@standards-kit/conform 0.1.0

package/dist/chunk-M7G73Q6P.js

@@ -0,0 +1,662 @@
+// src/infra/manifest.ts
+import * as fs from "fs";
+import * as path from "path";
+
+// src/infra/arn.ts
+function isValidArn(arn) {
+  if (!arn.startsWith("arn:")) {
+    return false;
+  }
+  const parts = arn.split(":");
+  return parts.length >= 6;
+}
+function parseArn(arn) {
+  if (!isValidArn(arn)) {
+    return null;
+  }
+  const parts = arn.split(":");
+  const [, partition, service, region, accountId, ...resourceParts] = parts;
+  const resource = resourceParts.join(":");
+  const { resourceType, resourceId } = parseResource(service, resource);
+  return {
+    cloud: "aws",
+    partition,
+    service,
+    region,
+    accountId,
+    resourceType,
+    resourceId,
+    raw: arn
+  };
+}
+var serviceParsers = {
+  s3: parseS3Resource,
+  lambda: parseLambdaResource,
+  dynamodb: parseDynamoDBResource,
+  sqs: (resource) => ({ resourceType: "queue", resourceId: resource }),
+  sns: (resource) => ({ resourceType: "topic", resourceId: resource }),
+  iam: parseIAMResource,
+  secretsmanager: parseSecretsManagerResource,
+  logs: parseLogsResource
+};
+function parseS3Resource(resource) {
+  if (resource.includes("/")) {
+    const [bucket, ...keyParts] = resource.split("/");
+    return { resourceType: "object", resourceId: `${bucket}/${keyParts.join("/")}` };
+  }
+  return { resourceType: "bucket", resourceId: resource };
+}
+function parseLambdaResource(resource) {
+  if (resource.startsWith("function:")) {
+    const funcName = resource.slice("function:".length);
+    const colonIndex = funcName.indexOf(":");
+    const resourceId = colonIndex !== -1 ? funcName.slice(0, colonIndex) : funcName;
+    return { resourceType: "function", resourceId };
+  }
+  if (resource.startsWith("layer:")) {
+    const rest = resource.slice("layer:".length);
+    const colonIndex = rest.indexOf(":");
+    const resourceId = colonIndex !== -1 ? rest.slice(0, colonIndex) : rest;
+    return { resourceType: "layer", resourceId };
+  }
+  return { resourceType: "function", resourceId: resource };
+}
+function parseDynamoDBResource(resource) {
+  if (resource.startsWith("table/")) {
+    const rest = resource.slice("table/".length);
+    const indexPos = rest.indexOf("/index/");
+    const resourceType = indexPos !== -1 ? "index" : "table";
+    return { resourceType, resourceId: rest };
+  }
+  return { resourceType: "table", resourceId: resource };
+}
+function parseIAMResource(resource) {
+  const prefixes = ["role/", "user/", "policy/"];
+  for (const prefix of prefixes) {
+    if (resource.startsWith(prefix)) {
+      return {
+        resourceType: prefix.slice(0, -1),
+        resourceId: resource.slice(prefix.length)
+      };
+    }
+  }
+  const colonIndex = resource.indexOf(":");
+  if (colonIndex !== -1) {
+    return {
+      resourceType: resource.slice(0, colonIndex),
+      resourceId: resource.slice(colonIndex + 1)
+    };
+  }
+  return { resourceType: "", resourceId: resource };
+}
+function parseSecretsManagerResource(resource) {
+  if (resource.startsWith("secret:")) {
+    return { resourceType: "secret", resourceId: resource.slice("secret:".length) };
+  }
+  return { resourceType: "secret", resourceId: resource };
+}
+function parseLogsResource(resource) {
+  if (resource.startsWith("log-group:")) {
+    let logGroupName = resource.slice("log-group:".length);
+    if (logGroupName.endsWith(":*")) {
+      logGroupName = logGroupName.slice(0, -2);
+    }
+    return { resourceType: "log-group", resourceId: logGroupName };
+  }
+  return { resourceType: "log-group", resourceId: resource };
+}
+function parseGenericResource(resource) {
