@intentius/chant-lexicon-k8s 0.1.14 → 0.1.16

package/README.md

@@ -17,7 +17,6 @@ npm install --save-dev @intentius/chant @intentius/chant-lexicon-k8s
 | [@intentius/chant](https://www.npmjs.com/package/@intentius/chant) | Core type system, CLI, build pipeline |
 | [@intentius/chant-lexicon-aws](https://www.npmjs.com/package/@intentius/chant-lexicon-aws) | AWS CloudFormation lexicon |
 | [@intentius/chant-lexicon-gitlab](https://www.npmjs.com/package/@intentius/chant-lexicon-gitlab) | GitLab CI lexicon |
-| [@intentius/chant-lexicon-flyway](https://www.npmjs.com/package/@intentius/chant-lexicon-flyway) | Flyway migration lexicon |
 
 ## License
 

package/dist/integrity.json

@@ -1,12 +1,19 @@
 {
   "algorithm": "sha256",
   "artifacts": {
-    "manifest.json": "9f24df6eb8cca76630d9dbb22431ef5d0ed6e0281e5c6ccf4d893bb032c9b4e1",
-    "meta.json": "970c70eb6eea1686f7cb8ce6ceccc46ce2e57d696d344f1dd52460e266f9a56c",
-    "types/index.d.ts": "07473e029254345488bc9952585e88bcf18da79d1026cc26744027683f472554",
+    "manifest.json": "ac0a7f483cd0bf803770c6f429b2adf60dcd3ca77dac1d784d14ea73381c1cb5",
+    "meta.json": "b16aba17feef7b62df4057b714b51e34f88330a843d77e3904ea207d6bb073c5",
+    "types/index.d.ts": "be4a0a86c911d4407a22f1c252850d35d87c1234fac46eec8a0aebee248d60f5",
+    "rules/argo-appset-single-project.ts": "afa9f310753aa2d475f35012b13135b2dfaebed2a35d44edbe185ebc07673674",
+    "rules/argo-ast.ts": "f57b7d84fef9c9cd326a7cad0dff290914e01299415d64bdab48e2f6eb4181c3",
+    "rules/argo-automated-prune.ts": "176ac5441c3ccb7106a194abab3abe22fd8a29f976716761c66c243b72d57b14",
     "rules/hardcoded-namespace.ts": "ba3f43f2adbffdd87db20a2c45839354ceecda1b9f04f29ae31c4c077dddc7ec",
     "rules/latest-image-tag.ts": "9dd961b791b4f424fc4edcdbdce69ad30476dc1cd03f66b8c8e19cb5f8a4082d",
     "rules/missing-resource-limits.ts": "d64b5ed1c7c87d60e38eecfdad7668620222bbaf6ff6f4860adf54e816265bb2",
+    "rules/argo-helpers.ts": "9d665bf15443740bc0e1f5655e4380bf619d11025b7e0baaeffc2ee884266b45",
+    "rules/argo002.ts": "d2f07daabfc7a4624d3d60ea151fd2380d43f1578dd6a17825f6f6e0ebc610ba",
+    "rules/argo003.ts": "a61024fbd3db772eface6b2e4fee618a5818f12a1050faea8e358e0fdc992396",
+    "rules/argo005.ts": "611ea489e005e3ead925013e636f0d7c6899fd0ce68c59a97541fc6fe4e8d25c",
     "rules/k8s-helpers.ts": "d7d5020bc9b47bfb1827e8c8cb13ad1d406890d08a964a521c9fbcb93b230827",
     "rules/wk8005.ts": "71c3f6e68da973c466b2d5cf109bf4728b1671794aeca8e8fde79c80c8715ec1",
     "rules/wk8006.ts": "8705b24db14c9af12c6c45c5a8ecb5f4f427a5f76706ac2c82ba2949d41c498c",
@@ -25,7 +32,7 @@
     "rules/wk8207.ts": "e82dbf47e20fc186a105069b5923a8532553f236c58178332f9264f39ac31390",
     "rules/wk8208.ts": "0e9d654fa70f9ee91de4711df43689fcee4fde831ce0eb0081fdc4753632e9dd",
     "rules/wk8209.ts": "617324b7988a7c842502c9e76388412c5855dcd321e40a2df6039c9faf87ac47",
-    "rules/wk8301.ts": "12321c2b217db4a1f8842844e0d9875def589e54056dd66d6c0f4a65e50e1213",
+    "rules/wk8301.ts": "b7293376340ae511d6bec1691356558c38e2d42f5823e599125fdce1ddeefea6",
     "rules/wk8302.ts": "3e8e336e72618b543c3208f9b2b7a582b4535d3d284481cc6c77812c35812e71",
     "rules/wk8303.ts": "fdf8b072063359d2e654b1e810491738316eae01e85f9d18df1c341578caf2a6",
     "rules/wk8304.ts": "fd98b1bd1e62713b29af5fbb8e45d8ddf2b8b751eab1819caa9ea813efb9e54d",
@@ -40,7 +47,8 @@
     "skills/chant-k8s-security.md": "f4250284000fde0d380192ba4cd73f2190471da2142e3bf77d848881552807f7",
     "skills/chant-k8s-eks.md": "c391217039b35d1c9d88214e2cb7b8c1166331d6ab26996f5f7d907027508ab9",
     "skills/chant-k8s-gke.md": "8938840bf9ef5ed58d6333fdd773b3dd54ecaf25a9df35e58f7f5c3355d4928f",
-    "skills/chant-k8s-aks.md": "e18f0e2b055f72cd7a37deaf258d7027c2d4d3e286e8fd4975b27a1f981a3ad9"
+    "skills/chant-k8s-aks.md": "e18f0e2b055f72cd7a37deaf258d7027c2d4d3e286e8fd4975b27a1f981a3ad9",
+    "skills/chant-k8s-argo.md": "b1a0b826559d8c5033a479c5781efaf650320f0aee4419d8841170bd3393cea5"
   },
-  "composite": "12b0f3bc1b1e0cc82a5004133dc87e23c2943e62af01293b855e73a00cd8a58f"
+  "composite": "dbeeb60c7e3490151a54580d4fb83094de74efa196f6f98aab1770f2efe3dba6"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/dist/meta.json

