@intentius/chant-lexicon-k8s 0.0.18 → 0.0.24

package/src/composites/composites.test.ts

@@ -1,6 +1,12 @@
 import { describe, test, expect, jest } from "bun:test";
+import { isCompositeInstance } from "@intentius/chant";
 import { emitYAML } from "@intentius/chant/yaml";
 import { WebApp } from "./web-app";
+
+/** Helper to access props on a Declarable member. */
+function p(member: unknown): Record<string, unknown> {
+  return (member as any).props;
+}
 import { StatefulApp } from "./stateful-app";
 import { CronWorkload } from "./cron-workload";
 import { AutoscaledService } from "./autoscaled-service";
@@ -49,7 +55,7 @@ describe("WebApp", () => {
       ingressHost: "app.example.com",
     });
     expect(result.ingress).toBeDefined();
-    const spec = result.ingress!.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.rules[0].host).toBe("app.example.com");
   });
 
@@ -60,7 +66,7 @@ describe("WebApp", () => {
       ingressHost: "app.example.com",
       ingressTlsSecret: "tls-secret",
     });
-    const spec = result.ingress!.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.tls).toBeDefined();
     expect(spec.tls[0].secretName).toBe("tls-secret");
   });
@@ -72,7 +78,7 @@ describe("WebApp", () => {
       port: 3000,
       replicas: 5,
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(5);
     const container = spec.template.spec.containers[0];
     expect(container.image).toBe("web:2.0");
@@ -81,26 +87,26 @@ describe("WebApp", () => {
 
   test("default port is 80", () => {
     const result = WebApp({ name: "app", image: "app:1.0" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.ports[0].containerPort).toBe(80);
   });
 
   test("default replicas is 2", () => {
     const result = WebApp({ name: "app", image: "app:1.0" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(2);
   });
 
   test("service type is ClusterIP", () => {
     const result = WebApp({ name: "app", image: "app:1.0" });
-    const spec = result.service.spec as any;
+    const spec = p(result.service).spec as any;
     expect(spec.type).toBe("ClusterIP");
   });
 
   test("includes common labels", () => {
     const result = WebApp({ name: "app", image: "app:1.0" });
-    const meta = result.deployment.metadata as any;
+    const meta = p(result.deployment).metadata as any;
     expect(meta.labels["app.kubernetes.io/name"]).toBe("app");
     expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
@@ -111,7 +117,7 @@ describe("WebApp", () => {
       image: "app:1.0",
       namespace: "prod",
     });
-    const meta = result.deployment.metadata as any;
+    const meta = p(result.deployment).metadata as any;
     expect(meta.namespace).toBe("prod");
   });
 
@@ -121,7 +127,7 @@ describe("WebApp", () => {
       image: "app:1.0",
       env: [{ name: "FOO", value: "bar" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.env).toEqual([{ name: "FOO", value: "bar" }]);
   });
@@ -132,9 +138,9 @@ describe("WebApp", () => {
       image: "app:1.0",
       ingressHost: "app.example.com",
     });
-    expect((result.deployment.metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
-    expect((result.service.metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
-    expect((result.ingress!.metadata as any).labels["app.kubernetes.io/component"]).toBe("ingress");
+    expect((p(result.deployment).metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
+    expect((p(result.service).metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
+    expect((p(result.ingress).metadata as any).labels["app.kubernetes.io/component"]).toBe("ingress");
   });
 });
 
@@ -149,7 +155,7 @@ describe("StatefulApp", () => {
 
   test("service is headless (clusterIP: None)", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16" });
-    const spec = result.service.spec as any;
+    const spec = p(result.service).spec as any;
     expect(spec.clusterIP).toBe("None");
   });
 
@@ -159,7 +165,7 @@ describe("StatefulApp", () => {
       image: "postgres:16",
       storageSize: "20Gi",
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.volumeClaimTemplates).toBeDefined();
     expect(spec.volumeClaimTemplates[0].spec.resources.requests.storage).toBe(
       "20Gi",
@@ -168,20 +174,20 @@ describe("StatefulApp", () => {
 
   test("default port is 5432", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16" });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.ports[0].containerPort).toBe(5432);
   });
 
   test("default replicas is 1", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16" });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.replicas).toBe(1);
   });
 
   test("serviceName matches name", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16" });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.serviceName).toBe("db");
   });
 
@@ -191,14 +197,14 @@ describe("StatefulApp", () => {
       image: "postgres:16",
       storageClassName: "ssd",
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.volumeClaimTemplates[0].spec.storageClassName).toBe("ssd");
   });
 
   test("component labels on each resource", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16" });
-    expect((result.statefulSet.metadata as any).labels["app.kubernetes.io/component"]).toBe("database");
-    expect((result.service.metadata as any).labels["app.kubernetes.io/component"]).toBe("database");
+    expect((p(result.statefulSet).metadata as any).labels["app.kubernetes.io/component"]).toBe("database");
+    expect((p(result.service).metadata as any).labels["app.kubernetes.io/component"]).toBe("database");
   });
 });
 
@@ -223,7 +229,7 @@ describe("CronWorkload", () => {
       image: "backup:1.0",
       schedule: "0 2 * * *",
     });
-    const spec = result.cronJob.spec as any;
+    const spec = p(result.cronJob).spec as any;
     expect(spec.schedule).toBe("0 2 * * *");
   });
 
@@ -233,7 +239,7 @@ describe("CronWorkload", () => {
       image: "backup:1.0",
       schedule: "0 2 * * *",
     });
-    const binding = result.roleBinding as any;
+    const binding = p(result.roleBinding) as any;
     expect(binding.subjects[0].name).toBe("backup-sa");
     expect(binding.roleRef.name).toBe("backup-role");
   });
@@ -244,7 +250,7 @@ describe("CronWorkload", () => {
       image: "cleanup:1.0",
       schedule: "*/5 * * * *",
     });
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.name).toBe("cleanup-sa");
   });
 
@@ -257,7 +263,7 @@ describe("CronWorkload", () => {
         { apiGroups: [""], resources: ["secrets"], verbs: ["get"] },
       ],
     });
-    const role = result.role as any;
+    const role = p(result.role) as any;
     expect(role.rules[0].resources).toEqual(["secrets"]);
     expect(role.rules[0].verbs).toEqual(["get"]);
   });
@@ -268,7 +274,7 @@ describe("CronWorkload", () => {
       image: "backup:1.0",
       schedule: "0 2 * * *",
     });
-    const role = result.role as any;
+    const role = p(result.role) as any;
     expect(role.rules.length).toBeGreaterThan(0);
   });
 
@@ -280,7 +286,7 @@ describe("CronWorkload", () => {
       command: ["pg_dump"],
       args: ["-h", "postgres"],
     });
-    const spec = result.cronJob.spec as any;
+    const spec = p(result.cronJob).spec as any;
     const container =
       spec.jobTemplate.spec.template.spec.containers[0];
     expect(container.command).toEqual(["pg_dump"]);
@@ -293,7 +299,7 @@ describe("CronWorkload", () => {
       image: "backup:1.0",
       schedule: "0 2 * * *",
     });
-    const spec = result.cronJob.spec as any;
+    const spec = p(result.cronJob).spec as any;
     expect(spec.jobTemplate.spec.template.spec.restartPolicy).toBe(
       "OnFailure",
     );
@@ -312,7 +318,7 @@ describe("CronWorkload", () => {
       result.role,
       result.roleBinding,
     ]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.labels["app.kubernetes.io/name"]).toBe("backup");
     }
   });
@@ -323,10 +329,10 @@ describe("CronWorkload", () => {
       image: "backup:1.0",
       schedule: "0 2 * * *",
     });
-    expect((result.cronJob.metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
-    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
-    expect((result.role.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
-    expect((result.roleBinding.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.cronJob).metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
+    expect((p(result.serviceAccount).metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
+    expect((p(result.role).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.roleBinding).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
   });
 });
 
@@ -351,36 +357,36 @@ describe("AutoscaledService", () => {
 
   test("default port is 80", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.ports[0].containerPort).toBe(80);
   });
 
   test("default minReplicas is 2", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(2);
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.minReplicas).toBe(2);
   });
 
   test("HPA scaleTargetRef references the deployment", () => {
     const result = AutoscaledService(minProps);
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.scaleTargetRef.kind).toBe("Deployment");
     expect(hpaSpec.scaleTargetRef.name).toBe("api");
   });
 
   test("HPA has CPU metric with default 70%", () => {
     const result = AutoscaledService(minProps);
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.metrics[0].resource.name).toBe("cpu");
     expect(hpaSpec.metrics[0].resource.target.averageUtilization).toBe(70);
   });
 
   test("HPA includes memory metric when targetMemoryPercent set", () => {
     const result = AutoscaledService({ ...minProps, targetMemoryPercent: 80 });
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.metrics).toHaveLength(2);
     expect(hpaSpec.metrics[1].resource.name).toBe("memory");
     expect(hpaSpec.metrics[1].resource.target.averageUtilization).toBe(80);
@@ -388,20 +394,20 @@ describe("AutoscaledService", () => {
 
   test("no memory metric by default", () => {
     const result = AutoscaledService(minProps);
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.metrics).toHaveLength(1);
   });
 
   test("PDB selector matches deployment pod labels", () => {
     const result = AutoscaledService(minProps);
-    const pdbSpec = result.pdb.spec as any;
+    const pdbSpec = p(result.pdb).spec as any;
     expect(pdbSpec.selector.matchLabels["app.kubernetes.io/name"]).toBe("api");
     expect(pdbSpec.minAvailable).toBe(1);
   });
 
   test("resource requests are always set", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.resources.requests.cpu).toBe("100m");
     expect(container.resources.requests.memory).toBe("128Mi");
@@ -409,12 +415,12 @@ describe("AutoscaledService", () => {
 
   test("resource limits only set when provided", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.resources.limits).toBeUndefined();
 
     const withLimits = AutoscaledService({ ...minProps, cpuLimit: "1", memoryLimit: "512Mi" });
-    const spec2 = withLimits.deployment.spec as any;
+    const spec2 = p(withLimits.deployment).spec as any;
     const container2 = spec2.template.spec.containers[0];
     expect(container2.resources.limits.cpu).toBe("1");
     expect(container2.resources.limits.memory).toBe("512Mi");
@@ -422,7 +428,7 @@ describe("AutoscaledService", () => {
 
   test("includes health probes", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.livenessProbe).toBeDefined();
     expect(container.readinessProbe).toBeDefined();
@@ -430,14 +436,14 @@ describe("AutoscaledService", () => {
 
   test("service type is ClusterIP", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.service.spec as any;
+    const spec = p(result.service).spec as any;
     expect(spec.type).toBe("ClusterIP");
   });
 
   test("includes common labels on all resources", () => {
     const result = AutoscaledService(minProps);
     for (const resource of [result.deployment, result.service, result.hpa, result.pdb]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.labels["app.kubernetes.io/name"]).toBe("api");
       expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
     }
@@ -446,7 +452,7 @@ describe("AutoscaledService", () => {
   test("namespace propagated to all resources", () => {
     const result = AutoscaledService({ ...minProps, namespace: "prod" });
     for (const resource of [result.deployment, result.service, result.hpa, result.pdb]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.namespace).toBe("prod");
     }
   });
@@ -456,22 +462,22 @@ describe("AutoscaledService", () => {
       ...minProps,
       env: [{ name: "LOG_LEVEL", value: "debug" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.env).toEqual([{ name: "LOG_LEVEL", value: "debug" }]);
   });
 
   test("component labels on each resource", () => {
     const result = AutoscaledService(minProps);
-    expect((result.deployment.metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
-    expect((result.service.metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
-    expect((result.hpa.metadata as any).labels["app.kubernetes.io/component"]).toBe("autoscaler");
-    expect((result.pdb.metadata as any).labels["app.kubernetes.io/component"]).toBe("disruption-budget");
+    expect((p(result.deployment).metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
+    expect((p(result.service).metadata as any).labels["app.kubernetes.io/component"]).toBe("server");
+    expect((p(result.hpa).metadata as any).labels["app.kubernetes.io/component"]).toBe("autoscaler");
+    expect((p(result.pdb).metadata as any).labels["app.kubernetes.io/component"]).toBe("disruption-budget");
   });
 
   test("default probe paths are /healthz and /readyz", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.livenessProbe.httpGet.path).toBe("/healthz");
     expect(container.readinessProbe.httpGet.path).toBe("/readyz");
@@ -483,7 +489,7 @@ describe("AutoscaledService", () => {
       livenessPath: "/alive",
       readinessPath: "/ready",
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.livenessProbe.httpGet.path).toBe("/alive");
     expect(container.readinessProbe.httpGet.path).toBe("/ready");
@@ -491,7 +497,7 @@ describe("AutoscaledService", () => {
 
