aact 2.1.5 → 3.0.0-beta.3

package/dist/shared/aact.CxegP3pU.mjs

@@ -0,0 +1,900 @@
+import * as v from 'valibot';
+import consola from 'consola';
+
+const getContainer = (m, name) => m.containers[name];
+const getBoundary = (m, name) => m.boundaries[name];
+const targetOf = (m, rel) => m.containers[rel.to];
+const allContainers = (m) => Object.values(m.containers);
+const allBoundaries = (m) => Object.values(m.boundaries);
+const walkBoundaries = function* (m) {
+  const visited = /* @__PURE__ */ new Set();
+  const visit = function* (name) {
+    if (visited.has(name)) return;
+    visited.add(name);
+    const b = m.boundaries[name];
+    if (!b) return;
+    yield b;
+    for (const child of b.boundaryNames) yield* visit(child);
+  };
+  for (const root of m.rootBoundaryNames) yield* visit(root);
+};
+
+const DEFAULT_API_TECHNOLOGIES = ["http", "grpc", "tcp"];
+const allRelations = (model) => allContainers(model).flatMap(
+  (container) => container.relations.map((relation) => ({ from: container, relation }))
+);
+const classifyRelation = (names, childNames, parentBoundary, from, relation, result, parentResult) => {
+  if (!names.has(from.name)) return;
+  if (names.has(relation.to)) {
+    result.cohesion++;
+    return;
+  }
+  const isInParentSibling = childNames?.has(relation.to) ?? false;
+  if (!parentBoundary || isInParentSibling) {
+    result.coupling++;
+    result.couplingRelations.push({ from: from.name, to: relation.to });
+    if (parentResult) parentResult.cohesion++;
+  } else if (parentResult) {
+    parentResult.coupling++;
+    parentResult.couplingRelations.push({
+      from: from.name,
+      to: relation.to
+    });
+  }
+};
+const buildBoundaryLookups = (model) => {
+  const boundaries = Object.values(model.boundaries);
+  const nameSets = new Map(
+    boundaries.map((b) => [b.name, new Set(b.containerNames)])
+  );
+  const parentMap = /* @__PURE__ */ new Map();
+  for (const b of boundaries) {
+    for (const childName of b.boundaryNames) {
+      const child = getBoundary(model, childName);
+      if (child) parentMap.set(child.name, b);
+    }
+  }
+  const result = /* @__PURE__ */ new Map();
+  for (const b of boundaries) {
+    const parentBoundary = parentMap.get(b.name);
+    let childNames;
+    if (parentBoundary) {
+      childNames = /* @__PURE__ */ new Set();
+      for (const siblingName of parentBoundary.boundaryNames) {
+        const sibling = getBoundary(model, siblingName);
+        if (sibling) {
+          for (const cName of sibling.containerNames) childNames.add(cName);
+        }
+      }
+    }
+    result.set(b.name, {
+      nameSet: nameSets.get(b.name),
+      childNames,
+      parentBoundary
+    });
+  }
+  return result;
+};
+const isSyncApiCall = (model, it, apiTechnologies) => {
+  if (it.relation.tags.includes("async")) return false;
+  const target = getContainer(model, it.relation.to);
+  if (target?.external === true && target.kind === "System") return true;
+  return apiTechnologies.some(
+    (t) => (it.relation.technology ?? "").toLowerCase().includes(t)
+  );
+};
+const analyzeModel = (model, options) => {
+  const apiTechnologies = options?.apiTechnologies ?? DEFAULT_API_TECHNOLOGIES;
+  const relations = allRelations(model);
+  const asyncApiCalls = relations.filter(
+    (it) => it.relation.tags.includes("async")
+  );
+  const syncApiCalls = relations.filter(
+    (it) => isSyncApiCall(model, it, apiTechnologies)
+  );
+  const lookups = buildBoundaryLookups(model);
+  const boundaryResults = /* @__PURE__ */ new Map();
+  for (const boundary of Object.values(model.boundaries)) {
+    boundaryResults.set(boundary.name, {
+      name: boundary.name,
+      label: boundary.label,
+      cohesion: 0,
+      coupling: 0,
+      couplingRelations: []
+    });
+  }
+  for (const boundary of Object.values(model.boundaries)) {
+    const { nameSet, childNames, parentBoundary } = lookups.get(boundary.name);
+    const result = boundaryResults.get(boundary.name);
