@standards-kit/conform 0.1.0 → 0.2.0

package/dist/process/tools/coverage.d.ts

@@ -0,0 +1,57 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** Coverage configuration from standards.toml */
+interface CoverageConfig {
+    enabled?: boolean;
+    min_threshold?: number;
+    enforce_in?: "ci" | "config" | "both";
+    ci_workflow?: string;
+    ci_job?: string;
+}
+/**
+ * Coverage enforcement runner.
+ * Checks that coverage thresholds are configured in CI workflows and/or config files.
+ */
+export declare class CoverageRunner extends BaseProcessToolRunner {
+    readonly name = "Coverage";
+    readonly rule = "process.coverage";
+    readonly toolId = "coverage";
+    private config;
+    /**
+     * Set configuration from standards.toml
+     */
+    setConfig(config: CoverageConfig): void;
+    /** Check for vitest coverage config */
+    private checkVitestConfig;
+    /** Check jest config file */
+    private checkJestConfigFile;
+    /** Check jest config in package.json */
+    private checkJestPackageJson;
+    /** Check for jest coverage config */
+    private checkJestConfig;
+    /** Check a single nyc config file and return result */
+    private checkSingleNycConfig;
+    /** Check nyc config file */
+    private checkNycConfigFile;
+    /** Check nyc config in package.json */
+    private checkNycPackageJson;
+    /** Check for nyc coverage config */
+    private checkNycConfig;
+    /** Check for coverage config in any supported tool */
+    private checkConfigCoverage;
+    /** Check if a step has coverage enforcement */
+    private stepHasCoverage;
+    /** Check a single job for coverage enforcement */
+    private checkJobForCoverage;
+    /** Check workflow jobs for coverage */
+    private checkWorkflowJobs;
+    /** Check for coverage enforcement in CI workflow */
+    private checkCiCoverage;
+    /** Validate config coverage and add violations if needed */
+    private validateConfigCoverage;
+    /** Validate CI coverage and add violations if needed */
+    private validateCiCoverage;
+    /** Run coverage validation */
+    run(projectRoot: string): Promise<CheckResult>;
+}
+export {};

package/dist/process/tools/docs-helpers.d.ts

@@ -0,0 +1,44 @@
+/** Enforcement mode for documentation checks */
+export type EnforcementMode = "block" | "warn";
+/** Doc type configuration */
+export interface DocTypeConfig {
+    required_sections?: string[];
+    frontmatter?: string[];
+}
+/** Documentation configuration from standards.toml */
+export interface DocsConfig {
+    enabled?: boolean;
+    path?: string;
+    enforcement?: EnforcementMode;
+    allowlist?: string[];
+    max_files?: number;
+    max_file_lines?: number;
+    max_total_kb?: number;
+    staleness_days?: number;
+    stale_mappings?: Record<string, string>;
+    min_coverage?: number;
+    coverage_paths?: string[];
+    exclude_patterns?: string[];
+    types?: Record<string, DocTypeConfig>;
+}
+/** Parsed frontmatter from a markdown file */
+export interface ParsedDoc {
+    filePath: string;
+    frontmatter: Record<string, unknown>;
+    content: string;
+    headings: string[];
+}
+/** Export info from TypeScript file */
+export interface ExportInfo {
+    name: string;
+    file: string;
+    line: number;
+}
+/** Escape special regex characters in a string */
+export declare function escapeRegex(str: string): string;
+/** Parse a markdown file and extract frontmatter, content, headings */
+export declare function parseMarkdownFile(content: string, filePath: string): ParsedDoc;
+/** Extract exports from file content */
+export declare function extractFileExports(file: string, content: string): ExportInfo[];
+/** Get the source path that a doc file tracks */
+export declare function getTrackedPath(docFile: string, frontmatter: Record<string, unknown>, staleMappings: Record<string, string>, docsPath: string): string | null;

package/dist/process/tools/docs.d.ts

@@ -0,0 +1,38 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+import { type DocsConfig } from "./docs-helpers.js";
+/**
+ * Documentation governance runner.
+ * Validates documentation structure, content, freshness, and API coverage.
+ */
+export declare class DocsRunner extends BaseProcessToolRunner {
+    readonly name = "Documentation";
+    readonly rule = "process.docs";
+    readonly toolId = "docs";
+    private config;
+    setConfig(config: DocsConfig): void;
+    private getSeverity;
+    run(projectRoot: string): Promise<CheckResult>;
+    private checkStructure;
+    private checkAllowlist;
+    private checkFileLimits;
+    private checkSingleFileLimit;
+    private checkContent;
+    private validateDocFile;
+    private parseDocFile;
+    private validateFrontmatter;
+    private validateSections;
+    private validateInternalLinks;
+    private checkSingleLink;
+    private checkFreshness;
+    private getTimestamps;
+    private createStalenessViolation;
+    private checkFileFreshness;
+    private getGitLastModified;
+    private checkApiCoverage;
+    private getSourceFiles;
+    private getAllDocsContent;
+    private isExportDocumented;
+    private buildCoverageViolations;
+    private extractExports;
+}

