aws-iam-language-server 0.0.10 → 0.0.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aws-iam-language-server",
-  "version": "0.0.10",
+  "version": "0.0.11",
   "type": "module",
   "bin": "./src/server.js",
   "publisher": "MichaelBarney",

package/readme.md

@@ -58,3 +58,14 @@ This language server provides completion on:
 - resources (progressive arn component suggestions, full arn completions for action-specific arns)
 - condition operators (`StringLike`, `ForAnyValue:*`, etc)
 - condition keys (global keys like `aws:RequestTag/${TagKey}`, action-specific keys like `s3:TlsVersion`)
+
+### Diagnostics
+
+This language server will provide diagnostics for some IAM policy issues, including:
+
+- no extra policy document keys are specified
+- no missing keys in a statement, (effect, action, resource or effect, action, principal)
+- no duplicate keys in a statement (including "not" variants like action/not action)
+- ensuring `Sid` uniqueness within a policy document
+- effect has a valid value
+- defined actions are valid, or wildcards resolve to valid actions

package/src/handlers/diagnostics/action.d.ts

@@ -0,0 +1,6 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class ActionValidator extends ElementValidator {
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/action.js

@@ -0,0 +1,14 @@
+import { expandActionPattern } from "../../lib/iam-policy/wildcard.js";
+import { ElementValidator } from "./base.js";
+import { createDiagnostic } from "./utils.js";
+export class ActionValidator extends ElementValidator {
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        for (const value of entry.values) {
+            if (expandActionPattern(value.text).length === 0) {
+                diagnostics.push(createDiagnostic(`Unrecognized action "${value.text}"`, value.range));
+            }
+        }
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/base.d.ts

@@ -0,0 +1,9 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+export declare class ElementValidator {
+    #private;
+    constructor();
+    validate(entry: StatementEntry): Array<Diagnostic>;
+    isValidated(): boolean;
+    resetForStatement(): void;
+}

package/src/handlers/diagnostics/base.js

@@ -0,0 +1,21 @@
+import { createDiagnostic } from "./utils.js";
+export class ElementValidator {
+    #validated;
+    constructor() {
+        this.#validated = false;
+    }
+    validate(entry) {
+        const diagnostics = [];
+        if (this.#validated) {
+            diagnostics.push(createDiagnostic('duplicate statement key', entry.keyRange));
+        }
+        this.#validated = true;
+        return diagnostics;
+    }
+    isValidated() {
+        return this.#validated;
+    }
+    resetForStatement() {
+        this.#validated = false;
+    }
+}

package/src/handlers/diagnostics/condition.d.ts

@@ -0,0 +1,6 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class ConditionValidator extends ElementValidator {
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/condition.js

@@ -0,0 +1,7 @@
+import { ElementValidator } from "./base.js";
+export class ConditionValidator extends ElementValidator {
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/diagnostics.d.ts

@@ -0,0 +1,4 @@
+import type { Connection } from 'vscode-languageserver';
+import type { TextDocument } from 'vscode-languageserver-textdocument';
+import type { TreeManager } from '../../lib/treesitter/manager.ts';
+export declare function diagnosticsHandler(document: TextDocument, treeManager: TreeManager, connection: Connection): Promise<void>;

