@lssm/lib.contracts 0.0.0-canary-20251217062943 → 0.0.0-canary-20251217072406

package/dist/app-config/validation.js

@@ -1 +1,538 @@
-var e=class{blueprintRules=[];tenantRules=[];resolvedRules=[];register(e){return e.scope===`blueprint`?this.blueprintRules.push(e):e.scope===`tenant`?this.tenantRules.push(e):this.resolvedRules.push(e),this}validateBlueprint(e,t){return w(this.blueprintRules.flatMap(n=>n.validate(e,t)))}validateTenant(e,t,n){return w(this.tenantRules.flatMap(r=>r.validate(e,t,n)))}validateResolved(e,t,n){return w(this.resolvedRules.flatMap(r=>r.validate(e,t,n)))}};const t=/^(?!:\/\/)([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[A-Za-z]{2,}$/,n=/^https:\/\//i,r={logo:[`png`,`svg`,`webp`],"logo-dark":[`png`,`svg`,`webp`],favicon:[`ico`,`png`,`svg`],"og-image":[`png`,`jpg`,`jpeg`,`webp`]},i={};let a;function o(){return a||=p(),a}function s(e,t,n=i){let r=o();return f(d(r.validateBlueprint(e,n)),d(r.validateTenant(e,t,n)))}function c(e,t=i){return d(o().validateBlueprint(e,t))}function l(e,t,n=i){return d(o().validateTenant(e,t,n))}function u(e,t,n=i){return d(o().validateResolved(e,t,n))}function d(e){let t=e.filter(e=>e.severity===`error`),n=e.filter(e=>e.severity===`warning`),r=e.filter(e=>e.severity===`info`);return{valid:t.length===0,errors:t,warnings:n,info:r}}function f(...e){let t=e.flatMap(e=>e.errors),n=e.flatMap(e=>e.warnings),r=e.flatMap(e=>e.info);return{valid:t.length===0,errors:t,warnings:n,info:r}}function p(){return new e().register(m).register(h).register(g).register(_).register(v).register(y).register(b).register(x).register(S)}const m={scope:`blueprint`,name:`integration.duplicate-slots`,category:`integration`,validate(e){let t=[],n=new Set;for(let r of e.integrationSlots??[])n.has(r.slotId)?t.push(C({code:`DUPLICATE_SLOT`,severity:`error`,path:`integrationSlots.${r.slotId}`,message:`Duplicate integration slot id "${r.slotId}".`})):n.add(r.slotId),r.allowedModes&&r.allowedModes.length===0&&t.push(C({code:`EMPTY_ALLOWED_MODES`,severity:`warning`,path:`integrationSlots.${r.slotId}.allowedModes`,message:`allowedModes is empty; the slot will accept any supported mode.`}));return e.branding&&!e.branding.appNameKey.trim()&&t.push(C({code:`MISSING_APP_NAME_KEY`,severity:`warning`,path:`branding.appNameKey`,message:`branding.appNameKey should reference a translation catalog key.`})),t}},h={scope:`blueprint`,name:`capability.registry-check`,category:`capability`,validate(e,t){let n=[],r=t.capabilities;return r&&(e.capabilities?.enabled??[]).forEach((e,t)=>{r.get(e.key,e.version)||n.push(C({code:`MISSING_CAPABILITY`,severity:`error`,path:`capabilities.enabled[${t}]`,message:`Capability "${e.key}@${e.version}" is not registered.`}))}),n}},g={scope:`tenant`,name:`capability.required-enabled`,category:`capability`,validate(e,t,n){let r=[],i=n.capabilities,a=new Set((e.capabilities?.enabled??[]).map(T)),o=t.capabilities?.disable??[];return o.forEach((e,t)=>{a.has(T(e))&&r.push(C({code:`DISABLED_REQUIRED_CAPABILITY`,severity:`error`,path:`capabilities.disable[${t}]`,message:`Capability "${e.key}@${e.version}" is required by the blueprint and cannot be disabled.`}))}),i&&((t.capabilities?.enable??[]).forEach((e,t)=>{i.get(e.key,e.version)||r.push(C({code:`UNKNOWN_CAPABILITY_ENABLE`,severity:`error`,path:`capabilities.enable[${t}]`,message:`Capability "${e.key}@${e.version}" is not registered.`}))}),o.forEach((e,t)=>{i.get(e.key,e.version)||r.push(C({code:`UNKNOWN_CAPABILITY_DISABLE`,severity:`warning`,path:`capabilities.disable[${t}]`,message:`Capability "${e.key}@${e.version}" is not registered.`}))})),r}},_={scope:`tenant`,name:`integration.slot-binding`,category:`integration`,validate(e,t,n){let r=[],i=new Map((e.integrationSlots??[]).map(e=>[e.slotId,e])),a=t.integrations??[],o=n.tenantConnections?.reduce((e,t)=>e.set(t.meta.id,t),new Map)??new Map,s=new Set;a.forEach(e=>{let a=`integrations.${e.slotId}`,c=i.get(e.slotId);if(!c){r.push(C({code:`UNKNOWN_SLOT_BINDING`,severity:`error`,path:a,message:`Integration slot "${e.slotId}" is not defined in the blueprint.`}));return}let l=!0,u=o.get(e.connectionId);if(!u){r.push(C({code:`MISSING_INTEGRATION_CONNECTION`,severity:`error`,path:a,message:`Integration connection "${e.connectionId}" was not found for tenant "${t.meta.tenantId}".`})),l=!1;return}u.meta.tenantId!==t.meta.tenantId&&(r.push(C({code:`FOREIGN_CONNECTION`,severity:`error`,path:a,message:`Connection "${e.connectionId}" belongs to tenant "${u.meta.tenantId}", not "${t.meta.tenantId}".`})),l=!1),c.allowedModes&&c.allowedModes.length>0&&(c.allowedModes.includes(u.ownershipMode)||(r.push(C({code:`MODE_MISMATCH`,severity:`error`,path:a,message:`Slot "${c.slotId}" only allows modes [${c.allowedModes.join(`, `)}] but connection is "${u.ownershipMode}".`})),l=!1)),u.status===`disconnected`||u.status===`error`?(r.push(C({code:`CONNECTION_NOT_READY`,severity:`error`,path:a,message:`Connection "${u.meta.label}" is in status "${u.status}".`})),l=!1):u.status===`unknown`&&r.push(C({code:`CONNECTION_STATUS_UNKNOWN`,severity:`warning`,path:a,message:`Connection "${u.meta.label}" has unknown health status.