Ingress "${resourceName}" has ssl-redirect but listen-ports does not include HTTPS`,
+                entity: resourceName,
+                lexicon: "k8s",
+              });
+            }
+          } catch {
+            // Can't parse listen-ports — skip this check
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wk8305.ts

@@ -0,0 +1,115 @@
+/**
+ * WK8305: Ingress Port Not Matching Service
+ *
+ * Flags Ingress backends whose `service.port.number` does not match
+ * any declared port on the referenced Service in the manifest set.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests } from "./k8s-helpers";
+import type { K8sManifest } from "./k8s-helpers";
+
+export const wk8305: PostSynthCheck = {
+  id: "WK8305",
+  description: "Ingress port not matching Service — backend port must match a declared Service port",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      // Build a map of Service name+namespace → set of port numbers
+      const servicePorts = collectServicePorts(manifests);
+
+      for (const manifest of manifests) {
+        if (manifest.kind !== "Ingress") continue;
+
+        const ingressName = manifest.metadata?.name ?? "Ingress";
+        const ingressNamespace = manifest.metadata?.namespace ?? "default";
+        const spec = manifest.spec;
+        if (!spec) continue;
+
+        const rules = spec.rules as Array<Record<string, unknown>> | undefined;
+        if (!rules) continue;
+
+        for (const rule of rules) {
+          const http = rule.http as Record<string, unknown> | undefined;
+          if (!http) continue;
+
+          const paths = http.paths as Array<Record<string, unknown>> | undefined;
+          if (!paths) continue;
+
+          for (const pathEntry of paths) {
+            const backend = pathEntry.backend as Record<string, unknown> | undefined;
+            if (!backend) continue;
+
+            const service = backend.service as Record<string, unknown> | undefined;
+            if (!service) continue;
+
+            const svcName = service.name as string | undefined;
+            const port = service.port as Record<string, unknown> | undefined;
+            const portNumber = port?.number as number | undefined;
+
+            if (!svcName || portNumber === undefined) continue;
+
+            // Look up the Service in the manifest set
+            const key = `${ingressNamespace}/${svcName}`;
+            const knownPorts = servicePorts.get(key);
+
+            // Skip if the Service is not in the manifest set (external service)
+            if (!knownPorts) continue;
+
+            if (!knownPorts.has(portNumber)) {
+              diagnostics.push({
+                checkId: "WK8305",
+                severity: "warning",
+                message: `Ingress "${ingressName}" references Service "${svcName}" port ${portNumber}, but the Service only declares ports [${[...knownPorts].join(", ")}]`,
+                entity: ingressName,
+                lexicon: "k8s",
+              });
+            }
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};
+
+/**
+ * Collect port numbers from all Service manifests, keyed by namespace/name.
+ */
+function collectServicePorts(manifests: K8sManifest[]): Map<string, Set<number>> {
+  const result = new Map<string, Set<number>>();
+
+  for (const manifest of manifests) {
+    if (manifest.kind !== "Service") continue;
+
+    const name = manifest.metadata?.name;
+    const namespace = manifest.metadata?.namespace ?? "default";
+    if (!name) continue;
+
+    const key = `${namespace}/${name}`;
+    const ports = new Set<number>();
+
+    const spec = manifest.spec;
+    if (spec) {
+      const specPorts = spec.ports as Array<Record<string, unknown>> | undefined;
+      if (specPorts) {
+        for (const p of specPorts) {
+          const port = p.port as number | undefined;
+          if (port !== undefined) {
+            ports.add(port);
+          }
+        }
+      }
+    }
+
+    result.set(key, ports);
+  }
+
+  return result;
+}

package/dist/rules/wk8306.ts

@@ -0,0 +1,50 @@
+/**
+ * WK8306: Container Command Starts With Flag
+ *
+ * If `command[0]` starts with `-` or `--`, it's almost certainly a mistake —
+ * the first element should be the binary/entrypoint, flags belong in `args`.
+ * This causes OCI runtime errors because the container runtime tries to
+ * execute the flag as a binary.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests, extractContainers, WORKLOAD_KINDS } from "./k8s-helpers";
+
+export const wk8306: PostSynthCheck = {
+  id: "WK8306",
+  description: "Container command starts with flag — first element should be a binary, not a flag",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      const manifests = parseK8sManifests(yaml);
+
+      for (const manifest of manifests) {
+        if (!manifest.kind || !WORKLOAD_KINDS.has(manifest.kind)) continue;
+
+        const resourceName = manifest.metadata?.name ?? manifest.kind;
+        const containers = extractContainers(manifest);
+
+        for (const container of containers) {
+          const command = (container as Record<string, unknown>).command as unknown[] | undefined;
+          if (!Array.isArray(command) || command.length === 0) continue;
+
+          const firstArg = String(command[0]);
+          if (firstArg.startsWith("-")) {
+            diagnostics.push({
+              checkId: "WK8306",
+              severity: "error",
+              message: `Container "${container.name ?? "(unnamed)"}" in ${manifest.kind} "${resourceName}" has command[0]="${firstArg}" which starts with a flag — the first element should be the binary, flags belong in args`,
+              entity: resourceName,
+              lexicon: "k8s",
+            });
+          }
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/package.json

