@intentius/chant-lexicon-k8s 0.1.4 → 0.1.6

package/dist/integrity.json

@@ -1,46 +1,46 @@
 {
-  "algorithm": "xxhash64",
+  "algorithm": "sha256",
   "artifacts": {
-    "manifest.json": "ba34543f183fd269",
-    "meta.json": "939607658c0e8f4a",
-    "types/index.d.ts": "cbd8853f04c0849c",
-    "rules/hardcoded-namespace.ts": "54b216c71018e101",
-    "rules/missing-resource-limits.ts": "a6f776d2ff477948",
-    "rules/latest-image-tag.ts": "eb48e8d61e4ca84e",
-    "rules/wk8209.ts": "820df53f304e0a59",
-    "rules/wk8202.ts": "6bd950ae2128256c",
-    "rules/wk8208.ts": "1133f9e53c174ae9",
-    "rules/k8s-helpers.ts": "4611ed839c0219b5",
-    "rules/wk8302.ts": "a80d1eab37c0dbe4",
-    "rules/wk8205.ts": "d000527c6371a05",
-    "rules/wk8006.ts": "6e04f754f79f076e",
-    "rules/wk8305.ts": "5c4b9482a0f3b91d",
-    "rules/wk8204.ts": "9244d6fdd6d2f7d",
-    "rules/wk8402.ts": "83b420543e246d20",
-    "rules/wk8401.ts": "62d5acc6a674b8ed",
-    "rules/wk8201.ts": "4dbbd20e21b5fa04",
-    "rules/wk8104.ts": "94bd75c16b8d50b7",
-    "rules/wk8101.ts": "f8ffcf6e5c89076b",
-    "rules/wk8105.ts": "8dbcfe399f23656a",
-    "rules/wk8041.ts": "4df512c93caaef50",
-    "rules/wk8207.ts": "6f2bc621d530afa2",
-    "rules/wk8102.ts": "78d4aac387107b56",
-    "rules/wk8005.ts": "a9a1b93b80f3aa51",
-    "rules/wk8301.ts": "283265ab0c5b8511",
-    "rules/wk8304.ts": "f51bf894c5a08dbe",
-    "rules/wk8042.ts": "6064c84481ae8551",
-    "rules/wk8403.ts": "81397f7658d888a",
-    "rules/wk8103.ts": "e5d6a506d966e312",
-    "rules/wk8306.ts": "5338575bfb0f9251",
-    "rules/wk8203.ts": "f5bf17539c0428c5",
-    "rules/wk8303.ts": "c545464e2af8fbb9",
-    "skills/chant-k8s.md": "bf3ac0c5bddd5d2a",
-    "skills/chant-k8s-patterns.md": "c5151ed799145c4b",
-    "skills/chant-k8s-deployment-strategies.md": "74f179e7cdb15ed5",
-    "skills/chant-k8s-security.md": "f377edc5fe0a3587",
-    "skills/chant-k8s-eks.md": "f79f31f058c7f2ed",
-    "skills/chant-k8s-gke.md": "2f65ca45aef40c22",
-    "skills/chant-k8s-aks.md": "764fa4b1408b618d"
+    "manifest.json": "7c2c231f5582d9228dc65679781e924d847bb5e8bb09a8861b6ec41c73bb17af",
+    "meta.json": "970c70eb6eea1686f7cb8ce6ceccc46ce2e57d696d344f1dd52460e266f9a56c",
+    "types/index.d.ts": "07473e029254345488bc9952585e88bcf18da79d1026cc26744027683f472554",
+    "rules/hardcoded-namespace.ts": "ba3f43f2adbffdd87db20a2c45839354ceecda1b9f04f29ae31c4c077dddc7ec",
+    "rules/latest-image-tag.ts": "9dd961b791b4f424fc4edcdbdce69ad30476dc1cd03f66b8c8e19cb5f8a4082d",
+    "rules/missing-resource-limits.ts": "d64b5ed1c7c87d60e38eecfdad7668620222bbaf6ff6f4860adf54e816265bb2",
+    "rules/k8s-helpers.ts": "d7d5020bc9b47bfb1827e8c8cb13ad1d406890d08a964a521c9fbcb93b230827",
+    "rules/wk8005.ts": "71c3f6e68da973c466b2d5cf109bf4728b1671794aeca8e8fde79c80c8715ec1",
+    "rules/wk8006.ts": "8705b24db14c9af12c6c45c5a8ecb5f4f427a5f76706ac2c82ba2949d41c498c",
+    "rules/wk8041.ts": "e55f97a9e1bc407ca681366c1f9e3dd93b73bbff5f5593dfcf0991c068c28658",
+    "rules/wk8042.ts": "31ef0636bd036b09bfcec1d3b65da405288868732b3183c504a6cd1afc3d431a",
+    "rules/wk8101.ts": "2e4087bb89412e88a3208d82876e4b7fd45d2c7ac698c334bf2c110974e4a05e",
+    "rules/wk8102.ts": "d5b0a0b3f2f097ca9a0b20af935152c5962a27536b563344460729c22df0211f",
+    "rules/wk8103.ts": "2afae27ed705a9b1f6fd2380bf02b393597a20772166673b94fcf069df428da7",
+    "rules/wk8104.ts": "cb0033e65b7545b1f484691b0419d5f21777b2b64063b514b134f44e195fe209",
+    "rules/wk8105.ts": "1e52f22cdb9683bc8ed2da56ff68daf8d9fcfa00aacd551c5d7985103206b9ac",
+    "rules/wk8201.ts": "594a8f353ffb30e356a12bc1414f59c5c61da421701e3e59b9e1064fe5ff3442",