@@ -46,6 +46,137 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "AppProject": {
+    "resourceType": "K8s::Argo::AppProject",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "argoproj.io/v1alpha1",
+    "gvkKind": "AppProject"
+  },
+  "AppProject_ClusterResourceBlacklist": {
+    "resourceType": "K8s::Argo::AppProject.clusterResourceBlacklist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_ClusterResourceWhitelist": {
+    "resourceType": "K8s::Argo::AppProject.clusterResourceWhitelist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_Destination": {
+    "resourceType": "K8s::Argo::AppProject.destinations",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_DestinationServiceAccount": {
+    "resourceType": "K8s::Argo::AppProject.destinationServiceAccounts",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_NamespaceResourceBlacklist": {
+    "resourceType": "K8s::Argo::AppProject.namespaceResourceBlacklist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_NamespaceResourceWhitelist": {
+    "resourceType": "K8s::Argo::AppProject.namespaceResourceWhitelist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_OrphanedResources": {
+    "resourceType": "K8s::Argo::AppProject.orphanedResources",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_Role": {
+    "resourceType": "K8s::Argo::AppProject.roles",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_SignatureKey": {
+    "resourceType": "K8s::Argo::AppProject.signatureKeys",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "AppProject_SyncWindow": {
+    "resourceType": "K8s::Argo::AppProject.syncWindows",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application": {
+    "resourceType": "K8s::Argo::Application",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "argoproj.io/v1alpha1",
+    "gvkKind": "Application"
+  },
+  "ApplicationSet": {
+    "resourceType": "K8s::Argo::ApplicationSet",
+    "kind": "resource",
+    "lexicon": "k8s",
+    "apiVersion": "argoproj.io/v1alpha1",
+    "gvkKind": "ApplicationSet"
+  },
+  "ApplicationSet_Generator": {
+    "resourceType": "K8s::Argo::ApplicationSet.generators",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ApplicationSet_IgnoreApplicationDifference": {
+    "resourceType": "K8s::Argo::ApplicationSet.ignoreApplicationDifferences",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ApplicationSet_PreservedFields": {
+    "resourceType": "K8s::Argo::ApplicationSet.preservedFields",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ApplicationSet_Strategy": {
+    "resourceType": "K8s::Argo::ApplicationSet.strategy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ApplicationSet_SyncPolicy": {
+    "resourceType": "K8s::Argo::ApplicationSet.syncPolicy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ApplicationSet_Template": {
+    "resourceType": "K8s::Argo::ApplicationSet.template",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_Destination": {
+    "resourceType": "K8s::Argo::Application.destination",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_IgnoreDifference": {
+    "resourceType": "K8s::Argo::Application.ignoreDifferences",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_Info": {
+    "resourceType": "K8s::Argo::Application.info",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_Source": {
+    "resourceType": "K8s::Argo::Application.source",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_Sources": {
+    "resourceType": "K8s::Argo::Application.sources",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Application_SyncPolicy": {
+    "resourceType": "K8s::Argo::Application.syncPolicy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "AutoscalerOptions": {
     "resourceType": "K8s::Ray::RayCluster.autoscalerOptions",
     "kind": "property",
@@ -133,6 +264,16 @@
     "apiVersion": "certificates.k8s.io/v1",
     "gvkKind": "CertificateSigningRequestList"
   },
+  "ClusterResourceBlacklist": {
