npm - @nitra/cursor - Versions diffs - 1.11.3 → 1.11.6 - Mend

@nitra/cursor 1.11.3 → 1.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

package/rules/k8s/policy/base_manifest/base_manifest_test.rego DELETED Viewed

@@ -1,94 +0,0 @@
-# Тести для `k8s.base_manifest`. Запуск:
-#   conftest verify -p npm/policy/k8s/base_manifest --namespace k8s.base_manifest
-package k8s.base_manifest_test
-import rego.v1
-import data.k8s.base_manifest
-# ── metadata.namespace required ─────────────────────────────────────────
-test_deny_namespaced_kind_without_metadata if {
-	count(base_manifest.deny) > 0 with input as {
-		"apiVersion": "v1",
-		"kind": "ConfigMap",
-	}
-}
-test_deny_namespaced_kind_empty_namespace if {
-	count(base_manifest.deny) > 0 with input as {
-		"apiVersion": "v1",
-		"kind": "ConfigMap",
-		"metadata": {"name": "cm", "namespace": ""},
-	}
-}
-test_allow_cluster_scoped_kind_without_namespace if {
-	count(base_manifest.deny) == 0 with input as {
-		"apiVersion": "v1",
-		"kind": "Namespace",
-		"metadata": {"name": "dev"},
-	}
-}
-test_allow_namespaced_kind_with_namespace if {
-	count(base_manifest.deny) == 0 with input as {
-		"apiVersion": "v1",
-		"kind": "ConfigMap",
-		"metadata": {"name": "cm", "namespace": "dev"},
-	}
-}
-# ── base canon resources ─────────────────────────────────────────────────
-test_deny_deployment_cpu_not_base_canon if {
-	count(base_manifest.deny) > 0 with input as {
-		"apiVersion": "apps/v1",
-		"kind": "Deployment",
-		"metadata": {"name": "api", "namespace": "dev"},
-		"spec": {"template": {"spec": {"containers": [{
-			"name": "main",
-			"image": "x",
-			"resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
-		}]}}},
-	}
-}
-test_deny_deployment_memory_not_base_canon if {
-	count(base_manifest.deny) > 0 with input as {
-		"apiVersion": "apps/v1",
-		"kind": "Deployment",
-		"metadata": {"name": "api", "namespace": "dev"},
-		"spec": {"template": {"spec": {"containers": [{
-			"name": "main",
-			"image": "x",
-			"resources": {"requests": {"cpu": "0.02", "memory": "256Mi"}},
-		}]}}},
-	}
-}
-test_allow_deployment_with_base_canon_string if {
-	count(base_manifest.deny) == 0 with input as {
-		"apiVersion": "apps/v1",
-		"kind": "Deployment",
-		"metadata": {"name": "api", "namespace": "dev"},
-		"spec": {"template": {"spec": {"containers": [{
-			"name": "main",
-			"image": "x",
-			"resources": {"requests": {"cpu": "0.02", "memory": "128Mi"}},
-		}]}}},
-	}
-}
-test_allow_deployment_with_base_canon_number_cpu if {
-	count(base_manifest.deny) == 0 with input as {
-		"apiVersion": "apps/v1",
-		"kind": "Deployment",
-		"metadata": {"name": "api", "namespace": "dev"},
-		"spec": {"template": {"spec": {"containers": [{
-			"name": "main",
-			"image": "x",
-			"resources": {"requests": {"cpu": 0.02, "memory": "128mi"}},
-		}]}}},
-	}
-}

