@standards-kit/conform 0.1.0 → 0.2.0

package/dist/infra/arn.d.ts

@@ -0,0 +1,16 @@
+/**
+ * ARN parsing utilities
+ *
+ * ARN format: arn:partition:service:region:account-id:resource
+ * or: arn:partition:service:region:account-id:resource-type/resource-id
+ * or: arn:partition:service:region:account-id:resource-type:resource-id
+ */
+import type { ParsedArn } from "./types.js";
+/**
+ * Validate that a string is a valid ARN format
+ */
+export declare function isValidArn(arn: string): boolean;
+/**
+ * Parse an ARN string into its components
+ */
+export declare function parseArn(arn: string): ParsedArn | null;

package/dist/infra/checkers/client-factory.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Shared AWS client factory with caching.
+ * Eliminates duplicated client caching pattern across all AWS checker files.
+ */
+/**
+ * Generic client constructor type
+ */
+type ClientConstructor<T> = new (config: {
+    region: string;
+}) => T;
+/**
+ * Creates a cached client factory for any AWS SDK client.
+ * Clients are cached per region to avoid creating multiple instances.
+ *
+ * @param ClientClass - The AWS SDK client class constructor
+ * @returns A function that returns a cached client for the given region
+ *
+ * @example
+ * ```ts
+ * import { S3Client } from "@aws-sdk/client-s3";
+ *
+ * const getS3Client = createClientFactory(S3Client);
+ * const client = getS3Client("us-east-1");
+ * ```
+ */
+export declare function createClientFactory<T>(ClientClass: ClientConstructor<T>): (region: string) => T;
+/**
+ * Creates a cached client factory for AWS SDK clients that need custom config.
+ * Useful for clients that need additional options beyond just region.
+ *
+ * @param createClient - Factory function that creates the client with config
+ * @returns A function that returns a cached client for the given region
+ *
+ * @example
+ * ```ts
+ * import { S3Client } from "@aws-sdk/client-s3";
+ *
+ * const getS3Client = createClientFactoryWithConfig(
+ *   (region) => new S3Client({ region, followRegionRedirects: true })
+ * );
+ * const client = getS3Client("us-east-1");
+ * ```
+ */
+export declare function createClientFactoryWithConfig<T>(createClient: (region: string) => T): (region: string) => T;
+export {};

package/dist/infra/checkers/cloudwatch.d.ts

@@ -0,0 +1,8 @@
+/**
+ * CloudWatch Logs resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * CloudWatch Logs log group checker
+ */
+export declare const CloudWatchLogsChecker: ResourceChecker;

package/dist/infra/checkers/dynamodb.d.ts

@@ -0,0 +1,8 @@
+/**
+ * DynamoDB resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * DynamoDB table checker
+ */
+export declare const DynamoDBChecker: ResourceChecker;

package/dist/infra/checkers/ec2.d.ts

@@ -0,0 +1,13 @@
+/**
+ * EC2 resource checker
+ *
+ * Supports:
+ * - Instances
+ * - Security groups
+ * - Key pairs
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * EC2 resource checker
+ */
+export declare const EC2Checker: ResourceChecker;

package/dist/infra/checkers/ecs.d.ts

@@ -0,0 +1,13 @@
+/**
+ * ECS resource checker
+ *
+ * Supports:
+ * - Clusters
+ * - Services
+ * - Task definitions
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * ECS resource checker
+ */
+export declare const ECSChecker: ResourceChecker;

package/dist/infra/checkers/elasticache.d.ts

@@ -0,0 +1,13 @@
+/**
+ * ElastiCache resource checker
+ *
+ * Supports:
+ * - Cache clusters
+ * - Subnet groups
+ * - Replication groups
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * ElastiCache resource checker
+ */
+export declare const ElastiCacheChecker: ResourceChecker;

package/dist/infra/checkers/elb.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Elastic Load Balancing v2 resource checker
+ *
+ * Supports:
+ * - Load balancers (ALB, NLB, GLB)
+ * - Target groups
+ * - Listeners
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * Elastic Load Balancing resource checker
+ */
+export declare const ELBChecker: ResourceChecker;