package/src/handlers/diagnostics/diagnostics.js

@@ -0,0 +1,121 @@
+import { ActionValidator } from "./action.js";
+import { ConditionValidator } from "./condition.js";
+import { EffectValidator } from "./effect.js";
+import { PrincipalValidator } from "./principal.js";
+import { ResourceValidator } from "./resource.js";
+import { SidValidator } from "./sid.js";
+import { createDiagnostic } from "./utils.js";
+export async function diagnosticsHandler(document, treeManager, connection) {
+    const handler = treeManager.getLanguageHandler(document.uri);
+    if (!handler)
+        return;
+    let diagnostics = [];
+    const policyDocuments = handler.getAllPolicyDocuments(document.uri);
+    for (const policyDocument of policyDocuments) {
+        if (policyDocument.policyFormat === 'standard') {
+            diagnostics = diagnostics.concat(await handleStandardDiagnostics(policyDocument));
+        }
+        else if (policyDocument.policyFormat === 'hcl-block') {
+            diagnostics = diagnostics.concat(await handleHclBlockDiagnostics(policyDocument));
+        }
+    }
+    connection.console.log(`Publishing diagnostics for uri: ${document.uri}: ${policyDocuments.length} policy documents, ${diagnostics.length} diagnostics`);
+    await connection.sendDiagnostics({
+        uri: document.uri,
+        diagnostics,
+    });
+}
+async function handleStandardDiagnostics(policyDocument) {
+    let diagnostics = [];
+    const sidValidator = new SidValidator();
+    const effectValidator = new EffectValidator();
+    const principalValidator = new PrincipalValidator();
+    const actionValidator = new ActionValidator();
+    const resourceValidator = new ResourceValidator();
+    const conditionValidator = new ConditionValidator();
+    for (const statement of policyDocument.statements) {
+        for (const entry of statement.entries) {
+            if (entry.key === 'Sid') {
+                diagnostics = diagnostics.concat(sidValidator.validate(entry));
+            }
+            else if (entry.key === 'Effect') {
+                diagnostics = diagnostics.concat(effectValidator.validate(entry));
+            }
+            else if (entry.key === 'Principal' || entry.key === 'NotPrincipal') {
+                diagnostics = diagnostics.concat(principalValidator.validate(entry));
+            }
+            else if (entry.key === 'Action' || entry.key === 'NotAction') {
+                diagnostics = diagnostics.concat(actionValidator.validate(entry));
+            }
+            else if (entry.key === 'Resource' || entry.key === 'NotResource') {
+                diagnostics = diagnostics.concat(resourceValidator.validate(entry));
+            }
+            else if (entry.key === 'Condition') {
+                diagnostics = diagnostics.concat(conditionValidator.validate(entry));
+            }
+            else {
+                diagnostics.push(createDiagnostic(`Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
+            }
+        }
+        if (!effectValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "Effect" entry in statement`, statement.range));
+        }
+        if (!actionValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "Action" or "NotAction" entry in statement`, statement.range));
+        }
+        if (!resourceValidator.isValidated() && !principalValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "Resource"/"NotResource" or "Principal"/"NotPrincipal" entry in statement`, statement.range));
+        }
+        [sidValidator, effectValidator, principalValidator, actionValidator, resourceValidator, conditionValidator].forEach((x) => {
+            x.resetForStatement();
+        });
+    }
+    return diagnostics;
+}
+async function handleHclBlockDiagnostics(policyDocument) {
+    let diagnostics = [];
+    const sidValidator = new SidValidator();
+    const effectValidator = new EffectValidator();
+    const principalValidator = new PrincipalValidator();
+    const actionValidator = new ActionValidator();
+    const resourceValidator = new ResourceValidator();
+    const conditionValidator = new ConditionValidator();
+    for (const statement of policyDocument.statements) {
+        for (const entry of statement.entries) {
+            if (entry.key === 'sid') {
+                diagnostics = diagnostics.concat(sidValidator.validate(entry));
+            }
+            else if (entry.key === 'effect') {
+                diagnostics = diagnostics.concat(effectValidator.validate(entry));
+            }
+            else if (entry.key === 'principals' || entry.key === 'not_principals') {
+                diagnostics = diagnostics.concat(principalValidator.validate(entry));
+            }
+            else if (entry.key === 'actions' || entry.key === 'not_actions') {
+                diagnostics = diagnostics.concat(actionValidator.validate(entry));
+            }
+            else if (entry.key === 'resources' || entry.key === 'not_resources') {
+                diagnostics = diagnostics.concat(resourceValidator.validate(entry));
+            }
+            else if (entry.key === 'condition') {
+                diagnostics = diagnostics.concat(conditionValidator.validate(entry));
+            }
+            else {
+                diagnostics.push(createDiagnostic(`Unrecognized entry "${entry.key}" in statement`, entry.keyRange));
+            }
+        }
+        if (!effectValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "effect" entry in statement`, statement.range));
+        }
+        if (!actionValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "actions" or "not_actions" entry in statement`, statement.range));
+        }
+        if (!resourceValidator.isValidated() && !principalValidator.isValidated()) {
+            diagnostics.push(createDiagnostic(`Missing required "resources"/"not_resources" or "principals"/"not_principals" entry in statement`, statement.range));
+        }
+        [sidValidator, effectValidator, principalValidator, actionValidator, resourceValidator, conditionValidator].forEach((x) => {
+            x.resetForStatement();
+        });
+    }
+    return diagnostics;
+}

package/src/handlers/diagnostics/effect.d.ts

@@ -0,0 +1,6 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class EffectValidator extends ElementValidator {
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/effect.js

@@ -0,0 +1,12 @@
+import { ElementValidator } from "./base.js";
+import { createDiagnostic } from "./utils.js";
+export class EffectValidator extends ElementValidator {
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        const value = entry.values[0]?.text;
+        if (value !== 'Allow' && value !== 'Deny') {
+            diagnostics.push(createDiagnostic(`effect value must be either "Allow" or "Deny"`, entry.valueRange));
+        }
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/principal.d.ts

@@ -0,0 +1,6 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class PrincipalValidator extends ElementValidator {
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/principal.js

@@ -0,0 +1,7 @@
+import { ElementValidator } from "./base.js";
+export class PrincipalValidator extends ElementValidator {
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/resource.d.ts

@@ -0,0 +1,6 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class ResourceValidator extends ElementValidator {
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/resource.js

@@ -0,0 +1,7 @@
+import { ElementValidator } from "./base.js";
+export class ResourceValidator extends ElementValidator {
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/sid.d.ts

@@ -0,0 +1,8 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { StatementEntry } from '../../lib/treesitter/base.ts';
+import { ElementValidator } from './base.ts';
+export declare class SidValidator extends ElementValidator {
+    #private;
+    constructor();
+    validate(entry: StatementEntry): Array<Diagnostic>;
+}

package/src/handlers/diagnostics/sid.js

@@ -0,0 +1,21 @@
+import { ElementValidator } from "./base.js";
+import { createDiagnostic } from "./utils.js";
+export class SidValidator extends ElementValidator {
+    #sids = {};
+    constructor() {
+        super();
+        this.#sids = {};
+    }
+    validate(entry) {
+        const diagnostics = super.validate(entry);
+        const sidValue = entry.values[0]?.text;
+        if (!sidValue)
+            return [];
+        if (sidValue in this.#sids) {
+            diagnostics.push(createDiagnostic(`Duplicate statement id value "${sidValue}"`, entry.valueRange));
+            diagnostics.push(createDiagnostic(`Duplicate statement id value "${sidValue}"`, this.#sids[sidValue].valueRange));
+        }
+        this.#sids[sidValue] = entry;
+        return diagnostics;
+    }
+}