package/dist/process/tools/forbidden-files.d.ts

@@ -0,0 +1,40 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** Forbidden files configuration */
+interface ForbiddenFilesConfig {
+    enabled?: boolean;
+    files?: string[];
+    ignore?: string[];
+    message?: string;
+}
+/**
+ * Runner for forbidden files validation.
+ * Validates that certain files do NOT exist anywhere in the repository.
+ */
+export declare class ForbiddenFilesRunner extends BaseProcessToolRunner {
+    readonly name = "Forbidden Files";
+    readonly rule = "process.forbidden_files";
+    readonly toolId = "forbidden-files";
+    private config;
+    setConfig(config: ForbiddenFilesConfig): void;
+    /**
+     * Run check - scans for forbidden files using glob patterns
+     */
+    run(projectRoot: string): Promise<CheckResult>;
+    /**
+     * Find files matching a forbidden pattern
+     */
+    private findForbiddenFiles;
+    /**
+     * Get ignore patterns, respecting explicit empty array override
+     * - undefined: use defaults (node_modules, .git)
+     * - []: no ignores (scan everything)
+     * - [...]: use custom ignores
+     */
+    private getIgnorePatterns;
+    /**
+     * Create a violation for a forbidden file
+     */
+    private createViolation;
+}
+export {};

package/dist/process/tools/hooks.d.ts

@@ -0,0 +1,39 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** Hooks configuration from standards.toml */
+interface HooksConfig {
+    enabled?: boolean;
+    require_husky?: boolean;
+    require_hooks?: string[];
+    commands?: Record<string, string[]>;
+    protected_branches?: string[];
+}
+/**
+ * Git hooks validation runner.
+ * Checks that husky is installed and required hooks are configured.
+ */
+export declare class HooksRunner extends BaseProcessToolRunner {
+    readonly name = "Hooks";
+    readonly rule = "process.hooks";
+    readonly toolId = "hooks";
+    private config;
+    /**
+     * Set configuration from standards.toml
+     */
+    setConfig(config: HooksConfig): void;
+    /** Check if husky is installed */
+    private checkHuskyInstalled;
+    /** Check that required hooks exist */
+    private checkRequiredHooks;
+    /** Check that hooks contain required commands */
+    private checkHookCommands;
+    /** Create a pre-push hook violation */
+    private createPrePushViolation;
+    /** Check if pre-push hook has branch detection */
+    private hasBranchDetection;
+    /** Check that pre-push hook prevents direct pushes to protected branches */
+    private checkProtectedBranches;
+    /** Run hooks validation */
+    run(projectRoot: string): Promise<CheckResult>;
+}
+export {};

package/dist/process/tools/index.d.ts

@@ -0,0 +1,14 @@
+export { BackupsRunner } from "./backups.js";
+export { BaseProcessToolRunner } from "./base.js";
+export { BranchesRunner } from "./branches.js";
+export { ChangesetsRunner } from "./changesets.js";
+export { CiRunner } from "./ci.js";
+export { CodeownersRunner } from "./codeowners.js";
+export { CommitsRunner } from "./commits.js";
+export { CoverageRunner } from "./coverage.js";
+export { DocsRunner } from "./docs.js";
+export { ForbiddenFilesRunner } from "./forbidden-files.js";
+export { HooksRunner } from "./hooks.js";
+export { PrRunner } from "./pr.js";
+export { RepoRunner } from "./repo.js";
+export { TicketsRunner } from "./tickets.js";

