@tagma/sdk 0.6.10 → 0.6.11

package/src/schema.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, test } from 'bun:test';
 import yaml from 'js-yaml';
 import type { PipelineConfig, RawPipelineConfig } from './types';
-import { deresolvePipeline, serializePipeline } from './schema';
+import { deresolvePipeline, parseYaml, resolveConfig, serializePipeline } from './schema';
 
 function parsePipelineYaml(content: string): RawPipelineConfig {
   const doc = yaml.load(content) as { pipeline: RawPipelineConfig };
@@ -56,6 +56,37 @@ describe('completion default serialization', () => {
     });
   });
 
+  test('serializePipeline drops continue_from from command tasks (prompt-only field)', () => {
+    const raw: RawPipelineConfig = {
+      name: 'Strip Continue From',
+      tracks: [
+        {
+          id: 'track_a',
+          name: 'Track A',
+          tasks: [
+            { id: 'upstream', prompt: 'generate something' },
+            // Simulates a task the user authored as `prompt` with a
+            // continue_from, then toggled to `command` in the editor panel.
+            // The field should not survive serialization.
+            {
+              id: 'downstream',
+              command: 'bun run build',
+              continue_from: 'upstream',
+              depends_on: ['upstream'],
+            },
+            // A prompt task keeps its continue_from as-is.
+            { id: 'threaded', prompt: 'refine', continue_from: 'upstream' },
+          ],
+        },
+      ],
+    };
+
+    const parsed = parsePipelineYaml(serializePipeline(raw));
+    expect(parsed.tracks[0].tasks[1].continue_from).toBeUndefined();
+    expect(parsed.tracks[0].tasks[1].depends_on).toEqual(['upstream']);
+    expect(parsed.tracks[0].tasks[2].continue_from).toBe('upstream');
+  });
+
   test('deresolvePipeline also omits the default exit_code completion', () => {
     const resolved: PipelineConfig = {
       name: 'Deresolve Defaults',
@@ -99,3 +130,84 @@ describe('completion default serialization', () => {
     });
   });
 });
+
+describe('parseYaml structural validation', () => {
+  test('rejects non-array pipeline.tracks with a clear error', () => {
+    expect(() =>
+      parseYaml(`
+pipeline:
+  name: Bad
+  tracks:
+    id: not-an-array
+`),
+    ).toThrow(/pipeline\.tracks must be an array/);
+  });
+
+  test('rejects non-array track.tasks with a clear error', () => {
+    expect(() =>
+      parseYaml(`
+pipeline:
+  name: Bad
+  tracks:
+    - id: t
+      name: T
+      tasks:
+        id: not-an-array
+`),
+    ).toThrow(/track "t": tasks must be an array/);
+  });
+});
+
+describe('permissions inheritance', () => {
+  test('resolveConfig applies pipeline-level permissions to tracks and tasks', () => {
+    const raw: RawPipelineConfig = {
+      name: 'Pipeline Permissions',
+      permissions: { read: true, write: true, execute: false },
+      tracks: [
+        {
+          id: 'track_a',
+          name: 'Track A',
+          tasks: [{ id: 'task_1', prompt: 'hello' }],
+        },
+      ],
+    };
+
+    const resolved = resolveConfig(raw, 'D:/workspace');
+    expect(resolved.tracks[0].permissions).toEqual({ read: true, write: true, execute: false });
+    expect(resolved.tracks[0].tasks[0].permissions).toEqual({
+      read: true,
+      write: true,
+      execute: false,
+    });
+  });
+
+  test('deresolvePipeline preserves pipeline-level permissions without repeating inherited values', () => {
+    const resolved: PipelineConfig = {
+      name: 'Deresolve Permissions',
+      permissions: { read: true, write: true, execute: false },
+      tracks: [
+        {
+          id: 'track_a',
+          name: 'Track A',
+          permissions: { read: true, write: true, execute: false },
+          cwd: 'D:/workspace',
+          tasks: [
+            {
+              id: 'task_1',
+              name: 'Task 1',
+              prompt: 'hello',
+              permissions: { read: true, write: true, execute: false },
+              cwd: 'D:/workspace',
+            },
+          ],
+        },
+      ],
+    };
+
+    const raw = deresolvePipeline(resolved, 'D:/workspace');
+
+    expect(raw.permissions).toEqual({ read: true, write: true, execute: false });
+    expect(raw.tracks[0].permissions).toBeUndefined();
+    expect(raw.tracks[0].tasks[0].permissions).toBeUndefined();
+  });
+});