+    "rules/wk8202.ts": "54fbc1f31ceb949b50ae898da5c97d6cedcd1b4c1bfc07c54b582f57ceb5ccf2",
+    "rules/wk8203.ts": "3ac5b7c7090ae225dd3fee36ba0fef9cff4904a9658d1fcbb4b8268aa1833259",
+    "rules/wk8204.ts": "464e1d1723a09fbbecb593f559873ce9b3555cd704b731916b31fb6f7c3c5880",
+    "rules/wk8205.ts": "1721e8fae72163ef38cfd72aaceaf0b7b87cf758488a2cbee9e48cfd082e8589",
+    "rules/wk8207.ts": "e82dbf47e20fc186a105069b5923a8532553f236c58178332f9264f39ac31390",
+    "rules/wk8208.ts": "0e9d654fa70f9ee91de4711df43689fcee4fde831ce0eb0081fdc4753632e9dd",
+    "rules/wk8209.ts": "617324b7988a7c842502c9e76388412c5855dcd321e40a2df6039c9faf87ac47",
+    "rules/wk8301.ts": "12321c2b217db4a1f8842844e0d9875def589e54056dd66d6c0f4a65e50e1213",
+    "rules/wk8302.ts": "3e8e336e72618b543c3208f9b2b7a582b4535d3d284481cc6c77812c35812e71",
+    "rules/wk8303.ts": "fdf8b072063359d2e654b1e810491738316eae01e85f9d18df1c341578caf2a6",
+    "rules/wk8304.ts": "fd98b1bd1e62713b29af5fbb8e45d8ddf2b8b751eab1819caa9ea813efb9e54d",
+    "rules/wk8305.ts": "9241685fe0f8ddaae9cf5f83b3e43f347924b3f4f1f5a95fe6ec16753e31b0bf",
+    "rules/wk8306.ts": "8a95b948df271384e86b564ea58e7032bddb339859c9be10d3ef0c7162f21db3",
+    "rules/wk8401.ts": "860e5104d53158ebea790f5acc3d34b82d666c4808d8ee5de44b68c1c602af77",
+    "rules/wk8402.ts": "91c58dc146c6aa44b93f167fd5ed8c16cb5dc95e9d99f40685d9d0acdf7eb474",
+    "rules/wk8403.ts": "abf42e48d9539768856d71d365b5e6cbb9d4800b9f890809b70d181641a86b98",
+    "skills/chant-k8s.md": "222268f9e6b19912ece4b066d8897f009b90a3fe6f14e9c5059d0717e7ee0f82",
+    "skills/chant-k8s-patterns.md": "683148e9f0f9da6879bd65d97c82cc29dbff897e31bc11b3c1de654cd6baeea3",
+    "skills/chant-k8s-deployment-strategies.md": "c4cc93cba064230567baa755b5a3493dc69bfc6e74a62e1990d12039ffaaf5f8",
+    "skills/chant-k8s-security.md": "f4250284000fde0d380192ba4cd73f2190471da2142e3bf77d848881552807f7",
+    "skills/chant-k8s-eks.md": "c391217039b35d1c9d88214e2cb7b8c1166331d6ab26996f5f7d907027508ab9",
+    "skills/chant-k8s-gke.md": "8938840bf9ef5ed58d6333fdd773b3dd54ecaf25a9df35e58f7f5c3355d4928f",
+    "skills/chant-k8s-aks.md": "e18f0e2b055f72cd7a37deaf258d7027c2d4d3e286e8fd4975b27a1f981a3ad9"
   },
-  "composite": "71a7bf45b20b1ebd"
+  "composite": "0c9b24ec573fdf75f6cc905b73496a3dc14c77121003ccfb4ea30a74cae054ef"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "k8s",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "chantVersion": ">=0.1.0",
   "namespace": "K8s",
   "intrinsics": [],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant-lexicon-k8s",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Kubernetes lexicon for chant — declarative IaC in TypeScript",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",
@@ -36,16 +36,18 @@
     "./types": "./dist/types/index.d.ts"
   },
   "scripts": {
-    "generate": "bun run src/codegen/generate-cli.ts",
-    "bundle": "bun run src/package-cli.ts",
-    "validate": "bun run src/validate-cli.ts",
-    "docs": "bun run src/codegen/docs-cli.ts",
-    "prepack": "bun run generate && bun run bundle && bun run validate"
+    "generate": "tsx src/codegen/generate-cli.ts",
+    "bundle": "tsx src/package-cli.ts",
+    "validate": "tsx src/validate-cli.ts",
+    "docs": "tsx src/codegen/docs-cli.ts",
+    "prepack": "npm run generate && npm run bundle && npm run validate"
+  },
+  "dependencies": {
+    "js-yaml": "^4.1.1"
   },
   "devDependencies": {
-    "@intentius/chant": "0.1.4",
+    "@intentius/chant": "*",
     "@types/js-yaml": "^4.0.9",
-    "js-yaml": "^4.1.1",
     "typescript": "^5.9.3"
   },
   "peerDependencies": {