package/rules/k8s/policy/gateway/gateway_test.rego DELETED Viewed

@@ -1,122 +0,0 @@
-# Тести для `k8s.gateway`. Запуск:
-#   conftest verify -p npm/policy/k8s/gateway --namespace k8s.gateway
-package k8s.gateway_test
-import rego.v1
-import data.k8s.gateway
-# ── HealthCheckPolicy ─────────────────────────────────────────────────────
-test_deny_hcp_targetref_without_hl_suffix if {
-	count(gateway.deny) > 0 with input as {
-		"apiVersion": "networking.gke.io/v1",
-		"kind": "HealthCheckPolicy",
-		"metadata": {"name": "hc"},
-		"spec": {"targetRef": {
-			"group": "",
-			"kind": "Service",
-			"name": "auth",
-		}},
-	}
-}
-test_allow_hcp_targetref_with_hl_suffix if {
-	count(gateway.deny) == 0 with input as {
-		"apiVersion": "networking.gke.io/v1",
-		"kind": "HealthCheckPolicy",
-		"metadata": {"name": "hc"},
-		"spec": {"targetRef": {
-			"group": "",
-			"kind": "Service",
-			"name": "auth-hl",
-		}},
-	}
-}
-test_deny_hcp_missing_targetref if {
-	count(gateway.deny) > 0 with input as {
-		"apiVersion": "networking.gke.io/v1",
-		"kind": "HealthCheckPolicy",
-		"metadata": {"name": "hc"},
-		"spec": {},
-	}
-}
-# Без kind=Service у targetRef правило не діє (інші kind не оцінюємо).
-test_allow_hcp_targetref_other_kind if {
-	count(gateway.deny) == 0 with input as {
-		"apiVersion": "networking.gke.io/v1",
-		"kind": "HealthCheckPolicy",
-		"metadata": {"name": "hc"},
-		"spec": {"targetRef": {
-			"kind": "Gateway",
-			"name": "gw",
-		}},
-	}
-}
-# ── HTTPRoute backendRef → Service з суфіксом `-hl` ──────────────────────
-test_deny_httproute_backend_without_hl if {
-	count(gateway.deny) > 0 with input as {
-		"apiVersion": "gateway.networking.k8s.io/v1",
-		"kind": "HTTPRoute",
-		"metadata": {"name": "r", "namespace": "dev"},
-		"spec": {"rules": [{"backendRefs": [{"name": "auth", "port": 8080}]}]},
-	}
-}
-test_allow_httproute_backend_with_hl if {
-	count(gateway.deny) == 0 with input as {
-		"apiVersion": "gateway.networking.k8s.io/v1",
-		"kind": "HTTPRoute",
-		"metadata": {"name": "r", "namespace": "dev"},
-		"spec": {"rules": [{"backendRefs": [{"name": "auth-hl", "port": 8080}]}]},
-	}
-}
-# ── HTTPRoute backendRef з redundant namespace ───────────────────────────
-test_deny_httproute_backend_redundant_namespace if {
-	count(gateway.deny) > 0 with input as {
-		"apiVersion": "gateway.networking.k8s.io/v1",
-		"kind": "HTTPRoute",
-		"metadata": {"name": "r", "namespace": "dev"},
-		"spec": {"rules": [{"backendRefs": [{
-			"name": "auth-hl",
-			"namespace": "dev",
-			"port": 8080,
-		}]}]},
-	}
-}
-test_allow_httproute_backend_different_namespace if {
-	count(gateway.deny) == 0 with input as {
-		"apiVersion": "gateway.networking.k8s.io/v1",
-		"kind": "HTTPRoute",
-		"metadata": {"name": "r", "namespace": "dev"},
-		"spec": {"rules": [{"backendRefs": [{
-			"name": "auth-hl",
-			"namespace": "other",
-			"port": 8080,
-		}]}]},
-	}
-}
-# Перевірка не діє на HTTPHeaderMatch (немає `port`).
-test_allow_httproute_header_match_without_port if {
-	count(gateway.deny) == 0 with input as {
-		"apiVersion": "gateway.networking.k8s.io/v1",
-		"kind": "HTTPRoute",
-		"metadata": {"name": "r", "namespace": "dev"},
-		"spec": {"rules": [{
-			"matches": [{"headers": [{
-				"type": "Exact",
-				"name": "X-Tenant",
-				"value": "acme",
-			}]}],
-			"backendRefs": [{"name": "auth-hl", "port": 8080}],
-		}]},
-	}
-}

package/rules/k8s/policy/hasura_configmap/hasura_configmap_test.rego DELETED Viewed