package/src/handlers/diagnostics/utils.d.ts

@@ -0,0 +1,3 @@
+import type { Diagnostic } from 'vscode-languageclient';
+import type { Range } from '../../lib/treesitter/base.ts';
+export declare function createDiagnostic(message: string, range: Range): Diagnostic;

package/src/handlers/diagnostics/utils.js

@@ -0,0 +1,19 @@
+export function createDiagnostic(message, range) {
+    return {
+        source: 'aws-iam-language-server',
+        message,
+        range: convertRangeToDiagnosticRange(range),
+    };
+}
+function convertRangeToDiagnosticRange(range) {
+    return {
+        start: {
+            character: range.start.column,
+            line: range.start.line,
+        },
+        end: {
+            character: range.end.column,
+            line: range.end.line,
+        },
+    };
+}

package/src/handlers/document-link/document-link.d.ts

@@ -1,4 +1,4 @@
 import type { Connection, DocumentLink, DocumentLinkParams, TextDocuments } from 'vscode-languageserver';
 import type { TextDocument } from 'vscode-languageserver-textdocument';
 import type { TreeManager } from '../../lib/treesitter/manager.ts';
-export declare function documentLinkHandler(params: DocumentLinkParams, documents: TextDocuments<TextDocument>, _treeManager: TreeManager, connection: Connection): DocumentLink[];
+export declare function documentLinkHandler(params: DocumentLinkParams, documents: TextDocuments<TextDocument>, treeManager: TreeManager, connection: Connection): DocumentLink[];

package/src/handlers/document-link/document-link.js

@@ -1,35 +1,45 @@
 import { ServiceReference } from "../../lib/iam-policy/reference/services.js";
-export function documentLinkHandler(params, documents, _treeManager, connection) {
+export function documentLinkHandler(params, documents, treeManager, connection) {
     const document = documents.get(params.textDocument.uri);
     if (!document)
         return [];
-    const text = document.getText();
+    const handler = treeManager.getLanguageHandler(params.textDocument.uri);
+    if (!handler)
+        return [];
+    const policyDocuments = handler.getAllPolicyDocuments(params.textDocument.uri);
     const links = [];
-    const actionSet = new Set(ServiceReference.getAllActions().map((a) => a.toLowerCase()));
-    const pattern = /[a-z0-9-]+:[A-Za-z0-9*?]+/g;
-    for (const match of text.matchAll(pattern)) {
-        if (!actionSet.has(match[0].toLowerCase()))
-            continue;
-        const [serviceName, actionName] = match[0].split(':');
-        const action = ServiceReference.getAction(serviceName, actionName);
-        if (!action)
-            continue;
-        const index = match.index ?? 0;
-        const start = document.positionAt(index);
-        const end = document.positionAt(index + match[0].length);
-        if (action.iamUrl) {
-            links.push({
-                range: { start, end },
-                target: action.iamUrl,
-                tooltip: 'IAM Actions, Conditions, and Context Keys',
-            });
-        }
-        if (action.operationUrl) {
-            links.push({
-                range: { start, end },
-                target: action.operationUrl,
-                tooltip: 'API Operation Documentation',
-            });
+    for (const policyDoc of policyDocuments) {
+        const actionKeys = policyDoc.policyFormat === 'hcl-block' ? new Set(['actions', 'not_actions']) : new Set(['Action', 'NotAction']);
+        for (const statement of policyDoc.statements) {
+            for (const entry of statement.entries) {
+                if (!actionKeys.has(entry.key))
+                    continue;
+                for (const value of entry.values) {
+                    const colonIndex = value.text.indexOf(':');
+                    if (colonIndex === -1)
+                        continue;
+                    const action = ServiceReference.getAction(value.text);
+                    if (!action)
+                        continue;
+                    const start = { line: value.range.start.line, character: value.range.start.column };
+                    const end = { line: value.range.end.line, character: value.range.end.column };
+                    const range = { start, end };
+                    if (action.iamUrl) {
+                        links.push({
+                            range,
+                            target: action.iamUrl,
+                            tooltip: 'IAM Actions, Conditions, and Context Keys',
+                        });
+                    }
+                    if (action.operationUrl) {
+                        links.push({
+                            range,
+                            target: action.operationUrl,
+                            tooltip: 'API Operation Documentation',
+                        });
+                    }
+                }
+            }
         }
     }
     connection.console.debug(`Found ${links.length} document links in ${params.textDocument.uri}`);

package/src/lib/iam-policy/reference/services.d.ts

@@ -11,7 +11,7 @@ export declare class ServiceReference {
         types: string[];
     }>;
     static getGlobalConditionKeys(): Array<GlobalConditionKey>;
-    static getAction(service: string, actionName: string): Action | undefined;
+    static getAction(action: string): Action | undefined;
     static getConditionKey(service: string, keyName: string): ConditionKey | undefined;
     static getResourcesForActions(actions: string[]): Map<string, {
         service: string;

package/src/lib/iam-policy/reference/services.js

@@ -60,9 +60,11 @@ export class ServiceReference {
         }
         return ServiceReference.#globalConditionKeys;
     }
-    static getAction(service, actionName) {
+    static getAction(action) {
         try {
-            return ServiceReference.getServiceData(service).actions[actionName];
+            const serviceName = action.split(':')[0];
+            const actionName = action.split(':')[1];
+            return ServiceReference.getServiceData(serviceName).actions[actionName];
         }
         catch {
             return undefined;