+    const parentResult = parentBoundary ? boundaryResults.get(parentBoundary.name) : void 0;
+    for (const { from, relation } of relations) {
+      classifyRelation(
+        nameSet,
+        childNames,
+        parentBoundary,
+        from,
+        relation,
+        result,
+        parentResult
+      );
+    }
+  }
+  return {
+    elementsCount: allContainers(model).length,
+    syncApiCalls: syncApiCalls.length,
+    asyncApiCalls: asyncApiCalls.length,
+    databases: analyzeDatabases(model),
+    boundaries: [...boundaryResults.values()]
+  };
+};
+const analyzeDatabases = (model) => {
+  const dbNames = new Set(
+    allContainers(model).filter((it) => it.kind === "ContainerDb").map((it) => it.name)
+  );
+  let consumes = 0;
+  for (const container of allContainers(model)) {
+    for (const r of container.relations) {
+      if (dbNames.has(r.to)) consumes++;
+    }
+  }
+  return {
+    count: dbNames.size,
+    consumes
+  };
+};
+const analyzeArchitecture = (model, options) => ({
+  model,
+  report: analyzeModel(model, options)
+});
+
+const ruleOption = (entries) => v.optional(v.union([v.boolean(), v.strictObject(entries)]));
+const AactConfigSchema = v.strictObject({
+  source: v.union([
+    v.string(),
+    v.strictObject({
+      path: v.string(),
+      /** Optional — infer'ится из `path` через format registry `defaultPattern` если опущен. */
+      type: v.optional(v.string()),
+      /** Structurizr only: куда писать fix'ы (workspace.dsl). */
+      writePath: v.optional(v.string())
+    })
+  ]),
+  rules: v.optional(
+    v.looseObject({
+      acl: ruleOption({
+        tag: v.optional(v.string())
+      }),
+      acyclic: v.optional(v.boolean()),
+      apiGateway: ruleOption({
+        aclTag: v.optional(v.string()),
+        gatewayPattern: v.optional(v.instance(RegExp))
+      }),
+      crud: ruleOption({
+        repoTags: v.optional(v.array(v.string()))
+      }),
+      dbPerService: ruleOption({
+        ownerTags: v.optional(v.array(v.string()))
+      }),
+      cohesion: v.optional(v.boolean()),
+      stableDependencies: v.optional(v.boolean()),
+      commonReuse: v.optional(v.boolean())
+    })
+  ),
+  // RuleDefinition содержит function fields (check/fix) — valibot не валидирует
+  // shape глубже массива. Структурная проверка делается в check.ts на activation
+  // time (name/check required, conflict detection vs built-ins).
+  customRules: v.optional(v.array(v.any())),
+  generate: v.optional(
+    v.strictObject({
+      kubernetes: v.optional(
+        v.strictObject({
+          path: v.optional(v.string())
+        })
+      ),
+      boundaryLabel: v.optional(v.string())
+    })
+  )
+});
+const defineConfig = (config) => config;
+
+const formatLoaders = Object.freeze({
+  plantuml: () => import('../chunks/index.mjs').then((m) => m.plantumlFormat),
+  structurizr: () => import('../chunks/index2.mjs').then((m) => m.structurizrFormat),
+  kubernetes: () => import('../chunks/index3.mjs').then((m) => m.kubernetesFormat)
+});
+const loadFormat = async (name) => {
+  const loader = formatLoaders[name];
+  if (!loader) {
+    throw new Error(
+      `Unknown format "${name}". Known formats: ${Object.keys(formatLoaders).join(", ")}.`
+    );
+  }
+  return loader();
+};
+const knownFormatNames = () => Object.keys(formatLoaders);
+
+const canLoad = (f) => f.load !== void 0;
+const canGenerate = (f) => f.generate !== void 0;
+const canFix = (f) => f.fix !== void 0;
+
+const detectNamingConvention = (model) => {
+  const names = allContainers(model).map((c) => c.name);
+  if (names.length === 0) return "snake";
+  const withUnderscore = names.filter((n) => n.includes("_")).length;
+  const withHyphen = names.filter((n) => n.includes("-")).length;
+  const withCamel = names.filter((n) => /[a-z][A-Z]/.test(n)).length;
+  if (withHyphen > withUnderscore && withHyphen > withCamel) return "kebab";
+  if (withCamel > withUnderscore) return "camel";
+  return "snake";
+};