+  if (resource.includes("/")) {
+    const slashIndex = resource.indexOf("/");
+    return {
+      resourceType: resource.slice(0, slashIndex),
+      resourceId: resource.slice(slashIndex + 1)
+    };
+  }
+  if (resource.includes(":")) {
+    const colonIndex = resource.indexOf(":");
+    return {
+      resourceType: resource.slice(0, colonIndex),
+      resourceId: resource.slice(colonIndex + 1)
+    };
+  }
+  return { resourceType: "", resourceId: resource };
+}
+function parseResource(service, resource) {
+  const parser = serviceParsers[service];
+  return parser ? parser(resource) : parseGenericResource(resource);
+}
+
+// src/infra/gcp.ts
+function isValidGcpResource(path2) {
+  return path2.startsWith("projects/") && path2.split("/").length >= 3;
+}
+function parseGcpResource(path2) {
+  if (!isValidGcpResource(path2)) {
+    return null;
+  }
+  const parts = path2.split("/");
+  if (parts[0] !== "projects" || parts.length < 3) {
+    return null;
+  }
+  const project = parts[1];
+  const result = parseResourcePath(parts.slice(2), path2, project);
+  return result;
+}
+function parseResourcePath(parts, raw, project) {
+  if (parts[0] === "serviceAccounts" && parts.length >= 2) {
+    return gcpResource({
+      project,
+      service: "iam",
+      location: "global",
+      resourceType: "serviceAccounts",
+      resourceId: parts.slice(1).join("/"),
+      raw
+    });
+  }
+  if (parts[0] === "secrets" && parts.length >= 2) {
+    return gcpResource({
+      project,
+      service: "secretmanager",
+      location: "global",
+      resourceType: "secrets",
+      resourceId: parts[1],
+      raw
+    });
+  }
+  if (parts[0] === "locations" && parts.length >= 4) {
+    const location = parts[1];
+    const resourceType = parts[2];
+    const resourceId = parts.slice(3).join("/");
+    const service = getServiceFromResourceType(resourceType);
+    return gcpResource({
+      project,
+      service,
+      location,
+      resourceType,
+      resourceId,
+      raw
+    });
+  }
+  return null;
+}
+function getServiceFromResourceType(resourceType) {
+  const serviceMap = {
+    services: "run",
+    repositories: "artifactregistry",
+    functions: "cloudfunctions",
+    buckets: "storage",
+    instances: "compute",
+    clusters: "container"
+  };
+  return serviceMap[resourceType] ?? resourceType;
+}
+function gcpResource(params) {
+  return { cloud: "gcp", ...params };
+}
+
+// src/infra/schemas.ts
+import { z } from "zod";
+var CloudProviderSchema = z.enum(["aws", "gcp"]);
+var AccountKeySchema = z.string().regex(
+  /^(aws|gcp):.+$/,
+  "Invalid account key format. Expected: provider:accountId (e.g., aws:123456789012, gcp:my-project)"
+);
+var ArnSchema = z.string().regex(
+  /^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:[0-9]*:.+$/,
+  "Invalid ARN format. Expected: arn:partition:service:region:account-id:resource"
+);
+var ParsedArnSchema = z.object({
+  /** Cloud provider (always "aws" for ARNs) */
+  cloud: z.literal("aws"),
+  /** AWS partition (aws, aws-cn, aws-us-gov) */
+  partition: z.string(),
+  /** AWS service (s3, lambda, rds, etc.) */
+  service: z.string(),
+  /** AWS region (empty for global services like S3, IAM) */
+  region: z.string(),
+  /** AWS account ID (empty for S3 buckets) */
+  accountId: z.string(),
+  /** Resource type (e.g., function, table, bucket) */
+  resourceType: z.string(),
+  /** Resource name/identifier */
+  resourceId: z.string(),
+  /** Original ARN string */
+  raw: z.string()
+});
+var GcpResourcePathSchema = z.string().regex(
+  /^projects\/[^/]+\/.+$/,
+  "Invalid GCP resource path format. Expected: projects/{project-id}/..."