@@ -1,49 +0,0 @@
-# Тести для `k8s.hasura_configmap`. Запуск:
-#   conftest verify -p npm/policy/k8s/hasura_configmap --namespace k8s.hasura_configmap
-package k8s.hasura_configmap_test
-import rego.v1
-import data.k8s.hasura_configmap
-required_key := "HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS"
-base_cm := {
-	"apiVersion": "v1",
-	"kind": "ConfigMap",
-	"metadata": {"name": "db-h", "namespace": "dev"},
-}
-with_data(value) := object.union(base_cm, {"data": {required_key: value}})
-test_deny_missing_data if {
-	count(hasura_configmap.deny) > 0 with input as base_cm
-}
-test_deny_missing_required_key if {
-	count(hasura_configmap.deny) > 0 with input as object.union(base_cm, {"data": {"OTHER": "foo"}})
-}
-test_deny_required_key_value_false if {
-	count(hasura_configmap.deny) > 0 with input as with_data("false")
-}
-test_allow_required_key_string_true if {
-	count(hasura_configmap.deny) == 0 with input as with_data("true")
-}
-test_allow_required_key_boolean_true if {
-	count(hasura_configmap.deny) == 0 with input as with_data(true)
-}
-test_allow_required_key_uppercase_true if {
-	count(hasura_configmap.deny) == 0 with input as with_data("TRUE")
-}
-test_allow_non_configmap if {
-	count(hasura_configmap.deny) == 0 with input as {
-		"apiVersion": "apps/v1",
-		"kind": "Deployment",
-		"metadata": {"name": "x"},
-	}
-}

package/rules/k8s/policy/hasura_httproute/hasura_httproute_test.rego DELETED Viewed

@@ -1,148 +0,0 @@
-# Тести для `k8s.hasura_httproute`. Запуск:
-#   conftest verify -p npm/policy/k8s/hasura_httproute --namespace k8s.hasura_httproute
-package k8s.hasura_httproute_test
-import rego.v1
-import data.k8s.hasura_httproute
-base_route := {
-	"apiVersion": "gateway.networking.k8s.io/v1",
-	"kind": "HTTPRoute",
-	"metadata": {"name": "db-h", "namespace": "dev"},
-}
-rule1(prefix) := {
-	"matches": [{"path": {"type": "Exact", "value": sprintf("%s/ql", [prefix])}}],
-	"filters": [{
-		"type": "RequestRedirect",
-		"requestRedirect": {
-			"path": {"type": "ReplaceFullPath", "replaceFullPath": sprintf("%s/ql/console", [prefix])},
-			"statusCode": 302,
-		},
-	}],
-}
-rule2(prefix) := {
-	"matches": [{"path": {"type": "Exact", "value": sprintf("%s/ql/", [prefix])}}],
-	"filters": [{
-		"type": "RequestRedirect",
-		"requestRedirect": {
-			"path": {"type": "ReplaceFullPath", "replaceFullPath": sprintf("%s/ql/console", [prefix])},
-			"statusCode": 302,
-		},
-	}],
-}
-rule3(prefix, backend) := {
-	"matches": [{"path": {"type": "PathPrefix", "value": sprintf("%s/ql", [prefix])}}],
-	"filters": [{
-		"type": "URLRewrite",
-		"urlRewrite": {"path": {"type": "ReplacePrefixMatch", "replacePrefixMatch": "/"}},
-	}],
-	"backendRefs": [{"name": backend, "port": 8080}],
-}
-rule4(prefix, backend) := {
-	"matches": [{
-		"path": {"type": "PathPrefix", "value": sprintf("%s/ql", [prefix])},
-		"headers": [{"type": "Exact", "name": "Upgrade", "value": "websocket"}],
-	}],
-	"filters": [
-		{
-			"type": "URLRewrite",
-			"urlRewrite": {"path": {"type": "ReplacePrefixMatch", "replacePrefixMatch": "/"}},
-		},
-		{
-			"type": "RequestHeaderModifier",
-			"requestHeaderModifier": {"remove": ["Authorization"]},
-		},
-	],
-	"backendRefs": [{"name": backend, "port": 8080}],
-}
-# ── canonical positive case ─────────────────────────────────────────────
-test_allow_canonical_route_empty_prefix if {
-	count(hasura_httproute.deny) == 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1(""),
-		rule2(""),
-		rule3("", "db-h-hl"),
-		rule4("", "db-h-hl"),
-	]}})
-}
-test_allow_canonical_route_with_prefix if {
-	count(hasura_httproute.deny) == 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1("/notify"),
-		rule2("/notify"),
-		rule3("/notify", "db-h-hl"),
-		rule4("/notify", "db-h-hl"),
-	]}})
-}
-# ── deny-кейси ───────────────────────────────────────────────────────────
-test_deny_missing_spec if {
-	count(hasura_httproute.deny) > 0 with input as base_route
-}
-test_deny_empty_rules if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": []}})
-}
-test_deny_missing_rule1 if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [{
-		"matches": [{"path": {"type": "PathPrefix", "value": "/api"}}],
-		"backendRefs": [{"name": "api-hl", "port": 8080}],
-	}]}})
-}
-test_deny_rule1_wrong_redirect if {
-	bad_rule1 := object.union(rule1(""), {"filters": [{
-		"type": "RequestRedirect",
-		"requestRedirect": {
-			"path": {"type": "ReplaceFullPath", "replaceFullPath": "/wrong"},
-			"statusCode": 302,
-		},
-	}]})
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
-		bad_rule1,
-		rule2(""),
-		rule3("", "db-h-hl"),
-		rule4("", "db-h-hl"),
-	]}})
-}
-test_deny_rule2_missing if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1(""),
-		rule3("", "db-h-hl"),
-		rule4("", "db-h-hl"),
-	]}})
-}
-test_deny_rule3_missing if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1(""),
-		rule2(""),
-		rule4("", "db-h-hl"),
-	]}})
-}
-test_deny_rule4_missing if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1(""),
-		rule2(""),
-		rule3("", "db-h-hl"),
-	]}})
-}
-test_deny_rule4_wrong_backend if {
-	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
-		rule1(""),
-		rule2(""),
-		rule3("", "db-h-hl"),
-		rule4("", "other-hl"),
-	]}})
-}