`}));let d=D(n.integrationSpecs,u);if(!d){r.push(C({code:`INTEGRATION_SPEC_NOT_FOUND`,severity:`warning`,path:a,message:`Integration spec "${u.meta.integrationKey}@${u.meta.integrationVersion}" is not registered.`})),l=!1;return}d.meta.category!==c.requiredCategory&&(r.push(C({code:`CATEGORY_MISMATCH`,severity:`error`,path:a,message:`Slot "${c.slotId}" requires category "${c.requiredCategory}" but connection provides "${d.meta.category}".`})),l=!1),d.supportedModes.includes(u.ownershipMode)||(r.push(C({code:`UNSUPPORTED_OWNERSHIP_MODE`,severity:`error`,path:a,message:`Integration spec "${d.meta.key}" does not support ownership mode "${u.ownershipMode}".`})),l=!1);for(let e of c.requiredCapabilities??[])E(d,e)||(r.push(C({code:`CAPABILITY_NOT_PROVIDED`,severity:`error`,path:a,message:`Integration "${d.meta.key}" does not provide required capability "${e.key}@${e.version}".`})),l=!1);l&&s.add(c.slotId)});for(let e of i.values())e.required&&!s.has(e.slotId)&&r.push(C({code:`MISSING_REQUIRED_SLOT`,severity:`error`,path:`integrations.${e.slotId}`,message:`Required integration slot "${e.slotId}" is not bound.`}));return r}},v={scope:`tenant`,name:`knowledge.bindings`,category:`knowledge`,validate(e,t,n){let r=[],i=n.knowledgeSpaces;if(!i)return r;let a=n.knowledgeSources??[];return(t.knowledge??[]).forEach((e,n)=>{let o=`knowledge[${n}]`,s=i.get(e.spaceKey,e.spaceVersion);if(!s){r.push(C({code:`UNKNOWN_KNOWLEDGE_SPACE`,severity:`error`,path:`${o}.spaceKey`,message:`Knowledge space "${e.spaceKey}" is not registered.`}));return}a.some(t=>t.meta.spaceKey===e.spaceKey?e.spaceVersion==null?!0:t.meta.spaceVersion===e.spaceVersion:!1)||r.push(C({code:`MISSING_KNOWLEDGE_SOURCES`,severity:`error`,path:o,message:`Knowledge space "${e.spaceKey}" has no configured sources for tenant "${t.meta.tenantId}".`})),(s.meta.category===`external`||s.meta.category===`ephemeral`)&&r.push(C({code:`LOW_TRUST_KNOWLEDGE`,severity:`warning`,path:o,message:`Knowledge space "${e.spaceKey}" has category "${s.meta.category}". Avoid using it for irreversible or policy decisions.`}))}),r}},y={scope:`tenant`,name:`branding.constraints`,category:`branding`,validate(e,i,a){let o=[],s=i.branding;if(!s)return o;let c=s.customDomain?.trim();if(c){t.test(c)||o.push(C({code:`INVALID_DOMAIN`,severity:`error`,path:`branding.customDomain`,message:`Custom domain "${c}" is not a valid hostname.`}));let e=(a.existingConfigs??[]).find(e=>{if(e.meta.id===i.meta.id)return!1;let t=e.branding?.customDomain?.trim();return t?t.toLowerCase()===c.toLowerCase():!1});e&&o.push(C({code:`DUPLICATE_DOMAIN`,severity:`error`,path:`branding.customDomain`,message:`Custom domain "${c}" is already used by tenant "${e.meta.tenantId}".`}))}return(s.assets??[]).forEach((e,t)=>{let i=`branding.assets[${t}]`;n.test(e.url)||o.push(C({code:`INSECURE_ASSET_URL`,severity:`error`,path:`${i}.url`,message:`Branding asset "${e.type}" must use an HTTPS URL.`}));let a=r[e.type]??r.logo,s=O(e.url);s&&a&&!a.includes(s)&&o.push(C({code:`UNEXPECTED_ASSET_TYPE`,severity:`warning`,path:`${i}.url`,message:`Asset "${e.type}" should use one of: ${(a??[]).join(`, `)}. Detected "${s}".`}))}),o}},b={scope:`tenant`,name:`translation.consistency`,category:`translation`,validate(e,t,n){let r=[],i=e.translationCatalog,a=k(n.translationCatalogs),o=i?a.blueprint.find(e=>e.meta.name===i.name&&e.meta.version===i.version):void 0;i&&!o&&r.push(C({code:`MISSING_BLUEPRINT_CATALOG`,severity:`error`,path:`translationCatalog`,message:`Blueprint translation catalog "${i.name}@${i.version}" is not loaded in context.`}));let s=new Set;e.branding?.appNameKey&&(s.add(e.branding.appNameKey),o&&!A(o.entries,e.branding.appNameKey,o.defaultLocale)&&r.push(C({code:`MISSING_TRANSLATION_KEY`,severity:`error`,path:`branding.appNameKey`,message:`Translation key "${e.branding.appNameKey}" is missing for locale "${o.defaultLocale}".`})));let c=t.locales;if(c){let{defaultLocale:e,enabledLocales:t}=c;if(t.includes(e)||r.push(C({code:`LOCALE_NOT_ENABLED`,severity:`warning`,path:`locales.enabledLocales`,message:`enabledLocales does not include defaultLocale "${e}".`})),o){let n=new Set(o.supportedLocales);for(let i of[e,...t])n.has(i)||r.push(C({code:`UNSUPPORTED_LOCALE`,severity:`error`,path:`locales.enabledLocales`,message:`Locale "${i}" is not supported by blueprint catalog "${o.meta.name}".`}))}}let l=new Set;for(let e of a.blueprint)for(let t of e.entries)l.add(t.key);for(let e of a.platform)for(let t of e.entries)l.add(t.key);return(t.translationOverrides?.entries??[]).forEach((e,n)=>{let i=`translationOverrides.entries[${n}]`;l.has(e.key)||r.push(C({code:`UNKNOWN_TRANSLATION_KEY`,severity:`error`,path:i,message:`Override references unknown key "${e.key}".`})),o&&(new Set([...o.supportedLocales,...t.locales?.enabledLocales??[],t.locales?.defaultLocale??o.defaultLocale]).has(e.locale)||r.push(C({code:`UNSUPPORTED_LOCALE_OVERRIDE`,severity:`error`,path:i,message:`Locale "${e.locale}" is not enabled for tenant overrides.`})))}),r}},x={scope:`resolved`,name:`integration.required-slots`,category:`integration`,validate(e,t){let n=[],r=(e.integrationSlots??