package/src/actions/actions.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import * as core from "./core";
 import * as apps from "./apps";
 import * as batch from "./batch";

package/src/codegen/docs.ts

@@ -548,7 +548,11 @@ const { statefulSet, service } = StatefulApp({
         slug: "composite-examples",
         title: "Examples: Composites",
         description: "Composite examples — WebApp, CronWorkload, AutoscaledService, WorkerPool, NamespaceEnv, NodeAgent",
-        content: `Composites are higher-level constructs that produce multiple coordinated K8s resources from a single function call.
+        content: `import Diagram from '../../components/Diagram.astro';
+
+Composites are higher-level constructs that produce multiple coordinated K8s resources from a single function call.
+
+<Diagram name="composite-expansion" alt="Single CockroachDbCluster composite declaration expanding into Namespace, StatefulSet, Service, ServiceAccount, NetworkPolicy, PodDisruptionBudget, and ConfigMap resources serialized to one YAML file" caption="Composite expansion: one declaration → many resources" />
 
 ## WebApp
 

package/src/codegen/generate-cli.ts

@@ -1,4 +1,4 @@
-#!/usr/bin/env bun
+#!/usr/bin/env tsx
 /**
  * CLI entry point for Kubernetes lexicon generation.
  */

package/src/codegen/naming.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { k8sShortName, type K8sParseResult } from "../spec/parse";
 import { NamingStrategy } from "./naming";
 

package/src/codegen/package.ts

@@ -3,9 +3,8 @@
  * with K8s-specific manifest building and skill collection.
  */
 
-import { createRequire } from "module";
 import { readFileSync } from "fs";
-const require = createRequire(import.meta.url);
+import { k8sPlugin } from "../plugin";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 import {
@@ -43,9 +42,7 @@ export async function packageLexicon(opts: PackageOptions = {}): Promise<Package
 
       srcDir: pkgDir,
 
-      collectSkills: () => {
-        const { k8sPlugin } = require("../plugin");
-        const skillDefs = k8sPlugin.skills?.() ?? [];
+      collectSkills: () => {        const skillDefs = k8sPlugin.skills?.() ?? [];
         return collectSkills(skillDefs);
       },
 

package/src/codegen/snapshot.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { existsSync, readFileSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/codegen/typecheck.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { typecheckDTS } from "./typecheck";
 