package/src/schema.ts

@@ -17,13 +17,17 @@ import { buildDag } from './dag';
 // ═══ YAML Parsing ═══
 
 export function parseYaml(content: string): RawPipelineConfig {
-  const doc = yaml.load(content) as { pipeline?: RawPipelineConfig };
+  const doc = yaml.load(content) as { pipeline?: unknown };
   if (!doc?.pipeline) {
     throw new Error('YAML must contain a top-level "pipeline" key');
   }
-  const p = doc.pipeline;
+  if (typeof doc.pipeline !== 'object' || Array.isArray(doc.pipeline)) {
+    throw new Error('pipeline must be an object');
+  }
+  const p = doc.pipeline as RawPipelineConfig;
   if (!p.name) throw new Error('pipeline.name is required');
-  if (!p.tracks || p.tracks.length === 0) throw new Error('pipeline.tracks must be non-empty');
+  if (!Array.isArray(p.tracks)) throw new Error('pipeline.tracks must be an array');
+  if (p.tracks.length === 0) throw new Error('pipeline.tracks must be non-empty');
 
   // D14: Detect duplicate track IDs before per-track validation so the error
   // message is clear ("Duplicate track id") rather than a confusing DAG error
@@ -60,10 +64,16 @@ function assertValidId(id: string, label: string): void {
 }
 
 function validateRawTrack(track: RawTrackConfig): void {
+  if (!track || typeof track !== 'object' || Array.isArray(track)) {
+    throw new Error('track must be an object');
+  }
   if (!track.id) throw new Error('track.id is required');
   assertValidId(track.id, `track "${track.id}"`);
   if (!track.name) throw new Error(`track "${track.id}": name is required`);
-  if (!track.tasks || track.tasks.length === 0) {
+  if (!Array.isArray(track.tasks)) {
+    throw new Error(`track "${track.id}": tasks must be an array`);
+  }
+  if (track.tasks.length === 0) {
     throw new Error(`track "${track.id}": tasks must be non-empty`);
   }
   for (const task of track.tasks) {
@@ -72,6 +82,9 @@ function validateRawTrack(track: RawTrackConfig): void {
 }
 
 function validateRawTask(task: RawTaskConfig, trackId: string): void {
+  if (!task || typeof task !== 'object' || Array.isArray(task)) {
+    throw new Error(`track "${trackId}": task must be an object`);
+  }
   if (!task.id) throw new Error(`track "${trackId}": task.id is required`);
   assertValidId(task.id, `task "${task.id}" in track "${trackId}"`);
 
@@ -140,7 +153,7 @@ export function resolveConfig(raw: RawPipelineConfig, workDir: string): Pipeline
         model: rawTask.model ?? rawTrack.model ?? raw.model,
         reasoning_effort:
           rawTask.reasoning_effort ?? rawTrack.reasoning_effort ?? raw.reasoning_effort,
-        permissions: rawTask.permissions ?? rawTrack.permissions ?? DEFAULT_PERMISSIONS,
+        permissions: rawTask.permissions ?? rawTrack.permissions ?? raw.permissions ?? DEFAULT_PERMISSIONS,
         driver: rawTask.driver ?? trackDriver ?? 'opencode',
         timeout: rawTask.timeout,
         // Middleware: Task-level overrides Track (including [] to disable)
@@ -161,7 +174,7 @@ export function resolveConfig(raw: RawPipelineConfig, workDir: string): Pipeline
       agent_profile: rawTrack.agent_profile,
       model: rawTrack.model ?? raw.model,
       reasoning_effort: rawTrack.reasoning_effort ?? raw.reasoning_effort,
-      permissions: rawTrack.permissions ?? DEFAULT_PERMISSIONS,
+      permissions: rawTrack.permissions ?? raw.permissions ?? DEFAULT_PERMISSIONS,
       driver: trackDriver ?? 'opencode',
       cwd: trackCwd,
       middlewares: rawTrack.middlewares,
@@ -175,6 +188,7 @@ export function resolveConfig(raw: RawPipelineConfig, workDir: string): Pipeline
     driver: raw.driver,
     model: raw.model,
     reasoning_effort: raw.reasoning_effort,
+    permissions: raw.permissions,
     timeout: raw.timeout,
     plugins: raw.plugins,
     hooks: raw.hooks,
@@ -208,14 +222,32 @@ function stripDefaultTaskCompletion<T extends { completion?: CompletionConfig }>
   return rest as T;
 }
 