[]).filter(e=>e.required);for(let e of r)t.integrations.some(t=>t.slot.slotId===e.slotId)||n.push(C({code:`MISSING_REQUIRED_SLOT`,severity:`error`,path:`integrations.${e.slotId}`,message:`Resolved config is missing integration slot "${e.slotId}".`}));for(let e of t.integrations)(e.connection.status===`disconnected`||e.connection.status===`error`)&&n.push(C({code:`CONNECTION_NOT_READY`,severity:`error`,path:`integrations.${e.slot.slotId}`,message:`Resolved integration "${e.slot.slotId}" uses a connection in status "${e.connection.status}".`}));return n}},S={scope:`resolved`,name:`translation.default-locale`,category:`translation`,validate(e,t){let n=[],r=t.translation;return r&&!r.supportedLocales.includes(r.defaultLocale)&&n.push(C({code:`DEFAULT_LOCALE_NOT_SUPPORTED`,severity:`warning`,path:`translation.defaultLocale`,message:`supportedLocales should include defaultLocale for consistent fallback behaviour.`})),n}};function C(e){return e}function w(e){let t=new Map;for(let n of e){let e=`${n.code}|${n.path}|${n.severity}`;t.has(e)||t.set(e,n)}return[...t.values()]}function T(e){return`${e.key}@${e.version}`}function E(e,t){return e.capabilities.provides.some(e=>e.key===t.key&&e.version===t.version)}function D(e,t){if(e)return e.get(t.meta.integrationKey,t.meta.integrationVersion)}function O(e){let[t]=e.split(`?`);if(!t)return;let n=t.lastIndexOf(`.`);if(n!==-1)return t.slice(n+1).toLowerCase()}function k(e){return e?{platform:e.platform?Array.isArray(e.platform)?e.platform:[e.platform]:[],blueprint:e.blueprint?Array.isArray(e.blueprint)?e.blueprint:[e.blueprint]:[]}:{platform:[],blueprint:[]}}function A(e,t,n){return e.some(e=>e.key===t&&e.locale===n)}export{c as validateBlueprint,s as validateConfig,u as validateResolvedConfig,l as validateTenantConfig};
+//#region src/app-config/validation.ts
+var ValidationRuleRegistry = class {
+	blueprintRules = [];
+	tenantRules = [];
+	resolvedRules = [];
+	register(rule) {
+		if (rule.scope === "blueprint") this.blueprintRules.push(rule);
+		else if (rule.scope === "tenant") this.tenantRules.push(rule);
+		else this.resolvedRules.push(rule);
+		return this;
+	}
+	validateBlueprint(blueprint, context) {
+		return dedupeIssues(this.blueprintRules.flatMap((rule) => rule.validate(blueprint, context)));
+	}
+	validateTenant(blueprint, tenant, context) {
+		return dedupeIssues(this.tenantRules.flatMap((rule) => rule.validate(blueprint, tenant, context)));
+	}
+	validateResolved(blueprint, resolved, context) {
+		return dedupeIssues(this.resolvedRules.flatMap((rule) => rule.validate(blueprint, resolved, context)));
+	}
+};
+const DOMAIN_REGEX = /^(?!:\/\/)([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[A-Za-z]{2,}$/;
+const HTTPS_URL_REGEX = /^https:\/\//i;
+const ALLOWED_ASSET_EXTENSIONS = {
+	logo: [
+		"png",
+		"svg",
+		"webp"
+	],
+	"logo-dark": [
+		"png",
+		"svg",
+		"webp"
+	],
+	favicon: [
+		"ico",
+		"png",
+		"svg"
+	],
+	"og-image": [
+		"png",
+		"jpg",
+		"jpeg",
+		"webp"
+	]
+};
+const EMPTY_CONTEXT = {};
+let registryInstance;
+function getRegistry() {
+	if (!registryInstance) registryInstance = createDefaultRegistry();
+	return registryInstance;
+}
+function validateConfig(blueprint, tenant, context = EMPTY_CONTEXT) {
+	const registry = getRegistry();
+	return mergeResults(buildResult(registry.validateBlueprint(blueprint, context)), buildResult(registry.validateTenant(blueprint, tenant, context)));
+}
+function validateBlueprint(blueprint, context = EMPTY_CONTEXT) {
+	return buildResult(getRegistry().validateBlueprint(blueprint, context));
+}
+function validateTenantConfig(blueprint, tenant, context = EMPTY_CONTEXT) {
+	return buildResult(getRegistry().validateTenant(blueprint, tenant, context));
+}
+function validateResolvedConfig(blueprint, resolved, context = EMPTY_CONTEXT) {
+	return buildResult(getRegistry().validateResolved(blueprint, resolved, context));
+}
+function buildResult(issues) {
+	const errors = issues.filter((issue$1) => issue$1.severity === "error");
+	const warnings = issues.filter((issue$1) => issue$1.severity === "warning");
+	const info = issues.filter((issue$1) => issue$1.severity === "info");
+	return {
+		valid: errors.length === 0,
+		errors,
+		warnings,
+		info
+	};
+}
+function mergeResults(...results) {
+	const errors = results.flatMap((result) => result.errors);
+	const warnings = results.flatMap((result) => result.warnings);
+	const info = results.flatMap((result) => result.info);
+	return {
+		valid: errors.length === 0,
+		errors,
+		warnings,
+		info
+	};
+}
+function createDefaultRegistry() {
+	return new ValidationRuleRegistry().register(blueprintIntegrationSlotRule).register(blueprintCapabilityRegistryRule).register(tenantCapabilityRule).register(tenantIntegrationBindingRule).register(tenantKnowledgeRule).register(tenantBrandingRule).register(tenantTranslationRule).register(resolvedIntegrationRule).register(resolvedTranslationRule);
+}
+const blueprintIntegrationSlotRule = {
+	scope: "blueprint",
+	name: "integration.duplicate-slots",
+	category: "integration",
+	validate(blueprint) {
+		const issues = [];
+		const seen = /* @__PURE__ */ new Set();