package/src/lib/treesitter/base.d.ts

@@ -1,8 +1,33 @@
-import type { Language, Tree } from 'web-tree-sitter';
+import type { Language, Node, Tree } from 'web-tree-sitter';
 export type Position = {
     line: number;
     column: number;
 };
+export type Range = {
+    start: Position;
+    end: Position;
+};
+export type StatementValue = {
+    text: string;
+    range: Range;
+};
+export type StatementEntry = {
+    key: string;
+    keyRange: Range;
+    values: StatementValue[];
+    valueRange: Range;
+    children?: StatementEntry[];
+};
+export type StatementNode = {
+    range: Range;
+    entries: StatementEntry[];
+};
+export type PolicyDocumentNode = {
+    range: Range;
+    policyFormat: PolicyFormat;
+    statements: StatementNode[];
+};
+export declare function nodeRange(node: Node): Range;
 export type PolicyFormat = 'standard' | 'hcl-block';
 export type CursorContext = {
     keys: string[];
@@ -29,8 +54,9 @@ export declare class TreeBase {
     openDocument(uri: string, content: string): void;
     updateDocument(uri: string, content: string): void;
     closeDocument(uri: string): void;
-    getNodeAtPosition(uri: string, position: Position): import("web-tree-sitter").Node | null;
+    getNodeAtPosition(uri: string, position: Position): Node | null;
     getCursorContext(_uri: string, _position: Position): CursorContext | null;
     getStatementContext(_uri: string, _position: Position): StatementContext | null;
     getSiblingKeys(_uri: string, _position: Position): string[];
+    getAllPolicyDocuments(_uri: string): PolicyDocumentNode[];
 }

package/src/lib/treesitter/base.js

@@ -1,5 +1,11 @@
 import { Parser } from 'web-tree-sitter';
 await Parser.init();
+export function nodeRange(node) {
+    return {
+        start: { line: node.startPosition.row, column: node.startPosition.column },
+        end: { line: node.endPosition.row, column: node.endPosition.column },
+    };
+}
 export class TreeBase {
     #trees = new Map();
     #parser;
@@ -47,4 +53,7 @@ export class TreeBase {
     getSiblingKeys(_uri, _position) {
         throw new Error('getSiblingKeys must be implemented by a subclass');
     }
+    getAllPolicyDocuments(_uri) {
+        throw new Error('getAllPolicyDocuments must be implemented by a subclass');
+    }
 }

package/src/lib/treesitter/hcl.d.ts

@@ -1,4 +1,4 @@
-import type { CursorContext, Position, StatementContext } from './base.ts';
+import type { CursorContext, PolicyDocumentNode, Position, StatementContext } from './base.ts';
 import { TreeBase } from './base.ts';
 export declare class TreeHcl extends TreeBase {
     #private;
@@ -6,4 +6,5 @@ export declare class TreeHcl extends TreeBase {
     getCursorContext(uri: string, position: Position): CursorContext | null;
     getStatementContext(uri: string, position: Position): StatementContext | null;
     getSiblingKeys(uri: string, position: Position): string[];
+    getAllPolicyDocuments(uri: string): PolicyDocumentNode[];
 }