 describe("typecheckDTS", () => {

package/src/composites/cockroachdb-region-stack.ts

@@ -0,0 +1,553 @@
+/**
+ * CockroachDbRegionStack composite — all K8s resources for one CockroachDB region.
+ *
+ * Collapses the 8-file per-region K8s pattern into a single composite call:
+ * namespace, storage, CockroachDB StatefulSet, External Secrets, GCE Ingress,
+ * ExternalDNS, Cloud Armor BackendConfig, TLS cert, and optional Prometheus monitoring.
+ *
+ * @gke Requires: External Secrets Operator (ESO), ExternalDNS (via GkeExternalDnsAgent).
+ */
+
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { createResource } from "@intentius/chant/runtime";
+import {
+  NetworkPolicy,
+  Deployment,
+  Service,
+  ConfigMap,
+} from "../generated";
+import { NamespaceEnv } from "./namespace-env";
+import { GcePdStorageClass } from "./gce-pd-storage-class";
+import { CockroachDbCluster } from "./cockroachdb-cluster";
+import { GceIngress } from "./gce-ingress";
+import { GkeExternalDnsAgent } from "./gke-external-dns-agent";
+
+// ── External CRDs (not in main generated index) ──────────────────────────────────
+
+const ClusterSecretStore = createResource("K8s::ExternalSecrets::ClusterSecretStore", "k8s", {});
+const ExternalSecret = createResource("K8s::ExternalSecrets::ExternalSecret", "k8s", {});
+const BackendConfig = createResource("K8s::GKE::BackendConfig", "k8s", {});
+const ManagedCertificate = createResource("K8s::NetworkingGKE::ManagedCertificate", "k8s", {});
+const FrontendConfig = createResource("K8s::NetworkingGKEBeta::FrontendConfig", "k8s", {});
+
+// ── Types ─────────────────────────────────────────────────────────────────────
+
+export interface CockroachDbRegionCockroachConfig {
+  /** Cluster name (default: "cockroachdb"). */
+  name?: string;
+  /** StatefulSet replicas (default: 3). */
+  replicas?: number;
+  /** CockroachDB image (default: "cockroachdb/cockroach:v24.3.0"). */
+  image?: string;
+  /** PVC storage size per node (default: "100Gi"). */
+  storageSize?: string;
+  /** CPU limit per pod (default: "2"). */
+  cpuLimit?: string;
+  /** Memory limit per pod (default: "8Gi"). */
+  memoryLimit?: string;
+  /** Locality flag (e.g. "cloud=gcp,region=us-east4"). */
+  locality?: string;
+  /** Join addresses for multi-region cluster. */
+  joinAddresses?: string[];
+  /**
+   * Skip the cockroach init Job (set true for secondary regions).
+   * Only the first region should run cockroach init.
+   */
+  skipInit?: boolean;
+  /**
+   * Mount the client certs secret into pods (needed for multi-region init via kubectl exec).
+   */
+  mountClientCerts?: boolean;
+  /**
+   * Extra DNS names to include in node cert SANs (e.g. cross-region ExternalDNS names).
+   */
+  extraCertNodeAddresses?: string[];
+  /**
+   * Domain for cross-cluster advertise address (e.g. "east.crdb.internal").
+   * When set, pods advertise "${HOSTNAME}.${advertiseHostDomain}" for cross-cluster gossip.
+   */
+  advertiseHostDomain?: string;
+}
+
+export interface CockroachDbRegionTlsConfig {
+  /**
+   * GCP Secret Manager secret names to sync into K8s Secrets via External Secrets Operator.
+   */
+  gcpSecretNames: {
+    /** CA cert secret name in GCP Secret Manager. */
+    ca: string;
+    /** Node cert secret name. */
+    nodeCrt: string;
+    /** Node cert key secret name. */
+    nodeKey: string;
+    /** Client root cert secret name. */
+    clientRootCrt: string;
+    /** Client root key secret name. */
+    clientRootKey: string;
+  };
+}
+
+export interface CockroachDbRegionStackConfig {
+  /**
+   * Short region identifier used in resource names and labels (e.g. "east").
+   * Used to distinguish resources across regions.
+   */
+  region: string;
+  /** K8s namespace for all namespaced resources (e.g. "crdb-east"). */
+  namespace: string;
+  /** Public UI domain for this region (e.g. "east.crdb.example.com"). */
+  domain: string;
+  /** Cross-cluster ExternalDNS domain (e.g. "east.crdb.internal"). */
+  internalDomain: string;
+  /** Root public domain for ExternalDNS domain filter (e.g. "crdb.example.com"). */
+  publicRootDomain: string;
+
+  /** GCP project ID — used in ClusterSecretStore Workload Identity config. */
+  projectId: string;
+  /** GKE cluster name — used in ClusterSecretStore Workload Identity config. */
+  clusterName: string;
+  /** GKE cluster region (e.g. "us-east4") — used in ClusterSecretStore config. */
+  clusterRegion: string;
+  /** GCP service account email for CRDB Workload Identity annotation on the K8s SA. */
+  crdbGsaEmail: string;
+  /** GCP service account email for ExternalDNS Workload Identity. */
+  externalDnsGsaEmail: string;
+
+  /** CockroachDB cluster configuration. */
+  cockroachdb: CockroachDbRegionCockroachConfig;
+  /** TLS certificate sync config (External Secrets Operator). */
+  tls: CockroachDbRegionTlsConfig;
+
+  /** Namespace resource quotas. */
+  quota?: {
+    /** Total CPU limit quota (e.g. "8"). */
+    cpu?: string;
+    /** Total memory limit quota (e.g. "20Gi"). */
+    memory?: string;
+    /** Maximum pods. */
+    maxPods?: number;
+  };
+
+  /**
+   * CIDRs that may send traffic to CockroachDB ports (26257 + 8080).
+   * Used in the allow-cockroachdb NetworkPolicy.
+   */
+  allowCidrs?: string[];
+
+  /**
+   * Cloud Armor WAF configuration.
+   * When set, a BackendConfig is created attaching the policy to the public service.
+   */
+  cloudArmor?: {
+    /** Cloud Armor security policy name. */
+    policyName: string;
+  };
+
+  /**
+   * Emit Prometheus ConfigMap + Deployment + Service for CockroachDB metrics.
+   * Uses a lightweight Prometheus scraping `/_status/vars` (default: false).
+   */
+  monitoring?: boolean;
+
+  /** Additional labels for all resources. */
+  labels?: Record<string, string>;
+}
+
+/**
+ * Create a CockroachDbRegionStack composite — returns all K8s resources for one
+ * CockroachDB region in a single call.
+ *
+ * Replaces: namespace.ts, storage.ts, cockroachdb.ts, external-secrets.ts,
+ * ingress.ts, tls.ts, backend-config.ts, monitoring.ts (8 files → 1 call).
+ *
+ * @gke
+ * @example
+ * ```ts
+ * import { CockroachDbRegionStack } from "@intentius/chant-lexicon-k8s";
+ *