+);
+var ParsedGcpResourceSchema = z.object({
+  /** Cloud provider (always "gcp" for GCP resources) */
+  cloud: z.literal("gcp"),
+  /** GCP project ID */
+  project: z.string(),
+  /** GCP service (run, iam, secretmanager, artifactregistry, etc.) */
+  service: z.string(),
+  /** Location/region (us-central1, global, etc.) */
+  location: z.string(),
+  /** Resource type (services, serviceAccounts, secrets, repositories, etc.) */
+  resourceType: z.string(),
+  /** Resource name/ID */
+  resourceId: z.string(),
+  /** Original resource path */
+  raw: z.string()
+});
+var ResourceIdentifierSchema = z.union([ArnSchema, GcpResourcePathSchema]);
+var AccountIdSchema = z.object({
+  /** Cloud provider */
+  cloud: CloudProviderSchema,
+  /** AWS account ID or GCP project ID */
+  id: z.string()
+});
+var ManifestAccountSchema = z.object({
+  /** Optional human-readable alias for this account */
+  alias: z.string().optional(),
+  /** List of resource identifiers (ARNs or GCP resource paths) */
+  resources: z.array(z.string())
+});
+var MultiAccountManifestSchema = z.object({
+  /** Manifest version - must be 2 for multi-account format */
+  version: z.literal(2),
+  /** Optional project name */
+  project: z.string().optional(),
+  /** Resources grouped by account key (e.g., "aws:123456789012", "gcp:my-project") */
+  accounts: z.record(z.string(), ManifestAccountSchema)
+});
+var LegacyManifestSchema = z.object({
+  /** Optional manifest version (1 or undefined for legacy) */
+  version: z.literal(1).optional(),
+  /** Optional project name */
+  project: z.string().optional(),
+  /** Flat list of resource identifiers */
+  resources: z.array(z.string())
+});
+var ManifestSchema = z.union([MultiAccountManifestSchema, LegacyManifestSchema]);
+var ResourceCheckResultSchema = z.object({
+  /** The resource ARN or GCP path */
+  arn: z.string(),
+  /** Whether the resource exists */
+  exists: z.boolean(),
+  /** Error message if check failed */
+  error: z.string().optional(),
+  /** Service name (e.g., s3, lambda, run) */
+  service: z.string(),
+  /** Resource type (e.g., bucket, function) */
+  resourceType: z.string(),
+  /** Resource identifier */
+  resourceId: z.string()
+});
+var InfraScanSummarySchema = z.object({
+  /** Total resources checked */
+  total: z.number().int().nonnegative(),
+  /** Resources that exist */
+  found: z.number().int().nonnegative(),
+  /** Resources that don't exist */
+  missing: z.number().int().nonnegative(),
+  /** Resources that couldn't be checked (errors) */
+  errors: z.number().int().nonnegative()
+});
+var AccountScanResultSchema = z.object({
+  /** Account alias if provided */
+  alias: z.string().optional(),
+  /** Individual resource check results */
+  results: z.array(ResourceCheckResultSchema),
+  /** Summary statistics for this account */
+  summary: InfraScanSummarySchema
+});
+var InfraScanResultSchema = z.object({
+  /** Path to the manifest file */
+  manifest: z.string(),
+  /** Project name */
+  project: z.string().optional(),
+  /** Individual resource check results */
+  results: z.array(ResourceCheckResultSchema),
+  /** Summary statistics */
+  summary: InfraScanSummarySchema,
+  /** Per-account results (only present for multi-account manifests) */
+  accountResults: z.record(z.string(), AccountScanResultSchema).optional()
+});
+var PulumiResourceSchema = z.object({
+  urn: z.string().optional(),
+  type: z.string().optional(),
+  inputs: z.record(z.string(), z.unknown()).optional(),
+  outputs: z.record(z.string(), z.unknown()).optional()