package/src/lib/treesitter/hcl.js

@@ -1,6 +1,6 @@
 import { resolve } from 'node:path';
 import { Language } from 'web-tree-sitter';
-import { TreeBase } from "./base.js";
+import { nodeRange, TreeBase } from "./base.js";
 export class TreeHcl extends TreeBase {
     static async init() {
         const grammarDir = resolve(import.meta.dirname, '../../grammars');
@@ -65,6 +65,267 @@ export class TreeHcl extends TreeBase {
         }
         return [];
     }
+    getAllPolicyDocuments(uri) {
+        const tree = this.getTree(uri);
+        if (!tree)
+            return [];
+        const root = tree.rootNode;
+        const results = [];
+        // Block mode: statement { ... } — group by parent data block's body
+        const blocks = this.#findAllStatementBlocks(root);
+        const blockGroups = new Map();
+        for (const block of blocks) {
+            const parentBody = block.parent;
+            if (!parentBody || parentBody.type !== 'body')
+                continue;
+            const existing = blockGroups.get(parentBody.id);
+            if (existing) {
+                existing.blocks.push(block);
+            }
+            else {
+                blockGroups.set(parentBody.id, { parentBody, blocks: [block] });
+            }
+        }
+        for (const group of blockGroups.values()) {
+            results.push({
+                range: nodeRange(group.parentBody),
+                policyFormat: 'hcl-block',
+                statements: group.blocks.map((block) => {
+                    const body = block.namedChildren.find((child) => child.type === 'body');
+                    return {
+                        range: nodeRange(block),
+                        entries: body ? this.#buildBlockStatementEntries(body) : [],
+                    };
+                }),
+            });
+        }
+        // Jsonencode mode: jsonencode({ Statement = [...] }) — group by parent tuple
+        const objects = this.#findAllJsonencodeStatementObjects(root);
+        const tupleGroups = new Map();
+        for (const object of objects) {
+            const tuple = this.#findParentTuple(object);
+            if (!tuple)
+                continue;
+            const existing = tupleGroups.get(tuple.id);
+            if (existing) {
+                existing.objects.push(object);
+            }
+            else {
+                tupleGroups.set(tuple.id, { tuple, objects: [object] });
+            }
+        }
+        for (const group of tupleGroups.values()) {
+            results.push({
+                range: nodeRange(group.tuple),
+                policyFormat: 'standard',
+                statements: group.objects.map((object) => ({
+                    range: nodeRange(object),
+                    entries: this.#buildJsonencodeStatementEntries(object),
+                })),
+            });
+        }
+        return results;
+    }
+    #findParentTuple(object) {
+        let current = object.parent;
+        while (current && (current.type === 'collection_value' || current.type === 'expression')) {
+            current = current.parent;
+        }
+        return current?.type === 'tuple' ? current : null;
+    }
+    #findAllStatementBlocks(root) {
+        const results = [];
+        const visit = (node) => {
+            if (node.type === 'block' && this.#getBlockIdentifier(node) === 'statement') {
+                results.push(node);
+                return; // skip descendants
+            }
+            for (const child of node.namedChildren) {
+                visit(child);
+            }
+        };
+        visit(root);
+        return results;
+    }
+    #findAllJsonencodeStatementObjects(root) {
+        const results = [];
+        const visit = (node) => {
+            if (node.type === 'object' && this.#isInsideStatementTuple(node)) {
+                results.push(node);
+                return; // skip descendants
+            }
+            for (const child of node.namedChildren) {
+                visit(child);
+            }
+        };
+        visit(root);
+        return results;
+    }
+    #buildBlockStatementEntries(body) {
+        const entries = [];
+        for (const child of body.namedChildren) {
+            if (child.type === 'attribute') {
+                const id = child.namedChildren.find((c) => c.type === 'identifier');
+                if (!id)
+                    continue;
+                const keyRange = nodeRange(id);
+                const expression = child.namedChildren.find((c) => c.type === 'expression');
+                const values = expression ? this.#readExpressionStatementValues(expression) : [];
+                const valueRange = expression
+                    ? nodeRange(expression)
+                    : {
+                        start: { line: child.endPosition.row, column: child.endPosition.column },
+                        end: { line: child.endPosition.row, column: child.endPosition.column },
+                    };
+                entries.push({ key: id.text, keyRange, values, valueRange });
+            }
+            else if (child.type === 'block') {
+                const blockId = this.#getBlockIdentifier(child);
+                if (!blockId)
+                    continue;
+                const keyIdNode = child.namedChildren.find((c) => c.type === 'identifier');
+                const keyRange = keyIdNode ? nodeRange(keyIdNode) : nodeRange(child);
+                const blockBody = child.namedChildren.find((c) => c.type === 'body');
+                const children = blockBody ? this.#buildBlockStatementEntries(blockBody) : [];
+                const valueRange = blockBody ? nodeRange(blockBody) : nodeRange(child);
+                entries.push({ key: blockId, keyRange, values: [], valueRange, children });
+            }
+        }
+        return entries;
+    }
+    #readExpressionStatementValues(expression) {
+        // Single string literal
+        const literal = expression.namedChildren.find((child) => child.type === 'literal_value');
+        if (literal) {
+            const string = literal.namedChildren.find((child) => child.type === 'string_lit');
+            const template = string?.namedChildren.find((child) => child.type === 'template_literal');
+            if (template?.text)
+                return [{ text: template.text, range: nodeRange(template) }];
+            return [];
+        }
+        // Tuple of strings
+        let tuple = expression.namedChildren.find((child) => child.type === 'tuple');
+        if (!tuple) {
+            const collectionValue = expression.namedChildren.find((child) => child.type === 'collection_value');
+            tuple = collectionValue?.namedChildren.find((child) => child.type === 'tuple') ?? undefined;