+		for (const slot of blueprint.integrationSlots ?? []) {
+			if (seen.has(slot.slotId)) issues.push(issue({
+				code: "DUPLICATE_SLOT",
+				severity: "error",
+				path: `integrationSlots.${slot.slotId}`,
+				message: `Duplicate integration slot id "${slot.slotId}".`
+			}));
+			else seen.add(slot.slotId);
+			if (slot.allowedModes && slot.allowedModes.length === 0) issues.push(issue({
+				code: "EMPTY_ALLOWED_MODES",
+				severity: "warning",
+				path: `integrationSlots.${slot.slotId}.allowedModes`,
+				message: "allowedModes is empty; the slot will accept any supported mode."
+			}));
+		}
+		if (blueprint.branding && !blueprint.branding.appNameKey.trim()) issues.push(issue({
+			code: "MISSING_APP_NAME_KEY",
+			severity: "warning",
+			path: "branding.appNameKey",
+			message: "branding.appNameKey should reference a translation catalog key."
+		}));
+		return issues;
+	}
+};
+const blueprintCapabilityRegistryRule = {
+	scope: "blueprint",
+	name: "capability.registry-check",
+	category: "capability",
+	validate(blueprint, context) {
+		const issues = [];
+		const registry = context.capabilities;
+		if (!registry) return issues;
+		(blueprint.capabilities?.enabled ?? []).forEach((ref, index) => {
+			if (!registry.get(ref.key, ref.version)) issues.push(issue({
+				code: "MISSING_CAPABILITY",
+				severity: "error",
+				path: `capabilities.enabled[${index}]`,
+				message: `Capability "${ref.key}@${ref.version}" is not registered.`
+			}));
+		});
+		return issues;
+	}
+};
+const tenantCapabilityRule = {
+	scope: "tenant",
+	name: "capability.required-enabled",
+	category: "capability",
+	validate(blueprint, tenant, context) {
+		const issues = [];
+		const registry = context.capabilities;
+		const requiredKeys = new Set((blueprint.capabilities?.enabled ?? []).map(capabilityRefKey));
+		const disabled = tenant.capabilities?.disable ?? [];
+		disabled.forEach((ref, index) => {
+			if (requiredKeys.has(capabilityRefKey(ref))) issues.push(issue({
+				code: "DISABLED_REQUIRED_CAPABILITY",
+				severity: "error",
+				path: `capabilities.disable[${index}]`,
+				message: `Capability "${ref.key}@${ref.version}" is required by the blueprint and cannot be disabled.`
+			}));
+		});
+		if (registry) {
+			(tenant.capabilities?.enable ?? []).forEach((ref, index) => {
+				if (!registry.get(ref.key, ref.version)) issues.push(issue({
+					code: "UNKNOWN_CAPABILITY_ENABLE",
+					severity: "error",
+					path: `capabilities.enable[${index}]`,
+					message: `Capability "${ref.key}@${ref.version}" is not registered.`
+				}));
+			});
+			disabled.forEach((ref, index) => {
+				if (!registry.get(ref.key, ref.version)) issues.push(issue({
+					code: "UNKNOWN_CAPABILITY_DISABLE",
+					severity: "warning",
+					path: `capabilities.disable[${index}]`,
+					message: `Capability "${ref.key}@${ref.version}" is not registered.`
+				}));
+			});
+		}
+		return issues;
+	}
+};
+const tenantIntegrationBindingRule = {
+	scope: "tenant",
+	name: "integration.slot-binding",
+	category: "integration",
+	validate(blueprint, tenant, context) {
+		const issues = [];
+		const slots = new Map((blueprint.integrationSlots ?? []).map((slot) => [slot.slotId, slot]));
+		const bindings = tenant.integrations ?? [];
+		const connections = context.tenantConnections?.reduce((map, connection) => map.set(connection.meta.id, connection), /* @__PURE__ */ new Map()) ?? /* @__PURE__ */ new Map();
+		const satisfiedSlots = /* @__PURE__ */ new Set();
+		bindings.forEach((binding) => {
+			const path = `integrations.${binding.slotId}`;
+			const slot = slots.get(binding.slotId);
+			if (!slot) {
+				issues.push(issue({
+					code: "UNKNOWN_SLOT_BINDING",
+					severity: "error",
+					path,
+					message: `Integration slot "${binding.slotId}" is not defined in the blueprint.`
+				}));
+				return;
+			}
+			let slotValid = true;
+			const connection = connections.get(binding.connectionId);
+			if (!connection) {
+				issues.push(issue({
+					code: "MISSING_INTEGRATION_CONNECTION",
+					severity: "error",
+					path,
+					message: `Integration connection "${binding.connectionId}" was not found for tenant "${tenant.meta.tenantId}".`
+				}));
+				slotValid = false;
+				return;
+			}
+			if (connection.meta.tenantId !== tenant.meta.tenantId) {
+				issues.push(issue({
+					code: "FOREIGN_CONNECTION",
+					severity: "error",
+					path,
+					message: `Connection "${binding.connectionId}" belongs to tenant "${connection.meta.tenantId}", not "${tenant.meta.tenantId}".`
+				}));
+				slotValid = false;
+			}
+			if (slot.allowedModes && slot.allowedModes.length > 0) {
+				if (!slot.allowedModes.includes(connection.ownershipMode)) {
+					issues.push(issue({
+						code: "MODE_MISMATCH",
+						severity: "error",
+						path,
+						message: `Slot "${slot.slotId}" only allows modes [${slot.allowedModes.join(", ")}] but connection is "${connection.ownershipMode}".`
+					}));
+					slotValid = false;
+				}
+			}
+			if (connection.status === "disconnected" || connection.status === "error") {
+				issues.push(issue({
+					code: "CONNECTION_NOT_READY",
+					severity: "error",
+					path,