@@ -1,30 +1,33 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.0.14",
+  "version": "0.0.15",
   "license": "Apache-2.0",
   "type": "module",
-  "files": ["src/", "dist/"],
+  "files": [
+    "src/",
+    "dist/"
+  ],
   "publishConfig": {
-  "access": "public"
-},
-"exports": {
-  ".": "./src/index.ts",
-  "./*": "./src/*",
-  "./manifest": "./dist/manifest.json",
-  "./meta": "./dist/meta.json",
-  "./types": "./dist/types/index.d.ts"
-},
-"scripts": {
-  "generate": "bun run src/codegen/generate-cli.ts",
-  "bundle": "bun run src/package-cli.ts",
-  "validate": "bun run src/validate-cli.ts",
-  "docs": "bun run src/codegen/docs-cli.ts",
-  "prepack": "bun run generate && bun run bundle && bun run validate"
-},
-"dependencies": {
-  "@intentius/chant": "0.0.13"
-},
-"devDependencies": {
-  "typescript": "^5.9.3"
-}
+    "access": "public"
+  },
+  "exports": {
+    ".": "./src/index.ts",
+    "./*": "./src/*.ts",
+    "./manifest": "./dist/manifest.json",
+    "./meta": "./dist/meta.json",
+    "./types": "./dist/types/index.d.ts"
+  },
+  "scripts": {
+    "generate": "bun run src/codegen/generate-cli.ts",
+    "bundle": "bun run src/package-cli.ts",
+    "validate": "bun run src/validate-cli.ts",
+    "docs": "bun run src/codegen/docs-cli.ts",
+    "prepack": "bun run generate && bun run bundle && bun run validate"
+  },
+  "dependencies": {
+    "@intentius/chant": "0.0.15"
+  },
+  "devDependencies": {
+    "typescript": "^5.9.3"
+  }
 }

package/src/codegen/docs.ts

@@ -1102,7 +1102,7 @@ Skills are structured markdown documents bundled with a lexicon. When an AI agen
 
 ## Installation
 
-When you scaffold a new project with \`chant init --lexicon k8s\`, the skill is installed to \`.claude/skills/chant-k8s/SKILL.md\` for automatic discovery by Claude Code.
+When you scaffold a new project with \`chant init --lexicon k8s\`, the skill is installed to \`skills/chant-k8s/SKILL.md\` for automatic discovery by Claude Code.
 
 ## Skill: chant-k8s
 

package/src/composites/adot-collector.ts

@@ -129,7 +129,7 @@ service:
     metrics:
       receivers: [otlp]
       processors: [batch]
-      exporters: [${exporterNames.join(", ")}]
+      exporters: [${exporterNames.filter((e) => e !== "awsxray").join(", ") || "awsemf"}]
     traces:
       receivers: [otlp]
       processors: [batch]
@@ -139,7 +139,7 @@ service:
   const container: Record<string, unknown> = {
     name,
     image,
-    command: ["--config=/etc/adot/config.yaml"],
+    args: ["--config=/etc/adot/config.yaml"],
     ports: [
       { containerPort: 4317, name: "otlp-grpc" },
       { containerPort: 4318, name: "otlp-http" },
@@ -151,6 +151,12 @@ service:
     volumeMounts: [
       { name: "config", mountPath: "/etc/adot", readOnly: true },
     ],
+    securityContext: {
+      runAsNonRoot: true,
+      runAsUser: 10001,
+      readOnlyRootFilesystem: true,
+      allowPrivilegeEscalation: false,
+    },
   };
 