package/dist/process/tools/pr.d.ts

@@ -0,0 +1,59 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** PR configuration from standards.toml */
+interface PrConfig {
+    enabled?: boolean;
+    max_files?: number;
+    max_lines?: number;
+    require_issue?: boolean;
+    issue_keywords?: string[];
+    exclude?: string[];
+}
+/**
+ * PR size validation runner.
+ * Checks that the PR does not exceed configured size limits.
+ * Reads PR data from GITHUB_EVENT_PATH environment variable (GitHub Actions context).
+ */
+export declare class PrRunner extends BaseProcessToolRunner {
+    readonly name = "PR";
+    readonly rule = "process.pr";
+    readonly toolId = "pr";
+    private config;
+    /**
+     * Set configuration from standards.toml
+     */
+    setConfig(config: PrConfig): void;
+    /** Read PR data from GitHub event payload */
+    private readPrEventPayload;
+    /** Get PR data from payload, returns null if not available */
+    private getPrData;
+    /** Fetch a single page of PR files from GitHub API */
+    private fetchPrFilesPage;
+    /**
+     * Fetch PR files from GitHub API with pagination support.
+     * Returns empty array if GITHUB_TOKEN is not available or API fails.
+     */
+    private fetchPrFiles;
+    /**
+     * Filter files that match exclude patterns.
+     * Returns only files that do NOT match any exclude pattern.
+     */
+    private filterExcludedFiles;
+    /** Check if any validation is configured */
+    private hasValidationConfigured;
+    /** Check if PR body contains issue reference with keyword */
+    private findIssueReference;
+    /** Validate that PR contains issue reference */
+    private validateIssueReference;
+    /** Get PR counts, applying exclusions if configured */
+    private getPrCounts;
+    /** Check size limits and return violations */
+    private checkSizeLimits;
+    /** Validate PR size against configured limits */
+    private validatePrSize;
+    /** Collect all violations from PR validations */
+    private collectViolations;
+    /** Run PR validation */
+    run(_projectRoot: string): Promise<CheckResult>;
+}
+export {};

package/dist/process/tools/repo.d.ts

@@ -0,0 +1,65 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** Bypass actor configuration */
+interface BypassActorConfig {
+    actor_type: "Integration" | "OrganizationAdmin" | "RepositoryRole" | "Team" | "DeployKey";
+    actor_id?: number;
+    bypass_mode?: "always" | "pull_request";
+}
+/** Ruleset configuration (uses GitHub Rulesets API) */
+interface RulesetConfig {
+    name?: string;
+    branch?: string;
+    enforcement?: "active" | "evaluate" | "disabled";
+    required_reviews?: number;
+    dismiss_stale_reviews?: boolean;
+    require_code_owner_reviews?: boolean;
+    require_status_checks?: string[];
+    require_branches_up_to_date?: boolean;
+    require_signed_commits?: boolean;
+    enforce_admins?: boolean;
+    bypass_actors?: BypassActorConfig[];
+}
+/** Tag protection configuration */
+interface TagProtectionConfig {
+    patterns?: string[];
+    prevent_deletion?: boolean;
+    prevent_update?: boolean;
+}
+/** Repository configuration */
+interface RepoConfig {
+    enabled?: boolean;
+    require_branch_protection?: boolean;
+    require_codeowners?: boolean;
+    ruleset?: RulesetConfig;
+    tag_protection?: TagProtectionConfig;
+}
+/** Runner for repository settings validation */
+export declare class RepoRunner extends BaseProcessToolRunner {
+    readonly name = "Repository";
+    readonly rule = "process.repo";
+    readonly toolId = "repo";
+    private config;
+    setConfig(config: RepoConfig): void;
+    run(projectRoot: string): Promise<CheckResult>;
+    private collectViolations;
+    private isGhCliAvailable;
+    private getRepoInfo;
+    private checkCodeowners;
+    private checkBranchProtection;
+    private findBranchRuleset;
+    private matchesBranch;
+    private handleNoBranchRuleset;
+    private handleBranchProtectionError;
+    private validateBranchRulesetSettings;
+    private checkPullRequestRuleSettings;
+    private checkStatusChecksRuleSettings;
+    private checkBypassActorsSettings;
+    private checkTagProtection;
+    private validateTagProtection;
+    private checkTagPatterns;
+    private checkTagRules;
+    private tagViolation;
+    private handleTagProtectionError;
+}
+export {};

package/dist/process/tools/tickets.d.ts

@@ -0,0 +1,42 @@
+import { type CheckResult } from "../../core/index.js";
+import { BaseProcessToolRunner } from "./base.js";
+/** Tickets configuration from standards.toml */
+interface TicketsConfig {
+    enabled?: boolean;
+    pattern?: string;
+    require_in_commits?: boolean;
+    require_in_branch?: boolean;
+}
+/**
+ * Ticket reference validation runner.
+ * Checks that commit messages and/or branch names contain ticket references.
+ */
+export declare class TicketsRunner extends BaseProcessToolRunner {
+    readonly name = "Tickets";
+    readonly rule = "process.tickets";
+    readonly toolId = "tickets";
+    private config;
+    /**
+     * Set configuration from standards.toml
+     */
+    setConfig(config: TicketsConfig): void;
+    /** Get the current git branch name */
+    private getCurrentBranch;
+    /** Get the HEAD commit message */
+    private getHeadCommitMessage;
+    /** Check if text contains a match for the ticket pattern */
+    private matchesPattern;
+    /** Validate the regex pattern is valid */
+    private isValidPattern;
+    /** Check configuration validity */
+    private hasValidConfig;
+    /** Validate branch name contains ticket reference */
+    private validateBranch;
+    /** Validate commit message contains ticket reference */
+    private validateCommit;
+    /** Perform all validations and collect results */
+    private runValidations;
+    /** Run ticket validation */
+    run(projectRoot: string): Promise<CheckResult>;
+}
+export {};

