@intentius/gitlab-warden 0.1.0 โ†’ 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +48 -5
  2. package/dist/cli.js +9483 -17
  3. package/package.json +8 -1
package/README.md CHANGED
@@ -1,5 +1,8 @@
1
1
  # gitlab-warden
2
2
 
3
+ [![ci](https://github.com/INTENTIUS/gitlab-warden/actions/workflows/ci.yml/badge.svg)](https://github.com/INTENTIUS/gitlab-warden/actions/workflows/ci.yml)
4
+ [![e2e](https://github.com/INTENTIUS/gitlab-warden/actions/workflows/e2e.yml/badge.svg)](https://github.com/INTENTIUS/gitlab-warden/actions/workflows/e2e.yml)
5
+
3
6
  Declarative governance for GitLab **groups & projects** โ€” the whole surface, in one lightweight tool you run in CI.
4
7
 
5
8
  The third [warden](https://github.com/INTENTIUS/github-warden), built on the shared
@@ -11,10 +14,6 @@ supplies the GitLab layer: a REST + GraphQL client (configurable host for
11
14
  self-managed + GitLab.com), config + live-state types, a GitLab `diff()`, and the
12
15
  reconcile cycles.
13
16
 
14
- > ๐Ÿšง **Preview published; engine in progress.** `@intentius/gitlab-warden@0.1.0` is a
15
- > placeholder that establishes the package + release pipeline. The reconcile engine
16
- > is being built per the [roadmap epic](https://github.com/INTENTIUS/gitlab-warden/issues/21).
17
-
18
17
  ## What it is
19
18
 
20
19
  You declare desired state in YAML (selective-by-omission โ€” an absent field is never
@@ -48,7 +47,51 @@ sharpest single example of the model, but warden goes after the *entire* surface
48
47
  | **Instance** (self-managed) | application settings ยท instance CI/CD variables ยท system hooks ยท custom member roles |
49
48
 
50
49
  REST for most of it; **GraphQL** for the few surfaces that require it (compliance
51
- frameworks, security-policy attachment, custom roles).
50
+ frameworks, security-policy attachment). The Ultimate-only GraphQL cycles are
51
+ best-effort (unvalidated against a live Ultimate instance โ€” the e2e runs CE).
52
+
53
+ ## Usage
54
+
55
+ ```sh
56
+ npx @intentius/gitlab-warden reconcile \
57
+ --config governance.yaml \
58
+ --mode dry-run \
59
+ --token-env GITLAB_TOKEN \
60
+ --base-url https://gitlab.example.com # omit for gitlab.com
61
+ ```
62
+
63
+ ```yaml
64
+ # governance.yaml โ€” declared nodes, keyed by full path
65
+ nodes:
66
+ acme/platform:
67
+ kind: group
68
+ groupSettings: { description: "Platform team", visibility: private }
69
+ members:
70
+ - { user: alice, accessLevel: owner }
71
+ pushRules: { preventSecrets: true }
72
+ acme/platform/api:
73
+ kind: project
74
+ projectSettings: { mergeMethod: ff, topics: [go, service] }
75
+ protectedBranches:
76
+ - { name: main, pushAccessLevel: 40, mergeAccessLevel: 30 }
77
+ ```
78
+
79
+ `--mode dry-run` (default) prints the plan; `--mode apply` converges it. Guardrails
80
+ block a mass-delete and tier-gated (Premium/Ultimate) endpoints that 403 are
81
+ reported and skipped, never fatal.
82
+
83
+ ## Tests
84
+
85
+ `npm test` runs the unit suite (mock-client, fully offline). The [e2e suite](e2e/)
86
+ is **fully hermetic** โ€” it stands up GitLab CE via Docker Compose, mints a token,
87
+ provisions its own group/project, exercises every cycle, and tears down (no
88
+ external account or secrets):
89
+
90
+ ```sh
91
+ eval "$(npm run --silent e2e:up)" # compose up + mint token (GitLab CE is slow)
92
+ npm run test:e2e:run
93
+ npm run e2e:down
94
+ ```
52
95
 
53
96
  ## The one genuinely hard part
54
97