+const joinName = (base, word, convention) => {
+  switch (convention) {
+    case "camel": {
+      return base + word.charAt(0).toUpperCase() + word.slice(1);
+    }
+    case "kebab": {
+      return `${base}-${word}`;
+    }
+    default: {
+      return `${base}_${word}`;
+    }
+  }
+};
+
+const aclRule = {
+  name: "acl",
+  description: "Containers calling external systems must be tagged as ACL (Anti-corruption Layer)",
+  check(model, options) {
+    const tag = options?.tag ?? "acl";
+    const violations = [];
+    for (const container of allContainers(model)) {
+      const externalRelations = container.relations.filter(
+        (r) => targetOf(model, r)?.external === true
+      );
+      if (!container.tags.includes(tag) && externalRelations.length > 0) {
+        const names = externalRelations.map((r) => r.to).join(", ");
+        const label = externalRelations.length === 1 ? "system" : "systems";
+        violations.push({
+          container: container.name,
+          message: `calls external ${label} ${names} without an ACL layer`
+        });
+      }
+    }
+    return violations;
+  },
+  fix(model, violations, syntax, options) {
+    const tag = options?.tag ?? "acl";
+    const convention = detectNamingConvention(model);
+    const results = [];
+    for (const violation of violations) {
+      const container = model.containers[violation.container];
+      if (!container) continue;
+      const externalRels = container.relations.filter(
+        (r) => targetOf(model, r)?.external === true
+      );
+      if (externalRels.length === 0) continue;
+      const aclName = joinName(container.name, "acl", convention);
+      if (aclName in model.containers) {
+        consola.warn(
+          `fix acl: skipping ${container.name} \u2014 ${aclName} already exists`
+        );
+        continue;
+      }
+      results.push({
+        rule: "acl",
+        description: `Add ACL layer for ${container.name}`,
+        edits: [
+          {
+            type: "add",
+            search: syntax.containerPattern(container.name),
+            content: syntax.containerDecl(
+              aclName,
+              `${container.label} ACL`,
+              tag
+            )
+          },
+          {
+            type: "add",
+            search: syntax.containerPattern(aclName),
+            content: syntax.relationDecl(container.name, aclName)
+          },
+          ...externalRels.map((rel) => ({
+            type: "replace",
+            search: syntax.relationPattern(container.name, rel.to),
+            content: syntax.relationDecl(aclName, rel.to, rel.technology)
+          }))
+        ]
+      });
+    }
+    return results;
+  }
+};
+
+const acyclicRule = {
+  name: "acyclic",
+  description: "Dependency graph between containers must be acyclic (no cycles)",
+  check(model) {
+    const violations = [];
+    const findCycle = (fromName, target, visited) => {
+      const container = getContainer(model, fromName);
+      if (!container) return false;
+      for (const rel of container.relations) {
+        if (rel.to === target) return true;
+        if (visited.has(rel.to)) continue;
+        visited.add(rel.to);
+        if (findCycle(rel.to, target, visited)) return true;
+      }
+      return false;
+    };
+    for (const container of allContainers(model)) {
+      if (findCycle(container.name, container.name, /* @__PURE__ */ new Set())) {
+        violations.push({
+          container: container.name,
+          message: "participates in a dependency cycle"
+        });
+      }
+    }
+    return violations;
+  }
+};
+
+const apiGatewayRule = {
+  name: "apiGateway",
+  description: "ACL containers calling external systems must route through an API Gateway",
+  check(model, options) {
+    const aclTag = options?.aclTag ?? "acl";
+    const gatewayPattern = options?.gatewayPattern ?? /gateway/i;
+    const violations = [];
+    for (const container of allContainers(model)) {
+      if (!container.tags.includes(aclTag)) continue;