package/dist/infra/checkers/gcp/artifactregistry.d.ts

@@ -0,0 +1,5 @@
+/**
+ * GCP Artifact Registry resource checker
+ */
+import type { GcpResourceChecker } from "../types.js";
+export declare const ArtifactRegistryChecker: GcpResourceChecker;

package/dist/infra/checkers/gcp/cloudrun.d.ts

@@ -0,0 +1,5 @@
+/**
+ * GCP Cloud Run resource checker
+ */
+import type { GcpResourceChecker } from "../types.js";
+export declare const CloudRunChecker: GcpResourceChecker;

package/dist/infra/checkers/gcp/iam.d.ts

@@ -0,0 +1,5 @@
+/**
+ * GCP IAM Service Account resource checker
+ */
+import type { GcpResourceChecker } from "../types.js";
+export declare const ServiceAccountChecker: GcpResourceChecker;

package/dist/infra/checkers/gcp/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * GCP checker registry with lazy loading
+ */
+import type { GcpResourceChecker } from "../types.js";
+/**
+ * Supported GCP services for resource checking
+ */
+export declare const SUPPORTED_GCP_SERVICES: readonly ["run", "secretmanager", "artifactregistry", "iam"];
+export type SupportedGcpService = (typeof SUPPORTED_GCP_SERVICES)[number];
+/**
+ * Check if a GCP service is supported
+ */
+export declare function isSupportedGcpService(service: string): service is SupportedGcpService;
+/**
+ * Get a GCP checker for a service, loading it if necessary
+ */
+export declare function getGcpChecker(service: string): Promise<GcpResourceChecker | undefined>;

package/dist/infra/checkers/gcp/secretmanager.d.ts

@@ -0,0 +1,5 @@
+/**
+ * GCP Secret Manager resource checker
+ */
+import type { GcpResourceChecker } from "../types.js";
+export declare const SecretManagerChecker: GcpResourceChecker;

package/dist/infra/checkers/iam.d.ts

@@ -0,0 +1,8 @@
+/**
+ * IAM resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * IAM resource checker (roles and policies)
+ */
+export declare const IAMChecker: ResourceChecker;

package/dist/infra/checkers/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Checker registry with lazy loading
+ *
+ * Checkers are loaded on-demand to avoid loading all AWS SDK clients upfront.
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * Supported AWS services for resource checking
+ */
+export declare const SUPPORTED_SERVICES: readonly ["s3", "lambda", "dynamodb", "sqs", "sns", "iam", "secretsmanager", "logs", "ecs", "rds", "ec2", "elasticache", "elasticloadbalancing"];
+export type SupportedService = (typeof SUPPORTED_SERVICES)[number];
+/**
+ * Check if a service is supported
+ */
+export declare function isSupportedService(service: string): service is SupportedService;
+/**
+ * Get a checker for a service, loading it if necessary
+ *
+ * @param service - The AWS service name
+ * @returns The checker instance, or undefined if the service is not supported
+ */
+export declare function getChecker(service: string): Promise<ResourceChecker | undefined>;
+/**
+ * Clear the checker cache (useful for testing)
+ */
+export declare function clearCheckerCache(): void;

package/dist/infra/checkers/lambda.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Lambda resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * Lambda function checker
+ */
+export declare const LambdaChecker: ResourceChecker;

package/dist/infra/checkers/rds.d.ts

@@ -0,0 +1,13 @@
+/**
+ * RDS resource checker
+ *
+ * Supports:
+ * - DB instances
+ * - DB clusters (Aurora)
+ * - DB subnet groups
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * RDS resource checker
+ */
+export declare const RDSChecker: ResourceChecker;

package/dist/infra/checkers/s3.d.ts

@@ -0,0 +1,8 @@
+/**
+ * S3 resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * S3 bucket checker
+ */
+export declare const S3Checker: ResourceChecker;

package/dist/infra/checkers/secretsmanager.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Secrets Manager resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * Secrets Manager secret checker
+ */
+export declare const SecretsManagerChecker: ResourceChecker;

package/dist/infra/checkers/sns.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SNS resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * SNS topic checker
+ */
+export declare const SNSChecker: ResourceChecker;