   test("probe targets container port", () => {
     const result = AutoscaledService({ ...minProps, port: 8080 });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.livenessProbe.httpGet.port).toBe(8080);
     expect(container.readinessProbe.httpGet.port).toBe(8080);
@@ -499,13 +505,13 @@ describe("AutoscaledService", () => {
 
   test("topologySpread not present by default", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.topologySpreadConstraints).toBeUndefined();
   });
 
   test("topologySpread: true adds zone constraint", () => {
     const result = AutoscaledService({ ...minProps, topologySpread: true });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const tsc = spec.template.spec.topologySpreadConstraints;
     expect(tsc).toHaveLength(1);
     expect(tsc[0].topologyKey).toBe("topology.kubernetes.io/zone");
@@ -519,7 +525,7 @@ describe("AutoscaledService", () => {
       ...minProps,
       topologySpread: { maxSkew: 2, topologyKey: "kubernetes.io/hostname" },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const tsc = spec.template.spec.topologySpreadConstraints;
     expect(tsc[0].maxSkew).toBe(2);
     expect(tsc[0].topologyKey).toBe("kubernetes.io/hostname");
@@ -527,19 +533,19 @@ describe("AutoscaledService", () => {
 
   test("minAvailable as string percentage", () => {
     const result = AutoscaledService({ ...minProps, minAvailable: "50%" });
-    const pdbSpec = result.pdb.spec as any;
+    const pdbSpec = p(result.pdb).spec as any;
     expect(pdbSpec.minAvailable).toBe("50%");
   });
 
   test("custom targetCPUPercent", () => {
     const result = AutoscaledService({ ...minProps, targetCPUPercent: 85 });
-    const hpaSpec = result.hpa.spec as any;
+    const hpaSpec = p(result.hpa).spec as any;
     expect(hpaSpec.metrics[0].resource.target.averageUtilization).toBe(85);
   });
 
   test("pod template labels include extra labels", () => {
     const result = AutoscaledService({ ...minProps, labels: { team: "platform" } });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const podLabels = spec.template.metadata.labels;
     expect(podLabels.team).toBe("platform");
     expect(podLabels["app.kubernetes.io/name"]).toBe("api");
@@ -547,13 +553,13 @@ describe("AutoscaledService", () => {
 
   test("serviceAccountName wired into pod spec", () => {
     const result = AutoscaledService({ ...minProps, serviceAccountName: "my-sa" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.serviceAccountName).toBe("my-sa");
   });
 
   test("no serviceAccountName by default", () => {
     const result = AutoscaledService(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.serviceAccountName).toBeUndefined();
   });
 
@@ -563,7 +569,7 @@ describe("AutoscaledService", () => {
       volumes: [{ name: "data", emptyDir: {} }],
       volumeMounts: [{ name: "data", mountPath: "/data" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.volumes).toEqual([{ name: "data", emptyDir: {} }]);
     expect(spec.template.spec.containers[0].volumeMounts).toEqual([{ name: "data", mountPath: "/data" }]);
   });
@@ -573,7 +579,7 @@ describe("AutoscaledService", () => {
       ...minProps,
       tmpDirs: ["/tmp", "/var/cache/nginx"],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.volumes).toEqual([
       { name: "tmp-0", emptyDir: {} },
       { name: "tmp-1", emptyDir: {} },
@@ -591,7 +597,7 @@ describe("AutoscaledService", () => {
       volumeMounts: [{ name: "config", mountPath: "/etc/config" }],
       tmpDirs: ["/tmp"],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.volumes).toEqual([
       { name: "config", configMap: { name: "app-config" } },
       { name: "tmp-0", emptyDir: {} },
@@ -624,15 +630,15 @@ describe("WorkerPool", () => {
 
   test("default replicas is 1", () => {
     const result = WorkerPool(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(1);
   });
 
   test("RBAC naming convention", () => {
     const result = WorkerPool(minProps);
-    const saMeta = result.serviceAccount!.metadata as any;
-    const roleMeta = result.role!.metadata as any;
-    const bindingMeta = result.roleBinding!.metadata as any;
+    const saMeta = p(result.serviceAccount).metadata as any;
+    const roleMeta = p(result.role).metadata as any;
+    const bindingMeta = p(result.roleBinding).metadata as any;
     expect(saMeta.name).toBe("worker-sa");
     expect(roleMeta.name).toBe("worker-role");
     expect(bindingMeta.name).toBe("worker-binding");
@@ -640,7 +646,7 @@ describe("WorkerPool", () => {
 
   test("default RBAC rules for secrets and configmaps", () => {
     const result = WorkerPool(minProps);
-    const role = result.role! as any;
+    const role = p(result.role!) as any;
     expect(role.rules[0].resources).toEqual(["secrets", "configmaps"]);
     expect(role.rules[0].verbs).toEqual(["get"]);
   });
@@ -650,7 +656,7 @@ describe("WorkerPool", () => {
       ...minProps,
       rbacRules: [{ apiGroups: ["batch"], resources: ["jobs"], verbs: ["create"] }],
     });
-    const role = result.role! as any;
+    const role = p(result.role!) as any;
     expect(role.rules[0].resources).toEqual(["jobs"]);
   });
 
@@ -660,7 +666,7 @@ describe("WorkerPool", () => {
       command: ["bundle", "exec", "sidekiq"],
       args: ["-c", "5"],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.command).toEqual(["bundle", "exec", "sidekiq"]);
     expect(container.args).toEqual(["-c", "5"]);
@@ -672,10 +678,10 @@ describe("WorkerPool", () => {
       config: { REDIS_URL: "redis://redis:6379" },
     });
     expect(result.configMap).toBeDefined();
-    const data = (result.configMap as any).data;
+    const data = (p(result.configMap) as any).data;
     expect(data.REDIS_URL).toBe("redis://redis:6379");
 
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.envFrom[0].configMapRef.name).toBe("worker-config");
   });
@@ -686,18 +692,18 @@ describe("WorkerPool", () => {
       autoscaling: { minReplicas: 2, maxReplicas: 8, targetCPUPercent: 60 },
     });
     expect(result.hpa).toBeDefined();
-    const hpaSpec = (result.hpa as any).spec;
+    const hpaSpec = (p(result.hpa) as any).spec;
     expect(hpaSpec.minReplicas).toBe(2);
     expect(hpaSpec.maxReplicas).toBe(8);
     expect(hpaSpec.scaleTargetRef.name).toBe("worker");
 
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(2);
   });
 
   test("default resource limits", () => {
     const result = WorkerPool(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.resources.requests.cpu).toBe("100m");
     expect(container.resources.requests.memory).toBe("128Mi");
@@ -707,14 +713,14 @@ describe("WorkerPool", () => {
 
   test("serviceAccountName on pod spec", () => {
     const result = WorkerPool(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.serviceAccountName).toBe("worker-sa");
   });
 
   test("includes common labels on all resources", () => {
     const result = WorkerPool(minProps);
     for (const resource of [result.deployment, result.serviceAccount!, result.role!, result.roleBinding!]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.labels["app.kubernetes.io/name"]).toBe("worker");
       expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
     }
@@ -723,7 +729,7 @@ describe("WorkerPool", () => {
   test("namespace propagated", () => {
     const result = WorkerPool({ ...minProps, namespace: "jobs" });
     for (const resource of [result.deployment, result.serviceAccount!, result.role!, result.roleBinding!]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.namespace).toBe("jobs");
     }
   });
@@ -733,7 +739,7 @@ describe("WorkerPool", () => {
     expect(result.serviceAccount).toBeUndefined();
     expect(result.role).toBeUndefined();
     expect(result.roleBinding).toBeUndefined();
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.serviceAccountName).toBeUndefined();
   });
 
@@ -742,7 +748,7 @@ describe("WorkerPool", () => {
     expect(result.serviceAccount).toBeDefined();
     expect(result.role).toBeDefined();
     expect(result.roleBinding).toBeDefined();
-    const role = result.role as any;
+    const role = p(result.role) as any;
     expect(role.rules[0].resources).toEqual(["secrets", "configmaps"]);
   });
 
@@ -751,7 +757,7 @@ describe("WorkerPool", () => {
       ...minProps,
       env: [{ name: "LOG_LEVEL", value: "debug" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.env).toEqual([{ name: "LOG_LEVEL", value: "debug" }]);
   });
@@ -762,7 +768,7 @@ describe("WorkerPool", () => {
       config: { KEY: "val" },
       namespace: "jobs",
     });
-    const meta = (result.configMap as any).metadata;
+    const meta = (p(result.configMap) as any).metadata;
     expect(meta.namespace).toBe("jobs");
     expect(meta.labels["app.kubernetes.io/name"]).toBe("worker");
   });
@@ -773,7 +779,7 @@ describe("WorkerPool", () => {
       autoscaling: { minReplicas: 1, maxReplicas: 5 },
       namespace: "jobs",
     });
-    const meta = (result.hpa as any).metadata;
+    const meta = (p(result.hpa) as any).metadata;
     expect(meta.namespace).toBe("jobs");
   });
 
@@ -782,7 +788,7 @@ describe("WorkerPool", () => {
       ...minProps,
       autoscaling: { minReplicas: 1, maxReplicas: 5 },
     });
-    const hpaSpec = (result.hpa as any).spec;
+    const hpaSpec = (p(result.hpa) as any).spec;
     expect(hpaSpec.metrics[0].resource.target.averageUtilization).toBe(70);
   });
 
@@ -792,12 +798,12 @@ describe("WorkerPool", () => {
       config: { K: "V" },
       autoscaling: { minReplicas: 1, maxReplicas: 5 },
     });
-    expect((result.deployment.metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
-    expect((result.serviceAccount!.metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
-    expect((result.role!.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
-    expect((result.roleBinding!.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
-    expect((result.configMap!.metadata as any).labels["app.kubernetes.io/component"]).toBe("config");
-    expect((result.hpa!.metadata as any).labels["app.kubernetes.io/component"]).toBe("autoscaler");
+    expect((p(result.deployment).metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
+    expect((p(result.serviceAccount).metadata as any).labels["app.kubernetes.io/component"]).toBe("worker");
+    expect((p(result.role).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.roleBinding).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.configMap).metadata as any).labels["app.kubernetes.io/component"]).toBe("config");
+    expect((p(result.hpa).metadata as any).labels["app.kubernetes.io/component"]).toBe("autoscaler");
   });
 });
 
@@ -818,7 +824,7 @@ describe("NamespaceEnv", () => {
   test("default-deny ingress NetworkPolicy created by default", () => {
     const result = NamespaceEnv({ name: "team-alpha" });
     expect(result.networkPolicy).toBeDefined();
-    const spec = result.networkPolicy!.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.policyTypes).toEqual(["Ingress"]);
     expect(spec.podSelector).toEqual({});
   });
@@ -828,7 +834,7 @@ describe("NamespaceEnv", () => {
       name: "team-alpha",
       defaultDenyEgress: true,
     });
-    const spec = result.networkPolicy!.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.policyTypes).toContain("Ingress");
     expect(spec.policyTypes).toContain("Egress");
   });
@@ -841,7 +847,7 @@ describe("NamespaceEnv", () => {
       maxPods: 50,
     });
     expect(result.resourceQuota).toBeDefined();
-    const spec = result.resourceQuota!.spec as any;
+    const spec = p(result.resourceQuota).spec as any;
     expect(spec.hard["limits.cpu"]).toBe("8");
     expect(spec.hard["limits.memory"]).toBe("16Gi");
     expect(spec.hard.pods).toBe("50");
@@ -849,7 +855,7 @@ describe("NamespaceEnv", () => {
 
   test("ResourceQuota in correct namespace", () => {
     const result = NamespaceEnv({ name: "team-alpha", cpuQuota: "4" });
-    const meta = result.resourceQuota!.metadata as any;
+    const meta = p(result.resourceQuota).metadata as any;
     expect(meta.namespace).toBe("team-alpha");
     expect(meta.name).toBe("team-alpha-quota");
   });
@@ -863,7 +869,7 @@ describe("NamespaceEnv", () => {
       defaultMemoryLimit: "512Mi",
     });
     expect(result.limitRange).toBeDefined();
-    const spec = result.limitRange!.spec as any;
+    const spec = p(result.limitRange).spec as any;
     const limit = spec.limits[0];
     expect(limit.type).toBe("Container");
     expect(limit.default.cpu).toBe("500m");
@@ -874,21 +880,21 @@ describe("NamespaceEnv", () => {
 
   test("LimitRange in correct namespace", () => {
     const result = NamespaceEnv({ name: "team-alpha", defaultCpuLimit: "1" });
-    const meta = result.limitRange!.metadata as any;
+    const meta = p(result.limitRange).metadata as any;
     expect(meta.namespace).toBe("team-alpha");
     expect(meta.name).toBe("team-alpha-limits");
   });
 
   test("includes common labels", () => {
     const result = NamespaceEnv({ name: "team-alpha" });
-    const meta = result.namespace.metadata as any;
+    const meta = p(result.namespace).metadata as any;
     expect(meta.labels["app.kubernetes.io/name"]).toBe("team-alpha");
     expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 
   test("namespace resource has no namespace field (cluster-scoped)", () => {
     const result = NamespaceEnv({ name: "team-alpha" });
-    const meta = result.namespace.metadata as any;
+    const meta = p(result.namespace).metadata as any;
     expect(meta.namespace).toBeUndefined();
   });
 