-function stripDefaultCompletionsForSerialization<T extends PipelineConfig | RawPipelineConfig>(
+// `continue_from` is a prompt-only field — it tells AI drivers with
+// session-resume capability to thread off an upstream prompt task's context.
+// A command task runs as a plain shell subprocess and has no session to
+// resume, so any `continue_from` on a command task is dead weight. Drop it
+// at serialization time so YAML on disk never carries the stale field after
+// a user toggles task mode from prompt → command. The tagma-yaml agent's
+// system prompt (apps/editor/server/opencode-seed.ts) documents this
+// stripping — keep them in sync.
+function stripPromptOnlyFieldsFromCommandTask<
+  T extends { command?: string; continue_from?: string },
+>(task: T): T {
+  if (task.command === undefined || task.continue_from === undefined) return task;
+  const { continue_from: _cf, ...rest } = task;
+  return rest as T;
+}
+
+function stripForSerialization<T extends PipelineConfig | RawPipelineConfig>(
   config: T,
 ): T {
   return {
     ...config,
     tracks: config.tracks.map((track) => ({
       ...track,
-      tasks: track.tasks.map((task) => stripDefaultTaskCompletion(task)),
+      tasks: track.tasks.map((task) =>
+        stripPromptOnlyFieldsFromCommandTask(stripDefaultTaskCompletion(task)),
+      ),
     })),
   } as T;
 }
@@ -228,7 +260,7 @@ function stripDefaultCompletionsForSerialization<T extends PipelineConfig | RawP
  */
 export function serializePipeline(config: PipelineConfig | RawPipelineConfig): string {
   return yaml.dump(
-    { pipeline: stripDefaultCompletionsForSerialization(config) },
+    { pipeline: stripForSerialization(config) },
     { lineWidth: 120, indent: 2 },
   );
 }
@@ -302,7 +334,7 @@ export function deresolvePipeline(config: PipelineConfig, workDir: string): RawP
       ...(track.on_failure && track.on_failure !== 'skip_downstream'
         ? { on_failure: track.on_failure }
         : {}),
-      ...(track.permissions && !permissionsEqual(track.permissions, DEFAULT_PERMISSIONS)
+      ...(track.permissions && !permissionsEqual(track.permissions, config.permissions ?? DEFAULT_PERMISSIONS)
         ? { permissions: track.permissions }
         : {}),
       tasks,
@@ -314,6 +346,9 @@ export function deresolvePipeline(config: PipelineConfig, workDir: string): RawP
     ...(config.driver ? { driver: config.driver } : {}),
     ...(config.model ? { model: config.model } : {}),
     ...(config.reasoning_effort ? { reasoning_effort: config.reasoning_effort } : {}),
+    ...(config.permissions && !permissionsEqual(config.permissions, DEFAULT_PERMISSIONS)
+      ? { permissions: config.permissions }
+      : {}),
     ...(config.timeout ? { timeout: config.timeout } : {}),
     ...(config.plugins?.length ? { plugins: config.plugins } : {}),
     ...(config.hooks ? { hooks: config.hooks } : {}),

package/src/task-ref.ts

@@ -68,6 +68,7 @@ export function buildTaskIndex(config: RawPipelineConfig | PipelineConfig): Task
   const bareToQualified = new Map<string, string>();
   for (const track of config.tracks ?? []) {
     if (!track?.id) continue;
+    if (!Array.isArray(track.tasks)) continue;
     for (const task of track.tasks ?? []) {
       if (!task?.id) continue;
       const qid = qualifyTaskId(track.id, task.id);