+					message: `Connection "${connection.meta.label}" is in status "${connection.status}".`
+				}));
+				slotValid = false;
+			} else if (connection.status === "unknown") issues.push(issue({
+				code: "CONNECTION_STATUS_UNKNOWN",
+				severity: "warning",
+				path,
+				message: `Connection "${connection.meta.label}" has unknown health status.`
+			}));
+			const spec = lookupIntegrationSpec(context.integrationSpecs, connection);
+			if (!spec) {
+				issues.push(issue({
+					code: "INTEGRATION_SPEC_NOT_FOUND",
+					severity: "warning",
+					path,
+					message: `Integration spec "${connection.meta.integrationKey}@${connection.meta.integrationVersion}" is not registered.`
+				}));
+				slotValid = false;
+				return;
+			}
+			if (spec.meta.category !== slot.requiredCategory) {
+				issues.push(issue({
+					code: "CATEGORY_MISMATCH",
+					severity: "error",
+					path,
+					message: `Slot "${slot.slotId}" requires category "${slot.requiredCategory}" but connection provides "${spec.meta.category}".`
+				}));
+				slotValid = false;
+			}
+			if (!spec.supportedModes.includes(connection.ownershipMode)) {
+				issues.push(issue({
+					code: "UNSUPPORTED_OWNERSHIP_MODE",
+					severity: "error",
+					path,
+					message: `Integration spec "${spec.meta.key}" does not support ownership mode "${connection.ownershipMode}".`
+				}));
+				slotValid = false;
+			}
+			for (const required of slot.requiredCapabilities ?? []) if (!integrationProvidesCapability(spec, required)) {
+				issues.push(issue({
+					code: "CAPABILITY_NOT_PROVIDED",
+					severity: "error",
+					path,
+					message: `Integration "${spec.meta.key}" does not provide required capability "${required.key}@${required.version}".`
+				}));
+				slotValid = false;
+			}
+			if (slotValid) satisfiedSlots.add(slot.slotId);
+		});
+		for (const slot of slots.values()) if (slot.required && !satisfiedSlots.has(slot.slotId)) issues.push(issue({
+			code: "MISSING_REQUIRED_SLOT",
+			severity: "error",
+			path: `integrations.${slot.slotId}`,
+			message: `Required integration slot "${slot.slotId}" is not bound.`
+		}));
+		return issues;
+	}
+};
+const tenantKnowledgeRule = {
+	scope: "tenant",
+	name: "knowledge.bindings",
+	category: "knowledge",
+	validate(_blueprint, tenant, context) {
+		const issues = [];
+		const registry = context.knowledgeSpaces;
+		if (!registry) return issues;
+		const sources = context.knowledgeSources ?? [];
+		(tenant.knowledge ?? []).forEach((binding, index) => {
+			const path = `knowledge[${index}]`;
+			const space = registry.get(binding.spaceKey, binding.spaceVersion);
+			if (!space) {
+				issues.push(issue({
+					code: "UNKNOWN_KNOWLEDGE_SPACE",
+					severity: "error",
+					path: `${path}.spaceKey`,
+					message: `Knowledge space "${binding.spaceKey}" is not registered.`
+				}));
+				return;
+			}
+			if (!sources.some((source) => {
+				if (source.meta.spaceKey !== binding.spaceKey) return false;
+				if (binding.spaceVersion != null) return source.meta.spaceVersion === binding.spaceVersion;
+				return true;
+			})) issues.push(issue({
+				code: "MISSING_KNOWLEDGE_SOURCES",
+				severity: "error",
+				path,
+				message: `Knowledge space "${binding.spaceKey}" has no configured sources for tenant "${tenant.meta.tenantId}".`
+			}));
+			if (space.meta.category === "external" || space.meta.category === "ephemeral") issues.push(issue({
+				code: "LOW_TRUST_KNOWLEDGE",
+				severity: "warning",
+				path,
+				message: `Knowledge space "${binding.spaceKey}" has category "${space.meta.category}". Avoid using it for irreversible or policy decisions.`
+			}));
+		});
+		return issues;
+	}
+};
+const tenantBrandingRule = {
+	scope: "tenant",
+	name: "branding.constraints",
+	category: "branding",
+	validate(_blueprint, tenant, context) {
+		const issues = [];
+		const branding = tenant.branding;
+		if (!branding) return issues;
+		const domain = branding.customDomain?.trim();
+		if (domain) {
+			if (!DOMAIN_REGEX.test(domain)) issues.push(issue({
+				code: "INVALID_DOMAIN",
+				severity: "error",
+				path: "branding.customDomain",
+				message: `Custom domain "${domain}" is not a valid hostname.`
+			}));
+			const conflict = (context.existingConfigs ?? []).find((config) => {
+				if (config.meta.id === tenant.meta.id) return false;
+				const otherDomain = config.branding?.customDomain?.trim();
+				if (!otherDomain) return false;
+				return otherDomain.toLowerCase() === domain.toLowerCase();
+			});
+			if (conflict) issues.push(issue({
+				code: "DUPLICATE_DOMAIN",
+				severity: "error",
+				path: "branding.customDomain",
+				message: `Custom domain "${domain}" is already used by tenant "${conflict.meta.tenantId}".`
+			}));
+		}
+		(branding.assets ?? []).forEach((asset, index) => {
+			const assetPath = `branding.assets[${index}]`;
+			if (!HTTPS_URL_REGEX.test(asset.url)) issues.push(issue({
+				code: "INSECURE_ASSET_URL",
+				severity: "error",
+				path: `${assetPath}.url`,
+				message: `Branding asset "${asset.type}" must use an HTTPS URL.`
+			}));
+			const allowed = ALLOWED_ASSET_EXTENSIONS[asset.type] ?? ALLOWED_ASSET_EXTENSIONS.logo;