@@ -931,13 +937,13 @@ describe("NamespaceEnv", () => {
       defaultDenyEgress: true,
     });
     expect(result.networkPolicy).toBeDefined();
-    const spec = result.networkPolicy!.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.policyTypes).toEqual(["Egress"]);
   });
 
   test("NetworkPolicy namespace is the namespace name", () => {
     const result = NamespaceEnv({ name: "team-beta", defaultDenyIngress: true });
-    const meta = result.networkPolicy!.metadata as any;
+    const meta = p(result.networkPolicy).metadata as any;
     expect(meta.namespace).toBe("team-beta");
   });
 
@@ -950,7 +956,7 @@ describe("NamespaceEnv", () => {
       labels: { env: "staging" },
     });
     for (const resource of [result.namespace, result.resourceQuota!, result.limitRange!, result.networkPolicy!]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.labels.env).toBe("staging");
     }
   });
@@ -962,10 +968,10 @@ describe("NamespaceEnv", () => {
       defaultCpuRequest: "100m",
       defaultDenyIngress: true,
     });
-    expect((result.namespace.metadata as any).labels["app.kubernetes.io/component"]).toBe("namespace");
-    expect((result.resourceQuota!.metadata as any).labels["app.kubernetes.io/component"]).toBe("quota");
-    expect((result.limitRange!.metadata as any).labels["app.kubernetes.io/component"]).toBe("limits");
-    expect((result.networkPolicy!.metadata as any).labels["app.kubernetes.io/component"]).toBe("network-policy");
+    expect((p(result.namespace).metadata as any).labels["app.kubernetes.io/component"]).toBe("namespace");
+    expect((p(result.resourceQuota).metadata as any).labels["app.kubernetes.io/component"]).toBe("quota");
+    expect((p(result.limitRange).metadata as any).labels["app.kubernetes.io/component"]).toBe("limits");
+    expect((p(result.networkPolicy).metadata as any).labels["app.kubernetes.io/component"]).toBe("network-policy");
   });
 });
 
@@ -995,37 +1001,37 @@ describe("NodeAgent", () => {
 
   test("uses ClusterRole/ClusterRoleBinding (not Role)", () => {
     const result = NodeAgent(minProps);
-    const binding = result.clusterRoleBinding as any;
+    const binding = p(result.clusterRoleBinding) as any;
     expect(binding.roleRef.kind).toBe("ClusterRole");
     expect(binding.roleRef.apiGroup).toBe("rbac.authorization.k8s.io");
   });
 
   test("ClusterRole/ClusterRoleBinding are cluster-scoped (no namespace)", () => {
     const result = NodeAgent({ ...minProps, namespace: "monitoring" });
-    const crMeta = result.clusterRole.metadata as any;
-    const crbMeta = result.clusterRoleBinding.metadata as any;
+    const crMeta = p(result.clusterRole).metadata as any;
+    const crbMeta = p(result.clusterRoleBinding).metadata as any;
     expect(crMeta.namespace).toBeUndefined();
     expect(crbMeta.namespace).toBeUndefined();
   });
 
   test("namespaced resources get namespace", () => {
     const result = NodeAgent({ ...minProps, namespace: "monitoring" });
-    const dsMeta = result.daemonSet.metadata as any;
-    const saMeta = result.serviceAccount.metadata as any;
+    const dsMeta = p(result.daemonSet).metadata as any;
+    const saMeta = p(result.serviceAccount).metadata as any;
     expect(dsMeta.namespace).toBe("monitoring");
     expect(saMeta.namespace).toBe("monitoring");
   });
 
   test("tolerateAllTaints adds Exists toleration by default", () => {
     const result = NodeAgent(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const tolerations = spec.template.spec.tolerations;
     expect(tolerations).toEqual([{ operator: "Exists" }]);
   });
 
   test("tolerateAllTaints can be disabled", () => {
     const result = NodeAgent({ ...minProps, tolerateAllTaints: false });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     expect(spec.template.spec.tolerations).toBeUndefined();
   });
 
@@ -1034,7 +1040,7 @@ describe("NodeAgent", () => {
       ...minProps,
       hostPaths: [{ name: "varlog", hostPath: "/var/log", mountPath: "/var/log" }],
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const volumes = spec.template.spec.volumes;
     expect(volumes[0].name).toBe("varlog");
     expect(volumes[0].hostPath.path).toBe("/var/log");
@@ -1049,7 +1055,7 @@ describe("NodeAgent", () => {
       ...minProps,
       hostPaths: [{ name: "data", hostPath: "/data", mountPath: "/data", readOnly: false }],
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const mounts = spec.template.spec.containers[0].volumeMounts;
     expect(mounts[0].readOnly).toBe(false);
   });
@@ -1060,10 +1066,10 @@ describe("NodeAgent", () => {
       config: { "fluent.conf": "some config" },
     });
     expect(result.configMap).toBeDefined();
-    const data = (result.configMap as any).data;
+    const data = (p(result.configMap) as any).data;
     expect(data["fluent.conf"]).toBe("some config");
 
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const volumes = spec.template.spec.volumes;
     const configVol = volumes.find((v: any) => v.name === "config");
     expect(configVol.configMap.name).toBe("log-agent-config");
@@ -1076,7 +1082,7 @@ describe("NodeAgent", () => {
 
   test("port creates metrics port on container", () => {
     const result = NodeAgent({ ...minProps, port: 9100 });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.ports[0].containerPort).toBe(9100);
     expect(container.ports[0].name).toBe("metrics");
@@ -1084,9 +1090,9 @@ describe("NodeAgent", () => {
 
   test("RBAC naming convention", () => {
     const result = NodeAgent(minProps);
-    const saMeta = result.serviceAccount.metadata as any;
-    const crMeta = result.clusterRole.metadata as any;
-    const crbMeta = result.clusterRoleBinding.metadata as any;
+    const saMeta = p(result.serviceAccount).metadata as any;
+    const crMeta = p(result.clusterRole).metadata as any;
+    const crbMeta = p(result.clusterRoleBinding).metadata as any;
     expect(saMeta.name).toBe("log-agent-sa");
     expect(crMeta.name).toBe("log-agent-role");
     expect(crbMeta.name).toBe("log-agent-binding");
@@ -1094,14 +1100,14 @@ describe("NodeAgent", () => {
 
   test("RBAC rules passed through to ClusterRole", () => {
     const result = NodeAgent(minProps);
-    const cr = result.clusterRole as any;
+    const cr = p(result.clusterRole) as any;
     expect(cr.rules[0].resources).toEqual(["pods", "namespaces"]);
   });
 
   test("includes common labels on all resources", () => {
     const result = NodeAgent(minProps);
     for (const resource of [result.daemonSet, result.serviceAccount, result.clusterRole, result.clusterRoleBinding]) {
-      const meta = resource.metadata as any;
+      const meta = p(resource).metadata as any;
       expect(meta.labels["app.kubernetes.io/name"]).toBe("log-agent");
       expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
     }
@@ -1112,20 +1118,20 @@ describe("NodeAgent", () => {
       ...minProps,
       env: [{ name: "LOG_LEVEL", value: "info" }],
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.env).toEqual([{ name: "LOG_LEVEL", value: "info" }]);
   });
 
   test("serviceAccountName on pod spec", () => {
     const result = NodeAgent(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     expect(spec.template.spec.serviceAccountName).toBe("log-agent-sa");
   });
 
   test("default resource requests and limits on container", () => {
     const result = NodeAgent(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.resources.requests.cpu).toBe("50m");
     expect(container.resources.requests.memory).toBe("64Mi");
@@ -1141,7 +1147,7 @@ describe("NodeAgent", () => {
       cpuLimit: "500m",
       memoryLimit: "512Mi",
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.resources.requests.cpu).toBe("100m");
     expect(container.resources.requests.memory).toBe("256Mi");
@@ -1157,7 +1163,7 @@ describe("NodeAgent", () => {
         { name: "run", hostPath: "/run", mountPath: "/run", readOnly: false },
       ],
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     expect(spec.template.spec.volumes).toHaveLength(2);
     expect(spec.template.spec.containers[0].volumeMounts).toHaveLength(2);
     expect(spec.template.spec.containers[0].volumeMounts[1].readOnly).toBe(false);
@@ -1169,7 +1175,7 @@ describe("NodeAgent", () => {
       config: { key: "val" },
       namespace: "monitoring",
     });
-    const meta = (result.configMap as any).metadata;
+    const meta = (p(result.configMap) as any).metadata;
     expect(meta.namespace).toBe("monitoring");
   });
 
@@ -1178,11 +1184,11 @@ describe("NodeAgent", () => {
       ...minProps,
       config: { key: "val" },
     });
-    expect((result.daemonSet.metadata as any).labels["app.kubernetes.io/component"]).toBe("agent");
-    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("agent");
-    expect((result.clusterRole.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
-    expect((result.clusterRoleBinding.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
-    expect((result.configMap!.metadata as any).labels["app.kubernetes.io/component"]).toBe("config");
+    expect((p(result.daemonSet).metadata as any).labels["app.kubernetes.io/component"]).toBe("agent");
+    expect((p(result.serviceAccount).metadata as any).labels["app.kubernetes.io/component"]).toBe("agent");
+    expect((p(result.clusterRole).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.clusterRoleBinding).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.configMap).metadata as any).labels["app.kubernetes.io/component"]).toBe("config");
   });
 });
 
@@ -1192,7 +1198,7 @@ describe("WebApp hardening", () => {
   test("PDB created when minAvailable set", () => {
     const result = WebApp({ name: "app", image: "app:1.0", minAvailable: 1 });
     expect(result.pdb).toBeDefined();
-    const spec = result.pdb!.spec as any;
+    const spec = p(result.pdb).spec as any;
     expect(spec.minAvailable).toBe(1);
     expect(spec.selector.matchLabels["app.kubernetes.io/name"]).toBe("app");
   });
@@ -1208,7 +1214,7 @@ describe("WebApp hardening", () => {
       image: "app:1.0",
       initContainers: [{ name: "migrate", image: "migrate:1.0", command: ["./migrate.sh"] }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.initContainers).toHaveLength(1);
     expect(spec.template.spec.initContainers[0].name).toBe("migrate");
   });
@@ -1219,7 +1225,7 @@ describe("WebApp hardening", () => {
       image: "app:1.0",
       securityContext: { runAsNonRoot: true, readOnlyRootFilesystem: true },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.securityContext.runAsNonRoot).toBe(true);
   });
@@ -1236,7 +1242,7 @@ describe("WebApp hardening", () => {
         seccompProfile: { type: "RuntimeDefault" },
       },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.allowPrivilegeEscalation).toBe(false);
     expect(sc.capabilities).toEqual({ drop: ["ALL"] });
@@ -1245,13 +1251,13 @@ describe("WebApp hardening", () => {
 
   test("terminationGracePeriodSeconds set", () => {
     const result = WebApp({ name: "app", image: "app:1.0", terminationGracePeriodSeconds: 60 });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.terminationGracePeriodSeconds).toBe(60);
   });
 
   test("priorityClassName set", () => {
     const result = WebApp({ name: "app", image: "app:1.0", priorityClassName: "high-priority" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.priorityClassName).toBe("high-priority");
   });
 
@@ -1265,7 +1271,7 @@ describe("WebApp hardening", () => {
         { path: "/web", serviceName: "web", servicePort: 3000 },
       ],
     });
-    const spec = result.ingress!.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.rules[0].http.paths).toHaveLength(2);
     expect(spec.rules[0].http.paths[0].path).toBe("/api");
     expect(spec.rules[0].http.paths[1].backend.service.name).toBe("web");
@@ -1276,7 +1282,7 @@ describe("StatefulApp hardening", () => {
   test("PDB created when minAvailable set", () => {
     const result = StatefulApp({ name: "db", image: "postgres:16", minAvailable: 1 });
     expect(result.pdb).toBeDefined();
-    const spec = result.pdb!.spec as any;
+    const spec = p(result.pdb).spec as any;
     expect(spec.minAvailable).toBe(1);
   });
 