+    "resourceType": "K8s::Argo::AppProject.clusterResourceBlacklist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "ClusterResourceWhitelist": {
+    "resourceType": "K8s::Argo::AppProject.clusterResourceWhitelist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "ClusterRole": {
     "resourceType": "K8s::Rbac::ClusterRole",
     "kind": "resource",
@@ -325,6 +466,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "DestinationServiceAccount": {
+    "resourceType": "K8s::Argo::AppProject.destinationServiceAccounts",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "DeviceClass": {
     "resourceType": "K8s::Resource::DeviceClass",
     "kind": "resource",
@@ -449,6 +595,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "Generator": {
+    "resourceType": "K8s::Argo::ApplicationSet.generators",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "HPA": {
     "resourceType": "K8s::Autoscaling::HorizontalPodAutoscaler",
     "kind": "resource",
@@ -509,6 +660,21 @@
     "apiVersion": "networking.k8s.io/v1beta1",
     "gvkKind": "IPAddressList"
   },
+  "IgnoreApplicationDifference": {
+    "resourceType": "K8s::Argo::ApplicationSet.ignoreApplicationDifferences",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "IgnoreDifference": {
+    "resourceType": "K8s::Argo::Application.ignoreDifferences",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Info": {
+    "resourceType": "K8s::Argo::Application.info",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "Ing": {
     "resourceType": "K8s::Networking::Ingress",
     "kind": "resource",
@@ -678,6 +844,16 @@
     "apiVersion": "v1",
     "gvkKind": "NamespaceList"
   },
+  "NamespaceResourceBlacklist": {
+    "resourceType": "K8s::Argo::AppProject.namespaceResourceBlacklist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "NamespaceResourceWhitelist": {
+    "resourceType": "K8s::Argo::AppProject.namespaceResourceWhitelist",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "NetPol": {
     "resourceType": "K8s::Networking::NetworkPolicy",
     "kind": "resource",
@@ -756,6 +932,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "OrphanedResources": {
+    "resourceType": "K8s::Argo::AppProject.orphanedResources",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "PDB": {
     "resourceType": "K8s::Policy::PodDisruptionBudget",
     "kind": "resource",
@@ -899,6 +1080,11 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "PreservedFields": {
+    "resourceType": "K8s::Argo::ApplicationSet.preservedFields",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "PriorityClass": {
     "resourceType": "K8s::Scheduling::PriorityClass",
     "kind": "resource",
@@ -1330,6 +1516,21 @@
       }
     }
   },
+  "SignatureKey": {
+    "resourceType": "K8s::Argo::AppProject.signatureKeys",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Source": {
+    "resourceType": "K8s::Argo::Application.source",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
+  "Sources": {
+    "resourceType": "K8s::Argo::Application.sources",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "StatefulSet": {
     "resourceType": "K8s::Apps::StatefulSet",
     "kind": "resource",
@@ -1370,6 +1571,11 @@
     "apiVersion": "storage.k8s.io/v1",
     "gvkKind": "StorageClassList"
   },
+  "Strategy": {
+    "resourceType": "K8s::Argo::ApplicationSet.strategy",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "Subject": {
     "resourceType": "K8s::Rbac::Subject",
     "kind": "property",
@@ -1392,11 +1598,21 @@
     "kind": "property",
     "lexicon": "k8s"
   },
+  "SyncWindow": {
+    "resourceType": "K8s::Argo::AppProject.syncWindows",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "TCPSocketAction": {
     "resourceType": "K8s::Core::TCPSocketAction",
     "kind": "property",
     "lexicon": "k8s"
   },
+  "Template": {
+    "resourceType": "K8s::Argo::ApplicationSet.template",
+    "kind": "property",
+    "lexicon": "k8s"
+  },
   "TokenRequest": {
     "resourceType": "K8s::Authentication::TokenRequest",
     "kind": "resource",