+      for (const rel of container.relations) {
+        if (targetOf(model, rel)?.external !== true) continue;
+        const techs = rel.technology?.split(", ") ?? [];
+        if (!techs.some((t) => gatewayPattern.test(t))) {
+          violations.push({
+            container: container.name,
+            message: `calls external "${rel.to}" without going through an API Gateway`
+          });
+        }
+      }
+    }
+    return violations;
+  }
+};
+
+const getBoundaryCohesion = (model, boundary) => {
+  const names = new Set(boundary.containerNames);
+  let result = 0;
+  for (const containerName of boundary.containerNames) {
+    const container = getContainer(model, containerName);
+    if (!container) continue;
+    result += container.relations.filter((r) => names.has(r.to)).length;
+  }
+  for (const innerName of boundary.boundaryNames) {
+    const inner = getBoundary(model, innerName);
+    if (inner) result += getBoundaryCoupling(model, inner);
+  }
+  return result;
+};
+const getBoundaryCoupling = (model, boundary) => {
+  const names = new Set(boundary.containerNames);
+  let result = 0;
+  for (const containerName of boundary.containerNames) {
+    const container = getContainer(model, containerName);
+    if (!container) continue;
+    result += container.relations.filter((r) => {
+      const target = getContainer(model, r.to);
+      return target && !target.external && !names.has(r.to);
+    }).length;
+  }
+  for (const innerName of boundary.boundaryNames) {
+    const inner = getBoundary(model, innerName);
+    if (!inner) continue;
+    for (const containerName of inner.containerNames) {
+      const container = getContainer(model, containerName);
+      if (!container) continue;
+      result += container.relations.filter(
+        (r) => getContainer(model, r.to)?.external === true
+      ).length;
+    }
+  }
+  return result;
+};
+const cohesionRule = {
+  name: "cohesion",
+  description: "Each boundary should be more cohesive than coupled; parent boundaries less cohesive than inner ones",
+  check(model) {
+    const violations = [];
+    for (const boundary of Object.values(model.boundaries)) {
+      const cohesion = getBoundaryCohesion(model, boundary);
+      const coupling = getBoundaryCoupling(model, boundary);
+      if (cohesion <= coupling) {
+        violations.push({
+          container: boundary.name,
+          message: `coupling (${coupling}) \u2265 cohesion (${cohesion}) \u2014 more cross-boundary dependencies than internal connections`
+        });
+      }
+      if (boundary.boundaryNames.length > 0) {
+        const innerCohesionSum = boundary.boundaryNames.reduce(
+          (sum, innerName) => {
+            const inner = getBoundary(model, innerName);
+            return sum + (inner ? getBoundaryCohesion(model, inner) : 0);
+          },
+          0
+        );
+        if (cohesion >= innerCohesionSum) {
+          violations.push({
+            container: boundary.name,
+            message: `parent cohesion (${cohesion}) \u2265 sum of inner cohesions (${innerCohesionSum}) \u2014 parent boundary should be less cohesive than its sub-boundaries`
+          });
+        }
+      }
+    }
+    return violations;
+  }
+};
+
+const buildBoundaryLookup = (model) => {
+  const map = /* @__PURE__ */ new Map();
+  for (const boundary of Object.values(model.boundaries)) {
+    for (const containerName of boundary.containerNames) {
+      map.set(containerName, boundary);
+    }
+  }
+  return map;
+};
+const collectPublicAndUsage = (model, boundaryOf) => {
+  const publicOf = /* @__PURE__ */ new Map();
+  const used = /* @__PURE__ */ new Map();
+  for (const source of allContainers(model)) {
+    const srcBoundary = boundaryOf.get(source.name);
+    if (!srcBoundary) continue;
+    for (const rel of source.relations) {
+      const tgtBoundary = boundaryOf.get(rel.to);
+      if (!tgtBoundary || tgtBoundary === srcBoundary) continue;
+      let pub = publicOf.get(tgtBoundary);