@@ -1286,7 +1292,7 @@ describe("StatefulApp hardening", () => {
       image: "postgres:16",
       initContainers: [{ name: "init", image: "init:1.0" }],
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.template.spec.initContainers).toHaveLength(1);
   });
 
@@ -1296,7 +1302,7 @@ describe("StatefulApp hardening", () => {
       image: "postgres:16",
       securityContext: { runAsNonRoot: true },
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
 
@@ -1311,7 +1317,7 @@ describe("StatefulApp hardening", () => {
         seccompProfile: { type: "RuntimeDefault" },
       },
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.allowPrivilegeEscalation).toBe(false);
     expect(sc.capabilities).toEqual({ drop: ["ALL"] });
@@ -1323,7 +1329,7 @@ describe("WorkerPool hardening", () => {
   test("PDB created when minAvailable set", () => {
     const result = WorkerPool({ name: "w", image: "w:1.0", minAvailable: 1 });
     expect(result.pdb).toBeDefined();
-    const spec = result.pdb!.spec as any;
+    const spec = p(result.pdb).spec as any;
     expect(spec.minAvailable).toBe(1);
   });
 
@@ -1333,7 +1339,7 @@ describe("WorkerPool hardening", () => {
       image: "w:1.0",
       securityContext: { runAsNonRoot: true },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
 
@@ -1348,7 +1354,7 @@ describe("WorkerPool hardening", () => {
         seccompProfile: { type: "RuntimeDefault" },
       },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.allowPrivilegeEscalation).toBe(false);
     expect(sc.capabilities).toEqual({ drop: ["ALL"] });
@@ -1364,7 +1370,7 @@ describe("AutoscaledService hardening", () => {
       ...minProps,
       initContainers: [{ name: "migrate", image: "m:1.0" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.initContainers).toHaveLength(1);
   });
 
@@ -1373,7 +1379,7 @@ describe("AutoscaledService hardening", () => {
       ...minProps,
       securityContext: { runAsNonRoot: true },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.containers[0].securityContext.runAsNonRoot).toBe(true);
   });
 
@@ -1387,7 +1393,7 @@ describe("AutoscaledService hardening", () => {
         seccompProfile: { type: "RuntimeDefault" },
       },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.allowPrivilegeEscalation).toBe(false);
     expect(sc.capabilities).toEqual({ drop: ["ALL"] });
@@ -1396,7 +1402,7 @@ describe("AutoscaledService hardening", () => {
 
   test("terminationGracePeriodSeconds set", () => {
     const result = AutoscaledService({ ...minProps, terminationGracePeriodSeconds: 30 });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.terminationGracePeriodSeconds).toBe(30);
   });
 });
@@ -1416,20 +1422,20 @@ describe("BatchJob", () => {
 
   test("default backoffLimit is 6", () => {
     const result = BatchJob(minProps);
-    const spec = result.job.spec as any;
+    const spec = p(result.job).spec as any;
     expect(spec.backoffLimit).toBe(6);
   });
 
   test("custom backoffLimit and ttl", () => {
     const result = BatchJob({ ...minProps, backoffLimit: 3, ttlSecondsAfterFinished: 3600 });
-    const spec = result.job.spec as any;
+    const spec = p(result.job).spec as any;
     expect(spec.backoffLimit).toBe(3);
     expect(spec.ttlSecondsAfterFinished).toBe(3600);
   });
 
   test("parallelism and completions", () => {
     const result = BatchJob({ ...minProps, parallelism: 3, completions: 10 });
-    const spec = result.job.spec as any;
+    const spec = p(result.job).spec as any;
     expect(spec.parallelism).toBe(3);
     expect(spec.completions).toBe(10);
   });
@@ -1443,7 +1449,7 @@ describe("BatchJob", () => {
 
   test("command and args passed through", () => {
     const result = BatchJob({ ...minProps, command: ["python"], args: ["migrate.py"] });
-    const spec = result.job.spec as any;
+    const spec = p(result.job).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.command).toEqual(["python"]);
     expect(container.args).toEqual(["migrate.py"]);
@@ -1451,14 +1457,14 @@ describe("BatchJob", () => {
 
   test("namespace propagated", () => {
     const result = BatchJob({ ...minProps, namespace: "jobs" });
-    expect((result.job.metadata as any).namespace).toBe("jobs");
-    expect((result.serviceAccount!.metadata as any).namespace).toBe("jobs");
+    expect((p(result.job).metadata as any).namespace).toBe("jobs");
+    expect((p(result.serviceAccount).metadata as any).namespace).toBe("jobs");
   });
 
   test("component labels", () => {
     const result = BatchJob(minProps);
-    expect((result.job.metadata as any).labels["app.kubernetes.io/component"]).toBe("batch");
-    expect((result.role!.metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
+    expect((p(result.job).metadata as any).labels["app.kubernetes.io/component"]).toBe("batch");
+    expect((p(result.role).metadata as any).labels["app.kubernetes.io/component"]).toBe("rbac");
   });
 });
 
@@ -1479,14 +1485,14 @@ describe("SecureIngress", () => {
   test("creates certificate when clusterIssuer set", () => {
     const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
     expect(result.certificate).toBeDefined();
-    const certSpec = result.certificate!.spec as any;
+    const certSpec = p(result.certificate!).spec as any;
     expect(certSpec.issuerRef.name).toBe("letsencrypt-prod");
     expect(certSpec.dnsNames).toEqual(["app.example.com"]);
   });
 
   test("TLS on ingress when clusterIssuer set", () => {
     const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.tls).toBeDefined();
     expect(spec.tls[0].hosts).toEqual(["app.example.com"]);
   });
@@ -1500,9 +1506,9 @@ describe("SecureIngress", () => {
       ],
       clusterIssuer: "letsencrypt-prod",
     });
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.rules).toHaveLength(2);
-    const certSpec = result.certificate!.spec as any;
+    const certSpec = p(result.certificate!).spec as any;
     expect(certSpec.dnsNames).toHaveLength(2);
   });
 
@@ -1517,19 +1523,19 @@ describe("SecureIngress", () => {
         ],
       }],
     });
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.rules[0].http.paths).toHaveLength(2);
   });
 
   test("ingressClassName set", () => {
     const result = SecureIngress({ ...minProps, ingressClassName: "nginx" });
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.ingressClassName).toBe("nginx");
   });
 
   test("cert-manager annotation added", () => {
     const result = SecureIngress({ ...minProps, clusterIssuer: "letsencrypt-prod" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["cert-manager.io/cluster-issuer"]).toBe("letsencrypt-prod");
   });
 });
@@ -1549,12 +1555,12 @@ describe("ConfiguredApp", () => {
   test("creates ConfigMap when configData provided", () => {
     const result = ConfiguredApp({ ...minProps, configData: { "app.conf": "key=val" }, configMountPath: "/etc/app" });
     expect(result.configMap).toBeDefined();
-    expect((result.configMap as any).data["app.conf"]).toBe("key=val");
+    expect((p(result.configMap) as any).data["app.conf"]).toBe("key=val");
   });
 
   test("configMap volume mounted", () => {
     const result = ConfiguredApp({ ...minProps, configData: { "k": "v" }, configMountPath: "/etc/app" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.volumeMounts).toHaveLength(1);
     expect(container.volumeMounts[0].mountPath).toBe("/etc/app");
@@ -1563,7 +1569,7 @@ describe("ConfiguredApp", () => {
 
   test("secret volume mounted", () => {
     const result = ConfiguredApp({ ...minProps, secretName: "creds", secretMountPath: "/secrets" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.volumeMounts[0].mountPath).toBe("/secrets");
     expect(spec.template.spec.volumes[0].secret.secretName).toBe("creds");
@@ -1574,7 +1580,7 @@ describe("ConfiguredApp", () => {
       ...minProps,
       envFrom: { configMapRef: "my-config", secretRef: "my-secret" },
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.envFrom).toHaveLength(2);
     expect(container.envFrom[0].configMapRef.name).toBe("my-config");
@@ -1586,14 +1592,14 @@ describe("ConfiguredApp", () => {
       ...minProps,
       initContainers: [{ name: "init", image: "init:1.0", command: ["sh"] }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.initContainers).toHaveLength(1);
   });
 
   test("namespace propagated", () => {
     const result = ConfiguredApp({ ...minProps, namespace: "prod" });
-    expect((result.deployment.metadata as any).namespace).toBe("prod");
-    expect((result.service.metadata as any).namespace).toBe("prod");
+    expect((p(result.deployment).metadata as any).namespace).toBe("prod");
+    expect((p(result.service).metadata as any).namespace).toBe("prod");
   });
 });
 
@@ -1614,7 +1620,7 @@ describe("SidecarApp", () => {
 
   test("has multiple containers", () => {
     const result = SidecarApp(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.containers).toHaveLength(2);
     expect(spec.template.spec.containers[0].name).toBe("api");
     expect(spec.template.spec.containers[1].name).toBe("envoy");
@@ -1625,7 +1631,7 @@ describe("SidecarApp", () => {
       ...minProps,
       sidecars: [{ name: "envoy", image: "envoy:v1.28", ports: [{ containerPort: 9901, name: "admin" }] }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.containers[1].ports[0].containerPort).toBe(9901);
   });
 
@@ -1634,7 +1640,7 @@ describe("SidecarApp", () => {
       ...minProps,
       initContainers: [{ name: "migrate", image: "m:1.0", command: ["./migrate.sh"] }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.initContainers).toHaveLength(1);
   });
 
@@ -1643,7 +1649,7 @@ describe("SidecarApp", () => {
       ...minProps,
       sharedVolumes: [{ name: "tmp" }, { name: "config", configMapName: "my-config" }],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.template.spec.volumes).toHaveLength(2);
     expect(spec.template.spec.volumes[0].emptyDir).toBeDefined();
     expect(spec.template.spec.volumes[1].configMap.name).toBe("my-config");
@@ -1651,8 +1657,8 @@ describe("SidecarApp", () => {
 
   test("common labels on all resources", () => {
     const result = SidecarApp(minProps);
-    expect((result.deployment.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
-    expect((result.service.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    expect((p(result.deployment).metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    expect((p(result.service).metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 });
 
@@ -1675,14 +1681,14 @@ describe("MonitoredService", () => {
       alertRules: [{ name: "HighError", expr: "rate(errors[5m]) > 0.1", severity: "critical" }],
     });
     expect(result.prometheusRule).toBeDefined();
-    const spec = result.prometheusRule!.spec as any;
+    const spec = p(result.prometheusRule!).spec as any;
     expect(spec.groups[0].rules[0].alert).toBe("HighError");
     expect(spec.groups[0].rules[0].labels.severity).toBe("critical");
   });
 
   test("serviceMonitor has correct selector and endpoint", () => {
     const result = MonitoredService({ ...minProps, metricsPort: 9090, metricsPath: "/metrics", scrapeInterval: "15s" });
-    const spec = result.serviceMonitor.spec as any;
+    const spec = p(result.serviceMonitor).spec as any;
     expect(spec.selector.matchLabels["app.kubernetes.io/name"]).toBe("api");
     expect(spec.endpoints[0].port).toBe("metrics");
     expect(spec.endpoints[0].path).toBe("/metrics");
@@ -1691,7 +1697,7 @@ describe("MonitoredService", () => {
 
   test("separate metrics port on container and service", () => {
     const result = MonitoredService({ ...minProps, port: 8080, metricsPort: 9090 });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const ports = spec.template.spec.containers[0].ports;
     expect(ports).toHaveLength(2);
     expect(ports[0].containerPort).toBe(8080);
@@ -1700,8 +1706,8 @@ describe("MonitoredService", () => {
 
   test("component labels", () => {
     const result = MonitoredService({ ...minProps, alertRules: [{ name: "A", expr: "1" }] });
-    expect((result.serviceMonitor.metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
-    expect((result.prometheusRule!.metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
+    expect((p(result.serviceMonitor).metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
+    expect((p(result.prometheusRule!).metadata as any).labels["app.kubernetes.io/component"]).toBe("monitoring");
   });
 });
 
@@ -1719,7 +1725,7 @@ describe("NetworkIsolatedApp", () => {
 
   test("networkPolicy podSelector matches app", () => {
     const result = NetworkIsolatedApp(minProps);
-    const spec = result.networkPolicy.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.podSelector.matchLabels["app.kubernetes.io/name"]).toBe("api");
   });
 