package/dist/rules/argo-appset-single-project.ts

@@ -0,0 +1,66 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import { findResourceLiterals, getNestedObject, getNestedString, lineCol } from "./argo-ast";
+
+/**
+ * ARGO004: ApplicationSet template must scope to a single AppProject
+ *
+ * An `ApplicationSet` generates many Applications from one template. The
+ * template's `spec.project` should name a single, static `AppProject` so every
+ * generated Application lands in the same security boundary. If `project` is
+ * missing, the generated Applications fall back to whatever default and dodge
+ * project-level RBAC; if it is templated with a generator placeholder
+ * (`{{...}}`) the set sprays Applications across many projects, which defeats
+ * the point of an AppProject as a guardrail.
+ *
+ * Bad:  new ApplicationSet({ spec: { template: { spec: { repoURL: "..." } } } })          // no project
+ * Bad:  new ApplicationSet({ spec: { template: { spec: { project: "{{path.basename}}" } } } }) // templated
+ * Good: new ApplicationSet({ spec: { template: { spec: { project: "team-a" } } } })
+ */
+
+export const argoAppSetSingleProjectRule: LintRule = {
+  id: "ARGO004",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "ApplicationSet template must scope to a single static AppProject (spec.template.spec.project)",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    for (const { literal } of findResourceLiterals(sourceFile, new Set(["ApplicationSet"]))) {
+      const templateSpec = getNestedObject(literal, ["spec", "template", "spec"]);
+      // No template/spec to inspect — leave it to other tooling.
+      if (!templateSpec) continue;
+
+      const project = getNestedString(literal, ["spec", "template", "spec", "project"]);
+      const { line, column } = lineCol(sourceFile, templateSpec);
+
+      if (project === undefined) {
+        diagnostics.push({
+          file: sourceFile.fileName,
+          line,
+          column,
+          ruleId: "ARGO004",
+          severity: "warning",
+          message:
+            "ApplicationSet template has no spec.project — scope it to a single AppProject so every generated Application inherits the same RBAC boundary.",
+        });
+        continue;
+      }
+
+      if (project.includes("{{")) {
+        diagnostics.push({
+          file: sourceFile.fileName,
+          line,
+          column,
+          ruleId: "ARGO004",
+          severity: "warning",
+          message: `ApplicationSet template scopes spec.project to a generator placeholder ("${project}"), spraying Applications across projects. Pin it to a single static AppProject.`,
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/argo-ast.ts