package/src/utils.test.ts

@@ -0,0 +1,28 @@
+import { describe, expect, test } from 'bun:test';
+import { mkdirSync, mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { validatePath } from './utils';
+
+describe('validatePath', () => {
+  test('rejects real parent traversal outside the project root', () => {
+    const root = mkdtempSync(join(tmpdir(), 'tagma-validate-path-'));
+    try {
+      expect(() => validatePath('../outside', root)).toThrow(/escapes project root/);
+    } finally {
+      rmSync(root, { recursive: true, force: true });
+    }
+  });
+
+  test('allows project-local names that merely start with two dots', () => {
+    const root = mkdtempSync(join(tmpdir(), 'tagma-validate-path-'));
+    try {
+      const inside = join(root, '..inside');
+      mkdirSync(inside);
+
+      expect(validatePath('..inside', root)).toBe(inside);
+    } finally {
+      rmSync(root, { recursive: true, force: true });
+    }
+  });
+});

package/src/utils.ts

@@ -1,4 +1,4 @@
-import { resolve, relative, parse as parsePath } from 'path';
+import { isAbsolute, resolve, relative, parse as parsePath, sep } from 'path';
 import { realpathSync, lstatSync, existsSync } from 'fs';
 import { randomBytes } from 'crypto';
 
@@ -38,7 +38,7 @@ export function validatePath(filePath: string, projectRoot: string): string {
   }
 
   const rel = relative(projectRoot, resolved);
-  if (rel.startsWith('..') || rel.startsWith('/')) {
+  if (rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
     throw new Error(
       `Security: path "${filePath}" escapes project root. ` +
         `All file references must be within "${projectRoot}".`,
@@ -83,7 +83,7 @@ export function validatePath(filePath: string, projectRoot: string): string {
       );
     }
     const realRel = relative(realRoot, real);
-    if (realRel.startsWith('..') || realRel.startsWith('/')) {
+    if (realRel === '..' || realRel.startsWith(`..${sep}`) || isAbsolute(realRel)) {
       throw new Error(
         `Security: path "${filePath}" resolves via symlink to "${real}" which escapes project root "${realRoot}".`,
       );

package/src/validate-raw.ts

@@ -32,6 +32,7 @@ function buildQidIndex(config: RawPipelineConfig): Map<string, QidEntry> {
   const idx = new Map<string, QidEntry>();
   for (const track of config.tracks ?? []) {
     if (!track.id) continue;
+    if (!Array.isArray(track.tasks)) continue;
     for (const task of track.tasks ?? []) {
       if (!task.id) continue;
       idx.set(qualifyTaskId(track.id, task.id), { track, task });
@@ -55,6 +56,7 @@ const isValidId = isValidTaskId;
 
 const VALID_ON_FAILURE = new Set(['skip_downstream', 'stop_all', 'ignore']);
 const VALID_REASONING_EFFORT = new Set(['low', 'medium', 'high']);
+const PERMISSION_FIELDS = ['read', 'write', 'execute'] as const;
 
 // Built-in plugin types always known to the SDK core, regardless of which
 // external plugin packages are installed. These MUST stay in sync with the
@@ -150,8 +152,13 @@ export function validateRaw(
       severity: 'warning',
     });
   }
+  validatePermissions(config.permissions, 'permissions', errors);
 
-  if (!config.tracks || config.tracks.length === 0) {
+  if (!Array.isArray(config.tracks)) {
+    errors.push({ path: 'tracks', message: 'pipeline.tracks must be an array' });
+    return errors;
+  }
+  if (config.tracks.length === 0) {
     errors.push({ path: 'tracks', message: 'At least one track is required' });
     return errors; // No point going further without tracks
   }
@@ -168,8 +175,13 @@ export function validateRaw(
   // ── Per-track validation ──
   const seenTrackIds = new Set<string>();
   for (let ti = 0; ti < config.tracks.length; ti++) {
-    const track = config.tracks[ti];
+    const maybeTrack = config.tracks[ti] as unknown;
     const trackPath = `tracks[${ti}]`;
+    if (!maybeTrack || typeof maybeTrack !== 'object' || Array.isArray(maybeTrack)) {
+      errors.push({ path: trackPath, message: `Track ${ti} must be an object` });
+      continue;
+    }
+    const track = maybeTrack as RawTrackConfig;
 
     if (!track.id?.trim()) {
       errors.push({ path: `${trackPath}.id`, message: 'Track id is required' });
@@ -205,6 +217,7 @@ export function validateRaw(
         severity: 'warning',
       });
     }
+    validatePermissions(track.permissions, `${trackPath}.permissions`, errors);
 