+			const extension = extractExtension(asset.url);
+			if (extension && allowed && !allowed.includes(extension)) issues.push(issue({
+				code: "UNEXPECTED_ASSET_TYPE",
+				severity: "warning",
+				path: `${assetPath}.url`,
+				message: `Asset "${asset.type}" should use one of: ${(allowed ?? []).join(", ")}. Detected "${extension}".`
+			}));
+		});
+		return issues;
+	}
+};
+const tenantTranslationRule = {
+	scope: "tenant",
+	name: "translation.consistency",
+	category: "translation",
+	validate(blueprint, tenant, context) {
+		const issues = [];
+		const pointer = blueprint.translationCatalog;
+		const catalogs = normalizeCatalogs(context.translationCatalogs);
+		const blueprintCatalog = pointer ? catalogs.blueprint.find((catalog) => catalog.meta.name === pointer.name && catalog.meta.version === pointer.version) : void 0;
+		if (pointer && !blueprintCatalog) issues.push(issue({
+			code: "MISSING_BLUEPRINT_CATALOG",
+			severity: "error",
+			path: "translationCatalog",
+			message: `Blueprint translation catalog "${pointer.name}@${pointer.version}" is not loaded in context.`
+		}));
+		const requiredKeys = /* @__PURE__ */ new Set();
+		if (blueprint.branding?.appNameKey) {
+			requiredKeys.add(blueprint.branding.appNameKey);
+			if (blueprintCatalog && !hasTranslationEntry(blueprintCatalog.entries, blueprint.branding.appNameKey, blueprintCatalog.defaultLocale)) issues.push(issue({
+				code: "MISSING_TRANSLATION_KEY",
+				severity: "error",
+				path: "branding.appNameKey",
+				message: `Translation key "${blueprint.branding.appNameKey}" is missing for locale "${blueprintCatalog.defaultLocale}".`
+			}));
+		}
+		const tenantLocales = tenant.locales;
+		if (tenantLocales) {
+			const { defaultLocale, enabledLocales } = tenantLocales;
+			if (!enabledLocales.includes(defaultLocale)) issues.push(issue({
+				code: "LOCALE_NOT_ENABLED",
+				severity: "warning",
+				path: "locales.enabledLocales",
+				message: `enabledLocales does not include defaultLocale "${defaultLocale}".`
+			}));
+			if (blueprintCatalog) {
+				const supported = new Set(blueprintCatalog.supportedLocales);
+				for (const locale of [defaultLocale, ...enabledLocales]) if (!supported.has(locale)) issues.push(issue({
+					code: "UNSUPPORTED_LOCALE",
+					severity: "error",
+					path: "locales.enabledLocales",
+					message: `Locale "${locale}" is not supported by blueprint catalog "${blueprintCatalog.meta.name}".`
+				}));
+			}
+		}
+		const allowedKeys = /* @__PURE__ */ new Set();
+		for (const catalog of catalogs.blueprint) for (const entry of catalog.entries) allowedKeys.add(entry.key);
+		for (const catalog of catalogs.platform) for (const entry of catalog.entries) allowedKeys.add(entry.key);
+		(tenant.translationOverrides?.entries ?? []).forEach((entry, index) => {
+			const path = `translationOverrides.entries[${index}]`;
+			if (!allowedKeys.has(entry.key)) issues.push(issue({
+				code: "UNKNOWN_TRANSLATION_KEY",
+				severity: "error",
+				path,
+				message: `Override references unknown key "${entry.key}".`
+			}));
+			if (blueprintCatalog) {
+				if (!new Set([
+					...blueprintCatalog.supportedLocales,
+					...tenant.locales?.enabledLocales ?? [],
+					tenant.locales?.defaultLocale ?? blueprintCatalog.defaultLocale
+				]).has(entry.locale)) issues.push(issue({
+					code: "UNSUPPORTED_LOCALE_OVERRIDE",
+					severity: "error",
+					path,
+					message: `Locale "${entry.locale}" is not enabled for tenant overrides.`
+				}));
+			}
+		});
+		return issues;
+	}
+};
+const resolvedIntegrationRule = {
+	scope: "resolved",
+	name: "integration.required-slots",
+	category: "integration",
+	validate(blueprint, resolved) {
+		const issues = [];
+		const requiredSlots = (blueprint.integrationSlots ?? []).filter((slot) => slot.required);
+		for (const slot of requiredSlots) if (!resolved.integrations.some((integration) => integration.slot.slotId === slot.slotId)) issues.push(issue({
+			code: "MISSING_REQUIRED_SLOT",
+			severity: "error",
+			path: `integrations.${slot.slotId}`,
+			message: `Resolved config is missing integration slot "${slot.slotId}".`
+		}));
+		for (const integration of resolved.integrations) if (integration.connection.status === "disconnected" || integration.connection.status === "error") issues.push(issue({
+			code: "CONNECTION_NOT_READY",
+			severity: "error",
+			path: `integrations.${integration.slot.slotId}`,
+			message: `Resolved integration "${integration.slot.slotId}" uses a connection in status "${integration.connection.status}".`
+		}));
+		return issues;
+	}
+};
+const resolvedTranslationRule = {
+	scope: "resolved",
+	name: "translation.default-locale",
+	category: "translation",
+	validate(_blueprint, resolved) {
+		const issues = [];
+		const translation = resolved.translation;
+		if (translation && !translation.supportedLocales.includes(translation.defaultLocale)) issues.push(issue({
+			code: "DEFAULT_LOCALE_NOT_SUPPORTED",
+			severity: "warning",
+			path: "translation.defaultLocale",
+			message: "supportedLocales should include defaultLocale for consistent fallback behaviour."