package/dist/infra/checkers/sqs.d.ts

@@ -0,0 +1,8 @@
+/**
+ * SQS resource checker
+ */
+import type { ResourceChecker } from "./types.js";
+/**
+ * SQS queue checker
+ */
+export declare const SQSChecker: ResourceChecker;

package/dist/infra/checkers/types.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Types for resource checkers
+ */
+import type { ParsedArn, ParsedGcpResource, ResourceCheckResult } from "../types.js";
+/**
+ * Interface for AWS resource checkers
+ */
+export interface ResourceChecker {
+    /**
+     * Check if a resource exists
+     *
+     * @param arn - Parsed ARN of the resource
+     * @returns Check result with exists status and optional error
+     */
+    check(arn: ParsedArn): Promise<ResourceCheckResult>;
+}
+/**
+ * Interface for GCP resource checkers
+ */
+export interface GcpResourceChecker {
+    /**
+     * Check if a resource exists
+     *
+     * @param resource - Parsed GCP resource
+     * @returns Check result with exists status and optional error
+     */
+    check(resource: ParsedGcpResource): Promise<ResourceCheckResult>;
+}

package/dist/infra/gcp.d.ts

@@ -0,0 +1,18 @@
+/**
+ * GCP resource path parsing utilities
+ *
+ * GCP resource paths follow patterns like:
+ * - projects/{project}/locations/{location}/services/{service} (Cloud Run)
+ * - projects/{project}/serviceAccounts/{email} (IAM Service Accounts)
+ * - projects/{project}/secrets/{secret} (Secret Manager)
+ * - projects/{project}/locations/{location}/repositories/{repo} (Artifact Registry)
+ */
+import type { ParsedGcpResource } from "./types.js";
+/**
+ * Validate that a string is a valid GCP resource path
+ */
+export declare function isValidGcpResource(path: string): boolean;
+/**
+ * Parse a GCP resource path into its components
+ */
+export declare function parseGcpResource(path: string): ParsedGcpResource | null;

package/dist/infra/generate.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Manifest generation from Pulumi stack exports
+ *
+ * Parses Pulumi stack export JSON and extracts resource ARNs/identifiers
+ * to generate an infra-manifest.json file.
+ */
+import type { Manifest, MultiAccountManifest } from "./types.js";
+/** Default manifest filename */
+export declare const DEFAULT_MANIFEST_NAME = "infra-manifest.json";
+/**
+ * Options for manifest generation
+ */
+export interface GenerateManifestOptions {
+    /** Project name (extracted from stack if not provided) */
+    project?: string;
+    /** Output file path (defaults to infra-manifest.json) */
+    output?: string;
+    /** If true, output to stdout instead of file */
+    stdout?: boolean;
+    /** Account alias (e.g., "prod-aws") for multi-account manifests */
+    account?: string;
+    /** Explicit account ID (e.g., "aws:111111111111") */
+    accountId?: string;
+    /** Merge into existing manifest instead of overwriting */
+    merge?: boolean;
+}
+/**
+ * Parse Pulumi stack export JSON and extract manifest
+ */
+export declare function parseStackExport(stackExport: unknown, project?: string): Manifest;
+/**
+ * Generate manifest from stdin (Pulumi stack export)
+ */
+export declare function generateManifestFromStdin(options?: GenerateManifestOptions): Promise<Manifest>;
+/**
+ * Generate manifest from a file
+ */
+export declare function generateManifestFromFile(filePath: string, options?: GenerateManifestOptions): Manifest;
+/**
+ * Write manifest to file or stdout
+ *
+ * @param manifest - The manifest to write
+ * @param options - Output options (defaults to writing infra-manifest.json)
+ */
+export declare function writeManifest(manifest: Manifest, options?: {
+    output?: string;
+    stdout?: boolean;
+}): void;
+/**
+ * Parse Pulumi stack export and create multi-account manifest
+ * Groups resources by detected account
+ */
+export declare function parseStackExportMultiAccount(stackExport: unknown, options?: GenerateManifestOptions): MultiAccountManifest;
+/**
+ * Read existing manifest from file
+ * Returns null if file doesn't exist
+ */
+export declare function readExistingManifest(filePath: string): Manifest | null;
+/**
+ * Merge new resources into an existing manifest
+ */
+export declare function mergeIntoManifest(existing: Manifest, newResources: string[], accountKey: string, alias?: string): MultiAccountManifest;
+/**
+ * Generate multi-account manifest from stdin (Pulumi stack export)
+ */
+export declare function generateMultiAccountFromStdin(options?: GenerateManifestOptions): Promise<MultiAccountManifest>;
+/**
+ * Generate multi-account manifest from a file
+ */
+export declare function generateMultiAccountFromFile(filePath: string, options?: GenerateManifestOptions): MultiAccountManifest;
+/**
+ * Handle merge operation for manifest generation
+ */
+export declare function generateWithMerge(inputPath: string | undefined, options: GenerateManifestOptions): Promise<Manifest>;