@@ -1728,7 +1734,7 @@ describe("NetworkIsolatedApp", () => {
       ...minProps,
       allowIngressFrom: [{ podSelector: { "app.kubernetes.io/name": "frontend" } }],
     });
-    const spec = result.networkPolicy.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.policyTypes).toContain("Ingress");
     expect(spec.ingress[0].from[0].podSelector.matchLabels["app.kubernetes.io/name"]).toBe("frontend");
   });
@@ -1738,19 +1744,19 @@ describe("NetworkIsolatedApp", () => {
       ...minProps,
       allowEgressTo: [{ podSelector: { "app.kubernetes.io/name": "db" }, ports: [{ port: 5432 }] }],
     });
-    const spec = result.networkPolicy.spec as any;
+    const spec = p(result.networkPolicy).spec as any;
     expect(spec.policyTypes).toContain("Egress");
     expect(spec.egress[0].ports[0].port).toBe(5432);
   });
 
   test("namespace propagated", () => {
     const result = NetworkIsolatedApp({ ...minProps, namespace: "prod" });
-    expect((result.networkPolicy.metadata as any).namespace).toBe("prod");
+    expect((p(result.networkPolicy).metadata as any).namespace).toBe("prod");
   });
 
   test("component label on networkPolicy", () => {
     const result = NetworkIsolatedApp(minProps);
-    expect((result.networkPolicy.metadata as any).labels["app.kubernetes.io/component"]).toBe("network-policy");
+    expect((p(result.networkPolicy).metadata as any).labels["app.kubernetes.io/component"]).toBe("network-policy");
   });
 });
 
@@ -1762,7 +1768,7 @@ describe("IrsaServiceAccount", () => {
   test("returns serviceAccount with IRSA annotation", () => {
     const result = IrsaServiceAccount(minProps);
     expect(result.serviceAccount).toBeDefined();
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/app-role");
   });
 
@@ -1779,18 +1785,18 @@ describe("IrsaServiceAccount", () => {
     });
     expect(result.role).toBeDefined();
     expect(result.roleBinding).toBeDefined();
-    const role = result.role as any;
+    const role = p(result.role) as any;
     expect(role.rules[0].resources).toEqual(["secrets"]);
   });
 
   test("namespace propagated", () => {
     const result = IrsaServiceAccount({ ...minProps, namespace: "prod" });
-    expect((result.serviceAccount.metadata as any).namespace).toBe("prod");
+    expect((p(result.serviceAccount).metadata as any).namespace).toBe("prod");
   });
 
   test("component labels", () => {
     const result = IrsaServiceAccount(minProps);
-    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
+    expect((p(result.serviceAccount).metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
   });
 });
 
@@ -1805,58 +1811,58 @@ describe("AlbIngress", () => {
   test("returns ingress with ALB annotations", () => {
     const result = AlbIngress(minProps);
     expect(result.ingress).toBeDefined();
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/scheme"]).toBe("internet-facing");
     expect(meta.annotations["alb.ingress.kubernetes.io/target-type"]).toBe("ip");
   });
 
   test("ingressClassName is alb", () => {
     const result = AlbIngress(minProps);
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.ingressClassName).toBe("alb");
   });
 
   test("certificate ARN sets TLS annotations", () => {
     const result = AlbIngress({ ...minProps, certificateArn: "arn:aws:acm:us-east-1:123:cert/abc" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/certificate-arn"]).toBe("arn:aws:acm:us-east-1:123:cert/abc");
     expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBe("443");
   });
 
   test("groupName annotation set", () => {
     const result = AlbIngress({ ...minProps, groupName: "shared-alb" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/group.name"]).toBe("shared-alb");
   });
 
   test("WAF ACL annotation set", () => {
     const result = AlbIngress({ ...minProps, wafAclArn: "arn:aws:wafv2:us-east-1:123:regional/webacl/abc" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/wafv2-acl-arn"]).toBe("arn:aws:wafv2:us-east-1:123:regional/webacl/abc");
   });
 
   test("internal scheme", () => {
     const result = AlbIngress({ ...minProps, scheme: "internal" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/scheme"]).toBe("internal");
   });
 
   test("empty-string certificateArn does NOT set ssl-redirect", () => {
     const result = AlbIngress({ ...minProps, certificateArn: "" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
     expect(meta.annotations["alb.ingress.kubernetes.io/certificate-arn"]).toBeUndefined();
   });
 
   test("explicit sslRedirect: true overrides empty certificateArn", () => {
     const result = AlbIngress({ ...minProps, certificateArn: "", sslRedirect: true });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBe("443");
   });
 
   test("explicit sslRedirect: false suppresses redirect even with cert", () => {
     const result = AlbIngress({ ...minProps, certificateArn: "arn:aws:acm:us-east-1:123:cert/abc", sslRedirect: false });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["alb.ingress.kubernetes.io/ssl-redirect"]).toBeUndefined();
   });
 });
@@ -1872,55 +1878,55 @@ describe("GceIngress", () => {
   test("returns ingress with GCE annotations", () => {
     const result = GceIngress(minProps);
     expect(result.ingress).toBeDefined();
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["kubernetes.io/ingress.class"]).toBe("gce");
   });
 
   test("static IP annotation set", () => {
     const result = GceIngress({ ...minProps, staticIpName: "microservice-ip" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["kubernetes.io/ingress.global-static-ip-name"]).toBe("microservice-ip");
   });
 
   test("managed certificate annotation set", () => {
     const result = GceIngress({ ...minProps, managedCertificate: "api-cert" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["networking.gke.io/managed-certificates"]).toBe("api-cert");
   });
 
   test("frontendConfig annotation set", () => {
     const result = GceIngress({ ...minProps, frontendConfig: "my-frontend" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("my-frontend");
   });
 
   test("managedCertificate sets default FrontendConfig for ssl redirect", () => {
     const result = GceIngress({ ...minProps, managedCertificate: "api-cert" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("api-ingress-frontend-config");
   });
 
   test("explicit sslRedirect: false suppresses FrontendConfig even with cert", () => {
     const result = GceIngress({ ...minProps, managedCertificate: "api-cert", sslRedirect: false });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBeUndefined();
   });
 
   test("explicit sslRedirect: true sets default FrontendConfig without cert", () => {
     const result = GceIngress({ ...minProps, sslRedirect: true });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.annotations["networking.gke.io/v1beta1.FrontendConfig"]).toBe("api-ingress-frontend-config");
   });
 
   test("namespace is set when provided", () => {
     const result = GceIngress({ ...minProps, namespace: "production" });
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.namespace).toBe("production");
   });
 
   test("host rules are mapped correctly", () => {
     const result = GceIngress(minProps);
-    const spec = result.ingress.spec as any;
+    const spec = p(result.ingress).spec as any;
     expect(spec.rules).toHaveLength(1);
     expect(spec.rules[0].host).toBe("api.example.com");
     expect(spec.rules[0].http.paths[0].backend.service.name).toBe("api");
@@ -1928,7 +1934,7 @@ describe("GceIngress", () => {
 
   test("labels include component: ingress", () => {
     const result = GceIngress(minProps);
-    const meta = result.ingress.metadata as any;
+    const meta = p(result.ingress).metadata as any;
     expect(meta.labels["app.kubernetes.io/component"]).toBe("ingress");
     expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
@@ -1940,22 +1946,22 @@ describe("EbsStorageClass", () => {
   test("returns storageClass with EBS provisioner", () => {
     const result = EbsStorageClass({ name: "gp3" });
     expect(result.storageClass).toBeDefined();
-    expect((result.storageClass as any).provisioner).toBe("ebs.csi.aws.com");
+    expect((p(result.storageClass) as any).provisioner).toBe("ebs.csi.aws.com");
   });
 
   test("default type is gp3", () => {
     const result = EbsStorageClass({ name: "default" });
-    expect((result.storageClass as any).parameters.type).toBe("gp3");
+    expect((p(result.storageClass) as any).parameters.type).toBe("gp3");
   });
 
   test("encryption enabled by default", () => {
     const result = EbsStorageClass({ name: "enc" });
-    expect((result.storageClass as any).parameters.encrypted).toBe("true");
+    expect((p(result.storageClass) as any).parameters.encrypted).toBe("true");
   });
 
   test("custom parameters", () => {
     const result = EbsStorageClass({ name: "custom", type: "io2", iops: "5000", throughput: "250" });
-    const params = (result.storageClass as any).parameters;
+    const params = (p(result.storageClass) as any).parameters;
     expect(params.type).toBe("io2");
     expect(params.iops).toBe("5000");
     expect(params.throughput).toBe("250");
@@ -1963,24 +1969,24 @@ describe("EbsStorageClass", () => {
 
   test("allowVolumeExpansion default true", () => {
     const result = EbsStorageClass({ name: "exp" });
-    expect((result.storageClass as any).allowVolumeExpansion).toBe(true);
+    expect((p(result.storageClass) as any).allowVolumeExpansion).toBe(true);
   });
 
   test("storageClass is cluster-scoped (no namespace)", () => {
     const result = EbsStorageClass({ name: "sc" });
-    expect((result.storageClass.metadata as any).namespace).toBeUndefined();
+    expect((p(result.storageClass).metadata as any).namespace).toBeUndefined();
   });
 
   test("numeric iops and throughput coerced to strings", () => {
     const result = EbsStorageClass({ name: "perf", iops: 5000, throughput: 250 });
-    const params = (result.storageClass as any).parameters;
+    const params = (p(result.storageClass) as any).parameters;
     expect(params.iops).toBe("5000");
     expect(params.throughput).toBe("250");
   });
 
   test("string iops and throughput passed through", () => {
     const result = EbsStorageClass({ name: "perf", iops: "3000", throughput: "125" });
-    const params = (result.storageClass as any).parameters;
+    const params = (p(result.storageClass) as any).parameters;
     expect(params.iops).toBe("3000");
     expect(params.throughput).toBe("125");
   });
@@ -1991,17 +1997,17 @@ describe("EbsStorageClass", () => {
 describe("EfsStorageClass", () => {
   test("returns storageClass with EFS provisioner", () => {
     const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-123" });
-    expect((result.storageClass as any).provisioner).toBe("efs.csi.aws.com");
+    expect((p(result.storageClass) as any).provisioner).toBe("efs.csi.aws.com");
   });
 
   test("fileSystemId in parameters", () => {
     const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-abc" });
-    expect((result.storageClass as any).parameters.fileSystemId).toBe("fs-abc");
+    expect((p(result.storageClass) as any).parameters.fileSystemId).toBe("fs-abc");
   });
 
   test("default provisioningMode is efs-ap", () => {
     const result = EfsStorageClass({ name: "efs", fileSystemId: "fs-123" });
-    expect((result.storageClass as any).parameters.provisioningMode).toBe("efs-ap");
+    expect((p(result.storageClass) as any).parameters.provisioningMode).toBe("efs-ap");
   });
 });
 