+});
+var PulumiStackExportSchema = z.object({
+  version: z.number().optional(),
+  deployment: z.object({
+    manifest: z.object({
+      time: z.string().optional(),
+      magic: z.string().optional(),
+      version: z.string().optional()
+    }).optional(),
+    resources: z.array(PulumiResourceSchema).optional()
+  }).optional()
+});
+function validateArn(arn) {
+  return ArnSchema.parse(arn);
+}
+function isValidArnFormat(arn) {
+  return ArnSchema.safeParse(arn).success;
+}
+function validateGcpResourcePath(path2) {
+  return GcpResourcePathSchema.parse(path2);
+}
+function isValidGcpResourcePath(path2) {
+  return GcpResourcePathSchema.safeParse(path2).success;
+}
+function validateAccountKey(key) {
+  return AccountKeySchema.parse(key);
+}
+function isValidAccountKey(key) {
+  return AccountKeySchema.safeParse(key).success;
+}
+function validateLegacyManifest(data) {
+  return LegacyManifestSchema.parse(data);
+}
+function validateMultiAccountManifest(data) {
+  return MultiAccountManifestSchema.parse(data);
+}
+function validateManifest(data) {
+  return ManifestSchema.parse(data);
+}
+function isMultiAccountManifestSchema(data) {
+  return MultiAccountManifestSchema.safeParse(data).success;
+}
+function isLegacyManifestSchema(data) {
+  return LegacyManifestSchema.safeParse(data).success;
+}
+function validateStackExport(data) {
+  return PulumiStackExportSchema.parse(data);
+}
+
+// src/infra/manifest.ts
+function isValidResource(resource) {
+  return isValidArn(resource) || isValidGcpResource(resource);
+}
+var ManifestError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ManifestError";
+  }
+};
+function isMultiAccountManifest(manifest) {
+  return "accounts" in manifest && typeof manifest.accounts === "object";
+}
+function isLegacyManifest(manifest) {
+  return "resources" in manifest && Array.isArray(manifest.resources);
+}
+function parseAccountKey(key) {
+  if (!isValidAccountKey(key)) {
+    return null;
+  }
+  const colonIndex = key.indexOf(":");
+  return {
+    cloud: key.substring(0, colonIndex),
+    id: key.substring(colonIndex + 1)
+  };
+}
+function formatAccountKey(cloud, id) {
+  return `${cloud}:${id}`;
+}
+function normalizeManifest(manifest) {
+  if (isMultiAccountManifest(manifest)) {
+    return manifest;
+  }
+  const accounts = {};
+  for (const resource of manifest.resources) {
+    const accountKey = detectAccountFromResource(resource);
+    if (accountKey in accounts) {
+      accounts[accountKey].resources.push(resource);
+    } else {
+      accounts[accountKey] = { resources: [resource] };
+    }
+  }
+  return {
+    version: 2,
+    project: manifest.project,
+    accounts
+  };
+}
+function detectAccountFromResource(resource) {
+  if (resource.startsWith("arn:")) {
+    const parts = resource.split(":");
+    if (parts.length >= 5) {
+      const accountId = parts[4];
+      if (accountId) {
+        return formatAccountKey("aws", accountId);
+      }
+      return "aws:unknown";
+    }
+  }
+  const gcpRegex = /^projects\/([^/]+)\//;
+  const gcpMatch = gcpRegex.exec(resource);
+  if (gcpMatch) {
+    return formatAccountKey("gcp", gcpMatch[1]);
+  }
+  return "unknown:unknown";
+}
+function getAllResources(manifest) {
+  if (isMultiAccountManifest(manifest)) {
+    return Object.values(manifest.accounts).flatMap((account) => account.resources);
+  }
+  return manifest.resources;
+}
+function readManifest(manifestPath) {
+  if (!fs.existsSync(manifestPath)) {
+    throw new ManifestError(`Manifest file not found: ${manifestPath}`);