+      if (!pub) {
+        pub = /* @__PURE__ */ new Set();
+        publicOf.set(tgtBoundary, pub);
+      }
+      pub.add(rel.to);
+      const key = `${srcBoundary.name}\0${tgtBoundary.name}`;
+      let u = used.get(key);
+      if (!u) {
+        u = /* @__PURE__ */ new Set();
+        used.set(key, u);
+      }
+      u.add(rel.to);
+    }
+  }
+  return { publicOf, used };
+};
+const commonReuseRule = {
+  name: "commonReuse",
+  description: "Consumers using part of a boundary's public surface should use all of it",
+  check(model) {
+    const boundaryOf = buildBoundaryLookup(model);
+    const { publicOf, used } = collectPublicAndUsage(model, boundaryOf);
+    const violations = [];
+    for (const [provider, pubNames] of publicOf) {
+      if (pubNames.size < 2) continue;
+      for (const consumer of Object.values(model.boundaries)) {
+        if (consumer === provider) continue;
+        const key = `${consumer.name}\0${provider.name}`;
+        const usedNames = used.get(key);
+        if (!usedNames || usedNames.size >= pubNames.size) continue;
+        const missing = [...pubNames].filter((n) => !usedNames.has(n));
+        violations.push({
+          container: consumer.name,
+          message: `uses ${[...usedNames].join(", ")} of "${provider.name}" but not ${missing.join(", ")} \u2014 all public services of a context should be used together`
+        });
+      }
+    }
+    return violations;
+  }
+};
+
+const buildContainerBoundaryMap = (model) => {
+  const map = /* @__PURE__ */ new Map();
+  for (const boundary of Object.values(model.boundaries)) {
+    for (const containerName of boundary.containerNames) {
+      map.set(containerName, boundary);
+    }
+  }
+  return map;
+};
+const findPublicApiCandidate = (targetBoundary, ownerTags, model, containerBoundaryMap) => {
+  const candidates = targetBoundary.containerNames.map((name) => getContainer(model, name)).filter((c) => c !== void 0).filter(
+    (c) => c.kind !== "ContainerDb" && !ownerTags.some((t) => c.tags.includes(t))
+  );
+  if (candidates.length === 0) return void 0;
+  if (candidates.length === 1) return candidates[0];
+  const candidateNames = new Set(candidates.map((c) => c.name));
+  const inDegree = new Map(candidates.map((c) => [c.name, 0]));
+  for (const container of allContainers(model)) {
+    if (containerBoundaryMap.get(container.name) === targetBoundary) continue;
+    for (const rel of container.relations) {
+      if (candidateNames.has(rel.to)) {
+        inDegree.set(rel.to, (inDegree.get(rel.to) ?? 0) + 1);
+      }
+    }
+  }
+  return candidates.toSorted(
+    (a, b) => (inDegree.get(b.name) ?? 0) - (inDegree.get(a.name) ?? 0)
+  )[0];
+};
+const resolveRedirectTarget = (accessor, db, owner, ownerTags, model, containerBoundaryMap, ruleName) => {
+  const accessorBoundary = containerBoundaryMap.get(accessor.name);
+  const dbBoundary = containerBoundaryMap.get(db.name);
+  const isCrossBoundary = accessorBoundary !== void 0 && dbBoundary !== void 0 && accessorBoundary !== dbBoundary;
+  if (!isCrossBoundary) return owner;
+  const publicApi = findPublicApiCandidate(
+    dbBoundary,
+    ownerTags,
+    model,
+    containerBoundaryMap
+  );
+  if (!publicApi) {
+    consola.warn(
+      `fix ${ruleName}: boundary "${dbBoundary.name}" has no public API \u2014 cannot auto-redirect "${accessor.name}" away from "${db.name}", fix manually`
+    );
+    return void 0;
+  }
+  if (publicApi === owner) {
+    consola.warn(
+      `fix ${ruleName}: the only public API candidate in "${dbBoundary.name}" is the repo owner \u2014 cross-boundary access from "${accessor.name}" requires manual review`
+    );
+    return void 0;
+  }
+  return publicApi;
+};
+
+const DEFAULT_REPO_TAGS = ["repo", "relay"];
+const stripDbWord = (name) => {
+  const lower = name.toLowerCase();
+  for (const suffix of [
+    "_database",
+    "-database",
+    "database",
+    "_db",
+    "-db",
+    "db"
+  ]) {