@@ -2021,36 +2027,36 @@ describe("FluentBitAgent", () => {
 
   test("default namespace is amazon-cloudwatch", () => {
     const result = FluentBitAgent(minProps);
-    expect((result.daemonSet.metadata as any).namespace).toBe("amazon-cloudwatch");
+    expect((p(result.daemonSet).metadata as any).namespace).toBe("amazon-cloudwatch");
   });
 
   test("configMap contains fluent-bit config with region", () => {
     const result = FluentBitAgent(minProps);
-    const data = (result.configMap as any).data;
+    const data = (p(result.configMap) as any).data;
     expect(data["fluent-bit.conf"]).toContain("us-east-1");
     expect(data["fluent-bit.conf"]).toContain("/aws/eks/cluster/containers");
   });
 
   test("tolerations for all nodes", () => {
     const result = FluentBitAgent(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     expect(spec.template.spec.tolerations).toEqual([{ operator: "Exists" }]);
   });
 
   test("clusterRole is cluster-scoped", () => {
     const result = FluentBitAgent(minProps);
-    expect((result.clusterRole.metadata as any).namespace).toBeUndefined();
+    expect((p(result.clusterRole).metadata as any).namespace).toBeUndefined();
   });
 
   test("IRSA annotation when iamRoleArn set", () => {
     const result = FluentBitAgent({ ...minProps, iamRoleArn: "arn:aws:iam::123456789012:role/fb-role" });
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/fb-role");
   });
 
   test("no annotation when iamRoleArn omitted", () => {
     const result = FluentBitAgent(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations).toBeUndefined();
   });
 });
@@ -2073,32 +2079,32 @@ describe("ExternalDnsAgent", () => {
 
   test("IRSA annotation on serviceAccount", () => {
     const result = ExternalDnsAgent(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/external-dns");
   });
 
   test("domain filter in args", () => {
     const result = ExternalDnsAgent(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const args = spec.template.spec.containers[0].args;
     expect(args).toContain("--domain-filter=example.com");
   });
 
   test("txtOwnerId in args when set", () => {
     const result = ExternalDnsAgent({ ...minProps, txtOwnerId: "my-cluster" });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const args = spec.template.spec.containers[0].args;
     expect(args).toContain("--txt-owner-id=my-cluster");
   });
 
   test("default namespace is kube-system", () => {
     const result = ExternalDnsAgent(minProps);
-    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+    expect((p(result.deployment).metadata as any).namespace).toBe("kube-system");
   });
 
   test("replicas is 1", () => {
     const result = ExternalDnsAgent(minProps);
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(1);
   });
 });
@@ -2119,19 +2125,19 @@ describe("AdotCollector", () => {
 
   test("default namespace is amazon-metrics", () => {
     const result = AdotCollector(minProps);
-    expect((result.daemonSet.metadata as any).namespace).toBe("amazon-metrics");
+    expect((p(result.daemonSet).metadata as any).namespace).toBe("amazon-metrics");
   });
 
   test("configMap contains ADOT config with region", () => {
     const result = AdotCollector(minProps);
-    const data = (result.configMap as any).data;
+    const data = (p(result.configMap) as any).data;
     expect(data["config.yaml"]).toContain("us-east-1");
     expect(data["config.yaml"]).toContain("cluster");
   });
 
   test("OTLP ports on container", () => {
     const result = AdotCollector(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const ports = spec.template.spec.containers[0].ports;
     expect(ports).toHaveLength(2);
     expect(ports[0].containerPort).toBe(4317);
@@ -2140,25 +2146,25 @@ describe("AdotCollector", () => {
 
   test("tolerations for all nodes", () => {
     const result = AdotCollector(minProps);
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     expect(spec.template.spec.tolerations).toEqual([{ operator: "Exists" }]);
   });
 
   test("custom exporters", () => {
     const result = AdotCollector({ ...minProps, exporters: ["prometheus"] });
-    const data = (result.configMap as any).data;
+    const data = (p(result.configMap) as any).data;
     expect(data["config.yaml"]).toContain("prometheusremotewrite");
   });
 
   test("IRSA annotation when iamRoleArn set", () => {
     const result = AdotCollector({ ...minProps, iamRoleArn: "arn:aws:iam::123456789012:role/adot-role" });
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["eks.amazonaws.com/role-arn"]).toBe("arn:aws:iam::123456789012:role/adot-role");
   });
 
   test("no annotation when iamRoleArn omitted", () => {
     const result = AdotCollector(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations).toBeUndefined();
   });
 });
@@ -2180,21 +2186,21 @@ describe("MetricsServer", () => {
 
   test("default namespace is kube-system", () => {
     const result = MetricsServer({});
-    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
-    expect((result.service.metadata as any).namespace).toBe("kube-system");
-    expect((result.serviceAccount.metadata as any).namespace).toBe("kube-system");
+    expect((p(result.deployment).metadata as any).namespace).toBe("kube-system");
+    expect((p(result.service).metadata as any).namespace).toBe("kube-system");
+    expect((p(result.serviceAccount).metadata as any).namespace).toBe("kube-system");
   });
 
   test("service targets port 10250", () => {
     const result = MetricsServer({});
-    const spec = result.service.spec as any;
+    const spec = p(result.service).spec as any;
     expect(spec.ports[0].port).toBe(443);
     expect(spec.ports[0].targetPort).toBe(10250);
   });
 
   test("deployment container has correct image and args", () => {
     const result = MetricsServer({});
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const container = spec.template.spec.containers[0];
     expect(container.image).toBe("registry.k8s.io/metrics-server/metrics-server:v0.7.2");
     expect(container.args).toContain("--secure-port=10250");
@@ -2204,14 +2210,14 @@ describe("MetricsServer", () => {
 
   test("clusterRole has nodes/metrics access", () => {
     const result = MetricsServer({});
-    const rules = result.clusterRole.rules as any[];
+    const rules = p(result.clusterRole).rules as any[];
     const nodeMetricsRule = rules.find((r: any) => r.resources?.includes("nodes/metrics"));
     expect(nodeMetricsRule).toBeDefined();
   });
 
   test("apiService references correct service", () => {
     const result = MetricsServer({});
-    const spec = (result.apiService as any).spec;
+    const spec = (p(result.apiService) as any).spec;
     expect(spec.service.name).toBe("metrics-server");
     expect(spec.service.namespace).toBe("kube-system");
     expect(spec.group).toBe("metrics.k8s.io");
@@ -2220,14 +2226,14 @@ describe("MetricsServer", () => {
 
   test("aggregated clusterRole has aggregate labels", () => {
     const result = MetricsServer({});
-    const labels = (result.aggregatedClusterRole.metadata as any).labels;
+    const labels = (p(result.aggregatedClusterRole).metadata as any).labels;
     expect(labels["rbac.authorization.k8s.io/aggregate-to-admin"]).toBe("true");
     expect(labels["rbac.authorization.k8s.io/aggregate-to-view"]).toBe("true");
   });
 
   test("custom image and replicas", () => {
     const result = MetricsServer({ image: "custom:v1", replicas: 2 });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     expect(spec.replicas).toBe(2);
     expect(spec.template.spec.containers[0].image).toBe("custom:v1");
   });
@@ -2250,7 +2256,7 @@ describe("BatchJob securityContext", () => {
       image: "migrate:1.0",
       securityContext: pssSecurityContext,
     });
-    const spec = result.job.spec as any;
+    const spec = p(result.job).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2267,7 +2273,7 @@ describe("CronWorkload securityContext", () => {
       schedule: "0 2 * * *",
       securityContext: pssSecurityContext,
     });
-    const spec = result.cronJob.spec as any;
+    const spec = p(result.cronJob).spec as any;
     const sc = spec.jobTemplate.spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2284,7 +2290,7 @@ describe("NodeAgent securityContext", () => {
       rbacRules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get"] }],
       securityContext: pssSecurityContext,
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2299,7 +2305,7 @@ describe("ConfiguredApp securityContext", () => {
       image: "api:1.0",
       securityContext: pssSecurityContext,
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2316,7 +2322,7 @@ describe("SidecarApp securityContext", () => {
       sidecars: [{ name: "envoy", image: "envoy:1.0" }],
       securityContext: pssSecurityContext,
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2332,7 +2338,7 @@ describe("NetworkIsolatedApp securityContext", () => {
       image: "api:1.0",
       securityContext: pssSecurityContext,
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2348,7 +2354,7 @@ describe("MonitoredService securityContext", () => {
       image: "api:1.0",
       securityContext: pssSecurityContext,
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.allowPrivilegeEscalation).toBe(false);
@@ -2365,7 +2371,7 @@ describe("ExternalDnsAgent security defaults", () => {
       iamRoleArn: "arn:aws:iam::123456789012:role/test",
       domainFilters: ["example.com"],
     });
-    const spec = result.deployment.spec as any;
+    const spec = p(result.deployment).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.readOnlyRootFilesystem).toBe(true);
@@ -2380,7 +2386,7 @@ describe("FluentBitAgent security defaults", () => {
       region: "us-east-1",
       clusterName: "test",
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsUser).toBe(0);
     expect(sc.runAsNonRoot).toBeUndefined();
@@ -2395,7 +2401,7 @@ describe("AdotCollector security defaults", () => {
       region: "us-east-1",
       clusterName: "test",
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const sc = spec.template.spec.containers[0].securityContext;
     expect(sc.runAsNonRoot).toBe(true);
     expect(sc.runAsUser).toBe(10001);
@@ -2407,9 +2413,10 @@ describe("AdotCollector security defaults", () => {
 // ── Phase 3B: Composite serialization smoke tests ───────────────
 
 describe("Composite YAML serialization smoke tests", () => {
-  function serializeCompositeProps(props: Record<string, Record<string, unknown>>): string {
-    return Object.values(props)
-      .map((p) => emitYAML(p, 0))
+  function serializeCompositeProps(composite: Record<string, unknown>): string {
+    return Object.values(composite)
+      .filter((v) => v != null && typeof v === "object" && p(v as any) != null)
+      .map((v) => emitYAML(p(v as any), 0))
       .join("\n---\n");
   }
 
@@ -2462,7 +2469,7 @@ describe("Composite YAML serialization smoke tests", () => {
 describe("MetricsServer RBAC completeness", () => {
   test("clusterRole includes configmaps resource", () => {
     const result = MetricsServer({});
-    const rules = result.clusterRole.rules as any[];
+    const rules = p(result.clusterRole).rules as any[];
     const hasConfigmaps = rules.some((r: any) => r.resources?.includes("configmaps"));
     expect(hasConfigmaps).toBe(true);
   });
@@ -2476,7 +2483,7 @@ describe("AdotCollector command vs args", () => {
       region: "us-east-1",
       clusterName: "test",
     });
-    const spec = result.daemonSet.spec as any;
+    const spec = p(result.daemonSet).spec as any;
     const container = spec.template.spec.containers[0];
     // Config flag should be in args, not command
     expect(container.args).toContain("--config=/etc/adot/config.yaml");
@@ -2493,7 +2500,7 @@ describe("AdotCollector pipeline exporter separation", () => {
       clusterName: "test",
       exporters: ["cloudwatch", "xray"],
     });
-    const config = (result.configMap as any).data["config.yaml"] as string;
+    const config = (p(result.configMap) as any).data["config.yaml"] as string;
     // Extract metrics pipeline exporters line
     const metricsMatch = config.match(/metrics:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
     expect(metricsMatch).toBeDefined();
@@ -2508,7 +2515,7 @@ describe("AdotCollector pipeline exporter separation", () => {
       clusterName: "test",
       exporters: ["cloudwatch", "xray"],
     });
-    const config = (result.configMap as any).data["config.yaml"] as string;
+    const config = (p(result.configMap) as any).data["config.yaml"] as string;
     // Extract traces pipeline exporters line
     const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
     expect(tracesMatch).toBeDefined();
@@ -2523,7 +2530,7 @@ describe("AdotCollector pipeline exporter separation", () => {
       clusterName: "test",
       exporters: ["cloudwatch"],
     });
-    const config = (result.configMap as any).data["config.yaml"] as string;
+    const config = (p(result.configMap) as any).data["config.yaml"] as string;
     // Traces pipeline should still have an exporter (fallback to awsxray)
     const tracesMatch = config.match(/traces:\s*\n\s*receivers:.*\n\s*processors:.*\n\s*exporters:\s*\[([^\]]+)\]/);
     expect(tracesMatch).toBeDefined();
@@ -2540,7 +2547,7 @@ describe("AdotCollector config structure", () => {
       region: "us-east-1",
       clusterName: "test",
     });
-    const config = (result.configMap as any).data["config.yaml"] as string;
+    const config = (p(result.configMap) as any).data["config.yaml"] as string;
     expect(config).toContain("receivers:");
     expect(config).toContain("exporters:");
     expect(config).toContain("processors:");
@@ -2559,7 +2566,7 @@ describe("WorkloadIdentityServiceAccount", () => {
   test("returns serviceAccount with Workload Identity annotation", () => {
     const result = WorkloadIdentityServiceAccount(minProps);
     expect(result.serviceAccount).toBeDefined();
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe("sa@my-project.iam.gserviceaccount.com");
   });
 
@@ -2576,18 +2583,18 @@ describe("WorkloadIdentityServiceAccount", () => {
     });
     expect(result.role).toBeDefined();
     expect(result.roleBinding).toBeDefined();
-    const role = result.role as any;
+    const role = p(result.role) as any;
     expect(role.rules[0].resources).toEqual(["secrets"]);
   });
 
   test("namespace propagated", () => {
     const result = WorkloadIdentityServiceAccount({ ...minProps, namespace: "prod" });
-    expect((result.serviceAccount.metadata as any).namespace).toBe("prod");
+    expect((p(result.serviceAccount).metadata as any).namespace).toBe("prod");
   });
 
   test("component labels", () => {
     const result = WorkloadIdentityServiceAccount(minProps);
-    expect((result.serviceAccount.metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
+    expect((p(result.serviceAccount).metadata as any).labels["app.kubernetes.io/component"]).toBe("service-account");
   });
 });
 