package/dist/projects/detector.d.ts

@@ -0,0 +1,16 @@
+import type { DetectedProject, DetectionResult, ProjectType } from "./types.js";
+/** Options for project detection */
+export interface DetectProjectsOptions {
+    /** Glob patterns to exclude from detection */
+    excludePatterns?: string[];
+}
+/**
+ * Detect all projects in a directory tree.
+ * Identifies projects by marker files and skips workspace roots.
+ *
+ * @param searchRoot - Root directory to search
+ * @param options - Detection options including exclude patterns
+ */
+export declare function detectProjects(searchRoot: string, options?: DetectProjectsOptions): Promise<DetectionResult>;
+/** Get all project types that need templates */
+export declare function getProjectTypes(projects: DetectedProject[]): Set<ProjectType>;

package/dist/projects/index.d.ts

@@ -0,0 +1,4 @@
+import type { DetectOptions } from "./types.js";
+export type { DetectOptions } from "./types.js";
+/** Main entry point for the detect command */
+export declare function runDetect(options: DetectOptions): Promise<void>;

package/dist/projects/templates.d.ts

@@ -0,0 +1,15 @@
+import type { ProjectType } from "./types.js";
+/** Get the default template for a project type */
+export declare function getTemplate(type: ProjectType): string;
+/** Get a template that extends from a registry */
+export declare function getExtendsTemplate(registryPath: string, projectType: ProjectType): string;
+/**
+ * Create a standards.toml file for a project.
+ * @returns true if file was created (or would be created in dry-run)
+ */
+export declare function createCheckToml(projectPath: string, type: ProjectType, dryRun: boolean, registryPath?: string): boolean;
+/**
+ * Create a shared registry with rulesets.
+ * @param projectTypes - Set of project types that need rulesets
+ */
+export declare function createRegistry(registryPath: string, projectTypes: Set<ProjectType>, dryRun: boolean): void;

package/dist/projects/tier-loader.d.ts

@@ -0,0 +1,21 @@
+import type { Tier } from "../validate/types.js";
+import type { TierSource } from "./types.js";
+/** Result of loading tier from a project directory */
+export interface TierInfo {
+    /** The tier value (undefined if no metadata exists) */
+    tier?: Tier;
+    /** Source of the tier: "standards.toml" or null if not found */
+    source: TierSource;
+    /** Project name (optional, from standards.toml [metadata]) */
+    project?: string;
+    /** Organisation name (optional, from standards.toml [metadata]) */
+    organisation?: string;
+    /** Status (optional, from standards.toml [metadata]) */
+    status?: "active" | "pre-release" | "deprecated";
+}
+/**
+ * Load tier information from a project directory.
+ * Reads from standards.toml [metadata] section.
+ * Returns tier and source, with null source if no metadata exists.
+ */
+export declare function loadProjectTier(projectDir: string): TierInfo;

package/dist/projects/types.d.ts

@@ -0,0 +1,76 @@
+import type { Tier } from "../validate/types.js";
+/** Re-export Tier for convenience */
+export type { Tier } from "../validate/types.js";
+/** Project types detected by marker files */
+export type ProjectType = "typescript" | "python";
+/** Source of tier value */
+export type TierSource = "standards.toml" | "default" | null;
+/** Project marker file configuration */
+export interface ProjectMarker {
+    file: string;
+    type: ProjectType;
+    /** Optional function to check if this marker indicates a workspace root */
+    isWorkspaceRoot?: (content: string) => boolean;
+}
+/** A detected project in the monorepo */
+export interface DetectedProject {
+    /** Relative path from search root */
+    path: string;
+    /** Detected project type */
+    type: ProjectType;
+    /** Whether standards.toml exists in this project */
+    hasCheckToml: boolean;
+    /** Which marker file triggered detection */
+    markerFile: string;
+}
+/** A project enriched with tier information */
+export interface EnrichedProject extends DetectedProject {
+    /** Tier from standards.toml [metadata] (undefined if not found) */
+    tier?: Tier;
+    /** Source of tier value: standards.toml, default, or null if not found */
+    tierSource?: TierSource;
+}
+/** Result of project detection */
+export interface DetectionResult {
+    /** All detected projects */
+    projects: DetectedProject[];
+    /** Paths that were identified as workspace roots (skipped) */
+    workspaceRoots: string[];
+}
+/** Options for the detect command */
+export interface DetectOptions {
+    /** Create missing standards.toml files */
+    fix?: boolean;
+    /** Show what would be created without creating */
+    dryRun?: boolean;
+    /** Create shared registry and extend from it */
+    registry?: string;
+    /** Output format */
+    format: "text" | "json";
+    /** Show tier/status from standards.toml [metadata] */
+    showStatus?: boolean;
+    /** Filter to projects without standards.toml */
+    missingConfig?: boolean;
+}
+/** JSON output structure */
+export interface DetectJsonOutput {
+    projects: {
+        path: string;
+        type: string;
+        status: "has-config" | "missing-config";
+        /** Tier from repo-metadata.yaml (only when --show-status) */
+        tier?: Tier | null;
+        /** Source of tier value (only when --show-status) */
+        tierSource?: TierSource;
+    }[];
+    workspaceRoots: string[];
+    summary: {
+        total: number;
+        withConfig: number;
+        missingConfig: number;
+    };
+    actions?: {
+        action: "created" | "would-create";
+        path: string;
+    }[];
+}