+    if (lower.endsWith(suffix)) return name.slice(0, -suffix.length);
+  }
+  return name;
+};
+const deriveRepoName = (dbName, convention) => {
+  const base = stripDbWord(dbName);
+  return joinName(base || dbName, "repo", convention);
+};
+const deriveRepoLabel = (dbName) => {
+  const base = stripDbWord(dbName);
+  const word = base || dbName;
+  return word.charAt(0).toUpperCase() + word.slice(1).replaceAll("_", " ") + " Repo";
+};
+const fixNonRepoAccessesDb = (accessor, model, syntax, ownerTags, convention) => {
+  const dbRels = accessor.relations.filter(
+    (r) => targetOf(model, r)?.kind === "ContainerDb"
+  );
+  const containerBoundaryMap = buildContainerBoundaryMap(model);
+  const edits = dbRels.flatMap((rel) => {
+    const db = targetOf(model, rel);
+    if (!db) return [];
+    const existingRepo = allContainers(model).find(
+      (c) => c !== accessor && c.relations.some((r) => r.to === db.name) && ownerTags.some((t) => c.tags.includes(t))
+    );
+    if (existingRepo) {
+      const redirectTarget = resolveRedirectTarget(
+        accessor,
+        db,
+        existingRepo,
+        ownerTags,
+        model,
+        containerBoundaryMap,
+        "crud"
+      );
+      if (!redirectTarget) return [];
+      return [
+        {
+          type: "replace",
+          search: syntax.relationPattern(accessor.name, db.name),
+          content: syntax.relationDecl(
+            accessor.name,
+            redirectTarget.name,
+            rel.technology
+          )
+        }
+      ];
+    }
+    const accessorBoundary = containerBoundaryMap.get(accessor.name);
+    const dbBoundary = containerBoundaryMap.get(db.name);
+    if (accessorBoundary !== void 0 && dbBoundary !== void 0 && accessorBoundary !== dbBoundary) {
+      consola.warn(
+        `fix crud: "${accessor.name}" accesses "${db.name}" cross-boundary with no existing repo \u2014 fix manually`
+      );
+      return [];
+    }
+    const repoName = deriveRepoName(db.name, convention);
+    if (repoName in model.containers) {
+      consola.warn(
+        `fix crud: cannot create repo for "${db.name}" \u2014 "${repoName}" already exists`
+      );
+      return [];
+    }
+    return [
+      {
+        type: "add",
+        search: syntax.containerPattern(db.name),
+        content: syntax.containerDecl(
+          repoName,
+          deriveRepoLabel(db.name),
+          ownerTags[0] ?? "repo"
+        )
+      },
+      {
+        type: "add",
+        search: syntax.containerPattern(repoName),
+        content: syntax.relationDecl(repoName, db.name, rel.technology)
+      },
+      {
+        type: "replace",
+        search: syntax.relationPattern(accessor.name, db.name),
+        content: syntax.relationDecl(accessor.name, repoName, rel.technology)
+      }
+    ];
+  });
+  if (edits.length === 0) return void 0;
+  return {
+    rule: "crud",
+    description: `Add repo intermediary for ${accessor.name} \u2192 ${dbRels.map((r) => r.to).join(", ")}`,
+    edits
+  };
+};
+const fixRepoWithNonDbDeps = (repo, model, syntax) => {
+  const nonDbRels = repo.relations.filter(
+    (r) => targetOf(model, r)?.kind !== "ContainerDb"
+  );
+  if (nonDbRels.length === 0) return void 0;
+  return {
+    rule: "crud",
+    description: `Remove non-database dependencies from repo ${repo.name}`,
+    edits: nonDbRels.map((rel) => ({
+      type: "remove",
+      search: syntax.relationPattern(repo.name, rel.to)
+    }))
+  };
+};
+const crudRule = {
+  name: "crud",
+  description: "Direct database access only through repo/relay containers; repos must access databases only",
+  check(model, options) {
+    const repoTags = options?.repoTags ?? DEFAULT_REPO_TAGS;
+    const violations = [];
+    for (const container of allContainers(model)) {
+      const dbRelations = container.relations.filter(
+        (r) => targetOf(model, r)?.kind === "ContainerDb"
+      );
+      const isRepo = repoTags.some((tag) => container.tags.includes(tag));
+      if (!isRepo && dbRelations.length > 0) {