+  }
+  const content = fs.readFileSync(manifestPath, "utf-8");
+  const ext = path.extname(manifestPath).toLowerCase();
+  if (ext === ".json") {
+    return parseJsonManifest(content, manifestPath);
+  }
+  if (ext === ".txt") {
+    return parseTxtManifest(content, manifestPath);
+  }
+  try {
+    return parseJsonManifest(content, manifestPath);
+  } catch {
+    return parseTxtManifest(content, manifestPath);
+  }
+}
+function parseJsonManifest(content, manifestPath) {
+  const data = parseJsonContent(content, manifestPath);
+  if (!data || typeof data !== "object") {
+    throw new ManifestError(`Manifest ${manifestPath} must be a JSON object`);
+  }
+  if (isMultiAccountManifestSchema(data)) {
+    return validateMultiAccountManifestWithResources(data, manifestPath);
+  }
+  if (isLegacyManifestSchema(data)) {
+    return validateLegacyManifestWithResources(data, manifestPath);
+  }
+  return parseFallbackManifest(data, manifestPath);
+}
+function parseFallbackManifest(obj, manifestPath) {
+  if ("accounts" in obj) {
+    return parseMultiAccountManifestFallback(obj, manifestPath);
+  }
+  validateJsonStructure(obj, manifestPath);
+  const resources = extractAndValidateResources(obj.resources, manifestPath);
+  const project = typeof obj.project === "string" ? obj.project : void 0;
+  return { project, resources };
+}
+function validateMultiAccountManifestWithResources(data, manifestPath) {
+  try {
+    const manifest = validateMultiAccountManifest(data);
+    for (const [accountKey, account] of Object.entries(manifest.accounts)) {
+      if (!isValidAccountKey(accountKey)) {
+        throw new ManifestError(
+          `Manifest ${manifestPath} has invalid account key: "${accountKey}". Expected format: "aws:<account-id>" or "gcp:<project-id>"`
+        );
+      }
+      const invalidResources = account.resources.filter((r) => !isValidResource(r));
+      if (invalidResources.length > 0) {
+        throw new ManifestError(
+          `Manifest ${manifestPath} account "${accountKey}" contains invalid resources: ${invalidResources.join(", ")}`
+        );
+      }
+    }
+    return manifest;
+  } catch (error) {
+    if (error instanceof ManifestError) {
+      throw error;
+    }
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new ManifestError(`Invalid manifest ${manifestPath}: ${message}`);
+  }
+}
+function validateLegacyManifestWithResources(data, manifestPath) {
+  try {
+    const manifest = validateLegacyManifest(data);
+    const invalidResources = manifest.resources.filter((r) => !isValidResource(r));
+    if (invalidResources.length > 0) {
+      throw new ManifestError(
+        `Manifest ${manifestPath} contains invalid resources: ${invalidResources.join(", ")}`
+      );
+    }
+    return manifest;
+  } catch (error) {
+    if (error instanceof ManifestError) {
+      throw error;
+    }
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new ManifestError(`Invalid manifest ${manifestPath}: ${message}`);
+  }
+}
+function parseMultiAccountManifestFallback(obj, manifestPath) {
+  const accountsRaw = obj.accounts;
+  const accounts = {};
+  for (const [key, value] of Object.entries(accountsRaw)) {
+    accounts[key] = parseAccountEntry(key, value, manifestPath);
+  }
+  const project = typeof obj.project === "string" ? obj.project : void 0;
+  return { version: 2, project, accounts };
+}
+function parseAccountEntry(key, value, manifestPath) {
+  const parsedKey = parseAccountKey(key);
+  if (!parsedKey) {
+    throw new ManifestError(