     // Track-level middlewares can reference a plugin that was uninstalled
     // after the YAML was written — surface a warning so the user notices
@@ -222,7 +235,14 @@ export function validateRaw(
       }
     }
 
-    if (!track.tasks || track.tasks.length === 0) {
+    if (!Array.isArray(track.tasks)) {
+      errors.push({
+        path: `${trackPath}.tasks`,
+        message: `Track "${track.id || ti}": tasks must be an array`,
+      });
+      continue;
+    }
+    if (track.tasks.length === 0) {
       errors.push({
         path: `${trackPath}.tasks`,
         message: `Track "${track.id || ti}": must have at least one task`,
@@ -302,6 +322,7 @@ export function validateRaw(
           severity: 'warning',
         });
       }
+      validatePermissions(task.permissions, `${taskPath}.permissions`, errors);
 
       // ── Plugin type warnings (trigger / completion / middlewares) ──
       // Only fire when the host supplied a `knownTypes` snapshot, so offline
@@ -374,7 +395,7 @@ export function validateRaw(
           });
         } else if (
           !task.depends_on ||
-          !task.depends_on.some((dep) => {
+          !task.depends_on.some((dep: string) => {
             const depResolved = resolveTaskRef(dep, track.id, index);
             return depResolved.kind === 'resolved' && depResolved.qid === resolved.qid;
           })
@@ -400,6 +421,32 @@ export function validateRaw(
   return errors;
 }
 
+function validatePermissions(
+  value: unknown,
+  basePath: string,
+  errors: ValidationError[],
+): void {
+  if (value === undefined) return;
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    errors.push({
+      path: basePath,
+      message: 'permissions must be an object with read/write/execute booleans',
+    });
+    return;
+  }
+  const p = value as Record<string, unknown>;
+  for (const field of PERMISSION_FIELDS) {
+    const path = `${basePath}.${field}`;
+    if (!(field in p)) {
+      errors.push({ path, message: `permissions.${field} is required` });
+      continue;
+    }
+    if (typeof p[field] !== 'boolean') {
+      errors.push({ path, message: `permissions.${field} must be a boolean` });
+    }
+  }
+}
+
 const VALID_PORT_TYPES: ReadonlySet<PortType> = new Set([
   'string',
   'number',
@@ -764,6 +811,7 @@ function detectCycles(config: RawPipelineConfig, index: TaskIndex): ValidationEr
 
   for (const track of config.tracks) {
     if (!track.id) continue;
+    if (!Array.isArray(track.tasks)) continue;
     for (const task of track.tasks ?? []) {
       if (!task.id) continue;
       const qid = qualifyTaskId(track.id, task.id);