+        violations.push({
+          container: container.name,
+          message: `directly accesses database ${dbRelations.map((r) => r.to).join(", ")} \u2014 add a repo or relay`
+        });
+      }
+      if (isRepo && container.relations.some(
+        (r) => targetOf(model, r)?.kind !== "ContainerDb"
+      )) {
+        const nonDbTargets = container.relations.filter((r) => targetOf(model, r)?.kind !== "ContainerDb").map((r) => r.to).join(", ");
+        violations.push({
+          container: container.name,
+          message: `repo has non-database dependencies: ${nonDbTargets} \u2014 repos should only access databases`
+        });
+      }
+    }
+    return violations;
+  },
+  fix(model, violations, syntax, options) {
+    const ownerTags = options?.repoTags ?? DEFAULT_REPO_TAGS;
+    const convention = detectNamingConvention(model);
+    const results = [];
+    for (const violation of violations) {
+      const container = model.containers[violation.container];
+      if (!container) continue;
+      const isRepo = ownerTags.some((t) => container.tags.includes(t));
+      const fix = isRepo ? fixRepoWithNonDbDeps(container, model, syntax) : fixNonRepoAccessesDb(container, model, syntax, ownerTags, convention);
+      if (fix) results.push(fix);
+    }
+    return results;
+  }
+};
+
+const DEFAULT_OWNER_TAGS = ["repo", "relay"];
+const resolveOwner = (dbName, accessors, ownerTags) => {
+  const tagged = accessors.filter(
+    (c) => c.tags.some((t) => ownerTags.includes(t))
+  );
+  if (tagged.length === 0) {
+    consola.warn(
+      `Cannot determine owner of ${dbName}: no ${ownerTags.join("/")} tagged accessor found, using ${accessors[0].name}`
+    );
+    return accessors[0];
+  }
+  if (tagged.length > 1) {
+    consola.warn(
+      `Cannot determine owner of ${dbName}: multiple tagged accessors (${tagged.map((c) => c.name).join(", ")}), using ${tagged[0].name}`
+    );
+  }
+  return tagged[0];
+};
+const dbPerServiceRule = {
+  name: "dbPerService",
+  description: "Each database container must have a single owner (one repo/relay per DB)",
+  check(model) {
+    const violations = [];
+    const dbAccessMap = /* @__PURE__ */ new Map();
+    for (const container of allContainers(model)) {
+      for (const rel of container.relations) {
+        if (targetOf(model, rel)?.kind === "ContainerDb") {
+          const accessors = dbAccessMap.get(rel.to) ?? [];
+          accessors.push(container.name);
+          dbAccessMap.set(rel.to, accessors);
+        }
+      }
+    }
+    for (const [db, accessors] of dbAccessMap) {
+      if (accessors.length > 1) {
+        violations.push({
+          container: db,
+          message: `shared between ${accessors.join(", ")} \u2014 each database should have a single owner`
+        });
+      }
+    }
+    return violations;
+  },
+  fix(model, violations, syntax, options) {
+    const ownerTags = options?.ownerTags ?? DEFAULT_OWNER_TAGS;
+    const containerBoundaryMap = buildContainerBoundaryMap(model);
+    const results = [];
+    for (const violation of violations) {
+      const db = allContainers(model).find(
+        (c) => c.name === violation.container && c.kind === "ContainerDb"
+      );
+      if (!db) continue;
+      const accessors = allContainers(model).filter(
+        (c) => c.relations.some((r) => r.to === db.name)
+      );
+      if (accessors.length <= 1) continue;
+      const owner = resolveOwner(db.name, accessors, ownerTags);
+      const edits = accessors.filter((c) => c !== owner).flatMap((accessor) => {
+        const rel = accessor.relations.find((r) => r.to === db.name);
+        const redirectTarget = resolveRedirectTarget(
+          accessor,
+          db,
+          owner,
+          ownerTags,
+          model,
+          containerBoundaryMap,
+          "dbPerService"
+        );
+        if (!redirectTarget) return [];
+        const tags = rel.tags.length > 0 ? rel.tags.join("+") : void 0;
+        return [