package/dist/{rds-KLG5O5SI.js → rds-GZ5RVPIU.js}

@@ -1,3 +1,7 @@
+import {
+  createClientFactory
+} from "./chunk-O745CMWG.js";
+
 // src/infra/checkers/rds.ts
 import {
   DescribeDBInstancesCommand,
@@ -5,15 +9,7 @@ import {
   DescribeDBSubnetGroupsCommand,
   RDSClient
 } from "@aws-sdk/client-rds";
-var clientCache = /* @__PURE__ */ new Map();
-function getClient(region) {
-  let client = clientCache.get(region);
-  if (!client) {
-    client = new RDSClient({ region });
-    clientCache.set(region, client);
-  }
-  return client;
-}
+var getClient = createClientFactory(RDSClient);
 async function checkDBInstance(client, arn) {
   const { resourceId, raw } = arn;
   try {
@@ -148,4 +144,4 @@ var RDSChecker = {
 export {
   RDSChecker
 };
-//# sourceMappingURL=rds-KLG5O5SI.js.map
+//# sourceMappingURL=rds-GZ5RVPIU.js.map

package/dist/rds-GZ5RVPIU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/infra/checkers/rds.ts"],"sourcesContent":["/**\n * RDS resource checker\n *\n * Supports:\n * - DB instances\n * - DB clusters (Aurora)\n * - DB subnet groups\n */\n\nimport {\n  DescribeDBInstancesCommand,\n  DescribeDBClustersCommand,\n  DescribeDBSubnetGroupsCommand,\n  RDSClient,\n} from \"@aws-sdk/client-rds\";\n\nimport type { ParsedArn, ResourceCheckResult } from \"../types.js\";\nimport { createClientFactory } from \"./client-factory.js\";\nimport type { ResourceChecker } from \"./types.js\";\n\n/**\n * Get or create an RDS client for a region\n */\nconst getClient = createClientFactory(RDSClient);\n\n/**\n * Check if an RDS DB instance exists\n */\nasync function checkDBInstance(\n  client: RDSClient,\n  arn: ParsedArn\n): Promise<ResourceCheckResult> {\n  const { resourceId, raw } = arn;\n\n  try {\n    const response = await client.send(\n      new DescribeDBInstancesCommand({ DBInstanceIdentifier: resourceId })\n    );\n\n    const instance = response.DBInstances?.[0];\n    const exists = !!instance && instance.DBInstanceStatus !== \"deleting\";\n\n    return {\n      arn: raw,\n      exists,\n      service: \"rds\",\n      resourceType: \"db\",\n      resourceId,\n    };\n  } catch (error) {\n    const err = error as Error & { name?: string };\n\n    if (err.name === \"DBInstanceNotFoundFault\") {\n      return {\n        arn: raw,\n        exists: false,\n        service: \"rds\",\n        resourceType: \"db\",\n        resourceId,\n      };\n    }\n\n    return {\n      arn: raw,\n      exists: false,\n      error: err.message || \"Unknown error\",\n      service: \"rds\",\n      resourceType: \"db\",\n      resourceId,\n    };\n  }\n}\n\n/**\n * Check if an RDS DB cluster exists (Aurora)\n */\nasync function checkDBCluster(\n  client: RDSClient,\n  arn: ParsedArn\n): Promise<ResourceCheckResult> {\n  const { resourceId, raw } = arn;\n\n  try {\n    const response = await client.send(\n      new DescribeDBClustersCommand({ DBClusterIdentifier: resourceId })\n    );\n\n    const cluster = response.DBClusters?.[0];\n    const exists = !!cluster && cluster.Status !== \"deleting\";\n\n    return {\n      arn: raw,\n      exists,\n      service: \"rds\",\n      resourceType: \"cluster\",\n      resourceId,\n    };\n  } catch (error) {\n    const err = error as Error & { name?: string };\n\n    if (err.name === \"DBClusterNotFoundFault\") {\n      return {\n        arn: raw,\n        exists: false,\n        service: \"rds\",\n        resourceType: \"cluster\",\n        resourceId,\n      };\n    }\n\n    return {\n      arn: raw,\n      exists: false,\n      error: err.message || \"Unknown error\",\n      service: \"rds\",\n      resourceType: \"cluster\",\n      resourceId,\n    };\n  }\n}\n\n/**\n * Check if an RDS DB subnet group exists\n */\nasync function checkDBSubnetGroup(\n  client: RDSClient,\n  arn: ParsedArn\n): Promise<ResourceCheckResult> {\n  const { resourceId, raw } = arn;\n\n  try {\n    const response = await client.send(\n      new DescribeDBSubnetGroupsCommand({ DBSubnetGroupName: resourceId })\n    );\n\n    const subnetGroup = response.DBSubnetGroups?.