   const daemonSetProps: Record<string, unknown> = {

package/src/composites/agic-ingress.ts

@@ -0,0 +1,149 @@
+/**
+ * AgicIngress composite — Ingress with Azure Application Gateway Ingress Controller annotations.
+ *
+ * @aks Full `appgw.ingress.kubernetes.io/*` annotation set including SSL redirect,
+ * WAF policy, backend path prefix, and cookie-based affinity.
+ */
+
+export interface AgicIngressHost {
+  /** Hostname (e.g., "api.example.com"). */
+  hostname: string;
+  /** Path rules for this host. */
+  paths: Array<{
+    path: string;
+    pathType?: string;
+    serviceName: string;
+    servicePort: number;
+  }>;
+}
+
+export interface AgicIngressProps {
+  /** Ingress name — used in metadata and labels. */
+  name: string;
+  /** Host definitions with paths. */
+  hosts: AgicIngressHost[];
+  /** Azure Key Vault certificate URI or secret name for TLS. */
+  certificateArn?: string;
+  /** WAF policy resource ID. */
+  wafPolicyId?: string;
+  /** Health check path for backend. */
+  healthCheckPath?: string;
+  /** Enable HTTP->HTTPS redirect (default: true when certificateArn set). */
+  sslRedirect?: boolean;
+  /** Backend path prefix override. */
+  backendPathPrefix?: string;
+  /** Enable cookie-based affinity (default: false). */
+  cookieAffinity?: boolean;
+  /** Additional annotations on the Ingress. */
+  annotations?: Record<string, string>;
+  /** Additional labels to apply to all resources. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface AgicIngressResult {
+  ingress: Record<string, unknown>;
+}
+
+/**
+ * Create an AgicIngress composite — returns prop objects for
+ * an Ingress with Azure Application Gateway Ingress Controller annotations.
+ *
+ * @aks
+ * @example
+ * ```ts
+ * import { AgicIngress } from "@intentius/chant-lexicon-k8s";
+ *
+ * const { ingress } = AgicIngress({
+ *   name: "api-ingress",
+ *   hosts: [
+ *     {
+ *       hostname: "api.example.com",
+ *       paths: [{ path: "/", serviceName: "api", servicePort: 80 }],
+ *     },
+ *   ],
+ *   certificateArn: "keyvault-secret-name",
+ *   wafPolicyId: "/subscriptions/.../Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/my-waf",
+ * });
+ * ```
+ */
+export function AgicIngress(props: AgicIngressProps): AgicIngressResult {
+  const {
+    name,
+    hosts,
+    certificateArn,
+    wafPolicyId,
+    healthCheckPath,
+    sslRedirect,
+    backendPathPrefix,
+    cookieAffinity = false,
+    annotations: extraAnnotations = {},
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  // Build AGIC annotations
+  const annotations: Record<string, string> = {
+    "kubernetes.io/ingress.class": "azure/application-gateway",
+    ...extraAnnotations,
+  };
+
+  if (sslRedirect ?? (certificateArn !== undefined)) {
+    annotations["appgw.ingress.kubernetes.io/ssl-redirect"] = "true";
+  }
+
+  if (certificateArn) {
+    annotations["appgw.ingress.kubernetes.io/appgw-ssl-certificate"] = certificateArn;
+  }
+
+  if (wafPolicyId) {
+    annotations["appgw.ingress.kubernetes.io/waf-policy-for-path"] = wafPolicyId;
+  }
+
+  if (healthCheckPath) {
+    annotations["appgw.ingress.kubernetes.io/health-probe-path"] = healthCheckPath;
+  }
+
+  if (backendPathPrefix) {
+    annotations["appgw.ingress.kubernetes.io/backend-path-prefix"] = backendPathPrefix;
+  }
+
+  if (cookieAffinity) {
+    annotations["appgw.ingress.kubernetes.io/cookie-based-affinity"] = "true";
+  }
+
+  const ingressRules = hosts.map((host) => ({
+    host: host.hostname,
+    http: {
+      paths: host.paths.map((p) => ({
+        path: p.path,
+        pathType: p.pathType ?? "Prefix",
+        backend: {
+          service: { name: p.serviceName, port: { number: p.servicePort } },
+        },
+      })),
+    },
+  }));
+
+  const ingressProps: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "ingress" },
+      annotations,
+    },
+    spec: {
+      ingressClassName: "azure/application-gateway",
+      rules: ingressRules,
+    },
+  };
+
+  return { ingress: ingressProps };
+}

package/src/composites/alb-ingress.ts

@@ -13,6 +13,7 @@ export interface AlbIngressHost {
     path: string;
     pathType?: string;
     serviceName: string;
+    /** Port on the Kubernetes Service (not the container port). */
     servicePort: number;
   }>;
 }
@@ -105,7 +106,7 @@ export function AlbIngress(props: AlbIngressProps): AlbIngressResult {
     annotations["alb.ingress.kubernetes.io/listen-ports"] = '[{"HTTPS":443}]';
   }
 
-  if (sslRedirect ?? (certificateArn !== undefined)) {
+  if (sslRedirect ?? !!certificateArn) {
     annotations["alb.ingress.kubernetes.io/ssl-redirect"] = "443";
   }