@@ -0,0 +1,121 @@
+/**
+ * Shared AST helpers for the Argo declarative lint rules (ARGO001, ARGO004).
+ *
+ * The Argo CRDs are constructed like any other k8s resource —
+ * `new Application({ metadata, spec })` / `new ApplicationSet({ ... })`. These
+ * helpers walk the object-literal first argument so a rule can read a nested
+ * property by path without re-implementing the traversal each time.
+ */
+import * as ts from "typescript";
+
+/**
+ * Find the object-literal first argument of every `new <Kind>(...)` expression
+ * in the file, where Kind is one of the supplied resource kinds.
+ */
+export function findResourceLiterals(
+  sourceFile: ts.SourceFile,
+  kinds: Set<string>,
+): Array<{ kind: string; literal: ts.ObjectLiteralExpression; node: ts.NewExpression }> {
+  const found: Array<{ kind: string; literal: ts.ObjectLiteralExpression; node: ts.NewExpression }> = [];
+
+  function visit(node: ts.Node): void {
+    if (
+      ts.isNewExpression(node) &&
+      ts.isIdentifier(node.expression) &&
+      kinds.has(node.expression.text) &&
+      node.arguments &&
+      node.arguments.length > 0 &&
+      ts.isObjectLiteralExpression(node.arguments[0])
+    ) {
+      found.push({
+        kind: node.expression.text,
+        literal: node.arguments[0],
+        node,
+      });
+    }
+    ts.forEachChild(node, visit);
+  }
+
+  visit(sourceFile);
+  return found;
+}
+
+/** Read the initializer node for `key` on an object literal, if present. */
+export function getProp(
+  obj: ts.ObjectLiteralExpression,
+  key: string,
+): ts.Expression | undefined {
+  for (const prop of obj.properties) {
+    if (
+      ts.isPropertyAssignment(prop) &&
+      (ts.isIdentifier(prop.name) || ts.isStringLiteral(prop.name)) &&
+      prop.name.text === key
+    ) {
+      return prop.initializer;
+    }
+  }
+  return undefined;
+}
+
+/** Read a nested object literal by walking `path` (each segment an object). */
+export function getNestedObject(
+  obj: ts.ObjectLiteralExpression,
+  path: string[],
+): ts.ObjectLiteralExpression | undefined {
+  let current: ts.ObjectLiteralExpression | undefined = obj;
+  for (const segment of path) {
+    if (!current) return undefined;
+    const next = getProp(current, segment);
+    current = next && ts.isObjectLiteralExpression(next) ? next : undefined;
+  }
+  return current;
+}
+
+/** Read a string-literal property value by path (last segment is the key). */
+export function getNestedString(
+  obj: ts.ObjectLiteralExpression,
+  path: string[],
+): string | undefined {
+  const key = path[path.length - 1];
+  const parent = getNestedObject(obj, path.slice(0, -1));
+  if (!parent) return undefined;
+  const value = getProp(parent, key);
+  return value && ts.isStringLiteral(value) ? value.text : undefined;
+}
+
+/** Read a boolean-literal property value by path (last segment is the key). */
+export function getNestedBoolean(
+  obj: ts.ObjectLiteralExpression,
+  path: string[],
+): boolean | undefined {
+  const key = path[path.length - 1];
+  const parent = getNestedObject(obj, path.slice(0, -1));
+  if (!parent) return undefined;
+  const value = getProp(parent, key);
+  if (!value) return undefined;
+  if (value.kind === ts.SyntaxKind.TrueKeyword) return true;
+  if (value.kind === ts.SyntaxKind.FalseKeyword) return false;
+  return undefined;
+}
+
+/**
+ * True if the literal carries the given annotation key under
+ * `metadata.annotations`, regardless of value.
+ */
+export function hasAnnotation(
+  obj: ts.ObjectLiteralExpression,
+  annotationKey: string,
+): boolean {
+  const annotations = getNestedObject(obj, ["metadata", "annotations"]);
+  if (!annotations) return false;
+  return getProp(annotations, annotationKey) !== undefined;
+}
+
+/** Line/column (1-based) for a node, for diagnostics. */
+export function lineCol(
+  sourceFile: ts.SourceFile,
+  node: ts.Node,
+): { line: number; column: number } {
+  const { line, character } = sourceFile.getLineAndCharacterOfPosition(node.getStart());
+  return { line: line + 1, column: character + 1 };
+}