[0];\n    const exists = !!subnetGroup;\n\n    return {\n      arn: raw,\n      exists,\n      service: \"rds\",\n      resourceType: \"subgrp\",\n      resourceId,\n    };\n  } catch (error) {\n    const err = error as Error & { name?: string };\n\n    if (err.name === \"DBSubnetGroupNotFoundFault\") {\n      return {\n        arn: raw,\n        exists: false,\n        service: \"rds\",\n        resourceType: \"subgrp\",\n        resourceId,\n      };\n    }\n\n    return {\n      arn: raw,\n      exists: false,\n      error: err.message || \"Unknown error\",\n      service: \"rds\",\n      resourceType: \"subgrp\",\n      resourceId,\n    };\n  }\n}\n\n/**\n * RDS resource checker\n */\nexport const RDSChecker: ResourceChecker = {\n  async check(arn: ParsedArn): Promise<ResourceCheckResult> {\n    const { resourceType, resourceId, region, raw } = arn;\n    const client = getClient(region);\n\n    switch (resourceType) {\n      case \"db\":\n        return checkDBInstance(client, arn);\n\n      case \"cluster\":\n        return checkDBCluster(client, arn);\n\n      case \"subgrp\":\n        return checkDBSubnetGroup(client, arn);\n\n      default:\n        return {\n          arn: raw,\n          exists: false,\n          error: `Unsupported RDS resource type: ${resourceType}`,\n          service: \"rds\",\n          resourceType,\n          resourceId,\n        };\n    }\n  },\n};\n"],"mappings":";;;;;AASA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AASP,IAAM,YAAY,oBAAoB,SAAS;AAK/C,eAAe,gBACb,QACA,KAC8B;AAC9B,QAAM,EAAE,YAAY,IAAI,IAAI;AAE5B,MAAI;AACF,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B,IAAI,2BAA2B,EAAE,sBAAsB,WAAW,CAAC;AAAA,IACrE;AAEA,UAAM,WAAW,SAAS,cAAc,CAAC;AACzC,UAAM,SAAS,CAAC,CAAC,YAAY,SAAS,qBAAqB;AAE3D,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,UAAM,MAAM;AAEZ,QAAI,IAAI,SAAS,2BAA2B;AAC1C,aAAO;AAAA,QACL,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,cAAc;AAAA,QACd;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,OAAO,IAAI,WAAW;AAAA,MACtB,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACF;AAKA,eAAe,eACb,QACA,KAC8B;AAC9B,QAAM,EAAE,YAAY,IAAI,IAAI;AAE5B,MAAI;AACF,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B,IAAI,0BAA0B,EAAE,qBAAqB,WAAW,CAAC;AAAA,IACnE;AAEA,UAAM,UAAU,SAAS,aAAa,CAAC;AACvC,UAAM,SAAS,CAAC,CAAC,WAAW,QAAQ,WAAW;AAE/C,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,UAAM,MAAM;AAEZ,QAAI,IAAI,SAAS,0BAA0B;AACzC,aAAO;AAAA,QACL,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,cAAc;AAAA,QACd;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,OAAO,IAAI,WAAW;AAAA,MACtB,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACF;AAKA,eAAe,mBACb,QACA,KAC8B;AAC9B,QAAM,EAAE,YAAY,IAAI,IAAI;AAE5B,MAAI;AACF,UAAM,WAAW,MAAM,OAAO;AAAA,MAC5B,IAAI,8BAA8B,EAAE,mBAAmB,WAAW,CAAC;AAAA,IACrE;AAEA,UAAM,cAAc,SAAS,iBAAiB,CAAC;AAC/C,UAAM,SAAS,CAAC,CAAC;AAEjB,WAAO;AAAA,MACL,KAAK;AAAA,MACL;AAAA,MACA,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,UAAM,MAAM;AAEZ,QAAI,IAAI,SAAS,8BAA8B;AAC7C,aAAO;AAAA,QACL,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,SAAS;AAAA,QACT,cAAc;AAAA,QACd;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,OAAO,IAAI,WAAW;AAAA,MACtB,SAAS;AAAA,MACT,cAAc;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACF;AAKO,IAAM,aAA8B;AAAA,EACzC,MAAM,MAAM,KAA8C;AACxD,UAAM,EAAE,cAAc,YAAY,QAAQ,IAAI,IAAI;AAClD,UAAM,SAAS,UAAU,MAAM;AAE/B,YAAQ,cAAc;AAAA,MACpB,KAAK;AACH,eAAO,gBAAgB,QAAQ,GAAG;AAAA,MAEpC,KAAK;AACH,eAAO,eAAe,QAAQ,GAAG;AAAA,MAEnC,KAAK;AACH,eAAO,mBAAmB,QAAQ,GAAG;AAAA,MAEvC;AACE,eAAO;AAAA,UACL,KAAK;AAAA,UACL,QAAQ;AAAA,UACR,OAAO,kCAAkC,YAAY;AAAA,UACrD,SAAS;AAAA,UACT;AAAA,UACA;AAAA,QACF;AAAA,IACJ;AAAA,EACF;AACF;","names":[]}