package/dist/infra/index.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Infra scan module - Public API
+ *
+ * Provides functionality to verify AWS resources declared in a manifest actually exist.
+ */
+import type { InfraScanResult, RunInfraScanOptions, ScanInfraOptions } from "./types.js";
+export type { AccountId, AccountScanResult, Arn, CloudProvider, GcpResourcePath, InfraScanResult, InfraScanSummary, LegacyManifest, Manifest, ManifestAccount, MultiAccountManifest, ParsedArn, ParsedGcpResource, PulumiResource, PulumiStackExport, ResourceCheckResult, ResourceIdentifier, ScanInfraOptions, } from "./types.js";
+export { ArnSchema, AccountIdSchema, AccountKeySchema, CloudProviderSchema, GcpResourcePathSchema, InfraScanResultSchema, InfraScanSummarySchema, LegacyManifestSchema, ManifestAccountSchema, ManifestSchema, MultiAccountManifestSchema, ParsedArnSchema, ParsedGcpResourceSchema, PulumiResourceSchema, PulumiStackExportSchema, ResourceCheckResultSchema, ResourceIdentifierSchema, isValidArnFormat, isValidGcpResourcePath, isValidAccountKey, isMultiAccountManifestSchema, isLegacyManifestSchema, validateArn, validateGcpResourcePath, validateAccountKey, validateManifest, validateMultiAccountManifest, validateLegacyManifest, validateStackExport, } from "./types.js";
+export { ManifestError, isMultiAccountManifest, isLegacyManifest, parseAccountKey, formatAccountKey, normalizeManifest, detectAccountFromResource, getAllResources, } from "./manifest.js";
+export { parseArn, isValidArn } from "./arn.js";
+export { parseGcpResource, isValidGcpResource } from "./gcp.js";
+export { SUPPORTED_SERVICES, isSupportedService } from "./checkers/index.js";
+export { SUPPORTED_GCP_SERVICES, isSupportedGcpService } from "./checkers/gcp/index.js";
+export { DEFAULT_MANIFEST_NAME, generateManifestFromStdin, generateManifestFromFile, generateMultiAccountFromStdin, generateMultiAccountFromFile, generateWithMerge, mergeIntoManifest, parseStackExport, parseStackExportMultiAccount, readExistingManifest, writeManifest, type GenerateManifestOptions, } from "./generate.js";
+/**
+ * Scan infrastructure resources declared in a manifest.
+ *
+ * This is the programmatic API for @standards-kit/drift integration.
+ *
+ * @param options - Options for the scan
+ * @returns Scan result with all resource check results and summary
+ *
+ * @example
+ * ```typescript
+ * import { scanInfra } from "@standards-kit/conform";
+ *
+ * const result = await scanInfra({ manifestPath: "./infra-manifest.json" });
+ * console.log(result.summary);
+ * // { total: 5, found: 4, missing: 1, errors: 0 }
+ * ```
+ */
+export declare function scanInfra(options?: ScanInfraOptions): Promise<InfraScanResult>;
+/**
+ * Run infra scan from CLI
+ */
+export declare function runInfraScan(options?: RunInfraScanOptions): Promise<void>;
+/**
+ * Options for CLI generate command
+ */
+export interface RunInfraGenerateOptions {
+    /** Input file path (if not provided, reads from stdin) */
+    input?: string;
+    /** Output file path (defaults to infra-manifest.json) */
+    output?: string;
+    /** Project name override */
+    project?: string;
+    /** Output to stdout instead of file */
+    stdout?: boolean;
+    /** Account alias (e.g., "prod-aws") for multi-account manifests */
+    account?: string;
+    /** Explicit account ID (e.g., "aws:111111111111") */
+    accountId?: string;
+    /** Merge into existing manifest instead of overwriting */
+    merge?: boolean;
+}
+/**
+ * Run infra generate from CLI
+ */
+export declare function runInfraGenerate(options?: RunInfraGenerateOptions): Promise<void>;