+		}));
+		return issues;
+	}
+};
+function issue(input) {
+	return input;
+}
+function dedupeIssues(issues) {
+	const map = /* @__PURE__ */ new Map();
+	for (const current of issues) {
+		const key = `${current.code}|${current.path}|${current.severity}`;
+		if (!map.has(key)) map.set(key, current);
+	}
+	return [...map.values()];
+}
+function capabilityRefKey(ref) {
+	return `${ref.key}@${ref.version}`;
+}
+function integrationProvidesCapability(spec, required) {
+	return spec.capabilities.provides.some((provided) => provided.key === required.key && provided.version === required.version);
+}
+function lookupIntegrationSpec(registry, connection) {
+	if (!registry) return void 0;
+	return registry.get(connection.meta.integrationKey, connection.meta.integrationVersion);
+}
+function extractExtension(url) {
+	const [raw] = url.split("?");
+	if (!raw) return void 0;
+	const lastDot = raw.lastIndexOf(".");
+	if (lastDot === -1) return void 0;
+	return raw.slice(lastDot + 1).toLowerCase();
+}
+function normalizeCatalogs(catalogs) {
+	if (!catalogs) return {
+		platform: [],
+		blueprint: []
+	};
+	return {
+		platform: catalogs.platform ? Array.isArray(catalogs.platform) ? catalogs.platform : [catalogs.platform] : [],
+		blueprint: catalogs.blueprint ? Array.isArray(catalogs.blueprint) ? catalogs.blueprint : [catalogs.blueprint] : []
+	};
+}
+function hasTranslationEntry(entries, key, locale) {
+	return entries.some((entry) => entry.key === key && entry.locale === locale);
+}
+
+//#endregion
+export { validateBlueprint, validateConfig, validateResolvedConfig, validateTenantConfig };

package/dist/capabilities/docs/capabilities.docblock.js

@@ -1 +1,22 @@
-import{registerDocBlocks as e}from"../../docs/registry.js";import"../../registry.js";const t=[{id:`docs.tech.contracts.capabilities`,title:`CapabilitySpec Overview`,summary:"Capability specs provide a canonical, versioned contract for what a module offers (`provides`) and what it depends on (`requires`). They enable safe composition across features, automated validation during `installFeature`, and consistent documentation for shared surfaces (APIs, events, workflows, UI, resources).",kind:`reference`,visibility:`public`,route:`/docs/tech/contracts/capabilities`,tags:[`tech`,`contracts`,`capabilities`],body:"# CapabilitySpec Overview\n\n## Purpose\n\nCapability specs provide a canonical, versioned contract for what a module offers (`provides`) and what it depends on (`requires`). They enable safe composition across features, automated validation during `installFeature`, and consistent documentation for shared surfaces (APIs, events, workflows, UI, resources).\n\n## Schema\n\nDefined in `@lssm/lib.contracts/src/capabilities.ts`.\n\n```ts\nexport interface CapabilitySpec {\n  meta: CapabilityMeta;              // ownership metadata + { key, version, kind }\n  provides?: CapabilitySurfaceRef[]; // what concrete surfaces this capability exposes\n  requires?: CapabilityRequirement[];// capabilities that must already exist\n}\n```\n\n- **CapabilityMeta**\n  - `key`: stable slug (e.g., `payments.stripe`)\n  - `version`: bump on breaking changes\n  - `kind`: `'api' | 'event' | 'data' | 'ui' | 'integration'`\n  - ownership fields (`title`, `description`, `domain`, `owners`, `tags`, `stability`)\n- **CapabilitySurfaceRef**\n  - `surface`: `'operation' | 'event' | 'workflow' | 'presentation' | 'resource'`\n  - `name` / `version`: points to the declared contract (operation name, event name, etc.)\n  - optional `description`\n- **CapabilityRequirement**\n  - `key`: capability slug to satisfy\n  - `version?`: pin to an exact version when required (defaults to highest registered)\n  - `kind?`: extra guard if the same key hosts multiple kinds\n  - `optional?`: skip strict enforcement (informational requirement)\n  - `reason?`: why this dependency exists (docs + tooling)\n\n## Registry\n\n`CapabilityRegistry` provides:\n\n- `register(spec)`: register a capability (`key + version` must be unique)\n- `get(key, version?)`: retrieve the exact or highest version\n- `list()`: inspect all capabilities\n- `satisfies(requirement, additional?)`: check if a requirement is met (includes locally provided capabilities passed via `additional`)\n\n## Feature Integration\n\n`FeatureModuleSpec` now accepts:\n\n```ts\ncapabilities?: {\n  provides?: CapabilityRef[];    // capabilities this feature exposes\n  requires?: CapabilityRequirement[]; // capabilities the feature needs\n};\n```\n\nDuring `installFeature`:\n\n1. `provides` entries must exist in the `CapabilityRegistry`.\n2. `requires` entries must be satisfied either by:\n   - the same feature’s `provides`,\n   - or existing capabilities already registered in the global registry.\n\nErrors are thrown when dependencies cannot be satisfied, preventing unsafe module composition.\n\n## Authoring Guidelines\n\n1. **Register capability specs** in a shared package (e.g., `packages/.../capabilities`) before referencing them in features.\n2. **Version consciously**: bump capability versions when the provided surfaces or contract semantics change.\n3. **Document dependencies** via `reason` strings to help operators understand why a capability is required.\n4. **Prefer stable keys** that map to business/technical domains (`billing.invoices`, `payments.stripe`, `cms.assets`).\n5. When introducing new capability kinds, update the `CapabilityKind` union and accompanying docs/tests.\n\n## Tooling (Roadmap)\n\n- CLI validation warns when feature specs reference missing capabilities.\n- Future build steps will leverage capability data to scaffold adapters and enforce policy in generated code.\n- Capability metadata will surface in docs/LLM guides to describe module marketplaces and installation flows.\n\n"}];e(t);export{t as tech_contracts_capabilities_DocBlocks};