+        }
+        if (tuple) {
+            const values = [];
+            for (const element of tuple.namedChildren) {
+                const elementExpression = element.type === 'expression' ? element : null;
+                const elementLiteral = elementExpression?.namedChildren.find((child) => child.type === 'literal_value');
+                const elementString = elementLiteral?.namedChildren.find((child) => child.type === 'string_lit');
+                const elementTemplate = elementString?.namedChildren.find((child) => child.type === 'template_literal');
+                if (elementTemplate?.text)
+                    values.push({ text: elementTemplate.text, range: nodeRange(elementTemplate) });
+            }
+            return values;
+        }
+        return [];
+    }
+    #buildJsonencodeStatementEntries(object) {
+        const entries = [];
+        for (const child of object.namedChildren) {
+            if (child.type !== 'object_elem')
+                continue;
+            const key = this.#getObjectElemKey(child);
+            if (!key)
+                continue;
+            const keyExpression = child.namedChildren.find((c) => c.type === 'expression');
+            const keyId = keyExpression?.namedChildren
+                .find((c) => c.type === 'variable_expr')
+                ?.namedChildren.find((c) => c.type === 'identifier');
+            const keyRange = keyId ? nodeRange(keyId) : nodeRange(child);
+            const expressions = child.namedChildren.filter((c) => c.type === 'expression');
+            const valueExpression = expressions.length >= 2 ? expressions[1] : null;
+            const values = valueExpression ? this.#readJsonencodeExpressionStatementValues(valueExpression) : [];
+            const valueRange = valueExpression
+                ? nodeRange(valueExpression)
+                : {
+                    start: { line: child.endPosition.row, column: child.endPosition.column },
+                    end: { line: child.endPosition.row, column: child.endPosition.column },
+                };
+            const nestedKeys = new Set(['Condition', 'Principal', 'NotPrincipal']);
+            let children;
+            if (nestedKeys.has(key) && valueExpression) {
+                let nestedObject = valueExpression.namedChildren.find((c) => c.type === 'object');
+                if (!nestedObject) {
+                    const collectionValue = valueExpression.namedChildren.find((c) => c.type === 'collection_value');
+                    nestedObject = collectionValue?.namedChildren.find((c) => c.type === 'object') ?? undefined;
+                }
+                if (nestedObject) {
+                    children = this.#buildJsonencodeNestedEntries(nestedObject);
+                }
+            }
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
+    #readJsonencodeExpressionStatementValues(expression) {
+        // Single string literal
+        const literal = expression.namedChildren.find((child) => child.type === 'literal_value');
+        if (literal) {
+            const string = literal.namedChildren.find((child) => child.type === 'string_lit');
+            const template = string?.namedChildren.find((child) => child.type === 'template_literal');
+            if (template?.text)
+                return [{ text: template.text, range: nodeRange(template) }];
+            return [];
+        }
+        // Tuple
+        let tuple = expression.namedChildren.find((child) => child.type === 'tuple');
+        if (!tuple) {
+            const collectionValue = expression.namedChildren.find((child) => child.type === 'collection_value');
+            tuple = collectionValue?.namedChildren.find((child) => child.type === 'tuple') ?? undefined;
+        }
+        if (tuple) {
+            const values = [];
+            for (const element of tuple.namedChildren) {
+                const elementExpression = element.type === 'expression' ? element : null;
+                const elementLiteral = elementExpression?.namedChildren.find((child) => child.type === 'literal_value');
+                const elementString = elementLiteral?.namedChildren.find((child) => child.type === 'string_lit');
+                const elementTemplate = elementString?.namedChildren.find((child) => child.type === 'template_literal');
+                if (elementTemplate?.text)
+                    values.push({ text: elementTemplate.text, range: nodeRange(elementTemplate) });
+            }
+            return values;
+        }
+        return [];
+    }
+    #buildJsonencodeNestedEntries(object) {
+        const entries = [];
+        for (const child of object.namedChildren) {
+            if (child.type !== 'object_elem')
+                continue;
+            const key = this.#getObjectElemKey(child);
+            if (!key)
+                continue;
+            const keyExpression = child.namedChildren.find((c) => c.type === 'expression');
+            const keyId = keyExpression?.namedChildren
+                .find((c) => c.type === 'variable_expr')
+                ?.namedChildren.find((c) => c.type === 'identifier');
+            const keyRange = keyId ? nodeRange(keyId) : nodeRange(child);
+            const expressions = child.namedChildren.filter((c) => c.type === 'expression');
+            const valueExpression = expressions.length >= 2 ? expressions[1] : null;
+            const values = valueExpression ? this.#readJsonencodeExpressionStatementValues(valueExpression) : [];
+            const valueRange = valueExpression
+                ? nodeRange(valueExpression)
+                : {
+                    start: { line: child.endPosition.row, column: child.endPosition.column },
+                    end: { line: child.endPosition.row, column: child.endPosition.column },
+                };
+            let nestedObject;
+            if (valueExpression) {
+                nestedObject = valueExpression.namedChildren.find((c) => c.type === 'object');
+                if (!nestedObject) {
+                    const collectionValue = valueExpression.namedChildren.find((c) => c.type === 'collection_value');
+                    nestedObject = collectionValue?.namedChildren.find((c) => c.type === 'object') ?? undefined;
+                }
+            }
+            const children = nestedObject ? this.#buildJsonencodeNestedEntries(nestedObject) : undefined;
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
     // ---------------------------------------------------------------------------
     // Jsonencode mode — object/object_elem/tuple, PascalCase keys, same as JSON
     // ---------------------------------------------------------------------------