package/dist/{registry-V65CC7IN.js → registry-JRCQAIHR.js}

@@ -4,7 +4,8 @@ import {
   mergeConfigs,
   parseRegistryUrl,
   resolveExtends
-} from "./chunk-KHO6NIAI.js";
+} from "./chunk-YGDEM6K5.js";
+import "./chunk-RHM53NLG.js";
 export {
   fetchRegistry,
   loadRuleset,
@@ -12,4 +13,4 @@ export {
   parseRegistryUrl,
   resolveExtends
 };
-//# sourceMappingURL=registry-V65CC7IN.js.map
+//# sourceMappingURL=registry-JRCQAIHR.js.map

package/dist/{s3-2DH7PRVR.js → s3-53UELUWT.js}

@@ -1,17 +1,21 @@
+import {
+  AWS_DEFAULTS
+} from "./chunk-RHM53NLG.js";
+import {
+  createClientFactoryWithConfig
+} from "./chunk-O745CMWG.js";
+
 // src/infra/checkers/s3.ts
 import { HeadBucketCommand, S3Client } from "@aws-sdk/client-s3";
-var clientCache = /* @__PURE__ */ new Map();
+var getClientForRegion = createClientFactoryWithConfig(
+  (region) => new S3Client({
+    region,
+    followRegionRedirects: true
+  })
+);
 function getClient(region) {
-  const effectiveRegion = region || "us-east-1";
-  let client = clientCache.get(effectiveRegion);
-  if (!client) {
-    client = new S3Client({
-      region: effectiveRegion,
-      followRegionRedirects: true
-    });
-    clientCache.set(effectiveRegion, client);
-  }
-  return client;
+  const effectiveRegion = region || AWS_DEFAULTS.globalRegion;
+  return getClientForRegion(effectiveRegion);
 }
 var S3Checker = {
   async check(arn) {
@@ -46,4 +50,4 @@ async function checkBucket(bucketName, region, arn) {
 export {
   S3Checker
 };
-//# sourceMappingURL=s3-2DH7PRVR.js.map
+//# sourceMappingURL=s3-53UELUWT.js.map