package/dist/rules/argo-automated-prune.ts

@@ -0,0 +1,75 @@
+import type { LintRule, LintDiagnostic, LintContext } from "@intentius/chant/lint/rule";
+import {
+  findResourceLiterals,
+  getNestedBoolean,
+  getNestedString,
+  getProp,
+  hasAnnotation,
+  lineCol,
+} from "./argo-ast";
+import * as ts from "typescript";
+
+/**
+ * ARGO001: Production Application must not enable automated prune
+ *
+ * An Argo CD `Application` whose `syncPolicy.automated.prune` is `true` lets the
+ * controller delete live resources that disappear from git. On a production
+ * Application that is a foot-gun — a bad merge can sweep away running
+ * infrastructure. Require `prune: false` for prod Applications unless the author
+ * opts in explicitly with the `argocd.chant.dev/allow-prune` annotation.
+ *
+ * "Production" is inferred from the Application name, its `metadata.namespace`,
+ * or its `spec.destination.namespace` containing `prod`.
+ *
+ * Bad:  new Application({ metadata: { name: "api-prod" }, spec: { syncPolicy: { automated: { prune: true } } } })
+ * Good: new Application({ metadata: { name: "api-prod" }, spec: { syncPolicy: { automated: { prune: false } } } })
+ * Good: new Application({ metadata: { name: "api-prod", annotations: { "argocd.chant.dev/allow-prune": "true" } }, spec: { syncPolicy: { automated: { prune: true } } } })
+ */
+
+export const ALLOW_PRUNE_ANNOTATION = "argocd.chant.dev/allow-prune";
+
+function looksProd(obj: ts.ObjectLiteralExpression): boolean {
+  const candidates = [
+    getNestedString(obj, ["metadata", "name"]),
+    getNestedString(obj, ["metadata", "namespace"]),
+    getNestedString(obj, ["spec", "destination", "namespace"]),
+  ];
+  return candidates.some((v) => v !== undefined && /prod/i.test(v));
+}
+
+export const argoAutomatedPruneRule: LintRule = {
+  id: "ARGO001",
+  severity: "warning",
+  category: "correctness",
+  description:
+    "Production Argo Application must not enable syncPolicy.automated.prune without the allow-prune override annotation",
+
+  check(context: LintContext): LintDiagnostic[] {
+    const { sourceFile } = context;
+    const diagnostics: LintDiagnostic[] = [];
+
+    for (const { literal } of findResourceLiterals(sourceFile, new Set(["Application"]))) {
+      const prune = getNestedBoolean(literal, ["spec", "syncPolicy", "automated", "prune"]);
+      if (prune !== true) continue;
+      if (!looksProd(literal)) continue;
+      if (hasAnnotation(literal, ALLOW_PRUNE_ANNOTATION)) continue;
+
+      // Anchor the diagnostic at the `prune` assignment when we can find it.
+      const automated = getProp(literal, "spec");
+      const anchor: ts.Node = automated ?? literal;
+      const { line, column } = lineCol(sourceFile, anchor);
+
+      const name = getNestedString(literal, ["metadata", "name"]) ?? "(unnamed)";
+      diagnostics.push({
+        file: sourceFile.fileName,
+        line,
+        column,
+        ruleId: "ARGO001",
+        severity: "warning",
+        message: `Production Application "${name}" enables automated prune. Set syncPolicy.automated.prune=false, or opt in explicitly with the "${ALLOW_PRUNE_ANNOTATION}" annotation.`,
+      });
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/argo-helpers.ts

@@ -0,0 +1,49 @@
+/**
+ * Shared helpers for the Argo post-synth checks (ARGO002, ARGO003, ARGO005).
+ *
+ * Excluded from check auto-discovery by the "helper" filename filter.
+ */
+import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, parseK8sManifests, type K8sManifest } from "./k8s-helpers";
+
+/** The always-present, in-cluster Argo destination. */
+export const IN_CLUSTER_SERVER = "https://kubernetes.default.svc";
+export const IN_CLUSTER_NAME = "in-cluster";
+
+/** Label that marks a Secret as an Argo CD external cluster registration. */
+export const CLUSTER_SECRET_TYPE_LABEL = "argocd.argoproj.io/secret-type";
+
+/** All manifests across every lexicon output. */
+export function allManifests(ctx: PostSynthContext): K8sManifest[] {
+  const manifests: K8sManifest[] = [];
+  for (const [, output] of ctx.outputs) {
+    manifests.push(...parseK8sManifests(getPrimaryOutput(output)));
+  }
+  return manifests;
+}
+
+/** Manifests of a given Argo kind. */
+export function manifestsOfKind(manifests: K8sManifest[], kind: string): K8sManifest[] {
+  return manifests.filter((m) => m.kind === kind);
+}
+
+/**
+ * Read a string field from a Secret's stringData or data block.
+ * (Argo cluster Secrets conventionally use stringData.)
+ */
+export function secretField(manifest: K8sManifest, key: string): string | undefined {
+  const stringData = manifest.stringData as Record<string, unknown> | undefined;
+  const data = manifest.data as Record<string, unknown> | undefined;
+  const fromStringData = stringData?.[key];
+  if (typeof fromStringData === "string") return fromStringData;
+  const fromData = data?.[key];
+  if (typeof fromData === "string") return fromData;
+  return undefined;
+}
+
+/** True if the Secret is labelled as an Argo cluster registration. */
+export function isClusterSecret(manifest: K8sManifest): boolean {
+  if (manifest.kind !== "Secret") return false;
+  const labels = manifest.metadata?.labels;
+  return labels?.[CLUSTER_SECRET_TYPE_LABEL] === "cluster";
+}