package/rules/k8s/policy/hpa_pdb/hpa_pdb_test.rego DELETED Viewed

@@ -1,101 +0,0 @@
-# Тести для `k8s.hpa_pdb`. Запуск:
-#   conftest verify -p npm/policy/k8s/hpa_pdb --namespace k8s.hpa_pdb
-package k8s.hpa_pdb_test
-import rego.v1
-import data.k8s.hpa_pdb
-valid_hpa := {
-	"apiVersion": "autoscaling/v2",
-	"kind": "HorizontalPodAutoscaler",
-	"metadata": {"name": "api"},
-	"spec": {
-		"scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": "api"},
-		"minReplicas": 1,
-		"maxReplicas": 1,
-		"metrics": [{
-			"type": "Resource",
-			"resource": {"name": "cpu", "target": {"type": "Utilization", "averageUtilization": 75}},
-		}],
-		"behavior": {
-			"scaleUp": {"policies": [{"type": "Pods", "value": 1, "periodSeconds": 60}]},
-			"scaleDown": {"policies": [{"type": "Pods", "value": 1, "periodSeconds": 60}]},
-		},
-	},
-}
-valid_pdb := {
-	"apiVersion": "policy/v1",
-	"kind": "PodDisruptionBudget",
-	"metadata": {"name": "api"},
-	"spec": {
-		"minAvailable": 1,
-		"selector": {"matchLabels": {"app": "api"}},
-	},
-}
-# ── HPA позитив / негатив ────────────────────────────────────────────────
-test_allow_valid_hpa if {
-	count(hpa_pdb.deny) == 0 with input as valid_hpa
-}
-test_deny_hpa_v1 if {
-	count(hpa_pdb.deny) > 0 with input as object.union(valid_hpa, {"apiVersion": "autoscaling/v1"})
-}
-test_deny_hpa_missing_metrics if {
-	bad := json.patch(valid_hpa, [{"op": "remove", "path": "/spec/metrics"}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_hpa_empty_metrics if {
-	bad := json.patch(valid_hpa, [{"op": "replace", "path": "/spec/metrics", "value": []}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_hpa_missing_behavior if {
-	bad := json.patch(valid_hpa, [{"op": "remove", "path": "/spec/behavior"}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_hpa_empty_scale_up_policies if {
-	bad := json.patch(valid_hpa, [{"op": "replace", "path": "/spec/behavior/scaleUp/policies", "value": []}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_hpa_missing_scale_down if {
-	bad := json.patch(valid_hpa, [{"op": "remove", "path": "/spec/behavior/scaleDown"}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-# ── PDB позитив / негатив ────────────────────────────────────────────────
-test_allow_valid_pdb if {
-	count(hpa_pdb.deny) == 0 with input as valid_pdb
-}
-test_deny_pdb_wrong_api_version if {
-	bad := object.union(valid_pdb, {"apiVersion": "policy/v1beta1"})
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_pdb_missing_selector if {
-	bad := json.patch(valid_pdb, [{"op": "remove", "path": "/spec/selector"}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-test_deny_pdb_missing_match_labels if {
-	bad := json.patch(valid_pdb, [{"op": "replace", "path": "/spec/selector", "value": {}}])
-	count(hpa_pdb.deny) > 0 with input as bad
-}
-# Не той kind/apiVersion — пакет не діє.
-test_allow_unrelated_manifest if {
-	count(hpa_pdb.deny) == 0 with input as {
-		"apiVersion": "v1",
-		"kind": "ConfigMap",
-		"metadata": {"name": "x"},
-	}
-}