+ * export const east = CockroachDbRegionStack({
+ *   region: "east",
+ *   namespace: "crdb-east",
+ *   domain: `east.${CRDB_DOMAIN}`,
+ *   internalDomain: `east.${INTERNAL_DOMAIN}`,
+ *   publicRootDomain: CRDB_DOMAIN,
+ *   projectId: GCP_PROJECT_ID,
+ *   clusterName: "gke-crdb-east",
+ *   clusterRegion: "us-east4",
+ *   crdbGsaEmail: `gke-crdb-east-crdb@${GCP_PROJECT_ID}.iam.gserviceaccount.com`,
+ *   externalDnsGsaEmail: `gke-crdb-east-dns@${GCP_PROJECT_ID}.iam.gserviceaccount.com`,
+ *   cockroachdb: {
+ *     locality: "cloud=gcp,region=us-east4",
+ *     joinAddresses: [...],
+ *     advertiseHostDomain: `east.${INTERNAL_DOMAIN}`,
+ *     skipInit: false,
+ *     mountClientCerts: true,
+ *   },
+ *   tls: {
+ *     gcpSecretNames: {
+ *       ca: "crdb-ca-crt", nodeCrt: "crdb-node-crt", nodeKey: "crdb-node-key",
+ *       clientRootCrt: "crdb-client-root-crt", clientRootKey: "crdb-client-root-key",
+ *     },
+ *   },
+ *   allowCidrs: ALL_CIDRS,
+ *   cloudArmor: { policyName: "crdb-ui-waf" },
+ *   monitoring: true,
+ * });
+ * ```
+ */
+export const CockroachDbRegionStack = Composite<CockroachDbRegionStackConfig>((props) => {
+  const {
+    region,
+    namespace: ns,
+    domain,
+    internalDomain,
+    publicRootDomain,
+    projectId,
+    clusterName,
+    clusterRegion,
+    crdbGsaEmail,
+    externalDnsGsaEmail,
+    cockroachdb: crdbProps,
+    tls,
+    quota,
+    allowCidrs = [],
+    cloudArmor,
+    monitoring = false,
+    labels: extraLabels = {},
+  } = props;
+
+  const crdbName = crdbProps.name ?? "cockroachdb";
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/managed-by": "chant",
+    "app.kubernetes.io/part-of": `cockroachdb-multi-region`,
+    "app.kubernetes.io/instance": region,
+    ...extraLabels,
+  };
+
+  // ── Namespace + Quotas ─────────────────────────────────────────────────────────
+
+  const nsResult = NamespaceEnv({
+    name: ns,
+    ...(quota?.cpu && { cpuQuota: quota.cpu }),
+    ...(quota?.memory && { memoryQuota: quota.memory }),
+    ...(quota?.maxPods !== undefined && { maxPods: quota.maxPods }),
+    defaultCpuRequest: "250m",
+    defaultMemoryRequest: "512Mi",
+    defaultCpuLimit: "1",
+    defaultMemoryLimit: "4Gi",
+    defaultDenyIngress: true,
+    labels: {
+      "pod-security.kubernetes.io/enforce": "baseline",
+      "pod-security.kubernetes.io/enforce-version": "latest",
+      "pod-security.kubernetes.io/warn": "restricted",
+      "pod-security.kubernetes.io/audit": "restricted",
+      ...commonLabels,
+    },
+  });
+
+  // Allow CockroachDB inter-node (26257) + HTTP UI (8080) from all region CIDRs.
+  const crdbNetworkPolicy = new NetworkPolicy(mergeDefaults({
+    metadata: {
+      name: "allow-cockroachdb",
+      namespace: ns,
+      labels: commonLabels,
+    },
+    spec: {
+      podSelector: { matchLabels: { "app.kubernetes.io/name": crdbName } },
+      policyTypes: ["Ingress"],
+      ingress: allowCidrs.length > 0
+        ? [{
+            from: allowCidrs.map((cidr) => ({ ipBlock: { cidr } })),
+            ports: [
+              { protocol: "TCP", port: 26257 },
+              { protocol: "TCP", port: 8080 },
+            ],
+          }]
+        : [],
+    },
+  }, {}));
+
+  // ── Storage ────────────────────────────────────────────────────────────────────
+
+  const { storageClass } = GcePdStorageClass({
+    name: "pd-ssd",
+    type: "pd-ssd",
+    labels: commonLabels,
+  });
+
+  // ── CockroachDB Cluster ────────────────────────────────────────────────────────
+
+  const crdb = CockroachDbCluster({
+    name: crdbName,
+    namespace: ns,
+    replicas: crdbProps.replicas ?? 3,
+    image: crdbProps.image,
+    storageSize: crdbProps.storageSize,
+    storageClassName: "pd-ssd",
+    cpuLimit: crdbProps.cpuLimit,
+    memoryLimit: crdbProps.memoryLimit,
+    locality: crdbProps.locality,
+    joinAddresses: crdbProps.joinAddresses,
+    secure: true,
+    skipCertGen: true,
+    skipInit: crdbProps.skipInit,
+    mountClientCerts: crdbProps.mountClientCerts,
+    advertiseHostDomain: crdbProps.advertiseHostDomain,
+    extraCertNodeAddresses: crdbProps.extraCertNodeAddresses,
+    labels: commonLabels,
+    defaults: {
+      serviceAccount: {
+        metadata: {
+          annotations: {
+            "iam.gke.io/gcp-service-account": crdbGsaEmail,
+          },
+        },
+      },
+      publicService: {
+        metadata: {
+          annotations: {
+            "cloud.google.com/backend-config": `{"default":"${crdbName}-ui-backend"}`,
+            "cloud.google.com/app-protocols": `{"http":"HTTPS"}`,
+          },
+        },
+      },
+      headlessService: {
+        metadata: {
+          annotations: {
+            "external-dns.alpha.kubernetes.io/hostname": internalDomain,
+          },
+        },
+      },
+    },
+  });
+
+  // ── External Secrets (TLS certs from GCP Secret Manager) ──────────────────────
+
+  const secretStoreName = "gcp-secret-manager";
+
+  const gcpSecretStore = new ClusterSecretStore({
+    metadata: { name: secretStoreName },
+    spec: {
+      provider: {
+        gcpsm: {
+          projectID: projectId,
+          auth: {
+            workloadIdentity: {
+              clusterLocation: clusterRegion,
+              clusterName,
+              serviceAccountRef: { name: "external-secrets-sa", namespace: "kube-system" },
+            },
+          },
+        },
+      },
+    },
+  });
+
+  const nodeCertsSecret = new ExternalSecret({
+    metadata: { name: `${crdbName}-node-certs-eso`, namespace: ns },
+    spec: {
+      refreshInterval: "1h",
+      secretStoreRef: { name: secretStoreName, kind: "ClusterSecretStore" },
+      target: { name: `${crdbName}-node-certs`, creationPolicy: "Owner" },
+      data: [
+        { secretKey: "ca.crt",   remoteRef: { key: tls.gcpSecretNames.ca } },
+        { secretKey: "node.crt", remoteRef: { key: tls.gcpSecretNames.nodeCrt } },
+        { secretKey: "node.key", remoteRef: { key: tls.gcpSecretNames.nodeKey } },
+      ],
+    },
+  });
+
+  const clientCertsSecret = new ExternalSecret({
+    metadata: { name: `${crdbName}-client-certs-eso`, namespace: ns },
+    spec: {
+      refreshInterval: "1h",