package/dist/infra/manifest.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Manifest reader for infra scan
+ *
+ * Supports two formats:
+ * 1. JSON: { "project": "...", "resources": ["arn:...", "projects/..."] }
+ * 2. TXT: One resource per line, # for comments
+ *
+ * Resources can be:
+ * - AWS ARNs: arn:aws:s3:::bucket-name
+ * - GCP paths: projects/{project}/locations/{location}/services/{service}
+ */
+import { type AccountId, type LegacyManifest, type Manifest, type MultiAccountManifest } from "./types.js";
+/**
+ * Error thrown when manifest parsing fails
+ */
+export declare class ManifestError extends Error {
+    constructor(message: string);
+}
+/**
+ * Type guard: check if manifest is multi-account format (v2)
+ */
+export declare function isMultiAccountManifest(manifest: Manifest): manifest is MultiAccountManifest;
+/**
+ * Type guard: check if manifest is legacy format (v1)
+ */
+export declare function isLegacyManifest(manifest: Manifest): manifest is LegacyManifest;
+/**
+ * Parse an account key (e.g., "aws:111111111111" or "gcp:my-project")
+ *
+ * @param key - The account key in format "cloud:id"
+ * @returns Parsed AccountId or null if invalid
+ */
+export declare function parseAccountKey(key: string): AccountId | null;
+/**
+ * Format an account key from cloud and id
+ */
+export declare function formatAccountKey(cloud: "aws" | "gcp", id: string): string;
+/**
+ * Normalize a legacy manifest to multi-account format
+ * This converts v1 manifests to v2 format for unified processing
+ */
+export declare function normalizeManifest(manifest: Manifest): MultiAccountManifest;
+/**
+ * Detect the account key from a resource identifier
+ * Extracts AWS account ID from ARN or GCP project from resource path
+ */
+export declare function detectAccountFromResource(resource: string): string;
+/**
+ * Get all resources from a manifest (flattened for v2 manifests)
+ */
+export declare function getAllResources(manifest: Manifest): string[];
+/**
+ * Read and parse a manifest file
+ *
+ * @param manifestPath - Path to the manifest file
+ * @returns Parsed manifest with project name and resource ARNs
+ */
+export declare function readManifest(manifestPath: string): Manifest;

package/dist/infra/output.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Output formatters for infra scan results
+ */
+import type { InfraScanResult } from "./types.js";
+/**
+ * Format scan result based on output format
+ */
+export declare function formatScan(result: InfraScanResult, format: "text" | "json"): string;

package/dist/infra/scan.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Scan logic for infra scan
+ *
+ * Orchestrates checking all resources in a manifest (AWS and GCP)
+ */
+import type { InfraScanResult, Manifest } from "./types.js";
+/**
+ * Options for scanning
+ */
+interface ScanOptions {
+    /** Max number of parallel checks */
+    concurrency?: number;
+    /** Filter to specific account (by alias or account key) */
+    account?: string;
+}
+/**
+ * Scan all resources in a manifest
+ *
+ * @param manifest - The manifest containing resources to check
+ * @param manifestPath - Path to the manifest file (for result metadata)
+ * @param options - Scan options
+ * @returns Scan result with all resource check results and summary
+ */
+export declare function scanManifest(manifest: Manifest, manifestPath: string, options?: ScanOptions): Promise<InfraScanResult>;
+export {};