+          {
+            type: "replace",
+            search: syntax.relationPattern(accessor.name, db.name),
+            content: syntax.relationDecl(
+              accessor.name,
+              redirectTarget.name,
+              rel.technology ?? "",
+              tags
+            )
+          }
+        ];
+      });
+      if (edits.length === 0) continue;
+      results.push({
+        rule: "dbPerService",
+        description: `Redirect access to ${db.name} through ${owner.name}`,
+        edits
+      });
+    }
+    return results;
+  }
+};
+
+const applyIndent = (content, indent) => content.split("\n").map((line) => line.trim() ? indent + line : line).join("\n");
+const applyEdits = (source, edits) => {
+  const lines = source.split("\n");
+  for (const edit of edits) {
+    const idx = lines.findIndex((line) => line.includes(edit.search));
+    if (idx === -1) {
+      consola.warn(`fix: pattern not found in source \u2014 "${edit.search}"`);
+      continue;
+    }
+    const matchCount = lines.filter(
+      (line) => line.includes(edit.search)
+    ).length;
+    if (matchCount > 1) {
+      consola.warn(
+        `fix: ambiguous pattern "${edit.search}" matches ${matchCount} lines, using first`
+      );
+    }
+    const indent = /^(\s*)/.exec(lines[idx])[1];
+    switch (edit.type) {
+      case "remove": {
+        lines.splice(idx, 1);
+        break;
+      }
+      case "replace": {
+        lines[idx] = applyIndent(edit.content ?? "", indent);
+        break;
+      }
+      case "add": {
+        lines.splice(idx + 1, 0, applyIndent(edit.content ?? "", indent));
+        break;
+      }
+    }
+  }
+  return lines.join("\n");
+};
+
+const computeCoupling = (internal, internalNames) => {
+  const ca = /* @__PURE__ */ new Map();
+  const ce = /* @__PURE__ */ new Map();
+  for (const c of internal) {
+    ca.set(c.name, 0);
+    ce.set(c.name, 0);
+  }
+  for (const c of internal) {
+    for (const rel of c.relations) {
+      if (!internalNames.has(rel.to)) continue;
+      ce.set(c.name, ce.get(c.name) + 1);
+      ca.set(rel.to, ca.get(rel.to) + 1);
+    }
+  }
+  return { ca, ce };
+};
+const stableDependenciesRule = {
+  name: "stableDependencies",
+  description: "Dependencies should point toward more stable containers (instability calculation)",
+  check(model) {
+    const violations = [];
+    const internal = allContainers(model).filter((c) => !c.external);
+    const internalNames = new Set(internal.map((c) => c.name));
+    const { ca, ce } = computeCoupling(internal, internalNames);
+    const instability = (name) => {
+      const afferent = ca.get(name);
+      const efferent = ce.get(name);
+      if (afferent + efferent === 0) return 1;
+      return efferent / (afferent + efferent);
+    };
+    for (const c of internal) {
+      for (const rel of c.relations) {
+        if (!internalNames.has(rel.to)) continue;
+        const iSource = instability(c.name);
+        const iTarget = instability(rel.to);
+        if (iSource < iTarget) {
+          violations.push({
+            container: c.name,
+            message: `stable module (I=${iSource.toFixed(2)}) depends on less stable "${rel.to}" (I=${iTarget.toFixed(2)}) \u2014 dependencies should point toward stability`
+          });
+        }
+      }
+    }
+    return violations;
+  }
+};
+
+const ruleRegistry = [
+  aclRule,
+  acyclicRule,
+  apiGatewayRule,
+  crudRule,
+  dbPerServiceRule,
+  cohesionRule,
+  stableDependenciesRule,
+  commonReuseRule
+];
+
+export { AactConfigSchema as A, aclRule as a, acyclicRule as b, allBoundaries as c, allContainers as d, analyzeArchitecture as e, apiGatewayRule as f, applyEdits as g, canFix as h, canGenerate as i, canLoad as j, cohesionRule as k, commonReuseRule as l, crudRule as m, dbPerServiceRule as n, defineConfig as o, getBoundary as p, getContainer as q, knownFormatNames as r, loadFormat as s, ruleRegistry as t, stableDependenciesRule as u, targetOf as v, walkBoundaries as w };