package/src/yaml-compiler.test.ts

@@ -0,0 +1,108 @@
+import { describe, expect, test } from 'bun:test';
+import { compileYamlContent } from './yaml-compiler';
+
+describe('compileYamlContent', () => {
+  test('reports YAML syntax failures as parse errors', () => {
+    const result = compileYamlContent('pipeline:\n  name: [');
+
+    expect(result.parseOk).toBe(false);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toEqual([]);
+    expect(result.summary).toMatch(/^YAML parse error:/);
+  });
+
+  test('reports missing top-level pipeline as a validation error', () => {
+    const result = compileYamlContent('name: Missing Pipeline\n');
+
+    expect(result.parseOk).toBe(true);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toEqual([
+      { path: 'pipeline', message: 'Top-level "pipeline" key is required' },
+    ]);
+    expect(result.summary).toBe('Invalid: 1 error(s), 0 warning(s)');
+  });
+
+  test('reports non-array tracks as a validation error, not a parse failure', () => {
+    const result = compileYamlContent(`
+pipeline:
+  name: Bad
+  tracks:
+    id: not-an-array
+`);
+
+    expect(result.parseOk).toBe(true);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toEqual([
+      { path: 'tracks', message: 'pipeline.tracks must be an array' },
+    ]);
+  });
+
+  test('reports non-array task lists as validation errors, not validation crashes', () => {
+    const result = compileYamlContent(`
+pipeline:
+  name: Bad Tasks
+  tracks:
+    - id: t
+      name: T
+      tasks:
+        id: not-an-array
+`);
+
+    expect(result.parseOk).toBe(true);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toEqual([
+      { path: 'tracks[0].tasks', message: 'Track "t": tasks must be an array' },
+    ]);
+    expect(result.summary).not.toMatch(/Validation crashed/);
+  });
+
+  test('routes schema errors through validation when YAML syntax is valid', () => {
+    const result = compileYamlContent(`
+pipeline:
+  name: Missing Track Name
+  tracks:
+    - id: main
+      tasks:
+        - id: task
+          prompt: hello
+`);
+
+    expect(result.parseOk).toBe(true);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toContainEqual({
+      path: 'tracks[0].name',
+      message: 'Track name is required',
+    });
+  });
+
+  test('validates pipeline, track, and task permissions shape', () => {
+    const result = compileYamlContent(`
+pipeline:
+  name: Bad Permissions
+  permissions: { read: true, write: "yes", execute: false }
+  tracks:
+    - id: main
+      name: Main
+      permissions: { read: true, execute: false }
+      tasks:
+        - id: task
+          prompt: hello
+          permissions: nope
+`);
+
+    expect(result.parseOk).toBe(true);
+    expect(result.success).toBe(false);
+    expect(result.validation.errors).toContainEqual({
+      path: 'permissions.write',
+      message: 'permissions.write must be a boolean',
+    });
+    expect(result.validation.errors).toContainEqual({
+      path: 'tracks[0].permissions.write',
+      message: 'permissions.write is required',
+    });
+    expect(result.validation.errors).toContainEqual({
+      path: 'tracks[0].tasks[0].permissions',
+      message: 'permissions must be an object with read/write/execute booleans',
+    });
+  });
+});

package/src/yaml-compiler.ts

@@ -1,4 +1,4 @@
-import { parseYaml } from './schema';
+import yaml from 'js-yaml';
 import { validateRaw } from './validate-raw';
 import type { ValidationError, KnownPluginTypes } from './validate-raw';
 import type { RawPipelineConfig } from './types';
@@ -27,9 +27,9 @@ export function compileYamlContent(
   const timestamp = new Date().toISOString();
   const sourceName = opts.sourceName ?? 'untitled';
 
-  let config: RawPipelineConfig;
+  let doc: unknown;
   try {
-    config = parseYaml(content);
+    doc = yaml.load(content);
   } catch (err) {
     return {
       timestamp,
@@ -41,6 +41,12 @@ export function compileYamlContent(
     };
   }
 
+  const envelopeErrors = validateEnvelope(doc);
+  if (envelopeErrors.length > 0) {
+    return buildValidationResult(timestamp, sourceName, envelopeErrors);
+  }
+  const config = (doc as { pipeline: RawPipelineConfig }).pipeline;
+
   let errors: ValidationError[];
   try {
     errors = validateRaw(config, opts.knownTypes);
@@ -55,8 +61,29 @@ export function compileYamlContent(
     };
   }
 
-  const validationErrors = errors.filter((e) => e.severity === 'error' || e.severity == null);
-  const validationWarnings = errors.filter((e) => e.severity === 'warning');
+  return buildValidationResult(timestamp, sourceName, errors);
+}
+
+function validateEnvelope(doc: unknown): ValidationError[] {
+  if (!doc || typeof doc !== 'object' || Array.isArray(doc) || !('pipeline' in doc)) {
+    return [{ path: 'pipeline', message: 'Top-level "pipeline" key is required' }];
+  }
+  const pipeline = (doc as Record<string, unknown>).pipeline;
+  if (!pipeline || typeof pipeline !== 'object' || Array.isArray(pipeline)) {
+    return [{ path: 'pipeline', message: 'pipeline must be an object' }];
+  }
+  return [];
+}
+
+function buildValidationResult(
+  timestamp: string,
+  sourceName: string,
+  diagnostics: readonly ValidationError[],
+): YamlCompileResult {
+  const validationErrors = diagnostics.filter(
+    (e) => e.severity === 'error' || e.severity == null,
+  );
+  const validationWarnings = diagnostics.filter((e) => e.severity === 'warning');
 
   return {
     timestamp,