+      secretStoreRef: { name: secretStoreName, kind: "ClusterSecretStore" },
+      target: { name: `${crdbName}-client-certs`, creationPolicy: "Owner" },
+      data: [
+        { secretKey: "ca.crt",           remoteRef: { key: tls.gcpSecretNames.ca } },
+        { secretKey: "client.root.crt",  remoteRef: { key: tls.gcpSecretNames.clientRootCrt } },
+        { secretKey: "client.root.key",  remoteRef: { key: tls.gcpSecretNames.clientRootKey } },
+      ],
+    },
+  });
+
+  // ── TLS: Managed Certificate + FrontendConfig ─────────────────────────────────
+
+  const certName = `${crdbName}-ui-cert`;
+  const frontendName = `${crdbName}-ui-frontend`;
+  const backendName = `${crdbName}-ui-backend`;
+
+  const crdbManagedCert = new ManagedCertificate({
+    metadata: {
+      name: certName,
+      namespace: ns,
+      labels: commonLabels,
+    },
+    spec: { domains: [domain] },
+  });
+
+  const crdbFrontendConfig = new FrontendConfig({
+    metadata: {
+      name: frontendName,
+      namespace: ns,
+      labels: commonLabels,
+    },
+    spec: {
+      redirectToHttps: {
+        enabled: true,
+        responseCodeName: "MOVED_PERMANENTLY_DEFAULT",
+      },
+    },
+  });
+
+  // ── GCE Ingress ────────────────────────────────────────────────────────────────
+
+  const { ingress: gceIngress } = GceIngress({
+    name: `${crdbName}-ui`,
+    hosts: [{
+      hostname: domain,
+      paths: [{ path: "/", serviceName: `${crdbName}-public`, servicePort: 8080 }],
+    }],
+    namespace: ns,
+    managedCertificate: certName,
+    frontendConfig: frontendName,
+    labels: commonLabels,
+  });
+
+  // ── ExternalDNS ────────────────────────────────────────────────────────────────
+
+  const dnsAgent = GkeExternalDnsAgent({
+    gcpServiceAccountEmail: externalDnsGsaEmail,
+    gcpProjectId: projectId,
+    domainFilters: [publicRootDomain, internalDomain.split(".").slice(1).join(".")],
+    txtOwnerId: clusterName,
+    source: ["service", "ingress"],
+    labels: commonLabels,
+  });
+
+  // ── Result object ─────────────────────────────────────────────────────────────
+
+  const result: Record<string, any> = {
+    // Namespace
+    ...nsResult,
+    crdbNetworkPolicy,
+
+    // Storage
+    storageClass,
+
+    // CockroachDB
+    cockroachdbServiceAccount: crdb.serviceAccount,
+    cockroachdbRole: crdb.role,
+    cockroachdbRoleBinding: crdb.roleBinding,
+    cockroachdbClusterRole: crdb.clusterRole,
+    cockroachdbClusterRoleBinding: crdb.clusterRoleBinding,
+    cockroachdbPublicService: crdb.publicService,
+    cockroachdbHeadlessService: crdb.headlessService,
+    cockroachdbPdb: crdb.pdb,
+    cockroachdbStatefulSet: crdb.statefulSet,
+    ...(crdb.initJob && { cockroachdbInitJob: crdb.initJob }),
+
+    // External Secrets
+    gcpSecretStore,
+    nodeCertsSecret,
+    clientCertsSecret,
+
+    // TLS
+    crdbManagedCert,
+    crdbFrontendConfig,
+
+    // Ingress + ExternalDNS
+    gceIngress,
+    dnsDeployment: dnsAgent.deployment,
+    dnsServiceAccount: dnsAgent.serviceAccount,
+    dnsClusterRole: dnsAgent.clusterRole,
+    dnsClusterRoleBinding: dnsAgent.clusterRoleBinding,
+  };
+
+  // Optional: Cloud Armor BackendConfig
+  if (cloudArmor) {
+    result.crdbBackendConfig = new BackendConfig({
+      metadata: {
+        name: backendName,
+        namespace: ns,
+        labels: commonLabels,
+      },
+      spec: {
+        securityPolicy: { name: cloudArmor.policyName },
+        healthCheck: { type: "HTTPS", requestPath: "/health", port: 8080 },
+      },
+    });
+  }
+
+  // Optional: Prometheus monitoring
+  if (monitoring) {
+    result.prometheusConfig = new ConfigMap({
+      metadata: { name: "prometheus-config", namespace: ns },
+      data: {
+        "prometheus.yml": [
+          `global:`,
+          `  scrape_interval: 15s`,
+          `scrape_configs:`,
+          `  - job_name: "cockroachdb"`,
+          `    kubernetes_sd_configs:`,
+          `      - role: pod`,
+          `        namespaces:`,
+          `          names: ["${ns}"]`,
+          `    relabel_configs:`,
+          `      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]`,
+          `        regex: "cockroachdb"`,
+          `        action: keep`,
+          `      - source_labels: [__meta_kubernetes_pod_ip]`,
+          `        target_label: __address__`,
+          `        replacement: "$1:8080"`,
+          `      - source_labels: [__meta_kubernetes_pod_name]`,
+          `        target_label: instance`,
+          `    metrics_path: "/_status/vars"`,
+        ].join("\n"),
+      },
+    } as Record<string, unknown>);
+
+    result.prometheusDeployment = new Deployment({
+      metadata: {
+        name: "prometheus",
+        namespace: ns,
+        labels: { "app.kubernetes.io/name": "prometheus", ...commonLabels },
+      },
+      spec: {
+        replicas: 1,
+        selector: { matchLabels: { "app.kubernetes.io/name": "prometheus" } },
+        template: {
+          metadata: { labels: { "app.kubernetes.io/name": "prometheus" } },
+          spec: {
+            containers: [{
+              name: "prometheus",
+              image: "prom/prometheus:v2.51.0",
+              args: [
+                "--config.file=/etc/prometheus/prometheus.yml",
+                "--storage.tsdb.retention.time=15d",
+              ],
+              ports: [{ name: "http", containerPort: 9090 }],
+              resources: {
+                requests: { cpu: "500m", memory: "1Gi" },
+                limits:   { cpu: "1",    memory: "2Gi" },
+              },
+              volumeMounts: [{ name: "config", mountPath: "/etc/prometheus" }],
+            }],
+            volumes: [{ name: "config", configMap: { name: "prometheus-config" } }],
+          },
+        },
+      },
+    } as Record<string, unknown>);
+
+    result.prometheusService = new Service({
+      metadata: { name: "prometheus", namespace: ns },
+      spec: {
+        selector: { "app.kubernetes.io/name": "prometheus" },
+        ports: [{ name: "http", port: 9090, targetPort: "http" }],
+      },
+    } as Record<string, unknown>);
+  }
+
+  return result;
+}, "CockroachDbRegionStack");