@@ -2597,37 +2604,37 @@ describe("GcePdStorageClass", () => {
   test("returns storageClass with GCE PD provisioner", () => {
     const result = GcePdStorageClass({ name: "pd-balanced" });
     expect(result.storageClass).toBeDefined();
-    expect((result.storageClass as any).provisioner).toBe("pd.csi.storage.gke.io");
+    expect((p(result.storageClass) as any).provisioner).toBe("pd.csi.storage.gke.io");
   });
 
   test("default type is pd-balanced", () => {
     const result = GcePdStorageClass({ name: "default" });
-    expect((result.storageClass as any).parameters.type).toBe("pd-balanced");
+    expect((p(result.storageClass) as any).parameters.type).toBe("pd-balanced");
   });
 
   test("custom type", () => {
     const result = GcePdStorageClass({ name: "ssd", type: "pd-ssd" });
-    expect((result.storageClass as any).parameters.type).toBe("pd-ssd");
+    expect((p(result.storageClass) as any).parameters.type).toBe("pd-ssd");
   });
 
   test("regional-pd replication type", () => {
     const result = GcePdStorageClass({ name: "regional", replicationType: "regional-pd" });
-    expect((result.storageClass as any).parameters["replication-type"]).toBe("regional-pd");
+    expect((p(result.storageClass) as any).parameters["replication-type"]).toBe("regional-pd");
   });
 
   test("no replication-type param when none", () => {
     const result = GcePdStorageClass({ name: "default" });
-    expect((result.storageClass as any).parameters["replication-type"]).toBeUndefined();
+    expect((p(result.storageClass) as any).parameters["replication-type"]).toBeUndefined();
   });
 
   test("allowVolumeExpansion default true", () => {
     const result = GcePdStorageClass({ name: "exp" });
-    expect((result.storageClass as any).allowVolumeExpansion).toBe(true);
+    expect((p(result.storageClass) as any).allowVolumeExpansion).toBe(true);
   });
 
   test("storageClass is cluster-scoped (no namespace)", () => {
     const result = GcePdStorageClass({ name: "sc" });
-    expect((result.storageClass.metadata as any).namespace).toBeUndefined();
+    expect((p(result.storageClass).metadata as any).namespace).toBeUndefined();
   });
 });
 
@@ -2636,27 +2643,27 @@ describe("GcePdStorageClass", () => {
 describe("FilestoreStorageClass", () => {
   test("returns storageClass with Filestore provisioner", () => {
     const result = FilestoreStorageClass({ name: "filestore" });
-    expect((result.storageClass as any).provisioner).toBe("filestore.csi.storage.gke.io");
+    expect((p(result.storageClass) as any).provisioner).toBe("filestore.csi.storage.gke.io");
   });
 
   test("default tier is standard", () => {
     const result = FilestoreStorageClass({ name: "fs" });
-    expect((result.storageClass as any).parameters.tier).toBe("standard");
+    expect((p(result.storageClass) as any).parameters.tier).toBe("standard");
   });
 
   test("custom tier", () => {
     const result = FilestoreStorageClass({ name: "premium-fs", tier: "premium" });
-    expect((result.storageClass as any).parameters.tier).toBe("premium");
+    expect((p(result.storageClass) as any).parameters.tier).toBe("premium");
   });
 
   test("network parameter set when provided", () => {
     const result = FilestoreStorageClass({ name: "fs", network: "my-vpc" });
-    expect((result.storageClass as any).parameters.network).toBe("my-vpc");
+    expect((p(result.storageClass) as any).parameters.network).toBe("my-vpc");
   });
 
   test("no network parameter by default", () => {
     const result = FilestoreStorageClass({ name: "fs" });
-    expect((result.storageClass as any).parameters.network).toBeUndefined();
+    expect((p(result.storageClass) as any).parameters.network).toBeUndefined();
   });
 });
 
@@ -2676,26 +2683,26 @@ describe("GkeGateway", () => {
 
   test("default gatewayClassName", () => {
     const result = GkeGateway(minProps);
-    const spec = result.gateway.spec as any;
+    const spec = p(result.gateway).spec as any;
     expect(spec.gatewayClassName).toBe("gke-l7-global-external-managed");
   });
 
   test("custom gatewayClassName", () => {
     const result = GkeGateway({ ...minProps, gatewayClassName: "gke-l7-rilb" });
-    const spec = result.gateway.spec as any;
+    const spec = p(result.gateway).spec as any;
     expect(spec.gatewayClassName).toBe("gke-l7-rilb");
   });
 
   test("HTTP listener when no certificate", () => {
     const result = GkeGateway(minProps);
-    const spec = result.gateway.spec as any;
+    const spec = p(result.gateway).spec as any;
     expect(spec.listeners[0].protocol).toBe("HTTP");
     expect(spec.listeners[0].port).toBe(80);
   });
 
   test("HTTPS listener with certificate", () => {
     const result = GkeGateway({ ...minProps, certificateName: "api-cert" });
-    const spec = result.gateway.spec as any;
+    const spec = p(result.gateway).spec as any;
     expect(spec.listeners[0].protocol).toBe("HTTPS");
     expect(spec.listeners[0].port).toBe(443);
     expect(spec.listeners[0].tls.certificateRefs[0].name).toBe("api-cert");
@@ -2703,27 +2710,27 @@ describe("GkeGateway", () => {
 
   test("httpRoute references parent gateway", () => {
     const result = GkeGateway(minProps);
-    const spec = result.httpRoute.spec as any;
+    const spec = p(result.httpRoute).spec as any;
     expect(spec.parentRefs[0].name).toBe("api-gateway");
   });
 
   test("httpRoute has hostnames", () => {
     const result = GkeGateway(minProps);
-    const spec = result.httpRoute.spec as any;
+    const spec = p(result.httpRoute).spec as any;
     expect(spec.hostnames).toEqual(["api.example.com"]);
   });
 
   test("httpRoute rules map to backend services", () => {
     const result = GkeGateway(minProps);
-    const spec = result.httpRoute.spec as any;
+    const spec = p(result.httpRoute).spec as any;
     expect(spec.rules[0].backendRefs[0].name).toBe("api");
     expect(spec.rules[0].backendRefs[0].port).toBe(80);
   });
 
   test("namespace propagated to both resources", () => {
     const result = GkeGateway({ ...minProps, namespace: "prod" });
-    expect((result.gateway.metadata as any).namespace).toBe("prod");
-    expect((result.httpRoute.metadata as any).namespace).toBe("prod");
+    expect((p(result.gateway).metadata as any).namespace).toBe("prod");
+    expect((p(result.httpRoute).metadata as any).namespace).toBe("prod");
   });
 });
 
@@ -2735,34 +2742,34 @@ describe("ConfigConnectorContext", () => {
   test("returns context with apiVersion and kind", () => {
     const result = ConfigConnectorContext(minProps);
     expect(result.context).toBeDefined();
-    expect((result.context as any).apiVersion).toBe("core.cnrm.cloud.google.com/v1beta1");
-    expect((result.context as any).kind).toBe("ConfigConnectorContext");
+    expect((p(result.context) as any).apiVersion).toBe("core.cnrm.cloud.google.com/v1beta1");
+    expect((p(result.context) as any).kind).toBe("ConfigConnectorContext");
   });
 
   test("googleServiceAccount in spec", () => {
     const result = ConfigConnectorContext(minProps);
-    const spec = (result.context as any).spec;
+    const spec = (p(result.context) as any).spec;
     expect(spec.googleServiceAccount).toBe("cnrm@my-project.iam.gserviceaccount.com");
   });
 
   test("default stateIntoSpec is absent", () => {
     const result = ConfigConnectorContext(minProps);
-    expect((result.context as any).spec.stateIntoSpec).toBe("absent");
+    expect((p(result.context) as any).spec.stateIntoSpec).toBe("absent");
   });
 
   test("custom stateIntoSpec", () => {
     const result = ConfigConnectorContext({ ...minProps, stateIntoSpec: "merge" });
-    expect((result.context as any).spec.stateIntoSpec).toBe("merge");
+    expect((p(result.context) as any).spec.stateIntoSpec).toBe("merge");
   });
 
   test("default namespace is default", () => {
     const result = ConfigConnectorContext(minProps);
-    expect((result.context as any).metadata.namespace).toBe("default");
+    expect((p(result.context) as any).metadata.namespace).toBe("default");
   });
 
   test("custom namespace", () => {
     const result = ConfigConnectorContext({ ...minProps, namespace: "config-connector" });
-    expect((result.context as any).metadata.namespace).toBe("config-connector");
+    expect((p(result.context) as any).metadata.namespace).toBe("config-connector");
   });
 });
 
@@ -2788,7 +2795,7 @@ describe("GkeFluentBitAgent", () => {
 
   test("SA has GKE Workload Identity annotation", () => {
     const result = GkeFluentBitAgent(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
       "fluent-bit@test-project.iam.gserviceaccount.com",
     );
@@ -2799,40 +2806,40 @@ describe("GkeFluentBitAgent", () => {
       clusterName: "test-cluster",
       projectId: "test-project",
     });
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations).toBeUndefined();
   });
 
   test("configMap uses stackdriver output", () => {
     const result = GkeFluentBitAgent(minProps);
-    const data = result.configMap.data as any;
+    const data = p(result.configMap).data as any;
     expect(data["fluent-bit.conf"]).toContain("stackdriver");
     expect(data["fluent-bit.conf"]).toContain("test-cluster");
   });
 
   test("default namespace is gke-logging", () => {
     const result = GkeFluentBitAgent(minProps);
-    expect((result.daemonSet.metadata as any).namespace).toBe("gke-logging");
-    expect((result.serviceAccount.metadata as any).namespace).toBe("gke-logging");
+    expect((p(result.daemonSet).metadata as any).namespace).toBe("gke-logging");
+    expect((p(result.serviceAccount).metadata as any).namespace).toBe("gke-logging");
   });
 
   test("common labels on all resources", () => {
     const result = GkeFluentBitAgent(minProps);
     for (const resource of [result.daemonSet, result.serviceAccount, result.clusterRole, result.clusterRoleBinding, result.configMap]) {
-      expect((resource.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+      expect((p(resource).metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
     }
   });
 
   test("DaemonSet mounts host log directory", () => {
     const result = GkeFluentBitAgent(minProps);
-    const spec = (result.daemonSet as any).spec.template.spec;
+    const spec = (p(result.daemonSet) as any).spec.template.spec;
     const varlog = spec.volumes.find((v: any) => v.name === "varlog");
     expect(varlog.hostPath.path).toBe("/var/log");
   });
 
   test("container runs as root for log access", () => {
     const result = GkeFluentBitAgent(minProps);
-    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    const container = (p(result.daemonSet) as any).spec.template.spec.containers[0];
     expect(container.securityContext.runAsUser).toBe(0);
     expect(container.securityContext.readOnlyRootFilesystem).toBe(true);
   });
@@ -2860,7 +2867,7 @@ describe("GkeOtelCollector", () => {
 
   test("SA has GKE Workload Identity annotation", () => {
     const result = GkeOtelCollector(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
       "otel@test-project.iam.gserviceaccount.com",
     );
@@ -2871,25 +2878,25 @@ describe("GkeOtelCollector", () => {
       clusterName: "test-cluster",
       projectId: "test-project",
     });
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations).toBeUndefined();
   });
 
   test("configMap uses googlecloud exporter", () => {
     const result = GkeOtelCollector(minProps);
-    const data = result.configMap.data as any;
+    const data = p(result.configMap).data as any;
     expect(data["config.yaml"]).toContain("googlecloud");
     expect(data["config.yaml"]).toContain("test-project");
   });
 
   test("default namespace is gke-monitoring", () => {
     const result = GkeOtelCollector(minProps);
-    expect((result.daemonSet.metadata as any).namespace).toBe("gke-monitoring");
+    expect((p(result.daemonSet).metadata as any).namespace).toBe("gke-monitoring");
   });
 
   test("container exposes OTLP ports", () => {
     const result = GkeOtelCollector(minProps);
-    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    const container = (p(result.daemonSet) as any).spec.template.spec.containers[0];
     const ports = container.ports.map((p: any) => p.containerPort);
     expect(ports).toContain(4317);
     expect(ports).toContain(4318);
@@ -2897,7 +2904,7 @@ describe("GkeOtelCollector", () => {
 
   test("container runs as non-root", () => {
     const result = GkeOtelCollector(minProps);
-    const container = (result.daemonSet as any).spec.template.spec.containers[0];
+    const container = (p(result.daemonSet) as any).spec.template.spec.containers[0];
     expect(container.securityContext.runAsNonRoot).toBe(true);
     expect(container.securityContext.runAsUser).toBe(10001);
   });
@@ -2905,7 +2912,7 @@ describe("GkeOtelCollector", () => {
   test("common labels on all resources", () => {
     const result = GkeOtelCollector(minProps);
     for (const resource of [result.daemonSet, result.serviceAccount, result.clusterRole, result.clusterRoleBinding, result.configMap]) {
-      expect((resource.metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
+      expect((p(resource).metadata as any).labels["app.kubernetes.io/managed-by"]).toBe("chant");
     }
   });
 });
@@ -2931,7 +2938,7 @@ describe("GkeExternalDnsAgent", () => {
 