package/dist/s3-53UELUWT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/infra/checkers/s3.ts"],"sourcesContent":["/**\n * S3 resource checker\n */\n\nimport { HeadBucketCommand, S3Client } from \"@aws-sdk/client-s3\";\n\nimport { AWS_DEFAULTS } from \"../../constants.js\";\nimport type { ParsedArn, ResourceCheckResult } from \"../types.js\";\nimport { createClientFactoryWithConfig } from \"./client-factory.js\";\nimport type { ResourceChecker } from \"./types.js\";\n\n/**\n * Get or create an S3 client for a region.\n * S3 is global, but we use the default region for global operations.\n * Uses followRegionRedirects for cross-region bucket access.\n */\nconst getClientForRegion = createClientFactoryWithConfig(\n  (region: string) =>\n    new S3Client({\n      region,\n      followRegionRedirects: true,\n    })\n);\n\n/**\n * Get S3 client with fallback to default region\n */\nfunction getClient(region: string): S3Client {\n  const effectiveRegion = region || AWS_DEFAULTS.globalRegion;\n  return getClientForRegion(effectiveRegion);\n}\n\n/**\n * S3 bucket checker\n */\nexport const S3Checker: ResourceChecker = {\n  async check(arn: ParsedArn): Promise<ResourceCheckResult> {\n    const { resourceType, resourceId, raw } = arn;\n\n    // Only check bucket existence (not individual objects)\n    if (resourceType === \"object\") {\n      // For objects, we'd need to check if the key exists, which is expensive\n      // For now, we just check if the bucket exists\n      const bucketName = resourceId.split(\"/\")[0];\n      return checkBucket(bucketName, arn.region, raw);\n    }\n\n    return checkBucket(resourceId, arn.region, raw);\n  },\n};\n\n/**\n * Create a bucket check result\n */\nfunction bucketResult(\n  arn: string,\n  bucketName: string,\n  exists: boolean,\n  error?: string\n): ResourceCheckResult {\n  return { arn, exists, error, service: \"s3\", resourceType: \"bucket\", resourceId: bucketName };\n}\n\n/**\n * Check if error indicates bucket doesn't exist (404 or 403)\n */\nfunction isBucketNotFound(err: Error & { name?: string; $metadata?: { httpStatusCode?: number } }): boolean {\n  const httpStatus = err.$metadata?.httpStatusCode;\n  // 404 = not found, 403 = access denied (S3 returns 403 for non-existent buckets to prevent enumeration)\n  return err.name === \"NotFound\" || err.name === \"NoSuchBucket\" || httpStatus === 404 ||\n         err.name === \"Forbidden\" || err.name === \"AccessDenied\" || httpStatus === 403;\n}\n\n/**\n * Check if an S3 bucket exists\n */\nasync function checkBucket(bucketName: string, region: string, arn: string): Promise<ResourceCheckResult> {\n  const client = getClient(region);\n\n  try {\n    await client.send(new HeadBucketCommand({ Bucket: bucketName }));\n    return bucketResult(arn, bucketName, true);\n  } catch (error) {\n    const err = error as Error & { name?: string; $metadata?: { httpStatusCode?: number } };\n    if (isBucketNotFound(err)) {\n      return bucketResult(arn, bucketName, false);\n    }\n    return bucketResult(arn, bucketName, false, err.message || \"Unknown error\");\n  }\n}\n"],"mappings":";;;;;;;;AAIA,SAAS,mBAAmB,gBAAgB;AAY5C,IAAM,qBAAqB;AAAA,EACzB,CAAC,WACC,IAAI,SAAS;AAAA,IACX;AAAA,IACA,uBAAuB;AAAA,EACzB,CAAC;AACL;AAKA,SAAS,UAAU,QAA0B;AAC3C,QAAM,kBAAkB,UAAU,aAAa;AAC/C,SAAO,mBAAmB,eAAe;AAC3C;AAKO,IAAM,YAA6B;AAAA,EACxC,MAAM,MAAM,KAA8C;AACxD,UAAM,EAAE,cAAc,YAAY,IAAI,IAAI;AAG1C,QAAI,iBAAiB,UAAU;AAG7B,YAAM,aAAa,WAAW,MAAM,GAAG,EAAE,CAAC;AAC1C,aAAO,YAAY,YAAY,IAAI,QAAQ,GAAG;AAAA,IAChD;AAEA,WAAO,YAAY,YAAY,IAAI,QAAQ,GAAG;AAAA,EAChD;AACF;AAKA,SAAS,aACP,KACA,YACA,QACA,OACqB;AACrB,SAAO,EAAE,KAAK,QAAQ,OAAO,SAAS,MAAM,cAAc,UAAU,YAAY,WAAW;AAC7F;AAKA,SAAS,iBAAiB,KAAkF;AAC1G,QAAM,aAAa,IAAI,WAAW;AAElC,SAAO,IAAI,SAAS,cAAc,IAAI,SAAS,kBAAkB,eAAe,OACzE,IAAI,SAAS,eAAe,IAAI,SAAS,kBAAkB,eAAe;AACnF;AAKA,eAAe,YAAY,YAAoB,QAAgB,KAA2C;AACxG,QAAM,SAAS,UAAU,MAAM;AAE/B,MAAI;AACF,UAAM,OAAO,KAAK,IAAI,kBAAkB,EAAE,QAAQ,WAAW,CAAC,CAAC;AAC/D,WAAO,aAAa,KAAK,YAAY,IAAI;AAAA,EAC3C,SAAS,OAAO;AACd,UAAM,MAAM;AACZ,QAAI,iBAAiB,GAAG,GAAG;AACzB,aAAO,aAAa,KAAK,YAAY,KAAK;AAAA,IAC5C;AACA,WAAO,aAAa,KAAK,YAAY,OAAO,IAAI,WAAW,eAAe;AAAA,EAC5E;AACF;","names":[]}