+import { registerDocBlocks } from "../../docs/registry.js";
+import "../../registry.js";
+
+//#region src/capabilities/docs/capabilities.docblock.ts
+const tech_contracts_capabilities_DocBlocks = [{
+	id: "docs.tech.contracts.capabilities",
+	title: "CapabilitySpec Overview",
+	summary: "Capability specs provide a canonical, versioned contract for what a module offers (`provides`) and what it depends on (`requires`). They enable safe composition across features, automated validation during `installFeature`, and consistent documentation for shared surfaces (APIs, events, workflows, UI, resources).",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/contracts/capabilities",
+	tags: [
+		"tech",
+		"contracts",
+		"capabilities"
+	],
+	body: "# CapabilitySpec Overview\n\n## Purpose\n\nCapability specs provide a canonical, versioned contract for what a module offers (`provides`) and what it depends on (`requires`). They enable safe composition across features, automated validation during `installFeature`, and consistent documentation for shared surfaces (APIs, events, workflows, UI, resources).\n\n## Schema\n\nDefined in `@lssm/lib.contracts/src/capabilities.ts`.\n\n```ts\nexport interface CapabilitySpec {\n  meta: CapabilityMeta;              // ownership metadata + { key, version, kind }\n  provides?: CapabilitySurfaceRef[]; // what concrete surfaces this capability exposes\n  requires?: CapabilityRequirement[];// capabilities that must already exist\n}\n```\n\n- **CapabilityMeta**\n  - `key`: stable slug (e.g., `payments.stripe`)\n  - `version`: bump on breaking changes\n  - `kind`: `'api' | 'event' | 'data' | 'ui' | 'integration'`\n  - ownership fields (`title`, `description`, `domain`, `owners`, `tags`, `stability`)\n- **CapabilitySurfaceRef**\n  - `surface`: `'operation' | 'event' | 'workflow' | 'presentation' | 'resource'`\n  - `name` / `version`: points to the declared contract (operation name, event name, etc.)\n  - optional `description`\n- **CapabilityRequirement**\n  - `key`: capability slug to satisfy\n  - `version?`: pin to an exact version when required (defaults to highest registered)\n  - `kind?`: extra guard if the same key hosts multiple kinds\n  - `optional?`: skip strict enforcement (informational requirement)\n  - `reason?`: why this dependency exists (docs + tooling)\n\n## Registry\n\n`CapabilityRegistry` provides:\n\n- `register(spec)`: register a capability (`key + version` must be unique)\n- `get(key, version?)`: retrieve the exact or highest version\n- `list()`: inspect all capabilities\n- `satisfies(requirement, additional?)`: check if a requirement is met (includes locally provided capabilities passed via `additional`)\n\n## Feature Integration\n\n`FeatureModuleSpec` now accepts:\n\n```ts\ncapabilities?: {\n  provides?: CapabilityRef[];    // capabilities this feature exposes\n  requires?: CapabilityRequirement[]; // capabilities the feature needs\n};\n```\n\nDuring `installFeature`:\n\n1. `provides` entries must exist in the `CapabilityRegistry`.\n2. `requires` entries must be satisfied either by:\n   - the same feature’s `provides`,\n   - or existing capabilities already registered in the global registry.\n\nErrors are thrown when dependencies cannot be satisfied, preventing unsafe module composition.\n\n## Authoring Guidelines\n\n1. **Register capability specs** in a shared package (e.g., `packages/.../capabilities`) before referencing them in features.\n2. **Version consciously**: bump capability versions when the provided surfaces or contract semantics change.\n3. **Document dependencies** via `reason` strings to help operators understand why a capability is required.\n4. **Prefer stable keys** that map to business/technical domains (`billing.invoices`, `payments.stripe`, `cms.assets`).\n5. When introducing new capability kinds, update the `CapabilityKind` union and accompanying docs/tests.\n\n## Tooling (Roadmap)\n\n- CLI validation warns when feature specs reference missing capabilities.\n- Future build steps will leverage capability data to scaffold adapters and enforce policy in generated code.\n- Capability metadata will surface in docs/LLM guides to describe module marketplaces and installation flows.\n\n"
+}];
+registerDocBlocks(tech_contracts_capabilities_DocBlocks);
+
+//#endregion
+export { tech_contracts_capabilities_DocBlocks };