package/src/composites/composites.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect, jest } from "bun:test";
+import { describe, test, expect, vi } from "vitest";
 import { isCompositeInstance } from "@intentius/chant";
 import { emitYAML } from "@intentius/chant/yaml";
 import { WebApp } from "./web-app";
@@ -899,7 +899,7 @@ describe("NamespaceEnv", () => {
   });
 
   test("warns when quota set without limits", () => {
-    const warnSpy = jest.spyOn(console, "warn").mockImplementation(() => {});
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
     NamespaceEnv({ name: "warn-test", cpuQuota: "4", defaultDenyIngress: false });
     expect(warnSpy).toHaveBeenCalledWith(
       expect.stringContaining("ResourceQuota set but no LimitRange defaults"),
@@ -908,7 +908,7 @@ describe("NamespaceEnv", () => {
   });
 
   test("no warning when both quota and limits set", () => {
-    const warnSpy = jest.spyOn(console, "warn").mockImplementation(() => {});
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
     NamespaceEnv({
       name: "both-test",
       cpuQuota: "4",
@@ -920,7 +920,7 @@ describe("NamespaceEnv", () => {
   });
 
   test("no warning when limits only (no quota)", () => {
-    const warnSpy = jest.spyOn(console, "warn").mockImplementation(() => {});
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
     NamespaceEnv({
       name: "limits-only",
       defaultCpuRequest: "100m",

package/src/composites/index.ts

@@ -73,6 +73,8 @@ export { AksExternalDnsAgent } from "./aks-external-dns-agent";
 export type { AksExternalDnsAgentProps, AksExternalDnsAgentResult } from "./aks-external-dns-agent";
 export { CockroachDbCluster } from "./cockroachdb-cluster";
 export type { CockroachDbClusterProps, CockroachDbClusterResult } from "./cockroachdb-cluster";
+export { CockroachDbRegionStack } from "./cockroachdb-region-stack";
+export type { CockroachDbRegionStackConfig, CockroachDbRegionCockroachConfig, CockroachDbRegionTlsConfig } from "./cockroachdb-region-stack";
 export { RayCluster } from "./ray-cluster";
 export type { RayClusterProps, RayClusterResult, RayClusterSpec, ResourceSpec, HeadGroupSpec, WorkerGroupSpec } from "./ray-cluster";
 export { RayJob } from "./ray-job";

package/src/coverage.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { existsSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/crd/loader.ts

@@ -5,6 +5,7 @@
  * live cluster introspection via kubectl.
  */
 
+import { existsSync, readFileSync } from "fs";
 import type { CRDSource, CRDSpec } from "./types";
 import type { K8sParseResult } from "../spec/parse";
 import { parseCRD } from "./parser";
@@ -53,13 +54,11 @@ async function loadFromFile(source: CRDSource): Promise<string> {
     throw new Error("CRD source type 'file' requires a 'path' property");
   }
 
-  const file = Bun.file(source.path);
-  const exists = await file.exists();
-  if (!exists) {
+  if (!existsSync(source.path)) {
     throw new Error(`CRD file not found: ${source.path}`);
   }
 
-  return file.text();
+  return readFileSync(source.path, "utf8");
 }
 
 /**
@@ -85,28 +84,21 @@ async function loadFromURL(source: CRDSource): Promise<string> {
  * requires kubectl access and proper authentication.
  */
 async function loadFromCluster(source: CRDSource): Promise<string> {
-  const contextArg = source.context ? `--context=${source.context}` : "";
-  const nsArg = source.namespace ? `--namespace=${source.namespace}` : "";
+  const { execFile } = await import("child_process");
+  const { promisify } = await import("util");
+  const execFileAsync = promisify(execFile);
 
-  const args = ["kubectl", "get", "crds", "-o", "yaml"];
-  if (contextArg) args.push(contextArg);
-  if (nsArg) args.push(nsArg);
+  const args = ["get", "crds", "-o", "yaml"];
+  if (source.context) args.push(`--context=${source.context}`);
+  if (source.namespace) args.push(`--namespace=${source.namespace}`);
 
-  const proc = Bun.spawn(args, {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
-
-  const stdout = await new Response(proc.stdout).text();
-  const stderr = await new Response(proc.stderr).text();
-  const exitCode = await proc.exited;
-
-  if (exitCode !== 0) {
+  const { stdout, stderr } = await execFileAsync("kubectl", args).catch((err: NodeJS.ErrnoException & { stdout?: string; stderr?: string }) => {
     throw new Error(
-      `kubectl failed (exit ${exitCode}): ${stderr.trim() || "unknown error"}. ` +
+      `kubectl failed: ${err.stderr?.trim() || err.message}. ` +
       "Ensure kubectl is installed and configured with access to the target cluster.",
     );
-  }
+  });
 
+  void stderr;
   return stdout;
 }

package/src/crd/parser.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { parseCRD, parseCRDSpec } from "./parser";
 
 describe("parseCRD", () => {

package/src/default-labels.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import {
   defaultLabels,
   defaultAnnotations,

package/src/import/generator.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { K8sGenerator } from "./generator";
 import type { TemplateIR, ResourceIR } from "@intentius/chant/import/parser";
 

package/src/import/parser.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { K8sParser } from "./parser";
 
 const parser = new K8sParser();

package/src/import/roundtrip.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { readFileSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/index.ts