+      `Manifest ${manifestPath} has invalid account key: "${key}". Expected format: "aws:<account-id>" or "gcp:<project-id>"`
+    );
+  }
+  if (!value || typeof value !== "object") {
+    throw new ManifestError(`Manifest ${manifestPath} account "${key}" must be an object`);
+  }
+  const accountObj = value;
+  if (!Array.isArray(accountObj.resources)) {
+    throw new ManifestError(`Manifest ${manifestPath} account "${key}" must have a "resources" array`);
+  }
+  const resources = extractAndValidateResources(accountObj.resources, manifestPath);
+  const alias = typeof accountObj.alias === "string" ? accountObj.alias : void 0;
+  return { alias, resources };
+}
+function parseJsonContent(content, manifestPath) {
+  try {
+    return JSON.parse(content);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new ManifestError(`Invalid JSON in manifest ${manifestPath}: ${message}`);
+  }
+}
+function validateJsonStructure(data, manifestPath) {
+  if (!data || typeof data !== "object") {
+    throw new ManifestError(`Manifest ${manifestPath} must be a JSON object`);
+  }
+  const obj = data;
+  if (!Array.isArray(obj.resources)) {
+    throw new ManifestError(`Manifest ${manifestPath} must have a "resources" array`);
+  }
+}
+function extractAndValidateResources(items, manifestPath) {
+  const resources = [];
+  const invalidResources = [];
+  for (const item of items) {
+    if (typeof item !== "string") {
+      throw new ManifestError(
+        `Manifest ${manifestPath} contains non-string resource: ${JSON.stringify(item)}`
+      );
+    }
+    if (!isValidResource(item)) {
+      invalidResources.push(item);
+    } else {
+      resources.push(item);
+    }
+  }
+  if (invalidResources.length > 0) {
+    throw new ManifestError(
+      `Manifest ${manifestPath} contains invalid resources: ${invalidResources.join(", ")}`
+    );
+  }
+  return resources;
+}
+function parseTxtManifest(content, manifestPath) {
+  const lines = content.split("\n");
+  const resources = [];
+  const invalidResources = [];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+    if (!isValidResource(line)) {
+      invalidResources.push({ line: i + 1, value: line });
+    } else {
+      resources.push(line);
+    }
+  }
+  if (invalidResources.length > 0) {
+    const details = invalidResources.map((a) => `line ${a.line}: "${a.value}"`).join(", ");
+    throw new ManifestError(`Manifest ${manifestPath} contains invalid resources: ${details}`);
+  }
+  return { resources };
+}
+
+export {
+  isValidArn,
+  parseArn,
+  isValidGcpResource,
+  parseGcpResource,
+  CloudProviderSchema,
+  AccountKeySchema,
+  ArnSchema,
+  ParsedArnSchema,
+  GcpResourcePathSchema,
+  ParsedGcpResourceSchema,
+  ResourceIdentifierSchema,
+  AccountIdSchema,
+  ManifestAccountSchema,
+  MultiAccountManifestSchema,
+  LegacyManifestSchema,
+  ManifestSchema,
+  ResourceCheckResultSchema,
+  InfraScanSummarySchema,
+  InfraScanResultSchema,
+  PulumiResourceSchema,
+  PulumiStackExportSchema,
+  validateArn,
+  isValidArnFormat,
+  validateGcpResourcePath,
+  isValidGcpResourcePath,
+  validateAccountKey,
+  isValidAccountKey,
+  validateLegacyManifest,
+  validateMultiAccountManifest,
+  validateManifest,
+  isMultiAccountManifestSchema,
+  isLegacyManifestSchema,
+  validateStackExport,
+  ManifestError,
+  isMultiAccountManifest,
+  isLegacyManifest,
+  parseAccountKey,
+  formatAccountKey,
+  normalizeManifest,
+  detectAccountFromResource,
+  getAllResources,
+  readManifest
+};
+//# sourceMappingURL=chunk-M7G73Q6P.js.map