package/src/lib/treesitter/json.d.ts

@@ -1,4 +1,4 @@
-import type { CursorContext, Position, StatementContext } from './base.ts';
+import type { CursorContext, PolicyDocumentNode, Position, StatementContext } from './base.ts';
 import { TreeBase } from './base.ts';
 export declare class TreeJson extends TreeBase {
     #private;
@@ -6,4 +6,5 @@ export declare class TreeJson extends TreeBase {
     getCursorContext(uri: string, position: Position): CursorContext | null;
     getStatementContext(uri: string, position: Position): StatementContext | null;
     getSiblingKeys(uri: string, position: Position): string[];
+    getAllPolicyDocuments(uri: string): PolicyDocumentNode[];
 }

package/src/lib/treesitter/json.js

@@ -1,6 +1,6 @@
 import { resolve } from 'node:path';
 import { Language } from 'web-tree-sitter';
-import { TreeBase } from "./base.js";
+import { nodeRange, TreeBase } from "./base.js";
 export class TreeJson extends TreeBase {
     static async init() {
         const grammarDir = resolve(import.meta.dirname, '../../grammars');
@@ -59,6 +59,131 @@ export class TreeJson extends TreeBase {
             return [];
         return this.#collectExistingKeys(this.#findInnermostObject(node, statementObject));
     }
+    getAllPolicyDocuments(uri) {
+        const tree = this.getTree(uri);
+        if (!tree)
+            return [];
+        const objects = this.#findAllStatementObjects(tree.rootNode);
+        // Group by parent array (each Statement array = one policy document)
+        const groups = new Map();
+        for (const object of objects) {
+            const array = object.parent;
+            if (!array || array.type !== 'array')
+                continue;
+            const existing = groups.get(array.id);
+            if (existing) {
+                existing.objects.push(object);
+            }
+            else {
+                groups.set(array.id, { array, objects: [object] });
+            }
+        }
+        const results = [];
+        for (const group of groups.values()) {
+            results.push({
+                range: nodeRange(group.array),
+                policyFormat: 'standard',
+                statements: group.objects.map((object) => ({
+                    range: nodeRange(object),
+                    entries: this.#buildStatementEntries(object),
+                })),
+            });
+        }
+        return results;
+    }
+    #findAllStatementObjects(root) {
+        const results = [];
+        const visit = (node) => {
+            if (node.type === 'object' && this.#isInsideStatementArray(node)) {
+                results.push(node);
+                return; // skip descendants
+            }
+            for (const child of node.namedChildren) {
+                visit(child);
+            }
+        };
+        visit(root);
+        return results;
+    }
+    #buildStatementEntries(object) {
+        const entries = [];
+        for (const child of object.namedChildren) {
+            if (child.type !== 'pair')
+                continue;
+            const key = this.#getPairKeyText(child);
+            if (!key)
+                continue;
+            const keyString = child.namedChildren[0];
+            const keyRange = keyString ? nodeRange(keyString) : nodeRange(child);
+            const values = this.#readPairStatementValues(child);
+            const valueRange = this.#getPairValueRange(child);
+            const nestedKeys = new Set(['Condition', 'Principal', 'NotPrincipal']);
+            let children;
+            if (nestedKeys.has(key)) {
+                const valueNode = child.namedChildren[1];
+                if (valueNode?.type === 'object') {
+                    children = this.#buildNestedEntries(valueNode);
+                }
+            }
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
+    #buildNestedEntries(object) {
+        const entries = [];
+        for (const child of object.namedChildren) {
+            if (child.type !== 'pair')
+                continue;
+            const key = this.#getPairKeyText(child);
+            if (!key)
+                continue;
+            const keyString = child.namedChildren[0];
+            const keyRange = keyString ? nodeRange(keyString) : nodeRange(child);
+            const values = this.#readPairStatementValues(child);
+            const valueRange = this.#getPairValueRange(child);
+            const valueNode = child.namedChildren[1];
+            let children;
+            if (valueNode?.type === 'object') {
+                children = this.#buildNestedEntries(valueNode);
+            }
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
+    #readPairStatementValues(pair) {
+        const valueNode = pair.namedChildren[1];
+        if (!valueNode)
+            return [];
+        if (valueNode.type === 'string') {
+            const content = valueNode.namedChildren.find((child) => child.type === 'string_content');
+            if (!content?.text)
+                return [];
+            return [{ text: content.text, range: nodeRange(content) }];
+        }
+        if (valueNode.type === 'array') {
+            const values = [];
+            for (const element of valueNode.namedChildren) {
+                if (element.type !== 'string')
+                    continue;
+                const content = element.namedChildren.find((child) => child.type === 'string_content');
+                if (content?.text) {
+                    values.push({ text: content.text, range: nodeRange(content) });
+                }
+            }
+            return values;
+        }
+        return [];
+    }
+    #getPairValueRange(pair) {
+        const valueNode = pair.namedChildren[1];
+        if (!valueNode) {
+            return {
+                start: { line: pair.endPosition.row, column: pair.endPosition.column },
+                end: { line: pair.endPosition.row, column: pair.endPosition.column },
+            };
+        }
+        return nodeRange(valueNode);
+    }
     #resolveCursorContext(node, statementObject, position) {
         const cursorPath = this.#buildCursorPath(node, statementObject, position);
         return { ...cursorPath, policyFormat: 'standard' };

package/src/lib/treesitter/yaml.d.ts

@@ -1,4 +1,4 @@
-import type { CursorContext, Position, StatementContext } from './base.ts';
+import type { CursorContext, PolicyDocumentNode, Position, StatementContext } from './base.ts';
 import { TreeBase } from './base.ts';
 export declare class TreeYaml extends TreeBase {
     #private;
@@ -6,4 +6,5 @@ export declare class TreeYaml extends TreeBase {
     getCursorContext(uri: string, position: Position): CursorContext | null;
     getStatementContext(uri: string, position: Position): StatementContext | null;
     getSiblingKeys(uri: string, position: Position): string[];
+    getAllPolicyDocuments(uri: string): PolicyDocumentNode[];
 }