@@ -21,7 +21,7 @@ export {
   BatchJob, SecureIngress, ConfiguredApp, SidecarApp, MonitoredService, NetworkIsolatedApp,
   IrsaServiceAccount, AlbIngress, EbsStorageClass, EfsStorageClass, FluentBitAgent, ExternalDnsAgent, AdotCollector,
   MetricsServer, WorkloadIdentityServiceAccount, GcePdStorageClass, FilestoreStorageClass, GkeGateway, ConfigConnectorContext,
-  GceIngress, CockroachDbCluster,
+  GceIngress, CockroachDbCluster, CockroachDbRegionStack,
   RayCluster, RayJob, RayService,
   AgicIngress, AzureDiskStorageClass, AzureFileStorageClass, AzureMonitorCollector,
   AksWorkloadIdentityServiceAccount,
@@ -45,6 +45,7 @@ export type {
   GkeGatewayProps, GkeGatewayResult,
   ConfigConnectorContextProps, ConfigConnectorContextResult,
   GceIngressProps, GceIngressResult, CockroachDbClusterProps, CockroachDbClusterResult,
+  CockroachDbRegionStackConfig, CockroachDbRegionCockroachConfig, CockroachDbRegionTlsConfig,
   RayClusterProps, RayClusterResult, RayClusterSpec, ResourceSpec, HeadGroupSpec, WorkerGroupSpec,
   RayJobProps, RayJobResult,
   RayServiceProps, RayServiceResult,

package/src/lint/post-synth/k8s-helpers.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import {
   parseK8sManifests,
   extractContainers,

package/src/lint/post-synth/post-synth.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import type { PostSynthContext } from "@intentius/chant/lint/post-synth";
 
 // Import all checks

package/src/lint/rules/rules.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { hardcodedNamespaceRule } from "./hardcoded-namespace";
 import { latestImageTagRule } from "./latest-image-tag";
 import { missingResourceLimitsRule } from "./missing-resource-limits";

package/src/lsp/completions.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { existsSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/lsp/hover.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { existsSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/package-cli.ts

@@ -1,4 +1,4 @@
-#!/usr/bin/env bun
+#!/usr/bin/env tsx
 /**
  * CLI entry point for Kubernetes lexicon packaging.
  */

package/src/plugin.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { existsSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";

package/src/plugin.ts

@@ -5,24 +5,26 @@
  * lint rules, and LSP/MCP integration for Kubernetes manifests.
  */
 
-import { createRequire } from "module";
 import type { LexiconPlugin, InitTemplateSet, ResourceMetadata } from "@intentius/chant/lexicon";
-const require = createRequire(import.meta.url);
 import type { LintRule } from "@intentius/chant/lint/rule";
 import { discoverPostSynthChecks } from "@intentius/chant/lint/discover";
 import { createSkillsLoader, createDiffTool, createCatalogResource } from "@intentius/chant/lexicon-plugin-helpers";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 import { k8sSerializer } from "./serializer";
+import { hardcodedNamespaceRule } from "./lint/rules/hardcoded-namespace";
+import { latestImageTagRule } from "./lint/rules/latest-image-tag";
+import { missingResourceLimitsRule } from "./lint/rules/missing-resource-limits";
+import { k8sCompletions } from "./lsp/completions";
+import { k8sHover } from "./lsp/hover";
+import { K8sParser } from "./import/parser";
+import { K8sGenerator } from "./import/generator";
 
 export const k8sPlugin: LexiconPlugin = {
   name: "k8s",
   serializer: k8sSerializer,
 
   lintRules(): LintRule[] {
-    const { hardcodedNamespaceRule } = require("./lint/rules/hardcoded-namespace");
-    const { latestImageTagRule } = require("./lint/rules/latest-image-tag");
-    const { missingResourceLimitsRule } = require("./lint/rules/missing-resource-limits");
     return [hardcodedNamespaceRule, latestImageTagRule, missingResourceLimitsRule];
   },
 
@@ -204,22 +206,18 @@ export const service = new Service({
   },
 
   completionProvider(ctx: import("@intentius/chant/lsp/types").CompletionContext) {
-    const { k8sCompletions } = require("./lsp/completions");
     return k8sCompletions(ctx);
   },
 
   hoverProvider(ctx: import("@intentius/chant/lsp/types").HoverContext) {
-    const { k8sHover } = require("./lsp/hover");
     return k8sHover(ctx);
   },
 
   templateParser() {
-    const { K8sParser } = require("./import/parser");
     return new K8sParser();
   },
 
   templateGenerator() {
-    const { K8sGenerator } = require("./import/generator");
     return new K8sGenerator();
   },
 

package/src/serializer.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { k8sSerializer } from "./serializer";
 import { DECLARABLE_MARKER } from "@intentius/chant/declarable";
 import {

package/src/spec/fetch.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { fetchK8sSchema, fetchSchemas, K8S_SCHEMA_VERSION } from "./fetch";
 
 describe("fetch", () => {

package/src/spec/parse.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import {
   gvkToTypeName,
   gvkToApiVersion,

package/src/validate-cli.ts

@@ -1,4 +1,4 @@
-#!/usr/bin/env bun
+#!/usr/bin/env tsx
 /**
  * CLI entry point for Kubernetes lexicon validation.
  */

package/src/validate.test.ts

@@ -1,4 +1,4 @@
-import { describe, test, expect } from "bun:test";
+import { describe, test, expect } from "vitest";
 import { validate } from "./validate";
 
 describe("validate", () => {