   test("SA has GKE Workload Identity annotation", () => {
     const result = GkeExternalDnsAgent(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["iam.gke.io/gcp-service-account"]).toBe(
       "external-dns@test-project.iam.gserviceaccount.com",
     );
@@ -2939,36 +2946,36 @@ describe("GkeExternalDnsAgent", () => {
 
   test("uses google provider", () => {
     const result = GkeExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--provider=google");
   });
 
   test("passes google-project arg", () => {
     const result = GkeExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--google-project=test-project");
   });
 
   test("domain filters are applied", () => {
     const result = GkeExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--domain-filter=example.com");
   });
 
   test("txtOwnerId is applied when set", () => {
     const result = GkeExternalDnsAgent({ ...minProps, txtOwnerId: "my-cluster" });
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--txt-owner-id=my-cluster");
   });
 
   test("default namespace is kube-system", () => {
     const result = GkeExternalDnsAgent(minProps);
-    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+    expect((p(result.deployment).metadata as any).namespace).toBe("kube-system");
   });
 
   test("container runs as non-root", () => {
     const result = GkeExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.securityContext.runAsNonRoot).toBe(true);
     expect(container.securityContext.runAsUser).toBe(65534);
   });
@@ -2997,7 +3004,7 @@ describe("AksExternalDnsAgent", () => {
 
   test("SA has AKS Workload Identity annotation and label", () => {
     const result = AksExternalDnsAgent(minProps);
-    const meta = result.serviceAccount.metadata as any;
+    const meta = p(result.serviceAccount).metadata as any;
     expect(meta.annotations["azure.workload.identity/client-id"]).toBe(
       "00000000-0000-0000-0000-000000000000",
     );
@@ -3006,20 +3013,20 @@ describe("AksExternalDnsAgent", () => {
 
   test("uses azure provider", () => {
     const result = AksExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--provider=azure");
   });
 
   test("passes azure resource group and subscription", () => {
     const result = AksExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--azure-resource-group=test-rg");
     expect(container.args).toContain("--azure-subscription-id=11111111-1111-1111-1111-111111111111");
   });
 
   test("container has Azure env vars", () => {
     const result = AksExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     const envMap = Object.fromEntries(container.env.map((e: any) => [e.name, e.value]));
     expect(envMap.AZURE_TENANT_ID).toBe("22222222-2222-2222-2222-222222222222");
     expect(envMap.AZURE_SUBSCRIPTION_ID).toBe("11111111-1111-1111-1111-111111111111");
@@ -3028,24 +3035,24 @@ describe("AksExternalDnsAgent", () => {
 
   test("pod labels include workload identity use label", () => {
     const result = AksExternalDnsAgent(minProps);
-    const podLabels = (result.deployment as any).spec.template.metadata.labels;
+    const podLabels = (p(result.deployment) as any).spec.template.metadata.labels;
     expect(podLabels["azure.workload.identity/use"]).toBe("true");
   });
 
   test("domain filters are applied", () => {
     const result = AksExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.args).toContain("--domain-filter=example.com");
   });
 
   test("default namespace is kube-system", () => {
     const result = AksExternalDnsAgent(minProps);
-    expect((result.deployment.metadata as any).namespace).toBe("kube-system");
+    expect((p(result.deployment).metadata as any).namespace).toBe("kube-system");
   });
 
   test("container runs as non-root", () => {
     const result = AksExternalDnsAgent(minProps);
-    const container = (result.deployment as any).spec.template.spec.containers[0];
+    const container = (p(result.deployment) as any).spec.template.spec.containers[0];
     expect(container.securityContext.runAsNonRoot).toBe(true);
     expect(container.securityContext.runAsUser).toBe(65534);
   });
@@ -3075,19 +3082,19 @@ describe("CockroachDbCluster", () => {
 
   test("default replicas is 3", () => {
     const result = CockroachDbCluster(minProps);
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.replicas).toBe(3);
   });
 
   test("default image is cockroachdb/cockroach:v24.3.0", () => {
     const result = CockroachDbCluster(minProps);
-    const container = (result.statefulSet.spec as any).template.spec.containers[0];
+    const container = (p(result.statefulSet).spec as any).template.spec.containers[0];
     expect(container.image).toBe("cockroachdb/cockroach:v24.3.0");
   });
 
   test("StatefulSet has correct ports (26257+8080)", () => {
     const result = CockroachDbCluster(minProps);
-    const container = (result.statefulSet.spec as any).template.spec.containers[0];
+    const container = (p(result.statefulSet).spec as any).template.spec.containers[0];
     const ports = container.ports.map((p: any) => p.containerPort);
     expect(ports).toContain(26257);
     expect(ports).toContain(8080);
@@ -3095,36 +3102,36 @@ describe("CockroachDbCluster", () => {
 
   test("StatefulSet has PVC with default 100Gi storage", () => {
     const result = CockroachDbCluster(minProps);
-    const vct = (result.statefulSet.spec as any).volumeClaimTemplates[0];
+    const vct = (p(result.statefulSet).spec as any).volumeClaimTemplates[0];
     expect(vct.spec.resources.requests.storage).toBe("100Gi");
     expect(vct.spec.accessModes).toEqual(["ReadWriteOnce"]);
   });
 
   test("headless service has clusterIP None and publishNotReadyAddresses", () => {
     const result = CockroachDbCluster(minProps);
-    const spec = result.headlessService.spec as any;
+    const spec = p(result.headlessService).spec as any;
     expect(spec.clusterIP).toBe("None");
     expect(spec.publishNotReadyAddresses).toBe(true);
   });
 
   test("public service has ClusterIP type with both ports", () => {
     const result = CockroachDbCluster(minProps);
-    const spec = result.publicService.spec as any;
+    const spec = p(result.publicService).spec as any;
     expect(spec.type).toBe("ClusterIP");
-    const ports = spec.ports.map((p: any) => p.port);
+    const ports = spec.ports.map((pt: any) => pt.port);
     expect(ports).toContain(26257);
     expect(ports).toContain(8080);
   });
 
   test("PDB has maxUnavailable 1", () => {
     const result = CockroachDbCluster(minProps);
-    const spec = result.pdb.spec as any;
+    const spec = p(result.pdb).spec as any;
     expect(spec.maxUnavailable).toBe(1);
   });
 
   test("StatefulSet has pod anti-affinity", () => {
     const result = CockroachDbCluster(minProps);
-    const affinity = (result.statefulSet.spec as any).template.spec.affinity;
+    const affinity = (p(result.statefulSet).spec as any).template.spec.affinity;
     expect(affinity.podAntiAffinity).toBeDefined();
   });
 
@@ -3135,7 +3142,7 @@ describe("CockroachDbCluster", () => {
       image: "cockroachdb/cockroach:v23.2.0",
       storageSize: "200Gi",
     });
-    const spec = result.statefulSet.spec as any;
+    const spec = p(result.statefulSet).spec as any;
     expect(spec.replicas).toBe(5);
     expect(spec.template.spec.containers[0].image).toBe("cockroachdb/cockroach:v23.2.0");
     expect(spec.volumeClaimTemplates[0].spec.resources.requests.storage).toBe("200Gi");
@@ -3144,42 +3151,41 @@ describe("CockroachDbCluster", () => {
   test("joinAddresses appear in container args", () => {
     const joins = ["crdb-0.crdb.ns.svc.cluster.local", "crdb-1.crdb.ns.svc.cluster.local"];
     const result = CockroachDbCluster({ name: "crdb", joinAddresses: joins });
-    const args = (result.statefulSet.spec as any).template.spec.containers[0].args as string[];
-    const joinArg = args.find((a: string) => a.startsWith("--join="));
-    expect(joinArg).toBeDefined();
-    expect(joinArg).toContain("crdb-0.crdb.ns.svc.cluster.local");
-    expect(joinArg).toContain("crdb-1.crdb.ns.svc.cluster.local");
+    const cmd = (p(result.statefulSet).spec as any).template.spec.containers[0].args[0] as string;
+    expect(cmd).toContain("--join=");
+    expect(cmd).toContain("crdb-0.crdb.ns.svc.cluster.local");
+    expect(cmd).toContain("crdb-1.crdb.ns.svc.cluster.local");
   });
 
   test("locality appears in container args when set", () => {
     const result = CockroachDbCluster({ name: "crdb", locality: "cloud=aws,region=us-east-1" });
-    const args = (result.statefulSet.spec as any).template.spec.containers[0].args as string[];
-    expect(args).toContain("--locality=cloud=aws,region=us-east-1");
+    const cmd = (p(result.statefulSet).spec as any).template.spec.containers[0].args[0] as string;
+    expect(cmd).toContain("--locality=cloud=aws,region=us-east-1");
   });
 
   test("namespace is set on all namespaced resources", () => {
     const result = CockroachDbCluster({ name: "crdb", namespace: "crdb-eks" });
     for (const key of ["serviceAccount", "role", "roleBinding", "publicService", "headlessService", "pdb", "statefulSet", "initJob", "certGenJob"] as const) {
-      expect((result[key].metadata as any).namespace).toBe("crdb-eks");
+      expect((p(result[key]).metadata as any).namespace).toBe("crdb-eks");
     }
   });
 
   test("cluster-scoped resources do not have namespace", () => {
     const result = CockroachDbCluster({ name: "crdb", namespace: "crdb-eks" });
-    expect((result.clusterRole.metadata as any).namespace).toBeUndefined();
-    expect((result.clusterRoleBinding.metadata as any).namespace).toBeUndefined();
+    expect((p(result.clusterRole).metadata as any).namespace).toBeUndefined();
+    expect((p(result.clusterRoleBinding).metadata as any).namespace).toBeUndefined();
   });
 
   test("includes common labels", () => {
     const result = CockroachDbCluster(minProps);
-    const meta = result.statefulSet.metadata as any;
+    const meta = p(result.statefulSet).metadata as any;
     expect(meta.labels["app.kubernetes.io/name"]).toBe("cockroachdb");
     expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 
   test("secure mode mounts certs volume", () => {
     const result = CockroachDbCluster({ name: "crdb", secure: true });
-    const spec = (result.statefulSet.spec as any).template.spec;
+    const spec = (p(result.statefulSet).spec as any).template.spec;
     expect(spec.volumes).toBeDefined();
     const certsVol = spec.volumes.find((v: any) => v.name === "certs");
     expect(certsVol).toBeDefined();
@@ -3188,32 +3194,32 @@ describe("CockroachDbCluster", () => {
 
   test("insecure mode omits certs volume", () => {
     const result = CockroachDbCluster({ name: "crdb", secure: false });
-    const spec = (result.statefulSet.spec as any).template.spec;
+    const spec = (p(result.statefulSet).spec as any).template.spec;
     expect(spec.volumes).toBeUndefined();
-    const args = spec.containers[0].args as string[];
-    expect(args).toContain("--insecure");
+    const cmd = spec.containers[0].args[0] as string;
+    expect(cmd).toContain("--insecure");
   });
 
   test("storageClassName is set when provided", () => {
     const result = CockroachDbCluster({ name: "crdb", storageClassName: "gp3-encrypted" });
-    const vct = (result.statefulSet.spec as any).volumeClaimTemplates[0];
+    const vct = (p(result.statefulSet).spec as any).volumeClaimTemplates[0];
     expect(vct.spec.storageClassName).toBe("gp3-encrypted");
   });
 
   test("init job references correct host", () => {
     const result = CockroachDbCluster({ name: "crdb" });
-    const container = (result.initJob.spec as any).template.spec.containers[0];
+    const container = (p(result.initJob).spec as any).template.spec.containers[0];
     expect(container.args).toContain("--host=crdb-0.crdb");
   });
 
   test("StatefulSet uses Parallel podManagementPolicy", () => {
     const result = CockroachDbCluster(minProps);
-    expect((result.statefulSet.spec as any).podManagementPolicy).toBe("Parallel");
+    expect((p(result.statefulSet).spec as any).podManagementPolicy).toBe("Parallel");
   });
 
   test("cert-gen job uses same image as StatefulSet", () => {
     const result = CockroachDbCluster({ name: "crdb", image: "cockroachdb/cockroach:v23.2.0" });
-    const container = (result.certGenJob.spec as any).template.spec.containers[0];
+    const container = (p(result.certGenJob).spec as any).template.spec.containers[0];
     expect(container.image).toBe("cockroachdb/cockroach:v23.2.0");
   });
 });