package/rules/k8s/policy/kustomization/kustomization_test.rego DELETED Viewed

@@ -1,128 +0,0 @@
-# Тести для `k8s.kustomization`. Запуск:
-#   conftest verify -p npm/policy/k8s/kustomization --namespace k8s.kustomization
-package k8s.kustomization_test
-import rego.v1
-import data.k8s.kustomization
-base_kust := {
-	"apiVersion": "kustomize.config.k8s.io/v1beta1",
-	"kind": "Kustomization",
-}
-# ── resources sort ───────────────────────────────────────────────────────
-test_deny_resources_unsorted if {
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"resources": [
-		"deployment.yaml",
-		"configmap.yaml",
-	]})
-}
-test_allow_resources_sorted if {
-	count(kustomization.deny) == 0 with input as object.union(base_kust, {"resources": [
-		"configmap.yaml",
-		"deployment.yaml",
-	]})
-}
-test_allow_resources_case_insensitive_sorted if {
-	count(kustomization.deny) == 0 with input as object.union(base_kust, {"resources": [
-		"AAA.yaml",
-		"bbb.yaml",
-		"CCC.yaml",
-	]})
-}
-test_deny_resources_not_array if {
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"resources": "string-not-array"})
-}
-test_deny_resources_item_not_string if {
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"resources": [
-		"a.yaml",
-		{"obj": "not allowed"},
-	]})
-}
-# ── patches sort ─────────────────────────────────────────────────────────
-test_deny_patches_unsorted_by_kind_name if {
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"patches": [
-		{"target": {"kind": "Deployment", "name": "z"}},
-		{"target": {"kind": "Deployment", "name": "a"}},
-	]})
-}
-test_allow_patches_sorted_by_kind_name if {
-	count(kustomization.deny) == 0 with input as object.union(base_kust, {"patches": [
-		{"target": {"kind": "Deployment", "name": "a"}},
-		{"target": {"kind": "Deployment", "name": "z"}},
-	]})
-}
-test_deny_patches_not_array if {
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"patches": "string-not-array"})
-}
-# ── JSON6902 remove+add conflict ─────────────────────────────────────────
-test_deny_json6902_remove_and_add_same_path if {
-	patch_text := concat("\n", [
-		"- op: remove",
-		"  path: /spec/replicas",
-		"- op: add",
-		"  path: /spec/replicas",
-		"  value: 3",
-	])
-	count(kustomization.deny) > 0 with input as object.union(base_kust, {"patches": [{
-		"target": {"kind": "Deployment", "name": "api"},
-		"patch": patch_text,
-	}]})
-}
-test_allow_json6902_replace_same_path if {
-	patch_text := concat("\n", [
-		"- op: replace",
-		"  path: /spec/replicas",
-		"  value: 3",
-	])
-	count(kustomization.deny) == 0 with input as object.union(base_kust, {"patches": [{
-		"target": {"kind": "Deployment", "name": "api"},
-		"patch": patch_text,
-	}]})
-}
-test_allow_json6902_remove_and_add_different_paths if {
-	patch_text := concat("\n", [
-		"- op: remove",
-		"  path: /spec/replicas",
-		"- op: add",
-		"  path: /spec/strategy",
-		"  value: {}",
-	])
-	count(kustomization.deny) == 0 with input as object.union(base_kust, {"patches": [{
-		"target": {"kind": "Deployment", "name": "api"},
-		"patch": patch_text,
-	}]})
-}
-# Маніфест не Kustomization — правила не діють.
-test_allow_non_kustomization if {
-	count(kustomization.deny) == 0 with input as {
-		"apiVersion": "v1",
-		"kind": "ConfigMap",
-		"metadata": {"name": "x"},
-		"data": {"key": "value"},
-	}
-}
-# Не той apiVersion — правила не діють.
-test_allow_kustomization_other_api_version if {
-	count(kustomization.deny) == 0 with input as {
-		"apiVersion": "other.example.com/v1",
-		"kind": "Kustomization",
-		"resources": ["z.yaml", "a.yaml"],
-	}
-}