package/src/lib/treesitter/yaml.js

@@ -1,6 +1,6 @@
 import { resolve } from 'node:path';
 import { Language } from 'web-tree-sitter';
-import { TreeBase } from "./base.js";
+import { nodeRange, TreeBase } from "./base.js";
 export class TreeYaml extends TreeBase {
     static async init() {
         const grammarDir = resolve(import.meta.dirname, '../../grammars');
@@ -61,6 +61,140 @@ export class TreeYaml extends TreeBase {
             return [];
         return this.#collectExistingKeysAtPath(match.mapping, cursorPath.keys);
     }
+    getAllPolicyDocuments(uri) {
+        const root = this.getTree(uri)?.rootNode;
+        if (!root)
+            return [];
+        const mappings = this.#findAllStatementMappings(root);
+        // Group by parent block_sequence (each sequence = one policy document)
+        const groups = new Map();
+        for (const mapping of mappings) {
+            const sequence = this.#getParentStatementSequence(mapping);
+            if (!sequence)
+                continue;
+            const existing = groups.get(sequence.id);
+            if (existing) {
+                existing.mappings.push(mapping);
+            }
+            else {
+                groups.set(sequence.id, { sequence, mappings: [mapping] });
+            }
+        }
+        const results = [];
+        for (const group of groups.values()) {
+            results.push({
+                range: nodeRange(group.sequence),
+                policyFormat: 'standard',
+                statements: group.mappings.map((mapping) => ({
+                    range: nodeRange(mapping),
+                    entries: this.#buildStatementEntries(mapping),
+                })),
+            });
+        }
+        return results;
+    }
+    #buildStatementEntries(mapping) {
+        const entries = [];
+        for (const child of mapping.namedChildren) {
+            if (child.type !== 'block_mapping_pair')
+                continue;
+            const key = this.#getPairKeyText(child);
+            if (!key)
+                continue;
+            const keyFlow = child.namedChildren.find((c) => c.type === 'flow_node');
+            const keyRange = keyFlow ? nodeRange(keyFlow) : nodeRange(child);
+            const values = this.#readPairStatementValues(child);
+            const valueRange = this.#getPairValueRange(child);
+            const nestedKeys = new Set(['Condition', 'Principal', 'NotPrincipal']);
+            let children;
+            if (nestedKeys.has(key)) {
+                const nestedMapping = this.#findValueBlockMapping(child);
+                if (nestedMapping) {
+                    children = this.#buildNestedEntries(nestedMapping);
+                }
+            }
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
+    #buildNestedEntries(mapping) {
+        const entries = [];
+        for (const child of mapping.namedChildren) {
+            if (child.type !== 'block_mapping_pair')
+                continue;
+            const key = this.#getPairKeyText(child);
+            if (!key)
+                continue;
+            const keyFlow = child.namedChildren.find((c) => c.type === 'flow_node');
+            const keyRange = keyFlow ? nodeRange(keyFlow) : nodeRange(child);
+            const values = this.#readPairStatementValues(child);
+            const valueRange = this.#getPairValueRange(child);
+            // Recurse for deeper nesting (Condition operator → key → values)
+            const nestedMapping = this.#findValueBlockMapping(child);
+            let children;
+            if (nestedMapping) {
+                children = this.#buildNestedEntries(nestedMapping);
+            }
+            entries.push({ key, keyRange, values, valueRange, ...(children ? { children } : {}) });
+        }
+        return entries;
+    }
+    #readPairStatementValues(pair) {
+        if (pair.namedChildren.length < 2)
+            return [];
+        const valueNode = pair.namedChildren[1];
+        // Direct flow_node scalar
+        if (valueNode.type === 'flow_node') {
+            return this.#flowNodeToStatementValue(valueNode);
+        }
+        // block_node wrapping
+        const inner = valueNode.type === 'block_node' ? (valueNode.namedChildren[0] ?? null) : valueNode;
+        if (!inner)
+            return [];
+        if (inner.type === 'flow_node') {
+            return this.#flowNodeToStatementValue(inner);
+        }
+        // Block sequence
+        if (inner.type === 'block_sequence') {
+            const values = [];
+            for (const item of inner.namedChildren) {
+                if (item.type !== 'block_sequence_item')
+                    continue;
+                const flowNode = item.namedChildren.find((child) => child.type === 'flow_node');
+                if (flowNode) {
+                    values.push(...this.#flowNodeToStatementValue(flowNode));
+                }
+            }
+            return values;
+        }
+        // Flow sequence
+        if (inner.type === 'flow_sequence') {
+            const values = [];
+            for (const flowItem of inner.namedChildren) {
+                if (flowItem.type !== 'flow_node')
+                    continue;
+                values.push(...this.#flowNodeToStatementValue(flowItem));
+            }
+            return values;
+        }
+        return [];
+    }
+    #flowNodeToStatementValue(flowNode) {
+        const text = this.#getScalarText(flowNode);
+        if (text === null)
+            return [];
+        return [{ text, range: nodeRange(flowNode) }];
+    }
+    #getPairValueRange(pair) {
+        if (pair.namedChildren.length < 2) {
+            // No value — zero-width range at key end
+            return {
+                start: { line: pair.endPosition.row, column: pair.endPosition.column },
+                end: { line: pair.endPosition.row, column: pair.endPosition.column },
+            };
+        }
+        return nodeRange(pair.namedChildren[1]);
+    }
     /**
      * Traverse the tree from root, collecting every block_mapping that sits inside
      * a Statement sequence. Skip descendants of matched mappings (they can't nest).

package/src/server.js

@@ -2,6 +2,7 @@
 import { createConnection, ProposedFeatures, TextDocumentSyncKind, TextDocuments } from 'vscode-languageserver/node.js';
 import { TextDocument } from 'vscode-languageserver-textdocument';
 import { handleCompletionRequest } from "./handlers/completion/index.js";
+import { diagnosticsHandler } from "./handlers/diagnostics/diagnostics.js";
 import { documentLinkHandler } from "./handlers/document-link/document-link.js";
 import { TreeManager } from "./lib/treesitter/manager.js";
 const connection = createConnection(ProposedFeatures.all);
@@ -20,9 +21,17 @@ connection.onInitialize(async () => {
         },
     };
 });
-documents.onDidOpen(({ document }) => treeManager.openDocument(document.uri, document.getText(), document.languageId));
-documents.onDidChangeContent(({ document }) => treeManager.updateDocument(document.uri, document.getText()));
-documents.onDidClose(({ document }) => treeManager.closeDocument(document.uri));
+documents.onDidOpen(async ({ document }) => {
+    await treeManager.openDocument(document.uri, document.getText(), document.languageId);
+    await diagnosticsHandler(document, treeManager, connection);
+});
+documents.onDidChangeContent(async ({ document }) => {
+    await treeManager.updateDocument(document.uri, document.getText());
+    await diagnosticsHandler(document, treeManager, connection);
+});
+documents.onDidClose(async ({ document }) => {
+    await treeManager.closeDocument(document.uri);
+});
 connection.onCompletion((params) => handleCompletionRequest(params, documents, treeManager, connection));
 connection.onDocumentLinks((params) => documentLinkHandler(params, documents, treeManager, connection));
 documents.listen(connection);